Security Dependencies

To me, systems security is not all about configuration; it is mostly about design. Staying away from attacks and keeping the environment safe depends largely on how the security engineer designs a system. Many things play important roles in bringing security to systems, and one of the most important, one that deserves a great deal of attention, is security dependencies.

A security dependency occurs when the security of a system depends on the security of another system. This is the case in almost all networks, given all the unified systems deployed in them. Take Active Directory for instance. In an AD environment there are many different services that get authenticated and authorized by the Domain Controller. What does that mean? Simply that the security of all the systems running those services is dependent on the security of the Domain Controller. Once the DC is hacked, the whole network, with all the services that depend on the DC, is in danger.

This way of thinking gives the security designer a very good view of their design. They know what to begin the design with, exactly what kind of data must be stored on each server, and how that data is going to be used by the other servers. Clarifying things this way gives the designer a better view of how to relate services and servers.

We generally have two types of dependencies:

Acceptable dependency: a less sensitive service or server is dependent on a more sensitive server or service. For example, the security of a client PC is dependent on the security of a DC in an AD network.

Unacceptable dependency: a more sensitive service or server is dependent on a less sensitive server or service. As a simple example, take a DC running Windows Server 2008 R2 in a part of the network that is protected by another server running Windows Server 2003 with Routing and Remote Access Service and a basic firewall. This is where we should think again about our design:

Should we run the AD database on a Windows Server 2008 R2 server and protect it from outside attacks using a Windows Server 2003 server, or the other way around?

Or maybe we should go ahead with a totally different design by adding another Windows Server 2008 R2 server to the network.

Thinking about virtualization technologies, we get to the same point: all the virtual machines (VMs) are dependent on the security of the hypervisor. With a basic configuration of Hyper-V the whole virtualized environment could be exposed to attacks, and once the host is hacked the other VMs are at risk. Yet again, there are ways to change this kind of dependency and mitigate the attacks; in this post I have explained one of those ways.

All in all, security dependencies always exist in our networks and systems, but what really matters is the level of the dependency and seeing exactly what is dependent on what. In situations where we have to make a choice, it is very important to analyze the different options and, if there is no way to eliminate the dependency altogether, choose the one that makes the less sensitive server dependent on the more sensitive one.
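The rule above can be checked mechanically once the design is written down as a dependency graph. The following is an added PowerShell example, not part of the original post; the system names and sensitivity tiers are constructed to mirror the DC, RRAS and Hyper-V cases discussed above (lower tier number = more sensitive).

```powershell
# Added example: model the dependencies described in the text and flag the unacceptable ones.
# Sensitivity tiers are constructed for illustration: lower number = more sensitive.
$Tier = @{
    'DC-2008R2'    = 0   # Domain Controller: everything in AD depends on it
    'HyperV-Host'  = 0   # parent partition: every VM depends on it
    'TMG-VM'       = 1
    'FileServer'   = 1
    'RRAS-2003-FW' = 2   # old edge box with a basic firewall
    'Client-PC'    = 3
}

# Each edge reads: 'Dependent' relies on 'Provider' for its security.
$Edges = @(
    @{ Dependent = 'Client-PC';  Provider = 'DC-2008R2' }
    @{ Dependent = 'FileServer'; Provider = 'DC-2008R2' }
    @{ Dependent = 'DC-2008R2';  Provider = 'RRAS-2003-FW' }  # the questionable design from the text
    @{ Dependent = 'TMG-VM';     Provider = 'HyperV-Host' }
    @{ Dependent = 'FileServer'; Provider = 'HyperV-Host' }
)

function Get-UnacceptableDependency {
    param([hashtable]$Tier, [array]$Edges)
    foreach ($e in $Edges) {
        # Unacceptable: the dependent is more sensitive (lower tier) than the provider it relies on.
        if ($Tier[$e.Dependent] -lt $Tier[$e.Provider]) {
            [pscustomobject]@{
                Dependent = $e.Dependent; DependentTier = $Tier[$e.Dependent]
                Provider  = $e.Provider;  ProviderTier  = $Tier[$e.Provider]
            }
        }
    }
}

function Get-BlastRadius {
    # Everything that transitively depends on $Compromised is at risk once it falls.
    param([string]$Compromised, [array]$Edges)
    $atRisk = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue  = New-Object System.Collections.Queue
    $queue.Enqueue($Compromised)
    while ($queue.Count -gt 0) {
        $p = $queue.Dequeue()
        foreach ($e in ($Edges | Where-Object { $_.Provider -eq $p })) {
            if ($atRisk.Add($e.Dependent)) { $queue.Enqueue($e.Dependent) }
        }
    }
    return $atRisk
}

Get-UnacceptableDependency -Tier $Tier -Edges $Edges | Format-Table -AutoSize
'If RRAS-2003-FW falls, at risk: ' + ((Get-BlastRadius -Compromised 'RRAS-2003-FW' -Edges $Edges) -join ', ')
```

With the constructed data the only flagged edge is DC-2008R2 depending on RRAS-2003-FW, and the blast radius of the 2003 box is the DC plus everything behind it.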


Security in Hyper-V

Hyper-V is Microsoft’s virtualization technology, now running on Windows Server 2008 R2, and it is widely used in many networks. Hyper-V supports so many different applications that even Microsoft Forefront TMG 2010 can now be run on it, so we can completely virtualize the edge of the network in a very efficient design. I have written three articles on virtualizing Forefront TMG 2010; you can access them from the links below:

Deploying the network edge on a virtualized environment – Part 1

Deploying the network edge on a virtualized environment – Part 2

Deploying the network edge on a virtualized environment – Part 3

Once we run so many different applications and servers on different virtual machines, we come to wonder whether it is really secure, or whether we are just putting all the servers running on Hyper-V at risk of being hacked. The answer is yes, it is really secure, provided that we implement a good design.

As you know, Hyper-V includes a parent partition, which is basically our main Windows Server 2008 R2 (64-bit) installation on which we have installed the Hyper-V role; this is where the whole Hyper-V management toolset is installed and can be accessed.

And there are one or more child partitions on which we can install another operating system as our virtual machine and make it operational to provide, or maybe even consume, any kind of service.

Now imagine that Hyper-V is on the edge of your network and there is a very high possibility that some bad guy will attack it. What if the bad guy did attack your server and, because of a security bug in one of your applications, your parent partition got hacked and he penetrated into it? Now what? He has access to all the other VMs through Hyper-V Manager and can make any kind of modification to the other child partitions and their operating systems.

So the first step is to think about disconnecting the parent partition from the Internet while still giving Internet access to the virtual machines. Is it possible? Yes, it is.

Let’s say that you have a network adapter that is connected to the Internet. Simply right-click on that NIC (the physical NIC), go to Properties and follow the configuration that you see in the picture below:

Then open Virtual Network Manager, create a New Virtual Network, call it WAN and make it an External connection type. In the drop-down menu right below External, choose the NIC that is connected to the Internet (the one whose properties you just saw above). The next thing you need to know is that you need to uncheck “Allow management operating system to share this network adapter”.

Now you are done, and if you test the parent partition you will see that it is disconnected from the Internet; that is how you disconnect the parent partition from the Internet. Now if you have a child VM and you want to connect it to the Internet, what will you do? Do you think that, now that you have disconnected the parent from the Internet, it is still possible to give the child Internet access? Yes, it is.

Let’s say the child is a TMG server that you want to give Internet access, and then connect the rest of the network to the Internet through TMG. In your Hyper-V Manager console, right-click on the child VM with TMG, click Settings, and then click on the Network Adapter on the right. At the top of the window, connect it to the WAN network:

Now if you test network connectivity on your TMG child VM, you can see that it is connected to the Internet. On the TMG VM you still need to add another network adapter and connect it to the LAN physical network interface, because you need the LAN users to see your TMG and then connect through it to the Internet.

Remember that on the Hyper-V server you still need to install a third network adapter for management purposes and connect it physically to a management switch. Once you have installed one, go to Virtual Network Manager, create a new Virtual Network called Management, make it an External network and choose that new network adapter; this time check “Allow management operating system to share this network adapter” so that management users can access the parent partition through this interface.
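The same three-switch design, scripted so it can be repeated and verified, as an added example that is not part of the original post. It uses the Hyper-V PowerShell module, which ships with Windows Server 2012 and later (2008 R2 only exposes these settings in the GUI described above); the adapter names, the VM name and the decision to keep the parent off the LAN switch as well are assumptions.

```powershell
# Added example: build the WAN / LAN / Management switches from the text and check that
# the parent partition ends up reachable only through Management.
# Names below are assumptions; substitute the ones on your host.
$InternetNic = 'Ethernet-Internet'   # physical NIC cabled to the Internet
$LanNic      = 'Ethernet-LAN'        # physical NIC cabled to the internal network
$MgmtNic     = 'Ethernet-Mgmt'       # third NIC, cabled to the management switch
$TmgVm       = 'TMG'                 # child VM that will become the edge

# WAN: external switch bound to the Internet NIC and NOT shared with the parent partition.
# -AllowManagementOS $false is the equivalent of unchecking
# "Allow management operating system to share this network adapter".
New-VMSwitch -Name 'WAN' -NetAdapterName $InternetNic -AllowManagementOS $false | Out-Null

# LAN: the switch TMG uses to reach internal users. Keeping the parent off it as well is a
# design choice made here (assumption), so the host is reachable only via Management.
New-VMSwitch -Name 'LAN' -NetAdapterName $LanNic -AllowManagementOS $false | Out-Null

# Management: the only switch on which the parent partition gets a virtual NIC.
New-VMSwitch -Name 'Management' -NetAdapterName $MgmtNic -AllowManagementOS $true | Out-Null

# Attach the TMG VM: its existing (single, default) adapter goes to WAN,
# and a second adapter is added on LAN so internal clients can reach it.
Connect-VMNetworkAdapter -VMName $TmgVm -SwitchName 'WAN'
Add-VMNetworkAdapter -VMName $TmgVm -Name 'LAN' -SwitchName 'LAN'

# Verify the dependency you intended. A parent-partition vNIC on WAN would mean the host
# is exposed to the Internet again, which is exactly what this design is meant to avoid.
$hostSwitches = Get-VMNetworkAdapter -ManagementOS | Select-Object -ExpandProperty SwitchName
if ($hostSwitches -contains 'WAN') {
    Write-Warning 'Parent partition still has a virtual NIC on WAN; fix this before exposing the host.'
}
Get-VMSwitch | Select-Object Name, SwitchType, AllowManagementOS | Format-Table -AutoSize
```

Run the two verification lines again after any later change in Virtual Switch Manager; a single click on the sharing checkbox for WAN silently re-creates the dependency.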

I hope it was useful 

Best of luck