Architecture


High-level design

Alertflex project is a continuous security monitoring solution designed for use in Hybrid Clouds (on-premises and cloud-based IT infrastructure). By monitoring events and information derived from well-known open source security applications near real-time, Alertflex helps to detect cyber intrusions and vulnerabilities, give companies end-to-end security visibility. Alertflex allows introducing DevSecOps, SOAR and OWASP best practices.

../_images/hld-arch.png


Low-level design

The Alertflex implements a modern security event management technology based on five levels: Collection, Streaming, Analysis, Storage, Access. For working in a distributed environment of Hybrid Clouds, the solution consists of separate software components Collector, Controller, Web Management Console, Worker. Collector (Altprobe) is located in the network domain where security sensors are installed (Container Runtime Security, Host IDS, File Integrity Monitor, Network IDS, Web Application Firewall). Together with security sensors, Collector logically forms a collector node. Alertflex Controller, Web Console, and Workers compose the central node. It could be located inside of monitored IT infrastructure or outside. To exchange messages between the collector node and the central node, the ActiveMQ message broker is used. The security of connections between nodes is implemented on the basis of support for SSL / TLS protocols built into ActiveMQ. The solution can be easily scaled from the stand-alone appliance configuration to the distributed configuration for multi-clouds.

../_images/lld-arch.png


Appliance

For small and demo installations you can use a Dockerized version of Alertflex, which includes all needed components for a fast introduced solution on your network/IT infrastructure. The only one computer or virtual machine with installed docker is required for such configuration.

../_images/appliance.png


Central node

The minimum configuration of the central node includes Alertflex Java EE applications (Controller, Web console and Worker) which work under Payara/GlassFish AS and third-party open-source components ActiveMQ, Redis, MySQL. It can be installed on the stand-alone server or virtual machine with Linux Centos 7 or Ubuntu 16.04 version. The high availability of the central node is based on cluster configurations of third-party components and microservices architecture Alertflex applications. Below a drawing of such a High availability scheme:

../_images/central-node.png


Collector node

Collector node is based on the micro-segmentation model. It can include several alertflex collectors (Altprobe) and security sensors/IDS. The minimum configuration of such a node includes one installed collector on a computer/virtual machine (Master) in the node segment. The configuration can be expanded by installation several Alertflex collectors on different computers/VM inside of the node segment. It allows connecting many security sensors inside one network segment controlled by the node and using a single network and agents namespace. Alertflex collector can directly read security events from IDS logs or use Redis server for receiving events from IDS which are installed on other hosts. See an example of such configuration below:

../_images/collector-node.png