Non-Intrusive Monitoring: White Paper
Non-Intrusive Monitoring
Using Embedded Systems to Monitor Network Activities
By Steven Wigent, Product Manager
www.pt.com
Each of the components in a non-intrusive monitoring system plays a specific role in the monitoring process.

Data Conduit
The data conduit is the medium of data flow for a specific network. The data conduit could be part of a public phone system, a wireless communications system, a data network, or another network system. Some data conduits are bi-directional, also called full duplex. In a full-duplex transmission, data can travel either way through the conduit, so a monitoring system may need to be able to monitor both directions of traffic.

Network Tap
The network tap is an attenuated hardware device that is connected in line with the data conduit. The network tap performs two functions: it allows data to pass normally through the conduit as if the network tap were not there, and it presents the data to the monitoring hardware. The attenuation is intended to pull a small amount of the signal power from the data conduit in order to read the data. The network tap must be able to adjust for different signaling methods, such as the T1, E1, or J1 standards, and it must work with some very weak signals. However, today's circuit designs provide a large advantage for this application: the engineering of these circuits deals with the loading issues while recovering the data with excellent reliability.
Monitoring Hardware
The monitoring hardware collects the data from the network tap and reviews the data on a continual basis. The hardware can consist of a server and/or line cards (T1/E1/J1, such as PT's PCE335, PCE335HSI, PCE385, PCI334A, and PCI384).

Software
If the monitoring hardware includes the server, the software typically is embedded within the monitoring hardware and is used to:
- Examine the network data
- Compare the data with trigger requirements
- Perform specific actions if the trigger requirements are met

The software can perform filtering operations, such as removing Fill-in Signal Units (FISUs) from SS7 communication streams. The data is compared with trigger events: specifications programmed into the monitoring system. If the data matches one of the trigger events, the data is passed up to the server for future use, whether storage or additional processing. If the data does not match a trigger event, it is discarded. The trigger events and the data types depend on the specific monitoring application. In a turnkey application, all data except the filtered data goes to the server, and the server then looks for the trigger events and performs further processing, in parallel, as required.

Server
The server connects the monitoring hardware to a network. Some monitoring hardware can be installed directly into a server rack mount, while other hardware is cable-connected. The server allows the data collected by the monitoring hardware to be analyzed, stored, or sent to another location. Additional data analysis and processing can occur on the server once the data is received from the monitoring hardware. The monitoring hardware and the server can coexist in the same location or can be separate boxes. (NOTE: another option is to use controllers such as PT's PCI384 and PCE385, which can provide data directly over the PCI and PCIe bus.)
Lawful Intercept operations are governed by specific laws in each country, but the regulations generally include:
- The Lawful Intercept mechanism must not interfere with the flow of network traffic
- The monitoring operation must be performed in such a way that the target of the investigation is not aware of the monitoring
In the United States, Lawful Intercept is governed by the Communications Assistance for Law Enforcement Act (CALEA), which went into effect in 1995 and was later updated to include internet-based communications, such as VoIP. Non-intrusive monitoring systems can help law enforcement agencies perform surveillance while maintaining compliance with the laws.

Monitoring Enhanced 9-1-1 Systems
Enhanced 9-1-1 services, or E9-1-1, are designed to automatically match an incoming call to a physical address. Once an address has been associated with the call, the monitoring system routes the call to the most appropriate local agency. For traditional wired telecom systems, emergency services have access to a database that matches phone numbers to addresses. For wireless systems, there are two methods of obtaining location information. The first is an on-board global positioning system (GPS), which provides the coordinates of the device. The other is triangulation, which determines location from the proximity of the signal to adjacent wireless transceiver towers. In both methods, the location information is used to route the call to the appropriate local agency. VoIP systems that interconnect with the public telephone network are required to incorporate E9-1-1 into their services. VoIP providers are cooperating with public telephone networks to access the emergency services database in order to provide accurate location information for calls initiated on a VoIP system.
Network Intrusion Detection
While the non-intrusive monitoring applications described in the previous sections pertain primarily to voice communication systems, with some relevance to data transmission, network intrusion detection is focused solely on monitoring data flow. The goal of this application is to ensure that all traffic on a specific network consists of legitimate users and processes performing legitimate activities. Intrusion detection systems examine the patterns and content of network traffic, looking for actions or data that fall outside the specified parameters for acceptable network use. For this type of application, the monitoring system needs to examine incoming traffic as well as the response from the monitored system, in order to distinguish possible unauthorized activity from normal network communications.
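The following is an added example, not code from the white paper or from any PT product, of the detection logic the paragraph above describes: because a full-duplex tap delivers both directions of traffic, each inbound connection attempt can be paired with the monitored host's own reply, and the reply decides how serious a finding is (an unapproved service that actually accepted a connection versus one that refused it). The host address, the acceptable-use allow-list, the scan threshold and every tap record are constructed for the example.

```python
"""Detection logic over records from a full-duplex network tap.

Added example (not from the white paper or PT's software). The tap sees both
directions, so each inbound SYN is matched with the monitored host's reply.
All addresses, records and policy values below are constructed.
"""
from collections import defaultdict, namedtuple

# One record per TCP segment as the tap delivers it. "direction" is "in"
# (toward the monitored host) or "out" (the host's reply). Flag letters:
# S = SYN, A = ACK, R = RST.
Segment = namedtuple("Segment", "direction src sport dst dport flags")

MONITORED_HOST = "192.0.2.10"      # constructed address of the monitored host
ALLOWED_SERVICES = {80, 443}       # constructed acceptable-use policy
SCAN_THRESHOLD = 3                 # distinct ports contacted by one client

# Constructed sample capture from the tap.
TAP_RECORDS = [
    Segment("in",  "203.0.113.7",  51000, MONITORED_HOST, 443,   "S"),
    Segment("out", MONITORED_HOST, 443,   "203.0.113.7",  51000, "SA"),  # approved service
    Segment("in",  "203.0.113.9",  40001, MONITORED_HOST, 22,    "S"),
    Segment("out", MONITORED_HOST, 22,    "203.0.113.9",  40001, "SA"),  # unapproved service answered
    Segment("in",  "203.0.113.9",  40002, MONITORED_HOST, 3389,  "S"),
    Segment("out", MONITORED_HOST, 3389,  "203.0.113.9",  40002, "R"),   # refused by the host
    Segment("in",  "203.0.113.9",  40003, MONITORED_HOST, 23,    "S"),   # no reply seen at all
    Segment("in",  "198.51.100.4", 33000, MONITORED_HOST, 80,    "S"),
    Segment("out", MONITORED_HOST, 80,    "198.51.100.4", 33000, "SA"),
]


def pair_attempts(records, host=MONITORED_HOST):
    """Map each inbound SYN, keyed by (client, port), to the host's reply flags or None."""
    attempts = {}
    for seg in records:
        if (seg.direction == "in" and seg.dst == host
                and "S" in seg.flags and "A" not in seg.flags):
            attempts.setdefault((seg.src, seg.dport), None)
        elif seg.direction == "out" and seg.src == host:
            key = (seg.dst, seg.sport)
            if key in attempts:
                attempts[key] = seg.flags
    return attempts


def analyze(records, allowed=ALLOWED_SERVICES, scan_threshold=SCAN_THRESHOLD):
    """Return alert dicts for traffic outside the acceptable-use policy."""
    attempts = pair_attempts(records)
    alerts = []
    ports_per_client = defaultdict(set)
    for (client, port), reply in attempts.items():
        ports_per_client[client].add(port)
        if port in allowed:
            continue
        # The reply direction, not just the request, decides the severity.
        if reply == "SA":
            severity, reason = "high", "unapproved service accepted the connection"
        elif reply and "R" in reply:
            severity, reason = "low", "unapproved port probed but connection refused"
        else:
            severity, reason = "medium", "unapproved port probed, no reply observed"
        alerts.append({"kind": "service", "client": client, "port": port,
                       "severity": severity, "reason": reason})
    # Many distinct ports from one client is itself outside normal use.
    for client, ports in ports_per_client.items():
        if len(ports) >= scan_threshold:
            alerts.append({"kind": "scan", "client": client, "port": None,
                           "severity": "medium",
                           "reason": f"{len(ports)} distinct ports contacted"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(TAP_RECORDS):
        print(alert)
```

Run stand-alone, the block prints four alerts: one high (port 22 answered), one low (3389 refused), one medium (23 unanswered), and one scan alert for the client that touched three ports. A tap that only delivered the inbound direction could not separate the first three cases.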
Anonymity
The network tap in a non-intrusive monitoring system is not a network-addressable device, so the monitoring system does not create any load or latency on the network itself. Also, harmful packets cannot be directed to the network tap because of its anonymity.
Using Embedded Systems for Monitoring
Embedded systems consist of hardware and software that form a component of some larger system and are expected to function without human intervention. A typical embedded system consists of a single-board microcomputer with software that starts running a special-purpose application program as soon as it is turned on and does not stop until it is turned off. Embedded systems are ideal for non-intrusive monitoring applications because of the straightforward nature of the monitoring process. The embedded application begins monitoring as soon as the system is installed and powered up, providing constant monitoring without the need for a person to observe or intervene in the process.

Using Host Systems for Monitoring
In many cases, host systems or servers are used for processing data collected from monitoring system hardware. In this type of configuration, the monitoring hardware simply passes the data to the server, as opposed to the embedded systems described previously, which perform on-board processing prior to data transfer. The capabilities of the host allow more complex data analysis to occur on board the server in parallel with data monitoring and preliminary review. In many cases, host systems involve a high-powered server and data acquisition system in conjunction with the monitoring hardware.

PT Hardware
PT offers a wide range of hardware products that can be used as the foundation for a variety of non-intrusive monitoring applications. Each product provides different capabilities and benefits, allowing users to choose the right product for their specific application. Table 1 illustrates the different PT products applicable to non-intrusive monitoring applications and their individual specifications.
Table 1. PT products applicable to non-intrusive monitoring

Form Factor: PCI
Processor: Motorola 8260
Monitoring Ports: 2
Highlights:
- Solaris ready
- Quad T1/E1/J1 Communications Interface for PCI Systems
- Software Programmable Interface
- H.100 Bus Support
- Capable of switching 96/128 time slots bi-directionally to any of the 4096 H.100 CT bus channels
- 128 MB Dedicated Processor DRAM Memory
- Handles extensive onboard traffic and protocol requirements

PCI334A
Form Factor: PCI
Processor: Motorola MC68360
Highlights:
- Multipurpose Intelligent WAN Communications Adapter
- Four High-Speed Channels Capable of Sustaining 2 Mbps per Port
- 4 MB of Shared SRAM Memory
- Universal I/O Supporting 3.3 V and 5 V
- Support for 33 MHz and 66 MHz PCI Bus

Form Factor: PCI Express
Highlights:
- Solaris ready
- Multipurpose Intelligent PCI Express WAN Communications Adapter
- Four High-Speed Channels Capable of Sustaining 2 Mbps per Port
- 128 MB Dedicated Processor DRAM Memory
- Handles Extensive Onboard Traffic and Protocol Requirements
- 32 MB Application Flash

PCE385
Form Factor: PCI Express
Highlights:
- Solaris ready
- Quad T1/E1/J1 Communications Interface for PCI Express Systems
- Software Programmable Interfaces
- H.100 Bus Support
- Capable of switching 96/128 time slots bi-directionally to any of the 4096 H.100 CT bus channels

Form Factor: CompactPCI
Processor: 1 GHz PowerQUICC III
Monitoring Ports: 4
Highlights:
- Onboard eight-port gigabit switch
- Can be used in a host system, or in a standalone mode independent of other blades in a server
- Suitable for large volume applications in most network types

CPC324A
Form Factor: CompactPCI
Monitoring Ports: 12

CPC5565
Form Factor: CompactPCI
Monitoring Ports: 3 USB
Highlights:
- High-Density Compute Blade
- High-Performance Computing Solution for PICMG 2.16 Systems
- 128-Bit Memory Addressability to 8 GB PC3200 DDR SDRAM with ECC
- Onboard Eight-Port Gigabit Switch

AMC308/318
Form Factor: AMC
Highlights:
- Quad T1/E1/J1 Communications Controller
- Mid-size, Single AMC Module
- Full Compliance with AMC.0 R2.0 Specifications
- PCI Express (AMC.1) and Gigabit Ethernet (AMC.2) connectivity

AMC121
Form Factor: AMC
Highlights:
- Mid-Size, Single Compute Module
- High-Performance Computing Solution for AdvancedTCA and MicroTCA Systems
- MiniSD Site for Onboard Program and OS Storage
- 4 MB Shared L2 Cache

AMC131
Form Factor: AMC
Highlights:
- Mid-Size, Single Compute Module
- High-Performance Computing Solution for AdvancedTCA and MicroTCA Systems
- MiniSD Site for Onboard Program and OS Storage
- 1 MB L2 On-Chip Cache
PT's modules allow programming interfaces into the framer and time division multiplexing (TDM) switch. There are also modules that provide the user access to the Channel Associated Signaling (CAS), also known as robbed-bit signaling. Monitoring applications have been in use on network systems for many years. However, most manufacturers of monitoring hardware have not kept up with the changes in network technology, including the introduction of new hardware form factors. PT is one of the few vendors that continues to develop new hardware to meet the latest needs of the industry, and to be used with the newest hardware and form factors. Because all of these products have embedded processors, PT's hardware has the intelligence to perform on-board filtering and data processing, providing a more efficient use of server bandwidth.
Available Protocols
Different data conduit types, including T1, E1, J1, and serial lines, use different protocols. Signaling between international networks can be a significant challenge to developers because of the many different variants of SS7 found throughout the world. The monitoring software must be able to translate these protocols to maintain the integrity of the monitoring process.

Customization
Each monitoring application has specific goals and specific requirements. The software package for a non-intrusive monitoring system must be able to be customized for each individual monitoring application.

Filtering
An SS7 network system is just one example where filtering can be deployed. The SS7 network passes data containing three types of units: Fill-In Signal Units (FISU), Link Status Signal Units (LSSU), and Message Signal Units (MSU). The FISUs are used to fill in empty time on the network so that the data stream is continuous. Since the FISUs are not relevant to data analysis, monitoring systems must be able to filter out FISUs from the data stream. Doing so streamlines the analysis process, because the quantity of data to be examined is much smaller after this initial filtering.
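As an added example that is not code from the white paper or from PT's NexusWare packages, the block below implements the on-board FISU filtering described here together with the trigger-event comparison from the Software section: it classifies each MTP2 signal unit by its Length Indicator (LI = 0 for a FISU, 1 or 2 for an LSSU, 3 or more for an MSU), discards FISUs, decodes the Service Information Octet of MSUs, and forwards only units that match a trigger set. Each unit is assumed to arrive already delimited by the link layer with its flags and CRC removed; the byte strings, the routing-label bytes inside them and the trigger set are constructed for the example.

```python
"""Classify SS7 MTP2 signal units, drop FISUs on board, and pass only units
that match a trigger event up to the server.

Added example, not code from the white paper or from PT's products. The
Length Indicator is the low 6 bits of the third byte: 0 = FISU, 1 or 2 = LSSU,
3 or more = MSU. Units are assumed to be delivered one at a time by the link
layer with flags and CRC already removed; all byte strings are constructed.
"""
from collections import Counter

# Service indicator values carried in the low 4 bits of the MSU SIO byte.
SERVICE_INDICATORS = {0: "SNM", 1: "SNMT", 3: "SCCP", 4: "TUP", 5: "ISUP"}
# Status indications carried in the LSSU status field.
LSSU_STATUS = {0: "SIO", 1: "SIN", 2: "SIE", 3: "SIOS", 4: "SIPO", 5: "SIB"}

# Constructed signal units: byte 0 = BSN/BIB, byte 1 = FSN/FIB, byte 2 = LI.
FISU_A = bytes([0x81, 0x02, 0x00])
LSSU_SIN = bytes([0x81, 0x02, 0x01, 0x01])             # LI = 1, status = SIN
MSU_ISUP = (bytes([0x82, 0x03, 0x08, 0x85])             # LI = 8, SIO: NI=2, SI=5 (ISUP)
            + bytes([0x10, 0x20, 0x03, 0x40, 0x00, 0x01, 0x01]))  # constructed 7-byte SIF
MSU_SCCP = (bytes([0x83, 0x04, 0x06, 0x83])             # LI = 6, SIO: NI=2, SI=3 (SCCP)
            + bytes([0x10, 0x20, 0x03, 0x40, 0x09]))    # constructed 5-byte SIF
FISU_B = bytes([0x84, 0x04, 0x00])
SAMPLE_UNITS = [FISU_A, LSSU_SIN, MSU_ISUP, MSU_SCCP, FISU_B]


def classify(unit):
    """Return 'FISU', 'LSSU' or 'MSU' based on the Length Indicator."""
    if len(unit) < 3:
        raise ValueError("signal unit shorter than the 3-byte MTP2 header")
    li = unit[2] & 0x3F            # LI is the low 6 bits; the top 2 are spare
    if li == 0:
        return "FISU"
    if li in (1, 2):
        return "LSSU"
    # LI saturates at 63, so for long MSUs it is a class marker, not a length.
    return "MSU"


def decode(unit):
    """Decode the common header and the type-specific payload into a dict."""
    kind = classify(unit)
    rec = {"kind": kind, "bsn": unit[0] & 0x7F, "fsn": unit[1] & 0x7F}
    if kind == "LSSU":
        rec["status"] = LSSU_STATUS.get(unit[3] & 0x07, "unknown")
    elif kind == "MSU":
        sio = unit[3]
        rec["ni"] = sio >> 6                                # network indicator
        rec["service"] = SERVICE_INDICATORS.get(sio & 0x0F, "other")
        rec["sif"] = unit[4:]                               # signalling information field
    return rec


def monitor(units, trigger_events):
    """Filter FISUs on board, then forward units that match a trigger event.

    trigger_events is a set of names: MSU service names such as "ISUP", and
    "LSSU" to forward link-status changes. Returns (counts, forwarded).
    """
    counts = Counter()
    forwarded = []
    for unit in units:
        rec = decode(unit)
        counts[rec["kind"]] += 1
        if rec["kind"] == "FISU":
            continue                       # filtered on board, never sent to the server
        if rec["kind"] == "LSSU" and "LSSU" in trigger_events:
            forwarded.append(rec)
        elif rec["kind"] == "MSU" and rec["service"] in trigger_events:
            forwarded.append(rec)
    return counts, forwarded


if __name__ == "__main__":
    counts, hits = monitor(SAMPLE_UNITS, {"ISUP", "LSSU"})
    print(dict(counts))
    for hit in hits:
        print(hit)
```

With the constructed input, two of the five units are FISUs and never leave the card; of the remaining three, the SCCP message is discarded because it matches no trigger, and only the link-status unit and the ISUP message go up to the server. The same structure extends to any other trigger (a destination point code inside the SIF, for instance) without changing the filtering stage.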
A benefit of using embedded system hardware for non-intrusive monitoring is that the bulk of the data processing can take place on board, reducing the amount of server bandwidth required to transmit data after processing. A benefit of using the host system of a monitoring server for real-time data analysis is that it has one or more robust CPUs. This enables it to analyze the input data in greater detail and pass it to parallel tasks for further processing.
NexusWare WAN
NexusWare WAN software provides an extensive offering of protocol packages including, but not limited to, HDLC, X.25, Frame Relay, and Radar Receiver, which, combined with PT's embedded products, enhance the ability to create flexible and efficient radar gateways, converged serial gateways, HDLC packet monitors, and front-end I/O systems. The WAN software products are offered as installable software packages for NexusWare Core or as turn-key packages for developers interested in the protocol package by itself. Both the turn-key and installable packages can be easily leveraged for monitoring applications. Whether the user chooses the installable or turn-key solution, the result is a well-documented and powerful MPS-API to facilitate the development process.
Next Steps
This document is intended as an overview of non-intrusive monitoring applications in embedded systems. For more information on designing network monitoring solutions for your project, you can contact PT in North America at +1.585.256.0200. For international requests, you can contact the company's UK office at +44 (0) 1908 646000. PT develops standards-based solutions for telecommunications, aerospace and defense, as well as commercial markets. The company's portfolio includes tightly integrated application-ready platforms for MicroTCA and CompactPCI, comprehensive blade offerings, and NexusWare, an integrated Linux OS. The company's award-winning 1U MicroTCA platform features front-to-back cooling for NEBS and ETSI compliance, and supports a wide range of AdvancedMCs that include multicore compute, video and storage, and intelligent WAN communications modules. Additional information can be found by visiting http://www.pt.com.
About PT (www.pt.com)
PT (NASDAQ: PTIX) is a global supplier of advanced network communications solutions to carrier, government, and OEM markets. PT's portfolio includes IP-centric network elements and applications designed for high availability, scalability, and long life-cycle deployments. The company's entire line of offerings is anchored by IPnexus, PT's own IP-native, highly integrated platforms and element management systems. OEMs and application developers, including PT itself, leverage the robust carrier-grade Linux development environment and rich suite of communications protocols (PT's NexusWare) of IPnexus ApplicationReady Systems as a cornerstone component of their end product value proposition. PT's SEGway Signaling Solutions provide low-cost, high-density signaling, advanced routing, IP migration, gateway capabilities, SIP bridge, and core-to-edge distributed intelligence. The company's Xpress NGN applications enable evolving Mobile 2.0, Multimedia, and IMS-based revenue-generating services. PT is headquartered in Rochester, NY and maintains sales and engineering offices around the world.
PT is a trademark of Performance Technologies, Inc. The names of other companies, products, or services may be the trademarks, registered trademarks, or service marks of their respective owners in the United States and/or other countries.