Introduction
Solera Networks’ line of packet capture and playback devices, combined with lawful intercept management software, provides everything necessary to monitor and preserve all digital communication sessions—email, chat, instant messaging and HTTP sessions—and related intercept information.
LAWFUL INTERCEPT
It’s nearly impossible to find a business today that uses nothing but standard telephones for communication. Every organization on the planet has expanded its communications to include email, chat, wireless phones, and instant messaging. Many organizations operate completely in the realm of digital networks. And, unfortunately, so do many inside traders, drug dealers, terrorists and cyber criminals.
For this reason, the United States and other governments around the world require support capabilities for digital lawful intercept. These requirements define how communications providers must be able to provide law enforcement agencies (LEA) with the ability to tap or monitor specific communication sessions along with detailed session information, all without the possibility of detection by those being monitored.
In the United States, the lawful intercept regulations are known as CALEA (Communications Assistance for Law Enforcement Act). The deadline for full compliance was established as May 14, 2007.
Solera Networks provides a powerful, yet simple CALEA compliance solution with full communications monitoring and detail logging. Solera Networks’ line of packet capture and stream-to-storage devices, combined with lawful intercept management software, provides everything necessary to monitor and preserve all digital communication sessions—email, chat, instant messaging and HTTP sessions—along with related intercept information.
Several challenges exist when providing lawful intercept capabilities for digital communications. These include extracting specific communication sessions from general data streams, strict audit requirements and timing issues. Solera Networks provides an elegant and effective solution that helps organizations of all sizes meet these challenges with an automated, simple-to-use appliance.
Email, chat, instant messaging, etc. are packetized communications (composed of hundreds or thousands of packets) and are spread across the larger flow of network data. In order to reconstruct a conversation or assemble a communication, the packets representing a specific communication must be filtered from other data, collected, re-sequenced, reformatted, and played back. This resource intensive activity, if attempted inline or as part of regular network traffic flow, degrades network performance and increases the risk of detection.
Solera Networks’ line of packet capture and stream-to-storage devices allows analysts to filter irrelevant data, sequence all packets in a communications session, and deliver them to mediation or law enforcement agencies in an industry standard, CALEA-compliant format. Communication streams are preserved exactly as they occurred, supporting the legal chain of custody mandated by law enforcement agencies.
Under United States legislation, lawful intercepts require a target warrant ID and a case ID assigned by the law enforcement agency. Each case is assigned a start date and an end date upon which the case will expire and monitoring should cease. This information, along with target list matches, must be auditable to show that only authorized targets were monitored and that the monitoring only happened during the times specified in the warrant. A comprehensive flow record ensures that all information associated with any communication will be available.
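The audit described above can be expressed as a check over delivered intercept records. This is an added example, not Solera Networks' code; the record layout, field names, reason strings and sample data are assumptions constructed for illustration, with all timestamps in UTC.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address

@dataclass(frozen=True)
class Warrant:  # hypothetical layout of the warrant data the paragraph lists
    warrant_id: str
    case_id: str
    start: datetime
    end: datetime
    targets: frozenset  # authorized target IP addresses

@dataclass(frozen=True)
class InterceptRecord:  # hypothetical flow record for one delivered session
    case_id: str
    src: str
    dst: str
    first_packet: datetime
    last_packet: datetime

def audit(warrant, records):
    """Return (record, reasons) for each record outside the warrant's scope."""
    targets = {ip_address(t) for t in warrant.targets}
    findings = []
    for r in records:
        reasons = []
        if r.case_id != warrant.case_id:
            reasons.append("case-id-mismatch")
        if not ({ip_address(r.src), ip_address(r.dst)} & targets):
            reasons.append("no-authorized-target")
        if r.first_packet < warrant.start:
            reasons.append("before-warrant-start")
        if r.last_packet > warrant.end:  # also catches sessions straddling expiry
            reasons.append("after-warrant-end")
        if reasons:
            findings.append((r, reasons))
    return findings

def _utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample data (documentation address ranges, placeholder IDs).
WARRANT = Warrant("W-EXAMPLE-1", "C-EXAMPLE-1", _utc("2024-03-01T00:00:00"),
                  _utc("2024-03-31T00:00:00"), frozenset({"192.0.2.10"}))
RECORDS = [
    InterceptRecord("C-EXAMPLE-1", "192.0.2.10", "198.51.100.7", _utc("2024-03-05T10:00:00"), _utc("2024-03-05T10:05:00")),
    InterceptRecord("C-EXAMPLE-1", "192.0.2.99", "198.51.100.7", _utc("2024-03-06T09:00:00"), _utc("2024-03-06T09:01:00")),
    InterceptRecord("C-EXAMPLE-1", "198.51.100.7", "192.0.2.10", _utc("2024-03-30T23:59:00"), _utc("2024-03-31T00:02:00")),
    InterceptRecord("C-OTHER", "192.0.2.10", "198.51.100.7", _utc("2024-02-28T12:00:00"), _utc("2024-02-28T12:03:00")),
]
```

An empty result from `audit(WARRANT, RECORDS)` is the evidence an auditor looks for; here three of the four constructed records are flagged, including the session that began before the warrant expired but continued past it.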
Solera Networks provides a comprehensive capture of all data (or only specified data types) without any loss of packets or associated information. With the industry’s highest capture, stream-to-storage and playback speeds, Solera Networks ensures that all information is captured and available for investigation. In addition, continuous recording will show that the tap ended when the warrant expired.
General concern exists about beginning a trace in a timely manner. Systems that require placing a sensor or installing a tap as soon as possible after a warrant has been issued can miss the targeted communication entirely.
With Solera Networks’ continuous “always-on” capture of data, implementing the trace is effortless. The Solera Networks capture device detects inefficiencies in a network on a daily basis, allowing performance to be constantly improved. When a warrant is issued, the device becomes a means of compliance. The network administrator starts a tap or reconstructs a previously recorded session and can easily provide requested communications to the law enforcement agency, even after it has happened. Because Solera Networks provides a robust filtering technology, businesses can rest assured that they will be able to quickly comply with a warrant, while simultaneously leveraging the solution to improve their own network performance and bottom line.
CALEA
The Communications Assistance for Law Enforcement Act (CALEA) is a United States law enacted in 1994 which states that communications providers (including telephone companies, network and service providers) must make it possible for law enforcement agencies to tap any conversations carried over their networks. In addition, providers must make communication record details available and tapping must be carried out in a way that monitoring cannot be detected by persons under surveillance.
In March of 2004, the US Department of Justice (DOJ), Federal Bureau of Investigation (FBI) and Drug Enforcement Agency (DEA) filed a joint petition to accelerate compliance and extend provisions to cover communications that travel over the Internet.
CALEA compliance regulations are in effect as of May 14, 2007 and apply to all broadband access providers and all interconnected VoIP service providers. Individual carriers are responsible for CALEA development and implementation costs.
Worldwide Compliance
Similar regulations are in effect for other areas of the world with new legislation emerging in all developing countries. Similar requirements for the Commonwealth of Independent States (former Soviet republics) are known as SORM (System of Ensuring Investigative Activity). The European Union is developing legislation based on intercept standards outlined by the IETF (Internet Engineering Task Force).
WHY SOLERA NETWORKS?
Solera Networks’ line of deep packet capture and playback devices is industry-best in several categories including performance, openness and versatility. As a powerful key component for any lawful intercept strategy, Solera Networks devices are designed from the ground up with the following features:
SPEED & PERFORMANCE
Few capture devices actually capture ALL network traffic, including payload. Solera Networks’ devices have the industry’s highest line capture rates (up to 8.1Gbps sustained capture rate, with configurations available for full 10Gbps). Capture is comprehensive (entire stream), lossless, and based on Solera Networks’ proprietary and patented file system.
Playback for analysis is possible at full-line rate within 1 millisecond of capture. This provides the advantage of near real-time analysis without any network impact. This architecture eliminates the overhead associated with running network monitoring tools directly on the production environment. Instead of expensive server-logging or the need for added bandwidth to support traffic monitoring, traffic is replayed to a separate analysis segment for analysis by multiple tools (see diagram). And because the Solera Networks appliance supports multiple regenerated streams concurrently, businesses can now have Intrusion Detection, Network Management, and Data Leakage Protection solutions reviewing identical traffic without fear of network degradation.
SECURITY
Solera Networks’ proprietary encryption tightens chain-of-custody evidentiary rules for how data is captured and stored. Solera Networks captures data and streams it to storage in a format that can’t be altered. Proprietary on-disk formats make it so any attempt to edit, alter, or otherwise modify will only serve to corrupt the entire disk. Moreover, Solera Networks’ devices can be configured to have no IP address, making them invisible to the network they reside on. They simply connect to a port and listen passively.
Solera Networks’ deep packet capture devices are also built using an optimized Linux kernel. Mandatory access control eliminates vulnerabilities to tampering and bypass.
OPENNESS
Solera Networks’ captured data is accessible by various LEA systems. Captured network traffic can be exposed to external appliances and devices utilizing three primary methods: a virtual file system exposing pcap formatted files, a virtual network interface (Ethernet) device, or a regenerated stream of packets to external network segments feeding external appliances or applications. REST and SOAP APIs are also available for custom integration into the Solera DS File System. Solera Networks also integrates with iSCSI and Fibre Channel providing a myriad of options for external storage.
SCALABLE
Recording capacity is scalable for the largest of operations with the ability to store up to 576TB of data in a single partition and external storage can be configured for virtually limitless capacity using a SAN. In addition, if capturing from multiple sources concurrently is important, Solera Networks has options for up to ten different capture ports, allowing companies to consolidate or expand their monitoring operation across multiple segments. This support includes the ability to consolidate asymmetrically routed traffic flows. And finally, Solera Networks’ unique file storage and caching mechanisms provide for continuous recording with newest data overwriting oldest data, eliminating problems of storage overflow.
MULTIPLE OPTIONS TO FIT ANY SIZE ORGANIZATION
SIMPLE
Solera Networks devices connect to your network via copper or SX fiber cables using either a SPAN (switched port analyzer – port mirror) port or a network tap. A built-in web-based interface guides you through setup of capture/playback filters and allows you to specify time periods and session filters based on warrant information.
VERSATILE
Lawful intercept is only one area where Solera Networks solutions have been effectively implemented. With full capture and playback capabilities combined with other market offerings, Solera Networks can provide a comprehensive historical engine for data leakage protection solutions, intrusion detection, and network troubleshooting. In addition to reconstructing communications (browser sessions, chats, instant messages, email, etc.), Solera Networks solutions can be used to detect intrusions (port scanning over time) and determine sources of high bandwidth use or erratic activity.
HOW IT WORKS
Solera Networks solutions are comprehensive, deep packet capture and stream-to-storage devices. In short, they record all traffic on a network and make it available for near-immediate playback. It’s like a digital video recorder (DVR) or TiVo for a network, but instead of being limited to recording one or two channels it can record all 500 channels simultaneously. All channels are available for playback, or just a few (e.g., only email between two target points, only IM sessions, or any combination of protocols).
As a platform for lawful intercept, Solera Networks appliances are like having a complete dynamic model of your network traffic with all communication sessions and intercept details preserved.
Specific CALEA features:
LEA collector capability
CMII packet annotation and forwarding support (conforms to configuration management standards)
Full 24x7 packet capture with dynamic tap filtering capability
TAP forwarding of captured data to LEAs via TCP/IP
Support for open CALEA architecture
Historical views of network traffic
Filter views for LEA limits content to only what’s needed
Solera Networks’ capture device easily fits into any network as the foundation for any forensics or analytics system.
Using Solera Networks devices, packet information can be filtered by VLAN, TCP/IP version (IPv4 or IPv6), MAC address, protocol or port (e.g. HTTP or SMTP), IP address or IP network or subnet (e.g. 67.137.0.0/16 or 192.168.0. or 192.168.0.1). Data can be further defined by time domain.
A sample implementation for lawful intercept using Solera Networks’ CALEA solution would have the following architecture:
[Figure: Solera Networks CALEA device easily taps network traffic to comply with LEA warrants]
BENEFITS OF SOLERA NETWORKS’ LAWFUL INTERCEPT SOLUTION
The benefits include proactive compliance, substantive proof, and rapid deployment.
There is no stress of finding and implementing a last minute, completely architected, CALEA compliant solution. With Solera Networks, you turn on the appliance, configure the LI, start recording and relax. When a company is notified to tap a communication, they’ve already got the solution in place. All they do is start the tap and hand over the file or forward the traffic.
Full information surrounding communication sessions is very valuable (and required) when providing lawful intercept. Communication targets, source and destination locations, start and stop times, and also any other peripherally related information are required. Having a complete record of all network activity provides the ability to trace communications as well as provide rich context for communication events.
Getting compliant couldn’t be easier. Solera Networks appliances simply connect to your network via copper or SX fiber cables using either a SPAN (switched port analyzer – port mirror) port or a network tap. A web-based browser interface guides you through the selection of communication session types and CALEA parameter settings. A CALEA solution can be deployed, running and compliant in less than an hour.
CONCLUSION
In summary, Solera Networks' scalable packet capture and playback devices are an effective and powerful solution for organizations looking to rapidly comply with CALEA requirements. Solera solutions provide comprehensive monitoring with filtering and security designed to capture target communications and all relevant intercept details—all at a price point far below other alternatives.
Contact
For more information on how you can rapidly implement an intrusion detection solution using Solera Networks products, please visit our website at www.soleranetworks.com or call us at 801-623-5705.
DISCLAIMER
Solera Networks, Inc. manufactures devices that are widely used in Internet Service Provider networks and can be used as an integral part of a CALEA compliance solution. The information on Solera's website and in this paper is designed to help carriers and service providers with their efforts towards attaining CALEA compliance for their respective companies.
Nothing within this website or paper is for the purpose of providing legal advice. It is written for informational purposes only.
IMPORTANT: SOLERA NETWORKS, INC. IS NOT RESPONSIBLE FOR YOUR ORGANIZATION'S COMPLIANCE WITH CALEA. SOLERA NETWORKS, INC. WILL NOT PAY ANY FEES, FINES, OR OTHER COSTS ASSOCIATED WITH YOUR COMPLIANCE EFFORTS. THE INFORMATION HERE IS PROVIDED "AS-IS" AND DOES NOT CONSTITUTE LEGAL ADVICE. INTERESTED PARTIES SHOULD SEEK INDEPENDENT LEGAL COUNSEL WHEN REVIEWING ANY PROGRAM OR PLAN THAT IS DESIGNED TO PROVIDE COMPLIANCE WITH CALEA.


