Introduction
There’s no shortage of Hyper-V security best practices made up of long lists of configurations to make. However, even if you spend hours making those configuration changes, there’s no guarantee you are secure or that your daily life, administering Hyper-V, will be any easier. Additionally, administering Hyper-V security across multiple hosts and tens, hundreds, or thousands of virtual machines requires specialized security tools. So what are the best tools to make your life as a Hyper-V admin easier and make your Hyper-V infrastructure more secure? There are a number of tools available but here are the 5 of the most useful and complementary tools available to implement and manage Hyper-V security:
#1 5nine Cloud Security
One of my “must-have” Hyper-V security tools is 5nine Cloud Security. Available in a commercial and free edition (with some limitations), 5nine cloud security is a comprehensive security tool for Hyper-V.
Use Case Scenario – Let’s say that you are a Hyper-V administrator who has virtualizing servers and desktops but is still running a traditional agent-based anti-virus solution. The agent-based approach is inefficient in a virtualized environment. With virtualization, agents are no longer needed and cause performance degradation on your expensive Hyper-V hosts. By implementing 5nine Cloud Security you could protect your hosts and virtual machine from. Additionally, 5nine Cloud Security provides network-level security for every virtual machine, administered from a centralized management console. Both of these things are challenging and inefficient to do with traditional agent-based anti-virus tools and physical firewall appliances.
Once implemented, 5nine Cloud Security provides you-
- Virtual firewall that can create secure multi-tenant environments and VM isolation made possible by integration into the Windows 20012 Hyper-V extensible switch
- Agentless anti-virus and anti-malware for all virtual machines running in the Hyper-V infrastructure utilizing an agentless design for efficiency and performance. 5nine Cloud Security provides you two different anti-virus engines to choose from – Kaspersky and ThreatTrack VIPRE (formerly GFI)
Figure 1
– so that you can select the anti-virus engine that you are most comfortable with
Figure 2
- Ability to enforce PCI-DSS, HIPPA, and Sarbanes-Oxley compliance
- Intrusion detection for Hyper-V virtual machines
- Centralized management for all functionality and an optional System Center VMM plugin
Here’s the 5nine Cloud Security centralized management console-
Figure 3: Graphic Thanks to 5nine.com
#2 Hyper-V Best Practices Analyzer
As mentioned above, best practices are great but implementing them across many hosts (and keeping them up to date) can be next to impossible. For that reason, you’ll be thankful to find the free Microsoft Hyper-V Best Practices Analyzer, or BPA. The Hyper-V BPA for Windows Server 2012 allows you to scan your hosts and ensure that all the best practices, as defined by veteran security experts, have been configured.
An even better alternative is to use 5nine Manager, which includes a centralized version of the best practices analyzer, such that you don’t have to run BPA on every host.
Use Case Scenario – Let’s say that you are bringing up your first Hyper-V infrastructure, you shouldn’t assume that the defaults are going to be the correct configuration as your infrastructure grows. As a Hyper-V administrator, you’ll want to ensure that all your Hyper-V hosts and virtual machines are optimally configured, both for efficient use of resources as well as to know that your Hyper-V infrastructure is secure.
For example, the BPA will search for issues such as:
- Hyper-V hosts that aren’t members of the domain
- VMs that don’t have Hyper-V integration services installed
- VMs that aren’t configured with the minimum amount of virtual memory
With Windows Server 2012 Hyper-V, there is no need to download BPA, it’s already part of the operating system. Assuming you have installed Hyper-V, you can access BPA from Server Manager. In the left-hand column select Hyper-V, then select the server on which you want to run the BPA. Scroll down and find the BPA section. Click Tasks and select Start BPA Scan.
Figure 4: Graphic Thanks to Microsoft.com
#3 Watchguard XCSv virtual appliance for Hyper-V
Another Hyper-V security solution is the WatGuard XCSv virtual appliance. The goal of XCSv is to prevent data loss from malicious attackers but it does this in a much different way than, let’s say, 5nine Cloud Security.
Use Case Scenario – every datacenter is connected to the Internet in some way so how are you going to secure your Hyper-V infrastructure (and entire network) from Internet-based threats? Hyper-V administrators should consider Watchguard XCSv as a potential solution for securing their inbound email from viruses, prevent outbound data loss, and control web-browsing, all from a single centralized console with no hardware to purchase.
XCSv provides you with-
- email security
- web security
- encryption
- policy-based administration
Here’s what the centralized management console looks like-
Figure 5: Graphic Thanks to WatchGuard.com
#4 Cisco Nexus 1000V
While not just for security purposes, the Cisco Nexus 1000V is an excellent virtual switch replacement for the Hyper-V infrastructure that also provides strong security controls. Ideal for companies that already use Cisco networking equipment and have Cisco networking administration knowledge the Nexus 1000V brings Cisco’s familiar IOS interface and feature set when administering the Hyper-V virtual network.
Use Case Scenario – when a virtual infrastructure is brought into the datacenter, network administrators lose visibility into and control over the new virtual network. With the Nexus 1000V in place, network and virtualization admins regain administration of and visibility into the Hyper-V virtual network. Even better for Cisco network admins, the Nexus 1000V provides them the familiar Cisco IOS interface and policy control when administering the Hyper-V virtual network.
The Nexus 1000V provides-
- Advanced switching with private VLANs, quality of service (QoS), and access control lists (ACL)
- Security features like DHCP snooping, dynamic ARP inspection, and IP source guard
- Network monitoring with switch port analyzer (SPAN) and remote SPAN (RSPAN)
- As well as SNMP, syslog, and the familiar Cisco IOS interface
Figure 6: Graphic Thanks to Cisco.com
#5 Free Security Analysis Tools
Lastly, besides the more comprehensive Hyper-V security tools above, there are tons of free Hyper-V administration tools – many of which are security related. GFI has a great list of 101 Free Hyper-V Tools here. Some of my favorites, as they relate to security are:
- NTFS permissions explorer
- Share Enumerator
- Wireshark
- RogueScanner
- Microsoft baseline security analyzer
Additionally, 5nine also offers their Cloud Security tool in a free edition, which still offers strong functionality.
Summary
Securing Windows Server can be a challenge. When you add 20+ other operating systems, running on top of your existing Windows server (as you would with Hyper-V), securing Windows Server becomes much more crucial (but no less complex or challenging). Because of this, you must ensure that you have the right tools in place to protect Hyper-V. I encourage you to consider each of these, very different, tools to ensure that you have the right tools in place to make your Hyper-V infrastructure as secure as possible.
