
Northern California telephone and Internet service provider deploys Solera Networks deep packet capture and stream-to-storage appliance, becomes CALEA compliant, improves network security and performance and saves about $100,000.
CALEA (Communications Assistance for Law Enforcement Act) is a federal law that requires ISPs and telecommunication carriers to ensure their equipment, facilities and services are able to comply with warrants from law enforcement agencies for authorized lawful intercept (wire tap) requests. Failure to comply can culminate in the carrier receiving a $10,000 per-day fine.
Cal-Ore, a rural telephone company and ISP headquartered in Northern California, has been serving customers for more than 55 years. In order to comply with CALEA requirements, Charles Boening, Cal-Ore's network manager, considered three choices. First, they could do nothing and hope they never received a lawful intercept warrant request. Second, they could contract with a trusted third party (TTP) that would perform any tapping services and bring them into compliance, at a six-figure price tag with ongoing fees. Or third, they could purchase a Solera DS 1000 from Solera Networks that not only provided a low-cost and surprisingly straightforward solution to CALEA compliance, but also performed a number of network management functions that brought tremendous value and ROI.
Charles and his team began their exhaustive research to find the solution that worked best for their needs.
"We found a few options, but one of the requirements I had was that I wanted a solution that did something more than just strict CALEA compliance," he said. "Initially, the reaction was to turn to a TTP, but as it turns out, it just didn't make sense with the TTPs. They were asking us to spend in the neighborhood of $100K for a box that would sit there and wait for a warrant. I wanted something I could use on a day-to-day basis that would improve security and performance of my network."
Not only did the TTPs want to charge up front or on a monthly fee basis, but every time a warrant appeared, they would charge additional fees to fulfill the warrant. Furthermore, the TTP solution only covered a single site. With the Solera Networks product, they were able to purchase multiple systems for multiple sites at a fraction of the price the TTPs were asking.
"When it came down to it, the biggest bang for our buck was with the Solera Networks solution."
Charles purchased two Solera DS 1000 appliances. They added an additional 400 GB of storage, which brings their total storage for packet capture to 1.2 terabytes, and an additional four-port Ethernet card so they can create multiple capture points for traffic. "We not only capture Internet traffic but also traffic from other points in our network with the extra Ethernet ports," Charles said.
Charles says he was impressed with the install of the solution. "Once we decided on the Solera Networks box, compliance was relatively simple. All we did was put it in our rack, configure the IP address and tell it to start capturing—that's about it. It was actually a very easy implementation of the product. If we have a valid warrant come in, we can have packets being captured within five minutes."
While not being used to fulfill a warrant, Charles uses the Solera DS 1000 for complete network packet capture and storage. This has become an integral component to network management at Cal-Ore. For instance, if they come across a network traffic spike, Charles can use the appliance to "go back in time", watch what happened, and take appropriate action. The appliance captures every single packet, so he doesn't worry about making decisions on just a sample of data.
Even though going with Solera Networks saved Cal-Ore about $100,000 for their CALEA compliance solution, that was only part of the value Solera provided.
Charles is able to use the box for VoIP traffic analysis, analyzing call setup and teardown; mirror traffic right off the Solera Networks box into an Intrusion Detection System (IDS) for logging, history, alarming and notifications; and many other applications, including spam trapping.
"We'll hear from other providers telling us that we have a customer who is sending out spam," said Charles. "Before I disconnect that customer, I need to verify it is a legitimate complaint. I use the Solera Networks box to find specific traffic over a period of time and put it into an analyzer, such as Wireshark, to determine whether the system is sending out spam. If it is, I will then turn off the customer."
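The complaint check described above, as an added example that is not Cal-Ore's or Solera Networks' code: filter stored capture records to the customer's IP and the complaint's time window, then summarise outbound SMTP behaviour. The record format, the RFC 5737 documentation addresses and the distinct-host threshold are assumptions for the illustration.

```python
from datetime import datetime, timedelta


def parse_ts(text):
    """Parse an ISO-8601 timestamp such as '2008-03-04T10:00:00'."""
    return datetime.fromisoformat(text)


def build_sample_records():
    """Constructed sample export of captured traffic: (timestamp, src, dst, dport).
    Addresses come from the RFC 5737 documentation ranges; no real hosts."""
    base = parse_ts("2008-03-04T10:00:00")
    recs = []
    # Suspect customer: 40 short SMTP connections to 40 distinct hosts in two minutes.
    for i in range(40):
        recs.append((base + timedelta(seconds=3 * i), "203.0.113.45",
                     f"198.51.100.{i + 1}", 25))
    # Same customer browsing the web inside the window (not SMTP, ignored).
    recs.append((base + timedelta(minutes=1), "203.0.113.45", "198.51.100.200", 80))
    # An ordinary customer relaying mail through the ISP's own mail server.
    for i in range(5):
        recs.append((base + timedelta(minutes=i), "203.0.113.77", "192.0.2.25", 25))
    # Same suspect IP, but the previous day: outside the complaint window.
    recs.append((base - timedelta(days=1), "203.0.113.45", "198.51.100.99", 25))
    return recs


def outbound_smtp_summary(records, customer_ip, start, end):
    """Restrict the stored traffic to one source IP and one time window, as the
    abuse complaint describes, and count its outbound TCP/25 connections.
    Returns (connection count, number of distinct destination hosts)."""
    dests = [dst for ts, src, dst, dport in records
             if src == customer_ip and dport == 25 and start <= ts < end]
    return len(dests), len(set(dests))


def spam_verdict(records, customer_ip, start, end, min_distinct_hosts=20):
    """Direct-to-MX spamming shows as many SMTP connections to many distinct
    hosts; a normal customer relays through one or two mail servers.
    The threshold is an assumed tuning value. Returns (is_spam, count, distinct)."""
    count, distinct = outbound_smtp_summary(records, customer_ip, start, end)
    return distinct >= min_distinct_hosts, count, distinct


if __name__ == "__main__":
    window = (parse_ts("2008-03-04T09:55:00"), parse_ts("2008-03-04T10:10:00"))
    data = build_sample_records()
    for ip in ("203.0.113.45", "203.0.113.77"):
        print(ip, spam_verdict(data, ip, *window))
```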
Charles says security is enhanced as well. "With the Solera Networks solution, I can go back to look at the traffic to see exactly what happened. If I suspect network traffic crashed an application, instead of taking the risk of waiting for the problem to occur again, I have a way to go back to look and I can find out for sure what happened and then take measures to stop it from happening again.
"Being able to do more with the solution than just meeting strict CALEA compliance is one of the most valuable reasons we went with Solera Networks," Charles said.
Compliance with any regulation can be difficult to deal with, but when it comes to CALEA compliance, Solera Networks helps Cal-Ore comply and achieve a positive ROI.
"One of the most important points with CALEA is we get the bad guys. With a TTP solution, there is no buffer; they just send it out to Law Enforcement," Charles said. "The downside is that if there is some sort of interruption, the data is lost. With the DS 1150 from Solera Networks, we have the data, and can still deliver it. That is the most important thing."
Full Transcript of the Podcast
Cal-Ore, a regional telephone company and ISP in Northern California, needed to find a solution to become CALEA compliant. Trusted third parties (TTPs) were asking up to $200,000 for a solution and wouldn't provide any added benefit of monitoring Cal-Ore's network traffic to allow them to improve performance and service to their customers.
It chose the Solera Networks Deep Packet Capture and Stream Storage Appliance because it provides the dual purpose of capturing and storing all network traffic to perform historical analysis and also the primary function of becoming CALEA compliant. Only Solera Networks provides a positive ROI.
I wanted something I could use maybe on a day to day basis or on an as needed basis with other functions within the organization. We looked at three or four different products and what we came down, you know, the bang for the buck was with the Solera box.
Welcome to this Solera Networks podcast. Today we have Charlie Boening with Cal-Ore Telecommunications talking about why they chose the CALEA solution from Solera Networks.
Cal-Ore Telephone is a long world telephone company located in Northern California. We have about 2,500 access lines from our ILEC perspective and our traditional phone service.
The transition or the addition of Internet services was in the late '90s and started with dial up Internet.
From there, it expanded to offer Nortel 1 meg modem DSL service. We've been offering DSL service for I think about seven years now. And we've since transitioned into newer ADSL technologies to provide more bandwidth and higher quality service to the customers.
We still offer our traditional wire line service as our primary function as a phone company. We're also delving into voice over IP and offering that in alternative areas outside of our primary service area.
The requirements that the FCC put forth for broadband carriers to offer CALEA assistance to law enforcement led us down the path to research. Initially the reaction was to go with a trusted third party. And the trusted third parties wanted a lot of money.
We were hitting six figures. So we started searching for alternative options. And we found quite a few alternative options, decent prices. One of the requirements that I had when we were looking at some of the alternatives was I wanted something else I could use the box for.
It didn't make a lot of sense like with the trusted third parties where you spend, you know, 80, 100, $200,000 whatever you get into it, and that's all it does; it just sits there and waits.
I wanted something that I could use maybe on a day to day basis or on an as needed basis with other functions within the organization. We looked at three or four different products. And what we came down, the bang for the buck was with the Solera box. We could be approached by law enforcement to provide real time streaming of a customer's data back to them within the confines of the warrant.
If they show up with a warrant for e-mail traffic coming from a customer and they want a live feed on that traffic, or instant messaging traffic and they want a live feed, that's from a broadband provider's perspective.
From a VoIP provider's perspective, they're going to want to see call identifying information and they're going to possibly want the actual RTP stream, the meat of the call, the actual voice that's inside. We could also use it to capture VoIP traffic that's not ours.
If we were approached by law enforcement to capture traffic for a customer and provide it on a real-time basis with the Solera box, we can capture anything. We have a Solera DS1000 with an additional 400 gigs of storage. So we have 1.2 terabytes total.
And we also added an additional four-port Ethernet card so we can bring data in from multiple locations within our office and create multiple capture points for traffic.
So we're not just capturing at the edge as the traffic goes to the Internet. We can leave that in place and capturing but we can also utilize those extra ethernet points to capture traffic from another area of our network, say, between two customers, say a wireless customer and a DSL customer or something along those lines.
From the hardware implementation standpoint, once we decided on the Solera box to provide that functionality, it was actually very simple. We ordered the box. It showed up within about three days. Pull it out. Pop it in the rack. Configure the IP address on it, tell it to start capturing. It was actually very easy in actual implementation of the product.
The trusted third party solution and that high five figure, six figure scenario would have actually only given us a solution for one site. And the plan was to do it just in time, where we would ship that solution from site to site as needed.
With the Solera solution, because of the lower cost, we were able to buy multiple systems for multiple sites and maintain a reasonable CapEx on that. That was the process that we had to get to get there. Gosh, we can buy one really expensive one and go through the pain of shipping it around, reconfiguring it every time somebody needs it, problems with the trusted third party. Every time you had a law enforcement request come in, the trusted third party wants more money.
So not only did they want money for the box up front or on a monthly basis, but every time you get a warrant they want more money.
With the solution we have now, we have Solera boxes in two locations, one with Western New Mexico Telephone and one with Cal-Ore Telephone. And the plan today is to buy another Solera box for our DFT site in New York and possibly even a couple more Solera boxes for other sites, kind of building up as we go.
While not being used in a capacity for CALEA, we're using the Solera box for general everyday traffic packet capture functionality, where I can go and I can say, I can look at some traffic graphs and I can say, my gosh, there was this huge spike of this traffic over here, what happened. I can go back in time, pull that data off the box, and run it through an analyzer and see what was going on.
The other things I've used it for, VoIP analysis, I've captured VoIP traffic. And between our Class 5 switch and CPE devices, for analyzing call setup and tear down, where I may not have an actual device in line.
I can't drive out 20, 30 miles to capture that traffic and then come back. Likewise, I don't capture the traffic right off of our Class 5 switch.
Other things I've used it for include spam trapping. I'll take a look at traffic on a periodic basis. We'll get complaints of customers saying that their computer's not working. I can go back, well, geez, look at all this traffic that was coming out of you, looks like spam.
We'll get e-mails from other service providers saying this computer on your network is sending out spam. Before I disconnect the customer, I like to verify that and make sure that it's a legitimate complaint and see if I can verify that that customer had that IP address and the type of traffic that was being emitted from them was indeed spam.
So if the customer is not online and they're not emitting any of that traffic, I don't know, is it a legitimate complaint or not. So I can go back into the Solera box for a time period and find that traffic, pull it out, bring it into Wireshark, analyze it and say, yeah, this is definitely junk and go turn off the customer.
There are quite a bit of different open source tools that I use. Chaos Reader is one. And Chaos Reader is a real handy utility that will recreate the data within the packet capture. So you can run this across the captured data and you can look at the web pages or the e mails that were done.
Other tools that I've used, I've used a Clear Site tool. Wireshark is by far the one I've used the most. I've thought about running traffic into an IDS, mirroring it right off the Solera box into an IDS just for logging and history and alarming and notification.
The nice thing about it is I already have the data coming into the Solera box. To spit it back out on another interface is not that big of a deal.
When the traffic comes in, I can replay it out into [inaudible], for instance. I can replay it out into a program called ntop. That will give me history on top talkers and who is transferring the most data, things like that.
From a live traffic standpoint, Packet Capture is handy to see what's going on right now. This is what's happening. When you start looking at it from a more historical standpoint, you can see what happened instead of what's happening.
And I think that's important because you don't always get the problem when the problem's happening. It's, hey, yesterday I was having a problem with this and I couldn't send this e-mail. Why? Did it even make it here? So the choices are to continue working with the customer on the phone, have them try it again, maybe it works now, maybe it didn't then. If all you have is live traffic capture, you can't go back. You can't go see what happened. But if you have the ability to go back in time and look at that traffic, then you can look and you can say, oh, there's the problem, the guy had his password wrong. Or, there's the problem, the server wasn't responding. So I never saw the traffic, or different things you can look at depending on the problem to try and figure out what the problem was.
One of the important things is being able to go back and look at that data. Ideally, you'd have an IDS that could capture it in real time or some way to prevent it in real time.
But in this day and age it's hard to keep up with the bad guys. Especially being a small ISP, sometimes we find ourselves being more reactive than we do proactive. And a lot of that is due to costs.
IDS systems aren't cheap. How many customers does it take? How much revenue do you have to work with to put a big enough system in place? And so I find myself using a lot of open source tools just because of that. It's great. Some of them are better than the commercial tools I've seen. Some of them aren't. But you use what you have, what tools you have.
And Solera boxes fit really nicely in there because I can go back and look at this traffic in time. I can go back and see what happened that made the mail server break or what happened that made the web server break.
Somebody says, hey, your web server is down. Really? It was up 10 minutes ago. What happened? Okay. It crashed. Was it network traffic that made it crash? Or was it some other issue? If it was network traffic that made it crash and the time has passed, now what?
It's done. I have to wait for it to happen again. If it was network traffic that made it crash, and I have a way to go back and look, then I can go back and look. I can pull that traffic out. I can replay it against the web server. Crash. Oh, there's the traffic that made it crash. Or if it doesn't crash, then you can say, well, okay, it wasn't network traffic and maybe it helps get you going in a different direction.
I would say within five minutes of validating that it's a justified warrant, I could have a packet being captured for a particular customer. But the trusted third party solution, there is no buffering of the data or that break, that communication from the capture box to the law enforcement agency, then they're not receiving their live stream anymore.
And any data that's coming into that trusted third party box is gone. And so I guess my point is at least we're still buffering it locally, and if the stream is broken, we still have the data.
With the trusted third parties we didn't feel like we got that functionality. We're very pleased with our purchase of the Solera DS1000. We're very confident that it will be able to perform the CALEA operations that it was purchased for.
We are currently using it in a capacity to capture and retrieve historical network traffic for analysis purposes, and it does that very well.
We've also recommended Solera to two other service providers, both of which have bought systems. One bought a single box and another service provider bought two boxes.
Now, that's completely outside of our organization. I felt comfortable enough that it would resolve their CALEA needs that I could recommend the box.