
CALEA Compliance – Bitter but Good Medicine (by Tim O’Neill)

  • What is CALEA?
  • Does CALEA affect me?
  • What should I know about CALEA?
  • Are there any lessons that I can learn from CALEA Compliance that would help me better manage my enterprise network?


Editor Profile - Tim O’Neill is an independent technology consultant. He has over 30 years’ experience working in the WAN, Analog, ISDN, ATM and LAN test market. Tim has worked with companies like Navtel, Network General, Ganymede and ClearSight Networks and is now helping companies get lab recognition and technology verification. Tim is also the Chief Contributing Editor for LoveMyTool.com, a website designed to help network managers gain access to valuable information and real solution stories from other customers. Tim is a patent holding, published and degreed engineer, who has seen this technology grow from Teletype (current loop) data analysis to today’s 10 Gigabit LANs focused on business applications with heavy compliance demands. Tim can be reached at oldcommguy (at) bellsouth (dot) net.


CALEA is an acronym for Communications Assistance for Law Enforcement Act, originally enacted in 1984 by the U.S. Congress.

This law as previously drafted was focused only on the monitoring and capturing requirements for telecommunication carriers and service providers when mandated through court orders or other lawful authorizations.

As of May 2006, the law has been broadly extended to include all VoIP carriers, forcing many smaller non-traditional providers to comply with the same access and capture parameters.

There is even serious talk about removing the exemption for both public and private Universities and requiring them to come into compliance in the near future.

Interestingly, CALEA is also the name of a plant that is alleged to be capable of “clarifying the senses”, which the Chontal medicine men call thle-pela-kano, meaning “Leaf of God”. According to Wikipedia, Calea Zacatechichi, also known as Dream Herb, Cheech, and Bitter Grass, is still used by the indigenous Chontal of the Mexican state of Oaxaca for oneiromancy, which is a form of divination based on dreams. Whenever they desire to investigate the cause of an illness or the location of a lost or distant relative, dry leaves of the plant are smoked, drunk in infusions, and put under the pillow before going to sleep, expecting the answer to the difficult question to materialize in a dream.

I believe CALEA Compliance is the “Bitter Grass” of our time. While painful to implement, once successfully deployed, CALEA compliance tools can actually provide us with previously unavailable visibility to our own network, allowing us to “clarify our senses”.


CALEA and Lawful Intercept

Often you hear the phrase “Lawful Intercept” used as a definition of CALEA, such that any action resulting from a warrant or court order would be a “Lawful Intercept”. However, Lawful Intercept has a much broader spectrum of applicability than CALEA. I prefer to use the term “Lawful Monitoring” since it extends to anyone who has authority under the law to support monitoring in order to prevent misuse of networks, which extends beyond telecom to include enterprise and educational networks and facilities.

“Lawful Monitoring” involves network managers and technicians who as part of their ongoing support of a network have lawful access to monitor, record, analyze and report on network activities and user behavior. Increasingly, managers and technicians are subpoenaed as witnesses to testify against aberrant behaviors including abuse of corporate policies and/or potential violation of the laws of the land – municipal, city, county, state, federal and even international; such actions could be the result of a lawsuit or even part of a Freedom of Information inquiry.


What should I know about CALEA?

Basically, CALEA requires that traffic access points (TAPs) be installed throughout the network, giving FULL ACCESS to every packet traversing the production network. When a warrant is issued, this access device is connected to the warrant device, which is configured to capture the IP address specified or the other traffic variables required within the authority of the warrant. Once the time or event prescribed in the warrant has occurred, the data (evidence) is gathered and stored on a transferable medium or routed through a third party network to the requesting agency, with appropriate time stamping, etc.

Trusted Third Parties like Apogee Intercept Service and SS8 are companies that install access points and their special recording device for either a set cost or monthly fee, or both. When a warrant is issued, the Trusted Third Party configures their router device to forward the specified traffic to either a remote capture device or to the requesting agency directly. Associated fees charged by Trusted Third Parties to execute the warrant(s) can add up quickly, so one needs to have a complete and thorough understanding of the cost structure before engaging third party providers.


Are there any lessons that I can learn from CALEA compliance that would help me better manage my enterprise network?

If customers do not wish to relinquish control of their network to third parties, which is almost always the case, they need to deploy a CALEA solution and access taps directly and handle all warrant activities on their own. The following shows a typical CALEA compliance tool set, which involves three interoperating components: 1) a number of passive taps (e.g., Network Critical), 2) if the network is complex enough, an aggregation and data access switch (e.g., Gigamon Systems) and 3) a line-rate packet capture forensics recorder with off-line storage capability (e.g., Solera Networks).


[Figure: typical CALEA compliance tool set (passive taps, aggregation and data access switch, packet capture forensics recorder)]


In addition to substantial cost saving, deploying your own CALEA compliance tools can be a very valuable investment for network managers since each of these components can bring tremendous benefits in normal network operations:

  1. To be able to do their job as network managers, they need to have full access to their network at any time from anywhere for any and all types of monitoring, analysis, etc. Obviously, once a network is deemed CALEA compliant, it is essentially fully instrumented. Taps installed for the purpose of CALEA compliance can be used to gain unobtrusive and high fidelity access to the production traffic. These taps can be used in collaboration with the SPAN ports that are already available on the switches.

    (For more information on taps, please review my recent article on SPAN Ports versus Taps.)

  2. Once their network is CALEA compliant, as network managers, they have in their tool arsenal a powerful packet capture engine with sufficient storage capacity so that they constantly have a few days’ worth of stored data to review issues and anomalies that have occurred while they were not watching the network. Capturing all packets is a necessity for complete forensic analysis.

    (For more information on data capturing, please review a recent article by J. Scott Haugdahl on Network Forensics.)

  3. Most CALEA compliant solutions provide the ability to aggregate traffic from multiple taps and perform hardware packet filtering in order to focus the investigation on certain logical attributes: application type, IP address, VLAN, etc. This capability is a value-add for network managers since they now have the means to perform focused troubleshooting and performance review.

    (For more information on packet filtering, please review a recent article on Aggregation Tap versus Tap Aggregation.)
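As an added illustration of the warrant-scoped capture described under “What should I know about CALEA?” and the tap-aggregation filtering in item 3 (this is example code written for this page, not code from the article or from any vendor named in it), here is a small Python model of a recorder that keeps only packets matching the warrant’s IP, VLAN and time window, then time-stamps the evidence set and hashes it so the recipient can check its integrity. The packet summaries, warrant values and addresses are all constructed; the `Warrant` fields are a hypothetical scope, not a legal format.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Packet:
    """Constructed packet summary, as a tap or aggregation switch would hand it to the recorder."""
    ts: float      # capture time, Unix seconds (UTC)
    vlan: int
    src: str
    dst: str
    proto: str
    length: int

@dataclass(frozen=True)
class Warrant:
    """Hypothetical warrant scope: the only selectors the recorder is allowed to honour."""
    target_ip: str
    start: float
    end: float
    vlans: frozenset = frozenset()  # empty means any VLAN

def in_scope(pkt, w):
    """True only inside the authorised window, for the named IP, on a permitted VLAN."""
    if not (w.start <= pkt.ts < w.end):
        return False
    if w.target_ip not in (pkt.src, pkt.dst):
        return False
    return not w.vlans or pkt.vlan in w.vlans

def collect_evidence(stream, w):
    """Filter the aggregated stream to warrant scope; return (records, sha256 hex).
    Records carry ISO-8601 UTC timestamps; the digest lets the recipient verify integrity."""
    records = [{"ts": datetime.fromtimestamp(p.ts, timezone.utc).isoformat(),
                "vlan": p.vlan, "src": p.src, "dst": p.dst,
                "proto": p.proto, "len": p.length}
               for p in stream if in_scope(p, w)]
    digest = hashlib.sha256(json.dumps(records, sort_keys=True).encode()).hexdigest()
    return records, digest

# Constructed traffic from two taps behind one aggregation switch (RFC 5737 example addresses).
STREAM = [
    Packet(1_700_000_000.0, 10, "192.0.2.10", "198.51.100.5", "tcp/443", 1200),
    Packet(1_700_000_001.0, 10, "192.0.2.77", "198.51.100.5", "tcp/443", 900),  # other host
    Packet(1_700_000_002.0, 20, "198.51.100.5", "192.0.2.10", "udp/5060", 300),
    Packet(1_700_000_100.0, 10, "192.0.2.10", "203.0.113.9", "tcp/80", 400),   # after window
]
WARRANT = Warrant("192.0.2.10", 1_700_000_000.0, 1_700_000_060.0)  # 60-second window
```

Running `collect_evidence(STREAM, WARRANT)` keeps only the two packets that involve the named host inside the window; the unrelated host and the packet after the window are dropped, which is the minimisation a warrant-bound recorder must enforce.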


CALEA Compliance is a bitter medicine.

Even though enterprise managers are not currently required to be CALEA compliant, it is in every manager’s best interest to learn from the best practice CALEA compliance solution to define and support their internal policies and procedures.

Managers should take full advantage of any ability to have 100% access to their data with taps correctly placed in their network, capturing all the data or filtering (pre or post capture) the data so they can perform forensics review for a period that is longer than a few days. Whatever platform they choose for packet-capture should be very flexible and have the ability to expand as the network and support requirements grow.

There are over 20 vendors supporting LoveMyTool.com with a large number of documented case studies, success stories and customer testimonials. Readers should drill down on each of the following technology categories for more details.

Finally, when purchasing a CALEA Compliance product or solution, keep in mind the following:

  • The product should fit your needs today in supporting your network, i.e., defining network policies, enforcing current corporate policies, troubleshooting and analysis requirements.
  • Always purchase a solution that is as open to many other applications as possible, from Open Source to Proprietary.
  • Try to buy a solution that is compatible with your current legacy monitoring, analysis, reporting and other applications. (Do not get caught up buying an all-proprietary technology unless you are sure that it is exactly what you need.)
  • Always purchase a solution that can be upgraded easily and at a reasonable cost. If possible purchase a solution that you have tried in your network and have very good references for.

Our vision for LoveMyTool.com is to be a great resource for customer testimonials and unbiased expert reviews.

Specifically, we have a recent success story whereby a small ISP, Skyriver Communications, struggles to find an affordable CALEA compliance solution, and subsequently discovers the added benefits that their newfound tools provided to their network management needs.


Summary

Time to drink the bitter medicine and rejoice the clarity.

CALEA is only one of many compliance standards facing businesses today. They will soon spread to all areas of networking, so be prepared and be proactive! Adopting a CALEA mindset to supporting one’s network will definitely pay off.




Comments from Industry Experts

Druce MacFarlane - A private networking consultant

Tim, This is a great article. This should get managers thinking about how they access and manage their network today and in the future. Just as important as it is for Enterprises to prepare themselves with CALEA compliance, so is it to ensure that they have a well thought out and articulated corporate voice and data policy. It shouldn't come as a surprise to any corporate user, from the CEO to the temporary office worker, that information that passes through the network is as secure as a picture postcard, and users should treat it as such.

This subject is a hot button topic for many, on both sides of the aisle.

On one side you have people crying that this is a violation of their rights to privacy and that this is just begging to be abused, and on the other side people feel that this is an unavoidable requirement, and failing to implement such a system is paramount to turning a blind eye to another potential 9/11 event. You seem to not address either side of this issue and just talk about it very clinically.

Editor’s Note – Thank you for your comments and question. I did try to keep away from the politics and keep it technical. As you know I am not a politician and therefore I always try to just be technical. The Government has had the right to tap lines of communications for many years going back into the 1920s; even during the Civil War telegraphs were intercepted. However I agree that CALEA is the beginning of a new era of this type of access mandates, but really the act only says that there must be a common plane of access; they still need a warrant to monitor. I think the majority of the enterprise issue falls on the CEOs to create policies and enforce them. The goal of this paper is to warn the enterprise community that this will soon be laid on their door step, and if they have created the correct infrastructure for monitoring and policies to protect their company, then they will be ready.

Burt Bennett – General Manager of Valparaiso Broadband Communication Systems

Tim - Good paper and to the point. This does sound like George Orwell’s “1984” Revisited. I have an issue with the third party solution. I for one do not like the idea of an unknown party accessing my network. Even though this access is for law enforcement purposes, the Network Administrator has no idea of what or when the activity is taking place. Another problem is that Federal Mandates without monetary compensation could severely (and economically) hinder a small operator, and no one seems to be thinking about this.

I definitely agree that there needs to be some sort of mechanism in place to capture illegal activity(s). In law enforcement issues I would suggest the use of a capture device provided to the Network Administrator by the law enforcement agency. The Network Administrator could then install the device, capture the traffic, and then turn the device over to the appropriate authorities once the warrant has been fulfilled.

Bruce Boardman – Network Engineer – Syracuse University

Tim – Nice article - CALEA is a wake up call to get IT monitoring in order. No longer is network management a 'nice to have'. Enterprises and very likely EDUs are going to be forced into ensuring monitoring is done right!

Tom Tosh – Principal Consultant for Chi Metrix LC

Tim – This is a very interesting and thought provoking article and should be a wake up for all managers. As one of the thrusts of your article regards the possible future impact of CALEA on private enterprise, here is my thought on that:

Law enforcement agencies are growing more technically aware and adept, but the vast majority of agencies are still far down on the learning curve – legislators even more so. As soon as investigations of importance to national security become stymied because the origins or destinations of the traffic are being NAT-ed by a private business, a move to extend CALEA requirements behind the firewalls and proxies of private enterprise is nearly a sure bet.

Arthur Knapp – Former Senior Project Manager for a major carrier

Tim – This is very interesting and enlightening - This article should be helpful to the network manager, especially in their future! In light of your earlier article on SPAN vs. Tap, it should be emphasized that SPAN ports are not a reliable option for CALEA compliant data access.

Betty DuBois – Sniffer Expert, Course Developer, Trainer, Writer and Network Consultant

Wow! I love this article. I think it is very timely and should be the stimulus for some lively conversations.

Chris Bihary – U.S. Operations Manager – Network Critical

Tim this is a good article and points out the overall effects of the new monitoring requirements. We at Network Critical believe mandates like CALEA reinforce the fact that proper monitoring is inseparable from access. And when law enforcement needs to monitor calls or data for public safety, even national security, the trusted choice for access is TAP technology. As an international company, we’re helping organizations adopt proper access techniques worldwide, wherever monitoring is critical: lawful intercept, enterprise security, quality of service, performance, and much more.

Hartmut Marschall - Sr. Technologist and Consultant

Tim, I fully agree with what you say in your article and I want to add that I am sure that CALEA will be expanded also to other entities including Universities and enterprises, because some of the conversations that need to be intercepted can only be accessed within the enterprise or University network and won't traverse any carrier’s network. We will also see other security measures be introduced by the government over the next months and years.

