The architecture of the WARDEN system is that of the client – server type. The Warden system consists of a server, receiving clients and sending clients. The server, on request of receiving clients, distributes new (previously undistributed) events fed to the server by sending clients.
Each entity/network that wishes to feed data into the WARDEN system should have a so called sending client. Each entity/network that wishes to receive data from the WARDEN system should have a so called receiving client. The server (the centre) ensures the data reception and storage as well as the interface for the access to data stored. Data which the clients send into the centre will be referred to as events. Events are sent by the clients after authentication; the access to the centre is also authenticated. X.509 is used for the authentication.
Entities/networks involved feed the centre events from various data sources. These may be within the entity/network, i.e. data from detection system operated within the entity/network and monitoring network and service traffic in the network concerned (IDS, honeypots …), or the third party sources (like Shadowserver, Honeynet, various blacklists), or even the aggregated or correlated data. There are of course the ways to distinct these cases.
An event fed in by a participating entity into the centre is the information about various facets of attack in form of IDEA structured event.
Each entity participating in the system may receive data from the Warden system (through a receiving client). The server (centre) provides participating entities with unmodified received events. The server sends the client only events so far unsent, or a notification that there is no new (unsent) event on the server.
Participating entities may use data obtained from Warden as necessary to ensure security of their own network and services provided.