
Architecture

The ControlGuard solution is specifically engineered to be lightweight, highly extensible, high-performing, and extremely secure. It requires no specialized hardware and offers extensive customization capabilities.

Most core software components are implemented in modern C and C++ to maximize performance, while leveraging mature, well-established open-source libraries.

Key Components

  • Engine: Performs all control decisions and traffic analysis.
  • Connector: Enables integration with specific protocols or software solutions.
  • Database: Centrally stores critical information such as policies, session information and alerts.
  • Web Portal: Provides a captive portal for Network Access Control (NAC) and a lightweight, customizable web page to display notifications and alerts to users.
  • Command Line Utilities: Interactive and non-interactive tools for remote management and monitoring.

Each component can be configured separately through configuration files. See our reference section for more information about how to configure each component.

architecture-beta
    service wan1(material-symbols:cloud)[WAN]
    service wan2(material-symbols:cloud)[WAN]

    group cg[ControlGuard Core]

    service router1(material-symbols:router-sharp)[Router]
    service proxy1(material-symbols:identity-aware-proxy)[Proxy]
    service user1(material-symbols:computer-outline-sharp)[User]

    service connector1(material-symbols:host-outline-sharp)[Connector] in cg
    service connector2(material-symbols:host-outline-sharp)[Connector] in cg

    service engine(material-symbols:settings-applications)[Engine] in cg
    service database(material-symbols:database)[Database] in cg
    service portal(material-symbols:captive-portal-sharp)[Web Portal] in cg

    wan1:B -- T:router1
    wan2:B -- T:proxy1

    proxy1:L -- R:user1
    proxy1:R -- L:router1

    router1:B -- T:connector1
    proxy1:B -- T:connector2

    connector1:B -- T:engine
    connector2:B -- T:engine

    engine:L -- R:database

    database:B -- T:portal

Encrypted Communication

The ControlGuard solution employs the proprietary Defendr binary protocol, developed in-house, to ensure seamless, high-performance integration between the solution's core components. An open specification for this protocol will be published in the near future.

All communication between peers is encrypted using the Transport Layer Security (TLS) protocol, providing robust encryption with algorithms such as AES to guarantee confidentiality and data integrity. Sessions are further secured through mutual peer authentication using strong hashing algorithms such as SHA2-256.

Cryptographic operations are implemented using the widely trusted OpenSSL library, which benefits from extensive community scrutiny and regular peer review.