Access Control Lists in Hyper-V

Source: Internet
Author: User
Tags: stateful firewall

Microsoft made many improvements and enhancements to the virtual switch in Windows Server 2012. Besides adding technologies such as RSS, DVMQ, port mirroring and PVLAN support, it also provides a very practical access control list (ACL) function.

On TechNet we can see that in Windows Server 2012 the ACL is called "port access control lists". Rules filter on the local or remote address (IP or MAC), the direction, and the action (Allow/Deny):

Local or remote address   Direction   Action
12-34-56-78-9a-bc         Inbound     Allow
12-34-56-78-9a-bc         Outbound    Allow
FF-FF-FF-FF-FF-FF         Inbound     Allow
Any                       Inbound     Deny
Any                       Outbound    Deny

From the list above we can see that both IP and MAC addresses are supported by the ACL function in 2012, and that wildcards such as "Any" are supported too, so anyone familiar with mainstream network devices will find it easy to get started.

In Windows Server 2012 R2 the ACL function is enhanced and is called "extended port access control lists". It is not hard to see the parallel with standard and extended ACLs on network devices: the extended version adds support for source/destination ports, protocols, weights and so on. The following demonstrates the ACL function in the Windows Server operating system:

##########################################################################################

Demo environment:

HOST: Windows 8.1

Virtual Machine: Windows Server 2008r2 SP1 Standard


Because the ACL function has no particular requirements on the guest operating system version (it is a hypervisor-layer technology), I can simply enable the Hyper-V feature on my laptop (Windows 8.1). I have prepared two test VMs: sql2008r2 (running SQL Server 2008 R2) and win2008r2 (running IIS 7).


Before configuring the ACL, I disabled the firewalls of both VMs. The IP address of sql2008r2 is 192.168.10.12, and it can ping win2008r2 (192.168.10.11):


We can also see that TCP port 1433 on sql2008r2 is currently listening.


Return to win2008r2 and ping 192.168.10.12 (sql2008r2).


The Web Server role has been installed, and the local default site can be accessed normally.


##########################################################################################

With the test environment ready, let's look at PowerShell on the host and filter the Hyper-V module for the ACL cmdlets. We can see both the "standard ACL" and the "extended ACL" cmdlets mentioned earlier in this article:


Next, let's try the standard ACL. Use the following command to configure an ACL on the win2008r2 VM that denies outbound traffic to the destination address 192.168.10.12.


After the configuration takes effect, you can use the Get cmdlet to query the existing ACLs:


At this point win2008r2 can no longer ping sql2008r2.


Then, delete the ACL that has just taken effect.


Then ping sql2008r2 from win2008r2 again; communication is back to normal.


In addition to IP addresses, you can also use the MAC address as the filter condition. For the win2008r2 VM, deny inbound traffic by MAC address.


Go to sql2008r2 and ping win2008r2: the ACL takes effect.

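The standard ACL cmdlets behind the screenshots above, as an added example that is not the post's own code. It assumes the two demo VMs are named win2008r2 and sql2008r2 on this host and that sql2008r2 has a single network adapter.

```powershell
# Added example, not the post's own screenshots. Assumes the two demo VMs
# are named win2008r2 and sql2008r2 and that sql2008r2 has one adapter.

# List the ACL cmdlets in the Hyper-V module (standard and extended).
Get-Command -Module Hyper-V -Name *Acl*

# 1. Standard ACL: deny win2008r2 outbound traffic to sql2008r2.
Add-VMNetworkAdapterAcl -VMName win2008r2 -RemoteIPAddress 192.168.10.12 `
    -Direction Outbound -Action Deny

# 2. Query the ACLs now applied to the VM's adapter(s).
Get-VMNetworkAdapterAcl -VMName win2008r2

# 3. Remove the rule. The remove cmdlet identifies the entry by the same
#    address/direction/action tuple that created it.
Remove-VMNetworkAdapterAcl -VMName win2008r2 -RemoteIPAddress 192.168.10.12 `
    -Direction Outbound -Action Deny

# 4. MAC-based variant: deny inbound frames to win2008r2 that come from
#    sql2008r2's MAC. Read the MAC from the adapter instead of typing it and
#    reformat it from "00155D..." to the dashed form used in the table above.
$raw = (Get-VMNetworkAdapter -VMName sql2008r2 | Select-Object -First 1).MacAddress
$srcMac = ($raw -replace '(..)(?!$)', '$1-')
Add-VMNetworkAdapterAcl -VMName win2008r2 -RemoteMacAddress $srcMac `
    -Direction Inbound -Action Deny

# Clean up so the MAC rule does not interfere with the next test.
Remove-VMNetworkAdapterAcl -VMName win2008r2 -RemoteMacAddress $srcMac `
    -Direction Inbound -Action Deny
```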

##########################################################################################

The preceding demonstration mainly covers the "standard ACL" operations in Windows Server 2012. In R2 the "extended ACL" is divided into two types; TechNet describes them as stateless extended ACL rules and stateful ACL rules. What is the difference? As we all know, many session-based communications need rules in both the inbound and outbound directions to keep the connection working. For example, a client computer needs to access a web server on the Internet. For security, the administrator must first permit the outbound request from the client, for example allowing TCP port 80 to the Internet. After the web server receives the request it must return the response to the client, so the administrator also needs to permit the inbound traffic to the client's local port. Fine, but which local port is that? Open ports 1024 to 5000? That is far too much trouble.


At this point we find that even the extended ACL is not a good fit for this need. What should we do in these specific scenarios, especially for stateful sessions? This is where the stateful ACL rules mentioned above come in.


As the name implies, a stateful ACL works like a stateful firewall. Its working principle is roughly as follows:

  1. When traffic reaches the firewall, the state inspection engine checks whether it is an initial connection request (that is, whether it carries the SYN flag).

  2. It is then compared against the ACL rules. If no rule permits it, it is dropped; if it is permitted, processing continues.

  3. The firewall keeps a state table and adds the connection to it as a session to be maintained.

  4. Table entries generally include the source/destination addresses, the source/destination port numbers, the connection time, and other information.

  5. When subsequent packets arrive that are not connection requests (no SYN), they are compared directly against the state table.

  6. If a subsequent packet matches an entry in the state table, it is forwarded directly without being compared against the ACL rules; if it does not belong to any session, it is discarded.

  7. Each session also has a timeout value; when the retention time is exceeded, the session is deleted.

##########################################################################################

Next, let's look at what is special about the stateful ACL. In this example an ACL without the "-Stateful" parameter is used to allow inbound access to local port 1433 of the sql2008r2 VM, and a "-Weight" parameter is added as well. The larger the value, the earlier the rule is evaluated. Because the ACL in Hyper-V has no default rule such as "deny any", the weight value is what orders a rule relative to the other ACLs.


After this ACL is configured, port 1433 on sql2008r2 cannot be accessed from win2008r2, unless I also add an inbound ACL for win2008r2, which is cumbersome.


Next, try the stateful ACL: it is the same command as before, but with "-Stateful" appended and set to $true, for example:


Since the stateful ACL automatically opens the port for the return traffic and maintains the session according to the timeout value, win2008r2 can now telnet to port 1433 of sql2008r2.


Similarly for web requests: sql2008r2 cannot access the IIS site on win2008r2 because of the ACL restriction.


Use the -Stateful parameter to allow outbound TCP port 80 requests from sql2008r2, for example:


The ACL takes effect: with stateful enabled, sql2008r2 can access the default site of win2008r2.

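The extended ACL cmdlets for the stateless and stateful tests above, as an added example that is not the post's own code. It assumes the demo VM names and addresses from this post; the Weight values, the 300-second idle timeout, and the parameter name -IdleSessionTimeout (the cmdlet's name for the timeout the post refers to as "-Timeout") are this example's assumptions.

```powershell
# Added example, not the post's own screenshots. Uses the post's VM names
# (sql2008r2, win2008r2 at 192.168.10.11); Weight and timeout values are assumed.

# 1. Stateless allow: inbound TCP/1433 on sql2008r2 only. Reply packets
#    (sql2008r2 -> client) are not covered, so the TCP handshake never
#    completes; this is the "cumbersome" case the post shows.
Add-VMNetworkAdapterExtendedAcl -VMName sql2008r2 -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 1433 -Weight 100

# Remove it before adding the stateful version. Extended ACLs are
# identified by Direction and Weight when removed.
Remove-VMNetworkAdapterExtendedAcl -VMName sql2008r2 -Direction Inbound -Weight 100

# 2. Same rule with -Stateful $true: the switch tracks the session and
#    admits the matching return traffic until the idle timeout expires.
#    -IdleSessionTimeout is in seconds; 300 is an assumed value.
Add-VMNetworkAdapterExtendedAcl -VMName sql2008r2 -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 1433 -Weight 100 `
    -Stateful $true -IdleSessionTimeout 300

# 3. Outbound web access from sql2008r2 to the IIS site on win2008r2:
#    a stateful outbound allow to TCP/80 lets the HTTP response back in.
Add-VMNetworkAdapterExtendedAcl -VMName sql2008r2 -Direction Outbound `
    -Action Allow -Protocol TCP -RemoteIPAddress 192.168.10.11 `
    -RemotePort 80 -Weight 110 -Stateful $true -IdleSessionTimeout 300

# 4. Review what is applied; a higher Weight is evaluated first.
Get-VMNetworkAdapterExtendedAcl -VMName sql2008r2 |
    Sort-Object Weight -Descending |
    Format-Table Direction, Action, Protocol, LocalPort, RemotePort, `
        RemoteIPAddress, Weight, Stateful, IdleSessionTimeout
```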

##########################################################################################

Hyper-V ACLs add another layer of protection to the network security of virtual machines. In the tests above I did not use the "-Timeout" parameter; you can look it up with Get-Help if you need it. Unfortunately, I have not found a way to apply ACLs across a large environment. Although VMM can be integrated with third-party products such as the Cisco Nexus 1000V, that requires additional cost on the one hand and increases maintenance overhead on the other. Of course, simply using PowerShell scripts is feasible, but it would be excellent if a global configuration option were added to the graphical interface in the future.

This article is from the "technology don't house" blog; please keep this source: http://maomaostyle.blog.51cto.com/2220531/1538554
