

Page 1 of 8 Rev 1.1—2/17

INNOVATIVE, OPEN, MASSIVELY SCALABLE PACKET CAPTURE SOLUTION

Federate multiple capture sites, anywhere!

Packet Continuum UCS solves these critical use cases for Cisco enterprise network customers:

• Pre-wire global networks for continuous recording of network traffic, and for fast data retrieval only by proper authority

• Cyber security Incident Response investigations, to greatly reduce the critical time-to-detect new and unknown threats

• Network and IT Operations performance problem resolution

• IT Compliance validation

Packet Continuum UCS is a massively scalable, lossless packet capture solution on an open UCS infrastructure. Packet Continuum is designed to continuously capture live network traffic directly from a network tap, from the span/mirror port of a network switch, or from a third-party packet broker. All captured traffic (in the form of PCAP files) is instantly searchable across very long capture timelines.

Packet Continuum UCS integrates with components of the Cisco suite of security solutions, and other important Cisco partners. Users can quickly solve security or performance problems by drilling down into reported incidents directly from the application GUI screens of these products:

• Cisco FirePOWER Management Center (Sourcefire) collecting critical events in real time. Packet Continuum UCS can extend analysis of intrusion events to dynamically link to full session data

• Cisco Lancope’s StealthWatch System, performing NetFlow and other real-time analysis

• Splunk’s operational intelligence analytics platform


Lossless Packet Capture & Log Manager, With Deterministic Performance

Packet Continuum UCS provides a performance guarantee of sustained lossless capture rate, for a set of real-time packet analytics (Log Manager) functions, and a specified number of Packet Continuum cluster nodes. This means a deterministic guarantee to capture every packet under real world conditions, not just a “best effort” attempt.

• Lossless packet capture from 1Gbps, to 40Gbps, to 100+Gbps telco interfaces

• 150-nanosecond packet time stamping

• Real-time indexing, for efficient query and retrieval of retrospective PCAP data or IPFIX records

• Real-time IDS alerting generates event logs for HTTP, Files, DNS, email, user agents, TLS/SSL – all cross-correlated with PCAP & IPFIX flow records

• Log Manager advanced packet analytics options include real-time event logging & cross-correlation:

◦ Logs for HTTP, Files, DNS, Email, User Agents, TLS/SSL

◦ Active Triggers (BPF signature)

◦ 100 Snort rules (emerging-DNS, emerging-ftp, and files)

◦ System events

• Log Manager search actions:

◦ All logs are time-correlated with PCAPs and IPFIX data

◦ Text string search of logs

◦ IPFIX flow record logging and search

• Scalable architecture to meet your speed and/or analytics requirements

• Federate multiple cluster-based capture systems, for global visibility and PCAP retrieval

Scalable, Lightweight, MapReduce Cluster Architecture

The Packet Continuum UCS cluster-based architecture can scale up smoothly to accommodate any combination of desired goals for capture speed, IDS alerting and Log Manager functions, and extended forensic capture timeline.

• Scalable to multiple “Cluster Nodes”, which add compute power to increase sustained capture rates and packet analytics throughput, and (of course) extend the storage timeline

• Capture Nodes push packet processing operations to distributed Cluster Nodes, for PCAP storage, compression, indexing, and Log Manager functions

• “Federated” Search operates in parallel within the cluster, resulting in incredibly fast streaming search results, even over very large capture timelines

• Every starter appliance is “Cluster-ready”, for smooth scale up to very high performance

• Dynamic node management, including redundancy and hot-swap / expand

Extended Forensic Timeline and Storage Features

Packet Continuum UCS offers many features to lower the cost of maintaining very long timelines, on a massive scale.

• Real-time Data Compression: In-line packet compression is transparent to the user. All packets are compressed as they are captured, and all extracted PCAP files are decompressed. Overall storage amplification up to 10x (depending on the percentage of traffic with SSL-encrypted or compressed packet payloads)

• Cluster architecture leverages CPU power over many servers for super-fast query response, while enabling low-cost local-attached storage on a massive scale. Forensic timelines smoothly scale over days, weeks & months.

• Massive queries over large timelines respond quickly, even as the timeline increases

• Federated search across multiple Packet Continuum appliances at diverse geographic locations, without any “concentrators” required


Intuitive and Effective Web GUI

• Innovative dynamic Sankey Session Relationship Diagram shows top-talkers and SRC/DST IP/port pairs

• “One-Click” searches directly from Sankey, Time Graph or Critical Alerts log. Auto-populates the query request, making it easy to drill down quickly to find the PCAP files you need

• Comprehensive Log Manager screen, with tabs for each log type, allowing instant search and correlation with PCAP and IPFIX flow records

• Easy remote access to manage and control multiple devices, including hot-accessible Cluster Node changes

• Control multiple clusters in a global-dispersed “Federation” of capture systems

Find Critical Event Information FAST!

• Fast, Streamed Query Results: Every query has the option to return PCAP files, IPFIX records, and/or any log files. All results are streamed in “chunks”, the first of which appear almost immediately after the query initiates, so partial results can be analyzed while the remainder of the query completes. This is especially valuable for PCAP queries

• Historical “look-back” queries based on standard Berkeley Packet Filter (BPF) within a time period.

• Active Trigger “look-forward” alerts, BPF-based and user-defined, will generate alerts whenever the target condition occurs. Dozens can be active simultaneously

• Pre-capture filters, also BPF-based, can be changed on-the-fly during capture operations

• All historical logs are searchable by text string

• Real-time indexing: Every packet gets a timestamp and correlation index, for very fast query retrieval, where every log & alert event is cross-correlated to PCAPs and IPFIX flow records

Open Data Access

• Open file formats and data viewers: standard PCAP-NG file and IPFIX record extractions are viewable in Wireshark or TShark. All log files and alerts are viewable as CSV or text files in any compatible application such as MSFT Office.

• Remote Access file extractions via the Web GUI

• PCAP playback feature for 3rd party tools

• Open REST/API for creating customized workflows for automated Incident Response, Policy-Driven data retention, or interface to legacy analytic tools.

Streaming Playback Feature

• PCAPs that have been searched/filtered/extracted with the Packet Continuum UI may be replayed out of a 1G copper RJ45 interface to an external device

• Compatible with ANY 3rd party capture/analysis tool – just like a span/mirror port.

• Great for recording, additional packet/signature analysis, or back-testing new firewall policies against real historical traffic.


Open Data Recorder with Many Use Cases

• Packet Continuum UCS is a lossless, time-based data recorder of PCAP files, IPFIX flow records, Log files and Alerts. All data is searchable, with actionable correlations. All data is accessible via an open REST/API.

• This “Open PCAP Infrastructure” resource is utilized simultaneously by multiple department applications:

◦ SOC & Cyber Security teams need access to PCAPs for Incident Response (IR) investigations.

◦ IT/Operations need fast IR access regarding uptime and performance problems.

◦ Compliance, Audit and Legal teams increasingly have their own IR requirements for the same ground truth for critical network events

◦ MSSP or Telecom Service Providers use Open PCAP Infrastructure for internal diagnostics, but also offer PCAP recording as an incremental CPE service to customers, with enhanced “IR-to-PCAP” Incident Response services linked to multiple value-add hosted MSSP solutions like SOC, DLP, DDoS Mitigation, and other Big Data Analytics.

Cisco UCS Platforms have Unique Advantages

• A common hardware platform from Cisco. High performance capture from low cost SKUs, not expensive proprietary appliances and NICs

• Standard distribution Linux OS from CentOS or RedHat, without proprietary real-time modifications

• Server / OS features are now available within the full range of optimized capture appliances

• Hardware maintenance support service, direct from Cisco, like every other server in the data center

• Future upgrade and EOL issues are tied to Cisco’s own roadmap

Traditional full packet capture is known to be prohibitively expensive. Packet Continuum UCS changes all that!

• Massive scale

◦ MapReduce cluster

◦ Common hardware platforms

◦ Long timelines

◦ High capture rates

◦ Federated global search

• Low cost

◦ Packet Continuum UCS uses your common hardware platform

◦ Cluster architecture allows low-cost, local-attached storage at scale, retaining fast PCAP query response.

◦ In-line data compression & storage amplification

◦ Flexible purchase options for qualified customers: software-only deployment, or enterprise-wide site licensing

The Power of Packet Continuum UCS (diagram)

Packet Continuum UCS Capture Workflow (diagram)

Incident Response Workflow: Open PCAP infrastructure for the Cisco ecosystem (diagram)

Incident Response Workflow: Automated PCAP workflow for Splunk (diagram)

Use Cases

• Incident Response Workflow

• Event-to-PCAP Correlation

• Policy-Driven Packet Capture

• Automated File Detection

• Selective DPI Analytics

• Fast DPI Analytics

• Look-Back + Look-Forward Actions

• Full Context PCAP Extraction

• Offload Resource-Intensive Operations

• Entry-Level Platforms

• Adaptive PCAP Algorithms

Use Cases

• Incident Response Workflow

• Importing IoC alerts

• User-Created Scripts

• Data exfiltration

• Bring PCAP evidence to court

• Botnet Command-and-Control activity

• Search for User anomalous behavior

• Forensic traffic analysis

• Network Behavior Anomaly Detection (NBAD)

• Integration of real-time threat intelligence

• Encrypted Traffic analysis


Packet Continuum Software Models

The specification table below compares four software models: UCS Enterprise Extreme, UCS Enterprise, UCS Enterprise Lite, and UCS Cluster Node.

Common Software Platform

All Packet Continuum UCS Capture Node software models are:

• Cluster-ready: cluster nodes can be hot-swapped into live systems for expansion in the field

• Have a common REST/API and Web GUI

• Federate together into a global system for enterprise-scale packet capture/retrieval

Cisco UCS Server Model

• UCS Enterprise Extreme: Cisco UCS C460 M4 Rack Server

• UCS Enterprise: Cisco UCS C240 M4 Rack Server (SFF drives)

• UCS Enterprise Lite: Cisco UCS C220 M3

• UCS Cluster Node: Cisco UCS C240 M4 Rack Server (LFF drives)

Purchase Options

• Integrated capture appliance for enterprise end users and OEMs

• Option to purchase a software license for OEMs/integrators only, depending on business case and agreed-to enterprise-grade servers, per spec

Note: For a detailed UCS SKU to order for compatible operation with Packet Continuum UCS, please contact your NextComputing Sales Engineer.

Support

Global hardware support available direct from Cisco, with software support from NextComputing

Capture Interface Options

• UCS Enterprise Extreme: 2 x 10G ports, or 4 x 10G ports

• UCS Enterprise: 4 x 1G ports, or 2 x 10G ports

• UCS Enterprise Lite: 1 x 1G port

• UCS Cluster Node: n/a

Capture Rate Options

• UCS Enterprise Extreme: with no cluster nodes, up to 20Gbps aggregate lossless capture rate with or without Log Manager enabled; with 2+ nodes, up to 20Gbps

• UCS Enterprise: with no cluster nodes, up to 10Gbps aggregate lossless capture rate with Log Manager disabled and 4Gbps with Log Manager enabled; with 2+ nodes, up to 20Gbps

• UCS Enterprise Lite: 2Gbps aggregate lossless capture rate with or without Log Manager enabled, and any number of cluster nodes

• UCS Cluster Node: n/a

Forensic Timeline: Capture Node

• UCS Enterprise Extreme: PCAP storage of 20TB physical, up to 200TB with amplification

• UCS Enterprise: PCAP storage of 20TB physical, up to 200TB with amplification

• UCS Enterprise Lite: PCAP storage of 40TB physical, up to 400TB with amplification

• UCS Cluster Node: PCAP storage of 100TB physical, up to 1PB with amplification

Forensic Timeline: Max System Capacity

• UCS Enterprise Extreme: 28 cluster nodes max, for total PCAP storage of 2.8PB physical, up to 28PB with amplification

• UCS Enterprise: 8 cluster nodes max, for total PCAP storage of 820TB physical, up to 1.6PB with amplification

• UCS Enterprise Lite: 8 cluster nodes max, for total PCAP storage of 820TB physical, up to 1.6PB with amplification

• UCS Cluster Node: n/a

Packet Time Stamp

150 nanoseconds (UCS Enterprise Extreme, UCS Enterprise, UCS Enterprise Lite); n/a for UCS Cluster Node

Pre-Capture Filter

BPF (dynamically adjustable) (UCS Enterprise Extreme, UCS Enterprise, UCS Enterprise Lite); n/a for UCS Cluster Node

Active Trigger Alerts

BPF (100 simultaneous) (UCS Enterprise Extreme, UCS Enterprise, UCS Enterprise Lite); n/a for UCS Cluster Node

REST & GUI Mgmt Interface

1G RJ-45 LAN port, to an external host for Web GUI and REST/API. Automation via REST API and shell scripts available to assist with automated workflows.

PCAP Stream/Playback Interface

Playback of filtered packets from historical searches via 1G RJ-45 LAN port, to an external traffic/PCAP analyzer

Flow Record Recording

Flow record recording in IPFIX record format with search & extraction of IPFIX data via timeline. UI-based IPFIX files downloadable and formatted for offline viewing in Wireshark or TShark.

Log Manager

Real-time logging/alerts for HTTP, Files, DNS, Email, User Agents, TLS/SSL, Active Triggers (BPF signature), System events, and 100 Snort rules (emerging-DNS, emerging-ftp, and files). Log Manager events are actionable to search. All logs are time-correlated with PCAPs and IPFIX data. Text string search of logs. IPFIX record logging and search, when Log Manager Analytics is enabled.

Physical

• UCS Enterprise Extreme: 4U rackmount

• UCS Enterprise: 2U rackmount

• UCS Enterprise Lite: 1U rackmount

• UCS Cluster Node: 2U rackmount


Forensic Timeline vs. PCAP Capture Store

Rows give the average capture rate; columns give the PCAP capture store, either the physical or amplified storage capacity. Legend bands from the datasheet: up to 24 hours, up to 2 weeks, up to 12 months, 1+ years.

Average Capture Rate   20 TB      100 TB      500 TB     1000 TB    5 PB       9 PB       28 PB
0.5Gbps                3.8 days   19 days     95 days    190 days   2.7 years  4.8 years  14.9 years
1.0Gbps                1.9 days   9.5 days    47 days    95 days    1.3 years  2.4 years  7.4 years
5Gbps                  9.1 hours  1.9 days    9.5 days   19 days    97 days    175 days   1.5 years
10Gbps                 4.6 hours  22.8 hours  4.7 days   9.5 days   49 days    87 days    272 days
20Gbps                 2.3 hours  11.4 hours  2.4 days   4.7 days   24 days    44 days    136 days
40Gbps                 1.1 hours  5.7 hours   1.2 days   2.4 days   12 days    22 days    68 days
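As an added sizing example (not NextComputing's code), the Python below reproduces the look-back table from storage capacity and average capture rate, and models how the "up to 10x" amplification stated earlier falls as the TLS-encrypted or already-compressed share of traffic grows. Assumed on my part: decimal TB/Gbps units, 365-day years, the optional wire-efficiency factor, the linear mixed-compression model, and the 100 TB per cluster node and 8-node cap taken from the UCS Enterprise column.

```python
# Constructed sizing helper (not NextComputing code). Assumed: decimal units
# (1 TB = 1e12 bytes, 1 Gbps = 1e9 bit/s), 365-day years, a linear model in
# which compressible traffic shrinks ratio:1 while TLS/compressed payloads
# store 1:1, and the 100 TB per cluster node / 8-node cap of UCS Enterprise.
TB_PER_DAY_AT_1GBPS = 1e9 / 8 * 86400 / 1e12  # 10.8 TB stored per day per Gbps


def retention_days(capacity_tb, avg_rate_gbps, wire_efficiency=1.0):
    """Days of look-back that capacity_tb holds at a sustained average rate.
    wire_efficiency < 1 discounts wire time never written to disk (preamble,
    inter-frame gap); 1500/1538 lands closer to the datasheet's cells than
    the raw line-rate figure does (an observation, not a vendor statement)."""
    if avg_rate_gbps <= 0:
        raise ValueError("average rate must be positive")
    stored_tb_per_day = avg_rate_gbps * TB_PER_DAY_AT_1GBPS * wire_efficiency
    return capacity_tb / stored_tb_per_day


def amplification(compressible_share, ratio=10.0):
    """Effective storage multiplier when only compressible_share of captured
    bytes compress ratio:1 and the rest (TLS/SSL, already-compressed payloads)
    store unchanged. The datasheet's 10x needs everything to be compressible."""
    if not 0.0 <= compressible_share <= 1.0:
        raise ValueError("share must be within [0, 1]")
    return 1.0 / (compressible_share / ratio + (1.0 - compressible_share))


def system_capacity_tb(capture_node_tb, cluster_nodes, node_tb=100.0, max_nodes=8):
    """Physical PCAP capacity of one capture node plus its cluster nodes."""
    if not 0 <= cluster_nodes <= max_nodes:
        raise ValueError(f"cluster_nodes must be within 0..{max_nodes}")
    return capture_node_tb + cluster_nodes * node_tb


def describe(capacity_tb, avg_rate_gbps):
    """Render a timeline the way the datasheet table does (hours/days/years)."""
    days = retention_days(capacity_tb, avg_rate_gbps)
    if days < 1:
        return f"{days * 24:.1f} hours"
    if days < 365:
        return f"{days:.1f} days"
    return f"{days / 365:.1f} years"


if __name__ == "__main__":
    # UCS Enterprise fully built out: 20 TB + 8 x 100 TB = 820 TB physical.
    physical = system_capacity_tb(20.0, 8)
    for share in (1.0, 0.5, 0.2):  # fraction of traffic that compresses
        effective = physical * amplification(share)
        print(f"{share:.0%} compressible: {effective:,.0f} TB effective, "
              f"{describe(effective, 10.0)} at 10 Gbps")
```

The practical point for a sizing exercise is the middle loop: at 50% compressible traffic the multiplier is about 1.8x, not 10x, so plan retention on the physical figure plus a conservative amplification.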

This document is for informational purposes only. Updates and changes can occur without notice. All logos, trademarks, and service marks are the property of their respective owners. Copyright © NextComputing all rights reserved.

NextComputing, 4 Townsend West, Building 17, Nashua, NH 03063

Phone: 1 (603) 886-3874 • Fax: 1 (603) 886-1736 • www.NextComputing.com • [email protected]