http://aka.ms/FEEAB

Post on 04-Jan-2016


Security Enhancements in Windows Server 2012: Securing the Private Cloud Infrastructure

Yuri Diogenes, Senior Technical Writer, Server and Cloud Division Information Experience – Solutions Group
Tom Shinder, Senior Knowledge Engineer, Server and Cloud Division Information Experience – Solutions Group

http://aka.ms/FEEAB
http://blogs.technet.com/security_talk

Agenda: Private Cloud Infrastructure Security

• The Importance of Security in a Private Cloud
• Private Cloud Reference Model: Infrastructure
• Private Cloud: Compute Layer
• Private Cloud: Storage Layer
• Private Cloud: Networking Layer
• Private Cloud: Resiliency Layer
• Practical Scenario

Why is Private Cloud Security Important? Customers want to know.

What will we cover in this presentation? Private Cloud Infrastructure Security

Ultimate Goal: Align Windows Server 2012 security features to address core Private Cloud security concerns by providing a secure foundation for the cloud infrastructure, based on the Microsoft PCRM (Private Cloud Reference Model).

Primary Considerations

Compute

Networking

Storage

Resiliency

Compute

Private Cloud Security Concern: Physical Security of Compute Resources

• What if…
  • The Cloud Operator restarts the compute resource that I'm using and loads malware during the boot process?
  • A failure in provisioning leads to another operating system being loaded, causing downtime for my workload?
  • There is a breach of physical security and someone steals the server?

• Protecting Compute Resources
  • Policies in place to avoid errors in security provisioning
  • Clean-up process
  • SLA

Server Protection: Secure Boot

Current boot process: any OS could hook in and load code here, including a piece of malware.

New boot process: UEFI will only load a verified (via certificate) OS. If it is not valid, the boot will be interrupted.

UEFI Secure Boot Activation

Server Protection: Network Unlock for BitLocker

• Requires Windows 8, TPM, DHCP and UEFI
• Allows admins to boot remote systems without user interaction
• If taken outside the trusted location (off premise), the machine will require a PIN in order to boot
• No more trade-offs between security and power management or servicing

Storage

Private Cloud Security Concern: Storage Security

• What if…
  • Other tenants can access my data?
  • Data leakage occurs while data is at rest?

• Protecting Storage Resources
  • Isolation
  • Encryption
  • Auditing

Data Protection: BitLocker Drive Encryption

• Secures data within deployments inside and outside of the datacenter.
• Enables the IT administrator to:
  • Encrypt local disk storage (DAS)
  • Encrypt traditional failover cluster disks
  • Encrypt Cluster Shared Volumes 2.0
• Meets compliance demands.

Demo: Encrypting a Cluster Shared Volume (Tom Shinder)

Scenario
• Bob wants to ensure that the tenants' data is protected while at rest
• Bob wants to make sure that even if an intruder breaches the data center and pulls a drive, the data will be inaccessible
• Bob is using the Windows Server 2012 iSCSI target for failover cluster storage and CSVs
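The demo above is not scripted in the deck; the following is an added example (not the presenters' code) of encrypting a CSV with BitLocker on Windows Server 2012 so that a pulled drive is unreadable while every cluster node can still unlock it. It assumes the CSV is mounted at C:\ClusterStorage\Volume1, its disk resource is named "Cluster Disk 1", and the cluster name object is CONTOSO\CLUSTER1$ (all constructed names).

```powershell
# Added example: BitLocker on a Cluster Shared Volume (Windows Server 2012).
# Assumed names: CSV path, cluster disk resource and cluster name object (CNO) below.
# Run on the node that currently owns the disk resource.
Import-Module FailoverClusters
Import-Module BitLocker

$csvPath      = 'C:\ClusterStorage\Volume1'   # assumed CSV mount point
$diskResource = 'Cluster Disk 1'              # assumed cluster disk resource name
$cno          = 'CONTOSO\CLUSTER1$'           # assumed cluster computer account (CNO)

# 1. Put the CSV into maintenance mode so BitLocker gets exclusive control of the volume.
Suspend-ClusterResource -Name $diskResource

# 2. Turn on encryption with a recovery password (escrow it offline or in AD) ...
$vol = Enable-BitLocker -MountPoint $csvPath -RecoveryPasswordProtector -UsedSpaceOnly
$recoveryKey = ($vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword

# ... and add the cluster's computer account as a protector, so any node that is a member
# of the domain can unlock the volume automatically. A drive carried out of the datacenter
# has neither the domain nor the recovery password, so its contents stay inaccessible.
Add-BitLockerKeyProtector -MountPoint $csvPath -AdAccountOrGroupProtector -AdAccountOrGroup $cno

# 3. Return the CSV to service.
Resume-ClusterResource -Name $diskResource

# 4. Verify: protection On, both protector types present, encryption progressing.
Get-BitLockerVolume -MountPoint $csvPath |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ', ' } }

"Recovery password (store securely, then clear from the console): $recoveryKey"
```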

Networking

Private Cloud Security Concern: Network Security

• What if…
  • Other tenants can access my data?
  • Data leakage occurs while data is in transit?
  • Rogue servers/traffic can disrupt my workload?

• Protecting Network Resources
  • Isolation
  • Encryption
  • Protection against rogue services

Network Protection: SMB Encryption

• End-to-end encryption of SMB data in flight
• Protects data from eavesdropping attacks
• No need for IPsec or specialized hardware
• Configured per share or for the entire server
• Can be turned on for a variety of scenarios where data traverses trusted and untrusted networks
  • Branch offices over WAN networks
  • Application workloads over unsecured networks

Demo: Enabling and verifying SMB Encryption (Yuri Diogenes)

Scenario
• The Private Cloud tenant read a report saying that internal threats are still the biggest concern in network security
• The tenant has a file server on his segment that contains financial records and must be protected against eavesdropping attacks launched by internal clients

Lab Environment
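As an added example (not the demo's own script), this is how the per-share and server-wide SMB Encryption settings from the slide are enabled and then verified on the file server; it assumes a share named "Finance" (constructed) and is run on the file server as an administrator.

```powershell
# Added example: require SMB Encryption for a financial-records share and verify the posture.
# Assumed share name below; run on the file server itself.
$share = 'Finance'   # assumed

# Per-share: only encrypted SMB 3.0 sessions may access this share.
Set-SmbShare -Name $share -EncryptData $true -Force

# Alternative, server-wide for every share. RejectUnencryptedAccess ($true by default) makes the
# server refuse clients that cannot encrypt (SMB 1/2 clients) instead of silently serving them in clear.
# Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force

# Verification 1: the share's own setting.
$shareCfg = Get-SmbShare -Name $share | Select-Object Name, Path, EncryptData

# Verification 2: server-wide settings, to see whether unencrypted access is still tolerated.
$serverCfg = Get-SmbServerConfiguration | Select-Object EncryptData, RejectUnencryptedAccess

function Test-SmbEncryptionPosture {
    param($ShareConfig, $ServerConfig)
    # Data in flight is protected against eavesdropping only if encryption is demanded
    # (per share or server-wide) AND the server rejects clients that cannot encrypt.
    $demanded = [bool]$ShareConfig.EncryptData -or [bool]$ServerConfig.EncryptData
    $enforced = [bool]$ServerConfig.RejectUnencryptedAccess
    [pscustomobject]@{
        Share               = $ShareConfig.Name
        EncryptionDemanded  = $demanded
        UnencryptedRejected = $enforced
        Protected           = ($demanded -and $enforced)
    }
}

Test-SmbEncryptionPosture -ShareConfig $shareCfg -ServerConfig $serverCfg | Format-List
```

If RejectUnencryptedAccess has been set to $false, the share still reports EncryptData = True but a legacy client is allowed to talk in clear, which is why the audit checks both values.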

Network Protection: DHCP Guard

• Protects against a malicious VM representing itself as a Dynamic Host Configuration Protocol (DHCP) server for man-in-the-middle attacks

Demo: Protecting Tenants against rogue DHCP (Yuri Diogenes)

Scenario
• The Private Cloud tenant read the paper "A Solution for Private Cloud Security" from Microsoft and wants to ensure that his network segment is protected against rogue servers, clients and applications

Network Protection: Router Guard

• This feature allows you to specify whether router advertisement and redirection messages from unauthorized VMs should be dropped

Network Protection: Port ACL

• Allows you to create rules to apply to a Hyper-V switch port.
• The rule specifies whether a packet is allowed or denied on the way into or out of the VM.

How to implement this configuration:

# Allow the VM's own MAC address in both directions (the last octet of the sample MAC is truncated in the source)
Add-VMNetworkAdapterAcl -VMName MyVM -LocalMacAddress 12-34-56-78-9A- -Direction Both -Action Allow
# Allow inbound broadcast frames (for example ARP requests)
Add-VMNetworkAdapterAcl -VMName MyVM -LocalMacAddress FF-FF-FF-FF-FF-FF -Direction Inbound -Action Allow
# Deny everything else; the more specific rules above take precedence over this Any rule
Add-VMNetworkAdapterAcl -VMName MyVM -LocalMacAddress Any -Direction Both -Action Deny

Demo: Traffic isolation with Port ACLs (Yuri Diogenes)

Scenario
• The Private Cloud tenant read the paper "A Solution for Private Cloud Security" from Microsoft and wants to ensure that traffic isolation happens not only between tenants on his Private Cloud but also within the same tenant network

Network Protection: MacAddressSpoofing

• Allows you to specify whether a VM is allowed to change its source MAC address for outgoing packets.

How to implement this configuration:

# On permits the VM to change its source MAC; Off (the default) makes the switch drop such frames
Set-VMNetworkAdapter -VMName MyVM -MacAddressSpoofing On

Demo: Protecting against MacSpoofing attack (Yuri Diogenes)

Scenario
• The Private Cloud tenant read the paper "A Solution for Private Cloud Security" from Microsoft and wants to ensure that his company reduces the likelihood that a man-in-the-middle attack can occur inside of a tenant's network
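The DHCP Guard, Router Guard, Port ACL and MacAddressSpoofing slides above each show one setting in isolation; as an added example (not the presenters' code), the script below applies all four to one tenant VM's virtual NIC and then audits every VM on the host for the same posture. It assumes a VM named "TenantVM1" with a single network adapter (constructed name) and is run on the Hyper-V host.

```powershell
# Added example: harden a tenant VM's virtual NIC with the Hyper-V switch protections
# discussed above, then audit all VMs on the host. Assumed VM name below.
Import-Module Hyper-V
$vmName = 'TenantVM1'   # assumed

# 1. Guards and MAC pinning: drop DHCP server messages and router advertisements/redirects
#    sent by the VM, and refuse frames whose source MAC is not the adapter's own (Off is the default).
Set-VMNetworkAdapter -VMName $vmName -DhcpGuard On -RouterGuard On -MacAddressSpoofing Off

# 2. Port ACLs: allow the VM's own MAC and inbound broadcast, deny everything else.
#    The most specific rule wins, so the two Allow rules override the Any/Deny rule.
$mac     = (Get-VMNetworkAdapter -VMName $vmName).MacAddress   # returned as 00155D010203
$dashMac = $mac -replace '(..)(?!$)', '$1-'                    # ACL cmdlet form: 00-15-5D-01-02-03
Add-VMNetworkAdapterAcl -VMName $vmName -LocalMacAddress $dashMac          -Direction Both    -Action Allow
Add-VMNetworkAdapterAcl -VMName $vmName -LocalMacAddress FF-FF-FF-FF-FF-FF -Direction Inbound -Action Allow
Add-VMNetworkAdapterAcl -VMName $vmName -LocalMacAddress Any               -Direction Both    -Action Deny

# 3. Audit: one object per virtual NIC with a Compliant flag (guards on, spoofing off,
#    and a default-deny ACL present). Defaults to every VM on the host.
function Get-VmNicHardening {
    param([string[]]$VMName = (Get-VM).Name)
    foreach ($nic in Get-VMNetworkAdapter -VMName $VMName) {
        $acl = @(Get-VMNetworkAdapterAcl -VMNetworkAdapter $nic)
        $defaultDeny = $acl | Where-Object { $_.LocalAddress -eq 'Any' -and $_.Action -eq 'Deny' }
        [pscustomobject]@{
            VM          = $nic.VMName
            Adapter     = $nic.Name
            DhcpGuard   = $nic.DhcpGuard
            RouterGuard = $nic.RouterGuard
            MacSpoofing = $nic.MacAddressSpoofing
            AclRules    = $acl.Count
            Compliant   = ($nic.DhcpGuard -eq 'On' -and $nic.RouterGuard -eq 'On' -and
                           $nic.MacAddressSpoofing -eq 'Off' -and [bool]$defaultDeny)
        }
    }
}

Get-VmNicHardening | Format-Table -AutoSize
```

Running Get-VmNicHardening without parameters lists every VM on the host, so a NIC created later without these settings shows up as Compliant = False.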

Network Protection: Hyper-V Extensible Switch

• Open platform that lets multiple partners provide extensions that are written to standard Windows API frameworks.
• Partners include:
  • Cisco: Nexus 1000V & UCS Virtual Machine Fabric Extender (VM-FEX)
  • NEC: OpenFlow
  • 5nine: Virtual Firewall 3.0

Demo: Enabling Security Settings in the Hyper-V Extensible Switch (Yuri Diogenes)

Scenario
• Contoso has plans to extend their Private Cloud infrastructure by enabling intrusion detection at the hypervisor level.
• The cloud architect wants to understand whether his current deployment has any built-in capability to implement that and, if not, how this can be done without changing the hypervisor.

Resiliency

What happens when hardware fails?

Resiliency Approaches

App-Level Resiliency (Application-controlled failover / Guest clustering)
• VMs designed to handle failures (e.g. Guest Clustering), or downtime is acceptable
• Lower-end industry standard server, single infrastructure
[Diagram: two standalone Hyper-V hosts, each a parent partition with VMs, behind two switches; no cluster]

Infrastructure Resiliency (Hyper-V Failover Clustering)
• VMs not designed to handle failures; H/A at the server level
• Failover clustering as another layer of protection
• High-end servers, redundant power and network gear
[Diagram: two Hyper-V hosts, each a parent partition with VMs, joined in a cluster behind two switches]

Hyper-V | Resiliency

Inbox Replication: Hyper-V Replica enables the replication of VMs from the Primary to the Secondary site for inbuilt Disaster Recovery

Incremental Backups: Perform agentless backup operations more quickly and easily while saving network bandwidth and disk space

Integrated NIC Teaming: Aggregate network adapters to increase throughput and provide redundancy in case of link failure

Practical Scenario

Converged Datacenter Network + File Server Storage

[Diagram: a Hyper-V Server hosting VM 1 to VM n on the Hyper-V Extensible Switch; a File Server Cluster (Cluster, Storage and Manage traffic) attached to SAN / JBODs over SAS; Live Migration and Cluster / Storage / Manage traffic on the Datacenter Network (10GbE, NIC Teaming, OS QoS, DCB) and the Tenants Network (1/10GbE)]

"Green Field"
• 10GbE Network(s)
• File Server for VM storage
• Actual storage may be existing FC/iSCSI SANs or JBODs + Spaces
• Highlighted features: 10GbE w/DCB, QoS, LBFO, Hyper-V over SMB, Spaces
• Note: LBFO & RDMA can't coexist on the same NICs.

Use of NIC Teaming & QoS/DCB

• Documentation can be found at: http://technet.microsoft.com/en-us/library/hh831738.aspx

What about the Management Layer?

Solution for the Management Layer: System Center 2012 SP1

• Plan to embed security principles into the management layer, such as:
  • Role Based Access Control
  • Secure provisioning and deprovisioning
  • Secure elasticity
  • Secure automation

Announcing

Learn more about our book at http://blogs.technet.com/b/security_talk/archive/2013/01/22/windows-server-2012-from-end-to-edge-and-beyond-the-book.aspx

© 2013 Microsoft Corporation. All rights reserved.