[openstack-dev] [Neutron][FWaaS]Firewall Web Services Research Thesis Applicability to the OpenStack Project

Mohammad Banikazemi mb at us.ibm.com
Wed May 7 02:11:53 UTC 2014


Hi Mike, Thanks for your interest in OpenStack and Neutron. Are there any
published papers you can point us to? It may be easier to understand your
work by reading/reviewing your papers.

Best,

Mohammad




From:	Mike Grima <mike.r.grima at gmail.com>
To:	openstack-dev at lists.openstack.org,
Date:	05/06/2014 09:21 PM
Subject:	[openstack-dev] [Neutron][FWaaS]Firewall Web Services Research
            Thesis Applicability to the OpenStack Project



Hi Everyone,

I am an Information Security grad student, and I am wrapping up a thesis
on exposing host firewall capabilities via web services for KVM virtual
machines. The purpose of which is to:
    A.  Make the firewall management of KVM virtual machines easier to
        perform on the host (from the KVM administrator’s perspective)
    B.  Provide the ability to enforce network security policies on
        hosted virtual machines via the host’s firewall.
    C.  Provide the ability for future security appliances and
        vulnerability scanners to leverage the exposed web services to
        close network security vulnerabilities on hosted virtual
        machines (via modification of the host’s firewall rules). This
        can allow security appliances to automatically respond to
        security incidents as they occur.

I just recently stumbled upon the OpenStack project, and noticed the
Firewall as a Service (FWaaS) plugin and documentation that has been
developed this past year.  There are a lot of similarities to my thesis,
and I would like to know if some of the research I have performed could
be of value to the OpenStack project.  Perhaps they could be useful in
the development of use cases, or maybe inspire future ideas for
enhancements and features?  I am still in the process of wrapping up
the thesis, so I would like to avoid posting it for the time being.
However, once I have completed the write-up, I would be more than
happy to share it with the OpenStack community.

I have recorded screen videos showcasing the above three points in
action.  Perhaps the most relevant to recent events is the 4th video,
which showcases how FWaaS (in general, not the OpenStack plugin) could
be used by OpenVAS (in this case) to detect virtual machines that are
vulnerable to Heartbleed, and immediately issue a command to the web
service to close access to the HTTPS port.

The web services are being exposed via a Java Jetty web server running
on the KVM host itself.  I made a Java client app for interfacing with
the web services.

Below are the videos:
1.) Demo 1: Adding new rules/policies and manipulating traffic
https://docs.google.com/file/d/0B7WyzOL96X9QU0dQa0xEekFxVlk/edit

2.) Demo 2: Same as Demo 1, but showcasing platform independence by
    applying rules to a Windows Server 2008 R2 VM
https://docs.google.com/file/d/0B7WyzOL96X9QMnRaZXBhU1FFc28/edit

3.) Sample OpenVAS Scenario where a VM can --only-- operate a HTTP
    server on port 80.  Any other server that is detected is a
    violation of policy and would need to be blocked.
https://docs.google.com/file/d/0B7WyzOL96X9QYXdFdC1XbHp2R3M/edit

4.) OpenVAS Heartbleed Demo (as described above):
https://docs.google.com/file/d/0B7WyzOL96X9QMzRMR1UzX09vRDA/edit

5.) Earlier prototype of my thesis working with XEN instead of KVM:
https://docs.google.com/file/d/0B7WyzOL96X9QTVowem1ZYjJrRWM/edit

Please let me know if the above could prove useful for the OpenStack
project.  Concurrence from you guys would be helpful in illustrating the
significance of my research.

Thank You,

Mike Grima, RHCE
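The scanner-to-firewall loop Mike describes in demos 3 and 4 (a scanner reports the services it found on each guest, a per-VM policy says what the guest may offer, and anything violating or vulnerable is closed at the host firewall), as an added example in Python. This is not code from the thesis, from its Java Jetty service, or from Neutron FWaaS; the scan record layout, the policy format, the sample addresses and the iptables FORWARD-chain rule are all assumptions.

```python
"""Policy-driven host firewall response, sketched in Python.

Added example for the scenario described on the list: a scanner reports the
services it found on each guest, a per-VM policy lists the services the VM
may offer, and every violating or vulnerable service becomes a host firewall
rule that blocks it. Not code from the thesis; the data layout, the policy
format and the iptables FORWARD-chain rule are assumptions.
"""
from dataclasses import dataclass
import ipaddress
import shlex


@dataclass(frozen=True)
class Service:
    """One listening service a scanner found on a guest (constructed layout)."""
    vm_ip: str
    proto: str                 # "tcp" or "udp"
    port: int
    vulnerable: bool = False   # scanner flagged it, e.g. Heartbleed on 443


@dataclass(frozen=True)
class Allowed:
    """A service a VM is permitted to run under its policy."""
    proto: str
    port: int


# Constructed sample policy: this VM may only operate HTTP on port 80 (demo 3).
POLICY = {"192.0.2.10": frozenset({Allowed("tcp", 80)})}

# Constructed sample scan output, standing in for what a scanner would report.
SCAN = [
    Service("192.0.2.10", "tcp", 80),
    Service("192.0.2.10", "tcp", 443, vulnerable=True),
    Service("192.0.2.10", "tcp", 22),
    Service("192.0.2.11", "tcp", 443, vulnerable=True),  # no policy, but vulnerable
]


def validate_request(vm_ip, proto, port):
    """Check a block request before it gets anywhere near the host firewall.

    A web service that writes firewall rules must never hand caller-supplied
    strings to iptables; only a parsed address, a known protocol and an
    in-range port leave this function.
    """
    addr = ipaddress.ip_address(vm_ip)          # raises ValueError on garbage
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return str(addr), proto, port


def find_violations(scan, policy):
    """Return the scanned services that must be blocked.

    A service is blocked when the VM has a policy that does not list it, or
    when the scanner flagged it as vulnerable (even on a VM without a policy).
    """
    violations = []
    for svc in scan:
        allowed = policy.get(svc.vm_ip)
        not_permitted = allowed is not None and Allowed(svc.proto, svc.port) not in allowed
        if not_permitted or svc.vulnerable:
            violations.append(svc)
    return violations


def block_command(svc):
    """Build the host iptables command that drops traffic to one guest service.

    Assumption: guest traffic is bridged through the host and so traverses the
    FORWARD chain; the rule is inserted at the top so it wins over earlier
    ACCEPT rules. The command is returned as an argv list, never a shell string.
    """
    vm_ip, proto, port = validate_request(svc.vm_ip, svc.proto, svc.port)
    return ["iptables", "-I", "FORWARD", "-d", vm_ip, "-p", proto,
            "--dport", str(port), "-j", "DROP"]


def plan_blocks(scan, policy):
    """Turn a scan plus a policy into the list of firewall commands to run."""
    seen = set()
    commands = []
    for svc in find_violations(scan, policy):
        key = (svc.vm_ip, svc.proto, svc.port)
        if key in seen:
            continue               # the scanner may report the same socket twice
        seen.add(key)
        commands.append(block_command(svc))
    return commands


if __name__ == "__main__":
    # Print the planned rules for review; the web service would run each one
    # with subprocess.run(cmd, check=True), never through a shell.
    for cmd in plan_blocks(SCAN, POLICY):
        print(shlex.join(cmd))
```

Two points carry over to any real implementation of such a service: the input validation happens before the rule is built, so a malformed or hostile request can never reach the firewall tooling, and the rule is assembled as an argument vector rather than a shell string, so no quoting mistake can turn a port number into a second command.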


_______________________________________________
OpenStack-dev mailing list
OpenStack-dev at lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
