
5nine Security for Hyper-V

Datacenter Edition

Version 3.0

Plugin for Microsoft System Center 2012

Virtual Machine Manager

November 2013


Table of Contents

Summary
System requirements
Permissions
Installation
5nine Security Operations
Global settings
Setting IP rule
Setting ARP rule
Setting Broadcast rule
Editing rule
Removing rule
Changing rules order
Setting virtual firewall
Setting antivirus
Enable antivirus
Set Antivirus schedule
Changing host settings
Operations with virtual machines
Setting virtual machine rules
Changing VM settings
View log records
Antivirus operation
IDS


© 2007-2013 5nine Software, Inc. All rights reserved.

Security & Management Solutions for Hyper-V and Windows Server

© 2013 5nine Software.

All rights reserved. All trademarks are the property of their respective owners.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form by any means, without written permission from 5nine Software Inc (5nine). The information contained in this document represents the current view of 5nine on the issue discussed as of the date of publication and is subject to change without notice. 5nine shall not be liable for technical or editorial errors or omissions contained herein. 5nine makes no warranties, express or implied, in this document. 5nine may have patents, patent applications, trademark, copyright, or other intellectual property rights covering the subject matter of this document. All other trademarks mentioned herein are the property of their respective owners. Except as expressly provided in any written license agreement from 5nine, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Important! Please read the End User Software License Agreement before using the accompanying software program(s). Using any part of the software indicates that you accept the terms of the End User Software License Agreement.


Contacting 5nine Software

We always welcome your feedback on the product as well as your user experience. If you would like to help us improve the product, please contact us at [email protected].

Customer Support

Please contact [email protected] if you have encountered any issue using 5nine Security 3.0 for Hyper-V Datacenter Edition Plugin for Microsoft System Center 2012 Virtual Machine Manager. Please supply product log files with your query to the support team.


Summary

5nine Security 3.0 for Hyper-V Datacenter Edition Plugin for Microsoft System Center 2012 Virtual Machine Manager is a program module that allows managing the Security Manager Virtual Firewall and Antivirus directly from the SCVMM console. The plugin allows you to perform all actions with virtual firewall traffic rules, set and remove monitoring on virtual machines, run anti-malware scanning processes, and get log records, just as in the 5nine Security Management console.

To download and install the plugin, please register on the 5nine web page (or log in) and download the product, 5nine Security 3.0 for Hyper-V Datacenter Edition, at

http://www.5nine.com/productsetup/5nine.VirtualFirewall.vFWVMMExtension.DC.zip.

System requirements

- OS:

  - Host: Windows Server 2012 or Windows 8 with Hyper-V enabled;

  - Guest VM: any.

- .NET 4.0 or higher on the server or VM that hosts the Management API and/or GUI application;

- SQL 2008 Express edition on the Management server/VM (in case DB logging is required);

- 5nine Security 3.0 for Hyper-V Datacenter Edition minimal setup on the hosts.

- Microsoft System Center 2012 Virtual Machine Manager on the hosts.

Permissions

For both domain and workgroup configurations:

- TCP port 8788 should be opened on the managed host.

- 5nine Security (Datacenter Edition or Free Edition) should be installed on each Hyper-V host that is monitored and protected (in case several hosts are managed from one Management console).

- The same applies to the 5nine Security service for SC VMM 5nine Security plugins.

- WMI access (http://technet.microsoft.com/en-us/library/cc787533(WS.10).aspx).

- SQL database or file access (read/write).

- Permission to control Hyper-V (http://blogs.msdn.com/b/virtual_pc_guy/archive/2008/01/17/allowing-non-administrators-to-control-hyper-v.aspx).

- The user should be a local administrator.

- If the host is managed remotely from a centralized management console, there should also be an account with similar permissions used in Server Settings. Best practice is to use the same account for the service on the managed host and in Server Settings in the management console.

For workgroup/mixed domains environment:

- The account for the workgroup environment should also have similar permissions on the currently managed host.

- Managed and management servers should be marked as trusted hosts if a workgroup environment is used in an environment with several domains.
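A pre-flight check for the prerequisites listed above, to run from the management server before importing the add-in. This is an added example, not 5nine's own tooling: the host name is a placeholder, and reading the Hyper-V WMI namespace and the WinRM client TrustedHosts list are assumptions about how "WMI access", "control Hyper-V" and "trusted hosts" can be verified.

```powershell
# Added example (not vendor code): pre-flight check of the prerequisites
# in the Permissions section. Save as a .ps1 and run from an elevated
# PowerShell 3.0+ session on the management server.
param(
    [string]$ManagedHost = 'hv-host01.example.test',  # placeholder host name
    [int]$Port = 8788                                 # port named in this guide
)

# TCP reachability with a timeout (Test-NetConnection is not available
# before Windows 8.1 / Server 2012 R2, so a raw TcpClient is used).
function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# True only when the current token carries the local Administrators group
# (an unelevated session under UAC reports False).
function Test-LocalAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Assumption: remote WMI plus Hyper-V read access is verified by listing
# Msvm_ComputerSystem in root\virtualization\v2 on the managed host.
function Test-HyperVWmi([string]$ComputerName) {
    try {
        Get-WmiObject -ComputerName $ComputerName -Namespace 'root\virtualization\v2' `
            -Class Msvm_ComputerSystem -ErrorAction Stop | Out-Null
        return $true
    } catch {
        return $false
    }
}

# Assumption: "trusted hosts" means the WinRM client TrustedHosts list.
# Returns 'Listed', 'Wildcard' (a bare * trusts every host), 'Missing' or 'Unknown'.
function Get-TrustedHostState([string]$ComputerName) {
    try {
        $value = (Get-Item -Path WSMan:\localhost\Client\TrustedHosts -ErrorAction Stop).Value
    } catch {
        return 'Unknown'   # WinRM service stopped or session not elevated
    }
    $entries = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries -contains '*') { return 'Wildcard' }
    foreach ($entry in $entries) {
        if ($ComputerName -like $entry) { return 'Listed' }
    }
    return 'Missing'
}

[pscustomobject]@{
    ManagedHost   = $ManagedHost
    PortOpen      = Test-TcpPort -ComputerName $ManagedHost -Port $Port
    LocalAdmin    = Test-LocalAdmin
    HyperVWmiRead = Test-HyperVWmi -ComputerName $ManagedHost
    TrustedHosts  = Get-TrustedHostState -ComputerName $ManagedHost
}
```

A `Wildcard` result means TrustedHosts is set to `*`, which is broader than the managed and management servers this guide asks for; listing those servers explicitly keeps the trust scoped to them.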

Installation

The VMM extension source package is a ZIP archive. Installation is performed through the MS SC VMM Management Console itself.

Below are brief installation and deployment instructions:

1. Select the Settings workspace.

2. Next, select the 'Console Add-Ins' node.

3. Finally, click the Import Console Add-In button. An import wizard will then open, allowing you to select a ZIP file that contains the Add-In.

Once the above is completed, new buttons and menu items with the 5nine icon and the “Security Manager” label will appear in the VMM main top bar and context menus:

When selecting 'All Hosts':

When selecting a certain host:

When selecting a certain virtual machine:

5nine Security Operations

The plugin allows you to perform the following 5nine Security operations from the SCVMM console context menu and top bar buttons:

1. Security Global Rules. Allows the user to edit global filtering rules. Described in the 'Global settings' section.

2. Virtual Firewall Management and Monitoring Management. Allows the user to enable or disable firewalling, monitoring and protection for individual VMs. Described in the 'Setting virtual firewall' section and the 'Setting virtual machine rules' subsection of the 'Operations with virtual machines' section.

3. Anti-Virus schedule management. Allows the user to view and manage the Anti-Virus schedules and enable or disable them for VMs, that is, select VMs for scheduled anti-malware checks. Described in the 'Setting antivirus' section.

4. Anti-Virus Operation on individual VMs. Allows the user to run anti-malware scan jobs on a particular VM, manually control the scan job state (start/pause/resume/stop) and see log records. Described in the 'Antivirus operation' subsection of the 'Operations with virtual machines' section.

5. Intrusion Detection System (IDS). Allows detection¹ and prevention of intrusion attacks and viewing the event log. Described in the 'IDS' subsection of the 'Operations with virtual machines' section.

All these operations are similar to the operations in the standalone 5nine Security Management Console.

¹ Detection of intrusion attacks is done through the free IDS Snort ©, a third-party, freely distributed application that is able to determine whether certain inbound traffic is considered an intrusion, which is then blocked by 5nine vFirewall.

Note. In all windows that contain a host and VMs tree, only VMs or hosts that are monitored by 5nine Security are visible.

Global settings

To change 5nine Security global settings, first select 'All Hosts' in the SCVMM tree on the left, then use the Security Global Rules context menu command:

or click the Security Global Rules button on the top bar of the Folder tab:

The Virtual Machine rules window will appear:

Setting IP rule

To add an IP rule, click the Add IP Rule button on the top menu panel. The following dialog will appear:

You can either set all the parameters manually or select the necessary template so that all the main fields are filled with pre-defined values. To select a template, open the Rule templates dialog by pressing the Templates button in the lower-left corner of the Rule properties dialog:

Select the template you need and the direction, then press the Apply button. Press OK in the Rule properties dialog.

Setting ARP rule

To add an ARP rule, click the Add ARP Rule button on the top menu panel. The following dialog will appear:

Set the necessary parameters; use space and comma as delimiters when specifying remote IPs, VMs and MACs, as shown in the window.

To select remote virtual machines from a list, press the button to the right of the field containing their names, check the machines you need to add, and then press OK in the window below:

Then press OK in the ARP Rule properties dialog.

Setting Broadcast rule

To add a Broadcast rule, click the Add Broadcast Rule button on the top menu panel. The following dialog will appear:

Fill out all the parameters just as when adding an ARP rule, and then press OK.

Editing rule

To edit a rule, select it in the list, then click the Edit button on the top menu panel. Then change the IP, ARP or Broadcast rule settings in the appropriate dialog, just as when adding the rule.

Removing rule

To remove a rule, select it in the list, then click the Remove button on the top menu panel. The rule will disappear from the list.

Changing rules order

To move a rule up or down in the list, select it and click the Change Order button on the top menu panel. The Change Order dialog will appear:

Select one of the options:

- Move First – to put the selected rule in the first place in the list.

- Move Last – to put the selected rule in the last place in the list.

- Move After – to put the selected rule after another rule. Select that rule from the list box next to this option.

Rules will be applied in accordance with their positions in the list.

Setting virtual firewall

To set the 5nine Security vFirewall, first select 'All Hosts' in the SCVMM tree on the left, then use the Security vFW Settings context menu command:

or click the Security vFW Settings button on the top bar of the Folder tab:

The Enable Monitoring dialog will appear:

Select the VMs on which to set the vFirewall so that the added rules are applied to these VMs. Then press OK.

Setting antivirus

To set 5nine Security Antivirus for scheduled automatic anti-malware runs, you should enable it on the necessary VMs and set an antivirus schedule.

Enable antivirus

To enable 5nine Security Antivirus on the VMs that need to be checked for malware automatically by the AV schedule, first select 'All Hosts' in the SCVMM tree on the left, then use the Security AV Settings context menu command:

or click the Security AV Settings button on the top bar of the Folder tab:

The Enable Antivirus dialog will appear:

Select the VMs for scheduled anti-malware scans on the Virtual machines tab.

Then open the Extensions tab to select the files that will be scanned for viruses:

Here you have two options:

- Scan all files – all files on the virtual machine will be checked.

- Allow me to control exactly what is scanned (default option) – only files whose extensions are in the list will be checked. There is a default list of file types, which is recommended. However, you can edit it by adding or removing file extensions from this list. Push the Add or Remove buttons to add or remove the extensions.

Add the file extension and its description in the dialog below, and then click OK:

To edit an already added extension, find it in the list, then click the Edit button and perform the same actions as above in the Edit extension dialog:

To include files without extensions in the scanning process, enable the Scan files with no extensions option (disabled by default):

To restore the default settings, push the Restore defaults button on the Extensions tab.

If you do not wish the Hyper-V cloud snapshot to be removed after the scan, open the Advanced tab and clear the Remove Hyper-V snapshot after scan check box, which is ticked by default:

Set Antivirus schedule

To set the 5nine Security AV schedule, first select 'All Hosts' in the SCVMM tree on the left, then use the Security AV Schedule context menu command:

or click the Security AV Schedule button on the top bar of the Folder tab:

The Antivirus Schedule List dialog will appear:

Open the schedule setting window by pressing the Add button in the window above:

Set the recurrence parameters hourly (shown above), daily:

weekly:

or monthly:

At the end, press OK.

If you wish to edit or remove an existing schedule, select it in the Antivirus Schedule List dialog and press the appropriate button below.

Changing host settings

To change host settings, first select the host in the SCVMM tree on the left, then use the Security Host Settings context menu command:

or click the Security Host settings button on the top bar of the Host tab:

The Server Properties dialog will appear:

Tick (default setting) or clear the Enable Monitoring box to set or remove the vFirewall on the host.

Set the authentication parameters. You can select one of the following authentication methods:

1. Use default credentials. The current user's credentials will be used.

2. Use custom credentials. The user can define credentials that will be used to manage the vFirewall on the target server.

These credentials will be used only for authentication to retrieve the virtual machines list and will not affect the user account used by the vFirewall service on the target machine.

Tick the Enable monitoring on new VMs by default box to set the vFirewall automatically when a new VM is added (either created or migrated) on the host. The default monitoring state setting is stored in the management service configuration file (setting “DefaultMonitoringState” in 5nine.VirtualFirewall.Manager.exe.config). The default monitoring state is individual for each monitored host. By default it is set to true, which means that the monitoring state of all new virtual machines will be set to Enabled. When a new virtual machine is created on a monitored host, vFirewall checks whether any saved settings exist (as is the case when the machine is created as a result of migration from another host with vFirewall installed). If there are no saved settings, the new VM's monitoring state will be set to the default monitoring state value. Click OK.

Push the Thresholds button to change workload parameters if necessary. The following dialog will appear:

Set the virtual environment workload thresholds for the server's processor, memory, disk input/output and network input/output over-utilization (all in percent of maximum), then press OK. The defaults are:

- Processor over-utilization threshold: 80

- Memory over-utilization threshold: 90

- Disk I/O over-utilization threshold: 80

- Network I/O over-utilization threshold: 80

When an anti-malware scan is running, the scanning process on each VM will be automatically paused/resumed (if necessary) in accordance with the current workload parameters, preventing the host from overload.


Operations with virtual machines

Before performing any operations on a virtual machine, first select the virtual machine in the SCVMM list in the middle, and then use the VM Security Rules and Logs context menu command:

or click the VM Security Rules and Logs button on the top bar of the Virtual Machine tab:

The Virtual machine window will open:

Setting virtual machine rules

Adding new virtual machine vFirewall rules and editing or removing existing rules are done just as with global rules, as described in the 'Global settings' section, subsections 'Setting IP rule', 'Setting ARP rule', 'Setting Broadcast rule', 'Editing rule', 'Removing rule' and 'Changing rules order'. Use the appropriate buttons on the Firewall tab of the Virtual Machine rules window. The only difference is that the rules added here concern only the selected virtual machine and do not affect the others.

Changing VM settings

To change virtual machine settings, click the Settings button on the Firewall tab of the Virtual Machine rules window. The following dialog will open:

Set the vFirewall logging parameters on the Firewall tab:

- Select the logging level from the list:

  Log only filtered events – only filtered VM events will be recorded to the log.

  Log only allowed events – only allowed VM events will be recorded to the log.

  Log all events (default) – all the VM events will be recorded to the log.

  Do not log any events – none of the VM events will be recorded to the log.

- Enter the number of days to keep the log records in the Log retention days field.

- Enter the maximum number of records that will be added to the log in the Log records count field.

Set the log size and retention for the IDS logs on the IDS tab in the same way:

Set the allowed send/receive bandwidth limits:

- Enter the maximum allowed send bandwidth limit (in Kbps) in the Allowed send bandwidth (Kbps) field.

- Enter the maximum allowed receive bandwidth limit (in Kbps) in the Allowed receive bandwidth (Kbps) field.

Click OK. The settings made here will only concern the VM whose name is shown in the Name field.

View log records

To view the current vFirewall log records for the selected virtual machine, click the Load Log button on the Firewall tab of the Virtual Machine rules window. The log records will appear in the lower part of the Virtual Machine rules window, as shown above.

Antivirus operation

To work with the anti-malware module on the selected virtual machine, open the Antivirus tab in the Virtual Machine rules window:

To control the anti-malware engine activity, use the appropriate button of the Antivirus management block:

- Start – to start the anti-malware scan.

- Stop – to terminate the anti-malware scan.

- Pause – to temporarily pause the anti-malware scan.

- Resume – to continue the temporarily paused anti-malware scan.

- Query – to retrieve the anti-malware scan state. The state will be shown with appropriate message, e.g.:

- Log – to get the anti-malware last scan results. The results will appear in the lower part of the Virtual Machine rules window as shown above.

IDS

The IDS feature is managed on the IDS tab:

Tick the Enable filter box to switch the filter on so that only IDS events matching the filter parameters will be displayed.

Set the start date for IDS events in the From field and the end date in the To field. Use the calendar for convenience:

Set the event priority in the Priority field. Select a digit or 'Any' (for all priorities) from the list:

To view IDS events, click 'Load Log' in the upper-left corner.

Attention. The IDS feature works only with the third-party, freely distributed IDS Snort, an application that is able to inspect inbound traffic to detect intrusion attacks. It must be running on the target host. See the readme.txt file provided with the 5nine Security installation archive for details on how to set up and use the Snort application.
