What does DXL do?

The Trellix Data Exchange Layer (DXL) framework allows bi-directional communication between endpoints on a network. This technology connects multiple products and applications, shares data, and orchestrates security tasks using a real-time application framework called the Data Exchange Layer fabric. DXL receives and sends encrypted messages over the fabric to track activity, risks, and threats and takes action in real time. McAfee Data Exchange Layer (DXL) is installed as a McAfee ePO extension. This technology stores data in Microsoft Structured Query Language (SQL) Server and PostgreSQL databases. Trellix acquired this technology in March 2021.

The TRM decisions in this entry only apply to technologies and versions owned, operated, managed, patched, and version-controlled by VA. This includes technologies deployed as software installations on VMs within VA-controlled cloud environments (e.g., VA Enterprise Cloud (VAEC)). Cloud services provided by the VAEC, which are listed in the VAEC Service Catalog, and those controlled and managed by an external Cloud Service Provider (i.e., SaaS) are not in the purview of the TRM. For more information on the use of cloud services and cloud-based products within VA, including VA private clouds, please see the Enterprise Cloud Solutions Office (ECSO) Portal at: https://dvagov.sharepoint.com/sites/OITEPMOECSO

Technology/Standard Usage Requirements: Users must ensure their use of this technology/standard is consistent with VA policies and standards, including, but not limited to, VA Handbooks 6102 and 6500; VA Directives 6004, 6513, and 6517; and National Institute of Standards and Technology (NIST) standards, including Federal Information Processing Standards (FIPS). Users must ensure sensitive data is properly protected in compliance with all VA regulations.
Prior to use of this technology, users should check with their supervisor, Information Security Officer (ISO), Facility Chief Information Officer (CIO), or local Office of Information and Technology (OI&T) representative to ensure that all actions are consistent with current VA policies and procedures prior to implementation.

Section 508 Information: This technology has not been assessed by the Section 508 Office. The Implementer of this technology has the responsibility to ensure the version deployed is 508-compliant. Section 508 compliance may be reviewed by the Section 508 Office and appropriate remedial action required if necessary. For additional information or assistance regarding Section 508, please contact the Section 508 Office at Section508@va.gov.

DXL communicates with services, databases, endpoints, and applications. The DXL client is installed on each managed endpoint, and connects to a DXL broker. The connected brokers create a fabric, or framework, so that information can be shared immediately with all other services and devices. For example:

If a security administrator stops a threat using McAfee® Active Response, the threat information is sent in real time via DXL to all connected clients, isolating and stopping it from spreading.

If a security administrator changes the reputation of a file or process using McAfee® Threat Intelligence Exchange (TIE), that change can be applied to a single system, or sent to all connected clients to take effect immediately.

Brokers

DXL brokers are installed on managed systems and route messages between connected clients, effectively allowing the client to connect to the DXL. Examples of connected clients are the Threat Intelligence Exchange module, the Active Response server, or third-party products using OpenDXL. Brokers can be installed on a virtual appliance through an .ova file or any Linux system running Red Hat or CentOS.

The network of brokers tracks active consumers (clients that use DXL) and dynamically adjusts the message routing as needed. When a client requests a service, or when an update is broadcast, brokers relay these messages to listeners or receivers. Brokers can be organized into hubs and service zones to provide failover protection and message routing preferences.

DXL clients maintain a persistent connection to their brokers regardless of their location. Even if a managed endpoint running the DXL client is behind a NAT (network address translation) boundary, it can receive updated threat information from its broker located outside the NAT.

DXL Fabric

The DXL fabric consists of connected DXL clients and brokers. It enables bidirectional communication, allowing connected security components to share relevant data between endpoint, network, and other security systems. It also allows automated responses, greatly reducing response time and improving containment of threats. To share information and services across separate fabrics, you can bridge DXL fabrics that are managed by different McAfee® ePolicy Orchestrator® (McAfee® ePO™) servers.

Broker hubs

A broker hub is a configuration of one or two brokers that provides failover protection in a multi-broker environment. If a hub has two brokers, both act simultaneously. If one is unavailable, the other continues to function.

Clients

A client is any device that connects to the DXL fabric and does not route messages (as a broker does). Clients receive and process messages from the brokers. Examples of clients are the Threat Intelligence Exchange module and Active Response.

Service zones

Service zones are groups of brokers that allow you to control how requests are routed on the fabric. You can organize brokers and hubs into service zones to determine how services are used. For example, if you have multiple TIE servers and brokers in different geographical locations, you can create service zones that contain brokers and services. Clients connected to a broker in a service zone access services in that zone first. If those services are not available, the broker routes the request to services in other zones. If you don’t use service zones, client requests are sent to any service at any location across the fabric.

In the following example, service zones are organized into locations. When the TIE client sends a file or certificate reputation request, it tries to find a TIE server in the Portland service zone first. If a server is not available in that zone, it looks in the North America service zone, because the Portland hub is part of the North America zone. Without specifying service zones, requests might be sent to the Europe or London hub first.

DXL Topics

Topics are like the URLs of DXL. They are where a service publishes its specific methods. When a client connects to DXL, it notifies the broker of the topics it is interested in. This allows for de-coupled topic-based communication where messages are sent to topics, not specific hosts.

DXL Cloud Databus

The DXL Cloud Databus facilitates the connection of on-premise McAfee ePO servers with McAfee Cloud Bridge, which provides cloud storage and services. DXL brokers can be configured using the DXL Broker Management Extension to send data via the DXL Cloud Databus to the Cloud Bridge to support products that use this component. For example, McAfee Active Response clients send trace data from managed endpoints via DXL and the DXL Cloud Databus to the McAfee Cloud Bridge. The trace data on the Cloud Bridge is then made available to an on-premise instance of Active Response where an endpoint administrator analyzes the data, identifies issues, and remediates threats.
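
The lookup order described under Service zones above (Portland first, then North America, then anywhere on the fabric) can be traced with a small model. This is an added example, not Trellix or OpenDXL code; it is a simplified model of the behavior the page describes, and the server names, the tuple layout and the "first listed" tie-break are assumptions.

```python
# Simplified model of service-zone lookup order; not Trellix's routing code.
# Zone nesting mirrors the page's example: each zone maps to its enclosing zone.
ZONE_PARENT = {
    "Portland": "North America",
    "North America": None,
    "London": "Europe",
    "Europe": None,
}


def zone_chain(zone):
    """Return the zone followed by every zone that encloses it, innermost first."""
    chain = []
    while zone is not None:
        if zone in chain:
            raise ValueError(f"zone cycle detected at {zone!r}")
        chain.append(zone)
        zone = ZONE_PARENT[zone]  # KeyError on an undefined zone is intentional
    return chain


def route_request(client_zone, services):
    """Choose a service for a request from a client whose broker is in client_zone.

    services: list of (name, zone, available) tuples (constructed sample data).
    client_zone=None models a fabric with no service zones configured.
    Returns (service_name, matched_zone); matched_zone is None when the request
    left the client's zones. Returns None when no service is available.
    """
    available = [(name, zone) for name, zone, up in services if up]
    for preferred in (zone_chain(client_zone) if client_zone else []):
        for name, svc_zone in available:
            # A service counts as "in" a zone if it sits there or in a nested zone.
            if preferred in zone_chain(svc_zone):
                return name, preferred
    # No match in the client's zones: any available service on the fabric
    # (first listed here, to keep the model deterministic).
    return (available[0][0], None) if available else None


if __name__ == "__main__":
    # Constructed TIE server inventory; names are hypothetical.
    tie = [("tie-london", "London", True),
           ("tie-na", "North America", True),
           ("tie-portland", "Portland", False)]
    print(route_request("Portland", tie))  # Portland is down: North America answers
    print(route_request(None, tie))        # no zones: London may be chosen first
```

A `matched_zone` of `None` marks requests that were served outside the client's own zones, which is the case to watch when reputation lookups should stay within a region.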