Hyper-V Security Tips: Protect yourself from vulnerabilities that you never knew existed
Symon Perriman, VP, Business Development, [email protected]
Alex Karavanov, Director of Sales, [email protected]
5nine Software, Inc.
www.5nine.com
Twitter @5nine_Software
Hyper-V Security Tips
• Introduction
• Firewall
• Antivirus & Antimalware
• Intrusion Detection
• Management
• Summary
Introduction
Meet the Speakers
Symon Perriman is 5nine Software’s VP of Business Development and Marketing. Previously he was Microsoft's Senior Technical Evangelist and worldwide technical lead covering Hyper-V, Windows Server, and System Center. He has trained millions of IT Professionals, holds several patents and dozens of industry certifications, and in 2013 he co-authored "Introduction to System Center 2012 R2 for IT Professionals" (Microsoft Press).
Contact [email protected] or Twitter @SymonPerriman
Alex Karavanov manages 5nine Software’s Sales Engineering team. He has been in the information security field for more than 10 years. Alex leads major 5nine Software management and security projects worldwide and aims to deliver the best efficiency and protection of virtual infrastructures, and to achieve the highest system performance and security level. He also holds multiple industry certifications.
Contact [email protected] or Twitter @5nine_Software
Meet 5nine Software
• Founded in 2009
• Headquartered in Chicago with offices worldwide
• More than 50,000 customers globally, representing companies and datacenters of all sizes
• The #1 leading solutions provider of security & management applications for Hyper-V environments
– 5nine Cloud Security - Agentless security for Hyper-V, System Center and Azure Pack
– 5nine Manager - Integrated Hyper-V and Cluster Management for SMB
– 5nine V2V Easy Converter - Free VMware to Hyper-V virtual machine migration tool
• www.5nine.com
Security Design for a Virtualized Environment
• Traditional endpoint security fails
– Installing agents inside every VM is impractical
– Securing every VM will affect the performance of the host and other VMs
• Virtual machines, networks and storage are dynamic
– Users can rapidly create and destroy virtualized resources
– Protection needs to be automatic and immediate
• Fabric admins lack full control over all resources
– Tenant VMs are often private and protected from fabric admins
• Security & compliance is critical to the business & reputation
– Many security and compliance regulations now consider virtualization & clouds
– Many threats target virtualized environments & clouds
– A security breach can ruin the reputation of a company
5nine Cloud Security - Architecture
[Diagram labels: Hyper-V Hosts; SQL Server; 5nine Cloud Security Management Server / VM; Hyper-V Cluster; 5nine Cloud Security Management: 5nine Console | PowerShell | Azure Pack Extension | SCVMM]
Firewall Challenges
• Windows Firewall not possible for all Hyper-V VMs
– Different requirements for Linux, VDI & Windows Server workloads
• Physical firewalls do not monitor private (internal) virtual networks
– Does not analyze private VM networks (“blind spots”) as the VM’s traffic does not leave the host
– Allows for security breaches to spread within a host
Firewall Best Practices
• Use a central point of management
– Use templates and apply global policies
– Use a database with reporting capabilities (such as SQL Server)
• Protect private virtual networks
– Physical firewalls are ineffective or complex
– Prevent threats from spreading across a host
• Protect at the host level
– Secure every supported Hyper-V guest OS
– Use the Hyper-V extensible switch in kernel mode to inspect, drop, modify, or insert packets
Hyper-V Extensible Switch
[Diagram labels: Hyper-V Virtual Machines; Virtual Network Adapters; Virtual Switch; Hyper-V Host; Physical Network Adapter]
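To find the private-network "blind spots" described in the firewall slides, the host can be asked which virtual NICs sit on non-external switches without any host-enforced ACL. This is an added example, not code from the presentation or from 5nine; the function name `Get-PrivateSwitchCoverage` is hypothetical, and it assumes the Hyper-V PowerShell module on Windows Server 2012 R2 or later.

```powershell
# Added example (not 5nine or Microsoft code). Run elevated on a Hyper-V host.
Import-Module Hyper-V

function Get-PrivateSwitchCoverage {
    # Private and internal switches carry VM-to-VM traffic that never
    # reaches a physical NIC, so a physical firewall cannot see it.
    $switches = Get-VMSwitch | Where-Object { $_.SwitchType -ne 'External' }
    $allNics  = Get-VM | Get-VMNetworkAdapter

    foreach ($sw in $switches) {
        # Extensions enabled on this switch (includes any filtering extension).
        $enabledExt = @(Get-VMSwitchExtension -VMSwitchName $sw.Name |
                        Where-Object { $_.Enabled })

        foreach ($nic in ($allNics | Where-Object { $_.SwitchName -eq $sw.Name })) {
            # Host-enforced port ACLs on this virtual NIC, if any.
            $acl    = @(Get-VMNetworkAdapterAcl -VMNetworkAdapter $nic)
            $extAcl = @(Get-VMNetworkAdapterExtendedAcl -VMNetworkAdapter $nic)

            [pscustomobject]@{
                Switch       = $sw.Name
                SwitchType   = $sw.SwitchType
                VM           = $nic.VMName
                Adapter      = $nic.Name
                PortAcls     = $acl.Count
                ExtendedAcls = $extAcl.Count
                Extensions   = ($enabledExt |
                    ForEach-Object { "$($_.Name) [$($_.ExtensionType)]" }) -join '; '
            }
        }
    }
}

# Adapters on non-external switches with no host-level ACL at all.
Get-PrivateSwitchCoverage |
    Where-Object { $_.PortAcls -eq 0 -and $_.ExtendedAcls -eq 0 } |
    Format-Table -AutoSize
```

An enabled extension in the `Extensions` column only shows that the extension is bound to the switch; whether it actually filters traffic depends on that product's own policy.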
Antivirus & Antimalware
Antivirus & Antimalware Challenges
• Admin may not have access to VM guest OS
– Tenant may remove or disable the agent
• Full scan on every VM is not recommended
– Scanning could cause a massive performance hit
– Very dense VM hosts may be overwhelmed by a “scanning storm”
– Could decrease VM performance due to high memory paging
– Could trigger live migration storms and other network disruptions
Warning! AV Scanning can cause VM Corruption
• Host scanning tools not designed for Hyper-V can cause corruption
• KB 961804 – Microsoft recommends not scanning folders with VM configuration files, VHDs, replicated disks, snapshots and executables
Antivirus & Antimalware Best Practices
• Protect at the host level
– Secure every supported Hyper-V guest OS
– Admin may not have access to VM guest OS
– Tenant may remove or disable the agent
• Use a solution designed for Hyper-V to avoid “blind spots” or VM corruption (KB 961804)
• Use industry-standard signatures
• Do not scan every VM
– Hosts may be overwhelmed by a “scanning storm”
– Use an agentless solution with Change Block Tracking (CBT) and staggered scans
Hyper-V Virtual Hard Disk Storage
• VHD on traditional SAN or Cluster Shared Volumes (CSV) disk: C:\ClusterStorage\Volume1\VM3
• VHD on DAS: F:\VM1
• VHD on SMB File Server: \\FileServer\VM4
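The KB 961804 guidance above only helps if the host scanner's exclusions match where the VMs actually live (CSV, DAS or SMB paths as listed). The following added example, which is not from the presentation or the KB text, compares the folders Hyper-V is really using against the exclusions configured in Microsoft Defender Antivirus; the use of Defender, the function name `Get-HyperVScanExclusionGap`, and the two process names (the Hyper-V management service and worker process) are assumptions not stated on the slides.

```powershell
# Added example (not from the deck). Assumes Microsoft Defender Antivirus on the host.
Import-Module Hyper-V

function Get-HyperVScanExclusionGap {
    $vmHost = Get-VMHost
    # Host defaults for VM configuration files and virtual hard disks.
    $paths = @($vmHost.VirtualMachinePath, $vmHost.VirtualHardDiskPath)

    foreach ($vm in Get-VM) {
        # Per-VM configuration and snapshot (checkpoint) folders.
        $paths += $vm.ConfigurationLocation, $vm.SnapshotFileLocation
        # Folders holding attached virtual disks; pass-through disks are skipped.
        $paths += Get-VMHardDiskDrive -VM $vm |
            Where-Object { $_.Path -match '\.a?vhdx?$' } |
            ForEach-Object { Split-Path -Path $_.Path -Parent }
    }
    $needed = $paths | Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique

    $pref = Get-MpPreference
    $have = @($pref.ExclusionPath | Where-Object { $_ } |
              ForEach-Object { $_.TrimEnd('\') })

    foreach ($p in $needed) {
        # Covered when the folder or one of its parents is excluded.
        $covered = $have | Where-Object {
            $p -eq $_ -or $p.StartsWith("$_\", [StringComparison]::OrdinalIgnoreCase)
        }
        if (-not $covered) { [pscustomobject]@{ Kind = 'Path'; Missing = $p } }
    }

    # Hyper-V management service and VM worker process executables.
    $haveProc = @($pref.ExclusionProcess | Where-Object { $_ } |
                  ForEach-Object { Split-Path -Path $_ -Leaf })
    foreach ($exe in 'Vmms.exe', 'Vmwp.exe') {
        if ($haveProc -notcontains $exe) {
            [pscustomobject]@{ Kind = 'Process'; Missing = $exe }
        }
    }
}

Get-HyperVScanExclusionGap | Format-Table -AutoSize
```

On Windows Server versions where Defender applies automatic role-based exclusions, those do not appear in `Get-MpPreference`, so a gap reported for a default path may already be covered.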
Intrusion Detection
Intrusion Detection Systems Challenges
• Hardware IDS monitors only internal and external network connections
– Does not analyze threats on private VM networks (“blind spots”)
– Allows for security breaches to spread within a host
• Cloud scaling challenges
– Slower detection
– Slower response
Intrusion Detection Systems Best Practices
• Use a software-based IDS solution designed for Hyper-V
– Dynamically scales with virtualization
– Does not analyze traffic on private virtual networks
– Secure every supported Hyper-V guest OS
• Use a central point of management
– Fast reporting, tracking, and consistent heuristics
• Protect against inbound and outbound threats
• Use industry-standard signatures (Cisco Snort)
IDS Reporting
[Diagram labels: Hyper-V Hosts; Database or SQL Server; 5nine Cloud Security Management Server / VM; On-Premises Analytics (Syslog); Cloud-Based Analytics; Public Internet]
Management Challenges
• New regulations for virtualization & cloud computing increase complexity
– Hosters and service providers must support their customers’ requirements
• Public clouds are not available to everyone
– Growing demand for Hyper-V hosting & service providers worldwide
• Self-service users must receive immediate protection without slowing deployment or adding complexity
Management Best Practices
• Protect at the host level
– Instantly protect a VM as soon as it is deployed
• Use supported software (Windows Server 2003 support ends in July, 2015)
• Use industry-standard policies, rules, filters, and log analytics
• Centralized management for an easy security and compliance audit
– Store in SQL and use SQL Server Reporting Services, or third-party analysis services and security analytics
5nine Cloud Security - Enterprise Architecture
[Diagram labels: Hyper-V Hosts; SQL Server; 5nine Cloud Security Management Server / VM; Hyper-V Cluster; Redundant Management Group; SQL Cluster; Branch Office; 5nine Sync; 5nine Cloud Security Management: 5nine Console | PowerShell | Azure Pack Extension | SCVMM]
Summary
• Virtualized infrastructure has special security considerations
• Protect your datacenter with a virtual firewall, antivirus, antimalware, and intrusion detection system
• 5nine Cloud Security offers the only agentless solution for Hyper-V, System Center Virtual Machine Manager and Azure Pack
• Use centralized management and reporting with industry standard signatures from Kaspersky, ThreatTrack Vipre, and Cisco Snort
How to Acquire 5nine Cloud Security
• www.5nine.com or [email protected]
• Cloud Security: http://www.5nine.com/CloudSecurity
• Licensing options
– Licensed per 2 CPUs
– Flexible pricing based on VM density
– Service provider licenses and volume discounts available
• Sales direct, online, or through resellers & solution integrators
Sales:
Phone US: +1 630-288-4700
Phone Europe: +44 (20) 7048-2021
Email: [email protected]
Technical Support:
Phone US/Canada Toll Free: +1 877-275-5232
Email: [email protected]
Fax: +1 732-203-1665
Mailing Address: 1385 Highway 35, STE 133, Middletown, NJ 07748 USA
5nine Software, Inc., Oak Brooke Pointe, 700 Commerce Drive Ste 500, Oak Brook, IL 60523
Copyright © 2015 | 5nine Software, Inc. | All Rights Reserved