Scott C. McGrath On Tue, 20 Jan 2004, Eriks Rugelis wrote:
Sean Donelan wrote:
Assuming lawful purposes, what is the best way to tap a network undetectable to the surveillance subject, not missing any relevant data, and not exposing the installer to undue risk?
'Best' rarely has a straight-forward answer. ;-)
Lawful access is subject to many of the same scaling issues which we confront in building up our networks. Solutions which can work well for 'small' access or hosting providers may not be sensible for larger scale environment.
If you have only a low rate of warrants to process per year, and if your facilities are few in number and/or geographically close together, and if your 'optimum' point of tap insertion happens to be a link which can be reasonably traced without very expensive ASIC-based gear and if your operation can tolerate breaking open the link to insert the tap, and if the law enforcement types agree that the surveillance target is unlikely to notice the link going down to insert the tap...
then in-line taps such as Finisar or NetOptics can be quite sensible.
If your operation can tolerate the continuing presence of the in-line tap and you only ever need a small number of them then leaving the taps permanently installed may be entirely reasonable.
On the other hand, if your environment consists of a large number (100's) of potential tapping points, then you will quickly determine that in-line taps have very poor scaling properties. a) They are not rack-dense b) They require external power warts c) They are not cheap (in the range of US$500 each) d) Often when you have that many potential tapping points, you are likely to be processing a larger number of warrants in a year. An in-line tap arrangement will require a body to physically install the recording equipment and cables to the trace-ports on the tap. You may also need to make room for more than one set of recording gear at each site.
Large-scale providers will probably want to examine solutions based on support built directly into their traffic-carrying infrastructure (switches, routers.)
Using cisco's feature set on a uBR it would be cable intercept interface x/y <Target MAC> <Logging Server IP> <port> as an example of lawful access on infrastructure equipment
You should be watchful for law enforcement types trying dictate a 'solution' which is not a good fit to your own business environment. There are usually several ways of getting them the data which they require to do their jobs.
Eriks --- Eriks Rugelis -- Senior Consultant Netidea Inc. Voice: +1 416 876 0740 63 Charlton Boulevard, FAX: +1 416 250 5532 North York, Ontario, E-mail: eriks@netideainc.ca Canada M2M 1C1
PGP public key is here: http://members.rogers.com/eriks.rugelis/certs/pgp.htm