On 5/17/06, Tyler Durden <camera_lumina@hotmail.com> wrote:
> ... Well, how out of band? Do you mean the management VPN (or whatever) doesn't travel with the actual grabbed traffic? (Frankly, this would be my first candidate.)
i was thinking three scenarios:

1. backhaul is a dedicated link (SONET?*) with encryption at this layer and control/management out of band.
2. backhaul and control/mgmt on the dedicated link (SONET?*) with encryption at this layer, no IPsec.
3. backhaul and control/mgmt on the dedicated link using IPsec for both. (least likely perhaps)

the nature of SONET would make encryption at this layer tricky i think (L2/L3?) although the NSA is fond of authentication and privacy at the link layer. if a desire to leverage commercial solutions (narus, cisco, juniper, etc) won out would a strongly keyed IPsec be sufficient? no ISAKMP/IKE here, heh.
> Of course, they could do it via SONET overhead bytes, thus avoiding the flakiness and vulnerability that routers and switches still seem to have.
covert channels for backhaul? nah, that would still be too visible. especially if/when a customer puts link testing equipment on the line and sees something funny. SONET doesn't give you a lot of play room.
> One wonders too if they do anything with SS7.
not for this. capturing SS7 would be useful and is surely performed though...
> Of course, they could have a dedicated fiber for their management LAN, but due to latency issues &c I would suspect that can't be a LAN all the way across the country...
why not? most of these SONET/[D]WDM links are long haul anyway. it's not a single repeated fiber, but hops along backbone peering points like everything else. also casts an interesting light on the new super NSA warehouse planned for Denver, CO doesn't it. nice place to position tap aggregation...
> Anyone know what telecom vendor NSA uses?
AT&T, Verizon and Sprint for sure. probably lease fiber (through some obfuscated shell company / other agency configuration?) from all of them to some degree, including the transoceanic cable oligopolies.

one way to find out:

- perform your own non-interruptive tap on the fibers exiting $telco via infiltration of outside plant conduit. (so easy, lol)
- using test equipment see what SONET link(s) are full of blackened traffic. you could use AS no's or BGP/SS7 characteristics to identify legitimate circuits and highlight the blackened ones via elimination.
- ask Sean Gorman or GeoTEL MetroFiber which provider sold out that particular circuit/fiber/route.

something tells me this is beyond the means of your average hacker. FOIA requests it is then... *grin*

for the record: i'm not advocating illegal intrusions; this is a mental exercise. :)

[ i'm not too paranoid about visits from MIB's but mapping critical information infrastructure is definitely one way to attract attention. maybe i'll talk more about that later... ]