search close

Architecture

access_time Updated Jun 20, 2021

What is the Signal Sciences architecture?

The Signal Sciences platform is an application security monitoring system that proactively monitors for malicious and anomalous web traffic directed at your web servers. The system is comprised of three key components:

  • A web server integration module
  • A monitoring agent
  • Our cloud-hosted collection and analysis system

The module and agent run on your web servers within your infrastructure, analyzing and acting on malicious traffic in real-time as it is detected. Anomalous request data is collected locally and uploaded to our collectors, allowing us to perform out-of-band analysis of malicious inbound traffic.

Architecture

What language is the agent written in?

The agent is written in Go. We chose Go because of its combination of performance, ease of deployment, and memory safety guarantees. In other words, it gets very close to native code performance, without the security issues associated with C/C++ (e.g. buffer overflows).

Where is it typically deployed?

Our software is typically installed directly on your web server. It can also be deployed on a reverse proxy or load balancer running Apache/NGINX. Another less common but technically viable approach is to deploy our software at the application layer. We currently provide modules for PHP, NodeJS, Java, .NET, and Python, and can supply documentation to help you write an application layer module in other languages.

Where are you hosting the service?

We are hosting the service in AWS West across multiple availability zones.

What does Signal Sciences need firewall access to?

To download and install Signal Sciences, you will need to ensure your firewall allows access to the following:

  • apt.signalsciences.net
  • yum.signalsciences.net
  • dl.signalsciences.net

The Signal Sciences agent communicates with the following endpoints outbound via port 443/TCP:

  • c.signalsciences.net
  • sigsci-agent-wafconf.s3.amazonaws.com
  • sigsci-agent-wafconf-us-west-2.s3.amazonaws.com

If the agent is unable to download from the primary S3 bucket, it will fallback to a secondary bucket in a second region until it can download from the primary S3 bucket again.

Note: Because the Signal Sciences endpoints are hosted on AWS, the IP addresses are dynamic with no set ranges. Because there are no set IP ranges, you will need to ensure firewall access via DNS.

What sort of scale do you support?

Our architecture allows us to support applications with high traffic volume. We are deployed across full production with companies in the top 50 of the Alexa Traffic Rankings.

Do you support configuration management?

Yes, we support Chef, Puppet, Ansible, Salt, and others. It’s easy to manage typical deployments with configuration management tools.

Do you support CDNs?

Yes, we can consume the X-Forwarded-For or any other header to obtain the true client IP address.

Do you support egress HTTP proxies?

Yes, instructions for configuring the Signal Sciences agent to use a proxy for egress traffic can be found here.

Do you have an API?

Yes, we have a fully documented, RESTful/JSON API so you can pull your Signal Sciences console data into your other systems.

Do you support integrations with SIEMs?

Yes, we support any SIEM via our API.