Page 1: Http://aka.ms/FEEAB

Security Enhancements in Windows Server 2012
Securing the Private Cloud Infrastructure

Yuri Diogenes
Senior Technical Writer
Server and Cloud Division Information Experience – Solutions Group

Tom Shinder
Senior Knowledge Engineer
Server and Cloud Division Information Experience – Solutions Group

http://aka.ms/FEEAB
http://blogs.technet.com/security_talk

Page 2

Agenda
Private Cloud Infrastructure Security

• The Importance of Security in a Private Cloud
• Private Cloud Reference Model: Infrastructure
• Private Cloud: Compute Layer
• Private Cloud: Storage Layer
• Private Cloud: Networking Layer
• Private Cloud: Resiliency Layer
• Practical Scenario

Page 3

Why is Private Cloud Security Important?
Customers want to know

Page 4

What will we cover in this presentation?
Private Cloud Infrastructure Security

Ultimate Goal
Align Windows Server 2012 security features to address the core Private Cloud security concerns by providing a secure foundation for the cloud infrastructure, based on the Microsoft Private Cloud Reference Model (PCRM).

Page 5

Primary Considerations
• Compute
• Networking
• Storage
• Resiliency

Page 6

Compute

Page 7

Private Cloud Security Concern
Physical Security to Compute Resources

• What if…
  • The Cloud Operator restarts the compute resource that I’m using and loads malware during the boot process?
  • A failure in provisioning leads to a different operating system being loaded, causing downtime to my workload?
  • There is a breach of physical security and someone steals the server?

• Protecting Compute Resources
  • Policies in place to avoid errors in security provisioning
  • Clean-up process
  • SLA

Page 8

Secure Boot
Server Protection

Current boot process: any OS could hook in and load code at this stage, including a piece of malware.

New boot process (UEFI Secure Boot activated): UEFI will only load an OS whose boot loader is verified via certificate. If the signature is not valid, the boot is interrupted.

Page 9

Network Unlock for BitLocker
Server Protection

• Requires Windows 8, TPM, DHCP and UEFI
• Allows admins to boot remote systems without user interaction
• If taken outside the trusted location (off premises), the machine will require a PIN in order to boot
• No more trade-offs between security and power management or servicing

Page 10

Storage

Page 11

Private Cloud Security Concern
Storage Security

• What if…
  • Other tenants can access my data?
  • Data leakage occurs while data is at rest?

• Protecting Storage Resources
  • Isolation
  • Encryption
  • Auditing

Page 12

BitLocker Drive Encryption
Data Protection

• Secures data within deployments inside and outside of the datacenter.
• Enables the IT administrator to:
  • Encrypt local disk storage (DAS)
  • Encrypt traditional failover cluster disks
  • Encrypt Cluster Shared Volumes 2.0
• Meets compliance demands.

Page 13

Demo: Encrypting a Cluster Shared Volume
Tom Shinder

Page 14

Scenario
• Bob wants to ensure that the tenants' data is protected while at rest
• Bob wants to make sure that even if an intruder breaches the data center and pulls a drive, the data will be inaccessible
• Bob is using the Windows Server 2012 iSCSI target for failover cluster storage and CSVs
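The steps behind Bob's demo, as an added example that is not the deck's own demo script: the CSV is placed in maintenance mode, BitLocker is enabled with a recovery password, and a cluster name object (CNO) SID protector is added so every node can unlock the volume while a pulled drive carries no usable key. The cluster disk name, CSV path and CNO account are assumed values.

```powershell
# Added example: encrypt a Cluster Shared Volume with BitLocker on Windows Server 2012.
# Assumed values (not from the deck): cluster disk resource name, CSV path and cluster name object.
$ClusterDisk = "Cluster Disk 1"
$CsvPath     = "C:\ClusterStorage\Volume1"
$Cno         = "CONTOSO\FSCLUSTER$"   # cluster name object; its SID protector lets any node unlock the volume

# 1. Put the CSV into maintenance mode so BitLocker can operate on it.
Suspend-ClusterResource -Name $ClusterDisk -VolumeName $CsvPath -Force

# 2. Turn BitLocker on with a recovery password protector, encrypting used space only so the
#    volume returns to service quickly. The recovery password is shown once here; escrow it.
$bl = Enable-BitLocker -MountPoint $CsvPath -RecoveryPasswordProtector -UsedSpaceOnly
$bl.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword" | Select-Object RecoveryPassword

# 3. Add the CNO SID protector: the cluster service on each node unlocks the volume
#    automatically, with no key material stored on the disk itself.
Add-BitLockerKeyProtector -MountPoint $CsvPath -AdAccountOrGroupProtector -AdAccountOrGroup $Cno

# 4. Return the volume to the cluster.
Resume-ClusterResource -Name $ClusterDisk -VolumeName $CsvPath

# 5. Verify: protection is On and both protector types are present.
Get-BitLockerVolume -MountPoint $CsvPath |
    Select-Object MountPoint, ProtectionStatus, VolumeStatus, EncryptionPercentage
(Get-BitLockerVolume -MountPoint $CsvPath).KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```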

Page 15

Networking

Page 16

Private Cloud Security Concern
Network Security

• What if…
  • Other tenants can access my data?
  • Data leakage occurs while data is in transit?
  • Rogue servers/traffic can disrupt my workload?

• Protecting Network Resources
  • Isolation
  • Encryption
  • Protection against rogue services

Page 17

SMB Encryption
Network Protection

• End-to-end encryption of SMB data in flight
• Protects data from eavesdropping attacks
• No need for IPsec or specialized hardware
• Configured per share or for the entire server
• Can be turned on for a variety of scenarios where data traverses trusted and untrusted networks
  • Branch offices over WAN networks
  • Application workloads over unsecured networks

Page 18

Demo: Enabling and verifying SMB Encryption
Yuri Diogenes

Page 19

Scenario
• The Private Cloud tenant read a report saying that internal threats are still the biggest concern in network security
• The tenant has a file server on his segment that contains financial records and must be protected against eavesdropping attacks launched by internal clients

Page 20

Lab Environment
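The per-share and whole-server configuration described on the SMB Encryption slide, as an added example that is not the deck's demo: it encrypts the tenant's financial share, optionally the entire server, and verifies both sides. The share name, path and security group are assumed values.

```powershell
# Added example: enable and verify SMB Encryption on a Windows Server 2012 file server.
# Share name, path and group are assumed values, not from the deck.
$ShareName = "Finance"
$SharePath = "D:\Shares\Finance"

# Option A: per share. An existing share is switched with Set-SmbShare; a new one is created encrypted.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Set-SmbShare -Name $ShareName -EncryptData $true -Force
} else {
    New-SmbShare -Name $ShareName -Path $SharePath -EncryptData $true -FullAccess "CONTOSO\Finance Users"
}

# Option B: the entire server. RejectUnencryptedAccess (default $true) makes encryption mandatory:
# clients that cannot negotiate SMB 3.0 are refused rather than silently falling back to cleartext.
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# Verify the server-wide and per-share settings.
Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess
Get-SmbShare | Select-Object Name, Path, EncryptData

# Verify from a client: encryption needs an SMB 3.0 session, so the negotiated dialect of the
# connection to this server must be 3.0 or later (run this part on the client).
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect
```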

Page 21

DHCP Guard
Network Protection

• Protects against a malicious VM presenting itself as a Dynamic Host Configuration Protocol (DHCP) server for man-in-the-middle attacks

Page 22

Demo: Protecting Tenants against rogue DHCP
Yuri Diogenes

Page 23

Scenario
• The Private Cloud tenant read the paper “A Solution for Private Cloud Security” from Microsoft and wants to ensure that his network segment is protected against rogue servers, clients and applications

Page 24

Router Guard
Network Protection

• This feature allows you to specify whether router advertisement and redirection messages from unauthorized VMs should be dropped

Page 25

Port ACL
Network Protection

• Allows you to create rules that apply to a Hyper-V switch port.
• A rule specifies whether a packet is allowed or denied on the way into or out of the VM.

Page 26

How to implement this configuration

Add-VMNetworkAdapterAcl -VMName MyVM -LocalMacAddress 12-34-56-78-9A- -Direction Both -Action Allow
Add-VMNetworkAdapterAcl -VMName MyVM -LocalMacAddress FF-FF-FF-FF-FF-FF -Direction Inbound -Action Allow
Add-VMNetworkAdapterAcl -VMName MyVM -LocalMacAddress Any -Direction Both -Action Deny

Page 27

Demo: Traffic isolation with Port ACLs
Yuri Diogenes

Page 28

Scenario
• The Private Cloud tenant read the paper “A Solution for Private Cloud Security” from Microsoft and wants to ensure that traffic isolation happens not only between tenants on his Private Cloud but also within the same tenant network
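An added example, not the deck's demo, that applies the same three rules shown on page 26 but goes a step further: it reads the adapter's MAC instead of typing it, pins the MAC so the Allow rule keeps matching, clears old rules so the script can be re-run, and lists what the port now enforces. The VM name is assumed and the VM is assumed to have a single network adapter.

```powershell
# Added example: apply the deck's three-rule isolation policy to a VM and show the result.
# Assumed: VM name, and one network adapter (-VMName would otherwise target all adapters).
$VMName = "MyVM"

# A dynamic MAC can change when the VM starts, which would silently turn the VM's Allow rule
# into a Deny. Pin it first (the VM must be off for the MAC change).
$nic = Get-VMNetworkAdapter -VMName $VMName | Select-Object -First 1
Set-VMNetworkAdapter -VMName $VMName -StaticMacAddress $nic.MacAddress
$mac = $nic.MacAddress -replace '(..)(?=.)', '$1-'   # 00155D0A0B0C -> 00-15-5D-0A-0B-0C

# Start from a clean slate so re-running the script does not stack duplicate rules.
Get-VMNetworkAdapterAcl -VMName $VMName | Remove-VMNetworkAdapterAcl

# 1. The VM's own MAC may send and receive (unicast to it, and its own outbound broadcasts).
Add-VMNetworkAdapterAcl -VMName $VMName -LocalMacAddress $mac -Direction Both -Action Allow
# 2. Broadcast frames may reach the VM (ARP requests, DHCP offers sent to ff:ff:ff:ff:ff:ff).
Add-VMNetworkAdapterAcl -VMName $VMName -LocalMacAddress FF-FF-FF-FF-FF-FF -Direction Inbound -Action Allow
# 3. Everything else is dropped in both directions; the specific MAC rules above take precedence
#    over the Any wildcard.
Add-VMNetworkAdapterAcl -VMName $VMName -LocalMacAddress Any -Direction Both -Action Deny

# Show what the switch port now enforces for this VM.
Get-VMNetworkAdapterAcl -VMName $VMName | Format-Table -AutoSize
```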

Page 29

MAC Address Spoofing (MacAddressSpoofing)
Network Protection

• Allows you to specify whether a VM is allowed to change its source MAC address for outgoing packets.

Page 30

How to implement this configuration

Set-VMNetworkAdapter -VMName MyVM -MacAddressSpoofing On

Page 31

Demo: Protecting against MAC spoofing attacks
Yuri Diogenes

Page 32

Scenario
• The Private Cloud tenant read the paper “A Solution for Private Cloud Security” from Microsoft and wants to ensure that his company reduces the likelihood that a man-in-the-middle attack can occur inside a tenant’s network
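An added example, not from the deck, that ties the DHCP Guard, Router Guard and MacAddressSpoofing slides together: it audits every VM adapter on the host for the three settings and enforces the tenant-protective values. Off is the default and the protective value for MacAddressSpoofing; the command on page 30 sets it On, which permits the VM to change its source MAC. The exempt VM name is an assumed value.

```powershell
# Added example: audit and enforce the per-adapter protections on every VM on this Hyper-V host.
# Protective values: DhcpGuard On (drop DHCP server replies coming from the VM), RouterGuard On
# (drop its router advertisements/redirects), MacAddressSpoofing Off (VM cannot forge its source MAC).
function Get-VMAdapterExposure {
    Get-VM | Get-VMNetworkAdapter | ForEach-Object {
        [pscustomobject]@{
            VMName             = $_.VMName
            Adapter            = $_.Name
            MacAddress         = $_.MacAddress
            DhcpGuard          = $_.DhcpGuard
            RouterGuard        = $_.RouterGuard
            MacAddressSpoofing = $_.MacAddressSpoofing
            Exposed            = ($_.DhcpGuard -ne 'On') -or ($_.RouterGuard -ne 'On') -or
                                 ($_.MacAddressSpoofing -ne 'Off')
        }
    }
}

# Report first: which adapters could currently act as a rogue DHCP server or router, or spoof MACs?
$report = Get-VMAdapterExposure
$report | Format-Table -AutoSize

# Then enforce. VMs that legitimately need an exception (a tenant's own DHCP server VM, or a guest
# running Network Load Balancing, which needs MAC spoofing) go in $Exempt; assumed name, not from the deck.
$Exempt = @("TenantDHCP01")
foreach ($row in $report | Where-Object { $_.Exposed -and $_.VMName -notin $Exempt }) {
    Set-VMNetworkAdapter -VMName $row.VMName -Name $row.Adapter `
        -DhcpGuard On -RouterGuard On -MacAddressSpoofing Off
}

# Re-run the audit; no non-exempt adapter should be listed any more.
Get-VMAdapterExposure | Where-Object { $_.Exposed -and $_.VMName -notin $Exempt }
```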

Page 33

Hyper-V Extensible Switch
Network Protection

• Open platform that lets multiple partners provide extensions that are written to standard Windows API frameworks.
• Partners include:
  • Cisco: Nexus 1000V & UCS Virtual Machine Fabric Extender (VM-FEX)
  • NEC: OpenFlow
  • 5nine: Virtual Firewall 3.0

Page 34

Demo: Enabling Security Settings in the Hyper-V Extensible Switch
Yuri Diogenes

Page 35

Scenario
• Contoso has plans to extend its Private Cloud infrastructure by enabling intrusion detection at the hypervisor level.
• The cloud architect wants to understand whether the current deployment has any built-in capability to implement that and, if not, how this can be done without changing the hypervisor.

Page 36

Resiliency

Page 37

What happens when hardware fails?

Page 38

Resiliency Approaches

App-Level Resiliency: application-controlled failover / guest clustering
• VMs designed to handle failures (e.g. guest clustering), or downtime is acceptable
• Lower-end industry-standard servers, single infrastructure
• Diagram: two stand-alone Hyper-V parents (parent + VMs), each behind its own switch

Infrastructure Resiliency: Hyper-V Failover Clustering
• VMs not designed to handle failures; H/A at the server level
• Failover clustering as another layer of protection
• High-end servers, redundant power and network gear
• Diagram: Hyper-V parents (parent + VMs) joined in a cluster behind redundant switches

Page 39

Hyper-V | Resiliency

Inbox Replication
Hyper-V Replica enables the replication of VMs from a primary to a secondary site for built-in disaster recovery

Incremental Backups
Perform agentless backup operations more quickly and easily while saving network bandwidth and disk space

Integrated NIC Teaming
Aggregate network adapters to increase throughput and provide redundancy in case of link failure

Page 40

Practical Scenario

Page 41

Converged Datacenter Network + File Server Storage

“Green Field”
• 10GbE network(s)
• File Server for VM storage
• Actual storage may be an existing FC/iSCSI SAN or JBODs + Storage Spaces
• Highlighted features: 10GbE w/ DCB, QoS, LBFO, Hyper-V over SMB, Spaces
• Note: LBFO & RDMA can’t coexist on the same NICs.
• Use of NIC Teaming & QoS/DCB

Diagram: a Hyper-V Server (Hyper-V Extensible Switch; VM 1 … VM n; live migration, cluster/storage and management traffic) connects over the 10GbE datacenter network, with NIC Teaming, OS QoS and DCB on both ends, to a File Server Cluster (cluster, storage and management traffic) backed by SAN / JBODs over SAS; the tenants network is a separate 1/10GbE network.

Page 42

Converged Datacenter Network + File Server Storage

• Documentation can be found at: http://technet.microsoft.com/en-us/library/hh831738.aspx

Page 43

What about the Management Layer?

Page 44

Solution for the Management Layer
System Center 2012 SP1

• Plan to embed security principles into the management layer, such as:
  • Role Based Access Control
  • Secure provisioning and deprovisioning
  • Secure elasticity
  • Secure automation

Page 45

Announcing

Learn more about our book at http://blogs.technet.com/b/security_talk/archive/2013/01/22/windows-server-2012-from-end-to-edge-and-beyond-the-book.aspx

Page 46

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.