Architecture

High-level Architecture Diagram.

Small Infrastructure Deployment

In a small environment, most of the components can be deployed on a single node, with clients configured to send events directly to the Nybble server.

Note that the node needs at least 16 GB of memory and 8 cores, plus proper OS and JVM configuration (memory management, open file limits, and so on).

Medium Infrastructure Deployment

In a medium-sized environment, it is recommended to deploy a completely separate Kafka cluster of brokers for the data pipeline. This ensures availability and queuing of data if the Nybble server has an issue.

An Elasticsearch cluster can also be deployed for faster searches and high availability.

Network Ports Matrix

In a cluster deployment, some ports need to be open between the Nybble server and the other components. The table below lists the network ports used for communication; note that some of them will probably be used only locally (Redis, for example).

| Component         | Port      | Protocol | Description                                |
|-------------------|-----------|----------|--------------------------------------------|
| Kafka (Plaintext) | 9092      | TCP      | Kafka data port.                           |
| Kafka (SSL)       | 9093      | TCP      | Kafka data port with secure communication. |
| Zookeeper         | 2181      | TCP      | Zookeeper and Kafka communication port.    |
| Redis             | 6379      | TCP      | Redis port for MISP and DNS cache.         |
| Flink             | 8081      | TCP      | Default Flink Web Frontend port.           |
| Flink             | 6123      | TCP      | Flink Job Manager RPC port.                |
| Elasticsearch     | 9200      | TCP      | Elasticsearch RESTful API port.            |
| Elasticsearch     | 9300-9400 | TCP      | Elasticsearch cluster communication port.  |
| Kibana            | 5601      | TCP      | Default Kibana WebUI port.                 |
| MISP              | 443       | TCP      | Default MISP RESTful API port.             |
| TheHive           | 9000      | TCP      | Default TheHive API port.                  |
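
A post-deployment check for the ports matrix above, run from the Nybble server. This is an added example, not part of the Nybble project: it confirms that each required port is reachable and flags a local-only service (Redis) that answers on a non-loopback address. The hostnames, the component-to-host mapping and the function names are assumptions.

```python
import socket

# Ports taken from the matrix above. For the 9300-9400 range only the
# first port is probed (assumption: a single Elasticsearch node per host).
PORT_MATRIX = [
    ("Kafka (Plaintext)", [9092]),
    ("Kafka (SSL)", [9093]),
    ("Zookeeper", [2181]),
    ("Redis", [6379]),
    ("Flink", [8081, 6123]),
    ("Elasticsearch", [9200, 9300]),
    ("Kibana", [5601]),
    ("MISP", [443]),
    ("TheHive", [9000]),
]
LOOPBACK = ("127.0.0.1", "localhost", "::1")

def is_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(hosts, local_only=("Redis",), probe=is_open):
    """hosts maps component name -> host (assumed deployment layout).

    Returns (component, host, port, status) rows. status is "ok",
    "unreachable", or "exposed" for a local-only component that accepts
    connections on a non-loopback address.
    """
    rows = []
    for component, ports in PORT_MATRIX:
        host = hosts.get(component)
        if host is None:
            continue  # component not part of this deployment
        for port in ports:
            reachable = probe(host, port)
            if component in local_only and host not in LOOPBACK:
                status = "exposed" if reachable else "ok"
            else:
                status = "ok" if reachable else "unreachable"
            rows.append((component, host, port, status))
    return rows

if __name__ == "__main__":
    # Hypothetical hostnames; replace with the nodes of your deployment.
    layout = {"Kafka (SSL)": "kafka1.example.internal",
              "Elasticsearch": "es1.example.internal",
              "Redis": "nybble.example.internal"}
    for row in audit(layout):
        print("%-18s %-26s %-5d %s" % row)
```

An "exposed" result for Redis means the service is bound beyond loopback; restrict its bind address or firewall the port if it is only meant to be used locally.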