Lawful Intercept
TAP vs SPAN Solutions
Challenge: How to provide certified forensics packet capture data?
Lawful Intercept (LI) is a term used to describe a scenario when a government Law Enforcement Agency (LEA) is granted the legal means to obtain communications network data pursuant to lawful authority for the purpose of analysis or evidence.
Challenges arise over how to provide certified forensics packet capture data. To ensure the quality of evidence, the agency has to adhere to specific regulations providing clear access to all data without any loss of information or impact on the network being monitored, while adhering to warrant parameters, including time span, types of communications, and many more.
In these cases, a network packet capture device that relies on a SPAN port will not hold up in court, for these simple reasons:
• Monitoring tools may miss packets that were dropped due to SPAN port oversubscription
• Corrupt frames and physical-layer errors (bad packets) are not passed; the switch drops them
• SPAN can change the timing of the frame interactions, altering response times
• Timestamps can read differently even though the packet contents are the same
• Packets can be duplicated if multiple VLANs are mirrored
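As an added example (not from Garland or the original page), the audit below shows how an examiner can check a capture for two of the SPAN artifacts listed above, mirrored duplicates across VLANs and missing segments, using TCP sequence continuity as the yardstick; the flow records, addresses and timestamps are constructed.

```python
"""Audit decoded frames for SPAN-style capture artifacts:
the same frame mirrored twice (multi-VLAN duplication) and missing data
(oversubscription drops), detected via TCP sequence continuity."""
from collections import namedtuple

# Decoded frame records; a real tool would fill these from a pcap parser.
Frame = namedtuple("Frame", "ts vlan src sport dst dport seq payload")

def audit_capture(frames, dup_window=0.001):
    """Return (duplicates, gaps).

    duplicates: frames whose flow, seq and payload repeat another frame
                seen within dup_window seconds (typically on another VLAN).
    gaps:       (flow, expected_seq, missing_bytes) where a TCP stream
                skips ahead, i.e. a segment was never captured.
    """
    duplicates, gaps = [], []
    recent = {}      # (flow, seq, payload) -> ts of first sighting
    next_seq = {}    # flow -> next expected sequence number
    for f in sorted(frames, key=lambda x: x.ts):
        flow = (f.src, f.sport, f.dst, f.dport)
        key = (flow, f.seq, f.payload)
        first = recent.get(key)
        if first is not None and f.ts - first <= dup_window:
            duplicates.append(f)
            continue            # a mirrored copy carries no new evidence
        recent[key] = f.ts
        exp = next_seq.get(flow)
        if exp is not None and f.seq > exp:
            gaps.append((flow, exp, f.seq - exp))
        if exp is None or f.seq + len(f.payload) > exp:
            next_seq[flow] = f.seq + len(f.payload)
    return duplicates, gaps

# Constructed sample: one TCP flow mirrored by a SPAN session covering
# VLANs 10 and 20; the segment at seq 1200 was never mirrored.
SAMPLE = [
    Frame(1.0000, 10, "10.0.0.5", 51000, "10.0.0.9", 443, 1000, b"A" * 100),
    Frame(1.0002, 20, "10.0.0.5", 51000, "10.0.0.9", 443, 1000, b"A" * 100),  # duplicate
    Frame(1.0010, 10, "10.0.0.5", 51000, "10.0.0.9", 443, 1100, b"B" * 100),
    Frame(1.0030, 10, "10.0.0.5", 51000, "10.0.0.9", 443, 1300, b"D" * 100),  # 1200 missing
]

if __name__ == "__main__":
    dups, gaps = audit_capture(SAMPLE)
    print(f"{len(dups)} duplicate frame(s), {len(gaps)} gap(s): {gaps}")
```

A capture that reports zero duplicates and zero gaps is not proof of completeness, but any non-zero result is a documented reason the capture cannot be presented as a full record.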
Solution
Network TAPs Provide 100% Certified Data
Network TAPs pass every packet, including physical errors, support jumbo frames, and do not alter or duplicate packets. This gives monitoring and security tools a complete picture of the traffic for analysis. Network TAPs are CALEA (Commission on Accreditation for Law Enforcement Agencies) approved for use in Lawful Intercept cases for these reasons:
• 100% Full duplex packet capture, without loss, at full line rate
• Passes physical errors and supports jumbo frames
• No altered or duplicate packets
• No dropped packets
See Network TAPs to learn more about how TAPs can improve your network access.
Look-back Forensics
For inline deployments, Garland’s EdgeLens Inline security packet brokers not only offer bypass resilience but also support additional use cases such as “Look-back Forensics”, which gives out-of-band packet capture, storage and analysis tools visibility into the traffic passing through your inline IPS, firewall and WAF tools. If active blocking failed to stop a threat, you have stored traffic for post-breach forensics.
• 100% Full duplex packet capture, without loss, at full line rate
• Provides PCAP data that is easy to correlate with events generated by the IPS/NGFW
• Facilitates the time-critical workflow for security incident response
• Enables forensic timelines spanning days, weeks or months
• Extracted PCAP data may be presented as evidence in court with its “chain of custody” preserved