Farsight's Advanced Exchange Access, part 1 of 3
By Mike Schiffman
Introduction: The Quis, Quid, and Cur of AXA
This article is the first in a three-part blog series intended to introduce and acquaint the user with Farsight's AXA suite of tools and library code. It is the "who, what, and why" introduction to AXA.
Farsight Advanced Exchange Access
Advanced Exchange Access (AXA) is a suite of tools and library code that brings the capabilities of the Farsight Security Information Exchange (SIE) right to a remote user's network. For a proper introduction to AXA, we first need to learn a bit about SIE.
Farsight Security Internet Exchange
Farsight's cup of tea is real-time security relevant telemetry data. Lots and lots of it. At break-neck speeds. SIE is a highly scalable, data-sharing platform that collects, aggregates, processes and re-broadcasts telemetry data – all in real-time. More concisely, SIE can be thought of as a data clearinghouse enabling contributors and consumers to efficiently share Internet telemetry. The data flowing through SIE includes telemetry representative of real-time observations and threat-oriented feeds from a variety of sources, including:
- Passive DNS data from Farsight's massive global sensor array
- Darknet scan logs
- Spam data
- Phishing data
- Malware data
- Sanitized Firewall and IDS log data
- Conficker sinkhole activity
- Farsight's Newly Observed Domains
- Farsight's Newly Active Domains
All of this data is delivered as directly broadcast UDP datagrams inside our geographically disparate SIE data centers. Each data source is segregated into its own VLAN – a "channel" in Farsight's parlance. The raw intensity of the data flow in each channel varies depending on the data source and external factors (some flows are predictably diurnal while others are sensitive to external influences). Some channels are extremely low bandwidth, averaging 1.5 Kbps, while our raw passive DNS channel averages 410 Mbps with peaks hovering at 650 Mbps. All in all, there is a superabundant amount of real-time data lighting up the SIE network exchanges.
How can you, the battle-hardened security analyst, consultant, engineer, or level 17 packet prestidigitator, gain access to this treasure trove of data? Traditionally, subscribers would co-locate a Linux host inside one of our SIE data centers. While this gives terrific performance and premium access to data, it is not always convenient for customers.
There is another way.
Farsight SIE Remote Access
SIE Remote Access (SRA) is Farsight's software solution for making SIE content available to remote users. SRA enables SIE channel traffic to be delivered through a TCP stream across the Internet. To reduce the bitrates, SRA gives subscribers the ability to invoke a server-side filtering capability across a set of channels, selecting only the subset of records that match specific domain name / IP address search criteria.
The Advanced Exchange Access suite of tools and library code is the software that implements Farsight's SRA service.
AXA, what's in the box?
The AXA suite consists of two Unix command line tools and one C library that daring developers such as yourself can use to build custom SRA applications.
sratool is the AXA Swiss Army Knife. It is a versatile tool used to test, debug, or stream AXA connections. It connects to an SRA server, sends protocol messages and displays the responses. It can also tunnel SIE data like
sratunnel transfers selected SIE data from the remote server to the local network. The connection to the server is created and restored after problems, with binary exponential delays between retries.
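The reconnect behaviour described for sratunnel is a standard pattern, and the following added example (not sratunnel's or libaxa's own code) shows its shape: each failed connection attempt doubles the wait before the next one, up to a cap, so a server that is down is not hammered at full speed. The base delay, cap and attempt limit are assumed values, and the flaky server is a constructed stand-in so the example runs offline.

```python
import time
from typing import Callable, List, Tuple


class ConnectError(Exception):
    """Raised when the retry budget is exhausted."""


def backoff_delay(attempt: int, base: float = 1.0, cap: float = 60.0) -> float:
    """Seconds to wait after failure number `attempt` (0-based): base * 2**attempt, capped.

    With base=1 and cap=60 the sequence is 1, 2, 4, 8, 16, 32, 60, 60, ...
    """
    return min(cap, base * (2 ** attempt))


def connect_with_retry(connect: Callable[[], object], max_attempts: int = 8,
                       base: float = 1.0, cap: float = 60.0,
                       sleep: Callable[[float], None] = time.sleep) -> Tuple[object, List[float]]:
    """Call connect() until it succeeds, sleeping with binary exponential delays between failures.

    Returns (connection, delays_slept). Raises ConnectError after max_attempts failures.
    `sleep` is injectable so tests can run without actually waiting.
    """
    delays: List[float] = []
    for attempt in range(max_attempts):
        try:
            return connect(), delays
        except OSError as err:                     # refused, reset, unreachable, ...
            if attempt + 1 == max_attempts:
                raise ConnectError(f"gave up after {max_attempts} attempts: {err}") from err
            delay = backoff_delay(attempt, base, cap)
            delays.append(delay)
            sleep(delay)
    raise ConnectError("no connection attempts were allowed")


def flaky_server(failures: int) -> Callable[[], str]:
    """Constructed stand-in for a server that refuses `failures` connections, then accepts."""
    state = {"calls": 0}

    def connect() -> str:
        state["calls"] += 1
        if state["calls"] <= failures:
            raise ConnectionRefusedError("simulated refusal")
        return f"connected on attempt {state['calls']}"

    return connect


if __name__ == "__main__":
    conn, waited = connect_with_retry(flaky_server(3), sleep=lambda s: print(f"sleeping {s}s"))
    print(conn, "after delays", waited)
```

A production client would usually add random jitter to each delay so that many clients reconnecting after the same outage do not retry in lockstep; that is left out here so the delay sequence stays easy to check.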
libaxa is the C programming library that exposes the AXA API to the
OK, I'm in, where can I get it?
The AXA suite is available for download on Farsight's GitHub AXA page and available as Debian packages on our Debian package server.
I've got the tools, how can I get some data?
You need to sign up. We offer several options for accessing our data, including a grant program for those that qualify. Reach out to us!
We learned that Farsight's SIE network is an aggregation point for a multitude of mysterious and powerful real-time data feeds. We understood that traditional methods of connecting into SIE are not for the faint of heart and require a bare-metal machine to be installed at the exchange. We then learned, to our delightful amazement, that there exists a mystical software-based solution, called AXA, that enables SIE data to be delivered right to the user's network edge.
Next up in the series will be a detailed discussion of the two workhorse tools in the AXA suite,
Mike Schiffman is a Senior Distributed Systems Engineer for Farsight Security, Inc.