The Cyderes CNAP Logging & Operations Server (CYCLOPS) is a virtual appliance built to manage various containerized applications on a Cyderes-managed Kubernetes cluster that enables data forwarding to security analytics platforms like Cyderes CNAP, GCP's Chronicle, and Azure Sentinel. Customers are provided a VM appliance from Cyderes to deploy into their environment. Once online, the node enrolls into the Cyderes-managed configuration management system, loads necessary dependencies, and applications are deployed onto the CYCLOPS Kubernetes cluster.
CYCLOPS can run as a single-node cluster or be linked with additional nodes to form a High Availability (HA) cluster. This cluster runs in the customer's environment, typically on a virtualization platform (VMware, Hyper-V, KVM, etc.) or in a cloud computing environment such as AWS, GCP, or Azure. Kubernetes runs on top of CYCLOPS. Kubernetes is a container orchestration platform that allows for simplified container deployments, zero-downtime configuration updates, load balancing, high availability, and autoscaling.
From CYCLOPS, Cyderes will deploy containerized applications including our data forwarder technologies, logging/metrics collection for CYCLOPS, CYCLOPS management agents, and some Kubernetes components.
Scope and Sizing
The CYCLOPS size is derived from a combination of 'Events per Second' and data types that will be configured. Data types are defined as differentiated sources of information. For example, EDR, DNS, and DHCP are all separate data types.
Cyderes recommends CYCLOPS be deployed with at least 4 CPU, 16 GB of RAM, and 100 GB of disk space. This sizing leaves CYCLOPS immediately capable of accepting new data types or features as they are added. CYCLOPS is also flexible enough to be sized up or down depending on the deployment scenario, using the following guidelines:
| Resource | Sizing guideline |
|---|---|
| RAM | 1.5 GB per Data Type |
| HDD | 50 GB minimum |
Cyderes recommends following VMware documentation when choosing network interfaces: https://kb.vmware.com/s/article/1001805
Cyderes can provide an OVA or similarly packaged virtual appliance or an AWS/GCP/Azure image. The package contains a base Linux operating system with enough dependencies to bootstrap the system and establish initial contact with Cyderes. The package can be deployed as often as needed to build additional nodes.
- If utilizing an AWS AMI image, please provide Cyderes with AWS account numbers and regions to share the AMI to.
- If utilizing a GCP Compute Image, please provide Cyderes the Admin account address or service account email address that will be given the Compute Image User role in the Cyderes project and can be used to create a copy of the Cyderes CYCLOPS image within your project.
- If utilizing an Azure Shared Image, please provide Cyderes the appropriate Tenant ID.
IMPORTANT: Please provide Cyderes with the hostname(s) set for the forwarder(s). Providing a unique name that specifically identifies each forwarder will help our team get them provisioned as quickly as possible and help troubleshoot any issues in the future. Please ensure there are no spaces, underscores, or special characters other than a dash in the unique hostname(s).
Why deploy a forwarder?
Cyderes can handle log ingestion directly in our cloud-hosted forwarders, requiring no on-premise deployments of log collectors whatsoever. However, some customers appreciate having a centralized CYCLOPS log forwarder within a given on-premise environment. Additionally, some customers have legacy systems which cannot communicate over TLS, and having an on-premise forwarder allows the customer to limit the unencrypted traffic to the local network since the CYCLOPS log forwarder handles the encrypted traffic upstream back to Cyderes.
- A static/reserved IP address is required for proper appliance functionality.
- If there is TLS/SSL interception enabled, please also bypass for the domains listed below.
- If required, a custom DNS server may be used in place of 184.108.40.206 and 220.127.116.11.
- *.cyderes.io port 123 must be used for NTP.
- Broad opening of sub-domains to .cyderes.cloud and .cyderes.io is encouraged due to changing infrastructure.
If a health check port is required for a load balancer to function properly, please set the health check probe port to 10250, which is a metrics port for the Kubernetes cluster.
| Destination | Port(s) | Direction | Purpose |
|---|---|---|---|
| gcr.io | TCP/443 | External Outbound | Docker Image Management |
| *.googleapis.com | TCP/443 | External Outbound | Telemetry (High Bandwidth) |
| *.cyderes.cloud | TCP/443 | External Outbound | CYCLOPS Management |
| *.cyderes.io | TCP/123, TCP/443, UDP/123 | External Outbound | NTP |
| sm-ext-01.cyderes.cloud | TCP/4505, TCP/4506 | External Outbound | CYCLOPS Management |
| 18.104.22.168 | TCP/53, UDP/53 | External Outbound | DNS |
| 22.214.171.124 | TCP/53, UDP/53 | External Outbound | DNS |
| Data sources | TCP/30000-32767, UDP/30000-32767 | Local Inbound | Data type listeners |

Product Specific Connections:

| Destination | Port(s) | Direction | Purpose |
|---|---|---|---|
| malachiteingestion-pa.googleapis.com | TCP/443 | External Outbound | Chronicle Ingestion |
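The following pre-deployment check is an added example, not Cyderes tooling. It validates the forwarder hostname rule from the IMPORTANT note above and probes the outbound destinations transcribed from the table above: TCP destinations get a connect attempt, and the listed DNS resolvers get a real UDP query so that UDP/53 egress is verified end to end rather than assumed. Wildcard entries (*.cyderes.cloud, *.cyderes.io, *.googleapis.com) cannot be probed generically and are reported as needing the concrete hostnames Cyderes assigns. The resolver addresses are copied from the table; substitute the values in your onboarding material if they differ.

```python
"""Pre-deployment egress and naming checks for a CYCLOPS node (added example)."""
import random
import re
import socket
import struct

# (host, port, protocol, purpose) transcribed from the egress table above.
EGRESS_REQUIREMENTS = [
    ("gcr.io", 443, "tcp", "Docker Image Management"),
    ("*.googleapis.com", 443, "tcp", "Telemetry"),
    ("*.cyderes.cloud", 443, "tcp", "CYCLOPS Management"),
    ("*.cyderes.io", 123, "tcp", "NTP"),
    ("*.cyderes.io", 443, "tcp", "NTP"),
    ("*.cyderes.io", 123, "udp", "NTP"),
    ("sm-ext-01.cyderes.cloud", 4505, "tcp", "CYCLOPS Management"),
    ("sm-ext-01.cyderes.cloud", 4506, "tcp", "CYCLOPS Management"),
    ("malachiteingestion-pa.googleapis.com", 443, "tcp", "Chronicle Ingestion"),
]
DNS_RESOLVERS = ["18.104.22.168", "22.214.171.124"]  # as listed in the table above

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9-]+$")  # letters, digits and dashes only


def valid_hostname(name: str) -> bool:
    """Naming rule from the IMPORTANT note: no spaces, underscores or other special characters."""
    return bool(HOSTNAME_RE.match(name))


def check_tcp(host: str, port: int, timeout: float = 3.0):
    """Return (ok, detail) for one TCP connect; a DNS failure is reported as its own cause."""
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)[0][4]
    except socket.gaierror as exc:
        return False, f"DNS resolution failed: {exc}"
    try:
        with socket.create_connection(addr, timeout=timeout):
            return True, f"connected to {addr[0]}:{addr[1]}"
    except OSError as exc:
        return False, f"connect to {addr[0]}:{addr[1]} failed: {exc}"


def build_dns_query(txid: int, qname: str) -> bytes:
    """Minimal DNS A query in RFC 1035 wire format: 12-byte header, labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100: recursion desired
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def check_dns_resolver(resolver: str, qname: str = "gcr.io", timeout: float = 3.0):
    """Send one query to the resolver and require a reply with the same id and RCODE 0."""
    txid = random.randrange(0x10000)
    query = build_dns_query(txid, qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (resolver, 53))
            reply, _ = sock.recvfrom(512)
        except OSError as exc:
            return False, f"no reply from {resolver}: {exc}"
    if len(reply) < 12 or reply[:2] != query[:2]:
        return False, f"reply from {resolver} did not match the query id"
    rcode = reply[3] & 0x0F
    return rcode == 0, f"{resolver} answered with RCODE {rcode}"


def run_preflight(requirements=EGRESS_REQUIREMENTS, resolvers=DNS_RESOLVERS):
    """Probe everything probeable; returns (target, True/False/None, detail) per requirement."""
    results = []
    for resolver in resolvers:
        ok, detail = check_dns_resolver(resolver)
        results.append((f"{resolver} udp/53 (DNS)", ok, detail))
    for host, port, proto, purpose in requirements:
        target = f"{host} {proto}/{port} ({purpose})"
        if host.startswith("*."):
            results.append((target, None, "wildcard: probe the concrete hostname Cyderes assigns"))
        elif proto == "tcp":
            ok, detail = check_tcp(host, port)
            results.append((target, ok, detail))
        else:
            results.append((target, None, "UDP endpoint not probed by this script"))
    return results


if __name__ == "__main__":
    for target, ok, detail in run_preflight():
        status = {True: "PASS", False: "FAIL", None: "SKIP"}[ok]
        print(f"[{status}] {target}: {detail}")
```

Run it from the VLAN and IP address the appliance will use, since that is where the firewall and TLS-interception rules above actually apply; a FAIL on a TCP/443 destination with a "DNS resolution failed" detail points at the resolver rules, not the HTTPS rules.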
Note: If CYCLOPS is set up as an HA (High Availability) cluster with multiple nodes, the following ports must be open between those nodes for cluster communication:

| Port | Protocol | Purpose |
|---|---|---|
| 10254 | TCP | Ingress controller livenessProbe/readinessProbe |
| 8472 | UDP | Canal/Flannel VXLAN overlay networking |
| 4789 | UDP | Flannel VXLAN overlay networking on Windows cluster |
Generally, for each data type that is sent to CYCLOPS, a new TCP and UDP listener service will be configured to accept the data. The listener service ports will begin at 30000 and be incremented to accommodate additional data types as needed. For example, if there are two data types being sent over syslog, there would be two listener services on 30000 TCP/UDP and 30001 TCP/UDP.
Cyderes recommends utilizing TCP for sending syslog traffic whenever possible as this can help guarantee reliable log delivery.
CYCLOPS will function best when deployed in a load balanced environment to ensure maximum availability. The load balancer should distribute traffic on any TCP or UDP port to allow for new data types listeners on CYCLOPS to be added at any time.
CYCLOPS can be configured with a passive tap interface, giving it the ability to gather data for specific traffic flows such as DNS and DHCP through packet capture. As CYCLOPS is a virtual appliance, it can be given an additional interface configured with promiscuous mode enabled. Cyderes recommends assigning the promiscuous mode interface only the VLAN carrying the traffic it is meant to capture. For instance, to capture DNS and DHCP traffic from a virtual domain controller, assign the promiscuous mode interface the same VLAN in which the domain controller resides. CYCLOPS must be deployed on the same virtualization host as the device whose packet data it is capturing. CYCLOPS is configured with a Berkeley Packet Filter (BPF) so that it only captures and sends traffic for the ports detailed in the filter. The interface assigned to CYCLOPS must be able to handle the amount of traffic that will be sent to it.
CYCLOPS supports two layers of high availability and load balancing.
Node/VM Layer - Multiple CYCLOPS log forwarder instances can be run as a cluster within a customer-managed load balancer targeting each CYCLOPS forwarder instance. This also allows the customer to scale CYCLOPS out horizontally as well as vertically to meet their needs.
Container Layer - By default, each CYCLOPS log forwarder leverages Kubernetes to load-balance multiple instances of the log forwarder service within multiple containers. This enables Cyderes to perform ZDD (zero downtime deployments) updates and meet our High Availability objectives, even on single node CYCLOPS cluster deployments.
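The listener scheme (one port per data type from 30000 upward, on both TCP and UDP) and the container-layer HA described just above can be expressed as Kubernetes objects. The generator below is an added illustration and not Cyderes' own manifests: the image name, the container port 514, the label keys and the Service/Deployment names are assumptions. It renders a NodePort Service per data type and a multi-replica Deployment whose rolling update never takes a replica down before its replacement is ready, which is what makes a zero-downtime update possible even on a single node.

```python
"""Per-data-type NodePort listeners and a zero-downtime forwarder Deployment (added example)."""
import json

NODEPORT_MIN, NODEPORT_MAX = 30000, 32767   # listener range from the firewall table above
FORWARDER_IMAGE = "registry.example/forwarder:latest"  # placeholder image, not the real one
CONTAINER_PORT = 514                                  # assumed syslog port inside the container


class ListenerAllocator:
    """Hands out the next free NodePort and keeps earlier assignments stable across runs."""

    def __init__(self, existing=None):
        self.ports = dict(existing or {})          # data_type -> nodePort

    def port_for(self, data_type):
        if data_type in self.ports:                # re-running must never renumber a source
            return self.ports[data_type]
        used = set(self.ports.values())
        for port in range(NODEPORT_MIN, NODEPORT_MAX + 1):
            if port not in used:
                self.ports[data_type] = port
                return port
        raise RuntimeError("NodePort range 30000-32767 is exhausted")

    def service_manifest(self, data_type):
        """A NodePort Service exposing the same port number on TCP and UDP for one data type."""
        port = self.port_for(data_type)
        return {
            "apiVersion": "v1",
            "kind": "Service",
            "metadata": {"name": f"listener-{data_type}", "labels": {"data-type": data_type}},
            "spec": {
                "type": "NodePort",
                "selector": {"app": "forwarder", "data-type": data_type},
                "ports": [
                    {"name": "tcp", "protocol": "TCP", "port": port,
                     "targetPort": CONTAINER_PORT, "nodePort": port},
                    {"name": "udp", "protocol": "UDP", "port": port,
                     "targetPort": CONTAINER_PORT, "nodePort": port},
                ],
            },
        }


def deployment_manifest(data_type, replicas=2):
    """Container-layer HA: several replicas, replaced one at a time with none removed early."""
    labels = {"app": "forwarder", "data-type": data_type}
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": f"forwarder-{data_type}", "labels": labels},
        "spec": {
            "replicas": replicas,
            "selector": {"matchLabels": labels},
            # maxUnavailable 0 + a readiness probe: the old pod stays until the new one serves.
            "strategy": {"type": "RollingUpdate",
                         "rollingUpdate": {"maxUnavailable": 0, "maxSurge": 1}},
            "template": {
                "metadata": {"labels": labels},
                "spec": {"containers": [{
                    "name": "forwarder",
                    "image": FORWARDER_IMAGE,
                    "ports": [{"containerPort": CONTAINER_PORT, "protocol": "TCP"},
                              {"containerPort": CONTAINER_PORT, "protocol": "UDP"}],
                    "readinessProbe": {"tcpSocket": {"port": CONTAINER_PORT}, "periodSeconds": 5},
                }]},
            },
        },
    }


def render(data_types, allocator=None):
    """Return a v1 List of manifests as JSON, which kubectl apply accepts like YAML."""
    allocator = allocator or ListenerAllocator()
    objects = []
    for dt in data_types:
        objects.append(allocator.service_manifest(dt))
        objects.append(deployment_manifest(dt))
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": objects}, indent=2)


if __name__ == "__main__":
    print(render(["syslog-firewall", "syslog-dns"]))
```

Because the Service selector and the Deployment labels match, the Service spreads each listener port across every ready replica, which is the container-layer load balancing the section describes; the node-layer balancer in front of the VMs then only needs to forward the whole 30000-32767 range.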
Buffering, Resiliency, and Continuity of Log Flow
First, Cyderes recommends that, whenever possible, customers configure their systems to queue logs locally as a first layer of resiliency should a system become unable to contact the CYCLOPS log forwarder (e.g. because of a firewall misconfiguration or routing failure within the customer's environment).
Second, CYCLOPS forwarders leverage in-memory queuing of all incoming log data for times when they cannot communicate upstream to Cyderes, which is sufficient in most cases due to the reliability and high availability of Google Chronicle and the Google Cloud Platform (GCP). See Scope and Sizing above to ensure the deployment allocates sufficient RAM.
Cyderes employs industry standard distributed configuration management and diagnostic solutions which instruct our CYCLOPS forwarders deployed within customer environments to establish outbound-only connections to Cyderes (e.g. Salt/Ansible). In the rare situation where an engineer must manually log into a forwarder, that engineer must successfully authenticate via Cyderes' managed MFA SSO before gaining access to the forwarder’s terminal shell within the customer environment via the outbound connection to Cyderes, at which point the engineer may perform connectivity diagnostics and Operating System level commands or actions to ensure the healthy status of the log ingestion and forwarding. The CYCLOPS forwarders do not allow inbound connectivity (e.g. SSH) for management or interactive control.
For environments with high security or regulatory concerns, Cyderes recommends deploying the forwarder in a DMZ (i.e. a firewall in between the CYCLOPS forwarder and the internal systems in question) as depicted in the architecture diagram above, allowing the internal systems to connect through the firewall to the CYCLOPS forwarders on the specific ports associated with the relevant data types, but no connectivity from the forwarder to the internal network; only allow internet-bound egress traffic to the resources listed above. This should remove the forwarder from the regulatory or high security compliance scope while maintaining a high level of availability for log collection.
For protection of data in transit, CYCLOPS can accept connections on TLS 1.2 (TLS 1.0, 1.1, and all SSL versions are not enabled by default). For customers with legacy systems that cannot send logs over encrypted channels, CYCLOPS forwarders can also be configured to listen on specific ports for plaintext syslog (see the Why deploy a forwarder? section above). All outgoing communication from the CYCLOPS forwarders to Cyderes is encrypted over HTTPS using TLS 1.2.
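The transport policy just described can be both expressed and verified from the outside. The code below is an added example rather than Cyderes code: `listener_policy()` is a server-side context with TLS 1.2 as the floor, so SSLv3 and TLS 1.0/1.1 handshakes fail, and `probe_tls_version()` connects with a client pinned to exactly one protocol version so an operator can confirm that a listener port refuses the legacy versions while still accepting TLS 1.2. The target host and port are placeholders, and the certificate paths are whatever the listener actually uses.

```python
"""TLS 1.2-only listener policy and an external version probe (added example)."""
import socket
import ssl


def listener_policy() -> ssl.SSLContext:
    """Server policy: minimum TLS 1.2, so SSLv3 and TLS 1.0/1.1 clients cannot complete a handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """The policy above plus the listener's certificate chain (paths supplied by the operator)."""
    ctx = listener_policy()
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def probe_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """A client offering exactly one protocol version. Certificate checks are disabled because
    this probe tests the version policy, not the chain; do not reuse it for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        try:  # modern OpenSSL security levels refuse legacy versions client-side unless lowered
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    return ctx


def probe_tls_version(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0):
    """Return (accepted, detail) for one handshake attempt at `version`."""
    try:
        ctx = probe_context(version)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"negotiated {tls.version()}"
    except ssl.SSLError as exc:
        return False, f"handshake refused: {exc.reason}"
    except (OSError, ValueError) as exc:
        return False, f"probe could not run: {exc}"


def policy_is_enforced(results) -> bool:
    """Pass only if TLS 1.2 was accepted and every legacy version was rejected."""
    legacy = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
    return results.get(ssl.TLSVersion.TLSv1_2) is True and not any(results.get(v) for v in legacy)


def audit_listener(host: str, port: int) -> bool:
    """Probe each version in turn and print the verdict; returns the overall pass/fail."""
    versions = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)
    results = {}
    for v in versions:
        accepted, detail = probe_tls_version(host, port, v)
        results[v] = accepted
        print(f"{v.name:8s} {'accepted' if accepted else 'rejected'}: {detail}")
    return policy_is_enforced(results)


if __name__ == "__main__":
    # Placeholder target: the forwarder's address and one of its TLS listener ports.
    print("policy enforced:", audit_listener("cyclops.example.internal", 30000))
```

A "probe could not run" detail on the legacy versions means the client's own OpenSSL build would not offer that version at all; that is not evidence about the listener, so rerun from a host whose OpenSSL can still speak TLS 1.0/1.1 before recording the result.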
VMware Configuration Reference: