finfisher overall spy
TRANSCRIPT
-
7/29/2019 Finfisher Overall Spy
1/13
1
Gamma: Strategy for an
overall IntelligenceConcept
Th. Fischer May 04, 2011
-
7/29/2019 Finfisher Overall Spy
2/13
2Introduction
Scope and Preconditions
The three companies Gamma Group, Desoma and Dreamlab intend to create Telecommunication IntelligenceSystems for different telecommunication networks to fulfill the customers needs and requirements regardingLawful Interception, Massive Data Interception, Data Retention and traffic/application/protocol Control (TrafficBlocking and Shaping).
These different intelligence methods and technologies are to be deployed in different network environments likeclassic fixed and mobile networks as well as in IP-based (packet oriented) networks. However, not everytechnology/method will be used in every network in the same way if it will be used at all.
The Intelligence Systems must be modular/scalable and have to be combined depending on the communicationenvironments and needs in different project/countries.
The main expertise of all three partners is the IP-world. There should be some technological competence onDesomas side regarding the classic networks (PSTN,Mobile), while Gamma has the world wide marktet accessand competence regarding sales and marketing for all technologies mentioned above.
Beside some restrictions regarding specific knowledge (which has to be evaluated) there are for surerestrictions regarding man power, time and money.
A strategy has to be defined to create Intelligence System(s) which can be realized in a rather short period oftime to generate RoI, being
competitive and making the most use of currently available knowledge and experience of all partners.
The following slides will give an overview of the different Intelligence Solutions requirements and technologiesand an indication regarding the availability of solutions and/or the capability to solve the technial requirements.
-
7/29/2019 Finfisher Overall Spy
3/13
3Networks IntelligenceMethods used
NetworksMethods PSTN(ISDN/POTS) Mobile(GSM/GPRS/UMTS/LTE)
IP-Networks
LawfulInterception
Yessupported by Network
YesSupported by Network
Yespartly supported by
NWmainly own Appliances
Mass DataInterception
YesInternational
Gateways ?
Yes
Internet Gateways
Blocking / Shaping Nopartly
for/in the IP-part of theNW
Yesi.e. at Internet
Gateways
Data RetentionYes
supported by NetworkYes
supported by Network
Yesusing NW elements
and/or
own Appliances
InfectionNot inside the NW butfor PC/Nb indirectly via
IP-NW
For PC/Nb possible inMobile NW or
indirectlyvia IP-NW (FinFly ISP).
For mobilePhones/PDA etc. ownFinFisher-Application
YesFinFly ISP
-
7/29/2019 Finfisher Overall Spy
4/13
4Networks (Intelligence Methods) Solutions / Technologies
NetworksMethods
PSTN(ISDN/POTS)
Mobile(GSM/GPRS/UMTS/L
TE)IP-Networks
Lawful Interception
Admin HI1: inside NWIRI HI2:IP/X.25-ReceiverCC HI3: S2m-RecorderTgt.-Ident: inside NW
Admin HI1: inside NWIRI HI2:IP/X.25-ReceiverCC HI3: S2m-RecorderCC HI3 IP: own IP-ApplianceTgt.-Ident: inside NW
Admin HI1: own AdminHI2 (= HI3): n/aCC HI3: own IP-ApplianceTgt.-Ident: own IP-Appliance
Mass DataInterception
Admin:own AdminIRI HI2:???CC HI3: S2m-Recorder
?????
Admin HI1: own AdminHI2 (= HI3): n/aCC HI3: own IP-Appliance
Blocking / Shaping n/a
IP-Part of the NW:Admin:own AdminBlock/Shape: own IP-ApplianceTgt.-Ident: own IP-Appliances
Admin:own AdminBlock/Shape: own IP-ApplianceTgt.-Ident: own IP-Appliance
Data RetentionNetwork Elements(OSS/BSS) provide Info forDRS (CDRs)
Network Elements(OSS/BSS) provide Info forDRS (CDRs)
Using Network Elements(OSS/BSS) and/or own IP-Appliances
InfectionIndirectly: See IP-Networks
See IP-Networks for PC/Nb
Mobile Phones:Admin:own AdminTgt.-Ident: manually (?)Delivery: ownMethods
Admin:own AdminTgt.-Ident: own IP-ApplianceDelivery: own IP-Appliance
-
7/29/2019 Finfisher Overall Spy
5/13
5Solutions / Techologies Availability on ourside
PSTN (ISDN/POTS) Mobile (GSM/UMTS/LTE) IP-Networks
TASKS LI MassData B & S DRS INFEC LIMassData
B & S(IP-
only)
DRSINFECMobile
LIMassData
B & S DRS INFEC
Front-End
Administration NW
Desoma/
3rdParty
n/a Tbd n/a NW n/aDreaml
abTbd GG DE/DL DE/DL DE/DL Tbd DL/GG
Data Capturing /Handling
NW
Desoma/
3rdParty
n/a Tbd n/a NW n/aDreaml
abTbd GG
Dreamlab
Dreamlab
Dreamlab
Tbd DL/GG
Target Identification NWManuall
yNW
n/a Tbd n/a NW n/aDreaml
abTbd GG
Dreamlab
Dreamlab
Dreamlab
TbdDreaml
ab
Mediation IRI only ??? n/a Tbd n/aIRI-NWIP DL
n/a n/a Tbd n/aDreaml
abDreaml
abn/a Tbd n/a
Back-End
Receiving Data
Desoma/
3rdParty
Desoma/
3rdParty
n/a Tbd n/aDesom
an/a n/a Tbd GG
Desoma
Desoma
n/a Tbd GG
DB (Storage/Archive) DesomaDesom
an/a Tbd n/a
Desoma
n/a n/a Tbd GGDesom
aDesom
an/a Tbd GG
Decode / Demodul DesomaDesom
an/a Tbd n/a
Desoma
n/a n/a Tbd n/a DE/DL DE/DL n/a Tbd n/a
Reconstruction DesomaDesom
an/a Tbd n/a
Desoma
n/a n/a Tbd n/a DE/DL DE/DL n/a Tbd n/a
Back-End Admin DE/DL DE/DL n/a Tbd n/a DE/DL n/a n/a Tbd GG DE/DL DE/DL DE/DL Tbd DL/GG
User Management DE/DL DE/DL n/a Tbd n/a DE/DL n/a n/a Tbd GG DE/DL DE/DL DE/DL Tbd DL/GG
Legend:
provided/available by eihter the NW or bya partnerto be defined OR using 3rd Party solution(DRS)
not needed / notapplicableto bedone/defined/created
needs moreinvestigation/analysisunder investigation
-
7/29/2019 Finfisher Overall Spy
6/13
-
7/29/2019 Finfisher Overall Spy
7/13
7IP-Network Mass IP Interception
ISPAAANetworks
Mediation
Front-End
Back-End
Targets
IM Mass (IP)
Index. IP-Probe
active/passive
Tgt.-IDProbe
Methodology
Admin
Receiving
DecodeDemod
StorageArchiving
AnalysisEvaluation
NFS orUDP
Ring-BufferModule
GRID Detection
Mod
AssemblyModule
DATA WAREHOUSE
IP IP
Users / Evaluator /Operators
DL/DE-Admin
Mass-IP
Ethernet
Data Capturing:DAISY from Desoma is curretly using a CS-2000 or PN41-Blade (IBM) to connectpassively or actively to
the network (Indexing Module = IP-Probe). This has to be changed to use HP-Servers withappropriate
NICs from Dreamlab.
Active will be chosen in case a Man-in-the-Middle attack is planned for SSL certificates(using Bypass
Function). In this module data filtering takes place to search for specific data and reducethe amount of
data to be sent to the Back-End. It has to be defined whether String Search must beintegrated into the
IP-Probes to reach a finer granularity for Filtering data of interest.
Target Identif.: Dreamlab has Tgt-Id-Probes available in case Mass IP-Interception has to bespecified for dedicated
subscribers (exceptional case)
Data handover:NFS and/or UDP is used currently and will be implemented into the Dreamlab IP-Probes too, to
handover the captured IP-data to the Ring-Buffer / GRID Detection Module.
Admin: Has to take care about the workflow in the Mass IP Interception System. The user can enter
Filter
Criteria which are forwarded to the IP-Probe(s) to filter/capture data of interest. If necessarythe Tgt-Id-
Probes are configured as well.
The Admin has to be designed and has to integrate a User Management with several layersof user
rights (who has the right to access what kind of data; Admin, User, Auditor etc.)
Ring-Buffer &
GRID Detection: These Modules receive the captured IP-data from the Front-End (IP-Probe)
and generate so
called additional Meta-Data. Data are stored with different Storage solutions. GRID is
res onsible to mer e sin le ackets into com lete sessions and extracts La er 2-4 info and
-
7/29/2019 Finfisher Overall Spy
8/13
8IP-Network Lawful Interception
ISPAAANetworks
Mediation
Front-End
Back-End
Targets
LI - (IP)
LI-Probepassive
NetworkElement
s
Methodology
Admin
Receiving
DecodeDemod
StorageArchiving
AnalysisEvaluation
Ring-BufferModule
GRID Detection
Mod
AssemblyModule
DATA WAREHOUSE
DLMediation
IP
DL-ADMFLI
HI2/HI3IRI/CC
EthTCP/IP
??? Module
HI3 CC
??? Module
IP IP IP
Users / Evaluator / Operators
Tgt.-IDProbe
Ethernet
Data Capturing:This will be the same kind of HP-Servers used for Mass IP-dataInterception to capture
IP-Data for LI passively. In addition Dreamlab is capable of handling IP-data
provided byNetwork Elements (Juniper, Cisco, Huawei).
Target Identif.: Dreamlab has Tgt-Id-Probes available to capture assinged IP-addresses of Targets by
searching for their nw access credentials.
Data Handover
= Mediation: This Dreamlab appliance can convert the captured IP-data into several
data formats
(i.e. ETSI) for IP-datza handover to several Monitoring Centers simultaneously.
Admin: Has to take care about the workflow in the LI System. The user can enter theNW access
credentials for the Targets of interest forwarded to the Tgt-Id-Probe(s). For LIthe
handling of a LIIDs is esssential (to create warrants).
The Admin has to be designed and has to integrate a User and WarrantManagement
with several layers of user rights (who has the right to access what kind ofdata; Admin,
User, Auditor etc.). This LIID structure will aply for LI in PSTN / Mobile NW too.
Receiving Data:It has to be analyzed whether the concept using the Ring-Buffer, GRIDand
Assembly Modules of the Mass IP Interception solution can be used for LI
as well.
-
7/29/2019 Finfisher Overall Spy
9/13
9IP-Network Blocking/Shaping and Infection
Networks
Mediation
Front-End
Back-End
Targets
INF -(IP)
ISPAAA
Methodology
Infect. Proxyactive
BS IP-Probeactive
Admin
Receiving
DecodeDemod
StorageArchiving
AnalysisEvaluation
DATA WAREHOUSE
DL-ADMFBS
DL-ADMFFF-ISP
No incoming DATA
FinSpyMASTER
IP
Users / Evaluator /Operators
Tgt.-IDProbe
Block -(IP)
Ethernet
Remarks: The solutions IP-traffic Blocking & Shaping and the Infection using FF ISP aredifferent form other
Intelligence Methods described because Blocking & Shaping doesnt require any data to be
transferredfrom the Front to the Back-End. The same applies in the first step for the data provided by
remotely
controlled targets. These data are received by FinSpy Server and can be pushed into toData
Warehouse on demand.
Data Handling: Again HP-Servers will be used but for both Blocking & Shaping and Infection theseServers MUST be
actively inline for data manipulations. The Bypass Function is a must have too.
Target Identif.: Tgt-Id-Probes are needed and used in the same way as for LI. In addition they canbe used to block
and/or shape the traffic of subscribers of interest. Without Tgt-Id-Probes B&S will take careabout
protocols / applications only without target awareness.
It has to be defined whether String Search must be integrated into the IP-Probes to reach afiner
granularity for blocking / shaping and maybe infection.
Data handover:Only defined for FinSpy (Master).
Admin: The Admin is available for FF ISP.
An Admin System has to be designed taking care about the workflow in theBlocking/Shaping System.
The user can enter Filter Criteria = Blocking/Shaping Criteria (which might be the same
used for the
Mass IP-data System). Using Tgt-Id-probes NW access credentials must be administeredtoo.
-
7/29/2019 Finfisher Overall Spy
10/13
10
PSTN
MobileNetworks
Mediation
Front-End
Back-End
Targets
LI (Voice + IP) LI (Voice +IP)
Methodology
Admin
Receiving
DecodeDemod
StorageArchiving
AnalysisEvaluation
DATA WAREHOUSE
HI3 CCVoice
Recorder
HI2 IRIReceiver
HI3 CCVoice
Recorder
HI2 IRIReceiver
VOICE
IRI
HI3 CC
ISDN
HI2 IRIX.25, TCP/IP,
X.31FTAM, FTP,
Rose
HI3 CCEth
TCP/IP
HI3 CC
ISDN
Mediation
Mobile
VOICE
IRIIP
Users / Evaluator / Operators
??? Modules
HI3 CC??? Module
Eth/X.25
ISDNS2m
Eth/X.25
Eth
HI2 IRIX.25, TCP/IP,
X.31FTAM, FTP,
Rose
MobileIntercepti
onMgmt.
PSTNIntercepti
onMgmt.
HI1MarkingTargets
ISDNS2m
HI1MarkingTargets
PSTN & Mobile NW Lawful Interception(Voice and IP) Data Capturing:In both Networks (PSTN and Mobile) data capturing is performed
inside the NW
using NW-vendor specific solutions (assuming the NW-vendor isproviding such
kind of solutions). This applies for both Voice (voice, modem, fax) and IP-data.
Target Identif.: This is also part of the NW-LI-functions.
Admin: Also the Admin-Function of the NW is part of the NW-environment.Subscribers
(fixed / mobile) will be marked for LI inside the NW. The InterceptionMgmt.
Systems (PSTN/Mobile) also provide the IRI-data (either ASN.1 encoded
or asASCII-files). Assigning a LIID is part of this admin process and it has to
refer to the
LIID used in the Monitoring Center for admin the LI-warrant.
Data Handover
CC-Voice: Voice data will be transferred via ISDN (S2m) to the Back-End(PCM30, A-law
encoded) from the switches of the NW.
IRI: IRI-Record can be either FTAM, FTP or Rose on X.25/X.31 or TCP/IPprovided via
the NW-LI-Management System(s).
CC-IP
= Mediation: IP-data from GPRS/UMTS will be mediated using DreamlabsMediation
Appliance to provide i.e. ETSI-formated data to the Back-End.
Receiving Data:Receiving CC-Voice and IRI-Records will made own/separate
Appliancesnecessary. IP-Data from GPRS/UMTS via DL Mediation have to be handled
in the
-
7/29/2019 Finfisher Overall Spy
11/13
11All Networks Data Retention System
ISPAAA
PSTN
MobileNetworks
Mediation
Front-End
Back-End
Targets
Methodology
Admin
Receiving
DecodeDemod
StorageArchiving
AnalysisEvaluation
DATA WAREHOUSEUsers / Evaluator /
Operators
DRS
Collection
Devices
DRSSERVER
IP
Ethernet
Data Capturing:Data to be captured accross all kinds of NWs are:
WHO (IP, Username, [Mobile] Phone No., IMSI, IMEI)is/was
communicating with WHOM (IP....) at what DATE/TIMEusing
what KIND OF METHOD/PROTOCOL (Mail, WWW, Skype,
Chat, Voice, Fax, SMS...). It might be possible to keepi.e.
also the subjects of Emails etc. (which extends theclassic
DRS). Data are provided either by the Networksthemselves
by interfacing OSS/BSS (Billing Systems; CDRs), or using
NW-elements in IP-NW (Switches, Routers Cisco,Juniper,
...) or using own IP-Appliances in IP-NWs to create these
kind if data by analyzing/capturing the traffic. In IP-Networks
existing Target-Id-Probes (for LI, FF ISP) can be used
additionally to get user data.
Data Handover:The different DRS-data have to be more or lessnormalized
depending from which source/NW they are coming fromto
be stored in the Data Warehouse and being retrievedagain
on demand.
Data Wareh.: Due to the huge amount of data and the highdata rates
coming from different NWs it will make sense to keep the
data in a separate storage/Data Warehouse.
Admin: Due to the very specific usage of a DRS and the different
-
7/29/2019 Finfisher Overall Spy
12/13
12Conclusion proposal how to proceed ...Conclusion
This conclusion is based on the following assumptions and facts:
1. More IP-knowledge than classic PSTN/Mobile NW knowledge available within the 3 partners
2. Sales experience and market access is available for all solutions
3. PSTN/Mobile Voice data need a complete different handling (receiving, decoding, evaluation) than IP-data
4. No. 2 becomes even more difficult dealing with decoding of modem and fax transmissions
5. LI for classic PSTN/Mobile NWs depend very much on the LI-implementations provided by the different NW-vendors
6. DRS is characterized by huge amounts of data, a wide range of different intefaces needed to capture/receivedata, different Hand-over-Interfaces (HI-A, HI-B) and different approaches when data are to be retrieved,
own/different user management etc.
7. Different Intelligence Methods need different kinds of administration functions
8. Different Intelligence Methods need different ways of storage (data structures), different decoding andanalysis/evaluation methods
The proposed way to go should be:
9. Start with Mass IP-Data Interception (for this Intelligence Method the most work is done / solutions are available)
10.Next Step will be LI in IP-Networks (a lot of components can be used and/or are available and can be modified
accordingly)
11.Due to the fact that Infection solutions are products ready to use (FinFly ISP, FinFlyWeb, FinFlyUSB) the datacoming from FinSpy Master have to be integrated into the Data Warehouse (like we did for other MCs).
12.Blocking and Shaping has no real impact on the Back-End because no data transfer towards the BE has to takeplace. It can be kept as a separate product, making use of filter criteria also used for Mass IP-data Interception.Having an own GUI running on the same Management Workstation like Mass IP Interception and/or LI and/orInfection will be sufficient.
13.Although LI in PSTN/Mobile networks provide a lot of functions as part of the networks we still will need a lot ofadditional equipment (HW/SW) to receive, decode and evaluate captured data. Maybe Appliances and Softwarefrom 3rd Parties might be a solution (ASC, Spectronic, others). For us integrating the data in the Warehouse thenwould be the major task together with an overall System/Warrant administration. Interfacing to other data
-
-
7/29/2019 Finfisher Overall Spy
13/13
13Vielen Dank fr die Aufmerksamkeit