Lawful Interception Case Studies for ISS Solutions

Special Topic of Telecommunication Network

Chapter 7

Case Studies for ISS Solutions

Aris Cahyadi Risdianto23210016

Case Study 1: Wireline Voice Intercept and Surveillance Solutions from Lucent Technologies


CALEA function provide by TSP

•Access: network entity intercepts and reports call data and/content to LEA•Delivery: network platform provide interface to LEAs for delivery of call content/data•Administration: capability that establishes and maintains surveillance with TSP

Level of Surveillance

•Level I — call related information: Only call-identifying information (CII) is reported, and it is intended to satisfy pen register and trap and trace court orders.•Level II — call and content related information: The intent is to satisfy a Title-III court order.


CALEA Interfaces (SAS, CDC, and CCC)

Surveillance administration system (SAS) for provisioning using existing 5ESS TTY ports

CDC for reporting CII (CDC messages) from the switch to the LEA CCC for delivering call content from the switch to the LEA

Conclusions

J-STD-025 compliance : allowing TSPs to meet their obligations under CALEA

Flexibility: Different LEAs in different locations may require different CALEA interfaces

Cost: Integrated delivery function and dial-out capability significantly reduced the costs

Evolution: Current 5ESS CALEA solution can be adapted to future technologies without any effect

Case Study 2: Lawful Interception in CDMA Wireless IP Networks from SS8 Networks


Reference Function

AF through IAP responsible for providing access to an intercept subject’s communications and CII.

DF is responsible for delivering intercepted communications and CII to collection functions.

CF is responsible for collecting lawfully authorized intercepted communications and CII for an LEA. CF handle by the LEA

IAP on the CDMA 2000 Packet Data Network

AAA (IAP for CII) PDSN (call-content IAP for simple IP) HA (call-content IAP for mobile IP)


Typical call flow scenarios are addressed

Scenario 1: Intercept Provisioning, Target Not Involved in Data Session

Scenario 2: Intercept Provisioning, Target Involved in Data Session Scenario 3: Data Session Termination Scenario 4: Intercept Expiration, Target Inactive Scenario 5: Intercept Expiration, Target Active

Case Study 3: LIs for 3G Networks Using ALIS

Uses of 3G Technology and Implications for Lawful Interception

Voice, increasing proportion of LI requests from LEAs because increasing amount of voice traffic as users migrate from wireline to wireless services.

SMS, LI will have to address growing use of the service among interception targets.

General Internet connectivity, added complication of the mobility of the target, the proportion of Internet communications over mobile networks will grow because more "safer" for crimininals and variety of devices with which to communicate (modem, PDA, etc)

High-speed photo and video clip upload and download, LI need to be prepared to intercept video and still imagery in against abusers.

Multimedia games, LI tracking users and sources of games involving illicit thematic material (child pornography, gambling, and hate targeting).

VoIP, VoIP traffic raises a number of technical and legal issues that cannot be ignored.


Lawful Interception in 3G Networks

Figure 7.16 and Figure 7.17, give visualization of where to capture call data (IRI) and call content and also where LI management functions flow.

Figure 7.18, provide a closer view of interception topology in 3G networks (sufficiently general to include cdma2000) for circuit-switched network operations.

LI management commands are conveyed between the administrative function (ADMF) and other network elements via the X1 interface.

Intercepted call data (IRI) are conveyed via the X2 interface. Intercepted call content is gathered via the X3 interface, and relayed

to LEA using HI3.


ALIS in 3G Networks

Implementation of ALIS as a mediation platform in a UMTS and cdma2000 network shown in Figure 7.20 and Figure 7.21

Important are the call data, call content, and LI management paths leading from ALIS-D and ALIS-M to the appropriate network elements and functions.

Conclusions

The processes are delineated by architectures, such as specified by ETSI, 3GPP, and ANSI, that facilitate systematic implementations and provisioning of LI systems.

The challenges to lawful interception remain, including the need to support a diversity of services, vendor technologies, wireless networking technologies, voice, and a multiplicity of high-speed data services.

Case Study 4: Lawful Interception for IP Networks Using ALIS

Interception of Internet traffic involves complications

Target source and destination identities embedded on overall data flow

Target and non-target data are mixed at numerous IP circuits and network elements

Many parties involved in transporting data (access, transport, core) Current laws on how to handle Internet interception are not clear. Separation of applications and data from the flow are difficult There is a lack of standards implementation


IP Interception Examples (Internet Access)

Internet Access Target Identification : LEA must coordinate interception activities with the TSP, regarding IP addresses which assigned through DHCP (including AAA) and fixed IP addresses assigned to customers business (T1, xDSL, etc). Others identifiers (username, ethernet address, Dial-in calling number identity, etc)

Collected Data (IRI) : Identity target, service and access, time of access success or denied, access location, etc. This data delivered to LEA through HI3 interfaces, but make sure LEA not become IP address spoofing

Lawful Interception Configurations for Network Access (shown in Figure 7.24a to Figure 7.24d) : interception points implement internal interception by applying probes or networking interfaces to local networks,access loops, routers, gateways, AAA functions, and so forth


IP Interception Examples (Email)

Collected Data (IRI) : Server IP, Client IP, Server port, Client port, E-mail protocol ID, E-mail sender, E-mail recipient list, Total recipient count, Server octets sent, Client octets sent, Message ID, Status.

Internal interception take place in the context of any e-mail server to identify targeted e-mail traffic and route the corresponding call data (CD) information to the mediation platform

LEAs as well must deal with spam to ensure not receive modified header on the email, use reverse DNS lookup practices to authenticate the origination of an e-mail, and subscribe to the e-mail blacklists for spam prevention.


IP Interception Examples (VoIP)

Call control events : answer and origination target, release and terminated attempt.

Signaling events : Dialed digit extraction/DDE (captured extra digit after call connected), Direct signal reporting (signaling message), Network signal (activity network for provide signal), Subject Signal (signal initiate features)

Feature use events : signaling associated with conference calling, call transfer, and other call feature

Registration events : occur when the target provides address information to the VoIP network


ALIS for IP

ALIS Internet access (Figure 7.28) : data information is extracted from RADIUS server and access termination point (CMTS, DSLAM, or modem pool). An internal intercept function (IIF) in a router replicates call content to and from the target and sends this data to ALIS-D.

ALIS mediation platform for e-mail (Figure 7.29) : Relevant e-mail header and other protocol information captured directly from the e-mail server as call data and routed to ALIS-D for reformatting and delivery to the LEA, while contents of e-mail messages routed to ALIS-D as call content.

ALIS for VoIP Calling (Figure 7.30) : ALIS-M sets triggering events for relevant network equipment, including the call agent (gatekeeper, SIP server, gateway, etc.) and routers assigned to capture data flow. Call data information is extracted via internal interception and sent to ALIS-D for processing.

Case Study 6: Monitoring and Logging Activities

Features of monitoring and logging for conducting LIs:● Site-usage analysis: provides an understanding of how visitors

(target) interact with Web sites● Site-user analysis: particular messages to increase the likelihood that

site visitors (targets) will be interested on web site information● Site-content analysis: analyzes the content and structure of Web sites

that may help indirectly with recognizing usage patterns

Features and Attributes of Monitoring and Logging Tools● Monitoring devices used at distributed locations● Monitors are passively measuring the traffic in the network segments● Data-capturing technique is also very important (location of probe,

capturing schedule, location of logs)● Intelligent filtering during collection and data compression/compaction ● Management of log files is very important (automatic log cycling,

Visitors clustered)● Predefined reports (template) and scheduler report


IP Monitoring System (IMS) from GTEN AG● Data Collection and Filtering Subsystem : deployed in strategic field

with DCFD as for target monitoring based on log-in identification.● Mass Storage Subsystem : file server acting as the mass storage

which receive pre-filtered data from data collection and filter subsystem manually or automatic triggered.

● Data Re-Creation and Analysis Subsystem : recorded data viewed by standard browser (example e-mail displayed in e-mail format and an Internet page displayed as Internet page) including WWW sessions, FTP transfer, Email, Chat, Radius, etc.

Typical Monitoring Applications● Web-Site Monitoring : collect all traffic moving to and from a particular

Web site, which done by wiretaps on Internet line and on Radius Server connection in order to correlate data recorded.

● Target Monitoring : monitored target must have unique ID (fixed IP address or user ID in RADIUS server), which DCFD sniff the all the packet after retrieves assigned IP address from RADIUS.

Case Study 9: MC Case Examples from Siemens AG

Fixed Network — PSTN● Network Protocols : E1 to network switches and EDSS1 line protocol.● Network Switches : Any manufacturer switch comply to ETSI standard

such as Siemens, Ericsson, Alcatel, and Nokia switches.● Interception and Recording Modes : can be setup as mono or stereo,

and compression mode to save space● Types of Interception : conversation, call-related information, DTMF

transmission, SMS, Fax, and modem● Interception Management Systems : Any IMS comply ETSI standard

such as Siemens LIOS, Utimaco IMS, Ericsson IMS, and Alcatel IMS

Mobile Network — GSM● Feature highlights are identical with intercepting fixed networks.● Add-On Systems : location of the mobile cell is known through GIS


Mobile Networks — GPRS/UMTS● Network Protocols : E1 to network switches and EDSS1 line protocol.● Network Switches : Any manufacturer switch comply to ETSI standard● Interception Types : IP traffic on the packet-switch● Add-On Systems : based on current location information can indicate the

direction of travel● Feature Highlights : IP traffic with the attributes read, view, navigate entire

Web, e-mail, FTP, and chat sessions.

Internet Monitoring● Data Collectors : data collectors to connect points on the Internet to intercept● Internet Applications : all IP traffic with decoding support for Web, Email

(SMTP, POP3, Webmail), and Chat (IRC)● Internet Access Points : collectors to any IP source such as GPRS switches,

ISP SPAN ports, Internet backbone links, orInternet core computers● Physical Interfaces : support many physical interfaces include Ethernet 100

Mbps, Ethernet 1000 Mbps, and OC3● Filtering : applied by the MC mediation device to collector, and filters IP data● Back-End Internet Applications : operator can replay visited Web sites and

viewed Web pages by the target user● Interception Management Features : offered a single unified set of interception

management features

Conclusion

Case studies, in addition to the necessary level of awareness regarding product features, can help provide an understanding of how to deal with practical solutions. This chapter has addressed nine different cases — with some overlaps — that represent actual telecommunications services and products.

These case studies, e.g., for wireless networks, packet data applications and VoIP, show that there are no technological barriers to lawful interception activities

Thank youThank you

Lawful Interception Case Studies for ISS Solutions

Documents

Transcript of Lawful Interception Case Studies for ISS Solutions