To mitigate the increasingly complex cyber attacks, you can enable the appliance to run a TAXII (Trusted Automated eXchange of Indicator Information) service to receive information on real-time threat incidents. The information in each threat incident is represented using the STIX (Structured Threat Information eXpression) language format. STIX is a standard language used to describe structured cyber threat information, which is shared between different TAXII clients.
When you run the TAXII service on a Grid member, the appliance acts as a TAXII server that receives TAXII messages (for one or more specified STIX collections) from TAXII clients. A TAXII message typically contains a list of IP addresses (both IPv4 and IPv6) and domains. The member then communicates with the Grid Master and sends a request to create an RPZ rule on the specified RPZ based on the TAXII messages it receives. The RPZ rule created on NIOS is available in the Response Policy Zones tab, as shown in Figure 42.4.
Once you start the TAXII server, the inbox for the configured collections is available at https://<member address>/services/inbox and the TAXII discovery service is available at https://<member address>/services/discovery, where <member address> is the MGMT or LAN IP address (the IPv4 or IPv6 address of whichever port is configured).
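As an added example (not Infoblox's code), the following Python sketches the translation the member performs on a received message: it pulls the IPv4, IPv6 and domain indicators out of a STIX 1.x package such as one posted to the inbox above and encodes each as an RPZ trigger record in the mapped RPZ. The sample package, the zone name and the NXDOMAIN (CNAME ".") action are assumptions; the rpz-ip encoding follows the DNS RPZ draft.

```python
import ipaddress
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample STIX 1.x package: one IPv4, one IPv6 and one domain indicator.
SAMPLE_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
 xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
 xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
 xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><stix:Indicators>
 <stix:Indicator><indicator:Observable><cybox:Object>
  <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
   <AddressObj:Address_Value>198.51.100.7</AddressObj:Address_Value></cybox:Properties>
 </cybox:Object></indicator:Observable></stix:Indicator>
 <stix:Indicator><indicator:Observable><cybox:Object>
  <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv6-addr">
   <AddressObj:Address_Value>2001:db8::1</AddressObj:Address_Value></cybox:Properties>
 </cybox:Object></indicator:Observable></stix:Indicator>
 <stix:Indicator><indicator:Observable><cybox:Object>
  <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
   <DomainNameObj:Value>bad.example.</DomainNameObj:Value></cybox:Properties>
 </cybox:Object></indicator:Observable></stix:Indicator>
</stix:Indicators></stix:STIX_Package>"""

def extract_indicators(stix_xml):
    """Return (addresses, domains) found in the package's Address and DomainName observables."""
    addrs, domains = [], []
    for props in ET.fromstring(stix_xml).iter("{http://cybox.mitre.org/cybox-2}Properties"):
        kids = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in props}
        if props.get("category") in ("ipv4-addr", "ipv6-addr") and kids.get("Address_Value"):
            addrs.append(kids["Address_Value"])
        elif props.get(XSI_TYPE, "").endswith("DomainNameObjectType") and kids.get("Value"):
            domains.append(kids["Value"].rstrip(".").lower())
    return addrs, domains

def rpz_ip_owner(addr, zone):
    """RPZ IP trigger owner name: <prefixlen>.<reversed address>.rpz-ip.<zone>."""
    net = ipaddress.ip_network(addr, strict=False)
    if net.version == 4:
        rev = ".".join(reversed(str(net.network_address).split(".")))
    else:  # IPv6 per the RPZ draft: reversed groups, '::' written as 'zz', no leading zeros
        rev = ".".join(reversed(net.network_address.compressed.replace("::", ":zz:").strip(":").split(":")))
    return f"{net.prefixlen}.{rev}.rpz-ip.{zone}"

def rpz_records(stix_xml, zone):
    # CNAME "." is the RPZ NXDOMAIN action; zone is the RPZ mapped to the collection (assumed).
    addrs, domains = extract_indicators(stix_xml)
    return ([(f"{d}.{zone}", "CNAME", ".") for d in domains]
            + [(rpz_ip_owner(a, zone), "CNAME", ".") for a in addrs])
```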
You can run the TAXII service on the following Infoblox appliance models: IB-1410, IB-1415, IB-1420, IB-1425, IB-VM-1410, IB-VM-1415, IB-VM-1420, IB-VM-1425, TE-810, TE-815, TE-2210, TE-2215, TE-2220, TE-2215, IB-VM-4010, IB-4030, IB-4030-10GE, IB-VM-2220, IB-VM-2225, PT-1400, PT-1405, PT-2200, PT-2205, PT-2205-10GE, PT-4000, and PT-4000-10GE.
To enable the TAXII service, you must install the Security Ecosystem license on any Grid member. You must also install an RPZ license on any Grid member in the Grid in order to create RPZ rules based on the TAXII messages. To allow a group to access the TAXII service, you can enable the group to authenticate with the TAXII server.
To enable a group to access the TAXII server:
3. Save the configuration.
NIOS supports an arbitrary set of RPZ rules mapped to the corresponding TAXII collection. To map an RPZ with a TAXII collection:
You can do the following in this tab:
Figure 42.3 Mapping RPZs with TAXII Collection
Figure 42.4 RPZ Rules created for the Mapped RPZ and Collection
To start the TAXII service:
1. From the Grid tab, select the Services tab -> TAXII_member check box and then click the Start icon from the vertical Toolbar.
To stop the TAXII service:
1. From the Grid tab, select the Services tab -> TAXII_member check box and then click the Stop icon from the vertical Toolbar.
You can define extensible attributes that are specific to the TAXII service. When you define TAXII-specific extensible attributes, the RPZ rules created will have these attributes and their corresponding values (received in the TAXII messages) added automatically.
For information about how to configure extensible attributes, see Managing Extensible Attributes.
Table 42.3 Extensible attributes for TAXII service
The name of the TAXII collection the TAXII client delivered the message to.
The IP address of the TAXII client that sent the TAXII message.
The TAXII Grid member that received the TAXII message which resulted in the creation of the RPZ rule.
The timestamp when the TAXII message was received.
The login name that the TAXII client used to connect to the TAXII server on the member that received the message.
You can monitor the status of the TAXII server, as described in Monitoring Grid Services. If there are any invalid TAXII messages, the appliance makes a syslog entry. For information, see Viewing RPZ in the Syslog. The appliance also sends an SNMP trap and an email notification, if configured. For information about setting SNMP and email notification, see Setting SNMP and Email Notifications.