February 22, 2013

Windows Server 2012 Hyper-V Security Features

The extensible switch includes protection against ARP poisoning (and its IPv6 equivalent, Neighbor Discovery poisoning) so that a malicious VM can't launch an ARP poisoning based man-in-the-middle attack against other VMs on the same switch. In such an attack, the attacking machine sends forged ARP replies that bind its own MAC address to IP addresses it doesn't own (typically the default gateway's), so that unsuspecting machines send their traffic to the attacker instead of to the intended destination. The protection is enforced per virtual port and relies on the switch knowing which MAC address legitimately belongs to that port, which is why it is tied to the MAC spoofing setting: to keep ARP poisoning protection, leave the Enable MAC address spoofing check box in its default clear state.

To make it easier to configure the extensible switch and its extensions, Microsoft provides PowerShell cmdlets. You can use these to create automated scripts for extensible switch configuration, monitoring, or troubleshooting.
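The two paragraphs above describe the settings and the cmdlets; the following PowerShell is an added example (not code from the original article) that enforces the anti-spoofing settings on one VM, adds a port ACL, and then audits the whole host for ports where the protection is off. The VM name "Tenant01", the switch name "Tenant-vSwitch" and the tenant subnet 10.10.20.0/24 are assumptions; substitute your own.

```powershell
# Added example, not from the original article. Assumes the Hyper-V PowerShell
# module, a VM named "Tenant01" attached to a switch named "Tenant-vSwitch",
# and a tenant subnet of 10.10.20.0/24 (all assumptions).
$vmName = 'Tenant01'

# 1. ARP/ND poisoning protection is in effect only while MAC spoofing is Off
#    (the default). Enforce that explicitly, and turn on DHCP Guard and
#    Router Guard so the VM cannot answer DHCP requests or advertise itself
#    as a router to its neighbours.
Get-VMNetworkAdapter -VMName $vmName |
    Set-VMNetworkAdapter -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On

# 2. Virtual port ACLs: allow only the tenant subnet and deny everything else.
#    Overlapping rules are resolved by longest prefix match, so the /24 allow
#    wins over the 0.0.0.0/0 deny. Add a matching ::/0 deny if the VM uses IPv6.
Add-VMNetworkAdapterAcl -VMName $vmName -RemoteIPAddress 10.10.20.0/24 -Direction Both -Action Allow
Add-VMNetworkAdapterAcl -VMName $vmName -RemoteIPAddress 0.0.0.0/0   -Direction Both -Action Deny

# 3. Audit: every VM adapter on this host where spoofing is allowed or a guard
#    is off. These are the ports from which ARP/ND poisoning or rogue
#    DHCP/router attacks against other VMs on the same switch are possible.
Get-VM | Get-VMNetworkAdapter |
    Where-Object { $_.MacAddressSpoofing -eq 'On' -or $_.DhcpGuard -eq 'Off' -or $_.RouterGuard -eq 'Off' } |
    Select-Object VMName, Name, SwitchName, MacAddressSpoofing, DhcpGuard, RouterGuard |
    Format-Table -AutoSize

# 4. Inventory the extensions loaded on the switch (capture, filtering,
#    forwarding), so you know exactly which third-party code sits in the
#    data path of every tenant VM.
Get-VMSwitchExtension -VMSwitchName 'Tenant-vSwitch' |
    Select-Object Name, Vendor, ExtensionType, Enabled, Running
```

Run step 3 on its own from a scheduled task if you want a standing check; an adapter with MacAddressSpoofing set to On is the common way the ARP poisoning protection gets silently disabled, usually because someone needed it for a nested virtualization or network load balancing scenario and never turned it back off.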

Simplified Delegation, BitLocker Extension

Hyper-V 3.0 supports simplified administrative delegation through the introduction of the Hyper-V Administrators local security group. Members of this new group have complete access to all Hyper-V features. Administrators should use this group to control access to Hyper-V, instead of adding users to the local Administrators group. The new group is also a partial replacement for the Windows Authorization Manager (AzMan), which was previously the only available solution for setting up administrative delegation in Hyper-V. Administrators can continue to use AzMan for delegation scenarios that need more granularity and that go beyond assigning the complete Hyper-V Administrator role.
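As an added example (not from the original article) of the delegation model just described, the following PowerShell adds a domain account to the Hyper-V Administrators group and then checks that the same account is not also a member of the local Administrators group, which would undo the point of delegating. The account name CONTOSO\vmoperator is an assumption.

```powershell
# Added example, not from the original article. Assumes a domain account
# CONTOSO\vmoperator that should manage VMs on this host without local admin
# rights (assumption). Run in an elevated PowerShell session on the Hyper-V host.
$account = 'CONTOSO\vmoperator'

# Server 2012 has no Add-LocalGroupMember cmdlet (that module arrived in later
# Windows releases), so the membership change is made with net.exe.
net localgroup 'Hyper-V Administrators' $account /add

# net localgroup lists members one per line, so the output array can be
# searched directly. Verify the account is now a Hyper-V administrator ...
$hvAdmins = net localgroup 'Hyper-V Administrators'
if ($hvAdmins -notcontains $account) {
    throw "$account was not added to Hyper-V Administrators"
}

# ... and is NOT also in local Administrators. A member there has full control
# of the host (and therefore of every VM on it), so the delegation is moot.
$localAdmins = net localgroup Administrators
if ($localAdmins -contains $account) {
    Write-Warning "$account is also a member of local Administrators; remove it with:"
    Write-Warning "  net localgroup Administrators '$account' /delete"
} else {
    Write-Output "$account is delegated through Hyper-V Administrators only."
}
```

Membership takes effect at the account's next logon. Remember that the group grants complete control of every VM on the host; if a tenant operator should see only some VMs, this group is the wrong tool and the finer-grained AzMan model mentioned above still applies.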

Finally, Server 2012 also lets you take advantage of the new BitLocker volume-level encryption features to protect the confidentiality of VM images (virtual disks and configuration files) that might be stored in less physically secure locations, such as a branch office. Server 2012 BitLocker has been extended to support the encryption of OS and data volumes on Windows failover cluster disks, including cluster shared volumes. Keep in mind that this protects the volume at rest: a stolen or improperly decommissioned disk is unreadable, but a running VM remains fully exposed to anyone with administrative rights on the host. See "BitLocker Changes in Windows 8" for more information.
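The cluster shared volume case is the one with the most steps, so here is an added example (not from the original article) of encrypting a CSV with PowerShell. The cluster disk name "Cluster Disk 1", its mount point C:\ClusterStorage\Volume1 and the cluster name object CONTOSO\HVCLUSTER$ are assumptions for your environment.

```powershell
# Added example, not from the original article. Assumes a failover cluster whose
# Cluster Name Object (computer account) is CONTOSO\HVCLUSTER$, a CSV resource
# named "Cluster Disk 1" mounted at C:\ClusterStorage\Volume1, and the BitLocker
# and FailoverClusters modules installed. Run on the node that owns the disk.
$csvResource = 'Cluster Disk 1'
$mountPoint  = 'C:\ClusterStorage\Volume1'
$clusterCNO  = 'CONTOSO\HVCLUSTER$'

# 1. Put the CSV into maintenance mode. VMs stored on it must be stopped or
#    moved to other storage first; the volume is offline to them while encrypting.
Get-ClusterSharedVolume -Name $csvResource | Suspend-ClusterResource

# 2. Turn on encryption with a recovery password. -UsedSpaceOnly is fine for a
#    new, empty volume; omit it for a volume that already holds VM images so that
#    previously written sectors are encrypted as well.
$vol = Enable-BitLocker -MountPoint $mountPoint -RecoveryPasswordProtector -UsedSpaceOnly

# Escrow the recovery password off the host (AD DS, a vault, printed copy). Do
# not leave it only on the cluster: if every node loses its protector, this
# 48-digit string is the only way back into the volume.
$recoveryPassword = ($vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword

# 3. Add the cluster's computer account as an AD account protector. This is what
#    lets any node unlock the volume automatically when it takes ownership after
#    a failover; without it the disk comes online locked on the new owner.
Add-BitLockerKeyProtector -MountPoint $mountPoint -ADAccountOrGroupProtector -ADAccountOrGroup $clusterCNO

# 4. Bring the CSV back and confirm protection is on and encryption is progressing.
Get-ClusterSharedVolume -Name $csvResource | Resume-ClusterResource
Get-BitLockerVolume -MountPoint $mountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

Encryption of a large, populated CSV runs in the background after the volume is resumed; check EncryptionPercentage until it reaches 100 before treating the volume as protected. The CNO protector also means that compromising the cluster computer account in AD is equivalent to holding the disk's key, so treat that account accordingly.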

Important vSphere Security Differentiators


The new security features are important differentiators when positioning Hyper-V against its close competitor, VMware vSphere. A good example is the new Hyper-V extensible switch. VMware also offers a virtual network switch, but it's available only in the high-end Enterprise Plus edition of vSphere, which obviously comes at an extra cost. The vSphere switch isn't open or extensible, nor does it come with some of the advanced security features (e.g., DHCP Guard, virtual port ACLs) of the Hyper-V switch. Such features can be added to vSphere only through the purchase of additional software, such as the App component of the VMware vCloud Networking and Security (vCNS) suite.

Similar observations can be made for the Hyper-V Network Virtualization feature. To obtain similar functionality in a vSphere environment, customers must call on the vCNS suite, which supports a technology known as VXLAN. VXLAN also requires the vSphere Distributed Switch (VDS), which comes only with the high-end edition of vSphere. (VMware is expected to ramp up in the SDN space soon, through its recent acquisition of Nicira.)

Powerful Flexibility


In summary, Hyper-V 3.0 comes with powerful new security features that also benefit the overall flexibility and manageability of Hyper-V based multi-tenant clouds. Now is the time to learn more about the new Hyper-V. Also make sure that you familiarize yourself with the new capabilities in VMM SP1, which is an indispensable tool for managing larger Hyper-V deployments.
