FT-system
wiretap solution
all-speed Ethernet and optical fiber tap units Innovative Design Delft

Any Dutch ISP can have a government compliant system in approximately two weeks

For 7000 euro, any ISP, small or large, can acquire an FT-E10/100 unit and can, in approximately two weeks, have a working interception system that is compliant with Dutch Law. IDD will assist ISP personnel in setting up the system and in obtaining and exchanging X.509 certificates used for authentication with government systems. All FT-system units come with one year of maintenance, including gradual software updates and installation of these updates. All components are guaranteed to have minimal impact on normal operations of the ISP. If you have any questions, please don't hesitate to ask: contact@idd.nl

----------------------------------

Setup for medium and large ISPs

This section gives a general overview of what may be required to set up an FT-system to make a medium or large internet provider's network interceptable.

[Figure: overview of a typical tapping solution using FT-x units]

Connection Archive

The Connection Archive is a server that maintains a database of all connections provided over a period of six months (default). It keeps track of all current connections by communicating with the IP-assigning servers on the network, and of all other connections that have to be stored for retrieval by Law Enforcement. When the Connection Archive is started, it initiates contact with all IP-assigning servers it knows. After initiation by the Connection Archive, the IP-assigning servers keep the Connection Archive up to date with connection information. The Connection Archive continuously synchronizes all stored information to a backup server. If the primary Connection Archive fails, an operator can immediately revert to the backup Archive.

DHCP/Radius

All common versions of DHCP and Radius are supported. DHCP option 82, in its various forms, is also included with the basic FT-x software.

Tap Manager

This server has a permanent connection with the Connection Archive. When a warrant is received, an operator enters the required customer information into the Tap Manager. The Tap Manager keeps track of the operation of all tapping devices, such as the FT-x tap units and any mail-servers with tap-clients. The Tap Manager continuously synchronizes its information with a backup server. If the primary tap server fails, an operator can immediately revert to the backup server.

FT-x

The actual tap unit. After startup, the FT-x passively waits for polling requests from the initiating Tap Manager. On initialization, the tap unit receives all necessary information from the Tap Manager to tap the desired IP numbers and to send the intercepted data to the LEMF (Law Enforcement Monitoring Facility) through the TIIT protocol. The FT-x tapping modules are highly secure units that start from a CDROM.

Mail-server

Because the law also requires, for example, BCC headers, the mail-server software will require a patch that copies the mail to be tapped and sends it to a shadow mailbox. All shadow mailboxes are read by the FT-x system, and their contents are sent to law enforcement with TIIT encapsulation.

----------------------------------

[Figure: FT-System schematic overview]

Feature list of the FT-x units

  • Portable 1U 19" box allows flexible insertion for the duration of an interception warrant.
  • Optical transceivers are interconnected in hardware. Software setup can never interfere with the normal operation of the connection.
  • Undetectable as required by law, no IP stack involved, no change in hop count.
  • TIIT S1 and S2 functionality available in one box:
    • No management of separate S2 box required to perform all encryption and transport for multiple S1 boxes.
    • No dependencies regarding untested S1-S2 protocol.
    • Only standard communication protocols are used for setup and data transport over one or two 10/100/1000 Ethernet interfaces.
    • Multiple providers can share a single FT-x unit
  • Providers may, if they wish, configure one of the two available Ethernet interfaces for setup and control, and the other for connection to the LEMF (Law Enforcement Monitoring Facility).
  • Providers may, if they wish, route all encrypted TIIT communication to a central office and bridge the TIIT communication to LEMF from there.
  • Cascadable design. Multiple units can be connected to the same fiber connection.

Specifications

  • FT-3/12 and FT-48 units support both ATM and POS
  • MPLS support standard up to 5 layers
  • L2TP support except LAC-LNS fragmentation and PPP encryption.
  • 64 simultaneous ATM virtual circuits supported
  • 512 IP addresses or IP masks
  • FT-3/12: Dual 155-622 Mbit/s link speed with Intermediate Range SC transceivers
  • FT-G1: 1000 Mbit/s link speed with Intermediate Range SC transceivers
  • FT-48: 2.5 Gbit/s link speed with Short Range SC transceivers

Product range

FT-E10/100/1000 Can tap 2x 10/100/1000 Mbit/s Ethernet.
FT-3/12 Optical tap for 2x full-rate (up/down) OC-3 and OC-12 ATM/POS.
FT-G1 Optical tap for 2x full-rate (up/down) Gigabit Ethernet 1000 Mbit/s.
FT-48 Optical tap for 2x full-rate (up/down) OC-48 ATM/POS.
FT-M Mail-TIIT gateway. Add-On server for instances where the TIIT protocol cannot be handled by the mail-server for capacity reasons. Does not include patches to mail-server software.
FT-TM Server with Tap Manager software. OpenBSD system running a basic XML database, which can easily be backed up at will. Can be controlled using a web-browser with SSL, or from the console.
FT-CA Connection Archive. OpenBSD system running a PostgreSQL or MySQL database.
Radius, DHCP, Tacacs To guarantee that the right IP number is tapped, IDD recommends integrating the Radius, DHCP or Tacacs IP-address assignment software with the tapping equipment instead of sniffing. To offer a price quotation for integration, we will require the source code of the operational address assignment software. Universal sniffing software for Radius, Radius accounting and DHCP traffic is available for the equipment at no extra cost.

All tapping units and servers are currently based on 1U servers with at least two 10/100/1000 Ethernet ports.

All tapping equipment comes with 1 year of on-site maintenance and gradual software updates. Contracts will be subject to our Conditions and Terms (Dutch).

Options

  • Other Optical Transceiver ranges and connector types available upon request
  • Extra IP address capacity
  • Extra ATM Virtual Channel capacity
  • PPP over ATM (ADSL)

Innovative Design Delft - Box 3215 - 2601 DE Delft - Netherlands - Phone +31 15 214 02 44 - contact@idd.nl