Posted on CTR-Computer Technology Review
By Ran Nahmias
This article is the first in a two-part series addressing the challenges associated with Lawful Interception (LI) and compliance inherent to virtualization within converged network environments.
Virtualization has provided network architects with exceptional new levels of flexibility and cost savings in their server deployments. At the same time, however, that flexibility creates new opportunities to conceal unlawful activity and to frustrate or delay enforcement, Lawful Interception (LI), and prosecution by moving a virtual host across legal or geographical jurisdictions.
Armed with the appropriate tools and knowledge, companies can address LI and compliance challenges inherent to virtualization within converged network environments and take steps to thwart “jurisdiction hopping.” Protecting the virtual infrastructure calls for innovative strategies and solutions that support Service Providers and Law Enforcement Agencies (LEAs) in carrying out their respective missions.
Virtualization, the Cloud Infrastructure, and Lawful Interception Challenges
Law enforcement agencies and service providers are under intense pressure to thwart terrorists and other malicious intruders who are often armed with sophisticated technology expertise and ample resources. In the past, for example, it was relatively easy to identify peer-to-peer applications or chat using well-known port numbers -- but no more. Traffic patterns have changed, and nowadays, with most applications using standard HTTP and SSL to communicate, there’s an added burden on LI systems to identify more targets on larger volumes of data with fewer filtering options.
Social networking is also driving usage up sharply, giving lawbreakers a growing range of encrypted communication channels to exploit. Effective Lawful Interception technology must now be able to collect high-volume traffic and handle data at unprecedented speeds and with pinpoint reliability.
Defending the Network from Multiple Threats
By law, a service provider must maintain the equipment needed to fulfill the unique requirements of LI’s high-stakes missions. Solutions should map to LI standards and be able to isolate suspicious voice, video or data streams for an interception based on IP address, MAC address or other parameters. To carry out its purpose, Lawful Interception needs:
- The ability to intercept all applicable communications of a certain target without gaps in coverage such as dropped packets, since missing bytes of an encrypted message may render it unreadable or incomplete;
- Total visibility into network traffic at any point in the communication stream -- no blind spots;
- Adequate processing speed to match network bandwidth;
- Undetectability, unobtrusiveness, and lack of performance degradation (a red flag to criminals and terrorists on alert for signs that they have been intercepted);
- Real-time monitoring capabilities, because time is of the essence in preventing a crime or attack and in gathering evidence;
- The ability to provide intercepted information to the authorities in the agreed-upon handoff format; and
- The technology to load-share and balance traffic handed to the LI system.
Network operators and service providers also have their own respective needs, including cost effectiveness, minimal impact on the network, compatibility with existing technology and scalability for growth.
Virtualization Deployment Raises the LI Stakes Even Higher
Virtualization is more than a trend; it’s a revolution. The adoption of virtualization and cloud services challenges LI compliance in converged (physical and virtual) as well as homogeneous environments. And although virtualization promises great improvements in CAPEX, the ability to passively monitor inter-virtual-machine traffic has been almost nonexistent. Cloud computing currently accounts for less than two percent of IT spending, but IDC estimates that by 2015, nearly 20 percent of information will be “touched” by cloud computing, with as much as 10 percent actually maintained in a cloud.
Elasticity and lack of virtual visibility threaten security
In order to conduct effective LI, agencies and service providers need total visibility across the entire network -- data center, core network, and remote branches. Anything not visible is vulnerable. Lack of visibility into inter-VM (virtual machine) traffic reduces the ability to audit data passing between virtual servers, with a consequent inability to pinpoint resource virtualization issues. Until very recently, virtualization itself was practically synonymous with invisibility, creating severe security, monitoring and compliance risks.
For LI purposes, virtualized environments and clouds are frustratingly elastic and global. For example, what happens to an LI warrant issued by local Washington State authorities if the VM target of interest transitions to New Jersey? What becomes of an LI warrant issued by U.S. authorities if the VM target of interest transitions to a different country?
Unfortunately, the so-called “secure perimeter” no longer exists, giving rise to issues of compliance, internal/external intrusions, lawful interception and cybercrime. Security must become an integral part of the actual network architecture, rather than a point solution. Achieving security, given the scarcity and cost of 10G monitoring and security tools, is a key challenge -- as is the ability of such tools to operate at line rate with the desired low latency. Inter-VM capacity is growing, and a virtual switch, independent of the wired infrastructure, easily operates at 10G speeds.
Network speed and complexity are spiraling
Networks are becoming more complex as new applications of VoIP, 4G/LTE and video gain popularity. To further complicate matters, undesirable effects such as jitter, oversubscription and blocking are all magnified in 10G networks. Accelerating speeds raise concerns over link saturation and oversubscription because at 10G, 40G and 100G rates, current tools and instruments simply can’t keep up.
Switching oversubscription occurs when the queue exceeds the size of the physical hardware buffer, and packets are dropped. Even at low or average traffic, bursts can cause queuing that leads to short periods of maximum bandwidth utilization. This sets the stage for quality degradation and its unwelcome outcomes.
Latency and jitter are also risks, because only one packet at a time can be transmitted from each physical output port of a switch, so packets that arrive together must wait in the queue. Resource contention is another threat to reliable function, arising when two packets arrive from separate input ports to the same output port (uplink) at about the same time.
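The oversubscription and contention behaviour described above can be seen in a small drop-tail queue model. This is an added example, not part of the original article: several input ports feed one uplink of equal line rate, the uplink drains one packet per tick, and arrivals beyond the finite hardware buffer are dropped. The bursty sample traffic is constructed with a seeded RNG rather than captured from a network, and the port count, burst size and buffer depth are assumed parameters.

```python
"""Drop-tail model of output-port oversubscription.

Several input ports feed one uplink of equal line rate. Each tick the uplink
drains one packet; arrivals beyond the finite hardware buffer are dropped.
Sample traffic is constructed with a seeded RNG, not captured from a network.
"""
import random


def run_queue(arrivals, buffer_size):
    """Feed per-tick arrival counts through a buffer drained at one packet per tick."""
    queue = dropped = busy_ticks = 0
    for n in arrivals:
        queue += n
        if queue > buffer_size:          # buffer full: excess (tail) packets are dropped
            dropped += queue - buffer_size
            queue = buffer_size
        if queue:                        # uplink transmits exactly one packet this tick
            queue -= 1
            busy_ticks += 1
    return {"offered": sum(arrivals), "dropped": dropped,
            "busy_ticks": busy_ticks, "backlog": queue}


def bursty_arrivals(ticks, ports, burst_len, burst_prob, seed=1):
    """Each port independently emits a burst of burst_len packets with burst_prob per tick."""
    rng = random.Random(seed)
    return [burst_len * sum(rng.random() < burst_prob for _ in range(ports))
            for _ in range(ticks)]


def smooth_arrivals(total, ticks):
    """Spread the same packet count evenly (at most one per tick when total <= ticks)."""
    return [(i + 1) * total // ticks - i * total // ticks for i in range(ticks)]


def compare(ticks=20000, ports=2, burst_len=8, burst_prob=0.03, buffer_size=16, seed=1):
    """Same average load, bursty vs. evenly paced: only the bursty case overflows the buffer."""
    bursty = bursty_arrivals(ticks, ports, burst_len, burst_prob, seed)
    total = sum(bursty)
    return {
        "mean_load": total / ticks,      # fraction of uplink capacity offered on average
        "bursty": run_queue(bursty, buffer_size),
        "smooth": run_queue(smooth_arrivals(total, ticks), buffer_size),
    }


if __name__ == "__main__":
    r = compare()
    print(f"average offered load: {r['mean_load']:.2f} of uplink capacity")
    print(f"bursty: dropped {r['bursty']['dropped']} of {r['bursty']['offered']} packets")
    print(f"smooth: dropped {r['smooth']['dropped']} of {r['smooth']['offered']} packets")
```

With the defaults the average offered load is roughly half the uplink capacity, yet the bursty schedule still loses packets while the evenly paced schedule with the identical packet count loses none.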
Technical Limitations: Promiscuous Mode and Utilization of SPAN Ports
Existing virtual monitoring solutions require promiscuous mode and utilization of Switched Port Analyzer (SPAN) ports. But switch-level monitoring can degrade vSwitch throughput by up to 50 percent, so this approach may require multiple vSwitches to recreate adequate throughput capacity. Utilization of SPAN ports exposes all traffic -- both relevant and irrelevant -- at a maximum capacity of 10G per vSwitch. And in a hosting situation, multiple customers may be residing on the same virtualization host (possibly several per physical virtualization server), so complexity can grow astoundingly.
Further, mirroring traffic does not allow for filtering to capture traffic of interest only; rather it enables capture of “all or nothing.” This becomes a real limitation given the volume of “useless” traffic sent over the network.
A probe is a VM-layer appliance that operates only within the server it resides on and may be developed only for a specific product. Most local VM probes require a dedicated core to operate; they cannot deliver a broad view of the environment and hence fail to offer “big picture” visibility. Conversely, tools that aggregate traffic see the big picture of patterns across the entire network/data center.
Cost issues collide with the LI mission
Service providers also take on new costs when addressing the needs of Lawful Interception. In order to serve the LI agenda, service providers can incur new training, migration and operations costs for LI-relevant technology. These costs are sure to rise, given the demands of content classification and the changing landscape of security threats.
Overall costs also rise with the obligation to maintain full monitoring capacity (much of which is likely to be irrelevant) and to transmit all captured data across wired networks to the instrumentation layer -- another expensive infrastructure requirement. For service providers, leveraging existing investments in 1G tools and postponing the purchase of expensive new 10G monitoring tools is very desirable.
Part two of this series will introduce the virtual Tap and explain how it can cost-efficiently meet many of the needs of Lawful Interception.