Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hack Hyper-V: How to Protect your Microsoft Private Cloud

Published byFelicity Spencer Modified over 6 years ago

Similar presentations

Presentation on theme: "Hack Hyper-V: How to Protect your Microsoft Private Cloud"— Presentation transcript:

1 Hack Hyper-V: How to Protect your Microsoft Private Cloud
Microsoft Ignite 2016 6/24/2018 9:43 AM BRK3339 Hack Hyper-V: How to Protect your Microsoft Private Cloud Symon Perriman VP of Business Development, 5nine Software President, FanWide Hyper-V MVP @SymonPerriman © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Security for Virtualization is Different
Traditional Datacenter Virtualized Datacenter Static server hardware rarely changes Agent-based protection is simple Admins have access to servers Extra capacity for AV scans Virtual machines are dynamic Agent-based protection is impractical Admins may not access tenant VMs Hosts at capacity will slow with AV scans

3 Virtualized Environments are Never Secure
Security is more than just antivirus New Threats End users / tenants Portable storage devices Network attacks Unidentified Threats New signatures Time bomb / logic bomb Most datacenters are already infected

4 Security Threats for Hyper-V
Compute Denial of Memory or CPU Network Virus, Malware, Trojan Horses, Denial of Service Storage Data Breach or Loss, Denial of Data Web Denial of Service Active Persistent Threats Cross-Site Scripting (XSS), Man in Middle Virtualized infrastructure attacks “This class of threats called APT is so top of mind for each of us…we want to detect Advanced Persistent Threats and to be able to take action as an organization to isolate and protect ourselves.” - Satya Nadella, Microsoft CEO at Microsoft Ignite - May, 2015

5 How a Threat Reaches a VM
Hyper-V Virtual Machines VMs Virtual Network Adapters Virtual Switch Hyper-V Host Hyper-V Host Physical Network Adapter

6 Security using the Hyper-V Extensible Switch

7 Multiple Layers of Security
Host Protection Automatic Virtual Machine & Network Protection Virtual Firewall AV Detection on the Network AV Scan on the Disk Network Intrusion Detection Network Anomaly Analysis Logging extensible to Analytics Systems

8 Use Agentless Protection
Security agent installed on each Hyper-V host, not on VMs Minimizes excessive resource consumption and content, such as AV storms Simplifies Virtual Desktop Infrastructure (VDI) management No security component is required to run inside the VM Users never see security alerts Users never have to update signatures Users never have to runs security scans User can never disable security Users will not even notice that they are being protected Administrators no longer need access to every VM Centralized management, notifications, signature updates Ideal for service providers to ensure compliance and tenant privacy

9 Host Protection Many users run their entire infrastructure on Hyper-V, so protecting hosts are critical Host protection prevents the physical infrastructure from being attacked Physical NICs must be connected to the virtual infrastructure for 5nine Cloud Security to filter traffic Integrated multi-layered security in one package Virtual firewall Antivirus & antimalware Intrusion detection (IDS) Network analytics

10 Encrypt all Storage with BitLocker
6/24/2018 9:43 AM Encrypt all Storage with BitLocker BitLocker encrypted cluster disks Support for traditional failover disks Support for Cluster Shared Volumes Enables physical security for deployments outside of secure datacenters Branch office deployments Volume level encryption for compliance requirements Negligible (<1%) performance impact Microsoft Confidential

11 DHCP Guard, Router Guard, Monitor Port
DHCP Guard - a security feature that drops DHCP server messages from unauthorized virtual machines pretending to be DHCP servers. Router Guard - a security feature that drops Router Advertisement and Redirection messages from unauthorized virtual machines pretending to be routers. Monitor Mode - duplicates all egress and ingress traffic to/from one or more switch ports (being monitored) to another switch port (performing monitoring)

12 6/24/2018 Protect Customer Data Any seized or infected host administrators can access guest virtual machines Hardware-rooted technologies to separate the guest operating system from host administrators Virtual Secure Mode Process and Memory access protection from the host Host OS Customer Customer Virtual machine OS Data Workload Compute Storage Network Hypervisor Fabric Guest VM Guest VM Guarded fabric to identify legitimate hosts and certify them to run shielded tenant Generation 2 VMs Impossible to identify legitimate hosts without a hardware based verification Host Guardian Service Enabler to run Shielded Virtual Machines on a legitimate host in the fabric Trust the host Storage Virtualized trusted platform module (vTPM) support to encrypt virtual machines Tenants VMs are exposed to storage and network attacks while unencrypted Shielded VM Bitlocker enabled VM Hypervisor Hypervisor Fabric Fabric Host Guardian Service © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

13 Automatic & Immediate Protection
Many virtualized environment are dynamic Virtual machines Virtual disks Virtual networks Virtual switches Shared environments are never secure It is impossible to guarantee security using traditional “endpoint protection” Requires installation Slows deployment Complicates management

14 Centrally Manage Rules & Definitions
Use a recognized industry leader Antivirus / antimalware Intrusion detection Set up a local proxy for downloading updates so your hosts are not connected to the Internet ©2016 Snort and the Snort Pig are registered trademarks of Cisco. All rights reserved.

15 Guarantee Isolation & Resource Access
Isolation and privacy is critical in a cloud An admin should not access a tenant’s VM A VM cannot affect the host A VM cannot affect another VM Use Quality of Service (QoS) or throttling for memory, CPU, network & storage bandwidth Avoid Denial of <Resource> attacks

16 Protect All Virtual Networks
6/24/2018 Protect All Virtual Networks Traditional security protect traffic between hosts Does not protect traffic between VMs on the same host Threats can spread if one client becomes infected Virtual Network Types External Internal Private Network Security Appliance © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

17 Universal Virtual Firewall for all VMs
Intercept network traffic before it even gets to the VM Manage traffic at the network protocol level TCP, UDP, GRE, ICMP, IGMP, etc. Server Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 Windows Server 2008 R2 Home Server 2011 Small Business Server 2011 Windows Server 2003 Client Windows 10 Windows 8.1 Windows 8 Windows 7 Windows Vista Windows XP Linux & UNIX CentOS Debian FreeBSD Oracle Linux Red Hat RHEL SUSE Ubuntu

18 Active Detection of Incoming Threats
Immediately identify incoming threats Unencrypted traffic Based on protocol Automatically alert admins PowerShell Event Logs

19 Fast AV Scanning with No Performance Impact
Agent-based scanning causes “scanning storms” Decreases VM performance for all clients Reduces VM density on the hosts Optimized scans use Change Block Tracking (CBT) driver Scan only changed blocks on the disk Scan up to 70x faster

20 Automate Security Task Management
PowerShell support Task scheduling Enables scalability Ensures consistent SLAs Eliminates human error For tasks with high resource utilization, stagger the action to avoid performance impact

21 Inbound, Outbound & Internal Threat Protection
Security Management Server Public Internet Unusual Traffic Normal Traffic Hyper-V Hosts Database

22 Extensible to Analytics Platforms
Security Management Server Public Internet Cloud-Based Analytics Hyper-V Hosts On-Premises Analytics Database

23 Enterprise High-Availability for Security
6/24/2018 Enterprise High-Availability for Security Security Management Server / VM Management Console | PowerShell | Azure Pack | System Center Redundant Management Group Branch Office SQL Cluster Sync Hyper-V Hosts & Clusters SQL Server SQL Server SQL Server © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

24 System Center Integration
Centralized security management through System Center to protect Hyper-V Infrastructure and VMs Automatically apply security policies to guarantee immediate protection for hosts and virtual machines Accelerate and secure VM deployments with an agentless solution designed for Hyper-V Monitor the infrastructure with Operations Manager Scales to protect the largest enterprises running System Center and the Microsoft Cloud Platform

25 Azure Pack (WAP) Integration
Security as a Service (SECaaS) to protect your datacenter, your customers, and their clouds Generate new revenue by offering an higher security tier Meet the latest compliance and regulation requirements with multi-layered unified security Automatically and immediately secure your tenants with non-invasive protection Support more VMs and tenants on each host with the most efficient security solution for Hyper-V Simplify security management for tenants through on/off buttons Firewall, Network Detection & Intrusion Detection Preconfigure firewall templates for different VM roles

26 Meet Compliance & Regulation Requirements
Virtualization infrastructure has compliance and regulation standards Hackers and threats are targeting virtualized datacenters and clouds Meet expected compliance and regulation standards Meet customer’s guidelines to operate in new markets Increase your own potential customer base Tenants expect privacy and require nonintrusive management No requirement for anything to be installed inside the VM Makes deployment faster and more secure Security is centrally managed without requiring access to the VM Tenant does not need to run security maintenance tasks User and system change logging

27 Introducing 5nine Cloud Security 8.1
Ensure Security and Compliance for Your Hyper-V Infrastructures Introducing 5nine Cloud Security 8.1 Advanced protection for Hyper-V Server 2016, Windows Server 2016, and Server Core 2016   Increase protection through non-intrusive, agentless virus scans Save time and resources with faster synchronization, monitoring and notifications Detect threats faster using a simplified IDS analytics and alerts Streamline upgrades policy and PowerShell administration Ensure compliance and simplify reporting with enhanced logging Visit Booth #2067 or scan on exit Get your free 30-day trial

28 Summary Security for virtualization is different
Protect your datacenter with a virtual firewall, antivirus, antimalware, and intrusion detection system Use an agentless solution for Hyper-V, System Center Virtual Machine Manager, and Azure Pack Use centralized management and reporting with industry standard signatures for questions

29 Free IT Pro resources To advance your career in cloud technology
Microsoft Ignite 2016 6/24/2018 9:43 AM Free IT Pro resources To advance your career in cloud technology Plan your career path Microsoft IT Pro Career Center Cloud role mapping Expert advice on skills needed Self-paced curriculum by cloud role $300 Azure credits and extended trials Pluralsight 3 month subscription (10 courses) Phone support incident Weekly short videos and insights from Microsoft’s leaders and engineers Connect with community of peers and Microsoft experts Get started with Azure Microsoft IT Pro Cloud Essentials Demos and how-to videos Microsoft Mechanics Connect with peers and experts Microsoft Tech Community © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

30 Please evaluate this session
6/24/2018 9:43 AM Please evaluate this session Your feedback is important to us! From your PC or Tablet visit MyIgnite at From your phone download and use the Ignite Mobile App by scanning the QR code above or visiting © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

31 6/24/2018 9:43 AM © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Download ppt "Hack Hyper-V: How to Protect your Microsoft Private Cloud"

Similar presentations

Hyper-V Security Best Practices for Hosting, VDI and Service Providers Symon PerrimanAlex Karavanov VP, Business DevelopmentDirector of Solutions Engineering.

Hyper-V Security Best Practices for Hosting, VDI and Service Providers Symon PerrimanAlex Karavanov VP, Business DevelopmentDirector of Solutions Engineering.
Exchange Deployment Planning Services Exchange 2010 Complementary Products.

Exchange Deployment Planning Services Exchange 2010 Complementary Products.
Hyper-V Security TipsHyper-V Security Tips Fix the Gaps you Never Knew About Symon Thomas.

Hyper-V Security TipsHyper-V Security Tips Fix the Gaps you Never Knew About Symon Thomas.
Hyper-V Security TipsHyper-V Security Tips Fix the Gaps you Never Knew About Symon Thomas.

Hyper-V Security TipsHyper-V Security Tips Fix the Gaps you Never Knew About Symon Thomas.
Learn how the cloud is accelerating network transformation

Learn how the cloud is accelerating network transformation
Won Huh Product Marketing Manager

Won Huh Product Marketing Manager
Hybrid Management and Security

Hybrid Management and Security
Microsoft Virtual Academy

Microsoft Virtual Academy
Microsoft Ignite 2016 4/30/2018 9:28 PM BRK3174

Microsoft Ignite /30/2018 9:28 PM BRK3174
Transform yourself and build your IT cloud career path

Transform yourself and build your IT cloud career path
Microsoft Virtual Academy

Microsoft Virtual Academy
Secure Hyperconnectivity with TeamViewer and Windows technologies

Secure Hyperconnectivity with TeamViewer and Windows technologies
Examine information management in Cortana Intelligence

Examine information management in Cortana Intelligence
Enterprise Security in Practice

Enterprise Security in Practice
5/21/2018 9:40 PM BRK3021 Learn about modern infrastructure roles in RDS: Next generation Windows desktop & app virtualization Clark Nicholson - Principal.

5/21/2018 9:40 PM BRK3021 Learn about modern infrastructure roles in RDS: Next generation Windows desktop & app virtualization Clark Nicholson - Principal.
Develop, debug and deploy containerized applications with Docker

Develop, debug and deploy containerized applications with Docker
Hybrid Management and Security

Hybrid Management and Security
Microsoft 2016 6/2/2018 3:42 PM BRK3129 Query Big Data using the Expanded T-SQL footprint with PolyBase in SQL Server 2016 Casey Karst Program Manager.

Microsoft /2/2018 3:42 PM BRK3129 Query Big Data using the Expanded T-SQL footprint with PolyBase in SQL Server 2016 Casey Karst Program Manager.
Windows Server* 2016 & Intel® Technologies

Windows Server* 2016 & Intel® Technologies
Microsoft Virtual Academy

Microsoft Virtual Academy

Similar presentations

Ads by Google