Re: [openstack-dev] [Neutron][FWaaS]Firewall Web Services Research Thesis and OpenStack Applicability - UPDATED
For whatever reason, this wasn’t linked appropriately to the older post in the list. That post is here:
http://lists.openstack.org/pipermail/openstack-dev/2014-August/042981.html

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Neutron][FWaaS]Firewall Web Services Research Thesis and OpenStack Applicability - UPDATED
Sumit,

My thesis is now complete! The entire research, including source code and screen recordings, is included in my deliverable here:
https://docs.google.com/uc?id=0B7WyzOL96X9QaF9QMHFBSFhpbFE&export=download

I am now in the process of drafting up a whitepaper based on my thesis research. Please let me know if there are additional resources I can provide.

Thank you,

--
Mike Grima, RHCE
Re: [openstack-dev] [Neutron][FWaaS]Firewall Web Services Research Thesis and OpenStack Applicability - UPDATED
Hi Michael,

Thanks for keeping us in the loop on the progress at your end. This is very nice work. I quickly read through the section you referenced in your email, and it does capture the current state of the work in OpenStack/Neutron.

~Sumit.

On Wed, Aug 13, 2014 at 6:05 PM, Michael Grima wrote:
> Hi Everyone,
>
> Not sure if you remember, but a few months ago, I made the following
> thread on here titled: "Firewall Web Services Research Thesis
> Applicability to the OpenStack Project"
> (http://lists.openstack.org/pipermail/openstack-dev/2014-May/034575.html)
>
> To provide a recap, this is a thesis that I am researching, and
> examines the potential advantages of exposing a host's firewall via a
> web service. The purpose of which is to improve the security of IaaS
> environments by now providing the ability for external security
> appliances, such as vulnerability scanners and IDS's, the ability to
> dynamically (and perhaps automatically) respond to incidents and close
> open ports to problematic virtual machines. My thesis examines the
> perspective of the "infrastructure administrator", as opposed to the
> "domain administrator".
>
> At the time I made the initial post, I was actively writing my thesis,
> and I am happy to report that it is effectively "done".
>
> You can download the PDF here:
> https://docs.google.com/file/d/0B7WyzOL96X9QWDl6R3RqRE0tMWc/edit
>
> I have a section that specifically mentions OpenStack (Page 44,
> Section 5.3). Please review that section and let me know if it
> accurately and properly describes the OpenStack effort and
> corresponding projects (FWaaS, and Neutron).
>
> Of course, if you find any issues, please don't hesitate to point them out.
>
> Below are screen-videos showcasing my thesis in action:
> 1.) Demo 1: Adding new rules/policies and manipulating traffic
> https://docs.google.com/file/d/0B7WyzOL96X9QU0dQa0xEekFxVlk/edit
>
> 2.) Demo 2: Same as Demo 1, but showcasing platform independence by
> applying rules to a Windows Server 2008 R2 VM
> https://docs.google.com/file/d/0B7WyzOL96X9QMnRaZXBhU1FFc28/edit
>
> 3.) Sample OpenVAS Scenario where a VM can --only-- operate a HTTP
> server on port 80. Any other server that is detected is a
> violation of policy and would need to be blocked.
> https://docs.google.com/file/d/0B7WyzOL96X9QYXdFdC1XbHp2R3M/edit
>
> 4.) OpenVAS Heartbleed Demo (as described above):
> https://docs.google.com/file/d/0B7WyzOL96X9QMzRMR1UzX09vRDA/edit
>
> 5.) Earlier prototype of my thesis working with XEN instead of KVM:
> https://docs.google.com/file/d/0B7WyzOL96X9QTVowem1ZYjJrRWM/edit
>
> I would be happy to answer any questions you may have.
>
> Thank You
>
> --
> Mike Grima, RHCE
[openstack-dev] [Neutron][FWaaS]Firewall Web Services Research Thesis and OpenStack Applicability - UPDATED
Hi Everyone,

Not sure if you remember, but a few months ago, I made the following thread on here titled: "Firewall Web Services Research Thesis Applicability to the OpenStack Project" (http://lists.openstack.org/pipermail/openstack-dev/2014-May/034575.html)

To provide a recap, this is a thesis that I am researching, and examines the potential advantages of exposing a host's firewall via a web service. The purpose of which is to improve the security of IaaS environments by now providing the ability for external security appliances, such as vulnerability scanners and IDS's, the ability to dynamically (and perhaps automatically) respond to incidents and close open ports to problematic virtual machines. My thesis examines the perspective of the "infrastructure administrator", as opposed to the "domain administrator".

At the time I made the initial post, I was actively writing my thesis, and I am happy to report that it is effectively "done".

You can download the PDF here:
https://docs.google.com/file/d/0B7WyzOL96X9QWDl6R3RqRE0tMWc/edit

I have a section that specifically mentions OpenStack (Page 44, Section 5.3). Please review that section and let me know if it accurately and properly describes the OpenStack effort and corresponding projects (FWaaS, and Neutron).

Of course, if you find any issues, please don't hesitate to point them out.

Below are screen-videos showcasing my thesis in action:

1.) Demo 1: Adding new rules/policies and manipulating traffic
https://docs.google.com/file/d/0B7WyzOL96X9QU0dQa0xEekFxVlk/edit

2.) Demo 2: Same as Demo 1, but showcasing platform independence by applying rules to a Windows Server 2008 R2 VM
https://docs.google.com/file/d/0B7WyzOL96X9QMnRaZXBhU1FFc28/edit

3.) Sample OpenVAS Scenario where a VM can --only-- operate a HTTP server on port 80. Any other server that is detected is a violation of policy and would need to be blocked.
https://docs.google.com/file/d/0B7WyzOL96X9QYXdFdC1XbHp2R3M/edit

4.) OpenVAS Heartbleed Demo (as described above):
https://docs.google.com/file/d/0B7WyzOL96X9QMzRMR1UzX09vRDA/edit

5.) Earlier prototype of my thesis working with XEN instead of KVM:
https://docs.google.com/file/d/0B7WyzOL96X9QTVowem1ZYjJrRWM/edit

I would be happy to answer any questions you may have.

Thank You

--
Mike Grima, RHCE
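
The port-80-only scenario from demo 3 of the original post, sketched as an added example (not code from the thesis, OpenVAS, or OpenStack): constructed scanner findings are checked against a per-VM allow-list, and each violation becomes a validated host-firewall drop rule. The `Finding` format, `POLICY`, the function names, and the use of the host's FORWARD chain are assumptions made for illustration; only the iptables options are real.

```python
import ipaddress
from typing import NamedTuple

class Finding(NamedTuple):
    """One listening service reported by a scanner (constructed format)."""
    vm_ip: str
    proto: str
    port: int

# Hypothetical policy: services each VM is allowed to expose.
POLICY = {"10.0.0.5": {("tcp", 80)}}

# Constructed sample scan results.
SAMPLE_FINDINGS = [
    Finding("10.0.0.5", "tcp", 80),   # permitted HTTP server
    Finding("10.0.0.5", "tcp", 21),   # unexpected FTP server
    Finding("10.0.0.5", "udp", 161),  # unexpected SNMP agent
    Finding("10.0.0.9", "tcp", 22),   # VM with no policy entry
]

def violations(findings, policy):
    """Findings the policy does not permit; a VM with no entry is default-deny."""
    return [f for f in findings
            if (f.proto, f.port) not in policy.get(f.vm_ip, set())]

def drop_rule(f):
    """Build an iptables argv list (never a shell string). Fields are validated
    because they arrive from an external appliance and reach a privileged command."""
    ip = ipaddress.IPv4Address(f.vm_ip)  # raises ValueError if malformed
    if f.proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {f.proto!r}")
    if not 1 <= f.port <= 65535:
        raise ValueError(f"port out of range: {f.port}")
    # Assumption: the hypervisor host filters VM traffic in its FORWARD chain.
    return ["iptables", "-I", "FORWARD", "-d", str(ip),
            "-p", f.proto, "--dport", str(f.port), "-j", "DROP"]

def respond(findings, policy):
    """Scan results in, de-duplicated block rules out."""
    rules = []
    for f in violations(findings, policy):
        rule = drop_rule(f)
        if rule not in rules:
            rules.append(rule)
    return rules
```

Returning an argv list lets the caller hand the rule to `subprocess.run` without a shell, so a malformed finding from the scanner cannot inject extra commands into the firewall host.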