Name: Real Time Interception from Packet Networks Challenges and Solutions

Text: Real Time Intercept from Packet
Networks, Challenges and

Presented by Keith Driver

Packet Intercept
Packets are everywhere
– LAN networks
– WAN networks/ Carrier Ethernet
– 3G Telephony networks
– CDMA 2000 Networks
– ISP Networks
– Etc etc etc

Commercial in Confidence

Packet Intercept
– Access to the packets on the wire
– Selection of packets on the wire
– Accumulation/ Forwarding of packets

Commercial in Confidence

Access to packets
Range of network types

CDMA/UMTS cellular
GSM cellular
WiMax, WiFi

Roughly divisible into Telecom and Data
– Also Valid
• Cellular/ Fixed
• Enterprise/Operator
Commercial in Confidence

Access to packets
Physical access to the transport
Range of Media
– Ethernet, E1/T1 , SDH/SONET, GE, CarrierEthernet,
• Span ports
• Hubs
• Passive taps

– WAN/3G/CDMA 2000/etc
• Passive taps
• Internal interception functions
• SPAN ports

Optical and electrical transports
Commercial in Confidence

Access to packets
Transport protocol handling
– VLAN tags
– ATM ( IMA )
– PPP ( ML-PPP )
– PoS ( Packet over Sonet )

Commercial in Confidence

Selection of packets
A major problem
– What are the criteria for selection?
– Lower layers
• Label address ( i.e. IP Address, ATM address ) ?
• Protocols used?

– Upper Layers

Session Identity
User Identity ( email address/ IM id etc )
Cross packet identities

And packet selection must be done in real
Commercial in Confidence

Selection of packets
Generically requires hardware support
– Line rates are too fast for software

Selection on labels easier
Selection on protocol contents much harder

Requires Deep packet Inspection
Complex matching criteria
Cross packet assembly for matching
Session buffering to extract the whole session
from embedded triggers ( e.g. email cc: )

Commercial in Confidence

Selection of packets
Very hard for routing nodes to do this
– ‘Internal interception’

Many nodes are L2 switches with little packet
– Most switches have a stated aim to keep the
packet for a minimum time

Effort required for inspection usually means
added hardware to the node
Limited then by manufacturer capability

Commercial in Confidence

Subscriber Identities
– Many, Many identities
– Each human probably has 50 used often

Terminal / equipment identities
– Many terminals used by one target

Network Assigned identities
– Networks use these for obfuscation and mobility

Application/Entity identities
– Not only humans and equipment have identity

Commercial in Confidence


Each human can have many identities
Identities can be changed frequently
Identities can be used only once
Identities can be changed by location
Anonymisation services exist on the internet

– Keeping track is VERY difficult when faced with
knowledgeable adversaries

But it can be done with sophisticated software
Commercial in Confidence

Cyphering is a major issue
– Network based protection
• 3G information cyphered to the RNC
• 2G data cyphered to the SGSN
• IMS sessions protected end to end from the terminals

– Application based cyphering • Skype

– User based cyphering
• X.509 SMIME etc

Commercial in Confidence

What can be done?
– Mobile Network based cyphering
• Access to CK/Kc for the session from core network

– IMS - end to end - very difficult
– Skype - proprietary - very difficult.
– PGP/SMIME - powerful encryption

Best hope is to record the cyphered session
and apply cryptographic techniques
Not Real time though

Commercial in Confidence

A big problem that will get bigger
As communication networks migrate to
offering end to end transparent pipes
– More user based encryption
– More encryption algorithms

But connection records are still available
– ( time / duration etc )

Patterns of use are still available
Keys may be available through other means

Commercial in Confidence

Accumulation of packets
Packets rarely travel alone
Most packets form streams to carry a higher
layer service

Telephone call
Web session

Packets therefore need to be acquired, and
presented in sequence
Buffering is one solution to this
Commercial in Confidence

Buffering ( or not )
Buffering can be useful
– But it is resource expensive ( memory )
– Controversial in evidential environments

Allows session reassembly
– Which enables L7 protocol presentation
– Allows cross packet pattern recognition

Provides post analysis capability
Allows session recovery
But can delay delivery
Requires very large resource in high bandwidth
links ( STM-64/10G etc )
Commercial in Confidence

Handover of product

ES 101 671,
ES 102 232.x

Often with national/local variants
Buffering is sometimes allowed
Session reassembly is sometimes desired
– I.e. presentation as email / Web page image etc.

Commercial in Confidence

Challenges review
– Physical interfaces differ
– Internal Interception limited

– High data rates make this difficult
– Cyphering prevents DPI
– Identity obfuscates communication

– High data rates
– Buffering is expensive

Commercial in Confidence

Problems split into roughly 2 domains
– LAN/ISP type access with Gb ethernet
– WAN/Core network access where transport

High capacity fibre
Carrier ethernet.

Commercial in Confidence

In the 1G ethernet domain
– Many companies have adapted IDS systems
( usually from SNORT )
– Several companies have hardware acceleration to
assist with this

Very useful in enterprise or ISP domain
Kit is relatively small and powerfull.
But somrthing bigger is needed in the core

Commercial in Confidence

Ethernet based solutions tend not to work so
well in other environments
– Specialised , distributed equipment is needed
– Full network coverage

Probes cope with the complex Layer 1/ and
transport stacks
– Probes cope with the variety of protocols,
telephony and data ( ATM/ MPLS / Carrier E etc )
– Probes offer a pre-processing function to DPI

Commercial in Confidence

Large scale Solutions!
Telesoft Technologies specialize in the
provision of such probes - HINTON product

3G/CDMA 2000/GSM network access
Large , distributed networks
Access to telephony and data sessions
TDM legacy and Packet intercept
Highly distributable and scalable
Hardware accelerated
Centralised Handover
Decyphering available with complete access
Location ( including Abis/Iub ) , Call content, SMS,

Proven, large and small scale deployments
for intercept
Commercial in Confidence

Thank you for watching

Telesoft Technologies Ltd
Observatory House
Blandford Dorset

Telesoft Technologies Inc
Suite 601
4340 Georgetown Square
Atlanta GA 30338 USA

T. +44 (0)1258 480 880
T. +1 770 454 6001
F. +44 (0)1258 486 598
F. +1 770 452 0130
E. E.

Document Path: ["39-200810-iss-prg-telesoft.pdf"]


Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh