[openstack-dev] [Neutron][FWaaS] Firewall Web Services Research Thesis Applicability to the OpenStack Project

Mike Grima mike.r.grima at gmail.com
Wed May 7 01:20:42 UTC 2014


Hi Everyone,

I am an Information Security grad student, and I am wrapping up a thesis
on exposing host firewall capabilities via web services for KVM virtual
machines. Its purpose is to:
    A.  Make the firewall management of KVM virtual machines easier to
        perform on the host (from the KVM administrator’s perspective).
    B.  Provide the ability to enforce network security policies on
        hosted virtual machines via the host’s firewall.
    C.  Provide the ability for future security appliances and
        vulnerability scanners to leverage the exposed web services to
        close network security vulnerabilities on hosted virtual
        machines (via modification of the host’s firewall rules). This
        can allow security appliances to automatically respond to
        security incidents as they occur.

I just recently stumbled upon the OpenStack project, and noticed the
Firewall as a Service (FWaaS) plugin and documentation that has been
developed this past year.  There are a lot of similarities to my thesis,
and I would like to know if some of the research I have performed could
be of value to the OpenStack project.  Perhaps it could be useful in
the development of use cases, or maybe inspire future ideas for
enhancements and features?  I am still in the process of wrapping up
the thesis, so I would like to avoid posting it for the time being.
However, once I have completed the write-up, I would be more than
happy to share it with the OpenStack community.

I have recorded screen videos showcasing the above three points in
action.  Perhaps the most relevant to recent events is the 4th video,
which showcases how FWaaS (in general, not the OpenStack plugin) could
be used by OpenVAS (in this case) to detect virtual machines that are
vulnerable to Heartbleed, and immediately issue a command to the web
service to close access to the HTTPS port.

The web services are being exposed via a Java Jetty web server running
on the KVM host itself.  I made a Java client app for interfacing with
the web services.

Below are the videos:
1.) Demo 1: Adding new rules/policies and manipulating traffic
https://docs.google.com/file/d/0B7WyzOL96X9QU0dQa0xEekFxVlk/edit

2.) Demo 2: Same as Demo 1, but showcasing platform independence by
    applying rules to a Windows Server 2008 R2 VM
https://docs.google.com/file/d/0B7WyzOL96X9QMnRaZXBhU1FFc28/edit

3.) Sample OpenVAS Scenario where a VM can --only-- operate an HTTP
    server on port 80.  Any other server that is detected is a
    violation of policy and would need to be blocked.
https://docs.google.com/file/d/0B7WyzOL96X9QYXdFdC1XbHp2R3M/edit

4.) OpenVAS Heartbleed Demo (as described above):
https://docs.google.com/file/d/0B7WyzOL96X9QMzRMR1UzX09vRDA/edit

5.) Earlier prototype of my thesis working with XEN instead of KVM:
https://docs.google.com/file/d/0B7WyzOL96X9QTVowem1ZYjJrRWM/edit

Please let me know if the above could prove useful for the OpenStack
project.  Concurrence from you guys would be helpful in illustrating the
significance of my research.

Thank You,

Mike Grima, RHCE
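As an added example, not part of this message or the author's thesis code: the enforcement loop behind demos 3 and 4 in Python, with a hypothetical per-VM policy type and a constructed OpenVAS-like scan result. It compares what a guest exposes against what it is allowed to expose and emits host-side iptables FORWARD drop rules as strings for review, never applying them.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ScanFinding:
    """One open service reported by the scanner (constructed, OpenVAS-like)."""
    proto: str
    port: int
    service: str
    vulnerabilities: tuple = ()  # e.g. ("Heartbleed",)

@dataclass(frozen=True)
class VmPolicy:
    """Hypothetical per-VM policy: the (proto, port) pairs the guest may serve."""
    vm_name: str
    vm_ip: str
    allowed: frozenset
    block_vulnerable: bool = True  # demo 4: also close an allowed port found vulnerable

def violations(policy, findings):
    """Return (finding, reason) pairs that breach the policy."""
    out = []
    for f in findings:
        if (f.proto, f.port) not in policy.allowed:
            out.append((f, "not in allow-list"))
        elif f.vulnerabilities and policy.block_vulnerable:
            out.append((f, "vulnerable: " + ", ".join(f.vulnerabilities)))
    return out

def block_rules(policy, findings):
    """Translate each violation into a host firewall rule. Guest traffic
    traverses the host's FORWARD chain, so the rules target that chain.
    Rules are returned as strings for review, never executed here."""
    return [
        f"iptables -I FORWARD -d {policy.vm_ip} -p {f.proto} --dport {f.port} -j DROP"
        f"  # {policy.vm_name}: {f.service} {reason}"
        for f, reason in violations(policy, findings)
    ]

# Constructed sample: web01 may only serve HTTP on tcp/80 (demo 3 scenario),
# and the scan also found an HTTPS listener vulnerable to Heartbleed (demo 4).
SAMPLE_POLICY = VmPolicy("web01", "192.0.2.10", frozenset({("tcp", 80)}))
SAMPLE_FINDINGS = (
    ScanFinding("tcp", 80, "http"),
    ScanFinding("tcp", 443, "https", ("Heartbleed",)),
    ScanFinding("tcp", 22, "ssh"),
)

if __name__ == "__main__":
    for rule in block_rules(SAMPLE_POLICY, SAMPLE_FINDINGS):
        print(rule)
```

Feeding the returned rules to the host is the step the thesis exposes as a web service call; here the allowed tcp/80 listener survives, while the unlisted ssh port and the vulnerable https port each get a drop rule.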
