massively scalable, lossless packet capture
Packet Continuum UCS is a massively scalable, lossless packet capture solution on the open Cisco UCS computing infrastructure. Packet Continuum is designed to continuously capture live network traffic directly from a network tap, span/mirror, or packet broker. All captured traffic (in the form of PCAP files) is instantly searchable across very long capture timelines, with support for “federated” threat-hunting and fast PCAP search across up to 100 capture points.
Packet Continuum UCS integrates with the Cisco suite of security solutions and with important Cisco partners. Users can quickly solve security or performance problems by drilling down into reported incidents directly from the application GUI screens of these products:
- Cisco FirePOWER Management Center (Sourcefire) analyzes network vulnerabilities, prioritizes attacks, and recommends protections. Packet Continuum for Cisco UCS extends the analysis of intrusion events with dynamic links to the full session packet data.
- Cisco StealthWatch provides network visibility and security analytics. Packet Continuum for Cisco UCS adds a quick pivot-to-PCAP for incident response.
Packet Continuum for Cisco UCS is a scalable sensor/recorder for enhanced network telemetry, based on lossless PCAP that is cross-correlated with critical events. At line rate and in real time it executes up to 50,000 Snort/Suricata IDS rules and matches against up to 1 million Threat-IP entries, and it generates sessionized logs for file detection events, DNS, HTTP, email, VoIP, SSL/TLS, and other protocols.
| Packet Continuum UCS Model | UCS Enterprise Capture Node Appliance | UCS Cluster Node Appliance |
|---|---|---|
| Hardware Platform | Cisco UCS C240 M5 (LFF) Server, 2U rackmount | Cisco UCS C240 M5 (LFF) Server, 2U rackmount |
| Support | Full appliance support from NextComputing | Full appliance support from NextComputing |
| Capture Interfaces | 2 x 10G/1G interfaces, with SFP+ SR and SFP RJ-45 transceiver modules | |
| Capture Rate Options: Capture Node stand-alone (no clusters) | | |
| Forensic Timeline – Capture Node | | |
| Forensic Timeline – Max System Capacity | | |
| Federation Manager | A single “Federation” may include up to 100 Capture Nodes (or Capture Clusters); the remote web user interface and REST API present a unified view of all PCAP and log data and allow federated queries. For additional capacity, “federations of federations” may be configured. | Same as Capture Node |
| Time Stamp | 150 ns | n/a |
| Pre-Capture Filter | BPF (dynamically adjustable) | n/a |
| Active Triggers | BPF (100 simultaneous) | n/a |
| IDS Alerts | Snort/Suricata rules (up to 50,000 simultaneous) | n/a |
| Threat-IP Alerts | IP address lists (up to 1 million entries) | n/a |
| Operating System | CentOS 7.5, or optional upgrade to Red Hat Enterprise Linux 7.5 (licensed) | Same as Capture Node |
| Threat-Hunting & Log Manager | Real-time logging and alerts for HTTP, files, DNS, email, user agents, TLS/SSL, Active Triggers (BPF signatures), system events, and Snort/Suricata rules (user-defined and pre-packaged libraries). Every Log Manager event is a search pivot. All logs are time-correlated with PCAPs and NetFlow data. Text string search of logs. NetFlow record logging and search when Log Manager Analytics is enabled. | Same as Capture Node |
| Flow Record Recording | Flow records recorded in NetFlow v9 format, with search and extraction of NetFlow data by timeline. NetFlow files are downloadable from the UI, formatted for offline viewing in Wireshark or tshark. | Same as Capture Node |
| REST & GUI Mgmt Interface | RJ-45 1G LAN port, for remote access by the web-based user interface and programmatic access via the REST API. | Same as Capture Node |
| Device Control Interface | RJ-45 1G LAN port, CIMC (Cisco Integrated Management Controller) interface for device control during “lights out” operation | Same as Capture Node |
| Output Options Interface | RJ-45 1G LAN port, for automated Active Defense Measures output, or alternatively PCAP replay output for offline traffic analysis | Same as Capture Node |
| Cluster Node Interfaces | Multiple 10G fiber SR LAN ports, for point-to-point fiber connection to up to 4 Cluster Nodes per Capture Node | Multiple 10G fiber SR LAN ports, for point-to-point connection to a Capture Node |
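The Flow Record Recording and Threat-IP Alerts rows above describe NetFlow v9 records being searched and correlated against an IP watchlist. The script below is an added example, not NextComputing's or Cisco's code, and does not use the Packet Continuum REST API: it decodes a NetFlow v9 datagram (RFC 3954 header, template FlowSet, data FlowSet) and raises an alert for every flow whose source or destination address is on a CIDR-aware threat list. The datagram, its field template and the three-entry threat list are constructed inline so it runs offline.

```python
"""NetFlow v9 (RFC 3954) decode plus Threat-IP list matching. Added example, not
NextComputing's or Cisco's code; the datagram and the threat list are constructed."""
import ipaddress
import struct

# RFC 3954 field type numbers used by the constructed template below.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port", 8: "ipv4_src_addr",
               11: "l4_dst_port", 12: "ipv4_dst_addr", 21: "last_switched", 22: "first_switched"}


def parse_netflow_v9(datagram, templates=None):
    """Return (header, records). Reuse `templates` across datagrams: a data FlowSet is
    only decodable once its exporter's template (keyed by source_id) has been seen."""
    templates = {} if templates is None else templates
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", datagram[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime,
              "unix_secs": secs, "sequence": seq, "source_id": source_id}
    records, off = [], 20
    while off + 4 <= len(datagram):
        flowset_id, length = struct.unpack("!HH", datagram[off:off + 4])
        if length < 4 or off + length > len(datagram):
            raise ValueError("malformed FlowSet length")
        body = datagram[off + 4:off + length]
        if flowset_id == 0:  # Template FlowSet: (template_id, field_count, type/len pairs)...
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                if tid == 0:  # zero padding, not a template
                    break
                templates[(source_id, tid)] = [struct.unpack("!HH", body[p:p + 4])
                                               for p in range(pos + 4, pos + 4 + 4 * nfields, 4)]
                pos += 4 + 4 * nfields
        elif flowset_id >= 256:  # Data FlowSet, laid out per the template with that id
            fields = templates.get((source_id, flowset_id))
            if fields is not None:  # unknown template: a real collector buffers and waits
                rec_len, pos = sum(flen for _, flen in fields), 0
                while pos + rec_len <= len(body):  # leftover bytes < rec_len are padding
                    rec = {}
                    for ftype, flen in fields:
                        raw = body[pos:pos + flen]
                        rec[FIELD_NAMES.get(ftype, f"type_{ftype}")] = (
                            str(ipaddress.IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big"))
                        pos += flen
                    records.append(rec)
        # FlowSet id 1 (options template) and 2..255 (reserved) are skipped.
        off += length
    return header, records


class ThreatIPList:
    """/32 entries in a set, CIDR entries grouped by prefix length and tried
    longest-prefix first, so a lookup stays cheap even with ~1M entries."""
    def __init__(self, entries):
        self.exact, self.by_prefix = set(), {}
        for entry in entries:
            net = ipaddress.ip_network(entry, strict=False)
            if net.prefixlen == 32:
                self.exact.add(int(net.network_address))
            else:
                self.by_prefix.setdefault(net.prefixlen, set()).add(int(net.network_address))
        self.prefix_lengths = sorted(self.by_prefix, reverse=True)

    def match(self, ip):
        """Return the matching list entry as a CIDR string, or None."""
        n = int(ipaddress.IPv4Address(ip))
        if n in self.exact:
            return f"{ip}/32"
        for plen in self.prefix_lengths:
            net = n & ((0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF)
            if net in self.by_prefix[plen]:
                return str(ipaddress.IPv4Network((net, plen)))
        return None


def threat_ip_alerts(records, threat_list):
    """One (ip, list_entry, direction, flow) tuple per listed address; the flow's
    first/last_switched uptimes are the window you would pivot on to pull the PCAP slice."""
    alerts = []
    for rec in records:
        for direction in ("ipv4_src_addr", "ipv4_dst_addr"):
            entry = threat_list.match(rec[direction]) if direction in rec else None
            if entry:
                alerts.append((rec[direction], entry, direction, rec))
    return alerts


def _build_sample_datagram():
    """Constructed export packet: one template FlowSet plus a data FlowSet holding three flows."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4), (22, 4), (21, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    flow = lambda src, dst, *rest: (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
                                    + struct.pack("!HHBIIII", *rest))  # sport, dport, proto, bytes, pkts, first, last
    recs = (flow("10.1.2.3", "198.51.100.7", 51234, 443, 6, 12840, 19, 1000, 1450)
            + flow("10.1.2.9", "203.0.113.250", 53211, 80, 6, 512, 4, 1100, 1120)
            + flow("10.1.2.20", "192.0.2.1", 40001, 53, 17, 96, 1, 1200, 1200))
    pad = (-len(recs)) % 4  # Data FlowSets are padded to a 32-bit boundary
    return (struct.pack("!HHIIII", 9, 4, 123456, 1700000000, 1, 42)  # count = 1 template + 3 flows
            + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(recs) + pad) + recs + b"\x00" * pad)


SAMPLE_DATAGRAM = _build_sample_datagram()
SAMPLE_THREAT_IPS = ["203.0.113.0/24", "198.51.100.7/32", "192.0.2.44"]  # constructed watchlist

if __name__ == "__main__":
    header, flows = parse_netflow_v9(SAMPLE_DATAGRAM)
    for ip, entry, direction, rec in threat_ip_alerts(flows, ThreatIPList(SAMPLE_THREAT_IPS)):
        print(f"THREAT-IP {ip} ({entry}) as {direction} uptime {rec['first_switched']}..{rec['last_switched']} ms")
```

The template cache is keyed by the exporter's Source ID because template IDs are only unique per exporter, and a data FlowSet whose template has not been seen yet is skipped rather than guessed at; this is also why a collector restart silently loses flows until every exporter re-sends its templates, a gap worth checking for when NetFlow-to-PCAP correlation looks incomplete.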
Timeline Configuration Examples
- A “Capture Cluster” includes a single Capture Node, and optional point-to-point 10G fiber connections with up to 4 Cluster Nodes.
- A “Federation” can include up to 100 Capture Clusters, which self-organize via IP Address to present a single, unified, web-based User Interface for federated PCAP search and dashboard screens for logs, alerts, and threat-hunting analysis.
- Capture timelines in this chart are shown as a range because in-line data compression varies with how much of the traffic is encrypted (encrypted payloads do not compress): worst case, no data compression; best case, 5:1 data compression.
Long capture timelines: days, weeks, or months of lossless packet capture history that remain quickly searchable. Timeline features include in-line data compression and policy-driven data retention.
High data-rate capture clusters (e.g. 40 Gbps, 100 Gbps, and beyond) where the full set of real-time analytics functions must run at line rate with deterministic performance. Line-rate functions include continuous lossless full packet capture (PCAP), real-time IDS alerting and other user-defined policy management, with simultaneous search and recall for incident response.