cti-taxii message



Subject: TAXII 2.0 Architecture


All, 

I have updated the following page and added an Architecture section to reflect the current line of thinking and provide a place for people to record their thoughts.  If you agree or disagree with any of these, please speak up either on the list or on the wiki.



TAXII 2.0 Architecture

  • We are using a Publish and Subscribe model for the TAXII 2.0 architecture over an HTTP RESTful interface
  • TAXII Servers are plumbing for CTI between TAXII Clients
    • TAXII Servers handle authentication, authorization, and policy-based message handling (block, allow, rewrite, redirect etc.)
    • TAXII Servers handle TTL values for messages, channels, and clients
  • TAXII Clients are lightweight clients that only send or receive CTI to a channel on a TAXII Server
    • The output from a TAXII Client is a raw CTI object such as a STIX package.
  • A TAXII server MAY have a special embedded TAXII client called a TAXII Router to facilitate communications with another TAXII Server
    • An ingress or egress policy MAY be applied to all traffic between the TAXII Server channel and this embedded TAXII Router
    • NOTE: we may want to scratch the router terminology so as not to confuse people and just say that a TAXII Server can also, itself, publish and subscribe to another TAXII Server.
  • Each TAXII Server will have some defined out-of-the-box channels that clients can publish or subscribe to
    • A TAXII Server MAY have additional channels beyond what we define
    • Channels MAY have ingress or egress policies
    • Channels MAY be read-only
    • Channels MAY require out-of-band subscription information in addition to authentication
    • Channels MAY be auto-deleted if there are no more clients attached to them
    • Channels MAY be exclusive, meaning only the creator can subscribe



Here is a diagram I built to show what that would mean.  You will see that Group 1 has a simple TAXII deployment, whereas Group 2 has an Internal and External TAXII deployment.  I could envision some sort of human review process or workbench tool that might sit between Group 2's Internal and External TAXII Servers.




Here is another diagram I did a while back, not sure if I have shared it with the group yet.  But this can give you another visual into what we are talking about.
Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

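To make the channel rules in the proposal above concrete, here is a small Python model of a TAXII Server as the list describes it (exclusive channels, ingress and egress policies that allow, rewrite or block, TTL expiry, subscription checks on delivery). This is an added illustration, not code from the original message, the TAXII 2.0 specification, or any TAXII implementation; the channel names, client names, sample messages and the injectable clock are constructed for the example, and auto-delete and redirect policies are left out.

```python
import time
from dataclasses import dataclass, field
# Constructed toy model of the channel rules proposed in the message above,
# added for illustration; not the TAXII 2.0 spec and not TAXII project code.

@dataclass
class Channel:
    creator: str
    exclusive: bool = False  # only the creator may subscribe
    ingress: list = field(default_factory=list)  # policies applied on publish
    egress: list = field(default_factory=list)   # policies applied on delivery
    subscribers: set = field(default_factory=set)
    messages: list = field(default_factory=list)  # (expires_at, payload)

def apply_policies(policies, payload):
    for policy in policies:  # each may allow, rewrite, or block (return None)
        payload = policy(payload)
        if payload is None:
            return None
    return payload

class TaxiiServer:
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so TTL expiry can be tested
        self.channels = {}

    def create_channel(self, name, creator, **opts):
        self.channels[name] = Channel(creator, **opts)

    def subscribe(self, name, client):
        ch = self.channels[name]
        if ch.exclusive and client != ch.creator:
            raise PermissionError(f"{name} is exclusive to {ch.creator}")
        ch.subscribers.add(client)

    def publish(self, name, payload, ttl):
        ch = self.channels[name]
        payload = apply_policies(ch.ingress, payload)  # ingress runs before storage
        if payload is None:
            return False  # blocked: never stored, so never delivered
        ch.messages.append((self.clock() + ttl, payload))
        return True

    def poll(self, name, client):
        ch = self.channels[name]
        if client not in ch.subscribers:
            raise PermissionError(f"{client} is not subscribed to {name}")
        ch.messages = [m for m in ch.messages if m[0] > self.clock()]  # enforce TTL
        out = (apply_policies(ch.egress, p) for _, p in ch.messages)
        return [p for p in out if p is not None]  # egress runs before delivery
```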