OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-taxii message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cti-taxii] Goals for TAXII 2.0


( Note - If people want me to take this off the list let me know... )


But if that is the case... what is the "subscription ID" the hubs are using in the push message, and where did it come from? I am referring to the sample document - https://taxii.mitre.org/specifications/version1.0_draft1/TAXII_SampleUsage_November_2012.pdf . In this document, the workflow is the following:

- Client connects to server


- Client requests subscription to feed from server

- On interval, server connects to client, and issues PUSH messages with the subscription ID in them

Based on this flow, I presume the Client is the Spoke and the Server is the Hub. Regardless... based on this flow, both services require open TAXII ports since the client connects to the server and then later on the server connects to the client.




-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


Inactive hide details for Trey Darley ---2015/07/15 09:23:49 AM---Hey, Jason - In this configuration the spokes pull from the hTrey Darley ---2015/07/15 09:23:49 AM---Hey, Jason - In this configuration the spokes pull from the hub and push back to it. The hub itself

From: Trey Darley <trey@soltra.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: Terry MacDonald <terry.macdonald@threatloop.com>, "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Date: 2015/07/15 09:23 AM
Subject: Re: [cti-taxii] Goals for TAXII 2.0
Sent by: <cti-taxii@lists.oasis-open.org>




Hey, Jason -

In this configuration the spokes pull from the hub and push back to it. The hub itself doesn't make outbound connections.

Cheers,
Trey
--
Trey Darley
Senior Security Engineer
Soltra | An FS-ISAC & DTCC Company
www.soltra.com




From: cti-taxii@lists.oasis-open.org <cti-taxii@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent:
Wednesday, July 15, 2015 14:20
To:
Trey Darley
Cc:
Terry MacDonald; cti-taxii@lists.oasis-open.org
Subject:
Re: [cti-taxii] Goals for TAXII 2.0

Sorry maybe I am misunderstanding... maybe I have always misunderstood this! What I am referring to is the TAXII push to INBOX which contains a subscription ID... this implies that the client hosting that INBOX service, previously subscribed to something on that TAXII hub... which by nature (since it is subscriber based) implies it is a PUSH from the hub to the spoke.

If you had a hub and spoke configuration.. the hub would not be the subscriber.. the spokes would be subscribers... no?

I am having a hard time envisioning a model where there is a hub and spoke configuration where the hub subscribes to feeds on the spokes when the spokes don't allow inbond connections... how does that work?


-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


Trey Darley ---2015/07/15 09:11:21 AM---Hey, Jason - While it might not be immediately apparent, there are institutions which use both the p

From:
Trey Darley <trey@soltra.com>
To:
Jason Keirstead/CanEast/IBM@IBMCA, Terry MacDonald <terry.macdonald@threatloop.com>
Cc:
"cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Date:
2015/07/15 09:11 AM
Subject:
Re: [cti-taxii] Goals for TAXII 2.0
Sent by:
<cti-taxii@lists.oasis-open.org>





Hey, Jason -


While it might not be immediately apparent, there are institutions which use both the poll and push due to site security policy. Basically, where you'd normally have a hub and spoke with peer-to-peer polling, in these cases no inbound connections are allowed on the edge node. Instead, these nodes are configured to a) poll a centrally accessible hub and b) push outbound to that same node.


I generally agree with the notion of stripping away "needless" flexibility but I don't think that applies in this particular case.


Cheers,
Trey
--
Trey Darley
Senior Security Engineer
Soltra | An FS-ISAC & DTCC Company
www.soltra.com




From:
cti-taxii@lists.oasis-open.org <cti-taxii@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent:
Wednesday, July 15, 2015 14:06
To:
Terry MacDonald
Cc:
cti-taxii@lists.oasis-open.org
Subject:
Re: [cti-taxii] Goals for TAXII 2.0

Does Tenant 1 mean that TAXII 2.0 will only do either a PUSH model or a POLL/PULL model, but not both?

That would be great... to me this was one of the "needlessly flexible" facets of TAXII 1.X.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


Terry MacDonald ---2015/07/15 12:45:00 AM---Hi All, As per earlier discussions I really think it would be beneficial to discuss


From:
Terry MacDonald <terry.macdonald@threatloop.com>
To:
"cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Date:
2015/07/15 12:45 AM
Subject:
[cti-taxii] Goals for TAXII 2.0
Sent by:
<cti-taxii@lists.oasis-open.org>





Hi All,

As per earlier discussions I really think it would be beneficial to discuss some key goals that we want TAXII 2.0 to adhere to. As such I've tried to incorporate the discussions we've had over the past year or so, and distill them into the following list.

Please note, this is a 'starter for 10', just to prompt further discussion. Please do not consider it official, final, or authoritative in any way :) (I should be a lawyer).


Goals for TAXII v2.0:
Comments and improvements welcomed (nay, required :) ).

Cheers


Terry MacDonald
| STIX, TAXII, CybOX Consultant

M: +61-407-203-026
E:
terry.macdonald@threatloop.com
W:
www.threatloop.com



Disclaimer: The opinions expressed within this email do not represent the sentiment of any other party except my own. My views do not necessarily reflect those of my employers.









[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]