On the 9/5 Virtualization Security Podcast we discussed Hyper-V security, joined by Alex Kibkalo, a former senior architect at Microsoft who is now Director of Product Management at 5nine Software. 5nine Software has developed the first introspective virtualization security product for Hyper-V. Introspection-based security has been missing from Hyper-V for a number of years; while it was possible to implement, the market was too small to make it feasible until now. That it is feasible now implies Hyper-V is gaining adherents, and so has a need for better security measures.
Hyper-V and VMware vSphere now have similar introspection available for security measures. On Hyper-V it is implemented by 5nine Software; on vSphere it is implemented by the VMware vCloud Networking and Security App and Endpoint modules as well as the VMware VMsafe ecosystem partner products (Juniper vGW, Check Point, IBM, Reflex Systems, etc.). The hook points for introspection have always been available within Hyper-V; until now there simply have not been any products using them.
Hyper-V differs from VMware vSphere in how introspective firewalls are added to the system. Within Hyper-V you add such measures either by hooking into the extensible virtual switch (Server 2012 versions of Hyper-V) or by hooking into the storage subsystem (all versions of Hyper-V). Both vSphere and Hyper-V need a driver to do this, and both allow such drivers; the key difference is where that driver sits. Within Hyper-V these drivers live in the parent partition (the equivalent of Dom0 under Xen, or the host kernel under KVM). That also implies there needs to be heightened security around the parent partition: a driver that can see every VM's network traffic and disk blocks is exactly what an attacker who lands there would want.
It is important to realize that the most basic form of virtualization security, protection of the management constructs within the virtual environment, has not changed with the addition of an introspective layer within Hyper-V. In fact, such additions heighten the need for these protections. The introspective layer that 5nine Software has created for Hyper-V has the following capabilities:
- Provides agent-less introspective anti-virus/anti-malware and firewall within Hyper-V, implemented as a set of drivers in the parent partition that cover an entire host
- Adds change block tracking at the SCSI data layer so that anti-virus/anti-malware inspection covers only changed blocks rather than rescanning whole virtual disks
- Allows the use of different AV engines (Kaspersky, Sophos, etc., depending on the current configuration)
- Adds a packet-filtering firewall at the network data layer of the virtual switch, giving an introspective firewall on both ingress to and egress from a virtual machine. Because it is built as a switch extension, this firewall can coexist with other virtual switch extensions such as the Cisco Nexus 1000V and Open vSwitch within Hyper-V.
- A plugin for System Center to manage the 5nine security layers
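The extensible-switch hook point described above is also where Hyper-V's own per-VM port ACLs live, so a practitioner can inspect and exercise it without any third-party product. The following PowerShell is an added example for this page, not 5nine's code or anything from the podcast; it assumes Windows Server 2012 or later with the Hyper-V PowerShell module, run as an administrator in the parent partition, and the switch name, VM name and subnet are placeholders.

```powershell
# Added example (not 5nine's code): enumerate the extensions bound to an
# extensible switch, then apply the built-in per-VM port ACLs that are
# enforced at the same hook point in the parent partition.
# Assumptions: Windows Server 2012+ Hyper-V, Hyper-V PowerShell module,
# run as administrator on the host. Names below are placeholders.
$SwitchName = 'External'        # assumed virtual switch name
$VMName     = 'WebServer01'     # assumed name of the VM being protected
$MgmtSubnet = '10.0.0.0/8'      # assumed subnet allowed to reach the VM

# 1. List the extensions bound to the switch. A third-party filtering
#    extension (5nine, Cisco Nexus 1000V, Open vSwitch) appears here next to
#    Microsoft's built-in NDIS capture and WFP extensions.
$extensions = Get-VMSwitchExtension -VMSwitchName $SwitchName
$extensions |
    Select-Object Name, Vendor, ExtensionType, Enabled, Running |
    Format-Table -AutoSize

# An extension that is bound but not running protects nothing. Warn about any
# non-Microsoft extension in that state; turning it on (Enable-VMSwitchExtension)
# is a deliberate change, not something to do blindly from an audit script.
$extensions |
    Where-Object { $_.Vendor -ne 'Microsoft' -and -not $_.Running } |
    ForEach-Object {
        Write-Warning "Extension '$($_.Name)' ($($_.Vendor)) is bound to '$SwitchName' but not running"
    }

# 2. Port ACLs are the switch's own stateless, per-virtual-NIC filter. They are
#    evaluated in the parent partition before a frame reaches the guest, so
#    malware inside the VM cannot switch them off. The most specific matching
#    rule wins, so a /0 deny plus a narrower allow yields default-deny inbound.
Add-VMNetworkAdapterAcl -VMName $VMName -Direction Inbound -Action Deny  -RemoteIPAddress 0.0.0.0/0
Add-VMNetworkAdapterAcl -VMName $VMName -Direction Inbound -Action Deny  -RemoteIPAddress ::/0
Add-VMNetworkAdapterAcl -VMName $VMName -Direction Inbound -Action Allow -RemoteIPAddress $MgmtSubnet

# 3. Read the rules back to confirm what the switch will actually enforce.
Get-VMNetworkAdapterAcl -VMName $VMName | Format-Table -AutoSize
```

Port ACLs are not a substitute for the stateful, introspective firewall the post describes; they are the minimum the switch itself offers on Server 2012, and the warning in step 1 is the check worth keeping once a filtering extension is in place, since a driver that is installed but not running gives a false sense of coverage.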
In general, we have been missing any discussion of Hyper-V security beyond what you would normally expect from a hypervisor:
- Each VM is segregated, and memory is scrubbed before it is allocated to a VM so that no other VM's data can be read from it
- Protect the management constructs
- BitLocker full disk encryption of the host volumes that hold VM storage provides data-at-rest protection
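Two of the three baseline protections above can be checked from the parent partition with nothing but the host's own tooling. The following PowerShell is an added example for this page, not code from the podcast, 5nine or Microsoft documentation; it assumes Windows Server 2012 or later with the Hyper-V and BitLocker PowerShell modules, run as an administrator on the host, and the two function names are the author's own.

```powershell
# Added example (not from the podcast or 5nine): audit BitLocker coverage of
# every volume that holds VM storage, and list who can control the host.
# Assumptions: Windows Server 2012+ (PowerShell 3.0+), Hyper-V and BitLocker
# PowerShell modules installed, run as administrator in the parent partition.

function Get-VMStorageBitLockerStatus {
    # Collect every VM configuration directory and attached VHD/VHDX path,
    # reduce them to their host volumes, and report BitLocker state per volume.
    $paths = foreach ($vm in Get-VM) {
        $vm.ConfigurationLocation
        (Get-VMHardDiskDrive -VMName $vm.Name).Path
    }
    $volumes = $paths |
        Where-Object { $_ } |
        ForEach-Object {
            # Keep a cluster shared volume as its own mount point rather than
            # collapsing it onto the system drive.
            if ($_ -match '^(?<csv>[A-Za-z]:\\ClusterStorage\\[^\\]+)') { $Matches.csv }
            else { [System.IO.Path]::GetPathRoot($_).TrimEnd('\') }
        } |
        Sort-Object -Unique

    foreach ($volume in $volumes) {
        # UNC paths (SMB 3 shares) and some CSVs come back 'Unknown' here;
        # their encryption state has to be checked on the file server or with
        # the cluster tooling, not from this host.
        $bl = Get-BitLockerVolume -MountPoint $volume -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Volume           = $volume
            ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Unknown' }
            VolumeStatus     = if ($bl) { $bl.VolumeStatus }     else { 'Unknown' }
        }
    }
}

function Get-HyperVControlGroupMembers {
    # Members of the local groups that control the host and its VMs. Anyone
    # listed can reach every VM's memory and disks, so the list should be
    # short and every entry accounted for.
    foreach ($groupName in 'Administrators', 'Hyper-V Administrators') {
        # ADSI rather than Get-LocalGroupMember so this also runs on
        # Windows Server 2012 / PowerShell 3.0.
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
        foreach ($member in @($group.Invoke('Members'))) {
            [pscustomobject]@{
                Group  = $groupName
                Member = $member.GetType().InvokeMember('Name',  'GetProperty', $null, $member, $null)
                Type   = $member.GetType().InvokeMember('Class', 'GetProperty', $null, $member, $null)
            }
        }
    }
}

Get-VMStorageBitLockerStatus   | Format-Table -AutoSize
Get-HyperVControlGroupMembers  | Format-Table -AutoSize
```

A volume reporting ProtectionStatus of Off while VolumeStatus is FullyEncrypted is the case to watch for: the disk is encrypted but the protectors are suspended, so the data-at-rest protection is not actually in force.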
But now we know quite a bit more, specifically the data path through the hypervisor for both network and storage, and that will help us better secure the environment. 5nine Software is a step in the proper direction: adding an introspective layer to Hyper-V lets us offload security features, agent-less, out of the guests and into the parent partition, where malware running inside a VM cannot disable them. That provides one more tool in the Hyper-V security toolbox.
However, we can never forget that the lowest-hanging fruit of virtualization and cloud security is to protect the management constructs, whether that is the parent partition or System Center, as if they were the keys to the kingdom, which they are.