massively scalable, lossless packet capture

Packet Continuum UCS is a massively scalable, lossless packet capture solution on the open Cisco UCS computing infrastructure. Packet Continuum is designed to continuously capture live network traffic directly from a network tap, span/mirror, or packet broker. All captured traffic (in the form of PCAP files) is instantly searchable across very long capture timelines, with support for “federated” threat-hunting and fast PCAP search across up to 100 capture points.

Packet Continuum UCS integrates with the Cisco suite of security solutions and with important Cisco partners. Users can quickly solve security or performance problems by drilling down into reported incidents directly from the application GUI screens of these products:

  • Cisco FirePOWER Management Center (Sourcefire) analyzes network vulnerabilities, prioritizes attacks, and recommends protections. Packet Continuum for Cisco UCS extends the analysis of intrusion events with dynamic links to the full-session packet content.
  • Cisco StealthWatch provides network visibility and security analytics for advanced protection. Packet Continuum for Cisco UCS adds a quick pivot-to-PCAP for critical Incident Response.

Packet Continuum for Cisco UCS is a scalable sensor/recorder for enhanced network telemetry data, based on lossless PCAP that is cross-correlated with critical events. At line rate, in real time, Packet Continuum for Cisco UCS evaluates over 50,000 Snort IDS rules and up to 1 Million Threat-IP alerts, and generates sessionized logs for critical security applications such as file detection events, DNS, HTTP, email, VoIP and SSL/TLS.

| Packet Continuum UCS Model | UCS Enterprise Capture Node Appliance | UCS Cluster Node Appliance |
|---|---|---|
| Part Number | PUCS-10G210C4N-93TB-2U-V4-CS1.0 | PUCS-CN-93TB-2U-V4-CS1.0 |
| Hardware Platform | Cisco UCS C240 M5 (LFF) Server – 2U Rackmount | Cisco UCS C240 M5 (LFF) Server – 2U Rackmount |
| Purchase Options | Purchase the integrated capture appliance, with 1st-year support/maintenance included; service options for an As-A-Service business model and for extended support/maintenance | (same) |
| Support | Full appliance support from NextComputing | (same) |
| Capture Interfaces | 2 x 10G/1G interfaces, with SFP+ SR and SFP RJ-45 transceiver modules | n/a |
| Capture Rate Options | Capture Node stand-alone (no clusters): up to 10Gbps sustained aggregate lossless capture rate, with packet analytics enabled and simultaneous search/retrieval. Additional cluster nodes increase capture rate, forensics timeline, and/or advanced packet analytics | n/a |
| Forensic Timeline – Capture Node | 93TB dedicated PCAP Capture Store. Worst case: 1 Day, with no compression and 10Gbps max capture rate. Best case: 9 Days, with 5:1 compression and 50% bandwidth | Additional 93TB dedicated PCAP Capture Store per Cluster Node. Worst case: 1 Day, with no compression and 10Gbps max capture rate. Best case: 9 Days, with 5:1 compression and 50% bandwidth |
| Forensic Timeline – Max System Capacity | Capture Node + up to 4 Cluster Nodes maximum, for a maximum of 465TB dedicated PCAP Capture Store. Worst case: 4.4 Days, assuming no compression and max capture rate. Best case: 44 Days, assuming 5:1 compression and 50% bandwidth. For additional timeline capacity, up to 100 capture systems may be Federated, or “clusters of clusters” may be configured | (same) |
| Federation Manager | A single “Federation” may include up to 100 Capture Nodes (or Capture Clusters); the remote user interface (and REST/API access) provides a unified view of all PCAP/log data and allows federated data queries. For additional capacity, “federations of federations” may be configured | (same) |
| Time Stamp | 150 nanoseconds | n/a |
| Pre-Capture Filter | BPF (dynamically adjustable) | n/a |
| Active Triggers | BPF (100 simultaneous) | n/a |
| IDS Alerts | Snort/Suricata rules (up to 50,000 simultaneous) | n/a |
| Threat-IP Alerts | IP address lists (up to 1 Million simultaneous) | n/a |
| Operating System | CentOS v7.5, or optional upgrade to Red Hat Enterprise Linux v7.5 | (same) |
| Threat-Hunting & Log Manager | Real-time logging/alerts for HTTP, Files, DNS, Email, User Agents, TLS/SSL, Active Triggers (BPF signature), System events, and Snort/Suricata rules (both user-defined and pre-packaged libraries). Log Manager events are actionable to search. All logs are time-correlated with PCAPs and NetFlow data. Text string search of logs. NetFlow record logging and search when Log Manager Analytics is enabled | (same) |
| Flow Record Recording | Flow record recording in NetFlow V9 record format, with search and extraction of NetFlow data via the timeline. UI-based NetFlow files are downloadable and formatted for offline viewing in Wireshark or Tshark | (same) |
| REST & GUI Mgmt Interface | RJ-45 1G LAN port, for remote access by the web-based User Interface and for programmatic access via the REST/API | (same) |
| Device Control Interface | RJ-45 1G LAN port, CIMC (Cisco Integrated Management Controller) interface, for device control during “lights out” operation | (same) |
| Output Options Interface | RJ-45 1G LAN port, for automated Active Defense Measures output, or alternatively for PCAP Replay output for offline traffic analysis | (same) |
| Cluster Node Interfaces | Multiple 10G fiber SR LAN ports, for point-to-point fiber connection to up to (4) Cluster Nodes per Capture Node | Multiple 10G fiber SR LAN ports, for point-to-point connection with a Capture Node |

Rows marked “(same)” list a single specification that applies to both appliances.

Timeline Configuration Examples

Notes

  • A “Capture Cluster” includes a single Capture Node, and optional point-to-point 10G fiber connections with up to 4 Cluster Nodes.
  • A “Federation” can include up to 100 Capture Clusters, which self-organize via IP address to present a single, unified, web-based User Interface for federated PCAP search and dashboard screens for logs, alerts, and threat-hunting analysis.
  • Capture Timelines in this chart are shown as a range, because in-line data compression varies based on how much network traffic is encrypted:
    – WORST case: no data compression
    – BEST case: 5:1 data compression
[Figure: example configurations]

Capture Clusters

Long capture timelines for days, weeks, or months of lossless packet capture data history, when quick response search is required. Added timeline features include in-line data compression and policy driven data retention.

[Figure: example configurations]

Federation

High data-rate capture clusters (e.g. 40Gbps, 100Gbps, and beyond) where a full feature set of real-time analytics functions must run at line rate with deterministic performance. Line-rate functions include continuous lossless full packet capture (PCAP), real-time IDS alerting and other user-defined Policy Management, with simultaneous search/recall for Incident Response.

[Figure: example configurations]

Resources

  • Packet Continuum for Cisco UCS Datasheet