Hyper-V Security Best Practices for Hosting, VDI and Service Providers

Symon Perriman, VP, Business Development ([email protected])
Alex Karavanov, Director of Solutions Engineering ([email protected])

5nine Software, Inc. | www.5nine.com | Twitter @5nine_Software
May 20th, 2015


Hyper-V Security Best Practices

• Introduction

• Security for Virtualization Admins

• Best Practices for Hyper-V

• Best Practices for Providers

• Summary

• Q&A


Introduction


Meet the Speakers

Symon Perriman is 5nine Software’s VP of Business Development and Marketing. Previously he was Microsoft's Senior Technical Evangelist and worldwide technical lead covering Hyper-V, Windows Server, and System Center. He has trained millions of IT Professionals, holds several patents and dozens of industry certifications, and in 2013 he co-authored "Introduction to System Center 2012 R2 for IT Professionals" (Microsoft Press).

Contact [email protected] or Twitter @SymonPerriman

Alex Karavanov manages 5nine Software’s Solutions Engineering team. He has been in the information security field for more than 10 years. Alex leads major 5nine Software management and security projects worldwide and aims to deliver the best efficiency and protection of virtual infrastructures, to achieve the highest system performance and security level. He also holds multiple industry certifications.

Contact [email protected] or Twitter @5nine_Software


Meet 5nine Software

• Founded in 2009

• Headquartered in Chicago with offices worldwide

• More than 50,000 customers globally, representing companies and datacenters of all sizes

• The #1 leading solutions provider of security & management applications for Hyper-V environments

– 5nine Cloud Security - Agentless security for Hyper-V, System Center and Azure Pack

– 5nine Manager - Integrated Hyper-V and Cluster Management for SMB

– 5nine V2V Easy Converter - Free VMware to Hyper-V virtual machine migration tool

• www.5nine.com


Security for Virtualization Admins


Security Threats for Hyper-V

• Compute
  – Denial of Memory or CPU
• Network
  – Virus, Malware, Trojan Horses, Denial of Service
• Storage
  – Data Breach or Loss, Denial of Data
• Web
  – Denial of Service
• Advanced Persistent Threats
  – Cross-Site Scripting (XSS), Man in the Middle

“This class of threats called APT is so top of mind for each of us…we want to detect Advanced Persistent Threats and to be able to take action as an organization to isolate and protect ourselves.”
- Satya Nadella, Microsoft CEO at Microsoft Ignite, May 4th 2015


Virtualized Environments are Never Secure

• New Threats
  – End users / tenants
  – Storage devices
  – Network attacks
• Unidentified Threats
  – New signatures
  – Time bomb / logic bomb
• Most datacenters are already infected


Security Prevention Tools for Hyper-V

• Firewall
• Antivirus / Antimalware
• Network Traffic Filtering
• Intrusion Detection / Prevention
  – Traffic Pattern Anomalies
  – Unusual Endpoints
  – Unusual Protocols
• Standard datacenter security practices are still recommended
  – Physical security, BitLocker, VPN, Active Directory, etc.
• Security for virtualization and cloud is different


Best Practices for Hyper-V


Best Practice

Use an Agentless (Host-based) Solution

[Diagram. Components shown: Hyper-V Virtual Machines; Virtual Network Adapters; Virtual Switch; Hyper-V Host; Physical Network Adapter]


Best Practice

Use a Solution Designed for Hyper-V

• KB 961804 – If your solution is not designed for Hyper-V, Microsoft recommends not scanning folders that contain VM configuration files, VHDs, replicated disks, snapshots and executables


Best Practice

Keep Security Signatures Updated

• Use antivirus / antimalware signatures from industry leaders
  – Kaspersky Lab, ThreatTrack VIPRE, etc.
• Use intrusion detection rules from industry leaders
  – Cisco Snort, etc.
• Use a centralized signature database to simplify updating
  – Do not rely on users to keep endpoint security solutions updated


Best Practice

Use a Single Firewall Solution for all VMs

• Manage traffic at the network protocol level
  – TCP, UDP, GRE, ICMP, IGMP, etc.

Hyper-V Guest OS List: aka.ms/HyperVGuestOS

Server
• Windows Server 2012 R2
• Windows Server 2012
• Windows Server 2008 R2
• Home Server 2011
• Small Business Server 2011
• Windows Server 2003

Client
• Windows 8.1
• Windows 8
• Windows 7
• Windows Vista
• Windows XP

Linux & UNIX
• CentOS
• Debian
• FreeBSD
• Oracle Linux
• Red Hat RHEL
• SUSE
• Ubuntu


Best Practice

Protect Virtual Networks and Avoid Appliances

• Physical appliances protect traffic between hosts
  – Does not protect traffic between VMs on the same host
  – Private VLAN routing is possible, but complex and decreases performance
• Virtual Networks
  – External
  – Internal
  – Private

Best Practice

Use Active Protection on the Network

• Immediately identify and alert on incoming threats


Best Practice

Use Intelligent Disk Scanning

• Agent-based scanning can cause “scanning storms”
  – Decreases VM performance
  – Lowers host density
  – Triggers alerts
  – Live migration traffic
• 5nine uses its proprietary Change Block Tracking driver
  – Scan only changed blocks on disk
  – Scan up to 70% faster


Best Practice

Schedule Repetitive Tasks

• Enables scalability
• Ensures consistent SLAs
• Eliminates human error
• For tasks with high resource utilization, stagger the action across the virtualized resources


DEMO: 5nine Cloud Security for Hyper-V


Best Practices for Providers


Best Practice

Automatically & Immediately Protect Everything

• It is impossible to guarantee security for VMs with endpoint protection
  – Requires installation
  – Slows deployment
• Cloud environments are dynamic
  – Virtual machines
  – Virtual disks
  – Virtual networks
  – Virtual switches
• Scripting allows advanced deployment options


Best Practice

Use an Enterprise Security Solution

• Security must be centralized
  – System Center integration
• Security must be remote
  – Branch office support
• Security must scale
  – Software-based solution
• Security must be automatic
  – PowerShell integration
• Security must not have a single point of failure
  – Highly-available through clustering or redundancy, and runs inside a clustered VM
• Security must be easy for end-users
  – Azure Pack integration


Best Practice – 5nine Cloud Security Architecture

[Architecture diagram. Components shown: Hyper-V Hosts; SQL Server; 5nine Cloud Security Management Server / VM; Hyper-V Cluster; Redundant Management Group; SQL Cluster; Branch Office; 5nine Sync; 5nine Cloud Security Management (5nine Console | 5nine PowerShell | Azure Pack Extension | SCVMM)]


Best Practice

Protect against Internal, Inbound & Outbound Threats

[Diagram. Components shown: Hyper-V Hosts; Database or SQL Server; 5nine Cloud Security Management Server / VM; Public Internet. Two charts, titled “Normal Traffic” and “Unusual Traffic”.]


Best Practice

Log and Analyze Security Events

[Diagram. Components shown: Hyper-V Hosts; Database or SQL Server; 5nine Cloud Security Management Server / VM; Public Internet; On-Premises Analytics (Syslog); Cloud-Based Analytics]


Best Practice

Do NOT Trust your Users

• The “public” is now using your resources
• Assume the user does not care about security
• Manage security for them
• Update signatures for them
• Ensure they cannot disable security
  – Accidentally
  – Purposely
  – With a bad intention
• Centrally view all user actions


Best Practice

Isolate Everyone

• Isolation and privacy are critical in a cloud
  – An admin cannot access a VM
  – A VM cannot affect the host
  – A VM cannot affect another VM
• Use Quality of Service (QoS) or throttling for memory, CPU, network & storage bandwidth
  – Avoid denial-of-resource attacks
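The QoS and throttling recommendation above, sketched with the Hyper-V PowerShell module as an added example (not from the presentation or from 5nine). The function name `Set-TenantVmLimit`, the VM name `Tenant01-Web` and every limit value are assumptions chosen for illustration.

```powershell
#Requires -Modules Hyper-V
# Added example: cap one tenant VM's CPU, network and disk use on the host.
# Function name, VM name and all limits are illustrative assumptions.
function Set-TenantVmLimit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [ValidateRange(1, 100)] [int] $CpuMaxPercent = 50,
        [long] $NetMaxBitsPerSec = 200000000,   # 200 Mbit/s
        [long] $DiskMaxIops = 500,              # normalized IOPS per virtual disk
        [long] $MemoryMaxBytes = 4GB
    )

    if ($PSCmdlet.ShouldProcess($VMName, 'Apply CPU, network and storage caps')) {
        # CPU: maximum percentage of processor resources the VM may consume.
        Set-VMProcessor -VMName $VMName -Maximum $CpuMaxPercent

        # Network: cap every virtual NIC (value is in bits per second).
        Get-VMNetworkAdapter -VMName $VMName |
            Set-VMNetworkAdapter -MaximumBandwidth $NetMaxBitsPerSec

        # Storage QoS: cap every virtual hard disk (Windows Server 2012 R2 or later).
        Get-VMHardDiskDrive -VMName $VMName |
            Set-VMHardDiskDrive -MaximumIOPS $DiskMaxIops
    }

    # Memory: the dynamic memory maximum cannot be lowered while the VM runs,
    # so this example only flags a VM whose ceiling is above the intended cap.
    $mem = Get-VMMemory -VMName $VMName
    if ($mem.DynamicMemoryEnabled -and $mem.Maximum -gt $MemoryMaxBytes) {
        Write-Warning "$VMName dynamic memory maximum ($($mem.Maximum) bytes) exceeds $MemoryMaxBytes bytes"
    }

    # Read the settings back so the result can be logged or compared later.
    [pscustomobject]@{
        VMName         = $VMName
        CpuMaxPercent  = (Get-VMProcessor -VMName $VMName).Maximum
        NicMaxBps      = @((Get-VMNetworkAdapter -VMName $VMName).BandwidthSetting.MaximumBandwidth)
        DiskMaxIops    = @((Get-VMHardDiskDrive -VMName $VMName).MaximumIOPS)
        DynamicMemory  = $mem.DynamicMemoryEnabled
        MemoryMaxBytes = $mem.Maximum
    }
}

# Preview the change for a placeholder VM, then apply it.
Set-TenantVmLimit -VMName 'Tenant01-Web' -WhatIf
Set-TenantVmLimit -VMName 'Tenant01-Web'
```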


Best Practice

Offer Security as a Service (SECaaS)

• The Azure public cloud is not available to everyone
  – Azure Pack allows you to run Azure-like services in your datacenter
• Differentiate your services by offering improved security
  – Provide guided service selection to maximize monetization
  – Simplify security through templates


DEMO: 5nine Cloud Security SCVMM Plugin & Azure Pack Extension


Summary


Best Practice

Maintain Compliance Requirements

• Virtualization & cloud security is different
  – Regulators require it
  – Customers expect it
  – Hackers know how to exploit it
• Benefits
  – Improved security for you and your customers
  – Opportunity to differentiate and monetize on value-added services
• A single security breach can ruin your reputation…and business…

“Most partner solutions are nice to have. 5nine Cloud Security is the only must have”
- Alex Verkinderen (@AlexVerkinderen), Microsoft Hybrid Cloud Architect & MVP

How to Acquire 5nine Cloud Security

• www.5nine.com or [email protected]

• Cloud Security: http://www.5nine.com/CloudSecurity

• Licensing options
  – Licensed per 2 CPUs
  – Flexible pricing based on VM density
  – Service provider licenses and volume discounts available

• Sales direct, online, or through resellers & solution integrators


Upcoming 5nine Webinars

• May 27 – Complete Hyper-Converged Infrastructure Solutions for SMBs

– Presented with StarWind Software & xByte Technologies

• June – Scale & Secure Microsoft VDI on Hyper-V with Enterprise-Class Protection for Desktops

– Presented with Unidesk

• June - Introduction to Hyper-V Management for the VMware Admin

• June – [Russian Language] Hyper-V Security Tips

Visit www.5nine.com or join our mailing list to stay informed

Resources

• 5nine Cloud Security: http://www.5nine.com/CloudSecurity

• 5nine Cloud Security Features: http://www.5nine.com/5nine-security-for-hyper-v-product.aspx#features

• 5nine Cloud Security Azure Pack Extension: http://www.5nine.com/5nine-security-for-hyper-v-product.aspx#Azure

• 5nine Cloud Security SCVMM Plugin: http://www.5nine.com/5nine-security-for-hyper-v-product.aspx#scvmm

• Microsoft Virtual Academy: Azure Pack Partner Solutions (Module 10): http://www.microsoftvirtualacademy.com/training-courses/windows-azure-pack-partner-solutions

• Whitepaper: The Challenges of Securing Hosted Hyper-V Multi-Tenant Environments: http://www.5nine.com/Docs/Brien_Posey_Securing_Hosting_Hyper_Environment.pdf


Sales:
Phone US: +1 630-288-4700
Phone Europe: +44 (20) 7048-2021
Email: [email protected]

Technical Support:
Phone US/Canada Toll Free: +1 877-275-5232
Email: [email protected]

Fax: +1 732-203-1665

Mailing Address:
1385 Highway 35, STE 133, Middletown, NJ 07748 USA

5nine Software, Inc
Oak Brooke Pointe, 700 Commerce Drive Ste 500, Oak Brook, IL 60523

Copyright © 2015 | 5nine Software, Inc. | All Rights Reserved