5nine Anti-Virus and Virtual Firewall for Hyper-V

When it comes to cloud security, as I have mentioned before many times in my blog posts and presentations, it is not always the physical servers that need to be protected against the outside attacks but attacks from the inside have also become very critical. With all those different layers of security such as firewalls, IDS and IPS systems protecting the environment from those outside attacks, attackers are now thinking of attacking from the inside by only having a minimum needed access to some resources inside the cloud infrastructure.

This minimum access is usually and most of the time access to a virtual machine whereby the attacker can settle down and try to escalate his/her privilege. In order to secure the access between the virtual machines and to stop the hackers from accessing resources inside a VM from another VM, we need to make use of a firewall system to control the flow of traffic between the VMs. Before I go on with introducing a solution for that, it needs to be mentioned that there are already two ways to stop this kind of attack. The first thing is that there is a number of different filters built inside the Hypervisor in Microsoft Hyper-V and since the Hypervisor mediates access between the VMs, most of the attacks will be prevented. The other thing that is put inside Hyper-V is the use of VLANs and of course this is up to the designer to choose how he/she would make use of them to filter the traffic between different VMs throught the use of VLANs and virtual switches in Hyper-V.

But the one which this article is going to be about is 5nine Security Manager software which is an ant-virus and virtual firewall that helps us to be immune against this kind of attack. It provides a lot of different features:

  • Controls Network Traffic – Using simple PowerShell API/scripts or the management application, we can control the flow of the traffic between the VMs and also between the VMs and the external network.
  • Security Heartbeat Service – It’s a special kind of service that checks whether the rules are being enforced and if it feels like a VM for instance is compromised, it will stop the VM.
  • Anti-Virus and Anti-Malware protection – This type of scan is well-managed that never lets any type of performance degradation occur.
  • Bandwidth Throttling – It also includes a VM bandwidth shaper.
  • Stateful Packet Inspection.
  • Deployment options – 5nine Virtual Firewall can be used with Microsoft System Center Virtual Machine Manager to be deployed on the physical machine before any of the VMs are placed on the physical machine.
  • Compliance Audits – It makes the admin able to monitor and audit the network traffic flowing between the VMs any time.

In this post I tried to have an overview on this really good software and soon I will try to have a deeper dive into it.

For the time being, here is the website to have a close look at.

Cheers

Techinsights 2011 SEA – Security from the Ground up to the Cloud

Hello folks,

A few hours ago I finished my presentation in Techinsights 2011 South East Asia and here I left the slides for you. I hope you will enjoy it

Private Cloud Security via Forefront TMG 2010

Good evening everyone… I need to thank those of you who attended my session in Microsoft TechDays 2011 event called Security Blackbelt Day at Microsoft auditorium. I hope you enjoyed it and it was useful. I shared the slides so that you could use them:

Private Cloud Security via Forefront TMG 2010 [slideshare id=10008891&w=425&h=355&sc=no]

Cheers

Security in Hyper-V

Hyper-V is Microsoft’s virtualization technology running on Windows Server 2008 R2 now and is largely being used in so many networks nowadays. Hyper-V could support so many different applications that even now Microsoft Forefront TMG 2010 can be run on it; so we can completely virtualize the edge of the network in a very efficient design. I have written three articles for virtualization of Forefront TMG 2010 and you can access them from the links below:

Deploying the network edge on a virtualized environment – Part 1

Deploying the network edge on a virtualized environment – Part 2

Deploying the network edge on a virtualized environment – Part 3

Once we run so many different applications and servers on different virtual machines, we come to wonder whether it is really secure or we are just putting all the servers running on Hyper-V at risk of being hacked? The answer is Yes, it is really secure provided that we implement a good design.

So as you know Hyper-V includes a parent partition which is basically our main Windows Server 2008 R2 (64-Bit) on which we have installed the Hyper-V role and this is where all the Hyper-V management toolset is installed and can be accessed.

And there is one or more child partitions on which we could install another operating system as our virtual machine and make it operational to give or maybe even receive any kind of services.

Now imagine that Hyper-V is on the edge of your network and there is a very high possibility that some bad guy would attack it. Now what if the bad guy did attack your server and because of some security bug that one of your applications had, your parent partition got hacked and he penetrated into your parent partition. Now what? He has access to all the other VMs through the Hyper-V manager and can make any kind of modification on the other child partitions and operating systems.

So the first step is to think of disconnecting the parent partition from the internet while still giving internet access to the virtual machines. Is it possible? Yes, it is.

So let’s say that you have a network adapters that is connected to the Interent. You simply right click on that NIC (Physical NIC) and go to the properties and follow the configuration that you see in the picture below:

Then you will open up your Virtual Network Manager and create a New Virtual Network and call it WAN and make it an External Connection type and in the drop down menu right below External, choose the NIC that is connected to the Internet (The one you just saw its properties above). The next thing you need to know is that you need to uncheck “Allow management operating system to share this network adapter”.

Now you are done and if you test the parent partition you will see it is disconnected from the Internet; here was how you can disconnect the parent VM from the Internet. Now if you have another child virtual VM and if you want to connect it to the Internet, what will you do? Do you think now that you disconnect the parent from the internet it is still possible to give the child internet access? Yes it is…

Let’s say the child is a TMG server that you want to give it Internet access and then connect the rest of the network to the Internet through TMG. On your Hyper-V network manager console, right click on the child VM with TMG and then click on the settings and then click on the Network Adapter on the right. Then on the top of the window, connect it to the WAN network:

Now if you test network connectivity on your TMG child VM, you can see that it is connected to the internet. On the TMG VM still you need to add another Network adapter and connect it to the LAN physical network interface, because you need the LAN users to see your TMG and then connect through it to the Internet.

Remember that on the Hyper-V server you still need to install a third network adapter for the management purposes and connect it physically to a management switch. So if you did install one, go to the Virtual Network Manager and create a new Virtual Network called Management and make it an External network and then add that new Network adapter as the chosen network adapter and this time check “Allow management operating system to share this network adapter” to let the management users access the parent VM through this interface.

I hope it was useful 

To get more information about my book click on the book below:

1

Best of luck

Deploying the network edge on a virtual environment – Part 3

Now that you have some background knowledge on the concept of a virtualized network edge, we will go a little bit deeper and in this post I will try to illustrate different scenarios where we put TMG in our network:

1- TMG as an Edge Firewall

An edge firewall is a firewall placed on the edge of the network connecting the LAN to the Internet and is capable of inspecting any traffic that enters or exits the network.

As it is shown in the illustration, we will install the TMG on a Guest VM on Hyper-V and will disconnect the parent OS from the internet.

We need to create two virtual NICs on the Guest VM. One of the virtual NICs is connected to the physical server’s NIC linked to the LAN and the other virtual NIC is connected to the physical server’s NIC linked to the Internet.

Notes: The connection between the virtual NIC and the physical NIC is established through a Virtual Switch on each side. So keep in mind that in this scenario we will need to have two virtual switches.

2- TMG as a Three-Legged Firewall

A three-legged firewall is a type of firewall that is connected to three different network segments namely LAN, DMZ (Perimeter Network) and the Internet.

As precisely depicted in the illustration, everything looks and is configured the same as when we had an edge TMG firewall with the only difference that we need to have a new and third Virtual NIC on the Guest VM running TMG which is connected to the DMZ section of the network.

There goes to scenario here:

  • The DMZ is on the same Hyper-V Server. In this case we are going to have a specific virtual switch for our DMZ section. This switch is connected to the TMG on one side and to the virtual NICs of the Guest VMs from the other side. This way we can have a link between the TMG and the Guest VMs which are placed in DMZ.
  • The DMZ is not on the same Hyper-V server and is on another server or servers. The picture below can describe things a little bit better. In this scenario we still have the DMZ virtual switch but this virtual switch is not straight connected to the other DMZ Guest VMs; instead it is connected to them through the physical NIC of the server.

Notes: I don’t explain more on this scenario to avoid confusion; because I believe the picture is clearly showing what I am trying to say.

3- TMG as a Back-to-Back Firewall

In this scenario we have two TMGs both installed on two different Guest VMs. One of them is playing the role ofa frontier firewall connected to the Internet through a Virtual Switch; and the other TMG is playing the role of aback-end firewall connected to the LAN through another Virtual Switch.

Both of these Guest VMs running TMG, from the other side, are connected to a DMZ Virtual Switch. This virtual switch is also connected to the other VMs in the DMZ.

Notes: Again like the previous scenario, the DMZ section could be either on the same Hyper-V Server or on another server or servers. It totally depends on your design.

Here I just talked about the design and not the configuration on the TMG and VMs. Basically there are a number of things that need to be configured correctly if you want to get these scenarios up and running. In the next and most probably the last post of this series, I will talk about the configuration with all the details.

Some months ago I also had a deep dive session in Microsoft Virtualization and Security Summit 2010 and it was on deploying TMG on a virtualized environment. Below you can see my presentation slides shared for your use.

You want to learn more about this topic? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:

To get more information about the book click on the book below:

1

Wish you all the best

Cheers

Deploying the network edge on a virtual environment – Part 2

I would like to extend this discussion by talking about some of the concerns people might have when it comes to virtualization of the edge. There are a number of issues that might concern people that below is just a few:

-Software firewalls are less secure than firewall appliances (Hardware):

This is a totally wrong idea since on top of all those firewall appliances, there is always a software running using which the administrator is able to configure the firewall. The difference is that the appliance only comes in a box making it more expensive. So if you think you can set up a very good server with really efficient hardwares, then you could even get a better performance than an appliance.

-A more complicated infrastructure and therefore more difficult to manage:

Well, that is somehow true but you should bare in mind that the complication would also exist in a physical environment where you have no documentation about the configuration and of course the design. So keep in mind that for every implementation whether physical or virtual, documentation is the first approach to be taken.

-Windows is not secure enough to be placed on the edge:

While some might believe Windows Server is not secure enough to be on the network edge, I totally disagree since there has not been any serious security vulnerabilities to exploit on Windows Server (Especially 2008 R2) as in 2010 there were only 33 vulnerabilities found on this OS which none of them was called critical while Linux had over 179 vulnerabilities which many of them were found on its kernel making it so vulnerable to attacks. To support my opinion on the security of Windows below is three edge products by Microsoft installed on Windows Server with no vulnerabilities over years:

-Exchange Server 2010 Edge role

-Office Communication Server 2007 Edge Role

-ISA Server (It has had 10 years without any exploits)

Now that you have found relief about some of your concerns, we can talk about virtualizaiton of Forefront TMG 2010 which is to be done on Hyper-V on top of Windows Server 2008 R2.

When it comes to the implementation of an application, the first thing to think of is where to install it. On the Hyper-V, well the question is a bit more clear… Should I install it on the Guest OS or the parent OS?

The answer is the Guest OS will be where TMG must be installed. If you install it on the parent partition, then you have exposed you whole virtualized environment to the internet. Remember that the network edge is the part of your network more than the others exposed to the internet and therefore there is a higher possibility to go under attack. So we could say that if in any ways the the parent OS (With TMG) is compromised then the whole virtualized environment is going to be compromised.

Imagine a hacker having access to the Hyper-V console on the parent partition, you could guess what he would be capable of doing…

But if you install TMG on the Guest OS, just in case the server is hacked, only and only that Guest OS is compromised and not the whole virtual environment. That is why…

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book: 

To get more information about the book click on the book below:

1

Deploying the network edge on a virtual environment – Part 3

Deploying the network edge on a virtual environment – Part 1

It was a while I had not posted anything here until today I decided to write a two- or three-part article (I am not still sure how many parts it is going to be composed of) on virtualization of the edge using Microsoft technologies.

With a rapid growth in the area of virtualization, one might think of virtualizing parts of the network that seemed and of course still seems pretty critical in every environment. One of those parts is the edge of the network where the internet meets the LAN or at least the perimeter network.

There is always a high number of reasons behind taking the network infrastructure all on a virtual platform but specifically for the network edge, the reasons must be strong enough to assure security because this is the part of the network which is more than the others exposed to the outside (The internet so to speak) and therefor could be affected by a number of potential attacks.

Talking about reasons, helping the environment and of course developing more Green technologies would be the most common reason behind any virtualizaion solution but here for the edge below is the answers to all those WHYs:

-Faster disaster recovery: As a systems engineer I have seen it many times when the devices sitting at the edge of the network responsible for all kinds of NATing and routing happen to fail and shut down as a result of hacking attacks, DDoS attacks or simply for no reason. In such situations, the first thing to do will be recovery and of course if the infrastructure is a ll virtualized, it will only be a matter of restoring the old Virtual Hard Disk files (VHD) and then booting up the OS again. It’s really fast and efficient really well suiting the requirement of an edge solution.

-Increasing Complexity for hackers: Who wouldn’t like to create a very complex environment for a hacker who gets terribly confused even if he gets the chance to penetrate in. As an administrator or a systems engineer you would also get lost if you are not familiar with the whole infrastructure that you are dealing with and just in case you do not have the documentation (Which is a must for every virtualized environment) you will be like Alice in wonderland.

-A Cost-effective solution for small businesses: Not all the businesses have big data centers with hundreds of servers installed in the racks. There are businesses with only one or two servers and of course a number of applications. For such businesses, installing an edge application like ISA Server or Forefront TMG 2010 on a separate server is a huge cost since servers are not that cheap to afford. By taking TMG and of course other applications all virtual on one or two servers, there will be a great save in costs.

For the time being, I just wanted to clarify things over all the questions of WHY??? In the next parts I will more discuss different scenarios in detail. In our exercises we are going to make use of Forefornt TMG 2010 as the edge application running on Hyper-v in a Guest VM.

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book: 

To get more information about the book click on the book below:

1

Cheers

Security in the cloud

A few weeks ago I shared a link on my blog about Steve Ballmer’s speech on cloud computing and how it really works. Cloud computing in terms is referred to all kinds of services provided online on the internet. To make things clearer, cloud computing is a way to make data always accessible for anyone to use at any time. Such a technology brings a lot of convenienve and a really fast access to the data using the services in the cloud. For instance imagine that you could have your Microsoft office tools available whereever you would need it on any computer whether with or without the real office installed.
With this rapid growth of cloud computing and different companies having their own clouds with their services available and ready to give services on it, who knows maybe on day all the services would go online and working offline had no meaning to anyone. We have to wait and see how fast the technology is going…
When it comes to the reliabiliy of the services provided in the cloud, one of the first things that comes to everyone’s mind is security and how the companies providing such online services are approaching security. There are many items that could be listed here but to be brief I’d like to mention a few of them:
Trusting the cloud: This is probably the most fundamental concept of security which is very hard to gain. Trusting the company and therefore trusting their cloud and its services is definitely crucial because you are putting all your information up there and you must make sure that the company is trustworthy to keep all those provate information. This type of trust also comes from the level of popularity of a company. Let’s say if www.microsoft.com is providing services online, then the name is well-known to anyone and there will be no more question.
-Availability of the cloud: Basically this concept is more related to the availability than security, but the first step to secure your data is to have the servers available all the time. This is something not many companies pay a lot of attention to and also clients do not question the companies about the availability of their services. It has happned in the real world that a little bit of interruption in service provision has caused loss of thousands of dollars.
-Identity in the cloud: Whoever using the cloud has his identity and is known to the others using let’s say a username. this user is given an ientity from the cloud provider and he is the only one reponsible to keep his credentials safe. On the other hand, the company is also required to set policies to force users to better protect their credentials.
-Policies in the cloud: Everyone would make a lot of connections in the cloud and could share his/her information with the others. This is the company giving the user this ability to customize his/her privacy policies and give the rest of the people different types of permission to access his/her data. You could see a lot of such issues recently in Facebook regarding different privacy policies resulting in many of its users to go angry and even quit using it. So wha can be concluded is that it is not only the user who has to be aware enough to set proper policies but also the company must give him this ability.
The history of loud computing maybe dates back to the time Hotmail became so popular and everyone was creating accounts in it and ever user was communicating with the rest, uploading their data somehow and doing so many new things. The technology has expanded up until now that we have lots of services provided like having a lot of space for storing my information and even I could have more than what I have on my pc at home. right? With all this rapid expansion, there comes security risks also. One of them could be the server downtime due to any serious security issues. In these situation we should look at our company’s plan to see how prepared they are for such cases and how secure their infrastructure is. At the same time, we should see how they react to such problems in the cloud really and what back-up plans they have.
Something else which plays a very important role in the level of trust and reliability from the users is the support they receive from the technical team. The users always need a team to respond well to the issues they have and we should really see how a company as big as Microsoft and with the users as many as Microsoft users, is supporting so many users.
In the future posts I ll try to make it so specific on different cloud providers and how they interact with each other and how the users are connected from different clouds. For the time being this link is a great source of information on Microsoft website.
Late at night
Befoe the morning clouds are out, let’s get some night sleep…. 🙂

Windows Virtual PC support for systems without hardware virtualization

Good news for those who have legacy processors which do not support hardware virtualization. A new update has been released by Microsoft letting you make use of Windows Virtual PC on computers without hardware virtualization capability. 

Something to keep in mind is that your computer must be running Windows 7 only in order to run Windows Virtual PC. One of the usages of Windows Virtual PC is for when we need to bring Windows XP application compatibility to our Windows 7 operating system. In this case we need to make use of a feature called Windows XP Mode which utilizes Windows Virtual PC. In the past such a support was not provided but now it has been out in the form of an update:
You can also read this really helpful article: http://support.microsoft.com/kb/977206
Cheers