Sharon Besser, Net Optics VP of Technology, discusses Lawful Intercept at ISS Event


Meaningful Lawful Intercept (LI) demands the capture and analysis of 100 percent of the traffic crossing a network—whether in 10G or 1G interfaces, or a combination. Sharon likens the challenge to “finding the needle in the haystack,”

  • Capture – CC (Content of Communication) and IRI (Intercept Related Information) related to the subject are extracted from the network.
    Filtering – information related to the subject that falls within the topic of the inquiry is separated from accidentally gathered information, and formatted to a pre-defined delivery format.
    Delivery – requested information is delivered to the LEMF.
    The Administration Function (ADMF) receives interception orders from the LEA and hands them over to:
    • Internal Intercept Functions (IIF), which are located tactically within network nodes and generate the two desired types of information, CC and IRI.
    • Mediation Functions (MF) take charge of delineation between the two networks. They implement Internal Network Interfaces (INI), which may be proprietary, to communicate within the PTN, and standardized interfaces, to deliver requested information to one or more LEMFs.
  • From Cisco: The switch fabric performs the duplication of the original filtered packet. One packet is forwarded to the egress line card. The other packet is forwarded to the Route Processor or to the SIP-400 for LI hardware acceleration.


  • 1. Identifying the needle in the 10/40/100G haystack
    Sharon Besser, VP Technologies Net Optics
    Intelligent Access and Monitoring Architecture
  • 2. Goal
    Present a methodology and solution of leveraging access switching to overcome current and future Lawful Interception challenges
  • 3. Net Optics In a Nutshell
    Financial, Telco, Healthcare & Government
    85% of the Fortune 100
    50% of the Fortune 500
    7000 Global Deployments
    Founded in 1996, Private, Self-Funded
    55 Quarters of Growth & Profitability
    Strong Management Team
    Sales Offices in New York, Atlanta, Germany
    300 plus new direct customers annually
    Go to Market Strategy
    30% Direct Sales
    25% OEM/Partner Relationship
    45% Global Channel
    20+ Patents and Patent Pending Requests
  • 4. Cause and Effect
    Industry / Networking
    Data Center
    Lawful Interception
  • 5. Industry Trends
    Expanding continuous layering of new applications
    • VoIP/Tele Presence, public and private clouds
    Expanding compliance requirements
    • PCI DSS, Basel II, CALEA to name a few
    Increasing internal and external intrusions
    • Organized crime and governments; each with a different agenda
    Convergence of voice, data and video traffic
    • Telecom phone-TV-Internet “Triple-play”
    Networks becoming faster and more complex
    • 10 GbE now, 40GbE & 100GbE coming
  • Data Center Trends
    10G is a reality. 40G/100G around the corner
    • Most tier I carriers start to plan and deploy 100G networks. Enterprises follow
    • Great CAPEX improvements, not so great visibility
    • Passive monitoring of Inter-VM traffic is MIA
    ToR and 10G copper switch implementation
    • Less cabling, fewer SPAN opportunities
    • ToR and EoR deployments increase monitoring oversubscription
    Convergence of data and storage
    • Links are more saturated
  • Trends Affecting Lawful Interception
    Triple Play Networks, Increased bandwidth, advanced services driving new LI design requirements
    Source: ETSI ES 201 158
  • 8. Unique Operational Challenges with 10G
    Net Optics observes exponential growth of 10G network deployments. Some common LI deployment challenges:
    Lack of tools
    • Availability of 10G monitoring tools and 10G security tools
    • Tools' ability to operate at line rate with low latency
    • Content classification as an example: it’s hard enough on 1G…
    Ridiculous cost
    • New 10G tools (not the 10G network interface cards)
    • Leveraging existing investments of 1G tools
    • Cost of knowledge, migration, operations  TCO
    Source: Net Optics Customer Advisory Board 7/2010
  • 12. Other Technical Challenges
    Jitter, Oversubscription and Blocking are more severe with 10G networks:
    Switching oversubscription takes place when two input ports forward all the packets to the same output port
    • If the queue exceeds the size of the physical hardware buffer, packets are dropped
    Substantial latency variability and jitter can be introduced under moderate or low traffic condition as well due to head of line blocking
    • At any time, only one packet can be transmitted from each physical output port of a switch
    • Resource contention might happen when two packets arrive from separate input ports to the same output port (e.g. uplink) at about the same time
  • Microburst
    Even when average traffic is low, the head-of-line blocking phenomenon (“oversubscription”) causes queuing during short periods in which the instantaneous bandwidth can reach maximum utilization
  • 14. Oversubscription
    Source: Cisco
  • 15. What Customers Want
    Meet Lawful interception challenges in high capacity networks
    But how?
  • 16. The LI Foundation: Reliable Copy
    End user 1
    End user 2
    Interception Node
    Link + Physical
    Link + Physical
    Link + Physical
    LEA Site
    LEMF Application
    Link + Physical
    Link + Physical
    Source: ETSI TR 101 943 Concepts of Interception in a Generic Network Architecture
  • 17. Current Approach Is Not Scalable
    Invest in new systems capable of handling 10G/40G/100G
    Packet duplication adds burden on the network
    Source: Cisco systems 2010: Lawful Interception for 3GPP: Cisco Service Independent Intercept in the GGSN
  • 18. The Solution: Leveraging Access Switching
    Leveraging Access Switching
    • Packet duplication does not burden the network
    Source: Cisco systems 2010: Lawful Interception for 3GPP: Cisco Service Independent Intercept in the GGSN
  • 19. Access Switching: Do More With Less
    10/40/100 Load Balancing
    Share the load between multiple tools
    Centralized intelligence for more endpoints
    Leverage existing / cheap / 1G tools
    Plan for growth
    Pre-filter w/ DPI to detect desired traffic on any port
    Pre-filtering is a mature technology
    DPI makes it possible to identify data of interest and forward it to the monitoring/recording tool
    GRE tunneling
    Distribute the collection infrastructure
    Cloud Monitoring
    Inter-VM and cloud based monitoring
    Any type of media
    Fiber, copper or both
  • 20. Summary
    Modern and advanced Access switching technology provides the scalable solution to meet Lawful Interception challenges in high capacity networks by focusing on improving collection infrastructure
  • 21. Thank You!
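
The oversubscription and microburst behaviour described on the "Other Technical Challenges" and "Microburst" slides can be reproduced with a small slotted queue model of one output port (for example the port feeding a monitoring or recording tool). This is an added example, not part of the presentation; the slot model, buffer size, burst length and trace length are constructed assumptions.

```python
# Added illustration (not from the slides): one switch output port fed by two
# input ports. Time is slotted; the port transmits one packet per slot.
# Buffer size, burst length and trace length are constructed values.

def simulate_output_port(arrivals, buffer_pkts):
    """Run a FIFO output queue over per-slot arrival counts.

    Returns (sent, dropped, peak_queue). Packets that arrive while the
    buffer is full are tail-dropped.
    """
    queue = sent = dropped = peak = 0
    for n in arrivals:
        accepted = min(n, buffer_pkts - queue)
        dropped += n - accepted
        queue += accepted
        peak = max(peak, queue)
        if queue:            # only one packet leaves the port per slot
            queue -= 1
            sent += 1
    return sent, dropped, peak


def average_load(arrivals):
    """Offered load over the whole trace, as a fraction of port capacity."""
    return sum(arrivals) / len(arrivals)


def peak_window_load(arrivals, window):
    """Highest offered load seen in any `window` consecutive slots."""
    best = cur = sum(arrivals[:window])
    for i in range(window, len(arrivals)):
        cur += arrivals[i] - arrivals[i - window]
        best = max(best, cur)
    return best / window


SLOTS, BURST, BUFFER = 1000, 40, 32

# Two input ports each send a 40-packet burst in the same slots, then go idle.
two_ports = [2] * BURST + [0] * (SLOTS - BURST)
# The same 80 packets arriving back to back from a single input port.
one_port = [1] * (2 * BURST) + [0] * (SLOTS - 2 * BURST)

if __name__ == "__main__":
    for name, trace in (("two ports", two_ports), ("one port", one_port)):
        sent, dropped, peak = simulate_output_port(trace, BUFFER)
        print(f"{name}: avg load {average_load(trace):.0%}, "
              f"peak 10-slot load {peak_window_load(trace, 10):.0%}, "
              f"peak queue {peak}, dropped {dropped}")
```

Both traces offer the same average load, so an averaged utilization counter cannot tell them apart; only the short-window load and the drop counter show that the two-port trace loses packets, which for an interception copy means an incomplete record.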