HOW TO SECURE AN ENTIRE HYPER-V NETWORK by Virtualization Evangelist David Davis

TODAY’S SPEAKER

David Davis

• Video Training Author for www.Pluralsight.com, Blogger, Speaker

• CCIE, VCP, vExpert, and Former IT Manager of an enterprise datacenter

• My blog is www.VirtualizationSoftware.com

WHY IS SECURITY SO IMPORTANT IN VIRTUALIZATION?

• High-density Servers: larger impact if compromised

• VM Sprawl: instant provisioning, offline machines, more exposure points

• Intra-VM Traffic: creates blind spots, threats bypass perimeter

• Dynamic IT Loads: Live Migration, ever-changing security posture

SECURITY IN LAYERS

The OSI stack model has seven layers:

• Layer 7: Application Layer

• Layer 6: Presentation Layer

• Layer 5: Session Layer

• Layer 4: Transport Layer

• Layer 3: Network Layer

• Layer 2: Data Link Layer

• Layer 1: Physical Layer

By default, when thinking about network security, there is something of a tendency to focus on issues at Layer 3.

However, in reality, we need to look both up and down the stack to address the security risks we face today.

TODAY’S NEED: ADDITIONAL LAYER OF HYPER-V PROTECTION

Multi-tenant protection

Network virtualization support

Control and protect intra-VM traffic

Stateful, deep packet inspection

Security follows VMs during Live Migration

Granular QoS

Aggregate, analyze, audit logs

Agentless, incremental scan

Orchestrate scans

Set thresholds to avoid AV storms

Centralized management

Proactive real-time monitoring

Application level protection

Isolate VMs: security policies

Leverage Hyper-V Extension

Manage Risk, Improve Protection, Ensure Compliance

Additional Security and Compliance Capabilities

5 BEST PRACTICES FOR SECURING HYPER-V 

1. Isolate VMs with a virtual firewall

2. Use agentless anti-virus

3. Enforce compliance

4. Use an intrusion detection system

5. Set up centralized management

1. ISOLATE VMS WITH A VIRTUAL FIREWALL

[Diagram: Virtual Machine 1, Virtual Machine 2 and Virtual Machine 3, with a Web Servers Security Group and a DB Servers Security Group]

2. USE AGENTLESS ANTI-VIRUS

Common Full System Anti-Virus Scan

1. Scans all the files over and over again

2. Takes from 40 MINUTES up to SEVERAL HOURS

3. Consumes valuable IOPS and Virtual Machine resources, heavy impact on host performance

Incremental Anti-Virus Scan based on Changed Blocks Tracking (CBT)

1. Scans changes only

2. Takes from SECONDS up to 5-7 MINUTES

3. Does not consume any Virtual Machine resources, almost no effect on host performance

Real FULL System Scans Log of a Virtual Machine, Using CBT

This is what you want to see in a log after scanning a Virtual Machine:

Date          Scanning Time
20.02.2014    25 seconds
19.02.2014    15 seconds
17.02.2014    30 seconds
18.02.2014    12 seconds!

3. ENFORCE COMPLIANCE

Do regularly monitor and test networks/systems that have payment card data – IDS (Intrusion Detection System).

Do implement and enforce a company Information Security Policy.

Do install and keep up to date a firewall that protects cardholder data stored within company systems – Virtual Firewall.

Do use and regularly update anti-virus software – Anti-virus with agentless capabilities.

PCI-DSS, HIPAA, Sarbanes-Oxley

4. INTRUSION DETECTION

Real-time threat monitoring:

5. CENTRALIZED MANAGEMENT

[Diagram: Management Console, Anti-Virus, Virtual Firewall, IDS]

5nine Cloud Security for Hyper-V

Agentless Anti-Virus/Anti-Malware

• Agentless: no degradation

• All versions of guest OS supported by Microsoft Hyper-V

• Fastest AV Scans available

• Orchestrate scans and set thresholds across VMs

• Staggered scanning

• Caching across VMs

• Centralized management

Agentless Intrusion Detection

• Industrial-strength

• Real-time threat monitoring

• Signature-based

• Block application-level attacks (WAF)

• Behavioral: build baseline for known attacks (WAF)

• Pro-active - detect, warn, block (WAF)

Agentless Virtual Firewall

• Isolate VMs: manage security programmatically per VM

• Control and protect inbound, outbound, intra-VM traffic

• Multi-Tenant protection and support of network virtualization

• Stateful, deep packet inspection

• Granular QoS

• Aggregate, analyze, audit logs

• Virtual Machine Security Groups

• User/Role-level access: support of Security and Auditor accounts

• Application-level protection against a wide range of exploits (WAF)

Enterprise-grade Aggregate security control

Simplified deployment

• Easy-to-use, powerful multi-layered protection for Hyper-V: anti-malware, virtual firewall, network filtering, intrusion detection and more - agentless and integrated with System Center 2012 R2

• Built from ground-up for Microsoft Windows Server Hyper-V

• Certified extension for the Hyper-V Extensible Switch

Agentless deployment

Light-speed incremental scans

Inbound/outbound traffic throttling

Log, analysis, audit

Isolate, harden and secure every VM, secure intra-VM traffic

Live Migration support

Protection and compliance by VM, user, application, organizational unit

[Diagram: VMs, Hyper-V Switch Extension, Cloud Security (AV/AM, IDS), Windows Server Hyper-V Host]

SECURING THE MODERN DATACENTER

• Native: built from the ground-up for Windows Hyper-V

• Optimized for Windows Hyper-V

• Leverage Hyper-V Host vSwitch and Windows Filtering

• Agentless security approach

• Additional layer of protection and compliance

Security Built for Windows Server Hyper-V

• Integrated firewall, anti-virus/anti-malware, intrusion detection system

• Isolate and secure VMs by ID, names, org unit, user

• Support network virtualization and multi-tenant security

• Spot threats proactively

Multi-Layered Protection for Your VMs

• Centralized management and control of security and compliance

• Administration of policies, rules, filters

• Log and analysis with full audit

• Powerful, yet easy-to-use

• Armed for the unexpected

Relieve Admin Headache

• Lightweight agentless approach

• Maximize your consolidation ratio and density

• Won’t consume valuable Microsoft Hyper-V resources: no degradation of performance

• Supports Hyper-V 2012 R2, 2012: aligned with Hyper-V economics

Maximize Hyper-V Investment

WHY FORWARD-THINKING COMPANIES CHOOSE 5NINE

Intensified Effort: Manage Security, Risk and Compliance

QUESTIONS AND ANSWERS

Please put your questions into the chat box of the GoToWebinar window.

I am joined by: Alexander Karavanov, Virtualization Security Engineer, 5nine Software, Inc.

THANK YOU FOR JOINING!

Now you know how to secure an entire Hyper-V network in an optimal way.

Act now! Download your free trial of 5nine Cloud Security for Hyper-V from:

http://www.5nine.com/cloudsecurity

To request your personal product demo, please contact 5nine Software: [email protected]

+44 (20) 7048-2021 (7:00am-4:00pm GMT)