Hi Michael,
Thanks for keeping us in the loop on the progress at your end. This is
very nice work. I quickly read through the section you referenced in
your email, and it does capture the current state of the work in
OpenStack/Neutron.
~Sumit.
On Wed, Aug 13, 2014 at 6:05 PM, Michael Grima mike.r.gr...@gmail.com wrote:
Hi Everyone,
Not sure if you remember, but a few months ago, I made the following
thread on here titled: Firewall Web Services Research Thesis
Applicability to the OpenStack Project
(http://lists.openstack.org/pipermail/openstack-dev/2014-May/034575.html)
To provide a recap, this is a thesis that I am researching, and
examines the potential advantages of exposing a host's firewall via a
web service. The purpose of which is to improve the security of IaaS
environments by now providing the ability for external security
appliances, such as vulnerability scanners and IDS's, the ability to
dynamically (and perhaps automatically) respond to incidents and close
open ports to problematic virtual machines. My thesis examines the
perspective of the infrastructure administrator, as opposed to the
domain administrator.
At the time I made the initial post, I was actively writing my thesis,
and I am happy to report that it is effectively done.
You can download the PDF here:
https://docs.google.com/file/d/0B7WyzOL96X9QWDl6R3RqRE0tMWc/edit
I have a section that specifically mentions OpenStack (Page 44,
Section 5.3). Please review that section and let me know if it
accurately and properly describes the OpenStack effort and
corresponding projects (FWaaS, and Neutron).
Of course, if you find any issues, please don't hesitate to point them out.
Below are screen-videos showcasing my thesis in action:
1.) Demo 1: Adding new rules/policies and manipulating traffic
https://docs.google.com/file/d/0B7WyzOL96X9QU0dQa0xEekFxVlk/edit
2.) Demo 2: Same as Demo 1, but showcasing platform independence by
applying rules to a Windows Server 2008 R2 VM
https://docs.google.com/file/d/0B7WyzOL96X9QMnRaZXBhU1FFc28/edit
3.) Sample OpenVAS Scenario where a VM can --only-- operate a HTTP
server on port 80. Any other server that is detected is a
violation of policy and would need to be blocked.
https://docs.google.com/file/d/0B7WyzOL96X9QYXdFdC1XbHp2R3M/edit
4.) OpenVAS Heartbleed Demo (as described above):
https://docs.google.com/file/d/0B7WyzOL96X9QMzRMR1UzX09vRDA/edit
5.) Earlier prototype of my thesis working with XEN instead of KVM:
https://docs.google.com/file/d/0B7WyzOL96X9QTVowem1ZYjJrRWM/edit
I would be happy to answer any questions you may have.
Thank You
--
Mike Grima, RHCE
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
