In May 2006 I wrote an article about Achieving CALEA Compliance in the U.S. It highlighted the origins of CALEA, the components of a lawful intercept (wiretapping) solution and the need behind the requirement. In today's article we look specifically at the impact of CALEA on higher education.
Is Lawful Intercept new?
Although CALEA and its standards are relatively new to Higher Ed, the legal interception of communications for law enforcement purposes, and the laws it is based on, are not. The origins stem from the definition of "service providers" in the Communications Act of 1934 and continued with the passage of the Omnibus Crime Control and Safe Streets Act in 1968. The Omnibus Act laid out the procedures law enforcement must follow to obtain judicial authorization to conduct electronic surveillance.
From the 1960s through the 1970s plain old telephone service (POTS) stayed just that: plain. In the early 1980s, however, things began to change rapidly; new digital residential services (call waiting, call forwarding) were introduced, and later in the decade mobile telecommunications and the first public e-mail and data services appeared. In response, Congress passed the Electronic Communications Privacy Act (ECPA) in 1986, which broadened the Omnibus Crime Act to cover the lawful interception of electronic communications (including e-mail, data transmissions, faxes and pagers).
Although authorization to perform electronic surveillance was now in place, the law did not define how an intercept would actually be carried out on these networks. Moving into the 1990s, the new technologies, together with the lack of any uniform way to intercept them, led law enforcement to ask Congress to require the industry to provide a means of accurately and readily accessing these new services. They were not asking for additional powers or authorization; those had already been established in the earlier legislation. CALEA, passed in 1994, was about addressing the practical challenges law enforcement faced in accessing communication sessions in these emerging networks.
Who does it apply to?
Based on the 1968 Omnibus Crime Act, law enforcement has always been able to serve any carrier or enterprise with a warrant soliciting its assistance, but who must comply with CALEA itself was defined in the original CALEA legislation and in the FCC's subsequent Reports and Orders. Under those documents, providers of "information services" were originally excluded from CALEA compliance. With the issuance of the FCC's First Report and Order in August 2005 (and a Second Report and Order in May 2006), broadband access providers and interconnected VoIP providers are no longer excluded and must be compliant by May 14, 2007. A lawsuit was filed challenging the FCC's orders, but in June 2006 the DC Circuit Court sided with the FCC and upheld the FCC's authority to bring additional entities under CALEA.
A question remains as to who falls under the definition of a "broadband access" provider or an "interconnected VoIP" provider. Most commercial service providers clearly do, but how the definition applies to Higher Ed is murkier. One helpful point is that the FCC's orders, as upheld by the court, apply CALEA only to facilities-based providers that offer broadband access or interconnected VoIP to the public. Since most universities consider their networks private, there may be an opportunity to define the majority of the network as private and to implement CALEA solutions only at the points where the network actually touches the Internet (i.e. the gateways). At the same time, there are plenty of universities that fall under the "public" definition because they actively resell broadband access to entities outside the university (elementary schools, municipal governments, etc.). For now the practical approach is to bring the "public" networks into compliance and to equip the edges of the "private" networks with CALEA-compliant equipment where they touch the Internet.
Why is it needed?
As noted above, advances in telecommunication and data services have made it very difficult for law enforcement to use the lawful intercept techniques that worked in traditional wireline phone networks. Those networks did not have mobile users, distributed nodes, separate signaling and bearer paths, or hundreds of equipment providers in place of three or four large "all in one" switch providers. Today's deployed networks and the emerging IMS architectures provide many new choices for service providers, but they also pose a serious challenge to a law enforcement community that cannot have core expertise in every technology, type of equipment, protocol and deployment methodology available.
By defining and standardizing both the components and the delivery methods of a lawful intercept solution, the industry has created well-defined demarcation points and expectations with regard to what information is available, how it will be delivered and what form it will take. The benefits of this approach include a more secure solution, a single point of connection for law enforcement to a service provider's network, the ability to test solutions more easily, and the deployment of carrier-grade equipment at the service provider while law enforcement deploys PC-based applications at its own locations.
Is this technology new for Higher Ed?
Even though CALEA, the support of it and even the knowledge of its existence are new to many people in Higher Ed, the technology and techniques are not. The solutions being recommended for Higher Ed are the same ones that have been in use in traditional carrier networks for over ten years, with hundreds of deployments. The only real differences are the availability of active components and scale. Traditional enterprise network elements may not have inherent LI capability, which requires more "passive" solutions, and the LI solutions have been scaled down to accommodate the reduced requirements of a university as compared to a nationwide service provider with millions of subscribers.
What does a solution look like?
Functionality
A lawful intercept solution has one basic objective: to unobtrusively obtain a copy of the target's communications and deliver it to law enforcement. Fundamentally, this requires two different types of activity. The first is the identification of the target during some kind of authentication/authorization event. This normally occurs at a centralized point in the network and could be a login event, the registration of a wireless phone with a network, the powering up of a cable modem, an off-hook on a VoIP phone, etc. These events both identify the target and indicate that activity has commenced. The second type of activity is the replication of the communication at the edge of the network (as opposed to the identification events, which occur at the core). Replication begins only after the target has been identified and activity has been signaled.
An example that illustrates the difference between these two activities is a user browsing the Internet. The user attaches to the network, logs in and authenticates through a AAA server, which fulfils the centralized identification. Information about the user's ingress point is then available, and an intercept request is sent to the edge device (router, switch, gateway, etc.) serving the user, asking it to replicate that specific user's traffic so it can be sent to law enforcement.
Components
As defined by standards bodies around the world (for example J-STD-025 in the U.S. and the ETSI lawful interception specifications in Europe), a lawful intercept solution has three components:
Access Function -- the devices in the network that have access to a target's traffic and are able to replicate it. Access Functions (AFs) are the Intercept Access Points (IAPs) in the network and can be either existing network equipment (routers, switches, gateways, etc.) or passive probes placed strategically in the network.
Delivery Function -- the secure, carrier-grade, centralized command and control platform for the LI solution. The warrant for the target is entered into the Delivery Function (DF), which communicates with the Access Functions both to provision them with target-identifying information (phone number, IP address, e-mail address, chat handle, etc.) and to receive intercepted traffic from every AF in the network. The DF then formats the intercepted traffic, encapsulates it according to the interface standards and delivers it to law enforcement. Because the DF holds the list of active targets and warrants, access to it, and every provisioning change made on it, should be tightly restricted and logged.
Collection Function -- the PC-based application, located at the law enforcement agency, that receives the intercepted traffic delivered by the DF from the service provider's network. It complies with the delivery standards and provides tools for analyzing data, building relationships between targets, creating link charts, tracking target activities and compiling evidence for court.
The Access Function and Delivery Function both operate within the service provider's network, while the Collection Function is owned and operated by law enforcement, with the delivery standards serving as the bridge between the two operating environments.
The diagram below depicts the components of the solution.

Active versus Passive
The Access Function can be either an active or a passive component. An active component is an existing network element (router, switch, etc.) that supports LI functionality, so that it can be provisioned with target-identifying information, replicate that target's communications and forward them to the Delivery Function. When a portion of a network is not covered by active components, passive probes can be deployed instead. These probes are provisioned with the same target-identifying information, watch the traffic traversing the "wire", identify the target's traffic, replicate it and send it to the Delivery Function. Both approaches have pros and cons, and they are typically deployed together in a hybrid configuration that fits the specific network and the size of the deployment.
Implementation
Although all solutions share common components and functionality, implementations need to be fitted to the specific network. This entails identifying the vendor, models and releases of equipment in the network, determining what LI functionality is available on those elements, determining routing and switching of traffic, specifying the authentication protocols, locating the likely IAPs, estimating required capacity and finalizing the quantity and placement of any needed probes. This process is consultative in nature and typically requires the sharing of a network diagram as well as a meeting to properly specify a solution.
Solution
The ultimate solution for a Higher Ed institution typically consists of a single central server that interfaces with the Access Functions, receives data from them, performs provisioning, hosts the user interface, maintains error logs and alarms, stores data in a database and interacts with probes if needed. The same server then communicates with the Collection Function(s) and delivers the information to law enforcement. In a network where a completely active solution isn't possible, one or more probes can be used. Organizations follow different strategies for deploying probes, with some installing them permanently and others deploying them on an as-needed basis.
An example of a typical university network is depicted below. In this example a decision was made to intercept at the gateway router where it connects to the Internet, and the diagram illustrates both a passive intercept solution and an active intercept solution.

In this diagram, only the traffic that reaches the Internet is deemed to fall under the requirements of lawful intercept compliance and is intercepted. Other traffic on the network is categorized as private and is allowed to move among users confined to the university's network.
In both solutions the SS8 Delivery Function (Xcipio) is installed in the data center with IP connectivity to both the network where the intercept takes place and the LEA. In most cases the LEA prefers a VPN connection from its Collection Function to the university's network. Connectivity is then established from the university end of the VPN to the Delivery Function.
1A: Provisioning of the passive probe with the target identifier
1B: Provisioning of the gateway with the target identifier
2A: Passive intercept of traffic from the line splitter
2B: Passive intercept, with the probe sending traffic to Xcipio
2C: Active intercept using the interface to the router
3: Delivery of standardized traffic to law enforcement
Active
In the active solution, the inherent lawful intercept capability of the gateway router is leveraged. IP connectivity to the gateway (1B) is used by the Delivery Function to provision the gateway(s) with the target's IP address. In return, the gateway sends a copy of the target's traffic (2C) to the Delivery Function every time there is activity. From there the information is matched to the appropriate LEA/warrant, formatted and delivered to that LEA.
In this solution the key responsibilities of the university are:
- Maintain the Solaris based Sun server that operates the Xcipio software application
- Provide connectivity to the gateway
- Provide connectivity to the LEA
- Identify the IP address of the target (where addresses are assigned dynamically, this means correlating the target with the address currently in use, e.g. from AAA or DHCP records, for the life of the warrant)
Passive
In the passive solution the gateway router is not used; instead a splitter/tap (for instance, NetOptics) is inserted in the path leading to the gateway. All traffic is replicated and sent to the SS8 passive probe (2A). The probe is provisioned (via 1A) with the same target identifier (IP address) used in the active solution, except that in this case the probe itself identifies the target's traffic, filters it out of the stream and sends it to the DF (2B). The information then follows the same process as when it is received from the gateway: it is matched to the proper LEA/warrant, formatted and sent to the appropriate LEA(s).
In this solution the key responsibilities of the university are:
- Maintain the Solaris based Sun server that operates the Xcipio software application
- Assist SS8 in the installation of the NetOptics splitter
- Maintain the NetOptics splitter
- Provide connectivity to the LEA
- Identify the IP address of the target (where addresses are assigned dynamically, this means correlating the target with the address currently in use, e.g. from AAA or DHCP records, for the life of the warrant)
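The passive path in the diagram (1A provisioning, 2A/2B intercept, 3 delivery), reduced to a runnable model of the three components. This is an added example written for this article, not SS8 or Xcipio code: the class names, the warrant and packet fields, and the JSON record used in place of the standardized delivery format are assumptions, and the tapped traffic is constructed. The active path (1B/2C) differs only in that the gateway itself plays the Access Function role.

```python
# Added illustration, not SS8/Xcipio code: names, fields and the JSON record are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress
import json

@dataclass(frozen=True)
class Warrant:
    warrant_id: str   # hypothetical LEA-assigned identifier
    lea: str          # which Collection Function receives the product
    target_ip: str    # target identifier provisioned into the AF

@dataclass
class Packet:
    ts: float         # epoch seconds as seen on the tap
    src: str
    dst: str
    payload: bytes

class CollectionFunction:
    """LEA side (3): stores what the DF delivers, nothing more."""
    def __init__(self):
        self.received = []

    def deliver(self, encoded):
        self.received.append(json.loads(encoded))

class PassiveProbe:
    """Access Function on a tap (2A): copies packets to or from a provisioned
    target to the DF (2B); everything else is dropped here, never stored."""
    def __init__(self, df):
        self.df, self.targets = df, set()

    def provision(self, target_ip):            # 1A
        self.targets.add(ipaddress.ip_address(target_ip))

    def deprovision(self, target_ip):
        self.targets.discard(ipaddress.ip_address(target_ip))

    def observe(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        matched = src if src in self.targets else dst if dst in self.targets else None
        if matched is None:
            return False
        self.df.receive(pkt, matched)
        return True

class DeliveryFunction:
    """Central command and control: holds warrants, provisions every AF, maps
    intercepted traffic back to its warrant/LEA, formats and delivers it.
    Provisioning changes are audited because this box holds the target list."""
    def __init__(self, collectors):
        self.collectors = collectors   # LEA name -> CollectionFunction
        self.warrants, self.afs, self.audit = {}, [], []

    def add_warrant(self, w):
        self.warrants[ipaddress.ip_address(w.target_ip)] = w
        for af in self.afs:
            af.provision(w.target_ip)
        self.audit.append(("provision", w.warrant_id, w.target_ip))

    def remove_warrant(self, w):
        # The intercept must stop when the warrant ends: deprovision every AF.
        self.warrants.pop(ipaddress.ip_address(w.target_ip), None)
        for af in self.afs:
            af.deprovision(w.target_ip)
        self.audit.append(("deprovision", w.warrant_id, w.target_ip))

    def receive(self, pkt, matched):
        w = self.warrants.get(matched)
        if w is None:   # AF holds a target the DF has no warrant for: drop and log
            self.audit.append(("unmatched", str(matched)))
            return
        record = {      # simplified encapsulation (assumption), one record per packet
            "warrant_id": w.warrant_id,
            "time": datetime.fromtimestamp(pkt.ts, timezone.utc).isoformat(),
            "target": str(matched),
            "direction": "from_target" if pkt.src == str(matched) else "to_target",
            "src": pkt.src, "dst": pkt.dst, "content": pkt.payload.hex(),
        }
        self.collectors[w.lea].deliver(json.dumps(record))

def run_demo():
    """Constructed traffic: one warranted target, three packets on the tap."""
    cf = CollectionFunction()
    df = DeliveryFunction({"lea-1": cf})
    probe = PassiveProbe(df)
    df.afs.append(probe)
    w = Warrant("W-2006-0001", "lea-1", "10.0.5.23")
    df.add_warrant(w)
    tapped = [
        Packet(1147000000.0, "10.0.5.23", "198.51.100.10", b"GET / HTTP/1.1"),
        Packet(1147000001.0, "10.0.7.9", "198.51.100.10", b"GET / HTTP/1.1"),
        Packet(1147000002.0, "198.51.100.10", "10.0.5.23", b"HTTP/1.1 200 OK"),
    ]
    matched = sum(probe.observe(p) for p in tapped)
    df.remove_warrant(w)
    still_matching = probe.observe(tapped[0])   # warrant gone: must be False
    return matched, still_matching, cf.received, df.audit
```

Two points a practitioner should take from the model: the probe drops every non-target packet on the spot rather than retaining the full tap, and it is the deprovisioning step, not the expiry date on paper, that actually stops the intercept, which is why both provisioning and deprovisioning are written to the DF's audit trail.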
Summary
The FCC's Second Report and Order has clearly identified May 14, 2007 as the deadline for CALEA compliance for both "interconnected VoIP providers" and "broadband access providers". For Higher Ed, the definition of who needs to comply is more ambiguous. Certainly those institutions reselling access or services need to be compliant, but those that can define their networks as "private" may be able to pursue a course in which only the specific points where the network reaches the Internet are made compliant.
In terms of implementing a solution, although there are some large universities with large populations, the majority of universities are going to be smaller than most tier 1 and tier 2 carriers in the U.S. Therefore, solutions that have already been architected and deployed are readily available to be appropriately sized and implemented for higher education institutions to achieve compliance.
About the Author
Scott Coleman is currently Director of Marketing for Lawful Intercept at SS8 Networks, with over 17 years of experience in the telecommunications industry, 7 of them focused on the lawful intercept and recording markets. Scott has focused on industry-wide activities including emerging standards, industry forums and law enforcement seminars for local and national agencies, domestically and internationally. His speaking engagements include industry forums for carriers and law enforcement agencies, specifically Pennsylvania Telecommunications Carriers, NY State Police, FBI, RCMP, Greek Security Services, Taiwanese Security Services, Canadian Telecommunications Forum, Association of Public Safety Communications, Internet Telephony Conference, Public Safety and Emergency Preparedness Canada, and media outlets such as Yankee Group, Gartner Group, IDG and the Wall Street Journal.
About SS8 Networks
SS8 Networks provides a complete range of messaging, lawful intercept and signaling solutions that enable network operators to optimize their investment in traditional, legacy networks while smoothing the transition to 21st century architectures. Through a series of extended relationships, lawful intercept solutions are now also available for government and law enforcement agencies worldwide. SS8 Networks' solutions are installed in global tier one wireless, wireline, VoIP and cable networks and are also available through a channel of major international switch vendors. SS8 Networks was recognized and named a Red Herring 100 and AlwaysOn company in North America in 2005 for its innovation, quality of management, execution of strategy, and dedication to research and development. SS8 Networks is headquartered in San Jose, Calif., with offices worldwide.