Hi Mike,

Thanks for your interest in OpenStack and Neutron. Are there any published papers you can point us to? It may be easier to understand your work by reading/reviewing your papers.

Best,
Mohammad

From: Mike Grima <mike.r.gr...@gmail.com>
To: openstack-dev@lists.openstack.org
Date: 05/06/2014 09:21 PM
Subject: [openstack-dev] [Neutron][FWaaS]Firewall Web Services Research Thesis Applicability to the OpenStack Project

Hi Everyone,

I am an Information Security grad student, and I am wrapping up a thesis on exposing host firewall capabilities via web services for KVM virtual machines. The purpose of which is to:

A. Make the firewall management of KVM virtual machines easier to perform on the host (from the KVM administrator’s perspective)
B. Provide the ability to enforce network security policies on hosted virtual machines via the host’s firewall.
C. Provide the ability for future security appliances and vulnerability scanners to leverage the exposed web services to close network security vulnerabilities on hosted virtual machines (via modification of the host’s firewall rules). This can allow security appliances to automatically respond to security incidents as they occur.

I just recently stumbled upon the OpenStack project, and noticed the Firewall as a Service (FWaaS) plugin and documentation that has been developed this past year. There are a lot of similarities to my thesis, and I would like to know if some of the research I have performed could be of value to the OpenStack project. Perhaps they could be useful in the development of use cases, or maybe inspire future ideas for enhancements and features?

I am still in the process of wrapping up the thesis, so I would like to avoid posting it for the time being. However, once I have completed the write-up, I would be more than happy to share it with the OpenStack community.

I have recorded screen videos showcasing the above three points in action. Perhaps the most relevant to recent events is the 4th video, which showcases how FWaaS (in general, not the OpenStack plugin) could be used by OpenVAS (in this case) to detect virtual machines that are vulnerable to Heartbleed, and immediately issue a command to the web service to close access to the HTTPS port.

The web-services are being exposed via a Java Jetty web server running on the KVM host itself. I made a Java client app for interfacing with the web services.

Below are the videos:

1.) Demo 1: Adding new rules/policies and manipulating traffic
https://docs.google.com/file/d/0B7WyzOL96X9QU0dQa0xEekFxVlk/edit

2.) Demo 2: Same as Demo 1, but showcasing platform independence by applying rules to a Windows Server 2008 R2 VM
https://docs.google.com/file/d/0B7WyzOL96X9QMnRaZXBhU1FFc28/edit

3.) Sample OpenVAS Scenario where a VM can --only-- operate an HTTP server on port 80. Any other server that is detected is a violation of policy and would need to be blocked.
https://docs.google.com/file/d/0B7WyzOL96X9QYXdFdC1XbHp2R3M/edit

4.) OpenVAS Heartbleed Demo (as described above):
https://docs.google.com/file/d/0B7WyzOL96X9QMzRMR1UzX09vRDA/edit

5.) Earlier prototype of my thesis working with XEN instead of KVM:
https://docs.google.com/file/d/0B7WyzOL96X9QTVowem1ZYjJrRWM/edit

Please let me know if the above could prove useful for the OpenStack project. Concurrence from you guys would be helpful in illustrating the significance of my research.

Thank You,
Mike Grima, RHCE

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev