DeepProbe - IP Fabrics

DeepProbe™
1Gbps and 10Gbps IP Data Collection Probes
DeepProbe-1 1Gbps IP Data Collection Probe
DeepProbe-10 10Gbps IP Data Collection Probe
IP Fabrics’ DeepProbe systems are the industry’s leading intelligent network
surveillance probes for 1Gbps and 10Gbps IP networks.
FEATURES/BENEFITS
• Intelligent: Can detect and collect IP data based on Internet access, protocol or application-level criteria
Easily provisioned to discover and generate IPDRs for IP access, email, webmail, VoIP, IM/chat, or web site usage.
• Fast: Performs deep application protocol inspection (DAPI) and application protocol decoding at wire speeds
Multi-core host processors, with multiple packet inspection accelerators (PIXLs), supports multiple 1Gbps and 10Gbps interfaces.
• Secure: Safe from unauthorized access
Each provisioning message and response is authenticated via SHA-1 and intercepted data is optionally authenticated and encrypted.
• Flexible and extensible to serve evolving surveillance needs
Open Surveillance Module™ architecture enables continued use as IP technology, IP applications, and data retention legislation evolves, and, Custom Plug-In SDK enables developers to add support for custom/proprietary protocols and applications.
DeepProbe
Passive IP data collection at wire speed.

High-Performance Passive IP Data Collection Probe
DeepProbe™ is IP Fabrics’ most advanced network surveillance system and functions as an intelligent, passive probe. Designed for use in data retention and lawful intercept solutions, DeepProbe is ideal for monitoring large and complex networks.

DeepProbe is completely passive and has the capability to inspect fully every network packet and decode application-level protocols, so that the controlling mediation systems don’t need to rely on active network elements (e.g., CMTSes or routers) for IP data collection and IPDR generation. This eliminates any performance impact to the existing infrastructure and provides enhanced IPDR generation capabilities.

DeepProbe offers flexible data collection options, including the ability to deliver IPDRs/key session events, IRI/Pen-Register information, or a full application/session data stream, enabling DeepProbe to serve in data retention and log generation solutions, as well as full intercept solutions. DeepProbe incorporates sophisticated reconstruction logic to detect and deliver application-level information when generating IPDRs for complex applications such as web traffic, webmail, IM/chat, and other web-based applications.

DeepProbe is typically provisioned and managed by a centralized mediation platform using secure ASN.1-formatted commands. Once provisioned, it discovers and collects IP data based on a sophisticated and flexible set of discovery criteria, such as:
• DHCP or RADIUS dynamically assigned IPv4 or IPv6 addresses
• Email address or partial email address
• VoIP user name or phone number
• Webmail address or domain
• IM/Chat username
• Web URL or cookie

Once an application or target is detected, the DeepProbe can be configured to deliver varying amounts of information, including IPDRs, key session/application events, or the complete application flow with related content such as attachments. For data retention applications, DeepProbe can also be configured to store IPDRs in files with configurable formats. Application-level collection can optionally include an IP/subnet/DHCP/RADIUS pre-filter, giving flexibility to further segment/qualify the monitored network.

[Figure: Intelligent Data Collection Probes. Probes passively monitor a network and are controlled programmatically by another device, typically called a mediation system. Diagram labels: 10Gb and 1Gb invisible inputs; passive probes (identity free, introduce no latency, don't affect existing network elements); probe provisioning commands; collected data / IPDR; mediation delivery system; storage / analytic center.]

High Performance, Scalable Architecture
IP Fabrics’ Surveillance Module™ (SM) architecture and underlying multi-core deep application protocol inspection (DAPI) and deep packet inspection (DPI) technology give DeepProbe many unique advantages over basic “PC-based” surveillance systems or hard-wired ASIC-based systems. DeepProbe’s internal host processors and multi-core packet inspection accelerators allow it to monitor multiple 1Gbps and 10Gbps Ethernet links at true wire-speed with full DAPI and DPI capabilities.

To the user, SMs are a series of well-defined, secure ASN.1 commands, which are designed for specific surveillance capabilities. For example, there are SMs for discovering webmail traffic, IM/chat, and SIP-based VoIP traffic. Some SMs, such as webmail and IM/chat use plug-ins, including 3rd-party-created CPIs, to support new services.

The DeepProbe is typically provisioned and managed via the system ports using a simple yet powerful set of commands. Each provisioning command is securely authenticated to prevent use by an unauthorized system. Consistent with previous IP Fabrics systems, an easy-to-use, secure web-based interface is also included.

Extensible, for Custom and Proprietary Application Monitoring
IP Fabrics’ Custom Plugin™ (CPI) architecture allows 3rd-parties to easily build additional custom/proprietary plugin decoders to supplement the IP Fabrics plugins. IP Fabrics CPI SDK allows developers to reuse key DeepProbe capabilities, such as provisioning, delivery, logging, and HTTP dechunking and compression.

1Gbps and 10Gbps Models
DeepProbe comes in two basic models. The first is for monitoring 10/100/1000 Mbps networks and is available with four surveillance ports. The second is for monitoring 10Gbps networks and is available with four 10Gbps and six 10/100/1000 Mbps surveillance ports. Both models support multiple, dynamically updatable targets and also come with two 10/100/1000 Mbps system ports, and are identical from a user perspective.
SOFTWARE FEATURES
DeepProbe-1 and DeepProbe-10:

IP Traffic SM: IP Traffic Discovery and Data Collection
This Surveillance Module discovers and collects data based on IPv4 or IPv6 Internet access. IP access can be static IPv4/IPv6 addresses or subnets, DHCP-assigned via MAC address, option 82 (remote ID, circuit id or both) or RADIUS login (username or NAS port ID). Layer-4 ports can be specified as singular, a range, a set, or a ‘not’ condition. Options for delivered traffic include session events, packet summary, all packets, and others.

VoIP Traffic SM: SIP-Based VoIP Discovery and Data Collection
This SM discovers and collects data on VoIP calls that use the SIP signaling protocol. Monitored traffic can be the all SIP VoIP activity, or can be specified as: user@host, user@IPv4/IPv6 address, phone_number@host, host, phone-number@IPv4/IPv6, tel:phone_number, hostname, or IPv4/IPv6 address and includes the ability to wildcard the name and/or phone number. Options for delivered traffic include the pertinent signaling (SIP and dialed digits), RTP packets, and others.

Email Traffic SM: SMTP, POP3, and IMAP4-based Email Discovery and Data Collection
This SM discovers and collects data based on an email activity. Monitored traffic can be all email, or can be specified as localname@domainname, localname (at any domain), @domainname (any localname on this domain). Additionally, targets can be specified as: to (including cc and bcc), from, or both. Options for delivered traffic include the email session events, the full email with attachments, and others.

Webmail SM and Webmail Service Plug-Ins
This SM discovers and collects data based on webmail activity, email address or webmail domain. The webmail session is captured and decoded, with the pertinent information extracted and delivered in RFC822 format (email text, folders, drafts) and byte stream with metadata (attachments). Initial webmail service plugins include Hotmail, Yahoo, Maktoob, and Facebook. Users can also develop Webmail SM CPIs for custom/proprietary Webmail services.

IM/Chat SM and Service Plug-Ins
This SM discovers and collects data based on IM/chat activity. Data can be collected for all IM/Chat activity or can be based on the specific subject’s username. Options for delivered traffic include key IM/Chat events, or the full IM/chat session, including (when possible) advanced features such as audio, video, and file sharing, formatted using RFC3920/3921 XMPP for IM/chat text and presence information, video, files, summary information, and events. Initial service plugins include MS Live, Yahoo Messenger, Twitter, ICQ/ICQ2Go!, Paltalk, and Facebook. Users can also develop IM/Chat SM CPIs for custom/proprietary IM/Chat services.

Keyword Scan Schema SM Plugin: IP Data Collection Based on Application Content
This SM plugin can further qualify email, webmail, and IM/Chat SM data collection by the content in the bodies or attachments. Content can be specified by a set of simple strings, complex strings, regular expression, or pattern/signature database. The match criteria can be further qualified by the location of the content within the communications (e.g., body, attachment, subject line, etc).

Web Traffic SM: HTTP/HTTPS and DNS Traffic Discovery and Data Collection
This SM detects and collects data based on DNS domain lookups and HTTP/HTTPS traffic based on URL, HTTP header, and SSL handshakes. Traffic can be discovered and collected for all web activity, or can be specified with targeting information including the client, a web site, a cookie/cookie value, or a specific type of traffic. Available in 2011.

Web Application SM and Application Plugins: Web-Based Application Traffic Discovery and Data Collection
This SM detects and collects data based on popular web applications, such as bulletin boards. Planned applications include the vBulletin forum/message board application. Users can also develop Web Application SM CPIs for custom/proprietary web applications. Available in 2011.

File Transfer SM: File Transfer/Sharing Discovery and Data Collection
This SM detects and collects data based on file transfer activity, such as FTP, BitTorrent, Gnutella, and EDonkey. Available in 2011.

Dark Traffic SM: Malformed and Unusual Traffic Discovery and Data Collection
This SM detects and collects data based on malformed and unusual traffic in protocols and applications including IPv4, IPv6, ICMP, TCP, UDP, DCCP, DNS queries, and HTTP/SSL responses. Available in 2011.

Encrypted Traffic SM: Encrypted Traffic Discovery and Data Collection
This SM detects and collects data based on encrypted traffic such as Skype, IPSec, SSL/TLS, SSH, pcAnywhere, encrypted XMPP, and encrypted services, such as Gmail. Available in 2011.

[Figure: Surveillance Module (SM) Architecture. Flexible Surveillance Module architecture can be extended via new SMs and SM plug-ins. Diagram labels: secure, uniform provisioning; IP traffic, SIP VoIP, email, webmail, IM/chat, web traffic, file transfer, and dark traffic surveillance modules; SM plug-ins (Microsoft Live, Yahoo, Facebook, Twitter, ICQ, Google Talk, CPI); uniform representation; event information; secure, fully decoded output in standardized form.]

[Product photos: DeepProbe-10 and DeepProbe-1. DeepProbe-10 provides for 10Gbps and six 10/100/1000Mbps surveillance ports.]

DeepProbe™ Datasheet
PRODUCT PERFORMANCE SPECIFICATIONS
DeepProbe-1 Performance and Capacities:
• 64-Bit quad-core Xeon® host processor with OCTEON™ CN5650 packet inspection accelerator (12 Cores)
• 10,000+ active filters
I/O
• 4 10/100/1000 Mbps identity-free Ethernet surveillance interfaces
• Flexible physical interfaces on surveillance ports via pluggable SFPs
• 2 1Gbps Ethernet system ports
Power
• Redundant and hot-swappable
• Choice of 100–240V AC or -48–60V DC
Physical/Mechanical
• Rack mountable, 2U appliance
• Dimensions: 3.5” (H) X 17.2” (W) X 17.7” (D)
• Weight: 33lbs
Environmental
• Temp: 10°C to 35°C (operating), -40°C to 70°C (non-operating)
• Humidity: 8-90% (operating), 5-95% (non-operating) non-condensing
Safety
• UL 1950, CSA 950, IEC 950, TUV/GS EN60950
Emissions
• FCC Class A certified, CISPR 22 Class A tested, EN55022 Class A tested, VCCI Class A ITE tested, AS/NZS 3548 Class A tested
DeepProbe-10 Performance and Capacities:
• Dual-Core Intel® Xeon® host processor (4 total cores) with Dual OCTEON™ CN58xx packet inspection acceleration (32 Cores)
• 10,000+ active filters
I/O
• 4 10Gbps and 6 10/100/1000 Mbps identity free Ethernet surveillance interfaces
• Flexible interfaces on surveillance ports via pluggable SFP/SFP+
• 2 1Gbps Ethernet system ports
Power
• Redundant and hot-swappable
• Choice of 100–240V AC or -48–60V DC
Physical/Mechanical
• 3U 2-slot ATCA
• Dimensions: 133.25mm (3U)(H) x 19” (W) x 16.275” (D)
• Weight: 46 lbs
• Hot pluggable fan tray
Environmental
• Operating temp: -5°C to 55°C
• Non-operating temp: -40°C to 70°C
• Non-operating humidity: 5% to 95% non-condensing
• Up to 1800m
Safety
• Designed to meet CE, UL, TUV
Emissions
• FCC Part 15 and CE
ORDERING INFORMATION
For more information, including pricing, availability, and ordering,
please contact IP Fabrics by email at [email protected] or call us
at +1 503-444-2400.
Copyright © 2011 IP Fabrics, Inc. All company and/or product names may be trade names, trademarks and/or registered
trademarks of the respective owners with which they are associated. Features, pricing, availability, and specifications are subject
to change without notice. IP Fabrics restricts the sale of the DeepSweep and DeepProbe products to authorized government,
military, and law enforcement agencies and their contractors, and to authorized communications carrier and service-provider
companies. 110103
IP Fabrics, Inc.
14976 NW Greenbrier Pkwy
Beaverton, OR 97006
Tel: +1 503-444-2400
Fax: +1 503-444-2401
www.ipfabrics.com