What's the best way to wiretap a network?
Scott McGrath
mcgrath at fas.harvard.edu
Tue Jan 20 17:14:35 UTC 2004
Scott C. McGrath
On Tue, 20 Jan 2004, Eriks Rugelis wrote:
>
> Sean Donelan wrote:
> > Assuming lawful purposes, what is the best way to tap a network
> > undetectable to the surveillance subject, not missing any
> > relevant data, and not exposing the installer to undue risk?
>
> 'Best' rarely has a straight-forward answer. ;-)
>
> Lawful access is subject to many of the same scaling issues which we
> confront in building up our networks. Solutions which can work well for
> 'small' access or hosting providers may not be sensible for larger-scale
> environments.
>
> If you have only a low rate of warrants to process per year,
> and if your facilities are few in number and/or geographically close together,
> and if your 'optimum' point of tap insertion happens to be a link which
> can be reasonably traced without very expensive ASIC-based gear,
> and if your operation can tolerate breaking open the link to insert the tap,
> and if the law enforcement types agree that the surveillance target is
> unlikely to notice the link going down to insert the tap...
>
> then in-line taps such as Finisar or NetOptics can be quite sensible.
>
> If your operation can tolerate the continuing presence of the in-line tap
> and you only ever need a small number of them then leaving the taps
> permanently installed may be entirely reasonable.
>
> On the other hand, if your environment consists of a large number (100's) of
> potential tapping points, then you will quickly determine that in-line taps
> have very poor scaling properties.
> a) They are not rack-dense
> b) They require external power warts
> c) They are not cheap (in the range of US$500 each)
> d) Often when you have that many potential tapping points, you are
> likely to be processing a larger number of warrants in a year. An in-line
> tap arrangement will require a body to physically install the recording
> equipment and cables to the trace-ports on the tap. You may also need to
> make room for more than one set of recording gear at each site.
>
> Large-scale providers will probably want to examine solutions based on
> support built directly into their traffic-carrying infrastructure (switches,
> routers.)
Using Cisco's feature set on a uBR it would be
cable intercept interface x/y <Target MAC> <Logging Server IP> <port>
as an example of lawful access on infrastructure equipment.
>
> You should be watchful for law enforcement types trying to dictate a 'solution'
> which is not a good fit to your own business environment. There are usually
> several ways of getting them the data which they require to do their jobs.
>
> Eriks
> ---
> Eriks Rugelis -- Senior Consultant
> Netidea Inc.
> 63 Charlton Boulevard, North York, Ontario, Canada M2M 1C1
> Voice: +1 416 876 0740
> FAX: +1 416 250 5532
> E-mail: eriks at netideainc.ca
>
> PGP public key is here:
> http://members.rogers.com/eriks.rugelis/certs/pgp.htm