Techinsights 2011 SEA – Security from the Ground up to the Cloud

Hello folks,

A few hours ago I finished my presentation in Techinsights 2011 South East Asia and here I left the slides for you. I hope you will enjoy it

Private Cloud Security via Forefront TMG 2010

Good evening everyone… I need to thank those of you who attended my session in Microsoft TechDays 2011 event called Security Blackbelt Day at Microsoft auditorium. I hope you enjoyed it and it was useful. I shared the slides so that you could use them:

Private Cloud Security via Forefront TMG 2010 [slideshare id=10008891&w=425&h=355&sc=no]


Security in Hyper-V

Hyper-V is Microsoft’s virtualization technology running on Windows Server 2008 R2 now and is largely being used in so many networks nowadays. Hyper-V could support so many different applications that even now Microsoft Forefront TMG 2010 can be run on it; so we can completely virtualize the edge of the network in a very efficient design. I have written three articles for virtualization of Forefront TMG 2010 and you can access them from the links below:

Deploying the network edge on a virtualized environment – Part 1

Deploying the network edge on a virtualized environment – Part 2

Deploying the network edge on a virtualized environment – Part 3

Once we run so many different applications and servers on different virtual machines, we come to wonder whether it is really secure or we are just putting all the servers running on Hyper-V at risk of being hacked? The answer is Yes, it is really secure provided that we implement a good design.

So as you know Hyper-V includes a parent partition which is basically our main Windows Server 2008 R2 (64-Bit) on which we have installed the Hyper-V role and this is where all the Hyper-V management toolset is installed and can be accessed.

And there is one or more child partitions on which we could install another operating system as our virtual machine and make it operational to give or maybe even receive any kind of services.

Now imagine that Hyper-V is on the edge of your network and there is a very high possibility that some bad guy would attack it. Now what if the bad guy did attack your server and because of some security bug that one of your applications had, your parent partition got hacked and he penetrated into your parent partition. Now what? He has access to all the other VMs through the Hyper-V manager and can make any kind of modification on the other child partitions and operating systems.

So the first step is to think of disconnecting the parent partition from the internet while still giving internet access to the virtual machines. Is it possible? Yes, it is.

So let’s say that you have a network adapters that is connected to the Interent. You simply right click on that NIC (Physical NIC) and go to the properties and follow the configuration that you see in the picture below:

Then you will open up your Virtual Network Manager and create a New Virtual Network and call it WAN and make it an External Connection type and in the drop down menu right below External, choose the NIC that is connected to the Internet (The one you just saw its properties above). The next thing you need to know is that you need to uncheck “Allow management operating system to share this network adapter”.

Now you are done and if you test the parent partition you will see it is disconnected from the Internet; here was how you can disconnect the parent VM from the Internet. Now if you have another child virtual VM and if you want to connect it to the Internet, what will you do? Do you think now that you disconnect the parent from the internet it is still possible to give the child internet access? Yes it is…

Let’s say the child is a TMG server that you want to give it Internet access and then connect the rest of the network to the Internet through TMG. On your Hyper-V network manager console, right click on the child VM with TMG and then click on the settings and then click on the Network Adapter on the right. Then on the top of the window, connect it to the WAN network:

Now if you test network connectivity on your TMG child VM, you can see that it is connected to the internet. On the TMG VM still you need to add another Network adapter and connect it to the LAN physical network interface, because you need the LAN users to see your TMG and then connect through it to the Internet.

Remember that on the Hyper-V server you still need to install a third network adapter for the management purposes and connect it physically to a management switch. So if you did install one, go to the Virtual Network Manager and create a new Virtual Network called Management and make it an External network and then add that new Network adapter as the chosen network adapter and this time check “Allow management operating system to share this network adapter” to let the management users access the parent VM through this interface.

I hope it was useful 

To get more information about my book click on the book below:


Best of luck

Deploying the network edge on a virtual environment – Part 3

Now that you have some background knowledge on the concept of a virtualized network edge, we will go a little bit deeper and in this post I will try to illustrate different scenarios where we put TMG in our network:

1- TMG as an Edge Firewall

An edge firewall is a firewall placed on the edge of the network connecting the LAN to the Internet and is capable of inspecting any traffic that enters or exits the network.

As it is shown in the illustration, we will install the TMG on a Guest VM on Hyper-V and will disconnect the parent OS from the internet.

We need to create two virtual NICs on the Guest VM. One of the virtual NICs is connected to the physical server’s NIC linked to the LAN and the other virtual NIC is connected to the physical server’s NIC linked to the Internet.

Notes: The connection between the virtual NIC and the physical NIC is established through a Virtual Switch on each side. So keep in mind that in this scenario we will need to have two virtual switches.

2- TMG as a Three-Legged Firewall

A three-legged firewall is a type of firewall that is connected to three different network segments namely LAN, DMZ (Perimeter Network) and the Internet.

As precisely depicted in the illustration, everything looks and is configured the same as when we had an edge TMG firewall with the only difference that we need to have a new and third Virtual NIC on the Guest VM running TMG which is connected to the DMZ section of the network.

There goes to scenario here:

  • The DMZ is on the same Hyper-V Server. In this case we are going to have a specific virtual switch for our DMZ section. This switch is connected to the TMG on one side and to the virtual NICs of the Guest VMs from the other side. This way we can have a link between the TMG and the Guest VMs which are placed in DMZ.
  • The DMZ is not on the same Hyper-V server and is on another server or servers. The picture below can describe things a little bit better. In this scenario we still have the DMZ virtual switch but this virtual switch is not straight connected to the other DMZ Guest VMs; instead it is connected to them through the physical NIC of the server.

Notes: I don’t explain more on this scenario to avoid confusion; because I believe the picture is clearly showing what I am trying to say.

3- TMG as a Back-to-Back Firewall

In this scenario we have two TMGs both installed on two different Guest VMs. One of them is playing the role ofa frontier firewall connected to the Internet through a Virtual Switch; and the other TMG is playing the role of aback-end firewall connected to the LAN through another Virtual Switch.

Both of these Guest VMs running TMG, from the other side, are connected to a DMZ Virtual Switch. This virtual switch is also connected to the other VMs in the DMZ.

Notes: Again like the previous scenario, the DMZ section could be either on the same Hyper-V Server or on another server or servers. It totally depends on your design.

Here I just talked about the design and not the configuration on the TMG and VMs. Basically there are a number of things that need to be configured correctly if you want to get these scenarios up and running. In the next and most probably the last post of this series, I will talk about the configuration with all the details.

Some months ago I also had a deep dive session in Microsoft Virtualization and Security Summit 2010 and it was on deploying TMG on a virtualized environment. Below you can see my presentation slides shared for your use.

You want to learn more about this topic? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:

To get more information about the book click on the book below:


Wish you all the best


Deploying the network edge on a virtual environment – Part 2

I would like to extend this discussion by talking about some of the concerns people might have when it comes to virtualization of the edge. There are a number of issues that might concern people that below is just a few:

-Software firewalls are less secure than firewall appliances (Hardware):

This is a totally wrong idea since on top of all those firewall appliances, there is always a software running using which the administrator is able to configure the firewall. The difference is that the appliance only comes in a box making it more expensive. So if you think you can set up a very good server with really efficient hardwares, then you could even get a better performance than an appliance.

-A more complicated infrastructure and therefore more difficult to manage:

Well, that is somehow true but you should bare in mind that the complication would also exist in a physical environment where you have no documentation about the configuration and of course the design. So keep in mind that for every implementation whether physical or virtual, documentation is the first approach to be taken.

-Windows is not secure enough to be placed on the edge:

While some might believe Windows Server is not secure enough to be on the network edge, I totally disagree since there has not been any serious security vulnerabilities to exploit on Windows Server (Especially 2008 R2) as in 2010 there were only 33 vulnerabilities found on this OS which none of them was called critical while Linux had over 179 vulnerabilities which many of them were found on its kernel making it so vulnerable to attacks. To support my opinion on the security of Windows below is three edge products by Microsoft installed on Windows Server with no vulnerabilities over years:

-Exchange Server 2010 Edge role

-Office Communication Server 2007 Edge Role

-ISA Server (It has had 10 years without any exploits)

Now that you have found relief about some of your concerns, we can talk about virtualizaiton of Forefront TMG 2010 which is to be done on Hyper-V on top of Windows Server 2008 R2.

When it comes to the implementation of an application, the first thing to think of is where to install it. On the Hyper-V, well the question is a bit more clear… Should I install it on the Guest OS or the parent OS?

The answer is the Guest OS will be where TMG must be installed. If you install it on the parent partition, then you have exposed you whole virtualized environment to the internet. Remember that the network edge is the part of your network more than the others exposed to the internet and therefore there is a higher possibility to go under attack. So we could say that if in any ways the the parent OS (With TMG) is compromised then the whole virtualized environment is going to be compromised.

Imagine a hacker having access to the Hyper-V console on the parent partition, you could guess what he would be capable of doing…

But if you install TMG on the Guest OS, just in case the server is hacked, only and only that Guest OS is compromised and not the whole virtual environment. That is why…

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book: 

To get more information about the book click on the book below:


Deploying the network edge on a virtual environment – Part 3

Deploying the network edge on a virtual environment – Part 1

It was a while I had not posted anything here until today I decided to write a two- or three-part article (I am not still sure how many parts it is going to be composed of) on virtualization of the edge using Microsoft technologies.

With a rapid growth in the area of virtualization, one might think of virtualizing parts of the network that seemed and of course still seems pretty critical in every environment. One of those parts is the edge of the network where the internet meets the LAN or at least the perimeter network.

There is always a high number of reasons behind taking the network infrastructure all on a virtual platform but specifically for the network edge, the reasons must be strong enough to assure security because this is the part of the network which is more than the others exposed to the outside (The internet so to speak) and therefor could be affected by a number of potential attacks.

Talking about reasons, helping the environment and of course developing more Green technologies would be the most common reason behind any virtualizaion solution but here for the edge below is the answers to all those WHYs:

-Faster disaster recovery: As a systems engineer I have seen it many times when the devices sitting at the edge of the network responsible for all kinds of NATing and routing happen to fail and shut down as a result of hacking attacks, DDoS attacks or simply for no reason. In such situations, the first thing to do will be recovery and of course if the infrastructure is a ll virtualized, it will only be a matter of restoring the old Virtual Hard Disk files (VHD) and then booting up the OS again. It’s really fast and efficient really well suiting the requirement of an edge solution.

-Increasing Complexity for hackers: Who wouldn’t like to create a very complex environment for a hacker who gets terribly confused even if he gets the chance to penetrate in. As an administrator or a systems engineer you would also get lost if you are not familiar with the whole infrastructure that you are dealing with and just in case you do not have the documentation (Which is a must for every virtualized environment) you will be like Alice in wonderland.

-A Cost-effective solution for small businesses: Not all the businesses have big data centers with hundreds of servers installed in the racks. There are businesses with only one or two servers and of course a number of applications. For such businesses, installing an edge application like ISA Server or Forefront TMG 2010 on a separate server is a huge cost since servers are not that cheap to afford. By taking TMG and of course other applications all virtual on one or two servers, there will be a great save in costs.

For the time being, I just wanted to clarify things over all the questions of WHY??? In the next parts I will more discuss different scenarios in detail. In our exercises we are going to make use of Forefornt TMG 2010 as the edge application running on Hyper-v in a Guest VM.

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book: 

To get more information about the book click on the book below:



Windows Virtual PC support for systems without hardware virtualization

Good news for those who have legacy processors which do not support hardware virtualization. A new update has been released by Microsoft letting you make use of Windows Virtual PC on computers without hardware virtualization capability. 

Something to keep in mind is that your computer must be running Windows 7 only in order to run Windows Virtual PC. One of the usages of Windows Virtual PC is for when we need to bring Windows XP application compatibility to our Windows 7 operating system. In this case we need to make use of a feature called Windows XP Mode which utilizes Windows Virtual PC. In the past such a support was not provided but now it has been out in the form of an update:
You can also read this really helpful article: