Hyper-V Security Tips: Fix the Gaps You Never Knew About
Symon Perriman, @SymonPerriman, Symon@5nine.com, www.SymonPerriman.com
Thomas Maurer, @ThomasMaurer, www.ThomasMaurer.com

Security Threats to Virtualization

Security Threats for Hyper-V

Compute
• Denial of Memory or CPU

Network
• Virus, Malware, Trojan Horses, Denial of Service

Storage
• Data Breach or Loss, Denial of Data

Web
• Denial of Service

Active Persistent Threats
• Cross-Site Scripting (XSS), Man in the Middle
• Virtualized infrastructure attacks

“This class of threats called APT is so top of mind for each of us…we want to detect Advanced Persistent Threats and to be able to take action as an organization to isolate and protect ourselves.”
- Satya Nadella, Microsoft CEO, at Microsoft Ignite, May 2015

Virtualized Environments are Never Secure

Security for virtualization is different

New Threats
• End users / tenants
• Storage devices
• Network attacks

Unidentified Threats
• New signatures
• Time bomb / logic bomb

Most datacenters are already infected

Multi-Layered Agentless Security

• Virtual Firewall
• AV Detection on the Network
• AV Scan on the Disk
• Network Intrusion Detection
• Network Anomaly Analysis
• Extensible to Analytics Systems

Virtualization Security Best Practices

How a Threat Reaches a VM

Hyper-V Virtual Machines

Virtual Network Adapters

Virtual Switch

Hyper-V Host

Physical Network Adapter

Agentless Host-Level Protection

Automatic & Immediate Protection

Security for virtualized environments is different
Shared environments are never secure
It is impossible to guarantee security using traditional “endpoint protection”
• Requires installation
• Slows deployment
• Complicates management

Virtualized environments are dynamic
• Virtual machines
• Virtual disks
• Virtual networks
• Virtual switches

Abstract & Hide Security from Users

Non-technical users or the public are using your hardware
Remove the burden of security from the clients
• Manage security for the clients
• Update signatures for the clients
• Ensure the clients cannot disable security
  • Accidentally
  • Purposely with bad intentions

Centrally Manage Rules & Definitions

Use a recognized industry leader
• Antivirus / antimalware
• Intrusion detection

Set up a local proxy for extra security

Guarantee Isolation & Resource Access

Isolation and privacy are critical in a cloud
• An admin should not access a tenant’s VM
• A VM cannot affect the host
• A VM cannot affect another VM

Use Quality of Service (QoS) or throttling for memory, CPU, network & storage bandwidth
• Avoid Denial of <Resource> attacks
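
Added example (not from the original slides or the presenters' product): one way to apply the per-VM throttling described above with the built-in Hyper-V PowerShell module. The function name `Set-TenantVmLimit`, the VM name `tenant-vm01` and all limit values are assumptions made for illustration.

```powershell
#Requires -Modules Hyper-V
# Added example. 'tenant-vm01' and every limit value below are constructed
# placeholders; size them to the tenant's service tier.
function Set-TenantVmLimit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$VMName,
        [ValidateRange(1, 100)][int]$CpuMaxPercent = 50,
        [long]$MemoryMaxBytes   = 4GB,
        [long]$NetMaxBitsPerSec = 200000000,   # 200 Mbit/s
        [long]$DiskMaxIops      = 500
    )
    $vm = Get-VM -Name $VMName -ErrorAction Stop
    if (-not $PSCmdlet.ShouldProcess($VMName, 'Apply CPU/memory/network/storage caps')) { return }

    # CPU: cap the percentage of its virtual processors the VM may consume.
    Set-VMProcessor -VM $vm -Maximum $CpuMaxPercent

    # Memory: Dynamic Memory can only be switched on while the VM is off,
    # and the ceiling must not be below the startup amount.
    if ($vm.State -ne 'Off') {
        Write-Warning "$VMName is not off; memory ceiling left unchanged."
    } elseif ($vm.MemoryStartup -gt $MemoryMaxBytes) {
        Write-Warning "$VMName startup memory exceeds the ceiling; left unchanged."
    } else {
        Set-VMMemory -VM $vm -DynamicMemoryEnabled $true -MaximumBytes $MemoryMaxBytes
    }

    # Network: per-adapter ceiling in bits per second (0 would remove the cap).
    Get-VMNetworkAdapter -VM $vm | Set-VMNetworkAdapter -MaximumBandwidth $NetMaxBitsPerSec

    # Storage: per-virtual-disk ceiling in normalized IOPS.
    Get-VMHardDiskDrive -VM $vm | Set-VMHardDiskDrive -MaximumIOPS $DiskMaxIops

    # Read the settings back so the applied limits can be logged or audited.
    [pscustomobject]@{
        VM          = $VMName
        CpuMaxPct   = (Get-VMProcessor -VM $vm).Maximum
        MemoryMax   = (Get-VMMemory -VM $vm).Maximum
        NetMaxBps   = (Get-VMNetworkAdapter -VM $vm).BandwidthSetting.MaximumBandwidth
        DiskMaxIops = (Get-VMHardDiskDrive -VM $vm).MaximumIOPS
    }
}

# Dry run first: -WhatIf reports the target VM without changing anything.
Set-TenantVmLimit -VMName 'tenant-vm01' -WhatIf
```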

Protect All Virtual Networks

Traditional security protects traffic between hosts
• Does not protect traffic between VMs on the same host
• Threats can spread if one client becomes infected

Virtual Network Types
• External
• Internal
• Private

[Diagram label: Network Security Appliance]

Universal Virtual Firewall for all VMs

Intercept network traffic before it even gets to the VM
Manage traffic at the network protocol level
• TCP, UDP, GRE, ICMP, IGMP, etc.

Hyper-V Guest OS List: aka.ms/HyperVGuestOS

Server
• Windows Server 2016
• Windows Server 2012 R2
• Windows Server 2012
• Windows Server 2008 R2
• Home Server 2011
• Small Business Server 2011
• Windows Server 2003

Client
• Windows 10
• Windows 8.1
• Windows 8
• Windows 7
• Windows Vista
• Windows XP

Linux & UNIX
• CentOS
• Debian
• FreeBSD
• Oracle Linux
• Red Hat RHEL
• SUSE
• Ubuntu

Active Detection of Incoming Threats

Immediately identify incoming threats
• Unencrypted traffic
• Based on protocol

Automatically alert admins
• Email
• PowerShell
• Event Logs

Fast AV Scanning with No Performance Impact

Agent-based scanning causes “scanning storms”
• Decreases VM performance for all clients
• Reduces VM density on the hosts

Optimized scans use Change Block Tracking (CBT) driver
• Scan only changed blocks on the disk
• Scan up to 70x faster

Automate Security Task Management

• PowerShell support
• Task scheduling
• Enables scalability
• Ensures consistent SLAs
• Eliminates human error
• For tasks with high resource utilization, stagger the action to avoid performance impact

Enterprise High-Availability for Security

[Diagram labels: Hyper-V Hosts & Clusters; SQL Server; Security Management Server / VM; Redundant Management Group; SQL Server; SQL Cluster; Branch Office; SQL Server; Sync; Management Console | PowerShell | Azure Pack | System Center]

Inbound, Outbound & Internal Threat Protection

[Diagram labels: Hyper-V Hosts & Clusters; SQL Server; Security Management Server / VM; Public Internet]

[Charts: Normal Traffic; Unusual Traffic]

Extensible to Analytics Platforms

Hyper-V Hosts

SQL Server

Security Management Server / VM

Public Internet

On-Premises Analytics (Syslog)

Cloud-Based Analytics

System Center Integration

Centralized security management through System Center to protect Hyper-V Infrastructure and VMs

Automatically apply security policies to guarantee immediate protection for hosts and virtual machines

Accelerate and secure VM deployments with an agentless solution designed for Hyper-V

Monitor the infrastructure with Operations Manager

Scales to protect the largest enterprises running System Center and the Microsoft Cloud Platform

Azure Pack (WAP) Integration

Security as a Service (SECaaS) to protect your datacenter, your customers, and their clouds

Generate new revenue by offering a higher security tier

Meet the latest compliance and regulation requirements with multi-layered unified security

Automatically and immediately secure your tenants with non-invasive protection

Support more VMs and tenants on each host with the most efficient security solution for Hyper-V

Simplify security management for tenants through on/off buttons
• Firewall, Network Detection & Intrusion Detection
• Preconfigure firewall templates for different VM roles

*Azure Pack (WAP) allows you to run Azure services in your datacenter on your hardware

Benefits of Agentless Security

• Universal virtual firewall for all guest OSes
• Protect all virtual networks
• Detect inbound, outbound and internal attacks
• Fastest disk scans with least performance impact
• Automatic & immediate protection
• Centrally manage & update policies
• Remove burden from end users
• Security cannot be disabled

Summary

• Security for virtualization is different
• Protect your datacenter with a virtual firewall, antivirus, antimalware, and intrusion detection system
• Use an agentless solution for Hyper-V, System Center Virtual Machine Manager, and Azure Pack
• Use centralized management and reporting with industry standard signatures
• Email [email protected] for questions
