hyper-v security best practices for hosting, vdi and service providers symon perrimanalex karavanov...
Hyper-V Security Best Practices for Hosting, VDI and Service Providers
Symon Perriman, VP, Business Development, [email protected]
Alex Karavanov, Director of Solutions, [email protected]
5nine Software, Inc.
www.5nine.com
Twitter @5nine_Software
May 20th, 2015
Hyper-V Security Best Practices
• Introduction
• Security for Virtualization Admins
• Best Practices for Hyper-V
• Best Practices for Providers
• Summary
• Q&A
Introduction
Meet the Speakers
Symon Perriman is 5nine Software’s VP of Business Development and Marketing. Previously he was Microsoft's Senior Technical Evangelist and worldwide technical lead covering Hyper-V, Windows Server, and System Center. He has trained millions of IT Professionals, holds several patents and dozens of industry certifications, and in 2013 he co-authored "Introduction to System Center 2012 R2 for IT Professionals" (Microsoft Press).
Contact [email protected] or Twitter @SymonPerriman
Alex Karavanov manages 5nine Software’s Solutions Engineering team. He has been in the information security field for more than 10 years. Alex leads major 5nine Software management and security projects worldwide and aims to deliver the best efficiency and protection of virtual infrastructures, to achieve the highest system performance and security level. He also holds multiple industry certifications.
Contact [email protected] or Twitter @5nine_Software
Meet 5nine Software
• Founded in 2009
• Headquartered in Chicago with offices worldwide
• More than 50,000 customers globally, representing companies and datacenters of all sizes
• The #1 leading solutions provider of security & management applications for Hyper-V environments
– 5nine Cloud Security - Agentless security for Hyper-V, System Center and Azure Pack
– 5nine Manager - Integrated Hyper-V and Cluster Management for SMB
– 5nine V2V Easy Converter - Free VMware to Hyper-V virtual machine migration tool
• www.5nine.com
Security for Virtualization Admins
Security Threats for Hyper-V
• Compute
– Denial of Memory or CPU
• Network
– Virus, Malware, Trojan Horses, Denial of Service
• Storage
– Data Breach or Loss, Denial of Data
• Web
– Denial of Service
• Advanced Persistent Threats
– Cross-Site Scripting (XSS), Man-in-the-Middle
“This class of threats called APT is so top of mind for each of us…we want to detect Advanced Persistent Threats and to be able to take action as an organization to isolate and protect ourselves.”
- Satya Nadella, Microsoft CEO at Microsoft Ignite, May 4th 2015
Virtualized Environments are Never Secure
• New Threats
– End users / tenants
– Storage devices
– Network attacks
• Unidentified Threats
– New signatures
– Time bomb / logic bomb
• Most datacenters are already infected
Security Prevention Tools for Hyper-V
• Firewall
• Antivirus / Antimalware
• Network Traffic Filtering
• Intrusion Detection / Prevention
– Traffic Pattern Anomalies
– Unusual Endpoints
– Unusual Protocols
• Standard datacenter security practices are still recommended
– Physical security, BitLocker, VPN, Active Directory, etc.
• Security for virtualization and cloud is different
Best Practices for Hyper-V
Best Practice
Use an Agentless (Host-based) Solution
[Diagram labels: Hyper-V Virtual Machines, Virtual Network Adapters, Virtual Switch, Hyper-V Host, Physical Network Adapter]
Best Practice
Use a Solution Designed for Hyper-V
• KB 961804 – If your solution is not designed for Hyper-V, Microsoft recommends not scanning folders with VM configuration files, VHDs, replicated disks, snapshots and executables
Best Practice
Keep Security Signatures Updated
• Use antivirus / antimalware signatures from industry leaders
– Kaspersky Lab, ThreatTrack VIPRE, etc.
• Use intrusion detection rules from industry leaders
– Cisco Snort, etc.
• Use a centralized signature database to simplify updating
– Do not rely on users to keep endpoint security solutions updated
Best Practice
Use a Single Firewall Solution for all VMs
• Manage traffic at the network protocol level
– TCP, UDP, GRE, ICMP, IGMP, etc.
Hyper-V Guest OS List: aka.ms/HyperVGuestOS
Server
• Windows Server 2012 R2
• Windows Server 2012
• Windows Server 2008 R2
• Home Server 2011
• Small Business Server 2011
• Windows Server 2003
Client
• Windows 8.1
• Windows 8
• Windows 7
• Windows Vista
• Windows XP
Linux & UNIX
• CentOS
• Debian
• FreeBSD
• Oracle Linux
• Red Hat RHEL
• SUSE
• Ubuntu
Best Practice
Protect Virtual Networks and Avoid Appliances
• Physical appliances protect traffic between hosts
– Does not protect traffic between VMs on the same host
– Private VLAN routing is possible, but complex and decreases performance
• Virtual Networks
– External
– Internal
– Private
[Diagram label: Appliance]
Best Practice
Use Active Protection on the Network
• Immediately identify and alert on incoming threats
Best Practice
Use Intelligent Disk Scanning
• Agent-based scanning can cause “scanning storms”
– Decreases VM performance
– Lowers host density
– Triggers alerts
– Live migration traffic
• 5nine uses its proprietary Change Block Tracking driver
– Scan only changed blocks on disk
– Scan up to 70% faster
Best Practice
Schedule Repetitive Tasks
• Enables scalability
• Ensures consistent SLAs
• Eliminates human error
• For tasks with high resource utilization, stagger the action across the virtualized resources
DEMO: 5nine Cloud Security for Hyper-V
Best Practices for Providers
Best Practice
Automatically & Immediately Protect Everything
• It is impossible to guarantee security for VMs with endpoint protection
– Requires installation
– Slows deployment
• Cloud environments are dynamic
– Virtual machines
– Virtual disks
– Virtual networks
– Virtual switches
• Scripting allows advanced deployment options
Best Practice
Use an Enterprise Security Solution
• Security must be centralized
– System Center integration
• Security must be remote
– Branch office support
• Security must scale
– Software-based solution
• Security must be automatic
– PowerShell integration
• Security must not have a single point of failure
– Highly-available through clustering or redundancy, and runs inside a clustered VM
• Security must be easy for end-users
– Azure Pack integration
Best Practice – 5nine Cloud Security Architecture
[Architecture diagram labels: 5nine Cloud Security Management (5nine Console | 5nine PowerShell | Azure Pack Extension | SCVMM); 5nine Cloud Security Management Server / VM; Hyper-V Hosts; Hyper-V Cluster; Redundant Management Group; SQL Server; SQL Cluster; Branch Office; 5nine Sync]
Best Practice
Protect against Internal, Inbound & Outbound Threats
[Diagram labels: Hyper-V Hosts, Database or SQL Server, 5nine Cloud Security Management Server / VM, Public Internet]
[Charts: Normal Traffic; Unusual Traffic]
Best Practice
Log and Analyze Security Events
[Diagram labels: Hyper-V Hosts, Database or SQL Server, 5nine Cloud Security Management Server / VM, Public Internet, On-Premises Analytics (Syslog), Cloud-Based Analytics]
Best Practice
Do NOT Trust your Users
• The “public” is now using your resources
• Assume the user does not care about security
• Manage security for them
• Update signatures for them
• Ensure they cannot disable security
– Accidentally
– Purposely
– With a bad intention
• Centrally view all user actions
Best Practice
Isolate Everyone
• Isolation and privacy are critical in a cloud
– An admin cannot access a VM
– A VM cannot affect the host
– A VM cannot affect another VM
• Use Quality of Service (QoS) or throttling for memory, CPU, network & storage bandwidth
– Avoid denial-of-resource attacks
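One way to check and enforce the throttling described on this slide, as an added PowerShell example that is not part of the original deck or of 5nine's product. It uses the built-in Hyper-V module cmdlets; the function name `Invoke-VMCapAudit` and the cap values are assumptions chosen for illustration.

```powershell
#Requires -Modules Hyper-V
# Added example: report VMs on this host that run without resource caps and,
# with -Apply, set CPU, network and disk limits. Memory is reported only.

function Invoke-VMCapAudit {                       # hypothetical helper name
    param(
        [int]    $CpuMaxPercent    = 75,           # assumed cap: % of each virtual CPU
        [int64]  $NetMaxBitsPerSec = 500000000,    # assumed cap: 500 Mbps per virtual NIC
        [uint64] $DiskMaxIops      = 1000,         # assumed cap: IOPS per virtual disk
        [switch] $Apply                            # without -Apply nothing is changed
    )
    foreach ($vm in Get-VM) {
        $cpu = Get-VMProcessor -VM $vm
        $mem = Get-VMMemory -VM $vm

        # A maximum of 0 (or no bandwidth setting at all) means "unlimited".
        $uncappedNics = @(Get-VMNetworkAdapter -VM $vm | Where-Object {
            -not $_.BandwidthSetting -or $_.BandwidthSetting.MaximumBandwidth -eq 0 })
        $uncappedDisks = @(Get-VMHardDiskDrive -VM $vm | Where-Object {
            $_.MaximumIOPS -eq 0 })

        if ($Apply) {
            if ($cpu.Maximum -gt $CpuMaxPercent) {
                Set-VMProcessor -VM $vm -Maximum $CpuMaxPercent
            }
            $uncappedNics  | Set-VMNetworkAdapter -MaximumBandwidth $NetMaxBitsPerSec
            $uncappedDisks | Set-VMHardDiskDrive -MaximumIOPS $DiskMaxIops
        }

        # One row per VM, describing the state found before any change.
        [pscustomobject]@{
            VM            = $vm.Name
            CpuMaxPercent = $cpu.Maximum
            DynamicMemory = $mem.DynamicMemoryEnabled
            MemoryMaxGB   = [math]::Round($mem.Maximum / 1GB, 1)
            UncappedNics  = $uncappedNics.Count
            UncappedDisks = $uncappedDisks.Count
        }
    }
}

# Report only:      Invoke-VMCapAudit | Format-Table -AutoSize
# Report and apply: Invoke-VMCapAudit -Apply | Format-Table -AutoSize
```

Run it in an elevated session on the Hyper-V host; rows with a `CpuMaxPercent` of 100 or non-zero uncapped counts are the VMs that can still starve their neighbours.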
Best Practice
Offer Security as a Service (SECaaS)
• The Azure public cloud is not available to everyone
• Azure Pack allows you to run Azure-like services in your datacenter
• Differentiate your services by offering improved security
• Provide guided service selection to maximize monetization
• Simplify security through templates
DEMO: 5nine Cloud Security SCVMM Plugin & Azure Pack Extension
Summary
Best Practice
Maintain Compliance Requirements
• Virtualization & cloud security is different
– Regulators require it
– Customers expect it
– Hackers know how to exploit it
• Benefits
– Improved security for you and your customers
– Opportunity to differentiate and monetize on value-added services
• A single security breach can ruin your reputation…and business…
“Most partner solutions are nice to have. 5nine Cloud Security is the only must have”
- Alex Verkinderen (@AlexVerkinderen), Microsoft Hybrid Cloud Architect & MVP
How to Acquire 5nine Cloud Security
• www.5nine.com or [email protected]
• Cloud Security: http://www.5nine.com/CloudSecurity
• Licensing options
– Licensed per 2 CPUs
– Flexible pricing based on VM density
– Service provider licenses and volume discounts available
• Sales direct, online, or through resellers & solution integrators
Upcoming 5nine Webinars
• May 27 – Complete Hyper-Converged Infrastructure Solutions for SMBs– Presented with StarWind Software & xByte Technologies
• June – Scale & Secure Microsoft VDI on Hyper-V with Enterprise-Class Protection for Desktops
– Presented with Unidesk
• June - Introduction to Hyper-V Management for the VMware Admin
• June – [Russian Language] Hyper-V Security Tips
Visit www.5nine.com or join our mailing list to stay informed
Resources
• 5nine Cloud Security: http://www.5nine.com/CloudSecurity
• 5nine Cloud Security Features: http://www.5nine.com/5nine-security-for-hyper-v-product.aspx#features
• 5nine Cloud Security Azure Pack Extension: http://www.5nine.com/5nine-security-for-hyper-v-product.aspx#Azure
• 5nine Cloud Security SCVMM Plugin: http://www.5nine.com/5nine-security-for-hyper-v-product.aspx#scvmm
• Microsoft Virtual Academy: Azure Pack Partner Solutions (Module 10): http://www.microsoftvirtualacademy.com/training-courses/windows-azure-pack-partner-solutions
• Whitepaper: The Challenges of Securing Hosted Hyper-V Multi-Tenant Environments: http://www.5nine.com/Docs/Brien_Posey_Securing_Hosting_Hyper_Environment.pdf
Sales:
Phone US: +1 630-288-4700
Phone Europe: +44 (20) 7048-2021
Email: [email protected]
Technical Support:
Phone US/Canada Toll Free: +1 877-275-5232
Email: [email protected]
Fax: +1 732-203-1665
Mailing Address: 1385 Highway 35, STE 133, Middletown, NJ 07748 USA
5nine Software, Inc, Oak Brooke Pointe, 700 Commerce Drive Ste 500, Oak Brook, IL 60523
Copyright © 2015 | 5nine Software, Inc. | All Rights Reserved