cti-taxii message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]
Subject: Re: [cti-taxii] TAXII Architecture
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: Mark Davidson <mdavidson@soltra.com>
- Date: Wed, 16 Dec 2015 09:08:49 -0400
" I can’t think of any “brokers” that wouldn’t reasonably also be a “repository”."
I agree that I can not see many vendors writing a broker-only software suite, HOWEVER I can see many clients running broker-only configurations at numerous positions of their network, including the edge. At those locations the software would be configured with repository disabled and should respond as such to a discovery msg...
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
Mark Davidson ---12/16/2015 08:22:14 AM---Here is a thought I'll throw out there. There will be TAXII Servers that implement the broker and re
From: Mark Davidson <mdavidson@soltra.com>
To: Trey Darley <trey@soltra.com>, "Jordan, Bret" <bret.jordan@bluecoat.com>
Cc: "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Date: 12/16/2015 08:22 AM
Subject: Re: [cti-taxii] TAXII Architecture
Sent by: <cti-taxii@lists.oasis-open.org>
Here is a thought I'll throw out there.
There will be TAXII Servers that implement the broker and repository functionality. I see these systems as the ones that will be attempting to facilitate exchange of information across systems/organizations. I can’t think of any “brokers” that wouldn’t reasonably also be a “repository”.
On the other hand, I can picture repositories that are hampered by broker requirements. A Threat Analyst workbench or SIEM might want to expose their threat information using the TAXII repository concept (and perhaps even interact with a broker), but have no desire to facilitate the exchange of information across other systems/organizations via the broker concept.
To that end, maybe there are (notionally) two conformance clauses?
1. A TAXII Server implements both the broker and repository functionality.
2. A TAXII Repository implements only the repository functionality (we’d have to have some rule that maybe the broker side gives back an HTTP 501 - Not Implemented)
If this approach is taken, I would like to consider requiring or suggesting that only TAXII Servers are advertised in DNS and that TAXII Repositories are not.
This does go slightly against my desire to have a ‘TAXII' mean a single rigid thing, but I think there are systems out there that will want to offer a TAXII interface and not be a broker, and I view those systems as important to the overall threat sharing ecosystem.
Thoughts?
Thank you.
-Mark
On 12/16/15, 6:14 AM, "Trey Darley" <cti-taxii@lists.oasis-open.org on behalf of trey@soltra.com> wrote:
>On 15.12.2015 18:39:33, Jordan, Bret wrote:
>>
>> Question: Which of the following statements do you prefer? Or do you
>> prefer something all together different?
>>
>>
>> Option 1: A compliant TAXII server MAY implement the message broker
>> solution, the cyber information repository solution, or both.
>>
>> Option 2: A compliant TAXII server MUST implement the message broker
>> solution and the cyber information repository solution.
>>
>
>I would suggest a third option:
>
>"A compliant TAXII server MUST implement the message broker solution
>and SHOULD implement the cyber information repository solution."
>
>--
>Cheers,
>Trey
>--
>Trey Darley
>Senior Security Engineer
>4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430
>Soltra | An FS-ISAC & DTCC Company
>www.soltra.com
>--
>"In protocol design, perfection has been reached not when there is
>nothing left to add, but when there is nothing left to take away."
>--RFC 1925
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]