[openstack-dev] [Neutron][FWaaS]Firewall Web Services Research Thesis and OpenStack Applicability - UPDATED

Michael Grima mike.r.grima at gmail.com
Thu Aug 14 01:05:20 UTC 2014


Hi Everyone,

Not sure if you remember, but a few months ago, I made the following
thread on here titled: "Firewall Web Services Research Thesis
Applicability to the OpenStack Project"
(http://lists.openstack.org/pipermail/openstack-dev/2014-May/034575.html)

To provide a recap, this is a thesis that I am researching, and
examines the potential advantages of exposing a host's firewall via a
web service.  The purpose of which is to improve the security of IaaS
environments by now providing the ability for external security
appliances, such as vulnerability scanners and IDS's, the ability to
dynamically (and perhaps automatically) respond to incidents and close
open ports to problematic virtual machines.  My thesis examines the
perspective of the "infrastructure administrator", as opposed to the
"domain administrator".

At the time I made the initial post, I was actively writing my thesis,
and I am happy to report that it is effectively "done".

You can download the PDF here:
https://docs.google.com/file/d/0B7WyzOL96X9QWDl6R3RqRE0tMWc/edit

I have a section that specifically mentions OpenStack (Page 44,
Section 5.3).  Please review that section and let me know if it
accurately and properly describes the OpenStack effort and
corresponding projects (FWaaS, and Neutron).

Of course, if you find any issues, please don't hesitate to point them out.

Below are screen-videos showcasing my thesis in action:
1.) Demo 1: Adding new rules/policies and manipulating traffic
https://docs.google.com/file/d/0B7WyzOL96X9QU0dQa0xEekFxVlk/edit

2.) Demo 2: Same as Demo 1, but showcasing platform independence by
    applying rules to a Windows Server 2008 R2 VM
https://docs.google.com/file/d/0B7WyzOL96X9QMnRaZXBhU1FFc28/edit

3.) Sample OpenVAS Scenario where a VM can --only-- operate a HTTP
    server on port 80.  Any other server that is detected is a
    violation of policy and would need to be blocked.
https://docs.google.com/file/d/0B7WyzOL96X9QYXdFdC1XbHp2R3M/edit

4.) OpenVAS Heartbleed Demo (as described above):
https://docs.google.com/file/d/0B7WyzOL96X9QMzRMR1UzX09vRDA/edit

5.) Earlier prototype of my thesis working with XEN instead of KVM:
https://docs.google.com/file/d/0B7WyzOL96X9QTVowem1ZYjJrRWM/edit

I would be happy to answer any questions you may have.

Thank You

-- 
Mike Grima, RHCE



More information about the OpenStack-dev mailing list