
Skyriver needed a cost-effective solution to quickly bring them into CALEA compliance. Solera Networks provided its Solera CALEA Appliance to enable Skyriver to provide lawful intercepts or "wire taps" when requested by Law Enforcement Agencies.
Skyriver is a fixed-wireless broadband carrier located in San Diego, California, providing enterprise grade high speed internet access to businesses throughout Southern California. In addition to enterprise grade bandwidth, they provide typical Internet Service Provider (ISP) solutions, including web-hosting, spam filtering and e-mail intrusion detection services. They also provide on-site network services and full infrastructure management and maintenance, and they deploy and maintain WiFi hotspots for hotels and other hospitality organizations. Skyriver has 40 employees located in Los Angeles, San Diego and Riverside, California.
In 1994, the U.S. passed a law called The Communications Assistance for Law Enforcement Act (CALEA). This act states that communications providers, including telephone companies and network and service providers must have the ability to tap any communication or data transfer carried over their networks when they receive a request from a Law Enforcement Agency—a procedure called lawful intercept. For a small to medium ISP, this mandate can be an overwhelming prospect and the implication of the act seems to call for complicated, very expensive solutions.
"There were a lot of nebulous unknowns about the law and we had to educate ourselves to find out what our responsibility actually was," says Brad Slavin, Vice President of Engineering and Network Operations for Skyriver. Once the rules were clarified, Slavin's role was to do a comprehensive due diligence and feasibility study by interviewing a number of network traffic monitoring vendors and Trusted Third Parties (TTP). "To become compliant we needed a vendor who understood what the requirements were, how they were going to impact an organization like ours and how to best respond to any lawful intercept requests we receive from approved agencies," he said.
"We looked at about nine different vendors," Slavin said. "Most of their solutions were coming in at $40k or more and we couldn't justify that price for the sole purpose of becoming CALEA compliant. Also, the way they were requiring us to architect the network just didn't make sense. One of the specifics most of the TTPs and appliance vendors had was their requirement to install one appliance at each Internet egress in order to be compliant. And from my perspective, there had to be a better way."
Fortunately, Solera Networks was among the nine vendors Skyriver evaluated. Not only did Solera Networks provide an appliance to help Skyriver meet the CALEA regulations, the appliance also provided the added benefit of allowing Skyriver to monitor their own network traffic and improve performance for their customers—at a fraction of the cost of the other vendors.
Skyriver found that Solera Networks' complete packet capture and stream-to-storage technology provides an elegantly simple CALEA compliance solution with full traffic recording, filtering and detail logging at a price point vastly lower than the competition. Solera Networks' appliances, combined with standard packet analysis software, provide everything necessary to capture, analyze and preserve all digital communication sessions – VoIP, e-mail, chat, instant messaging, HTTP sessions, etc. – along with related intercept information.
The 1U Solera CALEA Appliance captures at OC12 data rates, has onboard storage capacity of 800 GB, and is designed to be deployed via a SPAN port or network TAP, allowing for streamlined and invisible network packet capture.
Once the data is captured, the network traffic can be accessed by LEAs through either an industry standard pcap file, a virtual network interface (Ethernet) device or a regenerated stream of packets to external network segments feeding external appliances or applications. Solera Networks also integrates with iSCSI and Fibre Channel providing numerous options for external storage.
"When I initially learned of Solera Networks and its CALEA solution, I was stunned at the pricing," Slavin said. "It was about a quarter of the cost of anything else I had seen on the market and for a while I actually doubted they would be able to deal with the compliance issues in a solution that cost less than $10k. I was pleasantly surprised."
"The bottom line is we have received our response from the FCC," Slavin said. "We have been stamped and signed off as a 'CALEA Compliant' ISP and we are ready to respond in any of our markets to a lawful intercept request at the drop of a hat!"
Lawful intercept was the initial reason Skyriver implemented Solera Networks' appliance, but this is only one area where Solera Networks solutions improve a company's network performance. With full capture, filter and playback capabilities combined with other standard network analysis tools, Solera Networks gives Skyriver a comprehensive historical engine to improve network security, enable network forensics and analysis, and improve overall network performance. In addition to reconstructing communications, Solera Networks solutions can be used to detect intrusions and determine sources of high bandwidth use or erratic activity.
"It's my expectation that when using the device to perform network analysis, if there is an event, it's going to really reduce our time to respond. It seems that we started out looking for a hunting knife but ended up getting a Swiss Army Knife. Because it provides a complete and accurate picture of network activity and performance, this is going to handle a lot more of our day-to-day networking needs than being a dumb box that just sits there, waiting for a specific lawful intercept request that may or may not happen any time soon," he said.
"From a capture perspective this is not only a CALEA compliance solution but also a robust and cost-effective solution," Slavin said. "We've really shifted from an 'I wish I could' perspective for our engineers to a 'Hey, I know we can do this!'"
Full Transcript of the Podcast
Skyriver Incorporated, a broadband wireless carrier from San Diego was faced with the impending CALEA deadline. They needed a solution that would make them compliant to this government mandate requiring them to be able to tap anything that passes over their network.
We had wanted a hunting knife and we ended up getting a Swiss Army knife that was really going to handle a lot more of our day to day networking needs than being a dumb box that just sat there waiting for a specific request that may never come.
Welcome to this Solera Networks podcast. Today we have Brad Slavin, VP of Engineering and Network Operations at Skyriver Incorporated, talking about his experience with the Solera Networks CALEA appliance.
Our core competency is to provide enterprise grade business level high speed Internet access over the spectrum exempt frequencies.
We have three distinct verticals that we support. Primarily the core competency is the enterprise grade Internet access, and then we also provide wireless services and technical support and billing for hospitality.
From a CALEA compliance perspective, we've known that this requirement has been on the books for a number of years. There was some question on whether or not we would be subjected to that as a broadband wireless Internet service provider that didn't provide voice over IP systems.
And once the rules got clarified, my role as the VP of Engineering for the organization was to do a comprehensive due diligence and feasibility study interviewing a number of vendors and TTPs, which are trusted third parties, to become compliant to both understand what the requirements were, how they were going to impact an organization like us and what the most effective way to implement and to respond to any lawful intercept requests that we receive from an approved agency.
A lot of what I learned was not everybody understands it the same way. It was more of about a framework that had specific sets of criteria versus this is exactly what you would need and how you would need to do it.
There was a lot of nebulous unknowns, and each vendor took a completely disparate approach to compare these type of solutions. One of the things that were stated was you could create your own home grown solution or you could use trusted third party or you could speak to your hardware manufacturers and see if they were going to be supporting lawful intercept on their code base.
So it was really up to us and my engineering team to pull this information together, find out what the commonalities were and work with the vendors to make sure that we understood exactly what our expectations from a response time and from a capture perspective were and come up with what we think is not only a compliant solution but also a robust and cost effective solution.
We have submitted the paperwork. We've received our response from the FCC. We have been stamped and signed off as a CALEA compliant Internet service provider, and we are ready to respond in any one of our six locations to lawful intercept requests almost at the drop of a hat.
I think we interviewed three hardware providers, people who are appliance makers, and I think six separate trusted third parties, and it became a balance of cost, time to implement and understanding the way our network was architected in making our final decision.
Initially, when I found the Solera website and the CALEA tab on that particular location, I was sort of stunned at the pricing that I had seen. And for me it was about a quarter of the cost of anything else that I had seen on the market. And for a while I actually doubted that there was a way that somebody was going to be able to deal with the issue in a sub $10,000 solution.
One of the specifics about most of the TTPs and the other appliance vendors that we had spoken about was their requirement to have one appliance at each Internet egress in order to be compliant.
And from my perspective there had to have been some there had to have been a better way.
And working with the engineers over at Solera, we exchanged some Visio diagrams over the course of a couple of weeks, and we were able to work together with our hardware vendor for our routers, which is Cisco, and come up with a solution that was not only compliant but in full implementation including our Cisco updates.
I think it worked out to be somewhat less than $15,000 to cover all six locations, which was considerably less expensive than the 150 that we had gotten quoted for all locations or the $2,200 a month from trusted third parties, which was the average of the average quote.
We went over our network architecture, what our back hauling, what our latency looked like. And we all came to the determination that this was going to work.
And, also, we tested this to make sure it actually does work. We have yet to receive an intercept request. But I had a high degree of confidence that we would be able to meet even the four hour window as placed on by an Amber Alert requirement.
After I had created the diagram with Solera, we ended up sending what our proposed network was going to look like to one of the TTPs, and we got feedback from one of their engineers that they said, you know, we had never thought of architecting a network this way; we can see now how there were other ways to approach this.
And I greatly appreciate the Solera folks for having the insight. And this is like this is not a BS smoke thing to understand what your box can do, what the interoperability was going to be like from a major vendor like Cisco, and delivering us a solution that really just met our compliance and our peace of mind needs.
It seems that we had wanted a hunting knife and we ended up getting a Swiss Army knife that was going to really handle a lot more of our day to day networking needs than being a dumb box that just sat there waiting for a specific request that may never come.
We have network taps in place right now that we end up doing libpcap or serial dumps. But the line speeds of some of the captures and then our ability to go back and view it was you're loading a lot of data in an interface that's sort of cumbersome. And there was really no way to do any slice in time playback and the ability to really understand the mechanisms of what happened at your network at a specific slice in time.
So everything we have used has been from an open source perspective, tcpdump. But it's viewing interface that you guys have that is going to make interpretation a lot more seamless.
We've opened up a Cisco tech case right now because we're having some BGP difficulties with two of our upstreams. They are both insisting that they're sending us all of the appropriate information.
But our Cisco is only seeing the default route coming from one side. And looks like almost there's data that's either not making it to us or that Cisco is not seeing it.
So we have an intention of putting this on the ethernet interface on our WAN side to be able to do debugging on this network traffic and hopefully get this issue resolved.
Because, for us, BGP and our failover is part of our ability to provide mission critical services. So specific protocol issues that exist, I think we've really shifted from a "I wish I can" perspective for our engineers to a, "Hey, I know that we can do this."
It's just another piece in the toolkit.