OASIS Mailing List Archives



cti-taxii message


Subject: TAXII 2.0 Architecture


I have updated the following page and added an Architecture section to reflect the current line of thinking and provide a place for people to record their thoughts.  If you agree or disagree with any of these, please speak up either on the list or on the wiki.

TAXII 2.0 Architecture

  • We are using a Publish and Subscribe model for the TAXII 2.0 architecture over an HTTP RESTful interface
  • TAXII Servers are plumbing for CTI between TAXII Clients
    • TAXII Servers handle authentication, authorization, and policy-based message handling (block, allow, rewrite, redirect, etc.)
    • TAXII Servers handle TTL values for messages, channels, and clients
  • TAXII Clients are lightweight clients that only send or receive CTI to a channel on a TAXII Server
    • The output from a TAXII Client is a raw CTI object such as a STIX package.
  • A TAXII Server MAY have a special embedded TAXII client called a TAXII Router to facilitate communications with another TAXII Server
    • An ingress or egress policy MAY be applied to all traffic between the TAXII Server channel and this embedded TAXII Router
    • NOTE: we may want to scratch the router terminology so as not to confuse people and just say that a TAXII Server can also, itself, publish and subscribe to another TAXII Server.
  • Each TAXII Server will have some defined out-of-the-box channels that clients can publish or subscribe to
    • A TAXII Server MAY have additional channels beyond what we define
    • Channels MAY have ingress or egress policies
    • Channels MAY be read-only
    • Channels MAY require out-of-band subscription information in addition to authentication
    • Channels MAY be auto-deleted if there are no more clients attached to them
    • Channels MAY be exclusive, meaning only the creator can subscribe

Here is a diagram I built to show what that would mean. You will see that Group 1 has a simple TAXII deployment, whereas Group 2 has an Internal and External TAXII deployment. I could envision some sort of human review process or workbench tool that might sit between Group 2's Internal and External TAXII Servers.

Here is another diagram I did a while back, not sure if I have shared it with the group yet. But this can give you another visual into what we are talking about.



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
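The channel model sketched in the message above (ingress/egress policies that block, allow, rewrite or redirect; per-message TTLs; read-only, exclusive and auto-deleted channels; subscriber-only reads) can be exercised in a few dozen lines. The following is an added illustration, not code from the proposal, the TAXII 2.0 specification, or any TAXII implementation. It is an in-memory toy: client identities are plain strings standing in for authenticated principals, "read-only" is assumed to mean that only the channel's creator may publish, the sample policies and payloads are constructed, and time is passed in explicitly so TTL expiry is deterministic.

```python
"""Toy in-memory model of the channel and policy behaviour in the proposal.
Constructed illustration only; not TAXII 2.0 protocol or reference code."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    REWRITE = "rewrite"
    REDIRECT = "redirect"


@dataclass
class Decision:
    action: Action
    message: Optional[dict] = None  # replacement payload for REWRITE
    channel: Optional[str] = None   # target channel name for REDIRECT


# A policy sees the acting client and the raw CTI payload (e.g. a STIX package).
Policy = Callable[[str, dict], Decision]


@dataclass
class Channel:
    name: str
    creator: str
    read_only: bool = False      # assumed meaning: only the creator may publish
    exclusive: bool = False      # only the creator may subscribe
    auto_delete: bool = False    # drop the channel when the last subscriber leaves
    message_ttl: float = 3600.0  # seconds a message stays retrievable
    ingress: list = field(default_factory=list)  # policies applied on publish
    egress: list = field(default_factory=list)   # policies applied on fetch
    subscribers: set = field(default_factory=set)
    messages: list = field(default_factory=list)  # (expires_at, payload)


class Server:
    """Holds channels and enforces authorization, policies and TTLs."""

    def __init__(self):
        self.channels = {}

    def create_channel(self, creator, name, **opts):
        self.channels[name] = Channel(name=name, creator=creator, **opts)
        return self.channels[name]

    def subscribe(self, client, name):
        ch = self.channels[name]
        if ch.exclusive and client != ch.creator:
            raise PermissionError(f"{name} is exclusive to {ch.creator}")
        ch.subscribers.add(client)

    def unsubscribe(self, client, name):
        ch = self.channels[name]
        ch.subscribers.discard(client)
        if ch.auto_delete and not ch.subscribers:
            del self.channels[name]   # last subscriber left: auto-delete

    def publish(self, client, name, payload, now):
        """Run ingress policies, then store with a TTL. Returns the channel the
        message landed on (it may have been redirected) or None if blocked."""
        ch = self.channels[name]
        if ch.read_only and client != ch.creator:
            raise PermissionError(f"{name} is read-only")
        for policy in ch.ingress:
            d = policy(client, payload)
            if d.action is Action.BLOCK:
                return None
            if d.action is Action.REWRITE:
                payload = d.message
            elif d.action is Action.REDIRECT:
                return self.publish(client, d.channel, payload, now)
        ch.messages.append((now + ch.message_ttl, payload))
        return name

    def fetch(self, client, name, now):
        """Return unexpired messages after egress policies; subscribers only.
        REDIRECT is treated as an ingress-only decision and ignored here."""
        ch = self.channels[name]
        if client not in ch.subscribers:
            raise PermissionError(f"{client} is not subscribed to {name}")
        ch.messages = [(exp, m) for exp, m in ch.messages if exp > now]  # TTL
        out = []
        for _, payload in ch.messages:
            for policy in ch.egress:
                d = policy(client, payload)
                if d.action is Action.BLOCK:
                    break
                if d.action is Action.REWRITE:
                    payload = d.message
            else:  # no egress policy blocked it
                out.append(payload)
        return out


# Constructed sample policies; the field names are illustrative only.
def block_tlp_red(client, msg):
    return Decision(Action.BLOCK if msg.get("tlp") == "red" else Action.ALLOW)


def strip_internal_refs(client, msg):
    return Decision(Action.REWRITE,
                    message={k: v for k, v in msg.items() if k != "internal_ref"})


def demo():
    """Walk through publish/subscribe, ingress policy, TTL expiry and exclusivity."""
    s = Server()
    s.create_channel("server", "indicators", message_ttl=60,
                     ingress=[block_tlp_red, strip_internal_refs])
    s.create_channel("alice", "alice-private", exclusive=True, auto_delete=True)
    s.subscribe("bob", "indicators")
    s.subscribe("alice", "alice-private")
    blocked = s.publish("alice", "indicators",
                        {"type": "indicator", "tlp": "red", "internal_ref": "r1"}, now=0)
    landed = s.publish("alice", "indicators",
                       {"type": "indicator", "tlp": "green", "internal_ref": "r2"}, now=0)
    fresh = s.fetch("bob", "indicators", now=30)    # within the 60 s TTL
    stale = s.fetch("bob", "indicators", now=120)   # past the TTL: nothing left
    try:
        s.subscribe("bob", "alice-private")
        exclusive_enforced = False
    except PermissionError:
        exclusive_enforced = True
    s.unsubscribe("alice", "alice-private")         # last subscriber: auto-delete
    return {"blocked": blocked, "landed": landed, "fresh": fresh, "stale": stale,
            "exclusive_enforced": exclusive_enforced,
            "auto_deleted": "alice-private" not in s.channels}


if __name__ == "__main__":
    print(demo())
```

The design point worth noting is that policy is entirely server-side, as the proposal intends: the client only ever hands over or receives a raw CTI object, while blocking, rewriting (here, dropping an internal reference before it leaves the organisation) and TTL enforcement happen in the server between the channel and its subscribers. A real deployment would replace the string client identities with the server's authentication result and would persist channels rather than keeping them in memory.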
