Architecture


High-level design

The Alertflex project is an automation, continuous monitoring, threat detection and response solution. Alertflex is designed for use in hybrid IT infrastructure (on-premises and cloud-based) and can monitor different types of platforms: Windows, Linux, Docker, Kubernetes and Amazon AWS.

The solution works as a Security Event Manager with SOAR functionality for a distributed grid of security sensors and scanners. At this moment Alertflex provides an orchestrator and a single user interface for more than 20 products. The integrated products are mostly free open-source software in the areas of IDS and DevSecOps, which Alertflex can unify into one or several projects.

../_images/hld-arch.png

Low-level design

Alertflex implements security event management functions for a distributed hub of security sensors and scanners. Its functionality is organized into the following layers: Collection (Alertflex collector), Streaming (ActiveMQ), Analysis (Alertflex controller), Storage (MySQL), and Access (Alertflex controller and management console).

To work inside a hybrid IT environment, the solution consists of the distributed software components Collector, Controller and Management Console. The Alertflex Controller and Management Console make up the Central node, which can be placed inside or outside the monitored IT infrastructure.

The Alertflex Collector (Altprobe) is placed in the network segment where the security sensors and scanners are installed. Based on the collectors' configurations and the network topology, Alertflex logically forms the Collector node.

../_images/lld-arch.png

Central node

The minimum configuration of the Central node includes the Alertflex Java EE applications (Controller and Management console, which run under the Payara/GlassFish application server) and the third-party open-source components ActiveMQ and MySQL. This configuration can be installed on a stand-alone server or virtual machine running Linux CentOS 7 or Ubuntu 18.04.

An example stand-alone server in the Appliance configuration (which additionally includes an Alertflex collector and sensors) is shown below:

../_images/cnode-appl.png

High availability of the Central node is based on cluster configurations of the third-party components and on the microservices architecture of the Alertflex applications:

../_images/cnode-ha.png

Collector node

The Collector node is based on a micro-segmentation model. It can include several Alertflex collectors (Altprobe) for retrieving information from, and managing, security sensors and scanners.

The minimum configuration of the Collector node is one collector installed on a computer or virtual machine. The configuration can be expanded by installing several Alertflex collectors on different computers/VMs inside a defined network segment. In this case, all collectors must have the same Node ID in their config file. This allows the same filtering policies, Host IDS agent namespace and security event statistics to be used for all collectors united into the Collector node.

The Alertflex collector reads security events of sensors and reports of scanners directly from their output files. Additionally, Altprobe can use Redis to receive events from sensors installed on other hosts or in other services.
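The two previous paragraphs describe the Collector node model: several collectors sharing one Node ID so that one filtering policy and one set of event statistics apply to all of them, with events arriving either from sensor output files or via Redis. The Python below is an added illustration of that model and is not Altprobe's or Alertflex's own code: the event format, the policy keys, the `Collector` class, the `node-constructed-1` Node ID and the sample events are all constructed for this example, and a plain in-memory queue stands in for the Redis list.

```python
"""Added illustration of the Collector-node model (not Alertflex/Altprobe code).

Two collector instances with the same Node ID consume events from two
sources, a sensor output file and a queue standing in for Redis, apply
the node-wide filtering policy and contribute to one statistics view.
All names, formats and sample data here are constructed assumptions.
"""
import io
import json
from collections import Counter, deque

# Constructed sample: JSON lines as an IDS sensor might write them to its output file.
SENSOR_LOG = """\
{"event_type": "alert", "src_ip": "10.0.0.5", "severity": 1, "sig": "example rule A"}
{"event_type": "flow", "src_ip": "10.0.0.5"}
{"event_type": "alert", "src_ip": "10.0.0.9", "severity": 3, "sig": "example rule B"}
"""

# Constructed stand-in for a Redis list that sensors on other hosts push events to.
REMOTE_QUEUE = deque([
    '{"event_type": "alert", "src_ip": "10.0.1.7", "severity": 2, "sig": "example rule C"}',
])

# Node-wide filtering policy: every collector with the same Node ID applies it.
# Severity 1 is treated as the most severe; events above max_severity are dropped.
POLICY = {"drop_event_types": {"flow"}, "max_severity": 2}


def read_file_events(fh):
    """Yield events from a sensor output file (one JSON object per line)."""
    for line in fh:
        line = line.strip()
        if line:
            yield json.loads(line)


def read_queue_events(queue):
    """Pop events from the queue standing in for Redis until it is empty."""
    while queue:
        yield json.loads(queue.popleft())


class Collector:
    """One collector process: stamps events with the Node ID and applies the policy."""

    def __init__(self, node_id, policy):
        self.node_id = node_id
        self.policy = policy
        self.stats = Counter()   # per-collector counters, merged per node below
        self.forwarded = []      # events that would go on to the streaming layer

    def accept(self, event):
        """Apply the node policy; return True if the event is forwarded."""
        self.stats["received"] += 1
        if event.get("event_type") in self.policy["drop_event_types"]:
            self.stats["dropped_by_type"] += 1
            return False
        sev = event.get("severity")
        if sev is not None and sev > self.policy["max_severity"]:
            self.stats["dropped_low_severity"] += 1
            return False
        self.forwarded.append(dict(event, node_id=self.node_id))
        self.stats["forwarded"] += 1
        return True

    def run(self, *sources):
        for source in sources:
            for event in source:
                self.accept(event)
        return self.forwarded


def run_collector_node(node_id="node-constructed-1"):
    """Two collectors, one Node ID: separate inputs, one policy, one merged statistics view."""
    file_collector = Collector(node_id, POLICY)
    file_collector.run(read_file_events(io.StringIO(SENSOR_LOG)))
    redis_collector = Collector(node_id, POLICY)
    redis_collector.run(read_queue_events(deque(REMOTE_QUEUE)))  # copy keeps the sample reusable
    merged_stats = file_collector.stats + redis_collector.stats
    return file_collector.forwarded + redis_collector.forwarded, merged_stats


if __name__ == "__main__":
    events, stats = run_collector_node()
    for e in events:
        print(json.dumps(e))
    print(dict(stats))
```

Running the block forwards two of the four sample events (the `flow` event is dropped by type and the severity-3 alert by the severity threshold), and the merged counters show why a shared Node ID matters: statistics and policy are per node, not per collector process.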

An example configuration with two Collector nodes, using log files and Redis as sources for the collectors, is shown below:

../_images/collector-node.png