Finfisher Overall Spy

7/29/2019 Finfisher Overall Spy

1/13

1

Gamma: Strategy for an

overall IntelligenceConcept

Th. Fischer May 04, 2011


2/13

2Introduction

Scope and Preconditions

The three companies Gamma Group, Desoma and Dreamlab intend to create Telecommunication IntelligenceSystems for different telecommunication networks to fulfill the customers needs and requirements regardingLawful Interception, Massive Data Interception, Data Retention and traffic/application/protocol Control (TrafficBlocking and Shaping).

These different intelligence methods and technologies are to be deployed in different network environments likeclassic fixed and mobile networks as well as in IP-based (packet oriented) networks. However, not everytechnology/method will be used in every network in the same way if it will be used at all.

The Intelligence Systems must be modular/scalable and have to be combined depending on the communicationenvironments and needs in different project/countries.

The main expertise of all three partners is the IP-world. There should be some technological competence onDesomas side regarding the classic networks (PSTN,Mobile), while Gamma has the world wide marktet accessand competence regarding sales and marketing for all technologies mentioned above.

Beside some restrictions regarding specific knowledge (which has to be evaluated) there are for surerestrictions regarding man power, time and money.

A strategy has to be defined to create Intelligence System(s) which can be realized in a rather short period oftime to generate RoI, being

competitive and making the most use of currently available knowledge and experience of all partners.

The following slides will give an overview of the different Intelligence Solutions requirements and technologiesand an indication regarding the availability of solutions and/or the capability to solve the technial requirements.


3/13

3Networks IntelligenceMethods used

NetworksMethods PSTN(ISDN/POTS) Mobile(GSM/GPRS/UMTS/LTE)

IP-Networks

LawfulInterception

Yessupported by Network

YesSupported by Network

Yespartly supported by

NWmainly own Appliances

Mass DataInterception

YesInternational

Gateways ?

Yes

Internet Gateways

Blocking / Shaping Nopartly

for/in the IP-part of theNW

Yesi.e. at Internet

Gateways

Data RetentionYes

supported by NetworkYes

supported by Network

Yesusing NW elements

and/or

own Appliances

InfectionNot inside the NW butfor PC/Nb indirectly via

IP-NW

For PC/Nb possible inMobile NW or

indirectlyvia IP-NW (FinFly ISP).

For mobilePhones/PDA etc. ownFinFisher-Application

YesFinFly ISP


4/13

4Networks (Intelligence Methods) Solutions / Technologies

NetworksMethods

PSTN(ISDN/POTS)

Mobile(GSM/GPRS/UMTS/L

TE)IP-Networks

Lawful Interception

Admin HI1: inside NWIRI HI2:IP/X.25-ReceiverCC HI3: S2m-RecorderTgt.-Ident: inside NW

Admin HI1: inside NWIRI HI2:IP/X.25-ReceiverCC HI3: S2m-RecorderCC HI3 IP: own IP-ApplianceTgt.-Ident: inside NW

Admin HI1: own AdminHI2 (= HI3): n/aCC HI3: own IP-ApplianceTgt.-Ident: own IP-Appliance

Mass DataInterception

Admin:own AdminIRI HI2:???CC HI3: S2m-Recorder

?????

Admin HI1: own AdminHI2 (= HI3): n/aCC HI3: own IP-Appliance

Blocking / Shaping n/a

IP-Part of the NW:Admin:own AdminBlock/Shape: own IP-ApplianceTgt.-Ident: own IP-Appliances

Admin:own AdminBlock/Shape: own IP-ApplianceTgt.-Ident: own IP-Appliance

Data RetentionNetwork Elements(OSS/BSS) provide Info forDRS (CDRs)

Network Elements(OSS/BSS) provide Info forDRS (CDRs)

Using Network Elements(OSS/BSS) and/or own IP-Appliances

InfectionIndirectly: See IP-Networks

See IP-Networks for PC/Nb

Mobile Phones:Admin:own AdminTgt.-Ident: manually (?)Delivery: ownMethods

Admin:own AdminTgt.-Ident: own IP-ApplianceDelivery: own IP-Appliance


5/13

5Solutions / Techologies Availability on ourside

PSTN (ISDN/POTS) Mobile (GSM/UMTS/LTE) IP-Networks

TASKS LI MassData B & S DRS INFEC LIMassData

B & S(IP-

only)

DRSINFECMobile

LIMassData

B & S DRS INFEC

Front-End

Administration NW

Desoma/

3rdParty

n/a Tbd n/a NW n/aDreaml

abTbd GG DE/DL DE/DL DE/DL Tbd DL/GG

Data Capturing /Handling

NW

Desoma/

3rdParty


abTbd GG

Dreamlab

Dreamlab

Dreamlab

Tbd DL/GG

Target Identification NWManuall

yNW


abTbd GG

Dreamlab

Dreamlab

Dreamlab

TbdDreaml

ab

Mediation IRI only ??? n/a Tbd n/aIRI-NWIP DL

n/a n/a Tbd n/aDreaml

abDreaml

abn/a Tbd n/a

Back-End

Receiving Data

Desoma/

3rdParty

Desoma/

3rdParty

n/a Tbd n/aDesom

an/a n/a Tbd GG

Desoma

Desoma

n/a Tbd GG

DB (Storage/Archive) DesomaDesom

an/a Tbd n/a

Desoma

n/a n/a Tbd GGDesom

aDesom

an/a Tbd GG

Decode / Demodul DesomaDesom

an/a Tbd n/a

Desoma

n/a n/a Tbd n/a DE/DL DE/DL n/a Tbd n/a

Reconstruction DesomaDesom

an/a Tbd n/a

Desoma

n/a n/a Tbd n/a DE/DL DE/DL n/a Tbd n/a

Back-End Admin DE/DL DE/DL n/a Tbd n/a DE/DL n/a n/a Tbd GG DE/DL DE/DL DE/DL Tbd DL/GG

User Management DE/DL DE/DL n/a Tbd n/a DE/DL n/a n/a Tbd GG DE/DL DE/DL DE/DL Tbd DL/GG

Legend:

provided/available by eihter the NW or bya partnerto be defined OR using 3rd Party solution(DRS)

not needed / notapplicableto bedone/defined/created

needs moreinvestigation/analysisunder investigation


6/13


7/13

7IP-Network Mass IP Interception

ISPAAANetworks

Mediation

Front-End

Back-End

Targets

IM Mass (IP)

Index. IP-Probe

active/passive

Tgt.-IDProbe

Methodology

Admin

Receiving

DecodeDemod

StorageArchiving

AnalysisEvaluation

NFS orUDP

Ring-BufferModule

GRID Detection

Mod

AssemblyModule

DATA WAREHOUSE

IP IP

Users / Evaluator /Operators

DL/DE-Admin

Mass-IP

Ethernet

Data Capturing:DAISY from Desoma is curretly using a CS-2000 or PN41-Blade (IBM) to connectpassively or actively to

the network (Indexing Module = IP-Probe). This has to be changed to use HP-Servers withappropriate

NICs from Dreamlab.

Active will be chosen in case a Man-in-the-Middle attack is planned for SSL certificates(using Bypass

Function). In this module data filtering takes place to search for specific data and reducethe amount of

data to be sent to the Back-End. It has to be defined whether String Search must beintegrated into the

IP-Probes to reach a finer granularity for Filtering data of interest.

Target Identif.: Dreamlab has Tgt-Id-Probes available in case Mass IP-Interception has to bespecified for dedicated

subscribers (exceptional case)

Data handover:NFS and/or UDP is used currently and will be implemented into the Dreamlab IP-Probes too, to

handover the captured IP-data to the Ring-Buffer / GRID Detection Module.

Admin: Has to take care about the workflow in the Mass IP Interception System. The user can enter

Filter

Criteria which are forwarded to the IP-Probe(s) to filter/capture data of interest. If necessarythe Tgt-Id-

Probes are configured as well.

The Admin has to be designed and has to integrate a User Management with several layersof user

rights (who has the right to access what kind of data; Admin, User, Auditor etc.)

Ring-Buffer &

GRID Detection: These Modules receive the captured IP-data from the Front-End (IP-Probe)

and generate so

called additional Meta-Data. Data are stored with different Storage solutions. GRID is

res onsible to mer e sin le ackets into com lete sessions and extracts La er 2-4 info and


8/13

8IP-Network Lawful Interception

ISPAAANetworks

Mediation

Front-End

Back-End

Targets

LI - (IP)

LI-Probepassive

NetworkElement

s

Methodology

Admin

Receiving

DecodeDemod

StorageArchiving

AnalysisEvaluation

Ring-BufferModule

GRID Detection

Mod

AssemblyModule

DATA WAREHOUSE

DLMediation

IP

DL-ADMFLI

HI2/HI3IRI/CC

EthTCP/IP

??? Module

HI3 CC

??? Module

IP IP IP

Users / Evaluator / Operators

Tgt.-IDProbe

Ethernet

Data Capturing:This will be the same kind of HP-Servers used for Mass IP-dataInterception to capture

IP-Data for LI passively. In addition Dreamlab is capable of handling IP-data

provided byNetwork Elements (Juniper, Cisco, Huawei).

Target Identif.: Dreamlab has Tgt-Id-Probes available to capture assinged IP-addresses of Targets by

searching for their nw access credentials.

Data Handover

= Mediation: This Dreamlab appliance can convert the captured IP-data into several

data formats

(i.e. ETSI) for IP-datza handover to several Monitoring Centers simultaneously.

Admin: Has to take care about the workflow in the LI System. The user can enter theNW access

credentials for the Targets of interest forwarded to the Tgt-Id-Probe(s). For LIthe

handling of a LIIDs is esssential (to create warrants).

The Admin has to be designed and has to integrate a User and WarrantManagement

with several layers of user rights (who has the right to access what kind ofdata; Admin,

User, Auditor etc.). This LIID structure will aply for LI in PSTN / Mobile NW too.

Receiving Data:It has to be analyzed whether the concept using the Ring-Buffer, GRIDand

Assembly Modules of the Mass IP Interception solution can be used for LI

as well.


9/13

9IP-Network Blocking/Shaping and Infection

Networks

Mediation

Front-End

Back-End

Targets

INF -(IP)

ISPAAA

Methodology

Infect. Proxyactive

BS IP-Probeactive

Admin

Receiving

DecodeDemod

StorageArchiving

AnalysisEvaluation

DATA WAREHOUSE

DL-ADMFBS

DL-ADMFFF-ISP

No incoming DATA

FinSpyMASTER

IP

Users / Evaluator /Operators

Tgt.-IDProbe

Block -(IP)

Ethernet

Remarks: The solutions IP-traffic Blocking & Shaping and the Infection using FF ISP aredifferent form other

Intelligence Methods described because Blocking & Shaping doesnt require any data to be

transferredfrom the Front to the Back-End. The same applies in the first step for the data provided by

remotely

controlled targets. These data are received by FinSpy Server and can be pushed into toData

Warehouse on demand.

Data Handling: Again HP-Servers will be used but for both Blocking & Shaping and Infection theseServers MUST be

actively inline for data manipulations. The Bypass Function is a must have too.

Target Identif.: Tgt-Id-Probes are needed and used in the same way as for LI. In addition they canbe used to block

and/or shape the traffic of subscribers of interest. Without Tgt-Id-Probes B&S will take careabout

protocols / applications only without target awareness.

It has to be defined whether String Search must be integrated into the IP-Probes to reach afiner

granularity for blocking / shaping and maybe infection.

Data handover:Only defined for FinSpy (Master).

Admin: The Admin is available for FF ISP.

An Admin System has to be designed taking care about the workflow in theBlocking/Shaping System.

The user can enter Filter Criteria = Blocking/Shaping Criteria (which might be the same

used for the

Mass IP-data System). Using Tgt-Id-probes NW access credentials must be administeredtoo.


10/13

10

PSTN

MobileNetworks

Mediation

Front-End

Back-End

Targets

LI (Voice + IP) LI (Voice +IP)

Methodology

Admin

Receiving

DecodeDemod

StorageArchiving

AnalysisEvaluation

DATA WAREHOUSE

HI3 CCVoice

Recorder

HI2 IRIReceiver

HI3 CCVoice

Recorder

HI2 IRIReceiver

VOICE

IRI

HI3 CC

ISDN

HI2 IRIX.25, TCP/IP,

X.31FTAM, FTP,

Rose

HI3 CCEth

TCP/IP

HI3 CC

ISDN

Mediation

Mobile

VOICE

IRIIP

Users / Evaluator / Operators

??? Modules

HI3 CC??? Module

Eth/X.25

ISDNS2m

Eth/X.25

Eth

HI2 IRIX.25, TCP/IP,

X.31FTAM, FTP,

Rose

MobileIntercepti

onMgmt.

PSTNIntercepti

onMgmt.

HI1MarkingTargets

ISDNS2m

HI1MarkingTargets

PSTN & Mobile NW Lawful Interception(Voice and IP) Data Capturing:In both Networks (PSTN and Mobile) data capturing is performed

inside the NW

using NW-vendor specific solutions (assuming the NW-vendor isproviding such

kind of solutions). This applies for both Voice (voice, modem, fax) and IP-data.

Target Identif.: This is also part of the NW-LI-functions.

Admin: Also the Admin-Function of the NW is part of the NW-environment.Subscribers

(fixed / mobile) will be marked for LI inside the NW. The InterceptionMgmt.

Systems (PSTN/Mobile) also provide the IRI-data (either ASN.1 encoded

or asASCII-files). Assigning a LIID is part of this admin process and it has to

refer to the

LIID used in the Monitoring Center for admin the LI-warrant.

Data Handover

CC-Voice: Voice data will be transferred via ISDN (S2m) to the Back-End(PCM30, A-law

encoded) from the switches of the NW.

IRI: IRI-Record can be either FTAM, FTP or Rose on X.25/X.31 or TCP/IPprovided via

the NW-LI-Management System(s).

CC-IP

= Mediation: IP-data from GPRS/UMTS will be mediated using DreamlabsMediation

Appliance to provide i.e. ETSI-formated data to the Back-End.

Receiving Data:Receiving CC-Voice and IRI-Records will made own/separate

Appliancesnecessary. IP-Data from GPRS/UMTS via DL Mediation have to be handled

in the


11/13

11All Networks Data Retention System

ISPAAA

PSTN

MobileNetworks

Mediation

Front-End

Back-End

Targets

Methodology

Admin

Receiving

DecodeDemod

StorageArchiving

AnalysisEvaluation

DATA WAREHOUSEUsers / Evaluator /

Operators

DRS

Collection

Devices

DRSSERVER

IP

Ethernet

Data Capturing:Data to be captured accross all kinds of NWs are:

WHO (IP, Username, [Mobile] Phone No., IMSI, IMEI)is/was

communicating with WHOM (IP....) at what DATE/TIMEusing

what KIND OF METHOD/PROTOCOL (Mail, WWW, Skype,

Chat, Voice, Fax, SMS...). It might be possible to keepi.e.

also the subjects of Emails etc. (which extends theclassic

DRS). Data are provided either by the Networksthemselves

by interfacing OSS/BSS (Billing Systems; CDRs), or using

NW-elements in IP-NW (Switches, Routers Cisco,Juniper,

...) or using own IP-Appliances in IP-NWs to create these

kind if data by analyzing/capturing the traffic. In IP-Networks

existing Target-Id-Probes (for LI, FF ISP) can be used

additionally to get user data.

Data Handover:The different DRS-data have to be more or lessnormalized

depending from which source/NW they are coming fromto

be stored in the Data Warehouse and being retrievedagain

on demand.

Data Wareh.: Due to the huge amount of data and the highdata rates

coming from different NWs it will make sense to keep the

data in a separate storage/Data Warehouse.

Admin: Due to the very specific usage of a DRS and the different


12/13

12Conclusion proposal how to proceed ...Conclusion

This conclusion is based on the following assumptions and facts:

1. More IP-knowledge than classic PSTN/Mobile NW knowledge available within the 3 partners

2. Sales experience and market access is available for all solutions

3. PSTN/Mobile Voice data need a complete different handling (receiving, decoding, evaluation) than IP-data

4. No. 2 becomes even more difficult dealing with decoding of modem and fax transmissions

5. LI for classic PSTN/Mobile NWs depend very much on the LI-implementations provided by the different NW-vendors

6. DRS is characterized by huge amounts of data, a wide range of different intefaces needed to capture/receivedata, different Hand-over-Interfaces (HI-A, HI-B) and different approaches when data are to be retrieved,

own/different user management etc.

7. Different Intelligence Methods need different kinds of administration functions

8. Different Intelligence Methods need different ways of storage (data structures), different decoding andanalysis/evaluation methods

The proposed way to go should be:

9. Start with Mass IP-Data Interception (for this Intelligence Method the most work is done / solutions are available)

10.Next Step will be LI in IP-Networks (a lot of components can be used and/or are available and can be modified

accordingly)

11.Due to the fact that Infection solutions are products ready to use (FinFly ISP, FinFlyWeb, FinFlyUSB) the datacoming from FinSpy Master have to be integrated into the Data Warehouse (like we did for other MCs).

12.Blocking and Shaping has no real impact on the Back-End because no data transfer towards the BE has to takeplace. It can be kept as a separate product, making use of filter criteria also used for Mass IP-data Interception.Having an own GUI running on the same Management Workstation like Mass IP Interception and/or LI and/orInfection will be sufficient.

13.Although LI in PSTN/Mobile networks provide a lot of functions as part of the networks we still will need a lot ofadditional equipment (HW/SW) to receive, decode and evaluate captured data. Maybe Appliances and Softwarefrom 3rd Parties might be a solution (ASC, Spectronic, others). For us integrating the data in the Warehouse thenwould be the major task together with an overall System/Warrant administration. Interfacing to other data

-


13/13

13Vielen Dank fr die Aufmerksamkeit

Documents

Finfisher Overall Spy