Four-Layer Architecture
Built for Collective Defence
From 180+ Alliance member telemetry to automated firewall enforcement — understand how the OneFirewall platform ingests, validates, enriches and distributes actionable threat intelligence in near real time.
The Four-Layer Model
Every component in the OneFirewall stack serves a specific role — from raw telemetry collection to automated enforcement at the network edge. No manual steps. No stale feeds. No integration friction.
Alliance Member Network — Collective Telemetry
The foundation of OneFirewall is a trusted network of 180+ member organisations spanning finance, telecommunications, critical national infrastructure, cloud providers, and MSSPs. Each member contributes threat observations — malicious IPs, domains, URLs, file hashes — validated through a shared trust framework aligned with the Cyber Threat Alliance (CTA) standards.
- Crowd-sourced indicators from diverse sectors provide cross-industry attack visibility
- Multi-member validation reduces false positives and increases confidence scoring
- Members earn OFA Tokens for quality submissions, incentivising timely reporting
- CTA membership (since 2020) extends telemetry reach to global threat-sharing ecosystems
Intelligence Platform — Enrichment & Scoring
Raw telemetry enters the OneFirewall Intelligence Platform where it is validated, deduplicated, enriched, and scored. The platform outputs structured STIX 2.1 objects and assigns a Crime Score (0–1000) to each indicator, making intelligence immediately actionable without manual transformation.
- STIX 2.1 enrichment: indicator, observed-data, attack-pattern, threat-actor, relationship objects
- MITRE ATT&CK mapping across 20+ techniques: T1595, T1566, T1110, T1046, T1071, T1498
- ASN and geolocation enrichment for network-level context
- Crime Score decay modeling — indicators age and reflect infrastructure churn
- Sector telemetry tagging — identify which industries are being targeted
- Historical score timeline for trend and dwell time analysis
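To make the enrichment step concrete, here is an added example (not OneFirewall's code) that builds the kind of STIX 2.1 bundle the platform is described as emitting: one indicator for an IPv4 address, an attack-pattern object per mapped MITRE ATT&CK technique, and an "indicates" relationship joining them. The STIX object layout and the MITRE technique names are the public standards; the custom property name carrying the Crime Score and the scaling of Crime Score to STIX confidence are assumptions, since the page does not show how the platform encodes them. The input validation before building the pattern string is the point a practitioner should carry away: a member-submitted value must be parsed as an address before it is interpolated into the pattern language.

```python
import ipaddress
import json
import uuid
from datetime import datetime, timezone

# Public MITRE ATT&CK names for the technique IDs this page lists.
ATTACK_NAMES = {
    "T1595": "Active Scanning",
    "T1595.002": "Active Scanning: Vulnerability Scanning",
    "T1566": "Phishing",
    "T1566.001": "Phishing: Spearphishing Attachment",
    "T1110": "Brute Force",
    "T1046": "Network Service Discovery",
    "T1071": "Application Layer Protocol",
    "T1498": "Network Denial of Service",
}


def stix_id(obj_type):
    """STIX 2.1 identifiers have the form '<type>--<UUIDv4>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def stix_timestamp(dt):
    """RFC 3339 UTC timestamp with millisecond precision, as STIX requires."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_indicator(ip, crime_score, now):
    # Parse strictly before interpolating: a raw member-submitted string must
    # never reach the STIX pattern unvalidated.
    addr = ipaddress.IPv4Address(ip)
    ts = stix_timestamp(now)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": stix_id("indicator"),
        "created": ts,
        "modified": ts,
        "name": f"Malicious IPv4 {addr}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{addr}']",
        "pattern_type": "stix",
        "valid_from": ts,
        # Assumption: STIX confidence (0-100) derived by scaling the 0-1000 Crime Score.
        "confidence": min(100, int(crime_score) // 10),
        # Assumption: custom property name; the page does not show how the score is carried.
        "x_onefirewall_crime_score": int(crime_score),
    }


def make_attack_pattern(technique_id, now):
    ts = stix_timestamp(now)
    return {
        "type": "attack-pattern",
        "spec_version": "2.1",
        "id": stix_id("attack-pattern"),
        "created": ts,
        "modified": ts,
        "name": ATTACK_NAMES.get(technique_id, technique_id),
        "external_references": [{
            "source_name": "mitre-attack",
            "external_id": technique_id,
            "url": f"https://attack.mitre.org/techniques/{technique_id.replace('.', '/')}/",
        }],
    }


def make_relationship(source, target, now):
    ts = stix_timestamp(now)
    return {
        "type": "relationship",
        "spec_version": "2.1",
        "id": stix_id("relationship"),
        "created": ts,
        "modified": ts,
        "relationship_type": "indicates",
        "source_ref": source["id"],
        "target_ref": target["id"],
    }


def build_bundle(ip, crime_score, technique_ids, now=None):
    """Indicator plus one attack-pattern and one 'indicates' relationship per technique."""
    now = now or datetime.now(timezone.utc)
    indicator = make_indicator(ip, crime_score, now)
    objects = [indicator]
    for tid in technique_ids:
        ap = make_attack_pattern(tid, now)
        objects.append(ap)
        objects.append(make_relationship(indicator, ap, now))
    return {"type": "bundle", "id": stix_id("bundle"), "objects": objects}


def summarise(bundle):
    """Count objects by type: a quick check of what a SIEM will ingest."""
    counts = {}
    for obj in bundle["objects"]:
        counts[obj["type"]] = counts.get(obj["type"], 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample matching the page's data-flow walkthrough.
    bundle = build_bundle("198.51.100.42", 347, ["T1595.002", "T1566.001"])
    print(json.dumps(bundle, indent=2))
    print(summarise(bundle))
```

Run as a script it prints the bundle; a SIEM with direct STIX 2.1 ingestion would consume exactly this JSON. Note that the bundle itself carries no `spec_version` in STIX 2.1; each object does.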
WCF Agent — World Crime Feeds Distribution
The World Crime Feeds (WCF) Agent is a lightweight, platform-agnostic distribution component deployed at the customer site. It continuously synchronises enforcement-ready intelligence from the OneFirewall API to connected security devices. Updates are delta-based — only changed indicators are transferred, minimising bandwidth and processing overhead.
- Containerised deployment (Docker / VM) — minimal footprint, no agent sprawl
- Supports pull and push synchronisation modes; configurable update intervals
- All traffic encrypted over TLS 1.3 with mutual authentication
- Translates intelligence into native formats: ACL, IP-reputation lists, TAXII 2.1, JSON, CSV
- OneDevice series: purpose-built hardware appliance with integrated WCF Agent
Enforcement Layer — Automated Blocking at the Edge
The final layer is where intelligence becomes action. Connected security controls — firewalls, IPS, WAF, SIEM, XDR, cloud policy engines — receive updated rule sets and block or alert on indicators matching the configured Crime Score threshold (Alliance baseline: score ≥ 190).
Enterprise Firewalls
Checkpoint, FortiGate, Palo Alto, Sophos, SonicWall, Forcepoint, pfSense
Cloud & Network
AWS WAF, GCP Cloud Armor, Cloudflare, Cisco IOS, HAProxy, InfoBlox
IPS & WAF
Apache ModSecurity, AWS CloudFront, Windows Defender, GCP Cloud Armor
SIEM & Analytics
IBM QRadar, Splunk, Elastic SIEM, Trellix — direct STIX 2.1 ingestion
End-to-End Data Flow
From a member reporting a malicious IP to your firewall blocking it — under five minutes, fully automated.
# Step 1 — Member submits indicator
POST /api/v1/report
{ "type": "ipv4-addr", "value": "198.51.100.42", "confidence": "high", "sector": "finance" }

# Step 2 — Platform validates & enriches
→ Multi-member cross-validation
→ STIX 2.1 object generated
→ Crime Score: 347 (above threshold)
→ MITRE mapping: T1595.002, T1566.001

# Step 3 — WCF Agent pulls delta
GET /api/v1/feed/delta?since=last_sync
→ 1 new indicator, 0 removed

# Step 4 — Enforcement rule pushed
→ FortiGate: address object updated
→ QRadar: STIX bundle ingested
→ Blocked in 4m 22s total
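Steps 3 and 4 of the flow, the delta pull and the translation into a native enforcement format, are shown below as an added example. It is not the WCF Agent's code: the page does not publish the delta response schema, so the `added`, `removed` and `until` fields and the local state layout are assumptions, and the Cisco IOS style ACL and CSV renderings stand in for whatever templates the agent actually uses. The behaviour worth noting is that a delta is validated in full before any of it is applied, that a re-scored indicator overwrites its previous score, and that only indicators at or above the Alliance baseline (score ≥ 190) are rendered for enforcement, so an indicator that is demoted below the baseline silently drops out of the next push.

```python
import csv
import io
import ipaddress
import json

# Alliance baseline enforcement threshold stated on this page.
THRESHOLD = 190

# Constructed local agent state after the previous sync (not real feed data).
LOCAL_STATE = {
    "since": "2024-05-01T10:00:00Z",
    "indicators": {
        "203.0.113.7": 512,   # high confidence, already enforced
        "198.51.100.9": 230,  # about to be removed by the delta
        "192.0.2.77": 120,    # below baseline: observed, never pushed to the firewall
    },
}

# Constructed delta response. Assumption: the real /api/v1/feed/delta schema is not
# shown on the page; 'added', 'removed' and 'until' are names chosen for this example.
DELTA = json.loads("""
{
  "since": "2024-05-01T10:00:00Z",
  "until": "2024-05-01T10:05:00Z",
  "added": [
    {"type": "ipv4-addr", "value": "198.51.100.42", "crime_score": 347}
  ],
  "removed": ["198.51.100.9"]
}
""")


def validate_delta(delta):
    """Reject a malformed delta before touching local state: a feed update
    must apply atomically or not at all."""
    if "until" not in delta:
        raise ValueError("delta lacks an 'until' watermark")
    for item in delta.get("added", []):
        if item.get("type") != "ipv4-addr":
            raise ValueError(f"unsupported indicator type: {item.get('type')!r}")
        ipaddress.IPv4Address(item["value"])  # raises ValueError on non-IPv4 text
        score = int(item["crime_score"])
        if not 0 <= score <= 1000:
            raise ValueError(f"crime_score out of range: {score}")
    for value in delta.get("removed", []):
        ipaddress.IPv4Address(value)


def apply_delta(state, delta):
    """Return the new state: added entries upsert (a re-scored indicator
    overwrites its old score), removed entries drop, the watermark advances."""
    validate_delta(delta)
    indicators = dict(state["indicators"])
    for item in delta.get("added", []):
        indicators[item["value"]] = int(item["crime_score"])
    for value in delta.get("removed", []):
        indicators.pop(value, None)
    return {"since": delta["until"], "indicators": indicators}


def enforceable(state, threshold=THRESHOLD):
    """Only indicators at or above the threshold reach the enforcement layer."""
    return sorted(ip for ip, score in state["indicators"].items() if score >= threshold)


def render_acl(ips, acl_number=110):
    """Cisco IOS style extended ACL (illustrative; the agent's real templates
    are not on the page). The trailing permit keeps the ACL deny-by-list only."""
    lines = [f"access-list {acl_number} deny ip host {ip} any" for ip in ips]
    lines.append(f"access-list {acl_number} permit ip any any")
    return "\n".join(lines)


def render_csv(state, threshold=THRESHOLD):
    """CSV export that keeps the score, so a SIEM can apply its own band logic."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["value", "crime_score"])
    for ip in enforceable(state, threshold):
        writer.writerow([ip, state["indicators"][ip]])
    return buf.getvalue()


if __name__ == "__main__":
    new_state = apply_delta(LOCAL_STATE, DELTA)
    print(render_acl(enforceable(new_state)))
    print(render_csv(new_state))
```

The `since` watermark is taken from the server's `until`, not from the agent's clock, so a retried pull after a failed apply asks for the same window again rather than skipping indicators.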
Intelligence API Endpoints
- GET /api/v1/intel/<IPv4> — consolidated enrichment
- GET /api/v1/feed/delta — incremental feed sync
- GET /api/v1/stix/bundle — TAXII-compatible STIX bundle
- POST /api/v1/report — submit new indicator
Crime Score Enforcement Bands
- 0 – 189 — Observe / log only
- 190 – 499 — Alliance baseline: block
- 500 – 799 — High confidence: block + alert SOC
- 800 – 1000 — Critical: block, alert, threat hunt
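The bands above only matter in combination with the decay described under Crime Score decay modelling and in the Decay & Expiry Policy section: an indicator's effective score falls as its last sighting ages, and that can move it across a band boundary. The following added example (not the platform's code) applies the four bands exactly as listed and combines them with an exponential half-life decay. The page states that indicators decay from last-seen confidence but gives no formula, so the half-life model and the 14-day placeholder are assumptions; the constructed sample shows a reported score of 347 that is still enforced when fresh, demoted to observe-only after four weeks of silence, and a critical 900 that drops to the baseline block band after one half-life.

```python
from datetime import datetime, timedelta, timezone

# Enforcement bands exactly as listed on this page (inclusive ranges).
BANDS = [
    (0, 189, "observe / log only"),
    (190, 499, "block"),
    (500, 799, "block, alert SOC"),
    (800, 1000, "block, alert, threat hunt"),
]

ALLIANCE_BASELINE = 190


def band_for(score):
    """Map a Crime Score to its enforcement action; out-of-range input is clamped."""
    score = max(0, min(1000, int(score)))
    for low, high, action in BANDS:
        if low <= score <= high:
            return action
    raise ValueError("bands do not cover 0-1000")  # unreachable with the table above


def decayed_score(base_score, last_seen, now, half_life_days=14.0):
    """Assumed exponential half-life decay. The page says indicators decay with
    last-seen confidence but does not give the formula; 14 days is a placeholder."""
    age_days = max(0.0, (now - last_seen).total_seconds() / 86400)
    return int(round(base_score * 0.5 ** (age_days / half_life_days)))


def evaluate(indicator, now, threshold=ALLIANCE_BASELINE):
    """Effective score, band action and whether the indicator is still enforced."""
    score = decayed_score(indicator["crime_score"], indicator["last_seen"], now)
    return {
        "value": indicator["value"],
        "reported": indicator["crime_score"],
        "score": score,
        "action": band_for(score),
        "enforce": score >= threshold,
    }


# Constructed sample: a fresh sighting, a stale one, and a critical one one half-life old.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"value": "198.51.100.42", "crime_score": 347, "last_seen": NOW},
    {"value": "203.0.113.7", "crime_score": 347, "last_seen": NOW - timedelta(days=28)},
    {"value": "192.0.2.77", "crime_score": 900, "last_seen": NOW - timedelta(days=14)},
]


def evaluate_all(indicators, now=NOW):
    return [evaluate(i, now) for i in indicators]


if __name__ == "__main__":
    for row in evaluate_all(SAMPLE):
        print(f"{row['value']:<16} reported={row['reported']:>4} now={row['score']:>4} "
              f"enforce={row['enforce']!s:<5} {row['action']}")
```

The stale 203.0.113.7 entry is the case the decay policy exists for: the same reported score that blocks when fresh becomes observe-only once the infrastructure has plausibly been reclaimed, so the agent stops pushing it without anyone having to curate the list by hand.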
Security & Compliance Design
The OneFirewall architecture is designed with security-by-design principles — every data path is encrypted, every component is authenticated, and deployment options span cloud, hybrid, and air-gapped environments.
TLS 1.3 Everywhere
All API calls, agent synchronisation, and dashboard sessions are encrypted with TLS 1.3. Mutual authentication prevents spoofed agent connections.
Token-Based Auth
Bearer token authentication with per-member scoped API keys. Keys support expiry, rotation, and scope limitation to read-only or submit-only roles.
On-Prem & Private Cloud
WCF Agent operates in fully offline or proxied modes for air-gapped environments. Proof of Value VM supports private cloud evaluation without cloud dependency.
Cyber Essentials Certified
OneFirewall Alliance holds Cyber Essentials certification, validating baseline security controls across access management, patch management, and network boundary defence.
Privacy-Preserving Sharing
Member telemetry is anonymised at submission — no customer PII or internal network topology is shared with other alliance members.
Decay & Expiry Policy
Indicators decay over time based on last-seen confidence. Stale IPs are automatically demoted, preventing over-blocking of reclaimed infrastructure.
Ready to Deploy the Full Stack?
Speak with a OneFirewall architect to design your deployment — from WCF Agent sizing to SIEM integration and enforcement policy configuration.