Five Questions For Evaluating Lawful Intercept Devices

February 2, 2011

Breaking Point, 1 Feb 2011: As cyber threats continue to become more dangerous, many governments have enacted legislation designed to help law enforcement and intelligence groups gather data. One of the best-known pieces of legislation, the Patriot Act, was enacted by the United States government in the wake of the September 11th attacks.

One result of these laws is to require telecom service providers to capture and disclose, in real time, detailed data that could be used as intelligence information or legal evidence. This information could be from Internet or wireless communications and from targets previously classified as criminal or terrorist suspects. This process, as many readers of this blog will know, is called “Lawful Intercept,” or simply LI. The same technology has important government and military applications in the area of intelligence analysis; it is also used in Data Loss Prevention (DLP) solutions to search for sensitive information like credit card or Social Security numbers in local network traffic.

Obviously, the idea behind LI is not new. No matter the communication form, there has always been a desire to “tap” sources to collect vital information. Because of how our world is networked today, governments must work with telecommunications companies to do this.

The Challenge of Effective Lawful Intercept

The explosive growth of the Internet and wireless technology has made the task of developing equipment and techniques for monitoring communications much more difficult. Some of the important factors adding to this challenge are:

  • The sheer volume of traffic.
  • The continuous expansion and decentralization of interconnected networks.
  • The variety of protocols used, including IM, e-mail, voice over Internet Protocol (VoIP), social networking, and more.
  • Ever-changing application protocols, especially for communications protocols such as IM and Web-based e-mail.
  • Mobile broadband.

LI gets even more complicated because service providers must meet specific requirements laid down in the relevant statutes, or else the evidence collected by LI systems might not stand up in court. In the end, law enforcement agencies are the customers who must be satisfied by the information gathered by the service providers.

To be effective, LI must happen in real time without any disruption or degradation of service, which could tip off the suspects under surveillance. Earlier generations of network equipment have been able to perform some of the required tasks for LI, but after many years of innovation in deep packet inspection (DPI), equipment manufacturers are now producing devices and systems designed specifically to meet the unique demands for fully-functioning LI. But how can a service provider or a government agency verify that a complex piece of LI equipment actually does what the manufacturer claims it will do? How can they evaluate that expensive piece of hardware before committing a lot of money for its purchase?

Validating Lawful Intercept Stability, Performance, and Security

Loyal blog readers already know that the BreakingPoint Storm CTM is the only device available that’s capable of validating the performance, security, and stability of LI systems. Our Lawful Intercept Lab makes it straightforward to bombard an LI device with a mix of real-world network traffic at the speed and volume necessary to simulate what it will face on your network. Our Evergreen Applications program keeps the product updated with the most current versions of application protocols. Using these features, you can embed specific trigger words, images, or numbers into the normal flood of network traffic, then see whether the LI device being validated can catch each instance and report it accurately.

Armed with these capabilities, you’re ready to ask these five key questions when evaluating a Lawful Intercept device:

1. Can the device identify targets amid a large flow of benign traffic?

Any device can find a specific target word in a single stream of traffic in an artificial test environment. But will the device be able to find that target when it has to filter through a river of real-world application traffic at the speed and volume seen on the service provider’s network? Rather than rely on any vendor’s claims, you should validate an LI device’s capabilities for yourself. The “needle in a haystack” situations that the product will face in the real world are so tough because the haystack is huge and complex – representing harmless traffic from hundreds of application protocols – and because the needles are buried so well.

Think about it: the same target keyword will be encoded differently in Gmail, AOL IM, and a chat inside World of Warcraft, among many other possibilities. Your LI system must be able to see through all of this mayhem to pluck out that keyword accurately, regardless of which protocol is being used to transmit it. This gets even tougher when you consider that Web applications are highly dynamic, so that any changes in them could potentially lead to missing triggers in your validation scenarios.

When you validate LI equipment, your scenarios should take all of this into account. To make sure you’re getting the most for your money, you should also run the same scenarios against devices from different vendors so that you can compare them head-to-head.

2. Can the device perform consistently in its identification of targeted information?

An LI device must perform the same way each time it tries to identify a given target. Any inconsistencies in how it finds and reports targets may create a “cry wolf” scenario, in which real threats might be ignored following a series of false positives. When you put LI equipment through its paces, you should repeat scenarios that have predictable results so that you can validate the equipment’s ability to operate consistently.
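The scoring behind questions 1 and 2 can be sketched as follows. This is an added example, not BreakingPoint's code: the trigger phrase, the benign messages, the five encodings and both detectors are constructed stand-ins, and a real validation would replay the traffic through the device under test instead of calling a function.

```python
import base64, gzip, random, urllib.parse

KEYWORD = "blue falcon"  # constructed trigger phrase
# Constructed stand-ins for how different applications carry the same text.
ENCODE = {
    "chat":  lambda s: s.encode(),
    "form":  lambda s: urllib.parse.quote_plus(s).encode(),
    "mime":  lambda s: base64.b64encode(s.encode()),
    "utf16": lambda s: s.encode("utf-16-le"),
    "gzip":  lambda s: gzip.compress(s.encode(), mtime=0),
}
DECODE = {
    "chat":  lambda b: b.decode(),
    "form":  lambda b: urllib.parse.unquote_plus(b.decode()),
    "mime":  lambda b: base64.b64decode(b).decode(),
    "utf16": lambda b: b.decode("utf-16-le"),
    "gzip":  lambda b: gzip.decompress(b).decode(),
}
BENIGN = ["see you at lunch", "the blue team won", "falcon heavy launch", "invoice attached"]

def build_haystack(seed, size=2000, needles=25):
    """Benign traffic with triggers at known positions; same seed, same scenario."""
    rng = random.Random(seed)
    seeded = set(rng.sample(range(size), needles))
    msgs = []
    for i in range(size):
        proto = rng.choice(sorted(ENCODE))
        text = rng.choice(BENIGN)
        if i in seeded:
            text = f"{text} {KEYWORD} {rng.randint(0, 999)}"
        msgs.append((i, proto, ENCODE[proto](text)))
    return msgs, seeded

def naive_detector(msgs):
    # Matches the keyword against raw bytes only.
    return {i for i, _, raw in msgs if KEYWORD.encode() in raw}

def protocol_aware_detector(msgs):
    # Decodes each message according to its protocol before matching.
    return {i for i, proto, raw in msgs if KEYWORD in DECODE[proto](raw)}

def score(detector, seed, runs=3):
    """Recall, false positives, and whether repeated runs report identical hits."""
    msgs, seeded = build_haystack(seed)
    results = [detector(msgs) for _ in range(runs)]
    hits = results[0]
    return {"recall": len(hits & seeded) / len(seeded),
            "false_positives": len(hits - seeded),
            "consistent": all(r == hits for r in results)}
```

Running `score` with the same seed against each candidate gives the head-to-head comparison on identical traffic, and the `consistent` flag is the repeatability check from question 2.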

3. Can the device catch target information when the network is under attack?

Even when you’ve verified everything mentioned above, you still need to find out how the LI solution will perform when the network is under attack. In the real world, you cannot afford to miss a vital piece of target information – a phone number, keyword, credit card number, or even a picture – because your network is also fighting off the effects of malware or a DDoS attack. Validate the equipment before you buy it to make sure that it will find that buried “needle” under a variety of attack scenarios.

4. Can the device properly handle Lawful Intercept within the legal requirements?

An LI device could catch every target and still fail in its mission if it failed to provide the audit trail necessary for proper presentation of legal evidence. Clear, compliant reporting is a key necessity for LI, so be sure to review a real example of the reports generated by the device being evaluated. If the reporting isn’t clear and easy to analyze, keep looking.

5. Can the search for a “needle in a haystack” be done quickly and efficiently?

The performance reports that a vendor shows you may give you an indication of how quickly an LI solution will perform in your environment, but if you really want to answer this question, you have to validate it for yourself. If an LI device degrades the normal speed and reliability of the network, it could be a tip-off to suspects — and a source of frustration for other network users. Even though LI systems can be highly resource-intensive, they still must do their job with speed and stealth. As you run the validation scenarios in the previous steps, keep returning to the question, “Is it fast enough?”

The ancient military thinker Sun Tzu said “Know thy self, know thy enemy.” When evaluating LI systems, the same message holds true. High-performance LI equipment should hold up under the most intense real-world conditions so that it will not miss a piece of critical information. Make sure the device you are relying upon has been validated to perform under those conditions. The five questions above will help get you started.

