en:architecture

Differences

en:architecture [28.11.2014 14:27]
trestikv@cesnet.cz
en:architecture [11.07.2017 12:04] (current)
ph@cesnet.cz Removed map, it's on the main page
Line 5: Line 5:
 Each entity/​network that wishes to feed data into the WARDEN system should have a so called //**sending client**//. Each entity/​network that wishes to receive data from the WARDEN system should have a so called //​**receiving**//​ client. The server (the centre) ensures the data reception and storage as well as the interface for the access to data stored. Data which the clients send into the centre will be referred to as //​**events**//​. Events are sent by the clients after authentication;​ the access to the centre is also authenticated. X.509 is used for the authentication. ​ Each entity/​network that wishes to feed data into the WARDEN system should have a so called //**sending client**//. Each entity/​network that wishes to receive data from the WARDEN system should have a so called //​**receiving**//​ client. The server (the centre) ensures the data reception and storage as well as the interface for the access to data stored. Data which the clients send into the centre will be referred to as //​**events**//​. Events are sent by the clients after authentication;​ the access to the centre is also authenticated. X.509 is used for the authentication. ​
  
-===== Sending events ​=====+===== System architecture ​=====
  
-Entities/​networks involved feed the centre events solely from data sources within the entity/​network,​ i.e. data from detection system operated within the entity/​network and monitoring network and service traffic in the network concerned (IDS, honeypots ...)+{{:​cs:​warden-l.png?​nolink&​800|Architektura systému Warden}}
  
-//An event// fed in by a participating entity into the centre is stateless information about the origin of the attack/ threat containing the following elements:  +===== Sending events =====
- +
-  * Name (identifier) of the service which had detected the event  +
-  * Time tag of event occurrence (detection), in GMT/UTC  +
-  * Time tag of event reception by the server, in GMT/UTC  +
-  * Type of event (attack/​threat) reported  +
-  * Address of attack/​threat source and its type (ip, domain, email) ​+
  
-==== Optional elements ====+Entities/​networks involved feed the centre events from various data sources. These may be within the entity/​network,​ i.e. data from detection system operated within the entity/​network and monitoring network and service traffic in the network concerned (IDS, honeypots ...), or the third party sources (like Shadowserver,​ Honeynet, various blacklists),​ or even the aggregated or correlated data. There are of course the ways to distinct these cases.
  
-  * Protocol of the attack/threat target  +//An event// fed in by a participating entity into the centre is the information about various facets ​of attack ​in form of [[https://idea.cesnet.cz|IDEA]] structured event.
-  * Port number ​of attack/threat target  +
-  * Attack robustness  +
-  * Note (unstructured text) +
  
 ===== Receiving events ===== ===== Receiving events =====
  
-Each entity participating in the system may receive data from the Warden system (through a receiving client). The server (centre) provides participating entities with received events ​together with event identifier, source and domain name of the station from which the event was received. The server sends the client only events so far unsent ​(one or more), or a notification that there is no new (unsent) event on the server. ​+Each entity participating in the system may receive data from the Warden system (through a receiving client). The server (centre) provides participating entities with unmodified ​received events. The server sends the client only events so far unsent, or a notification that there is no new (unsent) event on the server. ​
  
 Participating entities may use data obtained from Warden as necessary to ensure security of their own network and services provided. Participating entities may use data obtained from Warden as necessary to ensure security of their own network and services provided.
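Review bot: the new "Sending events" paragraph states that own-detection data, third-party feeds (Shadowserver, Honeynet, blacklists) and aggregated or correlated data can be told apart ("There are of course the ways to distinct these cases") but never says how; a receiving client needs that distinction to decide how much to trust or how to weight an event, so name the mechanism (the IDEA attribute or convention that carries the origin category) or link the relevant part of the IDEA description at https://idea.cesnet.cz instead of leaving it implied. In the same paragraph, "data from detection system" should read "detection systems" and "the ways to distinct" should read "ways to distinguish". The "Receiving events" change drops the explicit promise that each event is delivered together with an event identifier and the source/domain name of the originating station, replacing it with "unmodified received events"; if that information now travels inside the IDEA event itself, say so, otherwise the reader cannot tell whether it was dropped or merely moved. Finally, the image added under "System architecture" is pulled from the Czech namespace (:cs:warden-l.png) with the Czech alt text "Architektura systému Warden" on an English page; use an English alt text, and note that the edit summary "Removed map, it's on the main page" does not match the only image change visible in this hunk, which is an addition.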
  
Last modified: 28.11.2014 14:27