OASIS Mailing List Archives

cti-taxii message



Subject: Re: [cti-taxii] Question about multiple trust group support


The thing to remember with all of this is the element of server trust. For example, you would never federate your AD servers between two disparate companies. The fact that a TAXII server on the other end does not need to honor, or I should say is not guaranteed to honor, the rules pushed to it from another organization is a problem. At best, you can make these types of advertisements a suggestion.

There are only two ways I see this working....

1) Someone hosts a large TAXII cluster on Amazon or Rackspace and controls all of the security.

2) You treat CTI like old Newsgroups, meaning there is full, open, and non-restricted flow of data. Which I think is not realistic.   Any time you add an element of control and you push that responsibility for maintaining that control outside of your domain, there is no guarantee that it will be honored.  



Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Oct 2, 2015, at 00:48, Terry MacDonald <terry.macdonald@threatloop.com> wrote:

Hi Jason,

In your example there is a single place the groups are administered. To use the FS-ISAC example, the FS-ISAC users would all sit within the FS-ISAC TAXII Server application.

I was meaning the use case where the administration is done on multiple TAXII servers at different locations. An example would be something like a Conficker Working Group. BankA and BankB are both part of the ConfickerWG and are administrator organizations, as are OrgA and OrgB. All Organizations that are part of the ConfickerWG and are group 'administrators' would have a copy of the ConfickerWG administrative DB - and would be the only ones able to authorize any new members.

Bank A still keeps control of its own users or groups, as does BankB. The only real change is that the Conficker WG is now replicated to more than one location, meaning that the Conficker WG can still add/remove and authenticate new Organizations into the WG even if one of the WG Administrators' TAXII Servers fails.

I guess it's similar to the way that ActiveDirectory replicates the AD database to all Domain Controllers in the domain, just that the TAXII server can be in multiple domains at once. Continuing the analogy, the single controlling master TAXII server with multiple secondary copies is exactly what Microsoft moved away from with the old primary/secondary NT domains. 

As mentioned before on another thread, I am ok with parking this feature for now and implementing this as an extension protocol that will enable group membership in the future. I still believe that this is important to provide interoperability and redundancy in the future, but I agree that keeping administration to a single TAXII server will suffice for now.

Cheers

Terry MacDonald | STIX, TAXII, CybOX Consultant




Disclaimer: The opinions expressed within this email do not represent the sentiment of any other party except my own. My views do not necessarily reflect those of my employers.




