Demystifying Lawful Intercept and CALEA TMC

Doesn't a Probe actively intercept traffic?

February 9, 2007
When deciding on the proper technique for implementing an LI solution, the question of "Active" vs. "Passive" often comes up, especially in IP-based networks. To understand what this means, we have to understand that in lawful intercept parlance, Active and Passive have their own meanings.

An active solution is one in which the Mediation/Delivery Function has a defined interface with an Access Function (a network element: router, SBC, switch, etc.) that allows provisioning of target information, the exchange of session information and the replication of communication traffic (example: Cisco SII). This interface is called "active" because the network element (AF) is actively identifying and replicating target traffic based on requests from the Mediation Function (MF). Since the connections between the AF and MF are typically IP-based, no special connectivity is needed and the AFs can be activated very quickly.

A passive solution employs a probe (sniffer) to identify and replicate traffic. To gain access to network traffic, the probe requires either a network tap (like NetOptics) or a "SPAN" type of interface. The probe then uses the same targeting information to dynamically identify and replicate traffic. The name does not mean the probe isn't actively working; it is called passive because it isn't an inherent part of the active network and sits outside of the network looking in.

Both solutions have pros and cons. An active solution is quickly implemented but only works on certain models and may require software upgrades. Probes can be expensive but are easily moved around a network and don't depend on software releases or models of equipment.

Active = network element with support for a lawful intercept interface
Passive = probe attached to the network but not actively involved with network switching

Till next time ...




Listed below are links to sites that reference Doesn't a Probe actively intercept traffic?:


» The Difference Between Active and Passive from Greg Galitzine's VoIP Authority Blog
Scott Coleman has another blog post today on the difference between ACTIVE and PASSIVE when discussing Lawful Intercept (LI) and the monitoring of IP-based networks.   Check out Scott’s latest entry here.... [More]

Tracked on February 9, 2007 2:04 PM
