5nine Security Manager for Hyper-V Standard edition

Ver. 3.0 Getting Started Guide

Table of Contents

- Summary
- Features and Benefits
- Virtual Firewall Silent installation
- 5nine Security Manager Menu
- System Requirements

Summary

5nine Security Manager is a virtual infrastructure monitoring tool that lets you define network traffic rules for Hyper-V virtual machines and harden your virtual infrastructure from a security perspective, both programmatically (using the PowerShell API) and via the Management Console. Security Manager allows reviewing the network traffic logs of each monitored virtual machine and generates related reports. A dedicated Security Heartbeat service checks that the firewall rules are enforced and powers a virtual machine down if its network filter is not communicating.

Version 3.0 of 5nine Security Manager monitors and controls the traffic between Hyper-V virtual machines and between virtual machines and the external network. The Standard edition works in user mode, is designed for local users, and has fewer capabilities than the Data Center edition, which is designed for hosting companies.

Features and Benefits

Simple installation. 5nine Security Manager has only one component that needs to be installed: an intuitive Management interface (DLL) that supports the PowerShell API (described below) for setting and changing traffic rules. The Management API also comes with a simple GUI application for setting the traffic rules between the virtual machines and the external network. The Management interface can be installed either on a server or on a virtual machine, and gives the system administrator access to rules, logs and reports:

To set up the Management interface (DLL and Management GUI application), the administrator runs the setup.exe application from the downloaded 5nine Security Manager Standard 3.0 archive on a server or VM that meets the 5nine Security Manager Standard 3.0 'System Requirements', and supplies the appropriate license when prompted:

Choose the path where 5nine Security Manager 3.0 is to be installed and the users who will be able to work with the product:

You can check the physical space available on your drives and the space required for the installation by pressing the Disc Cost… button in the window shown above:

Select the MS SQL data source:

Virtual Firewall remote installation is one step of the installation process. While installing vFW (Virtual Firewall) locally on one machine, the user can define the servers on which vFW should be installed remotely. After the data source selection page the user will see a page where he can choose whether to include the remote setup step in the setup process.

Specify whether a remote installation step is required in the setup process:

If the checkbox is checked, the user can select servers for remote installation. The remote installation server selection dialog comes after the user credentials dialog and is similar to the monitored servers discovery dialog.

For remote management Security Manager uses the WinRM service, which must be available. In the cases listed below, trusted hosts must be configured:

- Client and remote server are in different domains and there is no trust between the two domains;
- Client or remote server is located in a domain and the other one is located in a workgroup;
- Both client and remote server are located in a workgroup.

Trusted hosts should be configured on both the client and the remote server side. It can be done with the command:

Set-Item wsman:localhost\client\trustedhosts -Value "{ComputerName}"

or manually with the gpedit.msc console:

gpedit.msc console -> Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Windows Remote Management (WinRM)/WinRM Client -> Trusted Hosts

To add all machines in the workgroup to the trusted hosts, the name "{local}" can be used. A typical symptom of this problem is the error "WinRM cannot process the request" in the Management Console log. That message can also appear when the system cannot resolve the remote host path (it is wrong, or the DNS server is
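As an added example (not from the 5nine guide), the following PowerShell checks WinRM reachability of the hosts selected for remote installation and adds them to the WinRM client TrustedHosts list by name, rather than with a wildcard; the host names are constructed.

```powershell
# Added example (not from the 5nine guide): verify WinRM reachability of the
# hosts selected for remote installation and add them to the WinRM client
# TrustedHosts list by name, rather than with the "*" wildcard.
# $targets is a constructed list of remote Hyper-V hosts.
$targets = @('HV-NODE01', 'HV-NODE02.lab.local')

# TrustedHosts turns off mutual authentication for the listed names, so the
# list should stay explicit and short; read what is configured now.
$current  = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$existing = @()
if ($current) { $existing = $current -split ',' | ForEach-Object { $_.Trim() } }

foreach ($target in $targets) {
    # Test-WSMan sends an unauthenticated Identify request, so it works
    # before TrustedHosts is set and separates "WinRM not listening / not
    # reachable" from trust problems.
    try {
        $null = Test-WSMan -ComputerName $target -ErrorAction Stop
        Write-Host "WinRM reachable: $target"
    } catch {
        Write-Warning "WinRM not reachable on ${target}: $($_.Exception.Message)"
        continue
    }

    if ($existing -notcontains $target) {
        # -Concatenate appends to the existing list instead of replacing it;
        # -Force suppresses the confirmation prompt. Run from an elevated shell.
        Set-Item WSMan:\localhost\Client\TrustedHosts -Value $target -Concatenate -Force
        Write-Host "Added $target to TrustedHosts"
    }
}

# Print the final list so it can be reviewed and trimmed again after rollout.
(Get-Item WSMan:\localhost\Client\TrustedHosts).Value
```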

WFP filtering audit can be enabled from the Security Manager Standard Edition setup: an "Enable Windows Filtering Platform audit" checkbox exists on the "Installation settings" page. If that checkbox is checked, the command listed above will be executed during the installation process:

The user can manually disable the WFP audit with the following command:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
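The auditpol command above only turns the audit subcategory off. As an added example (not from the guide), this PowerShell reports the subcategory's current state and measures how much Security-log volume it generates; the one-hour window is an assumption.

```powershell
# Added example (not from the 5nine guide): show the state of the audit
# subcategory that the setup checkbox toggles and count the events it has
# produced recently. WFP packet-drop auditing writes Security-log events
# 5152 (packet blocked) and 5157 (connection blocked), which can flood the
# log on a busy Hyper-V host; that is why the guide suggests disabling it
# when it is not used.
$subcategory = 'Filtering Platform Packet Drop'

# auditpol prints the current setting; run from an elevated prompt.
$state = auditpol /get /subcategory:"$subcategory" |
    Where-Object { $_ -match $subcategory }
Write-Host "Audit state: $($state.Trim())"

# Count the events of the last hour ($window is an assumed lookback).
$window = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5152, 5157
    StartTime = $window
} -ErrorAction SilentlyContinue

$count = @($events).Count
Write-Host "WFP packet-drop events in the last hour: $count"

if ($count -gt 0) {
    # Group by destination port to see which drops dominate the log.
    $events | ForEach-Object {
        $xml = [xml]$_.ToXml()
        ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'DestPort' }).'#text'
    } | Group-Object | Sort-Object Count -Descending | Select-Object -First 5
}
```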

It is better to disable the WFP filtering audit if it is not used, or after Security Manager is uninstalled.

Confirm the installation:

Confirm that the 3f3b34c.msi installation program may run and make the necessary settings if asked (this depends on your server's OS security settings):

Set the SQL Server instance that will be used and connect to it by entering the user name and password. Either SQL Server Authentication or Windows Authentication can be used to access your database. To find out which authentication is used and to get the user name and password, contact your database administrator.

You can test the database connection by pressing the Test connection button. In the case of a successful connection a message of the following kind will appear:

Then select the 5nine Security Manager Standard 3.0 license file provided with the distribution:

Set the account for the Security Management service as required:

If you earlier chose the option Include Remote installation step in setup process as described above, you will be asked to choose the remote host(s) for the 5nine Security Manager Standard 3.0 installation:

There will be a table with servers and installation status. Possible statuses:

- Idle. Ready for installation to start; waiting for the Start button to be pressed.
- Processing. Remote installation in progress.
- Complete. Remote installation completed.
- Failed. Remote installation failed. Additional information about the error will be in the Description column.

Remote installation is processed in parallel for each selected server. The MSI file and the selected license file are copied to drive C: on the remote machine (the user must have permission to write files on the target machine). After the files are copied, installation is started in silent mode with the parameters selected for the local installation. After installation completes, the temporary files are removed and the remote machine is rebooted.

After all installations have finished (completed successfully or failed) the user can close the dialog and continue the installation. The remote installation step is followed by the monitored servers selection step. The local machine is included in the list by default, as are the servers from the previous installation config (if it was saved).

Press the Start button to start the remote installation, watch the process and results, and press the Close button when the remote installation process is complete:

Select the servers from the list (the separate window Select Hyper-V Servers shown below will open) and then set the credentials in the dialog window. Contact your network administrator to get the credentials.

You may change the properties of an already added server at any time by pressing the Edit button in the Servers for monitoring window shown above.

The user can also change the server credentials and the default monitoring state later in the Server Properties dialog. To open that dialog, select the Settings menu item from the server context menu in the Virtual Firewall Management Console tree view.

The user can select one of the following authentication methods:

1) Use default credentials. The current user's credentials will be used.

2) Use custom credentials. The user can define the credentials that will be used to manage the Virtual Firewall on the target server.

These credentials are used only for authentication when retrieving the virtual machine list and managing the Virtual Firewall via the PowerShell API. They do not affect the user account used by the Virtual Firewall service on the target machine.

Also in the Server Properties dialog the user can define the default monitoring state for newly created or migrated machines. The default monitoring state setting is stored in the management service config file (setting "DefaultMonitoringState" in 5nine.VirtualFirewall.Manager.exe.config). The default monitoring state is individual for each monitored host. By default it is set to true, which means that the monitoring state of every new virtual machine is set to Enabled. When a new virtual machine appears on a monitored host, Virtual Firewall checks whether any saved settings exist for it (for the case when the machine was created as a result of migration from another host with Virtual Firewall installed). If there are no saved settings, the new VM's monitoring state is set to the default monitoring state value.

You may also add servers to the list one by one by pressing the Add button and entering the server name manually in the dialog window below:

or let 5nine Security Manager 3.0 search for and add them automatically by pressing the AD Discovery button, or search for them by IP range/subnet mask, which can be set in the window below, opened by pressing the IP Discovery button:

At the end of a successful 5nine Security Manager Standard 3.0 installation the following message will appear:

To finally complete the 5nine Security Manager Standard 3.0 installation, confirm rebooting your host:

Virtual Firewall Silent installation

The Virtual Firewall installer accepts the following parameters:

1) DataSource. Defines the SQL database to use. It consists of several parts. The first part defines the type of data source; possible values: CE and SQLInstance. CE specifies that the local SQL CE 4.0 server will be used; SQLInstance specifies that some SQL Server instance will be used. The second part defines the name of the SQL Server used (when using an SQL instance). The third part defines the SQL Server authorization type; possible values: WinAuth (authorization with Windows user credentials) and SQLAuth (authorization by SQL account). If SQLAuth is specified, the user must also supply the SQL user name and password, separated by a comma. All parts of the DataSource parameter are separated by commas. General form of the DataSource string:

{"CE", "SQLInstance"}[, ServName,{"WinAuth", "SQLAuth"}[, UsrName,Password]]

Examples of the DataSource parameter:

"CE"
"SQLInstance, SOME_SERVER\SQLEXPRESS, WinAuth"
"SQLInstance, SOME_SERVER\SQLEXPRESS, SQLAuth, sa,sa"

2) SrvUserName. Defines the user name for the Virtual Firewall service.

3) SrvPassword. User password.

4) LicenseFile. License file path.

Silent installation command line sample:

vFWsetup.msi /q Datasource="SQLInstance, SOME_SERVER\SQLEXPRESS, WinAuth" SrvUserName="SOME_DOMAIN\Administrator" SrvPassword="123" LicenseFile="c:\license.txt"

After the silent installation the machine will be automatically rebooted.
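As an added example (not from the guide or the installer), the following PowerShell validates a DataSource string against the grammar above before launching the silent install through msiexec; the function names, file paths and account values are assumptions.

```powershell
# Added example (not from the 5nine guide): validate a DataSource string
# against the documented grammar before launching the silent installer, so a
# malformed value fails locally instead of on every remote host.
function Test-VfwDataSource {
    param([Parameter(Mandatory)][string]$DataSource)
    $parts = $DataSource -split ',' | ForEach-Object { $_.Trim() }
    switch ($parts[0]) {
        'CE' {
            # Local SQL CE 4.0: no further parts are allowed.
            return ($parts.Count -eq 1)
        }
        'SQLInstance' {
            # Needs a server name and an authorization type.
            if ($parts.Count -lt 3 -or -not $parts[1]) { return $false }
            switch ($parts[2]) {
                'WinAuth' { return ($parts.Count -eq 3) }
                'SQLAuth' { return ($parts.Count -eq 5 -and $parts[3] -and $parts[4]) }
                default   { return $false }
            }
        }
        default { return $false }
    }
}

# Build the msiexec argument list. msiexec /i installs the package; /q is the
# silent switch from the guide. Function name and parameters are assumptions.
function Start-VfwSilentInstall {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$DataSource,
        [Parameter(Mandatory)][string]$ServiceUser,
        [Parameter(Mandatory)][string]$ServicePassword,
        [Parameter(Mandatory)][string]$LicenseFile
    )
    if (-not (Test-VfwDataSource $DataSource)) {
        throw "Invalid DataSource string: '$DataSource'"
    }
    if (-not (Test-Path $LicenseFile)) {
        throw "License file not found: $LicenseFile"
    }
    $msiArgs = @(
        '/i', "`"$MsiPath`"", '/q',
        "DataSource=`"$DataSource`"",
        "SrvUserName=`"$ServiceUser`"",
        "SrvPassword=`"$ServicePassword`"",
        "LicenseFile=`"$LicenseFile`""
    )
    # The host reboots automatically after a silent install, as the guide notes.
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    return $proc.ExitCode   # 0 = success, 3010 = success but reboot required
}

# Self-check of the validator with constructed values (no installer needed);
# the last string is deliberately missing the password and must be rejected.
foreach ($ds in 'CE', 'SQLInstance, SOME_SERVER\SQLEXPRESS, WinAuth',
                'SQLInstance, SOME_SERVER\SQLEXPRESS, SQLAuth, sa,sa',
                'SQLInstance, SOME_SERVER\SQLEXPRESS, SQLAuth, sa') {
    "{0,-55} valid={1}" -f $ds, (Test-VfwDataSource $ds)
}
```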

5nine Security Manager Menu

To configure 5nine Security Manager use the menu commands described below:

To add host(s) for monitoring, type the host name(s) in the dialog or select them from the list (as described above):

Adding an IP rule:

Set the necessary parameters, using space and comma as delimiters when specifying remote IPs and VMs, as shown in the windows:

To select remote virtual machines from a list, press the button to the right of the field containing their names, check the machines you need to add, then press OK in the window below:

Adding rules for multiple virtual machines:

Adding default gateway rule:

After pressing Ok the following message should appear to inform you that the default gateway rule was added successfully:

To configure the antivirus schedule, set workload thresholds and enable monitoring on servers, use the

Specify which hosts and VMs will be controlled and monitored by 5nine Security Manager Standard 3.0:

Set the virtual environment workload thresholds for the server's processor, memory, disk input/output and network input/output over-utilization (all in percent of the maximum), then press Ok:

Choose the servers and VMs to enable antivirus activity:

Open the schedule setting window by pressing the Add button in the window above:

weekly:

At the end press Ok. To refresh or change the view (list or tree) and to get the 5nine Security Manager version info, use the View menu:

To change Virtual Machine settings use the VM Settings menu command:

Here you can set logging parameters such as the retention length in days and the log record count.

To change the order of rules in the list (up or down), use the Change Order menu command and set the wanted order in the dialog window below:

Network Statistics and Logs - network activity data is collected by 5nine Security Manager into a database or, optionally, into flat files; click the 'Load Log' pane to load the current Firewall logs.

System Requirements

- OS:
  - Host: Windows Server 2012 or Windows 8 with Hyper-V enabled;
  - Guest VM: any
- XP Pro SP3, Vista SP1 (Business, Enterprise or Ultimate editions), Win 2003 R2 SP2, Win 2008 Server or later virtual machine(s), x64 or x86, for the Management API and GUI application; the v-Firewall Web Console virtual machine needs to be on the same Hyper-V host where the service and the driver are installed;
- .NET 3.5 SP1 or higher on the server or VM that hosts the Management API and/or GUI application;
- SQL 2008 Express edition on the Management server/VM (if DB logging is required);
- MS PowerShell IIS.

5nine Security Manager Configuration file and PowerShell API

v-Firewall vFW3 service configuration file

%Program Files%\5nine\5nine v-Firewall 3.0\5Nine.vFW.vFWService.exe.cfg

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="MonitoredHosts" type="FiveNine.vFW.vFWServiceHelpers.MonitoredHostsConfigurationSection, 5Nine.vFW.vFWServiceHelpers" />
  </configSections>
  <appSettings>
    <add key="HeartBeatPeriod" value="5000" />
    <add key="AttemptsBeforePause" value="4" />
    <add key="LogFile" value="Virtual Firewall2.log" />
    <add key="LogLevel" value="Information" />
  </appSettings>
</configuration>

Get the list of VM machines

A sample PowerShell script to get the GUIDs of the VMs on the specified host ($hyper holds the host name):

# Query the Hyper-V WMI provider for all virtual machines on host $hyper.
# ElementName is the VM display name; Name is the VM GUID used by the API.
$VMs = Get-WmiObject -ComputerName $hyper -Namespace "root\virtualization" -Query "SELECT * FROM Msvm_ComputerSystem WHERE Caption Like '%virtual%'"
foreach ($VM in $VMs)
{
    Write-Host "=================================="
    Write-Host "VM Name: " $VM.ElementName
    Write-Host "VM GUID: " $VM.Name
}

API description

Add-IP-Rule

Add-IP-Rule -VMId <Guid> -Name <String> [-Description <String>] [-Type <String>] -Action <RuleAction> -Protocol <String> [-LocalPorts <String>] [-RemotePorts <String>] [-IPAddresses <String>] [-VMs <String>] [-MACAddresses <String>] [-Priority <Int32>] [-ApplyNow] [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Set-VMMonitoring

Set-VMMonitoring -VMId <Guid> -Enable 1|0 [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Get-LogRecords

Get-LogRecords -VMId <Guid> [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Get-Rules

Get-Rules [-Id <Guid[]>] [-VMId <Guid>] [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Get-VMIPMAC

Get-VMIPMAC -VMId <Guid> [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Get-VMMonitoring

Get-VMMonitoring [-VMId <Guid>] [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Remove-Rule

Remove-Rule -Id <Guid> [-ApplyNow] [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Reset-Rules

Reset-Rules -VMId <Guid> [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Set-Rule

Set-Rule -Id <Guid> [-Name <String>] [-Description <String>] [-Type <String>] [-Action <RuleAction>] [-Protocol <String>] [-LocalPorts <String>] [-RemotePorts <String>] [-IPAddresses <String>] [-MACAddresses <String>] [-VMs <String>] [-Priority <Int32>] [-ApplyNow] [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

How to Set Firewall rules in vFW3

Sample scenario to allow RDP access to a VM

Launch PowerShell and enter the following commands:

1. Add-PSSnapIn RulesAPI - adds the vFW3 API snap-in to PowerShell

2. Get the VM GUIDs by running the sample PS script above

3. Set-VMMonitoring -VMId <Guid> -Enable 1 - sets the VM to vFW3 monitoring

4. Add-IP-Rule -VMId <Guid> -Name "Allow RDP" -Action Allow -Protocol TCP -LocalPort 3389 - adds an IP rule to allow incoming packets to port 3389 (RDP)

The same scenario with the vFW3 management console

1. Set the VMs for monitoring (use the Settings - Monitoring menu command)

Sample scripts

Basic sample script to allow port 80 on a Win2003 VM:

1. List the VMs and their GUIDs:

$VMs = Get-WmiObject -ComputerName superserver2 -Namespace "root\virtualization" -Query "SELECT * FROM Msvm_ComputerSystem WHERE Caption Like '%virtual%'"
foreach ($VM in $VMs) {
    Write-Host "=================================="
    Write-Host "VM Name: " $VM.ElementName
    Write-Host "VM GUID: " $VM.Name
}

Press Enter twice. Get the GUID for Win2003 - it is 7D2FDDAB-3B41-4FB1-99E0-CDD633453FCA.

2. Set-VMMonitoring -VMId 7D2FDDAB-3B41-4FB1-99E0-CDD633453FCA -Enable 1

3. Add-IP-Rule -VMId 7D2FDDAB-3B41-4FB1-99E0-CDD633453FCA -Name "Allow RDP" -Action Allow -Protocol TCP -LocalPort 80

4. Get-LogRecords -VMId 7D2FDDAB-3B41-4FB1-99E0-CDD633453FCA

The same scenario for RDP access is described in the QSG document.
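As an added example (not from the guide), the following PowerShell runs the RDP scenario above end to end, but allows RDP only from two management addresses and verifies the result by reading the rules back; the host name, VM name, addresses and the property names assumed on the Get-Rules output are all assumptions to check against your installation.

```powershell
# Added example (not from the 5nine guide or its API documentation): the RDP
# scenario with the rule restricted to a management subnet and verified
# afterwards. Host, VM name, addresses and the shape of the Get-Rules output
# (a Name property) are assumptions.
Add-PSSnapIn RulesAPI

$hyper    = 'superserver2'              # Hyper-V host (assumed)
$vmName   = 'Win2003'                   # VM display name (assumed)
$adminIPs = '10.10.50.15, 10.10.50.16'  # jump hosts; comma/space delimited as the guide describes

# Resolve the VM GUID by name instead of copying it by hand, using the WMI
# query from the guide; Name holds the GUID, ElementName the display name.
$vm = Get-WmiObject -ComputerName $hyper -Namespace 'root\virtualization' `
        -Query "SELECT * FROM Msvm_ComputerSystem WHERE Caption Like '%virtual%'" |
      Where-Object { $_.ElementName -eq $vmName }
if (-not $vm) { throw "VM '$vmName' not found on $hyper" }
$vmId = [guid]$vm.Name

# Rules only take effect on a monitored VM, so enable monitoring first.
Set-VMMonitoring -VMId $vmId -Enable 1

# Allow RDP only from the management addresses (-IPAddresses is documented in
# the Add-IP-Rule synopsis); -ApplyNow pushes the rule to the filter at once.
Add-IP-Rule -VMId $vmId -Name 'Allow RDP (mgmt only)' -Action Allow `
    -Protocol TCP -LocalPorts 3389 -IPAddresses $adminIPs -ApplyNow

# Read back what is enforced for this VM and fail loudly if the rule is
# missing rather than assuming the call succeeded.
$rules = Get-Rules -VMId $vmId
$rdp   = $rules | Where-Object { $_.Name -eq 'Allow RDP (mgmt only)' }
if (-not $rdp) { throw 'RDP rule was not applied' }
$rules | Format-Table -AutoSize

# Pull the VM's traffic log to confirm that connections from other addresses
# are still being blocked.
Get-LogRecords -VMId $vmId | Select-Object -First 20
```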

Sample common scenarios using the Management console GUI

a) Allowing FTP, DHCP

b) Allow remote access to a VM

Common scenario:

- The VM has IIS on it, and possibly MS SQL Server;
- RDP should be opened;
