Ever since Microsoft released Hyper-V, its flagship virtualization platform, security professionals have been left wondering whether Microsoft would ever catch up to its primary competitor, VMware. VMware has always had the edge in providing a more capable set of virtual networking controls, as well as more availability features and simpler integration with new and existing security products and technologies. With the pending release of Windows 8 Server and the new Hyper-V platform, has Microsoft decided to even the playing field with regard to security? In many ways, the answer could be “yes.” Let’s take a look at what the vendor added for
Windows Server 8 Hyper-V security: Upgraded virtual switch
The first addition to the new version of Hyper-V, and definitely the most significant for security, is a much more capable and powerful virtual switch. As the linchpin of any hypervisor’s networking capability, virtual switches need to be able to integrate natively into physical network environments, and ideally offer some of the same capabilities for monitoring and security control that enterprise physical switches do. Hyper-V’s previous virtual switch allowed admins to create virtual networks that connected to external (physical) networks, virtual machines (VMs) and the Hyper-V host, or just other VMs. The only real segmentation control available was native virtual LAN (VLAN) tagging.
With the Windows 8 virtual switch, Microsoft has extended a set of APIs and drivers that will allow simplified integration with network security vendor virtual appliances, and vendors can create Virtual Switch Extensions that integrate natively with Hyper-V. Cisco, for example, will fully support a Hyper-V version of its Nexus 1000v virtual switch.
The new virtual switch also offers a number of built-in security features. These include:
- Traffic monitoring and filtering: The new virtual switch will be able to monitor traffic using traditional port mirroring techniques, and can also filter traffic based on IP and MAC addresses. OpenFlow and sFlow support is natively built-in.
- ARP and neighbor discovery spoofing protection: Layer 2 spoofing and man-in-the-middle attacks that rely on ARP spoofing or neighbor discovery (IPv6) spoofing are mitigated within the new Hyper-V virtual switch, as it monitors MAC addresses and ports.
- DHCP Guard: The new switch will protect against malicious VMs acting as DHCP servers.
- Port ACLs: IP and MAC addresses can be used to control which VMs are able to communicate with others.
- Private VLANs: Additional layer 2 segmentation and isolation within existing VLAN segments.
In addition, administrators can now set up virtual switch ports as trunks, which allow traffic on multiple VLANs to traverse the port. For virtual appliances acting as intrusion detection sensors or traffic monitoring systems, this is a very important capability.
Purely from a network availability standpoint, the ability to team NICs together, with active-passive and failover policies, is a mandatory feature for any mission-critical virtualization services. Hyper-V has not had robust support for this feature in the past, and has finally introduced natively supported NIC teaming with multi-vendor NIC support.
Windows Server 8 Hyper-V security: Operational features
The new version of Hyper-V will support several operational features that are important to availability and security, as well. For example, built-in application and event log monitoring will be present for VMs, feeding this data to the Hyper-V hosts to quickly detect service failures and other problems. This service was primarily designed as an alternative to clustering (for applications and systems that do not support clusters), but there are certainly security benefits to this, including higher availability and automated remediation, such as restarting VMs and services. Admins can also create affinity rules, keeping certain VMs together when they are migrated from one host to another, which can also be leveraged for systems that have varying data sensitivity levels. For example, rules can dictate that VMs handling payment card data are never migrated to a cluster that’s out of scope for PCI DSS compliance.
Two additional features for Windows Server 8 and Hyper-V involve clustering. The first feature, which directly impacts confidentiality, is the ability to create BitLocker-encrypted Hyper-V cluster volumes. This will allow all cluster members to access virtual machines stored on volumes, with encryption in place to protect the volume should someone try to gain access to it illicitly. The second feature is cluster-aware patching, which should greatly simplify large-scale patching operations for Hyper-V hosts and improve security at the same time.
About the author:
Dave Shackleford is owner and principal consultant at Voodoo Security, senior vice president of research and CTO at IANS, and a SANS analyst, instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies. Dave is the co-author of Hands-On Information Security from Course Technology as well as the "Managing Incident Response" chapter in the Course Technology book Readings and Cases in the Management of Information Security. Recently, Dave co-authored the first published course on virtualization security for the SANS Institute. Dave currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.
This was first published in May 2012