butch_2
DESCRIPTION
MTpTRANSCRIPT
-
CALEA Compliance on a Budget
WISPACALEAStandardforIPNetworkAccess
WISPACSIPNAv.1WISPACAIPNAv.2
-
INTRODUCTION(S)
Who is WISPA? Trade Organization for WISPs Lobby (voice) in DC
What was done? WISPA created a committee of several members,
along with some outside assistance to create an industry standard
-
So What is CALEA?
TheCommunicationsAssistanceforLawEnforcementAct(CALEA)isaUnitedStateswiretappinglawpassedin1994(Pub.L.No.103414,108Stat.4279,codifiedat47USC10011010).Initsownwords,thepurposeofCALEAis:
Toamendtitle18,UnitedStatesCode,tomakeclearatelecommunicationscarrier'sdutytocooperateintheinterceptionofcommunicationsforLawEnforcementpurposes,andforotherpurposes.
-
The CALEA Committee Process
ProcessstartedaroundAprilof2007withatriptoQuanticotointerviewtheFBICALEAImplementationUnit.
MuchworkwasdoneonamailinglistwiththeaidofaWiki.
WecreatedastandardthatwillfacilitateantheimplementationofanOpenSourceCALEAsolution.
Whatdidwedo?
-
Goals of the Process
OpensourcesolutiontotheCALEAstandardseffortforIPnetwork.Status:Indevelopment(codeisbeingwritten).
AstandardwhichwouldpassreviewoftheFBIStatus:Accomplished.
Astandardwhichvendorscouldimplement.Status:Accomplished.
ObtaintemporarysafeharborforWISPswhocannotmeettheisolationrequirementtoday.
Status:Accomplished.
-
Safe Harbor
Whatissafeharbor?SafeHarborisimmunityfromprosecutionforfailingtobeabletosatisfyaCALEAaction.
SomenetworkarchitecturesdonotlendthemselvestoCALEAcomplianceandneedtobegrandfatheredunderastandardwhichallowsoperatorstobecomecompliantovertime.
Weweregivenoneyear.IPNAv.1sunsetsoneyearfromnowandversiontwohasnoNATexclusion.
-
CALEA Collection Model
AccessFunctionFileStructuringFunction
CollectionFunction
InterfaceA
InterfaceB
LEA(W)ISP
TAP RECORDER
-
CALEA Requirements
Thereare13legalprincipleswhichmustbemettosatisfyanactionundertheCALEAstatute.
TheseprinciplesexisttoprotecttheprivacyofallpartiesandtoensurethatLEAsreceiveproperlyhandledevidence.
-
CALEA Requirements
Transparency.
Yourcollectionmustbetransparenttothetargetofthecollection.R10...thesubjectcannotdetect...R20...interceptshallbetransparent...toallothernonauthorizedpersons...
-
CALEA Requirements
ConfidentialityandAccessControl
Yourcollectionmustbeconductedinconfidentiallyandnounauthorizedpersonsmaybeawareoftheintercepts.R30...onlyauthorizedpersonsshallhaveknowledge...oraccess...
-
CALEA Requirements
AuthenticationandIsolation(1)
Youmustbeabletoprovethedatayoucollectwasinfactfromthetargetoftheinvestigation.R40...totheextentusedin...business...ensure...communicationoriginatesfromorisdirectedto...subject
AND...shallnotdelivercommunicationswhichdonotoriginatefromorarenotdirectedto...subject
-
CALEA Requirements
AuthenticationandIsolation(2)
R50Isolation...isrequired...isolatethetargetstreamregardlessof...NAT...
V.1SafeHarborsunsetsinoneyear
-
CALEA Requirements
AuthenticationandIsolation(3)
TheNATexemption(R50)
R50(cont)...requiredtoattemptfullcompliance...Ifnoreasonablealternativeexists,youmaybeexempted...IfyoumeetallotherrequirementsofCALEA.Verystrictexemption.
Expiresinoneyear.
-
CALEA Requirements
Validation
Youmustbeabletoprovethatthedatayoucollectedisthedatathetargetprocessed.R60...ensurethattheinterceptedcommunications...areassociatedwiththesubject...
-
CALEA Requirements
Nonrepudiation(1)
TheLEAmustbeabletoprovethatthedatayoureportedisthedatatheytooktocourt.R70...keepandsecure...accuraterecords...ofinterceptsandhashes...
R80...keepandsecure...sufficientrecordstoprove,aftertheintercept...thecommunicationswereassociatedwiththesubject...
-
CALEA Requirements
Nonrepudiation(2)
TheLEAmustbeabletoprovethedatayoureportedisthedatatheytooktocourtR90...SHA256...shallbeused...fordataintegrity...R100Copiesofthehash...shallbedeliveredtotheLEA...ANDthoseshallbemaintained...asabusinessrecord...
-
CALEA Requirements
Correlation(1)
Thedatayoucollectmustbecorrectlytimestampedsothatitcanbecorrelatedbytrafficflowandbypacket.R110...ensure...OOBeventsandpacketcaptures...orsummaryreports...areaccuratelycorrelated...(bytimestamp)
R120...shallensure...interceptcategoriesarecorrectlycorrelated...(bytimestamp)
-
CALEA Requirements
Correlation(2)
Thedatayoucollectmustbecorrectlytimestampedsothatitcanbecorrelatedbytrafficflowandbypacket.R130...allsystems...havecoordinatedsystemtimes...accurateto200ms...
R140...shalluseIAPandFSFtimestampsasthebasisforOOBmessagecorrelation...
-
CALEA Requirements
Proportionality
TheLEAisnotallowedtoacceptunauthorizeddataandwearenotallowedtocollectit.R150WISPshallensurethatonlyauthorizedcommunicationscategories...aredelivered...
-
CALEA Requirements
Completeness
TheWISPmustcollectallcommunicationscitedintheactionR150...shallensure...completecommunications...shallbeintercepted...
-
CALEA Requirements
Compression
IfcompressionisusedtodeliverdatatotheFSFthecompressionusedmustbelossless.CompressionmaynotbebetweenFSFandLEAR160If...compressionisemployed...acrosstheainterface...(it)shallnotallowlossofdata...WISPshallnotusecompression...transmitting,buffering,storing,ordelivering...totheLEA
-
CALEA Requirements
Encryption
TheWISPmustprovideeitherdecrypteddataorthekeyswhenheprovidestheencryptionservice.C10...deliver...intercepteddata...inunencryptedformor...providealgorithmsused...andkeys
-
CALEA Requirements
Performance
MustbeabletocollectmultipleinterceptsonmultiplesubjectsatthesametimeR180...capableof...multiplesimultaneousinterceptspersubject.
R190...capableof...multiplesimultaneousintercepts...multiplesubjects.
-
CALEA Requirements
TransparentacrossLawEnforcementAgencies
NoagencymayknowwhatotheragenciesaredoingandpersonelinvestigatingonecaseIDmaynotknowaboutothercaseIds.R200MultipleLEAinterceptsforthesame...ordifferentsubjects...transparenttotherespectiveLEAs...orperformedforthesameLEAunderdifferentcaseIDs.
-
CALEA Requirements
AvailabilityandReliability
Youmustensurethecollectionsystemdoesnotlooseorcorruptintercepteddata.R210...useappropriateperformanceandreliabilitymechanisms...thateliminate(s)...likelyhoodthat...interceptwillbecorrupted...mayrequireareliabletransportprotocol...
-
Current Status of MikroTik's Implementation
Still in development Client/Server parts are done
Intercept portion (client side) is CLI access only You need to be familiar with command line firewall rules
to build an intercept Server side will accept a stream from the client
Much of the work has already been done Intercept capability is there Directory structure is there Transparency between logins is done
Completion is just weeks away This will support the WISPA CALEA Standard
-
Time for a quick How-To
Your network is running PPPoE Scenario 1
Collect ALL data for a customer who you know to be using userid of joeblow
Scenario 2 Collect only emails sent and received by customer
using IP address 10.10.10.2 We will demonstrate ONLY POP3 (TCP/110) and SMTP
(TCP/25)
-
CALEA Considerations in Network Implementation
AP
APAP
AP
AP
Target
NOC
Internet
Internet
MeshnetworksnecessitatethecollectionfunctionbeinstalledattheAPwheretheclientconnects.
CF
FSF
LEA
WhichGatewayisTargetUsing?
-
CALEA Considerations in Network Implementation
TargetAP
BH
BH
NOC
Internet
NATbetweenthe(W)ISPandthecustomermandatestheimplementationoftheCollectionFunctionattheAP.
Innocent
Innocent NAT LEA
FSF
CF
Howdoweprotecttheinnocent?
-
CALEA Considerations in Network Implementation
APGateway
Target
NOC
AP
AP
Switch
CFMirrorPort
FSF
AswitchonthebackboneallowsmoreflexibleplacementoftheCF.
-
References and Further Information
MikroTik's wiki http://wiki.mikrotik.com/wiki/Calea
WISPA Website Main Page: http://www.wispa.org/ CALEA Standard page:
http://www.wispa.org/calea/WCS/ Butch Evans Consulting
http://www.butchevans.com/
Slide 1Slide 2Slide 3Slide 4Slide 5Slide 6Slide 7Slide 8Slide 9Slide 10Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Slide 17Slide 18Slide 19Slide 20Slide 21Slide 22Slide 23Slide 24Slide 25Slide 26Slide 27Slide 28Slide 29Slide 30Slide 31