There is a constantly increasing volume of communication occurring on the Internet via social media, web sites, and email. Monitoring this data flow, when doing so is warranted by threats or criminal activity, has become an essential aspect of authorized surveillance.
Title III of the Federal Omnibus Crime Control and Safe Streets Act mandates that agencies at all levels of government must obtain judicial authorization for intercepting communications between individuals and among groups. Intended originally for electronic eavesdropping of spoken conversations, intercepting telegrams, or doing “wiretaps” (listening devices intercepting in person or phone conversations,) it was expanded by the the Electronic Communications Privacy Act of 1986, which added all other forms of “electronic communication” (e.g. emails, faxes, and even pagers) to the media types which are eligible for authorized surveillance.
The Patriot Act, passed in the wake of the 9/11 tragedy, gave very broad surveillance authority to the Federal government. The USA Freedom Act of 2015, which replaced it, had provisions to ensure privacy protection for US citizens, guard against unauthorized collection of their metadata, but the Communications Assistance for Law Enforcement Act continues to provide a valid and legal means for investigation of suspected criminal and terrorist activity. A new set of rules – known as “Section 702” of the Foreign Intelligence Surveillance Act, allows the NSA, CIA, and FBI, to capture and search through millions of communications gathered with the assistance of American companies, but still protects the privacy rights of individuals.
Massive data flow volumes dictate that computer technology is required to analyze the intercepted traffic and search through it with automated functions to identify key phrases, word, patterns, etc. Telecommunications companies, who provide Internet service and VOIP (Voice Over Internet Protocol, commonly called “broadband phone service”) are mandated to install and maintain the packet capture infrastructure in their networks that allow government agencies to execute Lawful Intercept orders at any time required, and give access to investigators, to gather this data. Post-capture, analysis tools that deploy pattern recognition, heuristics, and even Artificial Intelligence are used to isolate and identify the pertinent information that may provide evidence of a crime.
Corporate surveillance of employee computer activity is also very common. It can be used to safeguard sensitive Intellectual Property, monitor productivity, and ensure that the company network and devices are not used for inappropriate purposes. It is outside the scope of this article, but uses similar infrastructure and mechanisms to collect the raw data.
How Do Network Taps Enable and Improve Network Surveillance?
Early networks had shared hardware resources such as hubs and bridges, as well as protocols (sets of rules for data communication) that made it easy to monitor activity at a few key access points. Monitoring of network traffic has become more difficult since the mid-1990’s, due to the fact that network switches, tasked with facilitating fast error-free communication between different network segments, began hiding errors that could previously be monitored with a few popular software applications. Switching data packets via layered MAC addresses (fixed machine hardware addresses) and assigned network IP addresses, has long since become the standard in both open and closed network communications. Data transfer protocols such as IP, UDP, and TCP (Internet Protocol, User datagram Protocol, and Transmission Control Protocol – which is the retransmission partner of IP – making it a “reliable” protocol) facilitate faster data transfer rates and can significantly reduce network downtime. Network surveillance has become more difficult because of these changes in network design and deployment. Network administrators need to isolate problems in real-time, and trace root causes to specific machines or network segments, often on large networks with thousands of devices and users.
Network taps can help IT professionals and network administrators better monitor bandwidth usage and test individual network areas for communication and security errors. By installing a physical hardware tap on part of a network, third parties can monitor all traffic exchanged between any two computers, access points and/or network devices. This data capture infrastructure, once installed, also provides the key access points at which governmental entities can collect surveillance data. If necessary, investigators can even bring portable fiber or copper taps with them in the field to create non-intrusive access points on the fly.
Taps 101: How a Network Tap Works
When network communication between two points or devices is facilitated by a fiber optic or copper cable (vs. wireless data transfer,) then a non-intrusive physical network tap can be installed into the cabling between devices, allowing full data capture and surveillance of all traffic being exchanged between these two points. Collection of these data copies is transparent to the activities on the network. There is no statistically significant latency introduced by the tap itself, it is invisible to the rest of the network, and network traffic will continue uninterrupted even if a tap itself were ever to fail due to power loss or a hardware problem. A variety of tap models is available, depending on media type, link speed, and the number/type of devices that must monitor or capture the data. Network administrators are able to monitor for troubleshooting and performance management. A tap also provides a permanent access point for engaging in uninterrupted network surveillance and capturing data for lawful intercepts and subsequent analysis.
Some tap models can even filter the collected data, so that only conversations from or between specific IP Addresses ae forwarded to the collection tool. This can ensure privacy for individual communications that are not within the purview of the authorized lawful intercept, and has a significant additional benefit. Notebook PC’s are typically the field tool of choice for investigators who are gathering data, and have been given access to access points provided by network taps. The data collection tools used in Telecom networks are typically large rack mounted, robust, industrial strength servers – with hardware and operating systems optimized for high data rate collection and storage of very large volumes of data. Notebook PCs – even the highest performance models – are unable to successfully capture such large amounts of data, and may suffer performance issues and packet loss of they receive too large a volume of data too quickly . Hardware based Filtering in certain taps can be configured to include only traffic of specific interest to the investigation. This allows the most efficient utilization of the investigator’s primary field tool, and allows collection of a larger volume of pertinent data within the allocated window of time,
In short, network taps provide an ideal access point for governmental network surveillance. Taps allow administrators and IT professionals to have strategic and continuous network monitoring, allowing their organizations to know exactly what is happening on a network at any one moment. Once a tap is installed, administrators never have to worry about how to access, analyze or troubleshoot traffic and bandwidth usage problems in the future. Installing taps with multiple monitor ports can allow governmental entities to gather surveillance data without ever interrupting the monitoring activity of the network administrators.
Network Tap vs. Other Network Surveillance Access Strategies
Given how integral network surveillance and network bandwidth monitoring is to almost every modern organization, it is not surprising that a broad array of different surveillance and monitoring tools is available to network administrators. An alternative to using dedicated hardware taps will often involve using network switch SPAN Ports to mirror network traffic (SPAN is a Cisco Systems term describing a designated monitoring port – it is now widely used in the industry as a term to describe any network switch monitoring or mirror port.) SPAN ports allow monitoring of traffic without the need for a separate network tap. This is sometimes the preferred choice for network surveillance, when it is necessary to see backplane traffic on a large core Ethernet switch, or a specific VLAN. SPAN ports are also convenient for smaller businesses and organizations with smaller budgets, smaller overall networks, less sensitive network data, and only a need for occasional reactive troubleshooting.
Using SPAN ports to mirror network traffic is not as effective or as secure as using network taps. SPAN ports are dynamic. An engineer may change the configuration for a given SPAN port when doing reactive short-term troubleshooting, while the administrator may have previously configured it for a role in long term network monitoring. With a properly designed and rigorously enforced Change Control Policy in place, such situations may be avoided, but with human nature being what it is – an alternate solution using taps is usually preferred. There are also environments such as securities trading, where literally nothing on the network – not a SPAN port setting or even an installed cable – can be touched or configured beginning 1 hour before the trading day commences, and ending 1 hour after trading stops. IN these networks, taps are an absolutely essential means of gathering data during busy production hours
Fiber optic taps are completely passive, and copper taps – which require active (powered) components to borrow data, are completely non-intrusive and power fault tolerant. When in operation, taps do not increase traffic load on network switches, add no statistically significant latency, and are not “visible” to the network. More significantly, network surveillance and bandwidth monitoring using SPAN ports depends completely on individual port and switch configurations. A network tap will mirror all traffic on a link, completely unimpeded, but SPAN ports may drop specific packet types (CRC’s, runts, fragments, etc.) or strip portions of headers from certain packet types. At the same time, even a properly configured SPAN port may not always transmit an accurate mirror of network traffic, because heavily utilized network switches prioritize traffic forwarding over traffic mirroring, thus dropping some of the packet copies destined for the SPAN port during times of high activity. No notification of such packet drops is readily visible unless one digs deep into the IOS of the switch. Even then – it is possible only to determine how many packets were dropped – not where they came from, where they were going to, or what type of packets they were.
SPAN ports remain as an important source for network monitoring, along with network taps. Remember to use SPAN ports when you need to have permanent, long term visibility to the backplane of a network core switch, or for short term reactive troubleshooting, but only in cases where it is not imperative to see every single packet.
Location Location Location
The comprehensive network surveillance and network bandwidth monitoring benefits of network taps are inarguable. In fact, many IT professionals are of the opinion that taps should be a standard element of any new network deployment. A recommended practice for network architects is to incorporate strategic placement and deployment of network taps in all new network design. This ensures maximum visibility for security and performance monitoring, as well as data capture and recording for lawful intercepts and compliance purposes. For best results, it is important to remember that when placing taps on a network, they should be positioned in accordance with the physical locations of the network’s most critical resources. At the same time, larger networks will likely want to combine tap and span output together for the most comprehensive view, as well as facilitating short term reactive troubleshooting – a tactic most easily accomplished with SPAN ports.
Are you about to deploy a new network? If so, do not leave your network security or performance to chance. Instead, make sure to incorporate taps into your next deployment and in doing so, better ensure the viability of your network and data integrity.