Hyper-V Security Best Practices for Hosting, VDI and Service Providers Symon PerrimanAlex Karavanov VP, Business DevelopmentDirector of Solutions Engineering 5nine Software, Inc th, 2015

Hyper-V Security Best Practices Introduction Security for Virtualization Admins Best Practices for Hyper-V Best Practices for Providers Summary Q&A

Introduction Hyper-V Security Best Practices for Hosting, VDI and Service Providers

Meet the Speakers Symon Perriman is 5nine Software’s VP of Business Development and Marketing. Previously he was Microsoft's Senior Technical Evangelist and worldwide technical lead covering Hyper-V, Windows Server, and System Center. He has trained millions of IT Professionals, holds several patents and dozens of industry certifications, and in 2013 he co-authored "Introduction to System Center 2012 R2 for IT Professionals" (Microsoft Press). Contact or Alex Karavanov manages 5nine Software’s Solutions Engineering team. He has been in information security field for more than 10 years. Alex leads major 5nine Software management and security projects worldwide and aims to deliver the best efficiency and protection of the virtual infrastructures, to achieve the highest system performance and security level. He also holds multiple industry certifications. Contact or

Meet 5nine Software Founded in 2009 Headquartered in Chicago with offices worldwide More than 50,000 customers globally, representing companies and datacenters of all sizes The #1 leading solutions provider of security & management applications for Hyper-V environments –5nine Cloud Security - Agentless security for Hyper-V, System Center and Azure Pack5nine Cloud Security –5nine Manager - Integrated Hyper-V and Cluster Management for SMB5nine Manager –5nine V2V Easy Converter - Free VMware to Hyper-V virtual machine migration tool5nine V2V Easy Converter

Security for Virtualization Admins Hyper-V Security Best Practices for Hosting, VDI and Service Providers

Security Threats for Hyper-V Compute Denial of Memory or CPU Network Virus, Malware, Trojan Horses, Denial of Service Storage Data Breach or Loss, Denial of Data Web Denial of Service Active Persistent Threats Cross-Site Scripting (XSS), Man in Middle “This class of threats called APT is so top of mind for each of us…we want to detect Advanced Persistent Threats and to be able to take action as an organization to isolate and protect ourselves.” - Satya Nadella, Microsoft CEO at Microsoft Ignite, May 4 th 2015

Virtualized Environments are Never Secure New Threats End users / tenants Storage devices Network attacks Unidentified Threats New signatures Time bomb / logic bomb Most datacenters are already infected

Security Prevention Tools for Hyper-V Firewall Antivirus / Antimalware Network Traffic Filtering Intrusion Detection / Prevention Traffic Pattern Anomalies Unusual Endpoints Unusual Protocols Standard datacenter security practices are still recommended Physical security, BitLocker, VPN, Active Directory, etc. Security for virtualization and cloud is different

Best Practices for Hyper-V Hyper-V Security Best Practices for Hosting, VDI and Service Providers

Best Practice Use an Agentless (Host-based) Solution

Best Practice Use a Solution Designed for Hyper-V KB – If your solution is not designed for Hyper-V, Microsoft recommended to not scan folders with VM configuration files, VHDs, replicated disks, snapshots and executables

Best Practice Keep Security Signatures Updated Use antivirus / antimalware signatures from industry leaders Kaspersky Lab, ThreatTrack VIPRE, etc. Use intrusion detection rules from industry leaders Cisco Snort, etc. Use a centralized signature database to simplify updating Do not rely on users to keep endpoint security solutions updated

Best Practice Use a Single Firewall Solution for all VMs Manage traffic at the network protocol level TCP, UDP, GRE, ICMP, IGMP, etc. Hyper-V Guest OS List: aka.ms/HyperVGuestOSaka.ms/HyperVGuestOS Server Windows Server 2012 R2 Windows Server 2012 Windows Server 2008 R2 Home Server 2011 Small Business Server 2011 Windows Server 2003 Client Windows 8.1 Windows 8 Windows 7 Windows Vista Windows XP Linux & UNIX CentOS Debian FreeBSD Oracle Linux Red Hat RHEL SUSE Ubuntu

Best Practice Protect Virtual Networks and Avoid Appliances Physical appliances protect traffic between hosts Does not protect traffic between VMs on the same host Private VLAN routing is possible, but complex and decreases performance Virtual Networks External Internal Private Appliance

Immediately identify and alert on incoming threats Best Practice Use a Active Protection on the Network

Best Practice Use Intelligent Disk Scanning Agent-based scanning can cause “scanning storms” Decreases VM performance Lowers host density Triggers alerts Live migration traffic 5nine uses its proprietary Change Block Tracking driver Scan only changed blocks on disk Scan up to 70% faster

Best Practice Schedule Repetitive Tasks Enables scalability Ensures consistent SLAs Eliminates human error For tasks with high resource utilization, stagger the action across the virtualized resources

DEMO 5nine Cloud Security for Hyper-V

Best Practices for Providers Hyper-V Security Best Practices for Hosting, VDI and Service Providers

It is impossible to guarantee security for VMs with endpoint protection Requires installation Slows deployment Cloud environments are dynamic Virtual machines Virtual disks Virtual networks Virtual switches Scripting allows advanced deployment options Best Practice Automatically & Immediately Protect Everything

Best Practice Use an Enterprise Security Solution Security must be centralized System Center integration Security must be remote Branch office support Security must scale Software-based solution Security must be automatic PowerShell integration Security must not have a single point of failure Highly-available through clustering or redundancy, and runs inside a clustered VM Security must be easy for end-users Azure Pack integration

Hyper-V Hosts SQL Server 5nine Cloud Security Management Server / VM Hyper-V Cluster Redundant Management Group SQL Server SQL Cluster Branch Office SQL Server 5nine Sync 5nine Cloud Security Management 5nine Console | 5nine PowerShell | Azure Pack Extension | SCVMM Best Practice – 5nine Cloud Security Architecture

Best Practice Protect against Internal, Inbound & Outbound Threats Hyper-V Hosts Database or SQL Server 5nine Cloud Security Management Server / VM Public Internet Normal Traffic Unusual Traffic

Best Practice Log and Analyze Security Events Hyper-V Hosts Database or SQL Server 5nine Cloud Security Management Server / VM Public Internet On-Premises Analytics (Syslog) Cloud-Based Analytics

Best Practice Do NOT Trust your Users The “public” is now using your resources Assume the user does not care about security Manage security for them Update signatures for them Ensure they cannot disable security Accidently Purposely With a bad intention Centrally view all user actions

Best Practice Isolate Everyone Isolation and privacy is critical in a cloud An admin cannot access a VMs A VM cannot affect the host A VM cannot affect another VM Use Quality of Service (QoS) or throttling for memory, CPU, network & storage bandwidth Avoid Denial of resource attacks

Best Practice Offer Security as a Service (SECaaS) The Azure public cloud is not available to everyone Azure Pack allows you to run Azure-like services in your datacenter Differentiate your services by offering improved security Provide guided service selection to maximize monetization Simply security through templates

DEMO 5nine Cloud Security SCVMM Plugin & Azure Pack Extension

Summary Hyper-V Security Best Practices for Hosting, VDI and Service Providers

Best Practice Maintain Compliance Requirements Virtualization & cloud security is different Regulators require it Customers expect it Hackers know how to exploit it Benefits Improved security for you and your customers Opportunity to differentiate and monetize on value-added services A single security breach can ruin your reputation…and business… “Most partner solutions are nice to have. 5nine Cloud Security is the only must have” -Alex Verkinderen Microsoft Hybrid Cloud Architect & MVP

or Cloud Security: Licensing options –Licensed per 2 CPUs –Flexible pricing based on VM density –Service provider licenses and volume discounts available Sales direct, online, or through resellers & solution integrators How to Acquire 5nine Cloud Security

Upcoming 5nine Webinars May 27 – Complete Hyper-Converged Infrastructure Solutions for SMBs –Presented with StarWind Software & xByte Technologies June – Scale & Secure Microsoft VDI on Hyper-V with Enterprise-Class Protection for Desktops –Presented with Unidesk June - Introduction to Hyper-V Management for the VMware Admin June – [Russian Language] Hyper-V Security Tips Visit or join our mailing list to stay informedwww.5nine.com

5nine Cloud Security: 5nine Cloud Security Features: 5nine Cloud Security Azure Pack Extension: 5nine Cloud Security SCVMM Plugin: Microsoft Virtual Academy: Azure Pack Partner Solutions (Module 10): Whitepaper: The Challenges of Securing Hosted Hyper-V Multi-Tenant Environments: Resources

Sales: Phone US: Phone Europe: +44 (20) Technical Support: Phone US/Canada Toll Free: Fax: Mailing Address: 1385 Highway 35, STE 133, Middletown, NJ USA 5nine Software, Inc Oak Brooke Pointe, 700 Commerce Drive Ste 500, Oak Brook, IL Copyright © 2015 | 5nine Software, Inc. | All Rights Reserved