Presentation is loading. Please wait.

Presentation is loading. Please wait.

SS8 Lawful Intercept Briefing

Published byHollie Fowler Modified over 9 years ago

Similar presentations

Presentation on theme: "SS8 Lawful Intercept Briefing"— Presentation transcript:

1 SS8 Lawful Intercept Briefing

2 SS8 Networks Overview Privately held company with 20+ years of operating history 12 years providing Law Intercept solutions Headquartered in San Jose, CA Market leader in lawful intercept delivery function solution 250 worldwide service provider customers OEM relationship with some of the largest equipment vendors (Lucent, Nortel, Alcatel)

3 Agenda What is Lawful Intercept (LI) How does it work
Rules, Regulations and Successes

4 What is Lawful Intercept?
The targeted intercept of voice and data services, by a service provider on the behalf of Law Enforcement, when authorized by a court Uses: Criminal - Investigation and Prosecution of criminal activity Intelligence Gathering - Investigation of individuals for Homeland security, anti-terrorism and other threats

5 How is Lawful Intercept performed?
Identify the user Determine the target identifier (phone number, address, IP address etc.) Wait for authentication When the target utilizes the network they must be authenticated. Watch for that event. Find the edge When the target authenticates, find the edge device closest to the target (so as not to miss any peer-to-peer transactions) and obtain a copy of the target’s communications.

6 Lawful Intercept Network Architecture
Service Provider Domain Access Function Delivery Function Collection Function Law Enforcement Domain Access elements that provide connectivity to target’s voice & data communications Identifies and replicates target’s traffic PSTN switches, SBC, routers, BRAS SS8 passive probe Provisions the access elements with target identifying information Receives target information from access elements typically via custom interface Correlates and converts raw target traffic to standards based interface towards LEA Recording and storage of intercepted traffic Analysis tools to track, correlate and interpret intercepted traffic Support of delivery standards SBC Phone switches LEA Raw Network Data Xcipio VoIP Call Agent Routers, data switches Standards Based Delivery (J-STD, ETSI, PacketCable) Passive probe

7 Defining the Interfaces
Service Provider Domain Access Function Delivery Function Collection Function Law Enforcement Domain Phone switches SBC Provisioning Internal Network Interface #1 Provisioning Handover Interface #1 INI-1 HI-1 LEA Raw Network Data Xcipio VoIP Call Agent INI-2 Communication Data / Signaling Internal Network Interface #2 HI-2 Why a Delivery Function? Law Enforcement lacks the expertise, resources and time to develop interfaces to all network elements and protocols The Delivery Function has to be a carrier class network element, not PC based. Centralized Command and Control for all LI activity in a carriers network DF creates a single interface point for network elements and law enforcement Carriers don’t need to learn the LI functions of multiple devices, reduces costs for training, maintenance and OPEX More secure solution (isolated, fewer people involved) Number of network elements has increased significantly from one or two phone switches (routers, CMTS, gateways etc.) Data / Signaling Handover Interface #2 Routers, data switches Standards Based Delivery (J-STD, ETSI, PacketCable) HI-3 INI-3 Media Content Handover Interface #3 Media Content Internal Network Interface #3 Passive probe

8 Methods for Lawful Intercept
Active Approach Work with the network equipment manufacturers to develop lawful intercept capability in the network elements. Utilize existing network elements for lawful intercept Sometimes serious impact to network performance No need for additional hardware Passive Approach Use passive probes or sniffers as Access Function to monitor the network and filter target’s traffic Requires expensive additional hardware No impact to the network performance Hybrid – utilizes both

9 Active Approach to IP Data Intercept
Target Subscriber Law Enforcement Agency Service Provider Domain AAA Server Router LI Administration Function Law Enforcement Monitoring Facility Internet Provisioning of Warrant HI-2 INI-1 Admin SNMPv3 Request HI-1 Authenticate Radius XCIPIO INI – 2 IRI HI-3 Intercepted Data – INI-3 Data Stream/IP Access

10 Passive Approach to IP Data Intercept
Service Provider Domain Law Enforcement Agency LI Administration Function HI-1 Provisioning of Warrant Law Enforcement Monitoring Facility XCIPIO AAA Server HI-2 INI -1 Provisioning HI-3 Provisioning Report Intercepted Data INI-3 Radius Authenticate Report IP Address INI-2 Internet Aggregation Router Data Stream/IP Access Target Subscriber WLAN

11 Standards

12 Standards: Impact and Use
One exception is PacketCable. It also defines how the AFs in a cable network communicate with the DF Use: Mainly used to define how the DF communicates with the CF Initiated by US legislation called CALEA – Communications Assistance for Law Enforcement Act. This act required the Telecom industry to come up with standards for accessing and delivering intercepted communications to the LEAs. The standard they created is called J-STD-025, it describes how call data and call content is delivered to the CF from the DF. Before that custom solutions were developed or bought by Law Enforcement and placed at the service providers premises. Since J-STD was adopted several other standards have emerged: J-STD-25A – Punchlist J-STD-25B – CDMA2000 wireless data PacketCable – VoIP for Cable networks T1.678 – VoIP for wireline, PTT, PoC ETSI – GPRS wireless data ETSI – ISP data intercepts Access Function Delivery Function Collection Function Service Provider Domain Law Enforcement Domain BRAS Phone switches LEA XCIPIO VoIP Call Agent Routers, data switches Impact: Standards made cost effective solutions possible. Without standards it would be a totally custom environment without any ability to produce off-the-shelf, reproducible products. Standards defined the components: Access Function (AF), Delivery Function (DF), Collection Function (CF) Standards defined the demarcation points and the need for interfaces Passive probe

13 A bit about Xcipio

14 The Components of Xcipio
Service Provider Domain Access Function Delivery Function Collection Function Law Enforcement Domain Provisioning Internal Network Interface #1 Provisioning Handover Interface #1 INI-1 HI-1 LEA Xcipio INI-2 Communication Data / Signaling Internal Network Interface #2 HI-2 Data / Signaling Handover Interface #2 At this point we have seen where Xcipio fits in the architecture. And we’ve seen what the standard connections are between the network elements (Access Functions) are Xcipio (CLICK) And we’ve seen what the standard connections from Xcipio to Law Enforcement are (CLICK) Now lets look at Xcipio itself and look at the hardware, software and licenses that it is comprised of (CLICK) HI-3 INI-3 Media Content Handover Interface #3 Media Content Internal Network Interface #3

15 The Components of Xcipio
Provisioning Element: Database, supports User Interface, maintains all warrant information, creates shared memory image of intercept information User Interface Remote or local access to Xcipio Intercept Engine: Receives call data, call events, network signaling, INI-2 and HI-2 LIS: Signaling stacks (SIP,SS7), TCP/IP stacks, error logs, alarms, SNMP, Managed object structure etc. INI-1 Provisioning Element Database, User Interface HI-1 PE-2200 Software module INI-2 Intercept Engine Call data, call events, signaling HI-2 Content Processor processing, routing, replicating, identification, encapsulation, encryption and delivery of content (packet and/or TDM voice) to law enforcement in real-time. IE-2100 Software module LIS – Lawful Intercept Server Core Software Application - real-time processing - LIS Software release Primary Server Physical Layer Sun servers, Ethernet connectivity, IP packets, switch matrix cards IP Packet processing (CLICK) The primary element of the Xcipio solution, at the physical layer, is a Sun server called the Primary Server. There are other hardware elements and we will get to them shortly. The Primary Server is the main command and control platform for the whole solution. (Click) On this platform runs the core software application LIS (Lawful Intercept Server). LIS performs core functionality like maintaining TCP/IP stacks, errors, alarms, SNMP interfaces, logging, signaling stacks etc. This layer is built on the original SS7 real-time, carrier class switching and signaling application. We have leveraged our own product, that has been deployed in xxx countries by xxx vendors in over xxx networks, in order to build our LI application. The heritage of this real-time robust application development environment has made Xcipio the carrier class product it is today. (click) LIS has 3 components, this first of these is the IE-2100 (the Intercept Engine). The Intercept Engine is tasked with processing signaling events, call data events. And if you remember back to the different interfaces that exist in a LI solution (INI-1, HI-2 etc.), the IE-2100 is responsible for maintaining INI-2 and HI-2 (Click) The second component of LIS is the Provisioning Element (click) The Provisioning Element maintains the database, supports the User interface and is the entry point for all intercept information. It also copies intercept information into shared memory (more on that later). And just like the Intercept Engine, the Provisioning Element is also responsible for INI and HI interfaces: INI-1 and HI-1 (click) The third component of LIS is the CP-2300 (Content Processor) (click) The Content Processor is responsible for getting the content of the communication session (VoIP, Wireless data, ISP, Voice etc.) from the network to the LEA. It is responsible for the last set of interfaces: INI-3 and HI-3 (click) The CP-2300 also introduces some additional hardware to the Physical layer. The first of these is another Sun server that does Packet processing. (click) This Sun server functions as a CP-2300 and handles all IP traffic (VoIP, RTP, HTTP, HTML etc.). The second possible CP-2300 hardware element is TDM switch matrix (click) This product allows TDM voice (wireless or wireline) to be delivered to Law Enforcement. This product comes in different configurations and scales from 1x1 to 8x8. The last type of CP-2300 is the ASX-2500 probe. (click) While normally used as an Access Function it can also be used to deliver content directly to the LEA. In addition to the Primary The physical layer of Xcipio is made up of one or more Sun servers, Ethernet connectivity, depending on the network and the configuration. Passive probe TDM Switch Matrix CP-2300 Software module Content Processor Filters, encapsulates content (IP, VoIP, TDM, HTTP etc.) INI-3 HI-3

16 Rules and Regulations

17 CALEA Decision Making Passes Legislation (CALEA)
Arbitrator between Law Enforcement and service providers Tasked with enforcement and implementation Required to implement CALEA solution in their networks. Develop standards for use with different technologies Standards include: J-STD-025A, B PacketCable, T1.678, T1.IPNA

18 The Burden on Law Enforcement
The first tool available to track bad guys is with a subpoena for call records. This is done on a regular basis and 10’s of thousands of these are done on an annual basis. These are literally copies of relevant phone bills that are sent to the LEA either electronically or as paper copies. Many times they are uploaded into a Collection Function for analysis. The next step is to get a warrant for a Pen Register or Trap and Trace. These are historical terms used to identify calling activities (off-hook, ringing, answer, disconnect, call forward, hookflash etc.). These events are sent in real time from the delivery function to the collection function for analysis. Far fewer of these are done then the subpoenas for call records The last step is to get a Title III. This is usually only approved after a true need is demonstrated to the judge. This is also quite expensive for Law Enforcement. US law dictates that the intercept must be monitored live, 24 hours a day, by a Law Enforcement agent and any part of the conversation that isn’t relevant to the case must be “minimized”. In addition to the live monitoring (requiring multiple teams), there is usually a ground team surveiling the target. So due to the significant burden to justify the grounds for such a warrant and the manpower required to support it, very few (relatively speaking ~1700) are done each year.

19 CALEA Report Requirements for Congress
Department of Justice - CALEA Audit Report DOJ Inspector General – April * Department of Justice - FISA DOJ Attorney General Report - April Federal and State LEA Admin. Office of US Courts – Wiretap Report - April Congress * Not covered here

20 Recent Events In 2004 the FBI, DOJ and DEA filed a joint petition asking the FCC to clarify the implementation of CALEA for Broadband and VoIP providers. In August 2005 the FCC issued a “First Report and Order” deeming that “Facilities based and inter-connected VoIP providers” must provide CALEA support. It also required that compliance be achieved within 18 months of the Order. In May 2006 the FCC issued a “Second Report and Order” confirming that there would be no extensions and that the service providers must come into compliance by the original date stated in the First Report and Order. On June 9th, an appeal made on behalf of Service providers seeking to stall or alter the FCC report was denied by the DC Circuit Court and the FCC ruling was upheld. Service providers now have a true call to action and must come into compliance by May 14th 2007

21 Impact

22 Number of Intercept Orders
2004 Authorized Intercept Orders: 1,710 Increase of 19% from prior year Federal: State: 980 Federal increase of 26% State increase of 13% Four states accounted for 76% of intercept orders New York - 347 New Jersey - 144 California – 144 Florida - 72

23 Intercept Applications by Offense Type
.

24 Duration of Intercept Orders
Average duration of 43 days Decrease from prior year of 44 days Average original duration of 28 days 1,341 extensions averaging 28 days authorized Increase of 17% from prior year Longest was 390 days Federal: racketeering (IL) State: narcotics (NY) 24 (Federal) and 59 (State) in operation for less than one week

25 Activity of Intercept Orders
Average number of persons communications intercepted 126 per order Average number of communications per order was 3,017 Increase from prior year of 116 per order Average percentage of communications that were incriminating was 21% Decrease of 33% from prior year 88% for portable devices (mobile communications) 94% telephonic Most active 206,444 computer messages over 30 days (counterfeiting) 107,779 computer messages over 30 days (racketeering) 681 per day for 30 days (narcotics)

26 Costs of Intercept Orders
Costs reflect installing intercept devices and monitoring communications 2004 cost average of $63,011 Overall up 1% from prior year Federal average cost of $75,527, increase of 5% State average cost of $52,490, decrease of 3%

27 Arrests and Convictions
Statistics skewed due to length of cases beyond reporting period Leveled by filing of Supplemental Reports 4,506 persons arrested based on intercepts Increase of 23% 634 persons convicted (14%) Federal accounted for 53% of arrests and 23% of convictions Supplemental reporting 2,153 arrests and 1,683 convictions based on prior years intercepts

28 Various Case Highlights
15 arrests with 7 Convictions Seizure of 50 kilos cocaine; 3 vehicles; 15 weapons; $2.6M 4 arrests Seizure of 2 tons marijuana; 10 vehicles; 4 weapons; $2.1M 45 arrests Seizure of 16 pounds methamphetamine; 6 kilos cocaine; 2 indoor marijuana operations; 7 vehicle; 26 weapons; $1.1M 11 arrests Seizure of 23 kilos cocaine; 9 vehicles; 20 weapons; $1.7M 11 day wiretap led to arrest of conspirators planning to murder police officer One day wiretap led to recovery of kidnapping victim

29 Department of Justice - FISA Report
Foreign Intelligence Surveillance Act Requirement to report to Congress – filed in April Report is only amount of orders FISA applications and orders are governed by Separate Court system Relatively secret, in fact most Americans do not know of Court’s existence 1,754 application and orders approved This is the extent of information provided

30 Thank You Scott W. Coleman Dir. Of Marketing - LI

Download ppt "SS8 Lawful Intercept Briefing"

Similar presentations

Lawful Intercept Briefing

Lawful Intercept Briefing
Networks & Components Discuss the components required for successful communications Explain the purpose of communications software Identify various sending.

Networks & Components Discuss the components required for successful communications Explain the purpose of communications software Identify various sending.
1 © 2005 Cisco Systems, Inc. All rights reserved. Craig Mulholland Consulting Engineer February 8, 2006 Cisco Systems Lawful Intercept Capabilities The.

1 © 2005 Cisco Systems, Inc. All rights reserved. Craig Mulholland Consulting Engineer February 8, 2006 Cisco Systems Lawful Intercept Capabilities The.
EduCause LI Overview February 2007

EduCause LI Overview February 2007
Telephony Troubleshooting in the Home

Telephony Troubleshooting in the Home
Total LI Compliance using Turn-key Applications and Solutions Rami Mittelman V.P. Product Marketing.

Total LI Compliance using Turn-key Applications and Solutions Rami Mittelman V.P. Product Marketing.
CALEA Compliance in 2006 H. Michael Warren Vice President, Fiduciary Services NeuStar, Inc February 2006.

CALEA Compliance in 2006 H. Michael Warren Vice President, Fiduciary Services NeuStar, Inc February 2006.
The Patriot Act And computing. /criminal/cybercrime/PatriotAct.htm US Department of Justice.

The Patriot Act And computing. /criminal/cybercrime/PatriotAct.htm US Department of Justice.
Responding to Cybercrime in the Post-9/11 World Scott Eltringham Computer Crime and Intellectual Property Section U.S. Department of Justice (202) 353-7848.

Responding to Cybercrime in the Post-9/11 World Scott Eltringham Computer Crime and Intellectual Property Section U.S. Department of Justice (202)
Policing the Internet: Higher Education Law and Policy Rodney Petersen, Policy Analyst Wendy Wigen, Policy Analyst EDUCAUSE.

Policing the Internet: Higher Education Law and Policy Rodney Petersen, Policy Analyst Wendy Wigen, Policy Analyst EDUCAUSE.
Chapter 19: Network Management Business Data Communications, 4e.

Chapter 19: Network Management Business Data Communications, 4e.
Why Converged Networks Make Sense: VoIP a First Step July 26, 2006.

Why Converged Networks Make Sense: VoIP a First Step July 26, 2006.
© 2010 Level 3 Communications, LLC. All Rights Reserved. Level 3 Communications, Level 3, the red 3D brackets and the Level 3 Communications logo are registered.

© 2010 Level 3 Communications, LLC. All Rights Reserved. Level 3 Communications, Level 3, the red 3D brackets and the Level 3 Communications logo are registered.
1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.

1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
A Guide to major network components

A Guide to major network components
Data Centers and IP PBXs LAN Structures Private Clouds IP PBX Architecture IP PBX Hosting.

Data Centers and IP PBXs LAN Structures Private Clouds IP PBX Architecture IP PBX Hosting.
Network security policy: best practices

Network security policy: best practices
VoIP Voice over Internet Protocol or “It is not Voice over IP; it is Everything over IP…” Bob Pepper, FCC.

VoIP Voice over Internet Protocol or “It is not Voice over IP; it is Everything over IP…” Bob Pepper, FCC.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Similar presentations

Ads by Google