Packet Continuum for Cisco UCS

LOSSLESS PACKET CAPTURE —
EASY PIVOT FROM CISCO SECURITY EVENTS


Packet Continuum UCS extends the Cisco Security Suite with easy workflows for Incident Response and Forensic Investigation. This is a low-cost solution for lossless packet capture, with easy Pivot-to-PCAP, directly from Stealthwatch, Firepower and other critical events from Cisco analytics. Cisco users quickly jump into an open data investigator, where they analyze packets and follow streams, augmented by IDS alerts and suspicious activity, to quickly find the root-cause. Use Packet Continuum for “Retrospective Detection”, reaching back over an extended timeline history to discover threat activity even before it was known.

  • This software framework runs natively on Cisco UCS server hardware, with 1U, 2U, and 4U standard SKUs.
  • We also offer a unique software field-upgrade for legacy Cisco Security Packet Analyzer (CSPA) appliances.
  • NextComputing makes TSA carry-on-deployable hardware platforms, both for PCAP and to run other Cisco Security Suite apps on a very small footprint.

Cisco Security Workflow

  • Use Stealthwatch to initiate detailed Forensic IR Investigations
    • Examine full lossless packet capture data of suspicious activity around any critical alert – over extended timeline periods
  • Supplement Stealthwatch with rich data augmentation around events
    • Pivot from Stealthwatch into a full-featured Data Visualization Investigator
    • “What else is going on around this critical event?”
    • Isolate & follow individual “Streams”, augmented with known suspicious files & activity like domains or JA3 signatures, in addition to user-defined Snort IDS alerts, etc.
  • Leverage valuable Stealthwatch alerting policies:
    • Extend the timeline for critical data retention, beyond the lossless Capture Timeline
    • Retrospective Detection: Did similar behavior occur in the past, while undetected?
    • Trigger automated capture & extraction workflows

Network Topology Pivot Workflow

  • Easy Pivot-to-PCAP from Cisco Security events
    • Easy workflow into Forensic IR Investigations, from Stealthwatch, FMC or any 3rd party event
    • Optimized for standard Cisco UCS servers, with UCS hardware credit to Cisco sellers
    • Field-upgrade for legacy Cisco Security Packet Analyzer appliances
  • Automated capture policies & workflows
    • Event-related queries retain critical data, even beyond the lossless capture timeline period
    • Mature REST API for easy workflow integrations, using open data access & standard interfaces
  • Low-cost entry-level options => EASY PROOF-OF-CONCEPT
  • Unique features for massive scale => Carrier-grade and large-enterprise networks
    • Federated search across many capture nodes – up to 10,000
    • Very long capture timelines – weeks/months
    • Very high lossless capture rates – 300-500+Gbps

Product Options

Packet Continuum UCS is available as a software license, which deploys directly on Cisco UCS standard SKU servers offered by Cisco and partners. NextComputing will also quote integrated capture appliances (software + hardware). The mainstream configuration is an “Enterprise” Capture Node, with up to 10Gbps lossless capture rate and a 100TB Capture Store (dedicated to PCAP data). There are also “Lite” and “Extreme” versions. Using these standard SKUs, users may deploy “Cluster Nodes” and “Federated Groups” to deliver any lossless capture rate, or any timeline capacity, without limitation.

System: Lite
  • Capture Rate Capacity: Up to 2Gbps
  • Timeline Capacity:
    • 40TB = 3++ Days @ 1Gbps
    • 200TB Max (1+4 cluster)
  • Federation Capacity: up to 10,000 capture points
  • Target Platform: 1U Cisco UCS C220 M5 Rack LFF Server
  • Available As: Software License, Integrated Appliance

System: CSPA Upgrade
  • Capture Rate Capacity: 4++Gbps
  • Timeline Capacity:
    • 40TB = 3++ Days @ 1Gbps
    • No Cluster Expansion
  • Federation Capacity: up to 10,000 capture points
  • Target Platform: 2U Cisco Security Packet Analyzer
  • Available As: Software License

System: Deployable
  • Capture Rate Capacity: Up to 10Gbps
  • Timeline Capacity:
    • Up to 100TB
    • 500TB Max (1+4 cluster)
  • Federation Capacity: up to 10,000 capture points
  • Target Platform: NextServer-X Portable Chassis
  • Available As: Integrated Appliance

System: Enterprise
  • Capture Rate Capacity: Up to 10Gbps
  • Timeline Capacity:
    • 100TB = 1++ Days @ 10Gbps
    • 500TB Max (1+4 cluster)
  • Federation Capacity: up to 10,000 capture points
  • Target Platform: 2U Cisco UCS C240 M5 Rack LFF Server
  • Available As: Software License, Integrated Appliance

System: Extreme
  • Capture Rate Capacity: Up to 20Gbps
  • Timeline Capacity:
    • 600TB = 6++ Days @ 10Gbps
    • 5.4PB Max (1+8 cluster)
  • Federation Capacity: up to 10,000 capture points
  • Target Platform: 4U Cisco UCS S3260 Storage Server
  • Available As: Software License

System: Federated Group
  • Capture Rate Capacity: Unlimited
  • Timeline Capacity: Unlimited
  • Federation Capacity: up to 10,000 capture points
  • Target Platform: Multiple UCS servers
  • Available As: Software License

Packet Continuum Enterprise Capture Node

  • 2U x 27" standard-SKU rackmount: Cisco UCS C240 M5 Rack LFF
  • 10Gbps sustained PEAK capture rate, via 2x10G capture interfaces (SFP+ SR Fiber and/or RJ-45)
  • Zero packet loss (deterministic), even with full packet analytics (e.g. 50,000 active Snort/Suricata alerts)
  • Very fast PCAP search, simultaneous with capture operations
  • 100TB Capture Store – dedicated to actively-searchable PCAP data
  • Capture Timeline, based on data compression ratio which is network dependent:
    • 1++ Days @ 10Gbps AVERAGE capture rate
    • 10++ Days @ 1Gbps AVERAGE capture rate
  • Unlimited Capture Timeline, by adding up to 4 Cluster Nodes, or federating multiple Capture Nodes
  • Unlimited Capture Rate, with a Federated Group of Capture Nodes

Upgrade for Cisco Security Packet Analyzer (CSPA)

Cisco customers who purchased Cisco Security Packet Analyzer 2400 Appliance (CSPA) are aware this product was announced as end-of-service. However, CSPA users may upgrade their legacy appliance to Packet Continuum UCS, with full support – from Cisco for hardware, and from NextComputing for software support and feature enhancements in the future. The software is installed to CSPA devices in the field. Upgraded CSPA appliances will federate with any newly purchased Packet Continuum UCS systems.

Packet Continuum Lite Capture Node

  • 2U x 27" standard-SKU rackmount: Cisco UCS C240 M5 Rack LFF
  • 2Gbps sustained PEAK capture rate, via 2x1G capture interfaces (SFP+ SR Fiber and/or RJ-45)
  • Zero packet loss (deterministic), even with full packet analytics (e.g. 50,000 active Snort/Suricata alerts)
  • Very fast PCAP search, simultaneous with capture operations
  • 40TB Capture Store – dedicated to actively-searchable PCAP data
  • Capture Timeline, based on data compression ratio which is network dependent:
    • 4++ Days @ 1Gbps AVERAGE capture rate
  • Unlimited Capture Timeline, by adding up to 4 Cluster Nodes, or federating multiple Capture Nodes
  • Unlimited Capture Rate, by aggregating federated Capture Nodes

Packet Continuum Extreme Capture Node

  • 4U x 27" standard-SKU rackmount: Cisco UCS S3260 Storage Server
  • 20Gbps sustained PEAK capture rate, via 2x10G (or 4x1G) capture interfaces (SFP+ SR and/or RJ-45)
  • Zero packet loss (deterministic), even with full packet analytics (e.g. 50,000 active Snort/Suricata alerts)
  • Very fast PCAP search, simultaneous with capture operations
  • 600TB Capture Store – dedicated to actively-searchable PCAP data
  • Capture Timeline, based on data compression ratio which is network dependent:
    • 3++ Days @ 20Gbps AVERAGE capture rate
    • 6++ Days @ 10Gbps AVERAGE capture rate
    • 8++ Weeks @ 1Gbps AVERAGE capture rate
  • Unlimited Capture Timeline, by adding up to 4 Cluster Nodes, or federating multiple Capture Nodes
  • Unlimited Capture Rate, by aggregating federated Capture Nodes

Packet Continuum Deployable

Equivalent in power to the Enterprise version, the Packet Continuum UCS Deployable capture node runs on the unique workstation hardware manufactured by NextComputing. Inside its specially designed transit case, it weighs less than 35 lbs and is TSA-compliant as an airline carry-on. It is ideal for military CPTs and commercial IR and assessment teams who must travel and quickly set up at a remote location. The system has various configurations for price/performance up to 10Gbps and a 100TB capture store, and can be stripped down for very low cost.

Packet Continuum UCS Deployable is powerful enough to run the entire Cisco Security Suite on a very small form-factor – with or without Packet Continuum software.

Workflows

The unique value of Packet Continuum is easy workflows for data exploration to quickly resolve the cause of an event. Cisco users instantly jump to an open data Investigator, where they analyze packets and follow streams, augmented by IDS alerts and suspicious activity, to quickly find the root-cause.

Packet Continuum continuously captures network traffic without data loss, into an onboard Capture Store. Simultaneous with ongoing lossless capture operations and real-time DPI analytics, remote user analysts have access to very fast search, with easy workflows to pivot, investigate and ultimately report findings.

[Figure: example configurations]

Valuable workflows enabled by Packet Continuum

  • Federation Workflow - Federation and aggregation of capture nodes in different locations or within the same datacenter
  • Investigation Workflow - Global investigation based on search or pivot from an alert in Cisco Stealthwatch or Firepower, and then explore and recursively search towards the root cause
  • Follow the Stream Workflow - Within Investigations, follow important streams within any search results, to quickly isolate important packets for examination
  • Augmentation Workflow - Within any Investigation or stream analysis, take advantage of various IoC alerts, suspicious activity and log data which may correlate to the data under current review
  • Phishing Workflow - For a specific Forensics Investigation following a phishing email attack and its subsequent actions, see the activity at each step, and add user-defined alerts to flag the same behavior if it happens again.
  • Policy Update Workflow – Quickly change real-time policies, based on new threat intel or lessons-learned. Federation Manager will PUSH policies to ALL field appliances.
  • DNS Transaction Analysis – Drill down into DNS transactions, or events associated with any other IoC or Application logging
  • Network Performance & Investigation Workflow – Packet Continuum supports NetOps and Performance anomaly investigations, as well as SOC operations, with workflows like TCP Flow State / Flow Aging Analysis & SMB Data Analysis

Packet Continuum UCS Cluster

[Figure: example configurations]

Note: Enterprise Capture Nodes and Cluster Nodes are available as a software-only license, or as an integrated appliance

Packet Continuum UCS Model: UCS Enterprise Capture Node Appliance vs. UCS Cluster Node Appliance

Hardware Platform
  • Capture Node:
    • 2U x 27" standard-SKU rackmount: Cisco UCS C240 M5 Rack LFF
    • No proprietary hardware.
  • Cluster Node:
    • Cluster Nodes deploy on the same underlying server platform as the matching Capture Node
    • Capture Store capacity must be the same for all Capture/Cluster Nodes in the same cluster

Software Platform
  • Capture Node:
    • CentOS, or Red Hat EL
    • Role-Based Access Control via SSO, LDAP, RADIUS, etc.
  • Cluster Node:
    • CentOS, or Red Hat EL

Support (Capture and Cluster Nodes)
  • UCS Server Hardware support from Cisco
  • Packet Continuum software support from NextComputing

Capture Rate
  • Capture Node:
    • 10Gbps sustained PEAK capture rate, via 2x10G capture interfaces (SFP+ SR Fiber and/or RJ-45)
    • Zero packet loss (deterministic), even with full packet analytics (e.g. 50,000 active Snort/Suricata alerts)
    • Very fast PCAP search, simultaneous with capture operations
  • Cluster Node: n/a

Capture Timeline
  • Capture Node:
    • 100TB Capture Store – dedicated to actively-searchable PCAP data
    • Capture Timeline, based on data compression ratio which is network dependent:
      • 1++ Days @ 10Gbps AVERAGE capture rate
      • 10++ Days @ 1Gbps AVERAGE capture rate
  • Cluster Node:
    • Each Cluster Node provides actively-searchable storage expansion matching Capture Node storage
      • Note: PCAP search times remain constant as the Capture Store increases
    • For example, a “1+4 Capture Cluster” has a Capture Timeline of 5x vs. a standalone Capture Node

Expansion
  • Capture Node:
    • Unlimited Capture Timeline, by adding up to 4 Cluster Nodes, or federating multiple Capture Nodes
    • Unlimited Capture Rate, with a Federated Group of Capture Nodes
  • Cluster Node:
    • The number of Cluster Nodes per individual Capture Node is limited (up to 4 or 8)
    • Unlimited timeline expansion is possible by “Federating” multiple Capture Clusters

Management Interface
  • Capture Node:
    • For remote access by the Web-based User Interface
    • For programmatic access via the REST API
  • Cluster Node: n/a

Stream Search Output Interface
  • Capture Node:
    • For streaming replay of PCAP search results. For example, for analysis by legacy tools.
    • For Alert/Event Log Forwarding. For example, selective log/metadata streaming to 3rd party systems.
    • For “Active Defense” messaging. For example, when Threat IP activity is detected.
  • Cluster Node: n/a

IPMI Platform Control Interface
  • Capture Node:
    • For device control during "lights out" operation, server monitoring, remote re-boot, etc.
  • Cluster Node: n/a

Cluster Node Interfaces
  • Capture Node:
    • For point-to-point fiber connection of multiple Cluster Nodes, for additional storage expansion that is actively-searchable
  • Cluster Node: n/a

IDS Alerting
  • Capture Node:
    • Up to 50,000 active Snort/Suricata IDS rules, simultaneous with PCAP capture/search
    • Up to 1M Suspicious ThreatIP alerts
    • Defended Assets & Defended Services
    • User-defined, or select from pre-packaged libraries
  • Cluster Node: n/a

IoC Alerting & Augmentation
  • Capture Node:
    • BPF-based Active Triggers
    • Suspicious Domains & IP Addresses
    • Suspicious Files (e.g. MD5 Hashes)
    • Suspicious SSL/TLS activity (e.g. JA3 Signatures)
    • User-defined, or select from pre-packaged libraries
  • Cluster Node: n/a

DPI Event Logging
  • Capture Node:
    • File Detection, Emails, DNS, SMB, SSL/TLS, VOIP, User-Agent – and NetFlow V9 generation
  • Cluster Node: n/a

Retrospective Detection
  • Capture Node:
    • “SigDetect” feature to search back over the entire timeline for emerging 0-Day threats, using Snort/Suricata rulesets and other Indicators of Compromise (IoC)
  • Cluster Node: n/a

Timeline Configuration Examples

  • A "Capture Cluster" includes a single Capture Node, and optional point-to-point 10G fiber connections with up to 4 Cluster Nodes.
  • A "Federation" can include up to 10,000 Capture Clusters, which self-organize via IP Address to present a single, unified, web-based User Interface for federated PCAP search and dashboard screens for logs, alerts, and threat-hunting analysis.
  • Capture Timelines in this chart are shown as a range, because in-line data compression varies based on how much network traffic is encrypted:
    • WORST case: no data compression
    • BEST case: 5:1 data compression
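The per-node Capture Timeline bullets above and the WORST/BEST compression range in this section describe one sizing model: Capture Timeline = Capture Store ÷ AVERAGE capture rate, stretched by in-line compression (1:1 worst, 5:1 best), with a "1+N" Capture Cluster multiplying the store by 1+N. The Python below is an added planning example, not code from the page, NextComputing or Cisco. It carries that model through with the page's own datasheet figures (store sizes, peak rates, cluster limits) and answers the question an IR team actually has: how many Cluster Nodes guarantee, even in the uncompressed worst case, that the packets behind an alert are still on disk when the analyst pivots to them. Decimal units (1 TB = 1e12 bytes, 1 Gbps = 1e9 bit/s) and the 3-day planning target at the end are assumptions.

```python
"""Capture Timeline sizing for lossless packet-capture nodes.

Added example; not NextComputing's or Cisco's code. It applies the model the
page states: Capture Timeline = Capture Store / AVERAGE capture rate, stretched
by in-line data compression (WORST case 1:1, BEST case 5:1), with a "1+N"
Capture Cluster multiplying the store by (1+N). Store sizes, peak rates and
cluster limits are the page's datasheet figures. Assumptions: decimal units
(1 TB = 1e12 bytes, 1 Gbps = 1e9 bit/s) and uniform compression of the store.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

SECONDS_PER_DAY = 86_400
WORST_COMPRESSION = 1.0  # no compression, e.g. mostly encrypted traffic
BEST_COMPRESSION = 5.0   # 5:1 in-line compression


@dataclass(frozen=True)
class CaptureNode:
    name: str
    store_tb: float         # Capture Store dedicated to PCAP data (TB)
    peak_gbps: float        # sustained PEAK lossless capture rate (Gbps)
    max_cluster_nodes: int  # Cluster Nodes allowed per Capture Node


# Datasheet figures from the page; the cluster limits follow from the
# "200TB Max (1+4 cluster)" / "5.4PB Max (1+8 cluster)" entries.
DATASHEET_NODES = {
    "Lite": CaptureNode("Lite", store_tb=40, peak_gbps=2, max_cluster_nodes=4),
    "Enterprise": CaptureNode("Enterprise", store_tb=100, peak_gbps=10, max_cluster_nodes=4),
    "Extreme": CaptureNode("Extreme", store_tb=600, peak_gbps=20, max_cluster_nodes=8),
}


def bytes_per_day(avg_gbps: float) -> float:
    """Bytes written to the Capture Store per day at a given average rate."""
    return avg_gbps * 1e9 / 8 * SECONDS_PER_DAY


def timeline_days(store_tb: float, avg_gbps: float,
                  compression: float = WORST_COMPRESSION,
                  cluster_nodes: int = 0) -> float:
    """Days of searchable PCAP history for a 1+N cluster at an average rate."""
    if avg_gbps <= 0:
        raise ValueError("average capture rate must be positive")
    effective_store_bytes = store_tb * 1e12 * (1 + cluster_nodes) * compression
    return effective_store_bytes / bytes_per_day(avg_gbps)


def timeline_range_days(node: CaptureNode, avg_gbps: float,
                        cluster_nodes: int = 0) -> Tuple[float, float]:
    """(WORST, BEST) case timeline, i.e. the range the page's chart shows.

    Rejects configurations the datasheet does not cover: an average rate above
    the node's peak (capture would no longer be lossless) or more Cluster Nodes
    than the node allows.
    """
    if avg_gbps > node.peak_gbps:
        raise ValueError(f"{node.name}: {avg_gbps}Gbps exceeds peak {node.peak_gbps}Gbps")
    if not 0 <= cluster_nodes <= node.max_cluster_nodes:
        raise ValueError(f"{node.name}: at most {node.max_cluster_nodes} Cluster Nodes")
    worst = timeline_days(node.store_tb, avg_gbps, WORST_COMPRESSION, cluster_nodes)
    best = timeline_days(node.store_tb, avg_gbps, BEST_COMPRESSION, cluster_nodes)
    return worst, best


def max_store_tb(node: CaptureNode) -> float:
    """Largest Capture Store a fully populated cluster of this node offers."""
    return node.store_tb * (1 + node.max_cluster_nodes)


def min_cluster_nodes(node: CaptureNode, avg_gbps: float,
                      required_days: float) -> Optional[int]:
    """Smallest N such that a 1+N cluster keeps `required_days` of history even
    in the WORST (uncompressed) case; None if no single cluster of this node
    can, in which case the page's answer is to federate several clusters.
    Planning on the worst case matters for IR: retention must not depend on
    how much of the traffic happened to be encrypted.
    """
    for n in range(node.max_cluster_nodes + 1):
        worst, _ = timeline_range_days(node, avg_gbps, n)
        if worst >= required_days:
            return n
    return None


if __name__ == "__main__":
    for node in DATASHEET_NODES.values():
        for n in (0, node.max_cluster_nodes):
            worst, best = timeline_range_days(node, node.peak_gbps, n)
            print(f"{node.name:10s} 1+{n}: {worst:6.1f} .. {best:6.1f} days "
                  f"@ {node.peak_gbps}Gbps average")
    # Constructed planning target: keep 3 days of history at 10Gbps average.
    print("Enterprise Cluster Nodes needed for 3 days @ 10Gbps:",
          min_cluster_nodes(DATASHEET_NODES["Enterprise"], 10, 3))
```

Run as a script it prints the worst/best range for each standalone node and for its largest cluster; the Enterprise figures come out at roughly 0.9 to 4.6 days standalone at 10Gbps, which is the "1++ Days" entry, and exactly 5x that for a 1+4 cluster, as the cluster table states.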
[Figure: example configurations]

Capture Clusters

Capture Clusters provide long capture timelines (days, weeks, or months of lossless packet capture history) where quick-response search over that history is required. Added timeline features include in-line data compression and policy-driven data retention.

[Figure: example configurations]

Federation

Federation serves high data-rate capture clusters (e.g. 40Gbps, 100Gbps, and beyond) where a full feature set of real-time analytics functions must run at line rate with deterministic performance. Line-rate functions include continuous lossless full packet capture (PCAP), real-time IDS alerting and other user-defined Policy Management, with simultaneous search/recall for Incident Response.

[Figure: example configurations]

Packet Continuum UCS offers a unique advantage to Cisco users

  • Lossless capture rate specs are deterministic and guaranteed, even with multiple PCAP searches and while all advanced packet alerting features are enabled
  • Direct software connectors for easy workflows to pivot from Cisco Security tools into a data Investigator (Kibana-based) to quickly explore around critical events
  • True "federation" of many capture nodes for many users via a web browser
  • Retrospective detection based on Snort rules
  • Field-upgrade options for Cisco customers with legacy Cisco Security Packet Analyzer (CSPA) appliances
