Hi Everyone,

Not sure if you remember, but a few months ago, I made the following thread on here titled: "Firewall Web Services Research Thesis Applicability to the OpenStack Project" (http://lists.openstack.org/pipermail/openstack-dev/2014-May/034575.html)

To provide a recap, this is a thesis that I am researching, and examines the potential advantages of exposing a host's firewall via a web service. The purpose of which is to improve the security of IaaS environments by now providing the ability for external security appliances, such as vulnerability scanners and IDS's, the ability to dynamically (and perhaps automatically) respond to incidents and close open ports to problematic virtual machines. My thesis examines the perspective of the "infrastructure administrator", as opposed to the "domain administrator".

At the time I made the initial post, I was actively writing my thesis, and I am happy to report that it is effectively "done". You can download the PDF here: https://docs.google.com/file/d/0B7WyzOL96X9QWDl6R3RqRE0tMWc/edit

I have a section that specifically mentions OpenStack (Page 44, Section 5.3). Please review that section and let me know if it accurately and properly describes the OpenStack effort and corresponding projects (FWaaS, and Neutron). Of course, if you find any issues, please don't hesitate to point them out.

Below are screen-videos showcasing my thesis in action:

1.) Demo 1: Adding new rules/policies and manipulating traffic
https://docs.google.com/file/d/0B7WyzOL96X9QU0dQa0xEekFxVlk/edit

2.) Demo 2: Same as Demo 1, but showcasing platform independence by applying rules to a Windows Server 2008 R2 VM
https://docs.google.com/file/d/0B7WyzOL96X9QMnRaZXBhU1FFc28/edit

3.) Sample OpenVAS Scenario where a VM can --only-- operate an HTTP server on port 80. Any other server that is detected is a violation of policy and would need to be blocked.
https://docs.google.com/file/d/0B7WyzOL96X9QYXdFdC1XbHp2R3M/edit

4.) OpenVAS Heartbleed Demo (as described above):
https://docs.google.com/file/d/0B7WyzOL96X9QMzRMR1UzX09vRDA/edit

5.) Earlier prototype of my thesis working with XEN instead of KVM:
https://docs.google.com/file/d/0B7WyzOL96X9QTVowem1ZYjJrRWM/edit

I would be happy to answer any questions you may have.

Thank You

--
Mike Grima, RHCE
