CALEA Workshop - MUM

Contents

1. package installed
By selecting either action, the following options will be available:
• sniff-id: Packet Cable protocol only; packet stream case ID
• sniff-target: IP address of the data retention server
• sniff-target-port: UDP port that the data retention server is listening on
[Slide 24] Mikrotik User Meeting 2007, Butch Evans Consulting, Orlando, Florida, butche@butchevans.com

Data Retention (CALEA) Server
• Install the CALEA server package for your RouterOS version in the normal fashion
• You will have an additional tool menu option
  • /tool calea
• Allows you to save incoming intercept data streams
• The server will create separate files for each stream
  • One data file and one hash file (if configured)
  • File size determined by configuration options (detailed in the next slide)
[Slide 25]

Data Retention Server Configuration
• case-id: case ID, set by the intercepting router (sniff-id property)
• intercept-ip: IP address of the intercepting router (IP address to receive the stream from)
• intercept-port: UDP port to listen on. Set by the intercepting router (sniff-target-port property)
• action: storage format (only pcap for now)
• pcap-file-stop-interval: This sets the maximum TIME between filesets. A new fileset will be created when this time is reached, unless the pcap-file-stop-size value is reached first.
• pcap-file-stop-siz
2. CALEA Workshop: Implications and procedures for Mikrotik WISPs
Mikrotik User Meeting 2007, Butch Evans Consulting, Orlando, Florida, butche@butchevans.com

About Me
• IANAL, nor do I play one on TV
• I have worked with Mikrotik RouterOS for 3-4 years
• I've been involved with the ISP business since 1993. Full time consulting since 2006
• I am a network engineering consultant and a certified Mikrotik Trainer. I do engineering work as well as troubleshooting
• I have one fully developed course for Mikrotik (in partnership with WISP-Router) and another is under development (see me for some flyers about the courses)
• I am working with WISPA to help create an industry standard that will provide a safe harbor for WISPs using Mikrotik
[Slide 2]

Some Background about CALEA
• What IS CALEA, anyway?
  • Communications Assistance for Law Enforcement Act
• Ok, so WHAT IS CALEA?
  • CALEA is a statute that defines obligations of telecommunications carriers (including WISPs) to ensure their ability, pursuant to lawful authorization, to isolate and enable government to intercept electronic communications of a subject, as well as the delivery of intercepted communications to Law Enforcement
[Slide 3]
3. CALEA Server Side Configuration
• CALEA Server package is required
• This is the stream receiver for the preceding slide

  /tool calea
  add action=pcap intercept-port=1888 case-id=477 intercept-ip=192.168.5.140

• To see the configured intercepts:

  /tool calea print
  Flags: X - disabled
   0   case-id=477 intercept-ip=192.168.5.140 intercept-port=1888 action=pcap
       pcap-file-stop-interval=15m pcap-file-stop-size=1024 pcap-file-hash-method=md5
[Slide 22]

File System
[Screenshot: File List window (columns File Name, Type, Size, Creation Time) showing three hotspot directories and the capture files for case 477: a pcap data file with its md5 hash file, and a second pcap data file]
[Slide 23]

Intercept Options
The IP Firewall filters now have two additional actions:
• sniff: generates a tzsp stream that can be directed to any Wireshark (Ethereal) server
• sniff-pc: generates a Packet Cable stream that can be directed to a MikroTik RouterOS system with the calea
4. How does CALEA affect ME?
• Who does CALEA apply to?
  • In April 22, 2005 Wireless Broadband Task Force Report, GN Docket No. 04-163
  • The Department of Justice filed comments with the FCC requesting that the Commission continue to preserve the vital national security and criminal law enforcement capabilities of CALEA as it develops a deregulatory framework for wireless broadband Internet access services
• Doesn't anybody care that I don't have the money for this?
  • NO (kind of)
  • These statutes apply to WISPs even if you (we) don't like it
[Slide 4]

What are my capability requirements?
• What Do I Actually Have to Be Able to Do? Pursuant to a court order or other lawful authorization, WISPs must be able to:
  • Expeditiously isolate all wire and electronic communications of a target transmitted by the carrier within its service area
  • Expeditiously isolate call-identifying information of a target
  • Provide intercepted communications and call-identifying information to law enforcement; and
[Slide 5]

Capability Requirements (cont.)
• Carry out intercepts unobtrusively, so targets are not made aware of the electronic surveillance, and in a manner that does not compromise the privacy of othe
5. e maximal file size in KiB
• pcap-file-hash-method: hashing algorithm (md5 or sha1) for the data file; saved once the data file is completed and closed; no file is created if set to none
[Slide 26]

A Short Firewall Primer
• A firewall entry has two parts:
  • The MATCH portion
  • The ACTION portion
• If the MATCH portion of the rule matches the packet being processed 100%, then the ACTION will be taken for that packet
[Slide 27]

Matching Packets
• The built-in chains
  • INPUT: Packets destined for the router
  • OUTPUT: Packets coming from the router
  • FORWARD: Packets going THROUGH the router
• Custom chains
  • You can create custom chains and then use a rule with action of "jump" to process these chains
[Slide 28]

More On Matching
• The Mikrotik firewall has no sense of direction; that is added by your rule
  • src-address, dst-address, dst-port, in-interface, etc.
• INPUT, OUTPUT and FORWARD are NOT related to packet direction
• CALEA rules can be added for INPUT and FORWARD, though generally you will be using FORWARD chain
• Any field that is not specified in the rule is NOT TESTED to see if it matches
[Slide 29]
6. ernet [Diagram labels: Border, Internal CALEA Server, three routed Access Points, TAP LOCATION]
[Slide 33]

Using external APs
[Diagram labels: Mikrotik Router, AP Bridge, Hub or managed, AP Bridge, Client]
If using an external AP, you must ensure that customers of a single AP cannot communicate with one another. Mikrotik calls this "forwarding". Other names for this feature include "InterBSS Relay" and "client to client communication".
[Slide 34]

VPN and PPPoE Network
[Diagram labels: Mikrotik Router, Tap Location, VPN Connection, Terminal]
[Slide 35]

A Few Examples to Capture
• Capture all traffic to and from 10.10.10.10
• Capture all email (SMTP and POP3) traffic to and from 10.10.10.10
• Capture all traffic between 10.10.10.10 and 10.10.10.11
• Capture all HTTP traffic to and from 10.10.10.10
[Slide 36]

Contacting Butch Evans
Butch Evans Consulting
802 Stokelan Drive
Malden, MO 63863
573-276-2879
ht
7. Actions
• The defined action will be taken ONLY if the MATCH portion matches the packet 100%
• Some actions will enable other parameters
  • sniff-pc, for example, enables sniff-id and the other CALEA related parameters
• Some actions will prevent later rules from being processed
• Rules are processed in order
  • Be careful of how your rules are sorted in Winbox
[Slide 30]

CALEA and the Firewall
• Generally, you will use the FORWARD chain to intercept traffic
• The rules should be placed at the TOP of your FORWARD chain, but this should be discussed with the LEA
• The intercept rules (sniff-pc and sniff actions) will allow the packet to be processed against the later rules
  • You could conceivably intercept traffic that will be dropped later in the firewall
• Ensure that the firewall does NOT block your stream
  • UDP and a user specified port
[Slide 31]

Bridged Network Layout
[Diagram labels: Internet, Border Router, Internal CALEA Server, three bridged Access Points, TAP LOCATION]
[Slide 32]

Routed Network Layout
Int
8. l enforcement is human anyway
• As long as you can provide the necessary information, you SHOULD be ok
• You should know your limitations
[Slide 9]

SO, what do I do now?
• DON'T PANIC
• CALEA is not to be ignored, but it isn't THAT big a deal
• CALEA action is going to be VERY RARE
• MANY vendors are incorporating CALEA compliance solutions, including Mikrotik (that's why we're here)
[Slide 10]

CALEA Compliance Options
• Compliance options
  • Do it yourself
    • Network design and documentation MUST begin NOW
  • TTP
    • They can assist with some of the technical requirements of compliance, but the responsibility of compliance still lies with you
[Slide 11]

First and Foremost
• Some forms that should already be filed
  • Form 445: This form basically updates the FCC on how you are planning to become compliant. It was due on Feb 12, 2007
  • Your SSI (System Security and Integrity) manual: This is a plan that states how you will respond to a subpoena. Due on March 12, 2007
• Final compliance date is (was) May 12, 2007
[Slide 12]

Getting Legal As
9. p is a device that provides a "tee" that mirrors all data, allowing for that data to be intercepted
• A software tap is the name given to a device that will see all data on a given segment and has the ability to capture that data and send it to a storage server. Mikrotik's CALEA support provides a software tap.
[Slide 16]

More Definitions
• Intercept: the process of collecting (capturing) data for the LEA
• Tap point: the location in the network where the data is actually collected. Network design issues will affect where this point must be.
• Storage Server (CALEA server): A device that serves as a store-and-forward location. Collected data is sent here to be collected at a later time by the LEA.
[Slide 17]

Mikrotik CALEA Feature List
• Multiple subject, multiple destination packet interception
• Streaming support for the following formats
  • PacketCable 2.0 (Packet Cable Electronic Surveillance Delivery Function to Collection Function Interface Specification)
    • IPCablecom Electronic Surveillance Standard
    • Approved method for Communication Content delivery to LEA according to ATIS-1000013.2007 (Lawfully Authorized Electronic Surveillance For Internet Access and Services)
  • TZSP format for reception with Ethereal, tcpdump, t
10. r network users
• Deliver the intercept traffic to the requesting LEA: you must be capable of starting this stream within 48 hours of receiving a subpoena/court order, and it is required to be in a specific format (T1.IAS)
[Slide 6]

About Safe Harbor
• What is Safe Harbor?
  • To be covered by a "safe harbor" means that your network meets standards that are adopted by industry or the FCC
  • T1.IAS is a safe harbor standard
  • WISPA (http://www.wispa.org) is developing a standard that will provide safe harbor, which Mikrotik will meet (that's MY goal, anyway)
[Slide 7]

More than one type of subpoena
• Some subpoenas will require different response times
• Some subpoenas will require different data captures
• There are cases where you will possibly be required to begin capturing data before a subpoena is delivered
  • These are extreme cases ("life and death" type deals)
• MOST of the time, you will have a court order that tells exact details of the request
[Slide 8]

The letter vs. spirit of the law
• Requirements are very stringent
• Some requirements are intentionally vague
• Lots of wiggle room in the law
• The law has a human side wel
11. rafr (sniffer stream reader for linux)
[Slide 18]

Mikrotik CALEA Support
• Two parts
• CALEA server package
  • Provides support for accepting multiple CCC streams
  • Stores streamed content for delivery to LEA
  • Uses libpcap format (industry standard)
  • Automatically creates new files based on:
    • User specified file size
    • User specified packet count
    • User specified interval
  • Automatically creates a hash file (md5, sha1, sha256)
[Slide 19]

Mikrotik CALEA Support (cont.)
• Part two
• Intercept portion (tap)
  • Manage multiple intercepts for a given target
  • Manage multiple intercepts for multiple targets
  • Implemented using firewall filters
  • Currently only CLI
[Slide 20]

Sample Configuration for an Intercept
Intercept requirements: Capture all data to and from a user with IP address of 10.10.10.10
Intercept router (tap) configuration:

  /ip firewall filter
  add action=sniff-pc chain=forward sniff-id=477 sniff-target=192.168.5.140 sniff-target-port=1888 src-address=10.10.10.10
  add action=sniff-pc chain=forward dst-address=10.10.10.10 sniff-id=477 sniff-target=192.168.5.140 sniff-target-port=1888
[Slide 21]
12. sistance
• These forms can be completed by you or your attorney
• Kris Twomey can do this for you for 250 (maybe less)
  • kris@lokt.net, 202-250-3413, http://www.lokt.net
[Slide 13]

What if my equipment can't
• Hotspots
  • If you have a hotel as an ISP customer and they run a hotspot (free or otherwise)
• If you have a NAT device that does not allow you to capture data
  • You may be required to capture all data to and from that device
• Live streaming requirement and your bandwidth availability
[Slide 14]

Network Design and Documentation
• Your design choices will affect how and where a tap must be located
  • Bridged / Static Routed / Dynamic Routed
  • Firewall can affect this as well
  • Wireless default forwarding
  • NAT
  • Static Addressing / DHCP
  • PPPoE / PPtP
• YOU MUST be able to determine the identity of every customer, and you CANNOT wait until you get a subpoena
[Slide 15]

Definitions
• Tap: hardware or software device that facilitates the intercept (capture) of the data traffic
  • Historically, a tap was a hardware device that provided a place in the network to facilitate recording of a phone call
  • A hardware ta
13. tp://www.butchevans.com
butche@butchevans.com
[Slide 37]
