<html><body>
<p><font size="2" face="sans-serif">Hi Mike, Thanks for your interest in OpenStack and Neutron. Are there any published papers you can point us to? It may be easier to understand your work by reading/reviewing your papers.</font><br>
<br>
<font size="2" face="sans-serif">Best,</font><br>
<br>
<font size="2" face="sans-serif">Mohammad</font><br>
<br>
<br>
<img width="16" height="16" src="cid:1__=0ABBF642DF980C338f9e8a93df938@us.ibm.com" border="0" alt="Inactive hide details for Mike Grima ---05/06/2014 09:21:06 PM---Hi Everyone, I am an Information Security grad student, and I "><font size="2" color="#424282" face="sans-serif">Mike Grima ---05/06/2014 09:21:06 PM---Hi Everyone, I am an Information Security grad student, and I am wrapping up a thesis</font><br>
<br>
<font size="1" color="#5F5F5F" face="sans-serif">From: </font><font size="1" face="sans-serif">Mike Grima <mike.r.grima@gmail.com></font><br>
<font size="1" color="#5F5F5F" face="sans-serif">To: </font><font size="1" face="sans-serif">openstack-dev@lists.openstack.org, </font><br>
<font size="1" color="#5F5F5F" face="sans-serif">Date: </font><font size="1" face="sans-serif">05/06/2014 09:21 PM</font><br>
<font size="1" color="#5F5F5F" face="sans-serif">Subject: </font><font size="1" face="sans-serif">[openstack-dev] [Neutron][FWaaS]Firewall Web Services Research Thesis Applicability to the OpenStack Project</font><br>
<hr width="100%" size="2" align="left" noshade style="color:#8091A5; "><br>
<br>
<br>
<tt><font size="2">Hi Everyone,<br>
<br>
I am an Information Security grad student, and I am wrapping up a thesis<br>
on exposing host firewall capabilities via web services for KVM virtual<br>
machines. The purpose of which is to:<br>
A. Make the firewall management of KVM virtual machines easier to<br>
perform on the host (from the KVM administrator’s perspective)<br>
B. Provide the ability to enforce network security policies on<br>
hosted virtual machines via the host’s firewall.<br>
C. Provide the ability for future security appliances and<br>
vulnerability scanners to leverage the exposed web services to<br>
close network security vulnerabilities on hosted virtual<br>
machines (via modification of the host’s firewall rules). This<br>
can allow security appliances to automatically respond to<br>
security incidents as they occur.<br>
<br>
I just recently stumbled upon the OpenStack project, and noticed the <br>
Firewall as a Service (FWaaS) plugin and documentation that has been <br>
developed this past year. There are a lot of similarities to my thesis,<br>
and I would like to know if some of the research I have performed could<br>
be of value to the OpenStack project. Perhaps they could be useful in<br>
the development of use cases, or maybe inspire future ideas for <br>
enhancements and features? I am still in the process of wrapping up<br>
the thesis, so I would like to avoid posting it for the time being.<br>
However, once I have completed the write-up, I would be more than<br>
happy to share it with the OpenStack community.<br>
<br>
I have recorded screen videos showcasing the above three points in <br>
action. Perhaps the most relevant to recent events is the 4th video,<br>
which showcases how FWaaS (in general, not the OpenStack plugin) could<br>
be used by OpenVAS (in this case) to detect virtual machines that are<br>
vulnerable to Heartbleed, and immediately issue a command to the web<br>
service to close access to the HTTPS port.<br>
<br>
The web-services are being exposed via a Java Jetty web server running<br>
on the KVM host itself. I made a Java client app for interfacing with<br>
the web services.<br>
<br>
Below are the videos:<br>
1.) Demo 1: Adding new rules/policies and manipulating traffic<br>
</font></tt><tt><font size="2"><a href="https://docs.google.com/file/d/0B7WyzOL96X9QU0dQa0xEekFxVlk/edit">https://docs.google.com/file/d/0B7WyzOL96X9QU0dQa0xEekFxVlk/edit</a></font></tt><tt><font size="2"><br>
<br>
2.) Demo 2: Same as Demo 1, but showcasing platform independence by<br>
applying rules to a Windows Server 2008 R2 VM<br>
</font></tt><tt><font size="2"><a href="https://docs.google.com/file/d/0B7WyzOL96X9QMnRaZXBhU1FFc28/edit">https://docs.google.com/file/d/0B7WyzOL96X9QMnRaZXBhU1FFc28/edit</a></font></tt><tt><font size="2"><br>
<br>
3.) Sample OpenVAS Scenario where a VM can --only-- operate a HTTP<br>
server on port 80. Any other server that is detected is a<br>
violation of policy and would need to be blocked.<br>
</font></tt><tt><font size="2"><a href="https://docs.google.com/file/d/0B7WyzOL96X9QYXdFdC1XbHp2R3M/edit">https://docs.google.com/file/d/0B7WyzOL96X9QYXdFdC1XbHp2R3M/edit</a></font></tt><tt><font size="2"><br>
<br>
4.) OpenVAS Heartbleed Demo (as described above):<br>
</font></tt><tt><font size="2"><a href="https://docs.google.com/file/d/0B7WyzOL96X9QMzRMR1UzX09vRDA/edit">https://docs.google.com/file/d/0B7WyzOL96X9QMzRMR1UzX09vRDA/edit</a></font></tt><tt><font size="2"><br>
<br>
5.) Earlier prototype of my thesis working with XEN instead of KVM:<br>
</font></tt><tt><font size="2"><a href="https://docs.google.com/file/d/0B7WyzOL96X9QTVowem1ZYjJrRWM/edit">https://docs.google.com/file/d/0B7WyzOL96X9QTVowem1ZYjJrRWM/edit</a></font></tt><tt><font size="2"><br>
<br>
Please let me know if the above could prove useful for the OpenStack<br>
project. Concurrence from you guys would be helpful illustrating the<br>
significance of my research.<br>
<br>
Thank You,<br>
<br>
Mike Grima, RHCE<br>
<br>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
OpenStack-dev@lists.openstack.org<br>
</font></tt><tt><font size="2"><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a></font></tt><tt><font size="2"><br>
<br>
</font></tt><br>
</body></html>