Hyper-V Security Tips Fix the Gaps you Never Knew About Symon Perriman...

Post on 17-Jan-2016


Hyper-V Security Tips: Fix the Gaps you Never Knew About

Symon Perriman
@SymonPerriman
Symon@5nine.com
www.SymonPerriman.com

Thomas Maurer
@ThomasMaurer
www.ThomasMaurer.com

Security Threats to Virtualization

Security Threats for Hyper-V

Compute
• Denial of Memory or CPU

Network
• Virus, Malware, Trojan Horses, Denial of Service

Storage
• Data Breach or Loss, Denial of Data

Web
• Denial of Service

Active Persistent Threats
• Cross-Site Scripting (XSS), Man in Middle
• Virtualized infrastructure attacks

“This class of threats called APT is so top of mind for each of us…we want to detect Advanced Persistent Threats and to be able to take action as an organization to isolate and protect ourselves.”
- Satya Nadella, Microsoft CEO at Microsoft Ignite - May, 2015

Virtualized Environments are Never Secure

Security for virtualization is different

New Threats
• End users / tenants
• Storage devices
• Network attacks

Unidentified Threats
• New signatures
• Time bomb / logic bomb

Most datacenters are already infected

Multi-Layered Agentless Security

• Virtual Firewall
• AV Detection on the Network
• AV Scan on the Disk
• Network Intrusion Detection
• Network Anomaly Analysis
• Extensible to Analytics Systems

Virtualization Security Best Practices

How a Threat Reaches a VM

Hyper-V Virtual Machines

Virtual Network Adapters

Virtual Switch

Hyper-V Host

Physical Network Adapter

Agentless Host-Level Protection

Automatic & Immediate Protection

Security for virtualized environments is different
Shared environments are never secure
It is impossible to guarantee security using traditional “endpoint protection”
• Requires installation
• Slows deployment
• Complicates management

Virtualized environments are dynamic
• Virtual machines
• Virtual disks
• Virtual networks
• Virtual switches

Abstract & Hide Security from Users

Non-technical users or the public are using your hardware
Remove the burden of security from the clients
• Manage security for the clients
• Update signatures for the clients
• Ensure the clients cannot disable security
  • Accidentally
  • Purposely with bad intentions

Centrally Manage Rules & Definitions

Use a recognized industry leader
• Antivirus / antimalware
• Intrusion detection

Set up a local proxy for extra security

Guarantee Isolation & Resource Access

Isolation and privacy are critical in a cloud
• An admin should not access a tenant’s VM
• A VM cannot affect the host
• A VM cannot affect another VM

Use Quality of Service (QoS) or throttling for memory, CPU, network & storage bandwidth
• Avoid Denial of <Resource> attacks
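One way to apply the throttling described above with the built-in Hyper-V PowerShell module, as an added example that is not from the slides or any vendor product. The function name, the VM name and every limit value are assumptions; the dynamic-memory ceiling is lowered only while the VM is off.

```powershell
#Requires -Modules Hyper-V
# Added example: per-VM ceilings so one tenant VM cannot starve the host or its neighbours.
# Set-TenantVMResourceCap and all default limits are hypothetical; size them for your hosts.
function Set-TenantVMResourceCap {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$VMName,
        [ValidateRange(1, 100)][int]$CpuMaxPercent = 75,  # % of the VM's virtual processor time
        [long]$MemoryMaxBytes   = 8GB,                    # dynamic-memory ceiling
        [long]$NetMaxBitsPerSec = 500000000,              # 500 Mbit/s per virtual NIC
        [long]$DiskMaxIops      = 1000                    # normalized IOPS per virtual disk
    )
    foreach ($vm in Get-VM -Name $VMName) {
        # CPU: cap how much processor time the VM's virtual processors may consume.
        Set-VMProcessor -VM $vm -Maximum $CpuMaxPercent

        # Network: cap outbound bandwidth on every virtual NIC of the VM.
        Get-VMNetworkAdapter -VM $vm |
            Set-VMNetworkAdapter -MaximumBandwidth $NetMaxBitsPerSec

        # Storage: cap IOPS on every virtual hard disk attached to the VM.
        Get-VMHardDiskDrive -VM $vm |
            Set-VMHardDiskDrive -MaximumIOPS $DiskMaxIops

        # Memory: only dynamic-memory VMs can grow; lower the ceiling when it is too high.
        $mem = Get-VMMemory -VM $vm
        if ($mem.DynamicMemoryEnabled -and $mem.Maximum -gt $MemoryMaxBytes) {
            if ($vm.State -eq 'Off') {
                Set-VMMemory -VM $vm -MaximumBytes $MemoryMaxBytes
            } else {
                Write-Warning "$($vm.Name): memory ceiling left unchanged; re-run while the VM is off."
            }
        }

        # Read the settings back so the report shows what is actually in force.
        [pscustomobject]@{
            VM             = $vm.Name
            CpuMaxPercent  = (Get-VMProcessor -VM $vm).Maximum
            MemoryMaxBytes = (Get-VMMemory -VM $vm).Maximum
            NicMaxBitsPerS = @((Get-VMNetworkAdapter -VM $vm).BandwidthSetting.MaximumBandwidth)
            DiskMaxIops    = @((Get-VMHardDiskDrive -VM $vm).MaximumIOPS)
        }
    }
}

# Preview the changes for a hypothetical tenant VM without applying them:
# Set-TenantVMResourceCap -VMName 'tenant-web01' -WhatIf
```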

Traditional security protects traffic between hosts
• Does not protect traffic between VMs on the same host
• Threats can spread if one client becomes infected

Virtual Network Types
• External
• Internal
• Private
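A read-only audit of the point above, showing which VMs share a virtual switch on one host and which of their adapters have no host-side filtering. This is an added example, not from the slides; the function name is hypothetical, and it assumes `Get-VMNetworkAdapterAcl` returns no objects for an adapter without port ACLs.

```powershell
#Requires -Modules Hyper-V
# Added example (read-only): per virtual switch, list the VMs that can reach each
# other without leaving the host, and the adapters with no port-level controls.
# Get-VSwitchExposure is a hypothetical name; run it on the Hyper-V host itself.
function Get-VSwitchExposure {
    [CmdletBinding()]
    param()

    # Map switch name -> External / Internal / Private.
    $typeOf = @{}
    foreach ($sw in Get-VMSwitch) { $typeOf[$sw.Name] = $sw.SwitchType }

    # Only adapters that are connected to a switch are relevant.
    $nics = Get-VM | Get-VMNetworkAdapter | Where-Object { $_.SwitchName }

    foreach ($group in ($nics | Group-Object -Property SwitchName)) {
        $vms = @($group.Group.VMName | Sort-Object -Unique)

        # Adapters with no port ACL: nothing on the host filters their traffic.
        # Assumption: the cmdlet emits no objects when an adapter has no ACLs.
        $noAcl = @(foreach ($nic in $group.Group) {
            if (@(Get-VMNetworkAdapterAcl -VMNetworkAdapter $nic).Count -eq 0) { $nic.VMName }
        })

        # Adapters whose guard settings would let a guest act as a rogue
        # DHCP server or router, or change its MAC address.
        $weakGuards = @($group.Group | Where-Object {
            $_.DhcpGuard -eq 'Off' -or $_.RouterGuard -eq 'Off' -or
            $_.MacAddressSpoofing -eq 'On'
        } | ForEach-Object { $_.VMName })

        [pscustomobject]@{
            Switch        = $group.Name
            Type          = $typeOf[$group.Name]
            VMs           = $vms
            SameHostPeers = ($vms.Count -gt 1)   # VM-to-VM traffic never reaches the physical network
            NoPortAcl     = @($noAcl | Sort-Object -Unique)
            WeakGuards    = @($weakGuards | Sort-Object -Unique)
        }
    }
}

# Switches where several VMs sit side by side are the ones to review first.
Get-VSwitchExposure | Where-Object SameHostPeers | Format-List
```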

Protect All Virtual Networks

Network Security Appliance

Universal Virtual Firewall for all VMs

Intercept network traffic before it even gets to the VM
Manage traffic at the network protocol level
• TCP, UDP, GRE, ICMP, IGMP, etc.

Hyper-V Guest OS List: aka.ms/HyperVGuestOS

Server
• Windows Server 2016
• Windows Server 2012 R2
• Windows Server 2012
• Windows Server 2008 R2
• Home Server 2011
• Small Business Server 2011
• Windows Server 2003

Client
• Windows 10
• Windows 8.1
• Windows 8
• Windows 7
• Windows Vista
• Windows XP

Linux & UNIX
• CentOS
• Debian
• FreeBSD
• Oracle Linux
• Red Hat RHEL
• SUSE
• Ubuntu

Active Detection of Incoming Threats

Immediately identify incoming threats
• Unencrypted traffic
• Based on protocol

Automatically alert admins
• Email
• PowerShell
• Event Logs

Fast AV Scanning with No Performance Impact

Agent-based scanning causes “scanning storms”
• Decreases VM performance for all clients
• Reduces VM density on the hosts

Optimized scans use Change Block Tracking (CBT) driver
• Scan only changed blocks on the disk
• Scan up to 70x faster

Automate Security Task Management

• PowerShell support
• Task scheduling
• Enables scalability
• Ensures consistent SLAs
• Eliminates human error
• For tasks with high resource utilization, stagger the action to avoid performance impact

Hyper-V Hosts & Clusters

SQL Server

Security Management Server / VM

Redundant Management Group

SQL Server

SQL Cluster

Branch Office

SQL Server

Sync

Management Console | PowerShell | Azure Pack | System Center

Enterprise High-Availability for Security

Inbound, Outbound & Internal Threat Protection

Hyper-V Hosts & Clusters

SQL Server

Security Management Server / VM

Public Internet

[Figure: two traffic charts, "Normal Traffic" and "Unusual Traffic"]

Extensible to Analytics Platforms

Hyper-V Hosts

SQL Server

Security Management Server / VM

Public Internet

On-Premises Analytics (Syslog)

Cloud-Based Analytics

System Center Integration

Centralized security management through System Center to protect Hyper-V Infrastructure and VMs

Automatically apply security policies to guarantee immediate protection for hosts and virtual machines

Accelerate and secure VM deployments with an agentless solution designed for Hyper-V

Monitor the infrastructure with Operations Manager

Scales to protect the largest enterprises running System Center and the Microsoft Cloud Platform

Azure Pack (WAP) Integration

Security as a Service (SECaaS) to protect your datacenter, your customers, and their clouds

Generate new revenue by offering a higher security tier

Meet the latest compliance and regulation requirements with multi-layered unified security

Automatically and immediately secure your tenants with non-invasive protection

Support more VMs and tenants on each host with the most efficient security solution for Hyper-V

Simplify security management for tenants through on/off buttons
• Firewall, Network Detection & Intrusion Detection
• Preconfigure firewall templates for different VM roles

*Azure Pack (WAP) allows you to run Azure services in your datacenter on your hardware

Benefits of Agentless Security

• Universal virtual firewall for all guest OSes
• Protect all virtual networks
• Detect inbound, outbound and internal attacks
• Fastest disk scans with least performance impact
• Automatic & immediate protection
• Centrally manage & update policies
• Remove burden from end users
• Security cannot be disabled

Summary


• Security for virtualization is different
• Protect your datacenter with a virtual firewall, antivirus, antimalware, and intrusion detection system
• Use an agentless solution for Hyper-V, System Center Virtual Machine Manager, and Azure Pack
• Use centralized management and reporting with industry standard signatures
• Email Symon@5nine.com for questions