03 Deployment for Internet Surveillance

Transcript of 03 Deployment for Internet Surveillance

  • 7/30/2019 03 Deployment for Internet Surveillance

    1/29

    Marketing Department

    Decision Group

    Aug. 2011

  • Internet Surveillance

    Exists in most developed countries, including US, UK, Japan

    Huge scope with multiple surveillance points

    Target on suspects and suspicious content related to national security, terrorism, etc.

    Maintain certain level of network performance

    Focus on several public Internet services, such as email, IM, social networks, etc.

    Strong capability in text mining and secondary analysis

  • Objectives

    Target on cyber space with violence, fraud, extremism, hatred, cult, threat, racial and sexual harassment and assault, etc., which will cause serious social uprising and impact economic activities

    Track suspect IPs and account names involved in the above activities from intercepted online data

    Analyze collected information and forecast the behavior pattern of the above cyber crimes in order to prevent future anti-social activities from happening again

  • Scope

    Target on specific groups, persons

    Mostly on domestic online communication

    Track suspected targets by MAC address, account name in the black list

    IP address as reference of target

    Take mobile or handheld devices into account

    Target on keywords in cyber space

    Online content filtering

    Analysis on intercepted content information

    Management on structured, unstructured and analog data

  • Data Management

    Not necessary if only content filtering

    Very important with large volume of reconstructed data

    Focus on most popular online services, such as emails, Instant Messengers, social media, SMS, etc.

    Primary analysis for data scoping, linking and statistics by effective search engine

    Secondary analysis for behavior pattern, forecast, comparison by data mining or business intelligence tools

  • Data Collection

    Data collection is very important in Internet surveillance

    Target on online protocols and services

    Whether encrypted, decrypted, stream, digital or analog data

    Less duplicated data

    Reconstructed data for legal evidence

    Effective data for analysis

  • Network Forensic

    For reconstructed data from network data packets, deep packet inspection (DPI) technology behind network forensic tool is the fundamental requirement

    Capturing data packet

    Protocol recognizing

    Data reconstruction based on session, protocol and service type

    Formatting and saving reconstructed data

    Data presentation

    Retention data management

  • Work Flow of Network Forensic

    [Diagram. Input: Port-mirroring or In-line monitoring. Stages shown: Capture Packets; Reassemble & Decode; Content Reconstruct; Archive; Statistical Reports. Traffic types shown: E-mail/Webmail, IM/Chat, HTTP, Facebook, Twitter, VoIP]

  • Protocols Required for Internet Surveillance

    More than 160+ Protocols/Services

    IM/Chat (Yahoo, MSN, ICQ, QQ, IRC, Google Talk, etc.)

    Email, Webmail

    HTTP (Link, Content, Reconstruct, Upload, Download)

    File Transfer: FTP, P2P

    Others: Social Media, Telnet, etc.

  • Consideration of Deployment

    Deployment for International Cyber Space

      Cyber message surveillance on contents of emails, http, video stream, VoIP services

      Target on specific targets and groups tracking

    Deployment for Domestic Cyber Space

      Cyber message surveillance on IM, emails, social networks, video stream and VoIP services

      Target on information collection, and specific target tracking

  • Deployment for International

    System deployment in National Exchange Gateway Centers

    Submarine Cable Station

    Land Optic Fiber Station

    Satellite Station

    National backbone network service operator(s)

    Take national ARD configuration into account

  • Basics of Deployment

  • Deployment for Domestic

    Deployment of network forensic tool is an important step to collect data

    Tactic deployment

      Temporary deployment

      Direct wired connection with network infrastructure in ISP PoP sites

      Wireless interception on specific target or penetration into VPN

    Lawful interception deployment

      Permanent deployment by country LI law

      Following standard of ETSI or CALEA

  • Basics of Deployment

  • Tactic Deployment

    For the device deployed inside area nodes (PoP sites) in ISP network

    Direct connection inside infrastructure of border network or access network

    2 types of deployment

      Mirror mode

      Bridge mode

  • Mirror Mode Implementation

    Mirror Mode Deployment

    In Border Network of ISP

  • Bridge Mode Implementation

    Bridge Mode Deployment

    In Border Network of ISP

  • Distributed Deployment

    For centralized management on multiple E-Detectives

    For bandwidth management

    For protocol management

  • Lawful Interception Deployment

    Following ETSI or CALEA Standards

    As a lawful interception system for parsing raw packet data stream from ISPs

    Decoding all data packets associated with protocol based on service port number and session

    Saving un-decoded data into specified directory in pcap format

    Primary data analysis management system

  • Lawful Interception Deployment

    [Diagram. Components shown: ISP Communication Centers; Mediation Platform; E-Detective/LEMF Data Packet Reconstruction System; Analysis Server (Data Mining, BI or KB); Data Retention Management System; Lawful Interception Center in Police or National Security. Links shown: T1/T3 connection; ETL downloading; Archive uploading]

    1. Send pcap data to LI Center

    2. Connection: FTP, pcap files upload

    3. System: download pcap files from mediation platform; Case ID Management; Web based Lawful Enforcement Management Utilities

    4. Connection: FTP

  • Gmail Interception

    Gmail service protected by HTTPS/SSL

    Deployment only by Tactic way

    Certificate warning message appears in the browser of intercepted subscribers

    National Certificate introduced

    CA control mechanism customization by case

  • Deployment for Gmail Interception

  • VPN Penetration

    Most VPN protected by IPSec

    Hard to intercept VPN connection directly

    Find the ends of VPN connection

    Try to penetrate with Wireless Interception into private LAN

  • Distributed Wireless Interception

    Target on private LAN

    Get private identity

    Intrusion Investigation

    Acquire VPN access

    Collect syslogs

    Collect login record

    Follow LI Law

  • Network Forensic on Internet Censorship

    It is the critical step in the procedure of Internet censorship

    Focus on target IP(s), MAC(s) or account name(s) and all related Internet activities

    Keep record on all related Internet activities for lawsuits and text mining against terrorists, cyber criminals and conspirators

    Intercept as many Internet protocols/services as possible

    Only focus on highly suspicious objects and persons

    Keep minimal or no impact on network performance

    Hide identity of network forensic equipment in Internet

  • What We Have

    Network forensic equipment for Internet censorship at national level: e-Detective, Wireless-Detective, Data Retention Management System and Central Management System

    Complete cyber crime investigation training program with experienced cyber investigators from Taiwan cyber crime investigation units

    Consulting service on investigation and legal procedures

  • What We Provide

    Solid consulting and delivery services to take Internet surveillance by

      Clear objectives

      Appropriate surveillance systems

      Vulnerability assessment

      Deployment plan

      Legal procedure

      Data analysis/text mining

    Full training programs for

      Train-the-trainer

      National security officials

      Administrators

    Future development plan

      Technology update and upgrade

      Technical skill shift

      Integration with backend LI system

  • Reference

    Confidential information upon request

  • Thank you for your attention