Communication between clients on the DXL fabric is based on sending “messages” to a “topic.” Clients do not need to know the location of the other DXL clients with which they communicate, nor their hostname, IP address, or other identifying information.
For example, if a client wanted to determine the reputation for a file, it could send a request message to the topic /mcafee/service/tie/file/reputation. A service would receive the request and send a response with the appropriate reputation information. All of this communication occurs without either party knowing the location of the other (they could be in the same building or on the other side of the world).
Connections are established from a DXL client to a DXL broker. These connections are persistent and allow for bi-directional communication. The benefits of this style of connection include:
- Firewall friendly—Clients are responsible for establishing the connection to brokers (never from a broker to a client). Therefore, we can communicate with clients that were previously unreachable. For example, a mobile client can connect to a broker exposed in a demilitarized zone (DMZ). Since the communication is bi-directional, we can now communicate with the client from McAfee server products also connected to the fabric (sending an agent wakeup for Cloud ePO, etc.).
- Near real-time communication—Communication on the DXL fabric is extremely efficient because the expense of continually establishing connections is eliminated.
Multiple Communication Models
DXL supports two different models of communication: a service-based model with point-to-point (request/response) communication and a publish/subscribe event-based model.
- Service based—The DXL fabric allows for services to be registered and exposed that respond to requests sent by invoking clients. This communication is point-to-point (one-to-one), meaning the communication is solely between an invoking client and the service that is being invoked. In this model, the client actively invokes the service by sending it requests. For example, the McAfee Threat Intelligence Exchange service is exposed via DXL, allowing DXL clients to request reputations for files and certificates.
- Event based—The DXL fabric also allows for event-based communication. This model is typically referred to as “publish/subscribe” wherein clients register interest by subscribing to a topic and publishers periodically send events to that topic. The event is delivered by the DXL fabric to all clients currently subscribed to the topic, so a single event sent can reach multiple clients (one-to-many). In this model, the client passively receives events when they are sent out by a publisher. For example, McAfee Advanced Threat Defense servers send events to the topic /mcafee/event/atd/file/report when they have successfully determined the reputation for a file. Any clients currently subscribed to this topic will receive the report (McAfee Threat Intelligence Exchange Server and McAfee Enterprise Security Manager currently subscribe to this topic).
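To make the two models concrete, here is an added example (not the page's or OpenDXL's own code) that models the fabric's routing rules in a single process: a service registered on the TIE reputation topic answers requests one-to-one, while an event published to the ATD report topic reaches every current subscriber. The Fabric class, the subscriber names and the reputation values are constructed stand-ins; brokers and the real client library are omitted.

```python
from collections import defaultdict

# Constructed in-memory stand-in for the DXL fabric's routing rules (assumption:
# brokers are omitted and everything runs in one process). Topics are those on the page.
TIE_REPUTATION_TOPIC = "/mcafee/service/tie/file/reputation"
ATD_REPORT_TOPIC = "/mcafee/event/atd/file/report"

class Fabric:
    def __init__(self):
        self._services = {}                    # request topic -> service handler
        self._subscribers = defaultdict(list)  # event topic -> subscriber callbacks

    def register_service(self, topic, handler):
        # A service claims a request topic (simplification: real DXL can load-balance
        # across several instances of the same service; here the last one wins).
        self._services[topic] = handler

    def subscribe(self, topic, callback):
        self._subscribers[topic].append(callback)

    def send_request(self, topic, payload):
        # Point-to-point: only the registered service sees the request and only the
        # requester gets the response; event subscribers are never involved.
        handler = self._services.get(topic)
        if handler is None:
            return {"error": "service unavailable", "topic": topic}
        return handler(payload)

    def send_event(self, topic, payload):
        # Publish/subscribe: each current subscriber gets a copy; returns the count.
        callbacks = list(self._subscribers.get(topic, []))
        for callback in callbacks:
            callback(payload)
        return len(callbacks)

def demo():
    fabric = Fabric()
    known = {"abc123": "KNOWN_TRUSTED"}  # constructed reputation table for the TIE stand-in
    fabric.register_service(TIE_REPUTATION_TOPIC, lambda req: {
        "hash": req["hash"], "reputation": known.get(req["hash"], "UNKNOWN")})
    received = []  # records which subscriber saw the ATD report event
    fabric.subscribe(ATD_REPORT_TOPIC, lambda ev: received.append("tie-server:" + ev["hash"]))
    fabric.subscribe(ATD_REPORT_TOPIC, lambda ev: received.append("esm:" + ev["hash"]))
    reply = fabric.send_request(TIE_REPUTATION_TOPIC, {"hash": "abc123"})
    unknown = fabric.send_request(TIE_REPUTATION_TOPIC, {"hash": "zzz999"})
    missing = fabric.send_request("/mcafee/service/not/registered", {"hash": "abc123"})
    delivered = fabric.send_event(ATD_REPORT_TOPIC, {"hash": "abc123", "reputation": "KNOWN_MALICIOUS"})
    return reply, unknown, missing, delivered, received
```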