HOW TO SECURE AN ENTIRE HYPER-V NETWORK by Virtualization Evangelist David Davis
TODAY’S SPEAKER
David Davis
- Video Training Author for www.Pluralsight.com
- Blogger, Speaker
- CCIE, VCP, vExpert, and Former IT Manager of an enterprise datacenter
- My blog is
WHY IS SECURITY SO IMPORTANT IN VIRTUALIZATION?
- High-density servers: larger impact if compromised
- VM sprawl: instant provisioning, offline machines, more exposure points
- Intra-VM traffic: creates blind spots, threats bypass the perimeter
- Dynamic IT loads: Live Migration, ever-changing security posture
SECURITY IN LAYERS
The OSI stack model has seven layers:
- Layer 7: Application Layer
- Layer 6: Presentation Layer
- Layer 5: Session Layer
- Layer 4: Transport Layer
- Layer 3: Network Layer
- Layer 2: Data Link Layer
- Layer 1: Physical Layer
By default, when thinking about network security, there is something of a tendency to focus on issues at Layer 3. However, in reality, we need to look both up and down the stack to address the security risks we face today.
TODAY’S NEED: ADDITIONAL LAYER OF HYPER-V PROTECTION
Additional Security and Compliance Capabilities:
- Multi-tenant protection
- Network virtualization support
- Control and protect intra-VM traffic
- Stateful, deep packet inspection
- Security follows VMs during Live Migration
- Granular QoS
- Aggregate, analyze, audit logs
- Agentless, incremental scan
- Orchestrate scans
- Set thresholds to avoid AV storms
- Centralized management
- Proactive real-time monitoring
- Application level protection
- Isolate VMs: security policies
- Leverage Hyper-V Extension
Manage Risk, Improve Protection, Ensure Compliance
5 BEST PRACTICES FOR SECURING HYPER-V
1. Isolate VMs with a virtual firewall
2. Use agentless anti-virus
3. Enforce compliance
4. Use intrusion detection system
5. Set up centralized management
1. ISOLATE VMS WITH A VIRTUAL FIREWALL
2. USE AGENTLESS ANTI-VIRUS
Performance
Common Full System Anti-Virus Scan:
1. Scans all the files over and over again
2. Takes from 40 MINUTES up to SEVERAL HOURS
3. Consumes valuable IOPS and Virtual Machine resources, heavy impact on host performance
Incremental Anti-Virus Scan based on Changed Blocks Tracking (CBT):
1. Scans changes only
2. Takes from SECONDS up to 5-7 MINUTES
3. Does not consume any Virtual Machine resources, almost no effect on host performance
Real FULL System Scans Log of Virtual Machine, Using CBT
This is what you want to see in a log after scanning a Virtual Machine!
[Log table with columns Date and Scanning Time (seconds); values not preserved]
3. ENFORCE COMPLIANCE
PCI-DSS, HIPAA, Sarbanes-Oxley
- Do regularly monitor and test networks/systems that have payment card data: IDS (Intrusion Detection System).
- Do implement and enforce a company Information Security Policy.
- Do install and keep up to date a firewall that protects cardholder data stored within company systems: Virtual Firewall.
- Do use and regularly update anti-virus software: anti-virus with agentless capabilities.
4. INTRUSION DETECTION
Real-time threat monitoring:
5. CENTRALIZED MANAGEMENT
- Management Console
- Anti-Virus
- Virtual Firewall
- IDS
5nine Cloud Security for Hyper-V
Agentless Anti-Virus/Anti-Malware:
- Agentless: no degradation
- All versions of guest OS supported by Microsoft Hyper-V
- Fastest AV scans available
- Orchestrate scans and set thresholds across VMs
- Staggered scanning
- Caching across VMs
- Centralized management
Agentless Intrusion Detection:
- Industrial-strength
- Real-time threat monitoring
- Signature-based
- Block application-level attacks (WAF)
- Behavioral: build baseline for known attacks (WAF)
- Proactive: detect, warn, block (WAF)
Agentless Virtual Firewall:
- Isolate VMs: manage security programmatically per VM
- Control and protect inbound, outbound, intra-VM traffic
- Multi-tenant protection and support of network virtualization
- Stateful, deep packet inspection
- Granular QoS
- Aggregate, analyze, audit logs
- Virtual Machine Security Groups
- User/role-level access: support of Security and Auditor accounts
- Application-level protection against a wide range of exploits (WAF)
Overall:
- Enterprise-grade
- Aggregate security control
- Simplified deployment
SECURING THE MODERN DATACENTER
Easy-to-use, powerful multi-layered protection for Hyper-V: anti-malware, virtual firewall, network filtering, intrusion detection and more, agentless and integrated with System Center 2012 R2
- Built from the ground up for Microsoft Windows Server Hyper-V
- Certified extension for the Hyper-V Extensible Switch
- Agentless deployment
- Light-speed incremental scans
- Inbound/outbound traffic throttling
- Log, analysis, audit
- Isolate, harden and secure every VM, secure intra-VM traffic
- Live Migration support
- Protection and compliance by VM, user, application, organizational unit
[Diagram labels: VM, Hyper-V Switch Extension, Cloud Security, Windows Server Hyper-V Host, AV/AM, IDS]
WHY FORWARD-THINKING COMPANIES CHOOSE 5NINE
Intensified Effort: Manage Security, Risk and Compliance
Security Built for Windows Server Hyper-V:
- Native: built from the ground up for Windows Hyper-V
- Optimized for Windows Hyper-V
- Leverage Hyper-V Host vSwitch and Windows Filtering
- Agentless security approach
- Additional layer of protection and compliance
Multi-Layered Protection for Your VMs:
- Integrated firewall, anti-virus/anti-malware, intrusion detection system
- Isolate and secure VMs by ID, names, org unit, user
- Support network virtualization and multi-tenant security
- Spot threats proactively
Relieve Admin Headache:
- Centralized management and control of security and compliance
- Administration of policies, rules, filters
- Log and analysis with full audit
- Powerful, yet easy-to-use
- Armed for the unexpected
Maximize Hyper-V Investment:
- Lightweight agentless approach
- Maximize your consolidation ratio and density
- Won’t consume valuable Microsoft Hyper-V resources: no degradation of performance
- Supports Hyper-V 2012 R2, 2012: aligned with Hyper-V economics
QUESTIONS AND ANSWERS
Please put your questions into the chat box of the GoToWebinar window:
I am joined by: Alexander Karavanov, Virtualization Security Engineer, 5nine Software, Inc.
THANK YOU FOR JOINING!
Now you know how to secure an entire Hyper-V network in an optimal way. Act now!
Download your free trial of 5nine Cloud Security for Hyper-V from:
To request your personal product demo, please contact 5nine Software: +44 (20) (7:00am-4:00pm GMT)