1
Gamma:
Strategy for an
overall Intelligence Concept Th. Fischer – May 04, 2011
Introduction
2
Scope and Preconditions The three companies Gamma Group, Desoma and Dreamlab intend to create Telecommunication Intelligence Systems for different telecommunication networks to fulfill the customers‘ needs and requirements regarding Lawful Interception, Massive Data Interception, Data Retention and traffic/application/protocol Control (Traffic Blocking and Shaping). These different intelligence methods and technologies are to be deployed in different network environments like „classic“ fixed and mobile networks as well as in IP-based (packet oriented) networks. However, not every technology/method will be used in every network in the same way if it will be used at all. The Intelligence Systems must be modular/scalable and have to be combined depending on the communication environments and needs in different project/countries. The main expertise of all three partners is the „IP-world“. There should be some technological competence on Desoma‘s side regarding the classic networks (PSTN,Mobile), while Gamma has the world wide marktet access and competence regarding sales and marketing for all technologies mentioned above. Beside some „restrictions“ regarding specific knowledge (which has to be evaluated) there are for sure restrictions regarding man power, time and money. A strategy has to be defined to create Intelligence System(s) which can be realized in a rather short period of time to generate RoI, being competitive and making the most use of currently available knowledge and experience of all partners. The following slides will give an overview of the different Intelligence Solutions‘ requirements and technologies and an indication regarding the availability of solutions and/or the capability to solve the technial requirements.
Networks <-> Intelligence Methods used Networks Methods
3
PSTN (ISDN/POTS)
Mobile (GSM/GPRS/UMTS/ LTE)
IP-Networks
Lawful Interception
Yes supported by Network
Yes Supported by Network
Yes partly supported by NW mainly own Appliances
Mass Data Interception
Yes International Gateways
?
Yes Internet Gateways
No
partly for/in the IP-part of the NW
Yes i.e. at Internet Gateways
Yes supported by Network
Yes supported by Network
Yes using NW elements and/or own Appliances
Not inside the NW but for PC/Nb indirectly via IP-NW
For PC/Nb possible in Mobile NW or indirectly via IP-NW (FinFly ISP). For mobile Phones/PDA etc. own FinFisher-Application
Yes FinFly ISP
Blocking / Shaping
Data Retention
Infection
Networks (Intelligence Methods) <-> Solutions / Technologies Networks Methods
Lawful Interception
Mass Data Interception
Blocking / Shaping
PSTN (ISDN/POTS)
Admin HI1: inside NW IRI HI2:IP/X.25-Receiver CC HI3: S2mRecorder Tgt.-Ident: inside NW Admin:own Admin IRI HI2:??? CC HI3: S2mRecorder
n/a
Mobile (GSM/GPRS/UMTS/L TE) Admin HI1: inside NW IRI HI2:IP/X.25-Receiver CC HI3: S2mRecorder CC HI3 IP: own IPAppliance Tgt.-Ident: inside NW ?????
4
IP-Networks Admin HI1: HI2 (= HI3): CC HI3: Appliance Tgt.-Ident: Appliance
own Admin n/a own IP-
Admin HI1: HI2 (= HI3): CC HI3: Appliance
own Admin n/a own IP-
own IP-
IP-Part of the NW: Admin:own Admin Block/Shape: own IPAppliance Tgt.-Ident: own IPAppliances
Admin:own Admin Block/Shape: own IPAppliance Tgt.-Ident: own IPAppliance
Network Elements (OSS/BSS) provide Info for DRS (CDRs)
Using Network Elements (OSS/BSS) and/or own IPAppliances
Data Retention
Network Elements (OSS/BSS) provide Info for DRS (CDRs)
Infection
See IP-Networks for PC/Nb Mobile Phones: Indirectly: See IP-Networks Admin:own Admin Tgt.-Ident: manually (?) Delivery: own „Methods“
Admin:own Admin Tgt.-Ident: own IPAppliance Delivery: own IPAppliance
Solutions / Techologies <-> Availability on our 5 side PSTN (ISDN/POTS) Mobile (GSM/UMTS/LTE) IP-Networks LI
Mass Data
B&S
DRS
INFEC
LI
Mass Data
B&S (IPonly)
DRS
INFEC Mobile
LI
Mass Data
B&S
DRS
INFEC
Administration
NW
Desom a/ 3rd Party
n/a
Tbd
n/a
NW
n/a
Dreaml ab
Tbd
GG
DE/DL
DE/DL
DE/DL
Tbd
DL/GG
Data Capturing / Handling
NW
Desom a/ 3rd Party
n/a
Tbd
n/a
NW
n/a
Dreaml ab
Tbd
GG
Dreaml ab
Dreaml ab
Dreaml ab
Tbd
DL/GG
Target Identification
NW
Manuall y NW
n/a
Tbd
n/a
NW
n/a
Dreaml ab
Tbd
GG
Dreaml ab
Dreaml ab
Dreaml ab
Tbd
Dreaml ab
Mediation
IRI only
???
n/a
Tbd
n/a
IRI-NW IP DL
n/a
n/a
Tbd
n/a
Dreaml ab
Dreaml ab
n/a
Tbd
n/a
Receiving Data
Desoma / 3rd Party
Desom a/ 3rd Party
n/a
Tbd
n/a
Desom a
n/a
n/a
Tbd
GG
Desom a
Desom a
n/a
Tbd
GG
DB (Storage/Archive)
Desoma
Desom a
n/a
Tbd
n/a
Desom a
n/a
n/a
Tbd
GG
Desom a
Desom a
n/a
Tbd
GG
Decode / Demodul
Desoma
Desom a
n/a
Tbd
n/a
Desom a
n/a
n/a
Tbd
n/a
DE/DL
DE/DL
n/a
Tbd
n/a
Reconstruction
Desoma
Desom a
n/a
Tbd
n/a
Desom a
n/a
n/a
Tbd
n/a
DE/DL
DE/DL
n/a
Tbd
n/a
Back-End Admin
DE/DL
DE/DL
n/a
Tbd
n/a
DE/DL
n/a
n/a
Tbd
GG
DE/DL
DE/DL
DE/DL
Tbd
DL/GG
User Management
DE/DL
DE/DL
n/a
Tbd
n/a
DE/DL
n/a
n/a
Tbd
GG
DE/DL
DE/DL
DE/DL
Tbd
DL/GG
TASKS
Fro ntEn d
Ba ckEn d
Lege nd:
provided/available by eihter the NW or by a partner to be defined OR using 3rd Party solution (DRS)
not needed / not applicable to be done/defined/created
needs more investigation/analysis under investigation
Graphical Overview – all Solutions/Methods Methodolog y Targets
Networks
IM – Mass (IP)
LI - (IP)
ISP AAA Tgt.-ID Probe
AAA Index. IPProbe active/passi ve
Tgt.-ID Probe
ISP
Admin
Receiving
Decode Demod Storage Archiving Analysis Evaluatio n
Block (IP)
LI – (Voice + IP)
PST N
ISP
Tgt.-ID Probe
Infect. Proxy active BS IPProbe active
DL Mediation IP
Ethernet DL/DEAdmin Mass-IP
HI3 – CC ISDN
HI2/HI3 IRI/CC Eth TCP/IP
NFS or UDP
Back-End
AAA
LI-Probe passive Network Element s
Mediation
Front-End
INF (IP)
No incoming DATA
Ethernet DL-ADMF LI
Ring-Buffer Module GRID Detection Mod
DL-ADMF FF-ISP
HI3 – CC Voice Recorder
Collecti on Devices
HI2 – IRI Receiver DRS SERVER
HI3 – CC Voice Recorder HI3 – CC ??? Module
??? Module
IP
DRS
Mobil e
HI2 – IRI Receiver
HI3 – CC ??? Module
IP
LI – (Voice + IP)
HI1 HI1 Marking Marking Targets Targets PSTN Mobile Intercepti Intercepti Mediati on on on Mgmt. Mgmt. MobileHI3 – CC ISDN HI2 – IRI HI2 – IRI X.25, TCP/IP, X.25, TCP/IP, X.31 X.31 HI3 – CC FTAM, FTP, FTAM, FTP, Eth Rose Rose TCP/IP ISDN Eth/X. Eth/X. Eth Ethernet S2m 25 25
DL-ADMF BS FinSpy MASTER
Assembly Module
IP
ISDN S2m
Ethernet
6
??? Modules
IP
VOIC E
DATA WAREHOUSE
Users / Evaluator / Operators
IRI
IP
VOIC E
IRI
IP
IP-Network – Mass IP Interception Methodolog y Targets
Networks
7
Data Capturing:DAISY from Desoma is curretly using a CS-2000 or PN41-Blade (IBM) to connect passively or actively to
IM – Mass (IP)
the network (Indexing Module = IP-Probe). This has to be changed to use HP-Servers with appropriate NICs from Dreamlab.
ISP
Active will be chosen in case a Man-in-the-Middle attack is planned for SSL certificates (using Bypass
AAA Tgt.-ID Probe
Index. IPProbe active/passi ve
Function). In this module data filtering takes place to search for specific data and reduce the amount of data to be sent to the Back-End. It has to be defined whether String Search must be integrated into the
Mediation
IP-Probes to reach a finer granularity for Filtering data of interest. Target Identif.: Dreamlab has Tgt-Id-Probes available in case Mass IP-Interception has to be specified for dedicated
NFS or UDP
Front-End Back-End Admin
Receiving
Decode Demod
subscribers (exceptional case)
Ethernet
Data handover: NFS and/or UDP is used currently and will be implemented into the Dreamlab IPProbes too, to
DL/DEAdmin Mass-IP
handover the captured IP-data to the Ring-Buffer / GRID Detection Module.
Ring-Buffer Module GRID Detection Mod
Admin: Has to take care about the workflow in the Mass IP Interception System. The user can enter Filter
Assembly Module
Criteria which are forwarded to the IP-Probe(s) to filter/capture data of interest. If necessary the Tgt-IdProbes are configured as well.
Storage Archiving Analysis Evaluatio n
IP
The Admin has to be designed and has to integrate a User Management with several layers
IP
DATA WAREHOUSE Users / Evaluator / Operators
of user rights (who has the right to access what kind of data; Admin, User, Auditor etc.) Ring-Buffer & GRID Detection: and generate so
These Modules receive the captured IP-data from the Front-End (IP-Probe)
called additional Meta-Data. Data are stored with different Storage solutions. GRID is
IP-Network – Lawful Interception Methodolog y Targets
LI - (IP)
Networks
AAA Tgt.-ID Probe
Data Capturing:This will be the same kind of HP-Servers used for Mass IP-data Interception to capture IP-Data for LI passively. In addition Dreamlab is capable of handling IP-data provided by
ISP
Network Elements (Juniper, Cisco, Huawei).
LI-Probe passive Network Element s DL Mediation IP
Mediation
Target Identif.: Dreamlab has Tgt-Id-Probes available to capture assinged IPaddresses of Targets by searching for their nw access credentials. Data Handover = Mediation: data formats
HI2/HI3 IRI/CC Eth TCP/IP
Front-End
8
This Dreamlab appliance can convert the captured IP-data into several
(i.e. ETSI) for IP-datza handover to several Monitoring Centers simultaneously.
Ethernet
Back-End
Admin: Has to take care about the workflow in the LI System. The user can enter the NW access
DL-ADMF LI
Admin
credentials for the Targets of interest forwarded to the Tgt-Id-Probe(s). For LI Receiving
Decode Demod Storage Archiving Analysis Evaluatio n
the
Ring-Buffer Module GRID Detection Mod
HI3 – CC ??? Module
Assembly Module
IP
??? Module
IP
IP
handling of a LIIDs is esssential (to create warrants). The Admin has to be designed and has to integrate a User and Warrant Management with several layers of user rights (who has the right to access what kind of data; Admin, User, Auditor etc.). This LIID structure will aply for LI in PSTN / Mobile NW too.
DATA WAREHOUSE Users / Evaluator / Operators
Receiving Data: It has to be analyzed whether the concept using the Ring-Buffer, GRID and Assembly Modules of the Mass IP Interception solution can be used for LI as well.
IP-Network – Blocking/Shaping and Infection Methodolog y Targets
Networks
INF (IP)
AAA
Block (IP)
Remarks: The solutions IP-traffic Blocking & Shaping and the Infection using FF ISP are different form other Intelligence Methods described because Blocking & Shaping doesn‘t require any data to be transferred
ISP
Tgt.-ID Probe
9
from the Front to the Back-End. The same applies in the first step for the data provided by remotely
Infect. Proxy active BS IPProbe active
controlled targets. These data are received by FinSpy Server and can be pushed into to Data Warehouse on demand.
Mediation Data Handling: Again HP-Servers will be used but for both Blocking & Shaping and Infection these Servers MUST be actively inline for data manipulations. The Bypass Function is a must have too. No incoming DATA
Front-End Back-End Admin
Receiving
Target Identif.: Tgt-Id-Probes are needed and used in the same way as for LI. In addition they can be used to block
Ethernet DL-ADMF FF-ISP
and/or shape the traffic of subscribers of interest. Without Tgt-Id-Probes B&S will take care about
DL-ADMF BS
protocols / applications only without target „awareness“.
FinSpy MASTER
It has to be defined whether String Search must be integrated into the IP-Probes to reach a finer granularity for blocking / shaping and maybe infection.
Decode Demod Storage Archiving Analysis Evaluatio n
Data handover: Only defined for FinSpy (Master). IP
DATA WAREHOUSE Users / Evaluator / Operators
Admin: The Admin is available for FF ISP. An Admin System has to be designed taking care about the workflow in the Blocking/Shaping System. The user can enter Filter Criteria = Blocking/Shaping Criteria (which might be the same used for the Mass IP-data System). Using Tgt-Id-probes NW access credentials must be administered too.
PSTN & Mobile NW – Lawful Interception 10 Data Capturing:In both Networks (PSTN and Mobile) data capturing is performed Methodolog (Voice and IP) LI – (Voice + LI – (Voice + IP) inside the NW y Targets
Networks
IP)
PST N
HI3 – CC ISDN
Back-End
ISDN S2m
Admin
Receiving
kind of solutions). This applies for both Voice (voice, modem, fax) and IP-
Mobil e
data. Target Identif.: This is also part of the NW-LI-functions.
HI1 HI1 Marking Marking Targets Targets PSTN Mobile Intercepti Intercepti Mediati on on on Mgmt. Mgmt. MobileHI3 – CC ISDN HI2 – IRI HI2 – IRI X.25, TCP/IP, X.25, TCP/IP, X.31 X.31 HI3 – CC FTAM, FTP, FTAM, FTP, Eth Rose Rose TCP/IP ISDN Eth/X. Eth/X. Eth S2m 25 25
Mediation
Front-End
using NW-vendor specific solutions (assuming the NW-vendor is providing such
HI2 – IRI Receiver HI3 – CC Voice Recorder
(fixed / mobile) will be marked for LI inside the NW. The Interception Mgmt. Systems (PSTN/Mobile) also provide the IRI-data (either ASN.1 encoded or as ASCII-files). Assigning a LIID is part of this admin process and it has to refer to the LIID used in the Monitoring Center for admin the LI-warrant. Data Handover CC-Voice: Voice data will be transferred via ISDN (S2m) to the Back-End (PCM30, A-law
HI2 – IRI Receiver
encoded) from the switches of the NW.
HI3 – CC Voice Recorder HI3 – CC ??? Module
Decode Demod
Admin: Also the Admin-Function of the NW is part of the NW-environment. Subscribers
IRI: IRI-Record can be either FTAM, FTP or Rose on X.25/X.31 or TCP/IP provided via
??? Modules
the NW-LI-Management System(s). CC-IP
Storage Archiving Analysis Evaluatio n
VOIC E
IRI
IP
VOIC E
IRI
DATA WAREHOUSE
= Mediation: Mediation
IP-data from GPRS/UMTS will be mediated using Dreamlabs
Appliance to provide i.e. ETSI-formated data to the Back-End.
Users / Evaluator / Operators
Receiving Data: Receiving CC-Voice and IRI-Records will made own/separate Appliances necessary. IP-Data from GPRS/UMTS via DL Mediation have to be handled in the
All Networks – Data Retention System Methodolog y Targets
Networks
DRS
11
Data Capturing:Data to be captured accross all kinds of NWs are: WHO (IP, Username, [Mobile] Phone No., IMSI, IMEI) is/was
ISP AAA
PST N
communicating with WHOM (IP....) at what DATE/TIME
Mobil e
using what KIND OF METHOD/PROTOCOL (Mail, WWW, Skype, Collecti on Devices
Chat, Voice, Fax, SMS...). It might be possible to keep i.e. also the subjects of Emails etc. (which extends the classic
Mediation
DRS). Data are provided either by the Networks themselves by interfacing OSS/BSS (Billing Systems; CDRs), or using NW-elements in IP-NW (Switches, Routers – Cisco, Juniper,
Front-End Back-End Admin
...) or using own IP-Appliances in IP-NWs to create these Ethernet
kind if data by analyzing/capturing the traffic. In IPNetworks existing Target-Id-Probes (for LI, FF ISP) can be used
DRS SERVER
additionally to get user data.
Receiving
Data Handover: The different DRS-data have to be more or less normalized
Decode Demod
to
depending from which source/NW they are coming from be stored in the Data Warehouse and being retrieved again Storage Archiving Analysis Evaluatio n
IP
on demand.
Data Wareh.: DATA WAREHOUSE
Users / Evaluator / Operators
Due to the huge amount of data and the high
data rates
coming from different NWs it will make sense to keep the data in a separate storage/Data Warehouse. Admin: Due to the very specific usage of a DRS and the different
Conclusion – proposal how to proceed ...
12
Conclusion This conclusion is based on the following assumptions and facts: 1. More IP-knowledge than classic PSTN/Mobile NW knowledge available within the 3 partners 2. Sales experience and market access is available for all solutions 3. PSTN/Mobile Voice data need a complete different handling (receiving, decoding, evaluation) than IP-data 4. No. 2 becomes even more difficult dealing with decoding of modem and fax transmissions 5. LI for classic PSTN/Mobile NWs depend very much on the LI-implementations provided by the different NWvendors 6. DRS is characterized by huge amounts of data, a wide range of different intefaces needed to capture/receive data, different Hand-over-Interfaces (HI-A, HI-B) and different approaches when data are to be retrieved, own/different user management etc. 7. Different Intelligence Methods need different kinds of administration functions 8. Different Intelligence Methods need different ways of storage (data structures), different decoding and analysis/evaluation methods The proposed way to go should be: 9. Start with Mass IP-Data Interception (for this Intelligence Method the most work is done / solutions are available) 10. Next Step will be LI in IP-Networks (a lot of components can be used and/or are available and can be modified accordingly) 11. Due to the fact that Infection solutions are products ready to use (FinFly ISP, FinFlyWeb, FinFlyUSB) the data coming from FinSpy Master have to be integrated into the Data Warehouse (like we did for other MCs). 12. Blocking and Shaping has no real impact on the Back-End because no data transfer towards the BE has to take place. It can be kept as a separate product, making use of filter criteria also used for Mass IP-data Interception. Having an own GUI running on the same Management Workstation like Mass IP Interception and/or LI and/or Infection will be sufficient. 13. Although LI in PSTN/Mobile networks provide a lot of functions as part of the networks we still will need a lot of additional equipment (HW/SW) to receive, decode and evaluate captured data. Maybe Appliances and Software from 3rd Parties might be a solution (ASC, Spectronic, others). For us integrating the data in the Warehouse then would be the major task together with an overall System/Warrant administration. Interfacing to other data
Vielen Dank für die Aufmerksamkeit
13