[AusNOG] Interception Questions
Ben B
bb.ausnog at bb.cactii.net
Fri Jul 21 18:49:00 EST 2006
Skeeve Stevens <skeeve at skeeve.org> uttered the following thing:
>
> Presently we're looking at mirroring switch ports and taking that
> into a Linux box/laptop/etc to be collected by TCPDump or some such. Is
> that all they need to be able to get what they want? There are programs
> like VoIPong which can record VoIP calls in raw format, but I'm not sure if
> they want us to go to that extend.
I would expect that any LEA worth their salt would want the data in the
most uncut, raw format they can get, to assist any forensics. In which
case, a tcpdump (remembering a large enough value to '-s') should suffice.
For the beez-knees of LI that maintains separation from your regular
operations, optical splitters on your fibre uplinks are the way to go,
including a switch that can perform L3 filtering (eg C3750). It also
means that taps which have been placed are only visible to 'approved'
individuals instead of your whole engineering group.
Where I am, we have a (legally required) system built around PKI for
authenticated taps to be placed by the LEA itself, and the raw data
is delivered to them in real-time.
YMMVDOB (DOB = depending on budget)
BB
More information about the AusNOG
mailing list