HOW TO SECURE AN ENTIRE HYPER-V NETWORK
by Virtualization Evangelist
David Davis
TODAY’S SPEAKER
David Davis
• Video Training Author for www.Pluralsight.com, Blogger, Speaker
• CCIE, VCP, vExpert, and Former IT Manager of an enterprise datacenter
• My blog is www.VirtualizationSoftware.com
WHY IS SECURITY SO IMPORTANT IN VIRTUALIZATION?
• High-density servers: larger impact if compromised
• VM sprawl: instant provisioning, offline machines: more exposure points
• Intra-VM traffic: creates blind spots, threats bypass perimeter
• Dynamic IT loads: Live Migration, ever-changing security posture
SECURITY IN LAYERS
The OSI stack model has seven layers:
Layer 7: Application Layer
Layer 6: Presentation Layer
Layer 5: Session Layer
Layer 4: Transport Layer
Layer 3: Network Layer
Layer 2: Data Link Layer
Layer 1: Physical Layer
By default, when thinking about network security, there is something of a tendency to focus on issues at Layer 3.
However, in reality, we need to look both up and down the stack to address the security risks we face today.
TODAY’S NEED: ADDITIONAL LAYER OF HYPER-V PROTECTION
Multi-tenant protection
Network virtualization support
Control and protect intra-VM traffic
Stateful, deep packet inspection
Security follows VMs during Live Migration
Granular QoS
Aggregate, analyze, audit logs
Agentless, incremental scan
Orchestrate scans
Set thresholds to avoid AV storms
Centralized management
Proactive real-time monitoring
Application level protection
Isolate VMs: security policies
Leverage Hyper-V Extension
Manage Risk, Improve Protection, Ensure Compliance
Additional Security and Compliance Capabilities
5 BEST PRACTICES FOR SECURING HYPER-V
1. Isolate VMs with a virtual firewall
2. Use agentless anti-virus
3. Enforce compliance
4. Use intrusion detection system
5. Set up centralized management
1. ISOLATE VMS WITH A VIRTUAL FIREWALL
Virtual Machine 1
Virtual Machine 2
Virtual Machine 3
Web Servers Security Group
DB Servers Security Group
2. USE AGENTLESS ANTI-VIRUS
Common Full System Anti-Virus Scan
1. Scans all the files over and over again
2. Takes from 40 MINUTES up to SEVERAL HOURS
3. Consumes valuable IOPS and Virtual Machine resources, heavy impact on host performance
Incremental Anti-Virus Scan based on Changed Blocks Tracking (CBT)
1. Scans changes only
2. Takes from SECONDS up to 5-7 MINUTES
3. Does not consume any Virtual Machine resources, almost no effect on host performance
Real FULL System Scan Log of a Virtual Machine, Using CBT
This is what you want to see in a log after scanning a Virtual Machine:
Date          Scanning Time
20.02.2014    25 seconds
19.02.2014    15 seconds
17.02.2014    30 seconds
18.02.2014    12 seconds!
3. ENFORCE COMPLIANCE
Do regularly monitor and test networks/systems that have payment card data – IDS (Intrusion Detection System).
Do implement and enforce a company Information Security Policy.
Do install and keep up to date a firewall that protects cardholder data stored within company systems – Virtual Firewall.
Do use and regularly update anti-virus software – Anti-virus with agentless capabilities.
PCI-DSS, HIPAA, Sarbanes-Oxley
4. INTRUSION DETECTION
Real-time threat monitoring:
5. CENTRALIZED MANAGEMENT
Management Console
Anti-Virus
Virtual Firewall
IDS
5nine Cloud Security for Hyper-V
Agentless Anti-Virus/Anti-Malware
• Agentless: no degradation
• All versions of guest OS supported by Microsoft Hyper-V
• Fastest AV Scans available
• Orchestrate scans and set thresholds across VMs
• Staggered scanning
• Caching across VMs
• Centralized management
Agentless Intrusion Detection
• Industrial-strength
• Real-time threat monitoring
• Signature-based
• Block application-level attacks (WAF)
• Behavioral: build baseline for known attacks (WAF)
• Pro-active - detect, warn, block (WAF)
Agentless Virtual Firewall
• Isolate VMs: manage security programmatically per VM
• Control and protect inbound, outbound, intra-VM traffic
• Multi-Tenant protection and support of network virtualization
• Stateful, deep packet inspection
• Granular QoS
• Aggregate, analyze, audit logs
• Virtual Machine Security Groups
• User/Role - level access: support of Security and Auditor accounts
• Application-level protection against a wide range of exploits (WAF)
Enterprise-grade Aggregate security control
Simplified deployment
• Easy-to-use, powerful multi-layered protection for Hyper-V: anti-malware, virtual firewall, network filtering, intrusion detection and more - agentless and integrated with System Center 2012 R2
• Built from ground-up for Microsoft Windows Server Hyper-V
• Certified extension for the Hyper-V Extensible Switch
Agentless deployment
Light-speed incremental scans
Inbound/outbound traffic throttling
Log, analysis, audit
Isolate, harden and secure every VM, secure intra-VM traffic
Live Migration support
Protection and compliance by VM, user, application, organizational unit
[Diagram labels: VM, VM, VM; Hyper-V Switch Extension; Cloud Security; Windows Server Hyper-V Host; AV/AM; IDS]
SECURING THE MODERN DATACENTER
• Native: built from the ground-up for Windows Hyper-V
• Optimized for Windows Hyper-V
• Leverage Hyper-V Host vSwitch and Windows Filtering
• Agentless security approach
• Additional layer of protection and compliance
Security Built for Windows Server Hyper-V
• Integrated firewall, anti-virus/anti-malware, intrusion detection system
• Isolate and secure VMs by ID, names, org unit, user
• Support network virtualization and multi-tenant security
• Spot threats proactively
Multi-Layered Protection for Your VMs
• Centralized management and control of security and compliance
• Administration of policies, rules, filters
• Log and analysis with full audit
• Powerful, yet easy-to-use
• Armed for the unexpected
Relieve Admin Headache
• Lightweight agentless approach
• Maximize your consolidation ratio and density
• Won’t consume valuable Microsoft Hyper-V resources: no degradation of performance
• Supports Hyper-V 2012 R2, 2012: aligned with Hyper-V economics
Maximize Hyper-V Investment
WHY FORWARD-THINKING COMPANIES CHOOSE 5NINE
Intensified Effort: Manage Security, Risk and Compliance
QUESTIONS AND ANSWERS
Please put your questions into the chat box of the GoToWebinar window.
I am joined by: Alexander Karavanov, Virtualization Security Engineer, 5nine Software, Inc.
THANK YOU FOR JOINING!
Now you know how to secure an entire Hyper-V network in an optimal way.
Act now! Download your free trial of 5nine Cloud Security for Hyper-V from:
http://www.5nine.com/cloudsecurity
To request your personal product demo, please contact 5nine Software: [email protected]
+44 (20) 7048-2021 (7:00am-4:00pm GMT)