
Cyolo Connect - Overview

Introduction

Cyolo Connect provides secure remote access to company assets and lets administrators restrict device connectivity depending on the network the device is on. This page gives a technical overview of Cyolo Connect.

Key Features

  1. Remote Secure Access: Cyolo Connect enables secure remote access to company assets from desktop and mobile devices.
  2. Controlled Device Connectivity (Kill-Switch): Administrators can define and enforce connectivity restrictions based on the network the agent detects the device to be on.
  3. Device Posture: Checks that the device meets the minimum requirements configured by the administrator before access is granted. Refer to the Device Posture Configuration admin guide for more information.

Getting Started

Before using Cyolo Connect, ensure that:

  • The application is installed on desktop devices (Windows, macOS, Ubuntu/Debian) or mobile devices (Android, iOS).
  • A Cyolo tenant is set up and configured. Users can download the Cyolo Connect installation file from the tenant’s Application Portal page.

Remote Secure Access

To allow users to access company assets (e.g., RDP and SSH servers, networks), create network applications in the Admin Portal and assign them to the identities (users and groups) that need access to the configured assets. See the Configuring Applications admin guide for more information.

Cyolo Connect users can access the assets (applications) when logged into the tenant.

In the Applications Portal, users can enable or disable access to the networks they are authorized to use. This is particularly useful where a remote network's address range conflicts with the address range of the user's local network. Users can also request access to applications that require approval through the Applications Portal.

Restricted Connectivity (Kill-Switch)

  • Blocking Outbound Connectivity: The primary function of the kill-switch is to block all outbound network connectivity when the Cyolo Connect Agent is not connected. Apart from the exceptions described below, no data can be sent from the device while the kill-switch is active, protecting against unauthorized access and data exfiltration over an unmanaged network.
  • Static Exceptions: The kill-switch allows for the configuration of static exceptions. Specific IP addresses and IP ranges (e.g., 10.10.10.10, 11.0.0.0/8) can be whitelisted, allowing outbound traffic to these addresses even when the kill-switch is active.
  • Dynamic Exceptions: In addition to static exceptions, the kill-switch supports dynamic exceptions based on domain name suffixes (e.g., google.com, chime.aws), which allow more flexible network access controls. Dynamic exceptions work by intercepting DNS traffic on the host: the agent learns which addresses a whitelisted name resolves to and permits traffic to those addresses. A connection that bypasses the host resolver (a hard-coded IP address, or a name resolved over an encrypted DNS channel that the agent does not see) therefore does not match a dynamic exception.
  • Captive Portal Handling: The kill-switch gives captive portals special treatment. Whenever a captive portal is detected, the kill-switch temporarily allows TCP traffic until the user has logged into the portal, so that users can complete the portal login without the restrictions being lifted permanently.
  • Network Detection: The kill-switch can determine which network the device is on by resolving a host name, checking that a URL is reachable, or verifying that a certificate is present on the device. Based on the result, a different kill-switch policy can be applied or the kill-switch can be disabled altogether.

How it Works

Administrators can assign device profiles to users to control device connectivity. Profiles
determine the affected identities (users and groups) and specify the device connectivity mode:

  • Unrestricted Connectivity: No network restrictions are applied.
  • Restricted Mode: The device connectivity is restricted to whitelisted domain names or IP
    addresses and to configured applications the user has permission to access. The profile specifies whether the restrictions apply only to logged-out users or also to logged-in users.

An optional network indicator can be used to detect which network the device is on. The indicator can be:

  1. A simple connectivity check against a specified URL.
  2. A check that a specified URL's host name resolves to a specified IP address.
  3. A check that a certificate with a specified fingerprint exists on the user device (the fingerprint is verified, not the certificate's expiration).

When an indicator is used, the admin can configure two network whitelists:

  • Whitelist when the indicator test is positive.
  • Whitelist when the indicator test is negative.

For example, if the profile specifies http://myexample.com as an indicator with an IP address of 192.168.5.5, Cyolo Connect resolves the host name and checks whether the resolved address matches 192.168.5.5. If it matches, the whitelist for a positive test is applied to the device; otherwise the whitelist for a negative test is applied.
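The following is an added example, not Cyolo's code, that models the behaviour described above and in the kill-switch section: a restricted-mode profile carries two whitelists, one for a positive and one for a negative indicator test; each whitelist has static exceptions (IP addresses and CIDR ranges) and dynamic exceptions (domain suffixes whose addresses are learned from DNS answers intercepted on the host). The profile contents, the resolver stubs and the DNS answers are constructed for the example; the indicator host and address are the ones from the paragraph above. How the real agent matches suffixes is not stated on this page, so the label-boundary rule used here is an assumption.

```python
"""Kill-switch exceptions and network-indicator evaluation (added example)."""
import ipaddress
from typing import Callable, Dict, Iterable, List, Tuple


class ExceptionSet:
    """One whitelist: static IP/CIDR exceptions plus DNS-suffix exceptions."""

    def __init__(self, static: Iterable[str], suffixes: Iterable[str]) -> None:
        # "10.10.10.10" becomes a /32; "11.0.0.0/8" stays a range.
        self.static = [ipaddress.ip_network(s, strict=False) for s in static]
        self.suffixes = [s.lower().strip(".") for s in suffixes]
        self.learned = set()  # addresses seen in DNS answers for whitelisted names

    def matches_suffix(self, name: str) -> bool:
        # Assumption: match on a label boundary, so "notgoogle.com" is not "google.com".
        name = name.lower().rstrip(".")
        return any(name == s or name.endswith("." + s) for s in self.suffixes)

    def observe_dns_answer(self, name: str, addresses: Iterable[str]) -> bool:
        """Feed one DNS answer intercepted on the host; True if the name is whitelisted."""
        if not self.matches_suffix(name):
            return False
        self.learned.update(ipaddress.ip_address(a) for a in addresses)
        return True

    def allows(self, destination: str) -> bool:
        """Decide whether outbound traffic to this IP passes the kill-switch."""
        ip = ipaddress.ip_address(destination)
        if any(ip in net for net in self.static):
            return True
        # Dynamic exceptions cover only addresses learned from DNS answers, so a
        # hard-coded IP, or a name resolved outside the host resolver, stays blocked.
        return ip in self.learned


def ip_indicator(hostname: str, expected_ip: str, resolve: Callable[[str], str]) -> bool:
    """Indicator type 2: positive only if hostname resolves to expected_ip."""
    try:
        return ipaddress.ip_address(resolve(hostname)) == ipaddress.ip_address(expected_ip)
    except (OSError, ValueError):
        return False  # resolution failure counts as a negative test


def make_profile() -> Dict[str, ExceptionSet]:
    """Constructed restricted-mode profile with a positive and a negative whitelist."""
    return {
        # indicator positive (corporate network): only the internal range is exempt
        "positive": ExceptionSet(static=["10.0.0.0/8"], suffixes=["corp.example"]),
        # indicator negative (elsewhere): one IP, one range and two SaaS suffixes
        "negative": ExceptionSet(static=["192.0.2.10", "11.0.0.0/8"],
                                 suffixes=["google.com", "chime.aws"]),
    }


INDICATOR_HOST, INDICATOR_IP = "myexample.com", "192.168.5.5"  # values from the page


def stub_resolver(table: Dict[str, str]) -> Callable[[str], str]:
    """Constructed stand-in for the host resolver (no network access)."""
    def resolve(host: str) -> str:
        try:
            return table[host]
        except KeyError:
            raise OSError("name resolution failed: %s" % host) from None
    return resolve


resolver_on_corporate_network = stub_resolver({"myexample.com": "192.168.5.5"})
resolver_on_public_network = stub_resolver({"myexample.com": "203.0.113.7"})


def decide(resolve: Callable[[str], str],
           dns_answers: Iterable[Tuple[str, List[str]]],
           destinations: Iterable[str]) -> Dict[str, bool]:
    """Evaluate the indicator, select the whitelist, learn DNS answers, test flows."""
    positive = ip_indicator(INDICATOR_HOST, INDICATOR_IP, resolve)
    whitelist = make_profile()["positive" if positive else "negative"]
    for name, addresses in dns_answers:
        whitelist.observe_dns_answer(name, addresses)
    return {dst: whitelist.allows(dst) for dst in destinations}


if __name__ == "__main__":
    answers = [("mail.google.com", ["142.250.0.10"]), ("notgoogle.com", ["198.51.100.5"])]
    flows = ["192.0.2.10", "142.250.0.10", "142.250.0.11", "198.51.100.5", "10.1.1.1"]
    for label, resolver in (("public network", resolver_on_public_network),
                            ("corporate network", resolver_on_corporate_network)):
        print(label, decide(resolver, answers, flows))
```

Two points the walk-through makes visible: traffic to 142.250.0.11 is blocked even though a neighbouring address was learned for mail.google.com, because dynamic exceptions only ever cover addresses seen in a DNS answer; and the resolution-based indicator is only as trustworthy as the DNS answer the device receives, which is why the certificate-fingerprint indicator is the stronger signal on untrusted networks.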

Captive Portal

In restricted mode, profiles specify whether temporary access to detected captive portals is
allowed on the device. When enabled, access is granted until the user establishes internet connectivity.

Known captive portal detection hosts are automatically whitelisted:

OS          Hosts
macos       attwifi.apple.com, captive.apple.com
windows     msftncsi.com, msftconnecttest.com
linux       204.pop-os.org, nmcheck.gnome.org, ping.archlinux.org, conncheck.opensuse.org, network-test.debian.org, connectivity-check.ubuntu.com
additional  clients3.google.com, detectportal.firefox.com, connectivitycheck.gstatic.com, captive.cyolo.io

The underlying network is monitored for changes such as a change of the default route or the addition or removal of a unicast IP address on one of the physical network interfaces. When a network change is detected, the following actions take place:

  • For the first 15 seconds in the new network, all outbound TCP is permitted.
  • The agent starts polling captive.cyolo.io:80 once per second.
  • If it receives a 204 response, TCP connectivity is restricted again.
  • If it receives anything else, a captive portal is assumed to be present on the network and TCP connectivity is left permitted.
  • Once captive.cyolo.io returns a 204 (i.e., the user has passed the portal), TCP connectivity is restricted again.
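The following is an added example, not Cyolo's code: a deterministic model of the polling behaviour described above, driven by an injected clock and a scripted probe so it runs offline. The grace period, probe host and interval are the values from the list above. Where the page is silent (what a non-204 answer inside the 15-second window means, and whether polling stops once traffic is restricted) the choices below are assumptions and are marked as such in the code.

```python
"""Captive-portal grace handling after a network change (added example)."""
from typing import Callable, List, Optional, Tuple

GRACE_SECONDS = 15               # from the page: outbound TCP permitted for 15 s
PROBE_INTERVAL_SECONDS = 1       # from the page: poll once per second
PROBE_HOST = "captive.cyolo.io"  # from the page: a 204 from here means "no portal"


class CaptivePortalHandler:
    """Tracks whether outbound TCP is currently permitted by the kill-switch."""

    def __init__(self, probe: Callable[[str], Optional[int]]) -> None:
        # probe(host) returns the HTTP status seen for http://host/ or None on failure.
        self._probe = probe
        self.tcp_permitted = False  # restricted until a network change occurs
        self.portal_suspected = False
        self._grace_until: Optional[float] = None
        self._next_probe_at: Optional[float] = None
        self.events: List[Tuple[float, str]] = []

    def on_network_change(self, now: float) -> None:
        """Default route changed, or a unicast address was added/removed."""
        self.tcp_permitted = True
        self.portal_suspected = False
        self._grace_until = now + GRACE_SECONDS
        self._next_probe_at = now  # start polling immediately
        self.events.append((now, "network change: TCP permitted, polling started"))

    def tick(self, now: float) -> bool:
        """Advance the clock to `now`; returns whether outbound TCP is permitted."""
        if self._next_probe_at is None or now < self._next_probe_at:
            return self.tcp_permitted
        self._next_probe_at = now + PROBE_INTERVAL_SECONDS
        status = self._probe(PROBE_HOST)
        if status == 204:
            # An unmodified answer from the probe host: no portal in the path.
            self.tcp_permitted = False
            self.portal_suspected = False
            self._next_probe_at = None  # assumption: polling stops once restricted
            self.events.append((now, "204 from %s: TCP restricted" % PROBE_HOST))
        elif not self.portal_suspected and now >= self._grace_until:
            # Assumption: a redirect, login page or timeout inside the grace window
            # is tolerated; once the window has elapsed without a 204, a captive
            # portal is assumed and TCP stays permitted while polling continues.
            self.portal_suspected = True
            self.events.append((now, "no 204 after grace: captive portal assumed"))
        return self.tcp_permitted


def scripted_probe(responses: List[Optional[int]]) -> Callable[[str], Optional[int]]:
    """Constructed probe: returns the scripted statuses in order, then repeats the last."""
    pending = iter(responses)
    last = [responses[-1]]

    def probe(_host: str) -> Optional[int]:
        try:
            last[0] = next(pending)
        except StopIteration:
            pass
        return last[0]
    return probe


def run_scenario(responses: List[Optional[int]],
                 seconds: int) -> Tuple[List[bool], List[Tuple[float, str]]]:
    """Simulate one network change at t=0; return tcp_permitted per second and the events."""
    handler = CaptivePortalHandler(scripted_probe(responses))
    handler.on_network_change(0.0)
    permitted = [handler.tick(float(t)) for t in range(seconds)]
    return permitted, handler.events


if __name__ == "__main__":
    # Constructed scenarios: a plain network where the probe succeeds on the third
    # try, and a hotel network whose portal answers 302 until the user logs in at t=20.
    for label, responses in (("no portal", [None, None, 204]),
                             ("captive portal", [302] * 20 + [204])):
        permitted, events = run_scenario(responses, 24)
        print(label, permitted)
        for when, what in events:
            print("  t=%4.0fs  %s" % (when, what))
```

The interesting property for a defender is the second scenario: outbound TCP stays permitted for as long as the probe does not return a 204, so a network that never lets captive.cyolo.io answer cleanly keeps the device in the permissive state. The restriction is re-applied only by the 204, not by a timer.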

Upon user login to the Cyolo tenant, Cyolo Connect pulls the profile configuration and applies it to the device. While the device is connected to the tenant, the configuration is refreshed every 5 minutes; login and resume also trigger a configuration pull.


Cyolo Connect FAQ

  • Can the Cyolo Connect agent work with older Windows versions such as Windows 7, Windows XP or even Windows NT?
    No.
  • Is there a version of this agent for Linux, and which Linux distributions are supported?
    Ubuntu Desktop.
  • Is it portable software or does it require installation?
    It requires installation.
  • Do we need to reboot the machine after installing this agent?
    No.
  • Does it run as a service after installation, and autostart upon reboot?
    Yes.
  • Does it require specific configuration for each machine it is installed on or just a general configuration?
    No machine-specific configuration is needed.
  • Do we need to configure the agent on each machine manually or is configuration done automatically when installing the agent?
    Configuration is automatic.