
cti-taxii message



Subject: Re: [cti-taxii] TAXII Architecture


"I can’t think of any “brokers” that wouldn’t reasonably also be a “repository”."

I agree that I cannot see many vendors writing a broker-only software suite, HOWEVER I can see many clients running broker-only configurations at numerous positions of their network, including the edge. At those locations the software would be configured with repository disabled and should respond as such to a discovery msg...


-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: Mark Davidson <mdavidson@soltra.com>
To: Trey Darley <trey@soltra.com>, "Jordan, Bret" <bret.jordan@bluecoat.com>
Cc: "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Date: 12/16/2015 08:22 AM
Subject: Re: [cti-taxii] TAXII Architecture
Sent by: <cti-taxii@lists.oasis-open.org>





Here is a thought I'll throw out there.

There will be TAXII Servers that implement the broker and repository functionality. I see these systems as the ones that will be attempting to facilitate exchange of information across systems/organizations. I can’t think of any “brokers” that wouldn’t reasonably also be a “repository”.

On the other hand, I can picture repositories that are hampered by broker requirements. A Threat Analyst workbench or SIEM might want to expose their threat information using the TAXII repository concept (and perhaps even interact with a broker), but have no desire to facilitate the exchange of information across other systems/organizations via the broker concept.

To that end, maybe there are (notionally) two conformance clauses?

1. A TAXII Server implements both the broker and repository functionality.
2. A TAXII Repository implements only the repository functionality (we’d have to have some rule that maybe the broker side gives back an HTTP 501 - Not Implemented)

If this approach is taken, I would like to consider requiring or suggesting that only TAXII Servers are advertised in DNS and that TAXII Repositories are not.

This does go slightly against my desire to have a ‘TAXII’ mean a single rigid thing, but I think there are systems out there that will want to offer a TAXII interface and not be a broker, and I view those systems as important to the overall threat sharing ecosystem.

Thoughts?

Thank you.
-Mark



On 12/16/15, 6:14 AM, "Trey Darley" <cti-taxii@lists.oasis-open.org on behalf of trey@soltra.com> wrote:

>On 15.12.2015 18:39:33, Jordan, Bret wrote:
>>
>> Question: Which of the following statements do you prefer? Or do you
>> prefer something altogether different?
>>
>>
>> Option 1: A compliant TAXII server MAY implement the message broker
>> solution, the cyber information repository solution, or both.
>>
>> Option 2: A compliant TAXII server MUST implement the message broker
>> solution and the cyber information repository solution.
>>
>
>I would suggest a third option:
>
>"A compliant TAXII server MUST implement the message broker solution
>and SHOULD implement the cyber information repository solution."
>
>--
>Cheers,
>Trey
>--
>Trey Darley
>Senior Security Engineer
>4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
>Soltra | An FS-ISAC & DTCC Company
>www.soltra.com
>--
>"In protocol design, perfection has been reached not when there is
>nothing left to add, but when there is nothing left to take away."
>--RFC 1925




