Phase 1 Sprint 1.1 - Telemetry Gateway Architecture
Summary
A dedicated telemetry gateway service was introduced for internal use only. Client API remains read-only for tenant portal consumption.
Threat Model
- Assume any caller is untrusted until identity and payload integrity are verified.
- Enforce explicit service identity and cryptographic authenticity on every request.
Attack Vectors Considered
- Public exposure of telemetry ingestion endpoints.
- Bypass of mTLS identity requirements.
- Forged producer signatures.
- Replay of previously valid telemetry payloads.
Mitigations Implemented
- Isolated compose service
vectorvue_telemetry_gatewayontelemetry_privateinternal network. - No host port mapping for telemetry gateway.
- mTLS fingerprint pinning and Ed25519 verification at gateway ingress.
Residual Risk
- Gateway currently validates a proxy-provided certificate fingerprint header.
- Horizontal scaling requires shared replay cache.
Future Improvements
- Add Envoy/Nginx mTLS sidecar that injects immutable certificate metadata headers.
- Introduce distributed replay defense backend.
Architecture Diagram
flowchart LR
SS[SpectraStrike Producer]
MTLS[mTLS Boundary / TLS Terminator]
TG[VectorVue Telemetry Gateway\ninternal/v1/telemetry]
Q[(Secure Queue - Phase 2)]
SS --> MTLS
MTLS --> TG
TG --> Q
subgraph Private Network
TG
end