Slide 1: Hack Hyper-V: How to Protect your Microsoft Private Cloud
Microsoft Ignite 2016, session BRK3339
Symon Perriman, VP of Business Development, 5nine Software; President, FanWide; Hyper-V MVP; @SymonPerriman
© 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Slide 2: Security for Virtualization is Different
Traditional Datacenter:
- Static server hardware rarely changes
- Agent-based protection is simple
- Admins have access to servers
- Extra capacity for AV scans
Virtualized Datacenter:
- Virtual machines are dynamic
- Agent-based protection is impractical
- Admins may not access tenant VMs
- Hosts at capacity will slow with AV scans
Slide 3: Virtualized Environments are Never Secure
- Security is more than just antivirus
- New threats: end users / tenants; portable storage devices; network attacks
- Unidentified threats: new signatures; time bomb / logic bomb
- Most datacenters are already infected
Slide 4: Security Threats for Hyper-V
- Compute: denial of memory or CPU
- Network: virus, malware, Trojan horses, denial of service
- Storage: data breach or loss, denial of data
- Web: denial of service, advanced persistent threats, cross-site scripting (XSS), man in the middle
- Virtualized infrastructure attacks
“This class of threats called APT is so top of mind for each of us…we want to detect Advanced Persistent Threats and to be able to take action as an organization to isolate and protect ourselves.” - Satya Nadella, Microsoft CEO at Microsoft Ignite - May, 2015
Slide 5: How a Threat Reaches a VM
(Diagram: Physical Network Adapter -> Hyper-V Host -> Virtual Switch -> Virtual Network Adapters -> Virtual Machines (VMs); traffic is shown crossing two Hyper-V hosts)
Slide 6: Security using the Hyper-V Extensible Switch
(Diagram only)
Slide 7: Multiple Layers of Security
- Host protection
- Automatic virtual machine and network protection
- Virtual firewall
- AV detection on the network
- AV scan on the disk
- Network intrusion detection
- Network anomaly analysis
- Logging extensible to analytics systems
Slide 8: Use Agentless Protection
- Security agent installed on each Hyper-V host, not on VMs
- Minimizes excessive resource consumption and contention, such as AV storms
- Simplifies Virtual Desktop Infrastructure (VDI) management
- No security component is required to run inside the VM
  - Users never see security alerts
  - Users never have to update signatures
  - Users never have to run security scans
  - Users can never disable security
  - Users will not even notice that they are being protected
- Administrators no longer need access to every VM
- Centralized management, notifications, signature updates
- Ideal for service providers to ensure compliance and tenant privacy
Slide 9: Host Protection
- Many users run their entire infrastructure on Hyper-V, so protecting hosts is critical
- Host protection prevents the physical infrastructure from being attacked
- Physical NICs must be connected to the virtual infrastructure for 5nine Cloud Security to filter traffic
- Integrated multi-layered security in one package: virtual firewall; antivirus and antimalware; intrusion detection (IDS); network analytics
Slide 10: Encrypt all Storage with BitLocker
- BitLocker encrypted cluster disks
  - Support for traditional failover disks
  - Support for Cluster Shared Volumes
- Enables physical security for deployments outside of secure datacenters (e.g. branch office deployments)
- Volume level encryption for compliance requirements
- Negligible (<1%) performance impact
Slide 11: DHCP Guard, Router Guard, Monitor Port
- DHCP Guard: a security feature that drops DHCP server messages from unauthorized virtual machines pretending to be DHCP servers.
- Router Guard: a security feature that drops Router Advertisement and Redirection messages from unauthorized virtual machines pretending to be routers.
- Monitor Mode: duplicates all egress and ingress traffic to/from one or more switch ports (being monitored) to another switch port (performing monitoring).
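The three switch-port features on this slide are all per-adapter settings of the Hyper-V virtual switch. The script below is an added example, not part of the presentation or of 5nine's product: it audits every VM adapter on a host with the built-in Hyper-V PowerShell module, turns both guards on for any VM that is not on an allow list, and mirrors tenant traffic to a monitoring VM. The VM and switch names are constructed assumptions.

```powershell
# Added example, not from the presentation: audit and enforce DHCP Guard,
# Router Guard and port mirroring with the built-in Hyper-V PowerShell module.
# VM and switch names are constructed assumptions; adjust to your environment.

$AllowedDhcpServers = @('DHCP01')        # assumption: VMs legitimately serving DHCP
$AllowedRouters     = @('RRAS01')        # assumption: VMs legitimately acting as routers
$MonitorVm          = 'IDS01'            # assumption: VM running the IDS sensor
$TenantSwitch       = 'External-Tenant'  # assumption: tenant-facing virtual switch

# Every VM adapter gets both guards unless the VM is on an allow list.
foreach ($adapter in Get-VM | Get-VMNetworkAdapter) {
    $vm = $adapter.VMName
    $wantDhcp   = if ($AllowedDhcpServers -contains $vm) { 'Off' } else { 'On' }
    $wantRouter = if ($AllowedRouters     -contains $vm) { 'Off' } else { 'On' }

    # Log drift before correcting it so each run leaves an audit trail.
    if ($adapter.DhcpGuard -ne $wantDhcp -or $adapter.RouterGuard -ne $wantRouter) {
        Write-Output ('{0}/{1}: DhcpGuard {2}->{3}, RouterGuard {4}->{5}' -f
            $vm, $adapter.Name, $adapter.DhcpGuard, $wantDhcp, $adapter.RouterGuard, $wantRouter)
        $adapter | Set-VMNetworkAdapter -DhcpGuard $wantDhcp -RouterGuard $wantRouter
    }
}

# Port mirroring (the slide's "monitor mode"): copy tenant traffic to the IDS VM.
# Mirroring only works between ports on the same virtual switch, so scope it.
Get-VMNetworkAdapter -VMName * | Where-Object { $_.SwitchName -eq $TenantSwitch } |
    ForEach-Object {
        $mode = if ($_.VMName -eq $MonitorVm) { 'Destination' } else { 'Source' }
        if ($_.PortMirroringMode -ne $mode) {
            Set-VMNetworkAdapter -VMNetworkAdapter $_ -PortMirroring $mode
        }
    }
```

Run it from an elevated session on each host (or wrap it in Invoke-Command); the drift lines it prints are the evidence that a tenant VM had been reconfigured to pose as a DHCP server or router.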
Slide 12: Protect Customer Data
- Administrators of any seized or infected host can access guest virtual machines
- Hardware-rooted technologies separate the guest operating system from host administrators
- Virtual Secure Mode: process and memory access protection from the host
- Guarded fabric: identify legitimate hosts and certify them to run shielded tenant Generation 2 VMs; it is impossible to identify legitimate hosts without hardware-based verification
- Host Guardian Service: the enabler to run Shielded Virtual Machines on a legitimate host in the fabric ("trust the host")
- Storage: virtualized trusted platform module (vTPM) support to encrypt virtual machines; tenant VMs are exposed to storage and network attacks while unencrypted
(Diagram: the host OS and hypervisor/fabric layers, owned by the provider, versus the customer's VM OS, data and workload; Shielded VM and BitLocker-enabled VM running on a guarded fabric backed by the Host Guardian Service)
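The slide lists the protections (shielding, vTPM, encrypted migration, BitLocker on the host volumes) but not how to tell which VMs actually have them. The script below is an added example, not from the presentation or from 5nine: it builds a per-VM posture report on one host using only the built-in Hyper-V and BitLocker modules (Windows Server 2016 or later) and warns on the two gaps this slide is about. The CSV path pattern is an assumption about the default layout.

```powershell
# Added example, not from the presentation: report which VMs on this host are
# actually covered by shielding, vTPM and host-side BitLocker, using only the
# built-in Hyper-V and BitLocker modules (Windows Server 2016 or later).

$report = foreach ($vm in Get-VM) {
    $sec  = Get-VMSecurity -VM $vm
    $disk = $vm | Get-VMHardDiskDrive | Select-Object -First 1
    [pscustomobject]@{
        VM                 = $vm.Name
        Generation         = $vm.Generation   # shielding requires Generation 2
        Shielded           = $sec.Shielded    # key protector bound to HGS; host admins locked out of the console
        vTPM               = $sec.TpmEnabled  # lets the guest run BitLocker on its own disks
        EncryptedMigration = $sec.EncryptStateAndVmMigrationTraffic
        DiskPath           = $disk.Path       # where the VHDX lives; used for the BitLocker check below
    }
}

# Gap 1: Generation 2 VMs that could be shielded or vTPM-protected but are not.
$report | Where-Object { $_.Generation -eq 2 -and -not $_.Shielded -and -not $_.vTPM } |
    ForEach-Object { Write-Warning "$($_.VM): Gen 2 VM with no vTPM or shielding; data readable by host admins" }

# Gap 2: VM storage volumes without BitLocker protection turned on.
# Assumption: CSV paths look like C:\ClusterStorage\VolumeN\...; other disks use the drive root.
$mountPoints = $report.DiskPath | Where-Object { $_ } | ForEach-Object {
    if ($_ -match '^([A-Za-z]:\\ClusterStorage\\[^\\]+)') { $Matches[1] }
    else { Split-Path -Path $_ -Qualifier }
} | Sort-Object -Unique

foreach ($mp in $mountPoints) {
    $bl = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
    if (-not $bl -or $bl.ProtectionStatus -ne 'On') {
        Write-Warning "$mp holds VM disks but BitLocker protection is not On"
    }
}

$report | Format-Table -AutoSize
```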
Slide 13: Automatic & Immediate Protection
- Many virtualized environments are dynamic: virtual machines, virtual disks, virtual networks, virtual switches
- Shared environments are never secure
- It is impossible to guarantee security using traditional “endpoint protection”: it requires installation, slows deployment, and complicates management
Slide 14: Centrally Manage Rules & Definitions
- Use a recognized industry leader for antivirus / antimalware and intrusion detection
- Set up a local proxy for downloading updates so your hosts are not connected to the Internet
(Slide credit: ©2016 Snort and the Snort Pig are registered trademarks of Cisco. All rights reserved.)
Slide 15: Guarantee Isolation & Resource Access
- Isolation and privacy are critical in a cloud
  - An admin should not access a tenant’s VM
  - A VM cannot affect the host
  - A VM cannot affect another VM
- Use Quality of Service (QoS) or throttling for memory, CPU, network & storage bandwidth
- Avoid Denial of <Resource> attacks
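The "Denial of <Resource>" point maps directly onto Hyper-V's per-VM QoS knobs. The script below is an added example, not from the presentation or from 5nine: it caps one tenant VM's CPU, memory, network and storage share with the built-in Hyper-V cmdlets and then reads the settings back for audit. The VM name and the limit values are constructed assumptions.

```powershell
# Added example, not from the presentation: cap a single tenant VM's share of
# CPU, memory, network and storage so one noisy or compromised guest cannot
# deny those resources to the host or its neighbours. The VM name and the
# limits are constructed assumptions; size them from the tenant's SLA.
# Run with the VM powered off: changing the dynamic-memory mode needs that.

$VmName = 'Tenant-Web01'

# CPU: a reserve keeps neighbours from starving this VM, a maximum keeps this
# VM from monopolising the host. Both are percentages of the assigned vCPUs.
Set-VMProcessor -VMName $VmName -Reserve 10 -Maximum 50 -RelativeWeight 100

# Memory: dynamic memory with a hard ceiling bounds how far the guest can grow.
Set-VMMemory -VMName $VmName -DynamicMemoryEnabled $true `
    -StartupBytes 2GB -MinimumBytes 1GB -MaximumBytes 4GB

# Network: per-adapter bandwidth ceiling in bits per second (200 Mbps here).
Set-VMNetworkAdapter -VMName $VmName -MaximumBandwidth 200000000

# Storage: per-VHD IOPS floor and ceiling (Storage QoS, normalised 8 KB IOPS).
Get-VMHardDiskDrive -VMName $VmName |
    Set-VMHardDiskDrive -MinimumIOPS 100 -MaximumIOPS 2000

# Read back what is actually in effect so the policy can be audited later.
[pscustomobject]@{
    VM               = $VmName
    CpuReserve       = (Get-VMProcessor -VMName $VmName).Reserve
    CpuMaximum       = (Get-VMProcessor -VMName $VmName).Maximum
    MaxMemoryGB      = (Get-VMMemory -VMName $VmName).Maximum / 1GB
    MaxBandwidthMbps = (Get-VMNetworkAdapter -VMName $VmName |
                        Select-Object -First 1).BandwidthSetting.MaximumBandwidth / 1e6
    MaxIOPS          = (Get-VMHardDiskDrive -VMName $VmName | Select-Object -First 1).MaximumIOPS
}
```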
Slide 16: Protect All Virtual Networks
- Traditional security protects traffic between hosts
- It does not protect traffic between VMs on the same host
- Threats can spread if one client becomes infected
- Virtual network types: external, internal, private
(Diagram: a network security appliance placed between the virtual network types)
Slide 17: Universal Virtual Firewall for all VMs
- Intercept network traffic before it even gets to the VM
- Manage traffic at the network protocol level: TCP, UDP, GRE, ICMP, IGMP, etc.
- Guest operating systems covered:
  - Server: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Home Server 2011, Small Business Server 2011, Windows Server 2003
  - Client: Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows XP
  - Linux & UNIX: CentOS, Debian, FreeBSD, Oracle Linux, Red Hat RHEL, SUSE, Ubuntu
Slide 18: Active Detection of Incoming Threats
- Immediately identify incoming threats: unencrypted traffic, based on protocol
- Automatically alert admins: PowerShell, Event Logs
Slide 19: Fast AV Scanning with No Performance Impact
- Agent-based scanning causes “scanning storms”: decreases VM performance for all clients and reduces VM density on the hosts
- Optimized scans use a Change Block Tracking (CBT) driver: scan only changed blocks on the disk, up to 70x faster
Slide 20: Automate Security Task Management
- PowerShell support
- Task scheduling: enables scalability, ensures consistent SLAs, eliminates human error
- For tasks with high resource utilization, stagger the action to avoid performance impact
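One way to put the last bullet into practice, as an added example that is not from the presentation or from 5nine: register the same nightly scan task on several Hyper-V hosts with a staggered start time and a hard execution time limit, using the built-in ScheduledTasks module. The host names and the script path are constructed assumptions; the script itself would wrap whatever scan cmdlet your security product exposes.

```powershell
# Added example, not from the presentation: register one nightly
# resource-heavy task (here an AV scan script) on several Hyper-V hosts with a
# staggered start, so the hosts do not all hit shared storage at once.
# Host names and the script path are constructed assumptions.

$Hosts       = @('HV01', 'HV02', 'HV03', 'HV04')
$ScriptPath  = 'C:\SecOps\Invoke-NightlyScan.ps1'  # assumption: wraps the vendor's scan cmdlet
$WindowStart = [datetime]'02:00'                   # start of the maintenance window
$Stagger     = [timespan]::FromMinutes(20)         # gap between consecutive hosts

# Compute each host's start time up front so the schedule is easy to review.
$schedule = for ($i = 0; $i -lt $Hosts.Count; $i++) {
    [pscustomobject]@{
        Host    = $Hosts[$i]
        StartAt = $WindowStart.AddTicks($Stagger.Ticks * $i)
    }
}
$schedule | Format-Table -AutoSize

foreach ($entry in $schedule) {
    Invoke-Command -ComputerName $entry.Host -ArgumentList $entry.StartAt, $ScriptPath -ScriptBlock {
        param([datetime]$StartAt, [string]$Script)
        $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                       -Argument "-NoProfile -NonInteractive -File `"$Script`""
        $trigger = New-ScheduledTaskTrigger -Daily -At $StartAt
        # A hard time limit keeps a hung scan from running into business hours,
        # and IgnoreNew stops a second copy from piling onto a still-running one.
        $settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 3) `
                        -MultipleInstances IgnoreNew
        Register-ScheduledTask -TaskName 'SecOps-NightlyScan' -Action $action -Trigger $trigger `
            -Settings $settings -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
    }
}
```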
Slide 21: Inbound, Outbound & Internal Threat Protection
(Diagram: Security Management Server with its database, Hyper-V hosts, and the public Internet; normal traffic and unusual traffic flows are distinguished)
Slide 22: Extensible to Analytics Platforms
(Diagram: Security Management Server with its database and Hyper-V hosts feeding both on-premises analytics and cloud-based analytics over the public Internet)
Slide 23: Enterprise High-Availability for Security
(Diagram: Security Management Server / VM, managed via Management Console | PowerShell | Azure Pack | System Center; a redundant management group with SQL cluster sync across SQL Servers, covering Hyper-V hosts and clusters including a branch office)
Slide 24: System Center Integration
- Centralized security management through System Center to protect Hyper-V infrastructure and VMs
- Automatically apply security policies to guarantee immediate protection for hosts and virtual machines
- Accelerate and secure VM deployments with an agentless solution designed for Hyper-V
- Monitor the infrastructure with Operations Manager
- Scales to protect the largest enterprises running System Center and the Microsoft Cloud Platform
Slide 25: Azure Pack (WAP) Integration
- Security as a Service (SECaaS) to protect your datacenter, your customers, and their clouds
- Generate new revenue by offering a higher security tier
- Meet the latest compliance and regulation requirements with multi-layered unified security
- Automatically and immediately secure your tenants with non-invasive protection
- Support more VMs and tenants on each host with the most efficient security solution for Hyper-V
- Simplify security management for tenants through on/off buttons: firewall, network detection & intrusion detection
- Preconfigure firewall templates for different VM roles
Slide 26: Meet Compliance & Regulation Requirements
- Virtualization infrastructure has compliance and regulation standards
- Hackers and threats are targeting virtualized datacenters and clouds
- Meet expected compliance and regulation standards
  - Meet customers’ guidelines to operate in new markets
  - Increase your own potential customer base
- Tenants expect privacy and require nonintrusive management
  - No requirement for anything to be installed inside the VM
  - Makes deployment faster and more secure
  - Security is centrally managed without requiring access to the VM
  - Tenant does not need to run security maintenance tasks
- User and system change logging
Slide 27: Introducing 5nine Cloud Security 8.1
Ensure Security and Compliance for Your Hyper-V Infrastructures
- Advanced protection for Hyper-V Server 2016, Windows Server 2016, and Server Core 2016
- Increase protection through non-intrusive, agentless virus scans
- Save time and resources with faster synchronization, monitoring and notifications
- Detect threats faster using simplified IDS analytics and alerts
- Streamline upgrades, policy and PowerShell administration
- Ensure compliance and simplify reporting with enhanced logging
Visit Booth #2067 or scan on exit. Get your free 30-day trial.
Slide 28: Summary
- Security for virtualization is different
- Protect your datacenter with a virtual firewall, antivirus, antimalware, and intrusion detection system
- Use an agentless solution for Hyper-V, System Center Virtual Machine Manager, and Azure Pack
- Use centralized management and reporting with industry standard signatures
Questions?
Slide 29: Free IT Pro resources to advance your career in cloud technology
- Plan your career path: Microsoft IT Pro Career Center (cloud role mapping, expert advice on skills needed, self-paced curriculum by cloud role)
- Get started with Azure: Microsoft IT Pro Cloud Essentials ($300 Azure credits and extended trials, Pluralsight 3 month subscription (10 courses), phone support incident)
- Demos and how-to videos: Microsoft Mechanics (weekly short videos and insights from Microsoft’s leaders and engineers)
- Connect with peers and experts: Microsoft Tech Community (connect with a community of peers and Microsoft experts)
Slide 30: Please evaluate this session
Your feedback is important to us! From your PC or Tablet visit MyIgnite at
From your phone download and use the Ignite Mobile App by scanning the QR code above or visiting