Lawful Interception Case Studies for ISS Solutions
1. Special Topic of Telecommunication Network
Chapter 7
Case Studies for ISS Solutions
Aris Cahyadi Risdianto
23210016
2. Case Study 1: Wireline Voice Intercept and
Surveillance Solutions from Lucent Technologies
CALEA functions provided by the TSP
•Access: a network entity intercepts and reports call data and/or content
to the LEA
•Delivery: the network platform provides an interface to LEAs for delivery
of call content/data
•Administration: the capability that establishes and maintains surveillance
with the TSP
Levels of Surveillance
•Level I — call related information: Only call-identifying
information (CII) is reported, and it is intended to satisfy pen
register and trap and trace court orders.
•Level II — call and content related information: The intent is to
satisfy a Title-III court order.
4. Case Study 1: Wireline Voice Intercept and
Surveillance Solutions from Lucent Technologies
CALEA Interfaces (SAS, CDC, and CCC)
Surveillance administration system (SAS) for provisioning using
existing 5ESS TTY ports
CDC for reporting CII (CDC messages) from the switch to the LEA
CCC for delivering call content from the switch to the LEA
Conclusions
J-STD-025 compliance: allows TSPs to meet their obligations under
CALEA
Flexibility: different LEAs in different locations may require different
CALEA interfaces
Cost: the integrated delivery function and dial-out capability
significantly reduce costs
Evolution: the current 5ESS CALEA solution can be adapted to future
technologies without any effect
5. Case Study 2: Lawful Interception in CDMA Wireless
IP Networks from SS8 Networks
Reference Functions
The AF, through the IAP, is responsible for providing access to an
intercept subject’s communications and CII.
The DF is responsible for delivering intercepted communications and CII
to collection functions.
The CF is responsible for collecting lawfully authorized intercepted
communications and CII for an LEA. The CF is handled by the LEA.
IAP on the CDMA 2000 Packet Data Network
AAA (IAP for CII)
PDSN (call-content IAP for simple IP)
HA (call-content IAP for mobile IP)
8. Case Study 2: Lawful Interception in CDMA Wireless
IP Networks from SS8 Networks
Typical call flow scenarios are addressed
Scenario 1: Intercept Provisioning, Target Not Involved in Data
Session
Scenario 2: Intercept Provisioning, Target Involved in Data Session
Scenario 3: Data Session Termination
Scenario 4: Intercept Expiration, Target Inactive
Scenario 5: Intercept Expiration, Target Active
9. Case Study 3: LIs for 3G Networks Using ALIS
Uses of 3G Technology and Implications for Lawful
Interception
Voice: an increasing proportion of LI requests from LEAs, because the
amount of voice traffic increases as users migrate from wireline to
wireless services.
SMS: LI will have to address the growing use of the service among
interception targets.
General Internet connectivity: adds the complication of the mobility of
the target; the proportion of Internet communications over mobile
networks will grow because it is "safer" for criminals and because of the
variety of devices with which to communicate (modem, PDA, etc.).
High-speed photo and video clip upload and download: LI needs to
be prepared to intercept video and still imagery against abusers.
Multimedia games: LI tracks users and sources of games involving
illicit thematic material (child pornography, gambling, and hate
targeting).
VoIP: VoIP traffic raises a number of technical and legal issues that
cannot be ignored.
10. Case Study 3: LIs for 3G Networks Using ALIS
Lawful Interception in 3G Networks
Figure 7.16 and Figure 7.17 visualize where to capture call data (IRI)
and call content, and where LI management functions flow.
Figure 7.18 provides a closer view of the interception topology in 3G
networks (sufficiently general to include cdma2000) for circuit-switched
network operations.
LI management commands are conveyed between the administrative
function (ADMF) and other network elements via the X1 interface.
Intercepted call data (IRI) are conveyed via the X2 interface.
Intercepted call content is gathered via the X3 interface and relayed
to the LEA using HI3.
15. Case Study 3: LIs for 3G Networks Using ALIS
ALIS in 3G Networks
The implementation of ALIS as a mediation platform in a UMTS and
cdma2000 network is shown in Figure 7.20 and Figure 7.21.
The important parts are the call data, call content, and LI management
paths leading from ALIS-D and ALIS-M to the appropriate network elements
and functions.
Conclusions
The processes are delineated by architectures, such as specified by
ETSI, 3GPP, and ANSI, that facilitate systematic implementations and
provisioning of LI systems.
The challenges to lawful interception remain, including the need to
support a diversity of services, vendor technologies, wireless
networking technologies, voice, and a multiplicity of high-speed data
services.
18. Case Study 4: Lawful Interception for IP Networks
Using ALIS
Interception of Internet traffic involves complications
Target source and destination identities are embedded in the overall
data flow.
Target and non-target data are mixed on numerous IP circuits and
network elements.
Many parties are involved in transporting data (access, transport, core).
Current laws on how to handle Internet interception are not clear.
Separating applications and data from the flow is difficult.
There is a lack of standards implementation.
19. Case Study 4: Lawful Interception for IP Networks
Using ALIS
IP Interception Examples (Internet Access)
Internet Access Target Identification: the LEA must coordinate
interception activities with the TSP regarding IP addresses that are
assigned through DHCP (including AAA) and fixed IP addresses
assigned to business customers (T1, xDSL, etc.). Other identifiers can
also be used (username, Ethernet address, dial-in calling number
identity, etc.).
Collected Data (IRI): target identity, service and access, time of
access success or denial, access location, etc. This data is delivered to
the LEA through HI3 interfaces, but the LEA must make sure it does not
fall victim to IP address spoofing.
Lawful Interception Configurations for Network Access (shown in
Figure 7.24a to Figure 7.24d): interception points implement internal
interception by applying probes or networking interfaces to local
networks, access loops, routers, gateways, AAA functions, and so forth.
24. Case Study 4: Lawful Interception for IP Networks
Using ALIS
IP Interception Examples (Email)
Collected Data (IRI): Server IP, Client IP, Server port, Client port,
E-mail protocol ID, E-mail sender, E-mail recipient list, Total recipient
count, Server octets sent, Client octets sent, Message ID, Status.
Internal interception takes place in the context of any e-mail server to
identify targeted e-mail traffic and route the corresponding call data
(CD) information to the mediation platform.
LEAs must also deal with spam: ensure they do not receive modified
headers on the e-mail, use reverse DNS lookup practices to
authenticate the origin of an e-mail, and subscribe to e-mail
blacklists for spam prevention.
26. Case Study 4: Lawful Interception for IP Networks
Using ALIS
IP Interception Examples (VoIP)
Call control events: answer and origination by the target, release, and
termination attempt.
Signaling events: dialed digit extraction (DDE; extra digits captured
after the call is connected), direct signal reporting (signaling
messages), network signal (network activity that provides a signal), and
subject signal (signals that initiate features).
Feature use events: signaling associated with conference calling,
call transfer, and other call features.
Registration events: occur when the target provides address
information to the VoIP network.
28. Case Study 4: Lawful Interception for IP Networks
Using ALIS
ALIS for IP
ALIS Internet access (Figure 7.28): data information is extracted from
the RADIUS server and the access termination point (CMTS, DSLAM, or
modem pool). An internal intercept function (IIF) in a router replicates
call content to and from the target and sends this data to ALIS-D.
ALIS mediation platform for e-mail (Figure 7.29): relevant e-mail
header and other protocol information is captured directly from the
e-mail server as call data and routed to ALIS-D for reformatting and
delivery to the LEA, while the contents of e-mail messages are routed to
ALIS-D as call content.
ALIS for VoIP Calling (Figure 7.30): ALIS-M sets triggering events for
relevant network equipment, including the call agent (gatekeeper, SIP
server, gateway, etc.) and routers assigned to capture data flow. Call
data information is extracted via internal interception and sent to
ALIS-D for processing.
32. Case Study 6: Monitoring and Logging Activities
Features of monitoring and logging for conducting LIs:
● Site-usage analysis: provides an understanding of how visitors
(targets) interact with Web sites
● Site-user analysis: particular messages to increase the likelihood that
site visitors (targets) will be interested in Web site information
● Site-content analysis: analyzes the content and structure of Web sites,
which may help indirectly with recognizing usage patterns
Features and Attributes of Monitoring and Logging Tools
● Monitoring devices are used at distributed locations
● Monitors passively measure the traffic in the network segments
● The data-capturing technique is also very important (location of probe,
capturing schedule, location of logs)
● Intelligent filtering during collection and data compression/compaction
● Management of log files is very important (automatic log cycling,
clustering of visitors)
● Predefined reports (templates) and a report scheduler
33. Case Study 6: Monitoring and Logging Activities
IP Monitoring System (IMS) from GTEN AG
● Data Collection and Filtering Subsystem: deployed in strategic field
locations, with the DCFD used for target monitoring based on log-in
identification.
● Mass Storage Subsystem: a file server acting as the mass storage, which
receives pre-filtered data from the data collection and filter subsystem,
triggered manually or automatically.
● Data Re-Creation and Analysis Subsystem: recorded data is viewed
with a standard browser (for example, an e-mail is displayed in e-mail
format and an Internet page is displayed as an Internet page), including
WWW sessions, FTP transfers, e-mail, chat, RADIUS, etc.
Typical Monitoring Applications
● Web-Site Monitoring: collects all traffic moving to and from a particular
Web site, which is done by wiretaps on the Internet line and on the
RADIUS server connection in order to correlate the recorded data.
● Target Monitoring: the monitored target must have a unique ID (fixed IP
address or user ID in the RADIUS server); the DCFD sniffs all the
packets after it retrieves the assigned IP address from RADIUS.
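An added example (not from the slides and not any vendor's code): target monitoring by RADIUS user ID has to bind the packet filter to the accounting session window, because a dynamic IP address can be reassigned to a non-target subscriber once the target's session ends. The record layout and the names `ACCT`, `PACKETS`, `sessions_for`, `select_naive` and `select_scoped` are assumptions made for illustration, and all sample data is constructed.

```python
from datetime import datetime

# Constructed RADIUS accounting records: (user ID, event, assigned IP, time).
ACCT = [
    ("alice", "Start", "10.0.0.5", "2024-01-01T10:00:00"),
    ("alice", "Stop",  "10.0.0.5", "2024-01-01T10:30:00"),
    ("bob",   "Start", "10.0.0.5", "2024-01-01T10:31:00"),  # IP reassigned
    ("alice", "Start", "10.0.0.9", "2024-01-01T11:00:00"),  # session still open
]
# Constructed packet metadata: (time, source IP, destination IP).
PACKETS = [
    ("2024-01-01T09:59:00", "10.0.0.5", "198.51.100.7"),  # before alice logs in
    ("2024-01-01T10:05:00", "10.0.0.5", "198.51.100.7"),  # alice
    ("2024-01-01T10:35:00", "10.0.0.5", "198.51.100.7"),  # bob, non-target
    ("2024-01-01T11:02:00", "203.0.113.4", "10.0.0.9"),   # alice, inbound
]

def ts(text):
    return datetime.fromisoformat(text)

def sessions_for(target, acct):
    """Return [(ip, start, stop)] for the target; stop is None while open."""
    open_sessions, closed = {}, []
    for user, event, ip, when in sorted(acct, key=lambda r: ts(r[3])):
        if user != target:
            continue
        if event == "Start":
            open_sessions[ip] = ts(when)
        elif event == "Stop" and ip in open_sessions:
            closed.append((ip, open_sessions.pop(ip), ts(when)))
    return closed + [(ip, start, None) for ip, start in open_sessions.items()]

def select_naive(target, acct, packets):
    """Over-collects: matches every IP the target ever held, at any time."""
    ips = {ip for ip, _, _ in sessions_for(target, acct)}
    return [p for p in packets if p[1] in ips or p[2] in ips]

def select_scoped(target, acct, packets):
    """Matches a packet only inside a session in which the target held the IP."""
    sessions = sessions_for(target, acct)
    def in_scope(pkt):
        when = ts(pkt[0])
        return any(ip in pkt[1:] and start <= when and (stop is None or when <= stop)
                   for ip, start, stop in sessions)
    return [p for p in packets if in_scope(p)]

if __name__ == "__main__":
    print(len(select_naive("alice", ACCT, PACKETS)), "packets matched by IP alone")
    print(len(select_scoped("alice", ACCT, PACKETS)), "packets inside target sessions")
```

The IP-only filter also returns the packet sent before the target logged in and the packet belonging to the subscriber who received the address afterwards; the session-scoped filter excludes both.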
35. Case Study 9: MC Case Examples from Siemens AG
Fixed Network — PSTN
● Network Protocols: E1 to network switches and EDSS1 line protocol.
● Network Switches: any manufacturer's switch that complies with the ETSI
standard, such as Siemens, Ericsson, Alcatel, and Nokia switches.
● Interception and Recording Modes: can be set up as mono or stereo,
with a compression mode to save space
● Types of Interception: conversation, call-related information, DTMF
transmission, SMS, fax, and modem
● Interception Management Systems: any IMS that complies with the ETSI
standard, such as Siemens LIOS, Utimaco IMS, Ericsson IMS, and Alcatel IMS
Mobile Network — GSM
● Feature highlights are identical to those for intercepting fixed networks.
● Add-On Systems: the location of the mobile cell is known through GIS
38. Case Study 9: MC Case Examples from Siemens AG
Mobile Networks — GPRS/UMTS
● Network Protocols: E1 to network switches and EDSS1 line protocol.
● Network Switches: any manufacturer's switch that complies with the ETSI
standard
● Interception Types: IP traffic on the packet switch
● Add-On Systems: based on current location information, can indicate the
direction of travel
● Feature Highlights: IP traffic with the attributes read, view, navigate
entire Web, e-mail, FTP, and chat sessions.
Internet Monitoring
● Data Collectors: data collectors connect to points on the Internet to
intercept
● Internet Applications: all IP traffic, with decoding support for Web,
e-mail (SMTP, POP3, Webmail), and chat (IRC)
● Internet Access Points: collectors connect to any IP source, such as GPRS
switches, ISP SPAN ports, Internet backbone links, or Internet core computers
● Physical Interfaces: supports many physical interfaces, including Ethernet
100 Mbps, Ethernet 1000 Mbps, and OC3
● Filtering: applied by the MC mediation device to the collector, and filters
IP data
● Back-End Internet Applications: the operator can replay Web sites visited
and Web pages viewed by the target user
● Interception Management Features: offers a single unified set of
interception management features
41. Conclusion
Case studies, in addition to the necessary level of awareness
regarding product features, can help provide an understanding
of how to deal with practical solutions. This chapter has
addressed nine different cases — with some overlaps — that
represent actual telecommunications services and products.
These case studies, e.g., for wireless networks, packet data
applications and VoIP, show that there are no technological
barriers to lawful interception activities.