1

Gamma:

Strategy for an

overall Intelligence Concept

Th. Fischer May 04, 2011

Introduction
Scope and Preconditions
The three companies Gamma Group, Desoma and Dreamlab intend to create Telecommunication Intelligence Systems for different telecommunication networks to fulfill the customers needs and requirements regarding Lawful Interception, Massive Data Interception, Data Retention and traffic/application/protocol Control (Traffic Blocking and Shaping).

These different intelligence methods and technologies are to be deployed in different network environments like classic fixed and mobile networks as well as in IP-based (packet oriented) networks. However, not every technology/method will be used in every network in the same way if it will be used at all. The Intelligence Systems must be modular/scalable and have to be combined depending on the communication environments and needs in different project/countries. The main expertise of all three partners is the IP-world. There should be some technological competence on Desomas side regarding the classic networks (PSTN,Mobile), while Gamma has the world wide marktet access and competence regarding sales and marketing for all technologies mentioned above. Beside some restrictions regarding specific knowledge (which has to be evaluated) there are for sure restrictions regarding man power, time and money. A strategy has to be defined to create Intelligence System(s) which can be realized in a rather short period of time to generate RoI, being competitive and making the most use of currently available knowledge and experience of all partners. The following slides will give an overview of the different Intelligence Solutions requirements and technologies and an indication regarding the availability of solutions and/or the capability to solve the technial requirements.

Networks <-> Intelligence Methods used

Networks Methods PSTN (ISDN/POTS) Mobile (GSM/GPRS/UMTS/ LTE)
Yes Supported by Network

IP-Networks
Yes partly supported by NW mainly own Appliances Yes Internet Gateways Yes i.e. at Internet Gateways Yes using NW elements and/or own Appliances

Lawful Interception

Yes supported by Network Yes International Gateways

Mass Data Interception

Blocking / Shaping

No

partly for/in the IP-part of the NW Yes supported by Network For PC/Nb possible in Mobile NW or indirectly via IP-NW (FinFly ISP). For mobile Phones/PDA etc. own FinFisher-Application

Data Retention

Yes supported by Network

Infection

Not inside the NW but for PC/Nb indirectly via IP-NW

Yes FinFly ISP

Networks (Intelligence Methods) <-> Solutions / Technologies

Networks Methods PSTN (ISDN/POTS) Mobile (GSM/GPRS/UMTS/L TE)
Admin HI1: inside NW IRI HI2:IP/X.25-Receiver CC HI3: S2mRecorder CC HI3 IP: own IPAppliance Tgt.-Ident: inside NW ????? IP-Part of the NW: Admin:own Admin Block/Shape: own IPAppliance Tgt.-Ident: own IPAppliances Network Elements (OSS/BSS) provide Info for DRS (CDRs)

IP-Networks
Admin HI1: HI2 (= HI3): CC HI3: Appliance Tgt.-Ident: Appliance Admin HI1: HI2 (= HI3): CC HI3: Appliance own Admin n/a own IPown IPown Admin n/a own IP-

Lawful Interception

Admin HI1: inside NW IRI HI2:IP/X.25-Receiver CC HI3: S2mRecorder Tgt.-Ident: inside NW Admin:own Admin IRI HI2:??? CC HI3: S2mRecorder

Mass Data Interception

Blocking / Shaping

n/a

Admin:own Admin Block/Shape: own IPAppliance Tgt.-Ident: own IPAppliance Using Network Elements (OSS/BSS) and/or own IPAppliances Admin:own Admin Tgt.-Ident: own IPAppliance Delivery: own IPAppliance

Data Retention

Network Elements (OSS/BSS) provide Info for DRS (CDRs)

Infection

See IP-Networks for PC/Nb Mobile Phones: Indirectly: See IP-Networks Admin:own Admin Tgt.-Ident: manually (?) Delivery: own Methods

Solutions / Techologies <-> Availability on our 5 side PSTN (ISDN/POTS) Mobile (GSM/UMTS/LTE) IP-Networks
TASKS
LI Mass Data Desom a/ 3rd Party Desom a/ 3rd Party Manuall y NW ??? Desom a/ 3rd Party Desom a Desom a Desom a DE/DL DE/DL B&S DRS INFEC LI Mass Data B&S (IPonly) Dreaml ab DRS INFEC Mobile LI Mass Data B&S DRS INFEC

Fro ntEn d

Administration Data Capturing / Handling Target Identification Mediation Receiving Data

NW

n/a

Tbd

n/a

NW

n/a

Tbd

GG

DE/DL

DE/DL

DE/DL

Tbd

DL/GG

NW

n/a

Tbd

n/a

NW

n/a

Dreaml ab Dreaml ab n/a

Tbd

GG

Dreaml ab Dreaml ab Dreaml ab Desom a Desom a DE/DL DE/DL DE/DL DE/DL

Dreaml ab Dreaml ab Dreaml ab Desom a Desom a DE/DL DE/DL DE/DL DE/DL

Dreaml ab Dreaml ab n/a

Tbd

DL/GG

NW IRI only Desoma / 3rd Party Desoma Desoma Desoma DE/DL DE/DL

n/a n/a

Tbd Tbd

n/a n/a

NW IRI-NW IP DL Desom a Desom a Desom a Desom a DE/DL DE/DL

n/a n/a

Tbd Tbd

GG n/a

Tbd Tbd

Dreaml ab n/a

n/a

Tbd

n/a

n/a

n/a

Tbd

GG

n/a

Tbd

GG

Ba ckEn d

DB (Storage/Archive) Decode / Demodul Reconstruction Back-End Admin User Management

n/a n/a n/a n/a n/a

Tbd Tbd Tbd Tbd Tbd

n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a

n/a n/a n/a n/a n/a

Tbd Tbd Tbd Tbd Tbd

GG n/a n/a GG GG

n/a n/a n/a DE/DL DE/DL

Tbd Tbd Tbd Tbd Tbd

GG n/a n/a DL/GG DL/GG

Lege nd:

provided/available by eihter the NW or by a partner to be defined OR using 3rd Party solution (DRS)

not needed / not applicable to be done/defined/created

needs more investigation/analysis under investigation

Graphical Overview all Solutions/Methods

Methodolog y Targets

6
LI (Voice + IP) DRS

IM Mass (IP)

LI - (IP)

INF (IP)

Block (IP)

LI (Voice + IP)

Networks

ISP
AAA
Tgt.-ID Probe Index. IPProbe active/passi ve

AAA
Tgt.-ID Probe

ISP
LI-Probe passive Network Element s DL Mediation IP

AAA

ISP
Infect. Proxy active BS IPProbe active

PST N

Mobil e

Tgt.-ID Probe

Collecti on Devices

Mediation

HI3 CC ISDN

NFS or UDP

Front-End Back-End
Admin

HI2/HI3 IRI/CC Eth TCP/IP Ethernet DL-ADMF LI

No incoming DATA Ethernet DL-ADMF FF-ISP DL-ADMF BS FinSpy MASTER ISDN S2m

Ethernet DL/DEAdmin Mass-IP Ring-Buffer Module GRID Detection Mod Assembly Module

HI1 HI1 Marking Marking Targets Targets PSTN Mobile Intercepti Intercepti Mediati on on on Mgmt. Mgmt. MobileHI3 CC ISDN HI2 IRI HI2 IRI X.25, TCP/IP, X.25, TCP/IP, X.31 X.31 HI3 CC FTAM, FTP, FTAM, FTP, Eth Rose Rose TCP/IP ISDN Eth/X. Eth/X. Eth Ethernet S2m 25 25

HI2 IRI Receiver HI3 CC Voice Recorder

HI2 IRI Receiver HI3 CC Voice Recorder HI3 CC ??? Module ??? Modules DRS SERVER

Receiving

HI3 CC ??? Module ??? Module

Decode Demod Storage Archiving Analysis Evaluatio n

IP

IP

IP

IP

DATA WAREHOUSE

VOIC E

IRI

IP

VOIC E

IRI

IP

Users / Evaluator / Operators

IP-Network Mass IP Interception

Methodolog y Targets

IM Mass (IP)

Data Capturing:DAISY from Desoma is curretly using a CS-2000 or PN41-Blade (IBM) to connect passively or actively to the network (Indexing Module = IP-Probe). This has to be changed to use HP-Servers with appropriate

Networks

ISP
AAA
Tgt.-ID Probe Index. IPProbe active/passi ve

NICs from Dreamlab. Active will be chosen in case a Man-in-the-Middle attack is planned for SSL certificates (using Bypass Function). In this module data filtering takes place to search for specific data and reduce the amount of data to be sent to the Back-End. It has to be defined whether String Search must be integrated into the IP-Probes to reach a finer granularity for Filtering data of interest. Target Identif.: Dreamlab has Tgt-Id-Probes available in case Mass IP-Interception has to be specified for dedicated subscribers (exceptional case) Data handover: NFS and/or UDP is used currently and will be implemented into the Dreamlab IPProbes too, to handover the captured IP-data to the Ring-Buffer / GRID Detection Module. Admin: Has to take care about the workflow in the Mass IP Interception System. The user can enter Filter Criteria which are forwarded to the IP-Probe(s) to filter/capture data of interest. If necessary the Tgt-IdProbes are configured as well. IP of user rights (who has the right to access what kind of data; Admin, User, Auditor etc.) Ring-Buffer & GRID Detection: and generate so These Modules receive the captured IP-data from the Front-End (IP-Probe) The Admin has to be designed and has to integrate a User Management with several layers

Mediation

NFS or UDP

Front-End Back-End
Admin

Ethernet DL/DEAdmin Mass-IP Ring-Buffer Module GRID Detection Mod Assembly Module

Receiving

Decode Demod Storage Archiving Analysis Evaluatio n

IP

DATA WAREHOUSE
Users / Evaluator / Operators

called additional Meta-Data. Data are stored with different Storage solutions. GRID is

IP-Network Lawful Interception

Methodolog y Targets

LI - (IP)

Data Capturing:This will be the same kind of HP-Servers used for Mass IP-data Interception to capture IP-Data for LI passively. In addition Dreamlab is capable of handling IP-data provided by Network Elements (Juniper, Cisco, Huawei). Target Identif.: Dreamlab has Tgt-Id-Probes available to capture assinged IPaddresses of Targets by searching for their nw access credentials. Data Handover = Mediation: data formats This Dreamlab appliance can convert the captured IP-data into several

Networks

AAA
Tgt.-ID Probe

ISP
LI-Probe passive Network Element s DL Mediation IP

Mediation

Front-End Back-End
Admin
Ring-Buffer Module GRID Detection Mod Assembly Module

HI2/HI3 IRI/CC Eth TCP/IP Ethernet DL-ADMF LI

(i.e. ETSI) for IP-datza handover to several Monitoring Centers simultaneously.

Admin: Has to take care about the workflow in the LI System. The user can enter the NW access credentials for the Targets of interest forwarded to the Tgt-Id-Probe(s). For LI the
HI3 CC ??? Module ??? Module

Receiving

handling of a LIIDs is esssential (to create warrants). The Admin has to be designed and has to integrate a User and Warrant Management with several layers of user rights (who has the right to access what kind of data; Admin, User, Auditor etc.). This LIID structure will aply for LI in PSTN / Mobile NW too. Receiving Data: It has to be analyzed whether the concept using the Ring-Buffer, GRID and Assembly Modules of the Mass IP Interception solution can be used for LI as well.

Decode Demod Storage Archiving Analysis Evaluatio n

IP

IP

IP

DATA WAREHOUSE
Users / Evaluator / Operators

IP-Network Blocking/Shaping and Infection

Methodolog y Targets

INF (IP)

Block (IP)

Remarks: The solutions IP-traffic Blocking & Shaping and the Infection using FF ISP are different form other Intelligence Methods described because Blocking & Shaping doesnt require any data to be transferred from the Front to the Back-End. The same applies in the first step for the data provided by remotely controlled targets. These data are received by FinSpy Server and can be pushed into to Data Warehouse on demand. Data Handling: Again HP-Servers will be used but for both Blocking & Shaping and Infection these Servers MUST be actively inline for data manipulations. The Bypass Function is a must have too.

Networks

AAA

ISP
Infect. Proxy active BS IPProbe active

Tgt.-ID Probe

Mediation

No incoming DATA

Front-End Back-End
Admin

Ethernet DL-ADMF FF-ISP DL-ADMF BS FinSpy MASTER

Target Identif.: Tgt-Id-Probes are needed and used in the same way as for LI. In addition they can be used to block and/or shape the traffic of subscribers of interest. Without Tgt-Id-Probes B&S will take care about protocols / applications only without target awareness. It has to be defined whether String Search must be integrated into the IP-Probes to reach a finer granularity for blocking / shaping and maybe infection.

Receiving

Decode Demod Storage Archiving Analysis Evaluatio n IP

Data handover: Only defined for FinSpy (Master).

DATA WAREHOUSE
Users / Evaluator / Operators

Admin: The Admin is available for FF ISP. An Admin System has to be designed taking care about the workflow in the Blocking/Shaping System. The user can enter Filter Criteria = Blocking/Shaping Criteria (which might be the same used for the Mass IP-data System). Using Tgt-Id-probes NW access credentials must be administered too.

PSTN & Mobile NW Lawful Interception 10 Data Capturing:In both Networks (PSTN and Mobile) data capturing is performed Methodolog (Voice and IP) LI (Voice + LI (Voice + IP) inside the NW
y Targets

IP)

using NW-vendor specific solutions (assuming the NW-vendor is providing such kind of solutions). This applies for both Voice (voice, modem, fax) and IPdata. Target Identif.: This is also part of the NW-LI-functions. Admin: Also the Admin-Function of the NW is part of the NW-environment. Subscribers (fixed / mobile) will be marked for LI inside the NW. The Interception Mgmt. Systems (PSTN/Mobile) also provide the IRI-data (either ASN.1 encoded or as ASCII-files). Assigning a LIID is part of this admin process and it has to refer to the LIID used in the Monitoring Center for admin the LI-warrant. Data Handover CC-Voice: Voice data will be transferred via ISDN (S2m) to the Back-End (PCM30, A-law encoded) from the switches of the NW. IRI: IRI-Record can be either FTAM, FTP or Rose on X.25/X.31 or TCP/IP provided via the NW-LI-Management System(s). CC-IP VOIC E IRI = Mediation: Mediation IP-data from GPRS/UMTS will be mediated using Dreamlabs

Networks

PST N

Mobil e

Mediation
HI3 CC ISDN

Front-End Back-End
Admin

ISDN S2m

HI1 HI1 Marking Marking Targets Targets PSTN Mobile Intercepti Intercepti Mediati on on on Mgmt. Mgmt. MobileHI3 CC ISDN HI2 IRI HI2 IRI X.25, TCP/IP, X.25, TCP/IP, X.31 X.31 HI3 CC FTAM, FTP, FTAM, FTP, Eth Rose Rose TCP/IP ISDN Eth/X. Eth/X. Eth S2m 25 25

HI2 IRI Receiver HI3 CC Voice Recorder

HI2 IRI Receiver HI3 CC Voice Recorder HI3 CC ??? Module ??? Modules

Receiving

Decode Demod Storage Archiving Analysis Evaluatio n VOIC E IRI

IP

DATA WAREHOUSE

Users / Evaluator / Operators

Appliance to provide i.e. ETSI-formated data to the Back-End. Receiving Data: Receiving CC-Voice and IRI-Records will made own/separate Appliances necessary. IP-Data from GPRS/UMTS via DL Mediation have to be handled in the

All Networks Data Retention System

Methodolog y Targets

11

DRS

Data Capturing:Data to be captured accross all kinds of NWs are: WHO (IP, Username, [Mobile] Phone No., IMSI, IMEI) is/was

Networks

ISP
AAA

PST N

Mobil e
Collecti on Devices

communicating with WHOM (IP....) at what DATE/TIME using what KIND OF METHOD/PROTOCOL (Mail, WWW, Skype, Chat, Voice, Fax, SMS...). It might be possible to keep i.e. also the subjects of Emails etc. (which extends the classic DRS). Data are provided either by the Networks themselves by interfacing OSS/BSS (Billing Systems; CDRs), or using NW-elements in IP-NW (Switches, Routers Cisco, Juniper,

Mediation

Front-End Back-End
Admin

...) or using own IP-Appliances in IP-NWs to create these

Ethernet

kind if data by analyzing/capturing the traffic. In IPNetworks existing Target-Id-Probes (for LI, FF ISP) can be used additionally to get user data. Data Handover: The different DRS-data have to be more or less normalized depending from which source/NW they are coming from to be stored in the Data Warehouse and being retrieved again

DRS SERVER

Receiving

Decode Demod Storage Archiving Analysis Evaluatio n IP

on demand. Due to the huge amount of data and the high data rates

Data Wareh.: DATA WAREHOUSE

Users / Evaluator / Operators

coming from different NWs it will make sense to keep the data in a separate storage/Data Warehouse. Admin: Due to the very specific usage of a DRS and the different

Conclusion proposal how to proceed ...

Conclusion
This conclusion is based on the following assumptions and facts: 1. More IP-knowledge than classic PSTN/Mobile NW knowledge available within the 3 partners 2. Sales experience and market access is available for all solutions 3. PSTN/Mobile Voice data need a complete different handling (receiving, decoding, evaluation) than IP-data 4. No. 2 becomes even more difficult dealing with decoding of modem and fax transmissions 5. LI for classic PSTN/Mobile NWs depend very much on the LI-implementations provided by the different NWvendors 6. DRS is characterized by huge amounts of data, a wide range of different intefaces needed to capture/receive data, different Hand-over-Interfaces (HI-A, HI-B) and different approaches when data are to be retrieved, own/different user management etc. 7. Different Intelligence Methods need different kinds of administration functions 8. Different Intelligence Methods need different ways of storage (data structures), different decoding and analysis/evaluation methods The proposed way to go should be:

12

9. Start with Mass IP-Data Interception (for this Intelligence Method the most work is done / solutions are available) 10. Next Step will be LI in IP-Networks (a lot of components can be used and/or are available and can be modified accordingly) 11. Due to the fact that Infection solutions are products ready to use (FinFly ISP, FinFlyWeb, FinFlyUSB) the data coming from FinSpy Master have to be integrated into the Data Warehouse (like we did for other MCs). 12. Blocking and Shaping has no real impact on the Back-End because no data transfer towards the BE has to take place. It can be kept as a separate product, making use of filter criteria also used for Mass IP-data Interception. Having an own GUI running on the same Management Workstation like Mass IP Interception and/or LI and/or Infection will be sufficient. 13. Although LI in PSTN/Mobile networks provide a lot of functions as part of the networks we still will need a lot of additional equipment (HW/SW) to receive, decode and evaluate captured data. Maybe Appliances and Software from 3rd Parties might be a solution (ASC, Spectronic, others). For us integrating the data in the Warehouse then would be the major task together with an overall System/Warrant administration. Interfacing to other data

Vielen Dank fr die Aufmerksamkeit

13