Windows Server 8 Hyper-V Security: overview of new features

Source: Internet
Author: User

Since Microsoft released its virtualization platform Hyper-V, security professionals have wondered whether it would catch up with its main competitor, VMware. VMware has consistently offered more virtual-network control, better effectiveness, and simpler integration of both new and existing security products and technologies. With Windows Server 8 and the new Hyper-V platform about to be released, has Microsoft caught up on security? In many ways, the answer is yes. Let's look at what the vendor has added to Hyper-V security.
 
Windows Server 8 Hyper-V Security: Upgraded vSwitch
 
The first and most important security-relevant addition to the new version of Hyper-V is a more powerful virtual switch. Networking capability is the key to any hypervisor: the virtual switch must integrate naturally with the physical network environment and, in principle, provide the same security controls as an enterprise physical switch. Earlier versions of Hyper-V let administrators create virtual networks connecting the internal (physical) network, virtual machines (VMs) and the Hyper-V host, or other VMs. The only real segmentation control available was native Virtual LAN (VLAN) tagging.
 
With the Windows 8 vSwitch, Microsoft has added a set of APIs and drivers that let network-security vendors build virtual appliances and virtual switch extensions that integrate natively with Hyper-V. For example, Cisco's Nexus 1000V vSwitch will fully support Hyper-V.
 
The new vSwitch also provides many built-in security features. These include:
 
Traffic monitoring and filtering: The new virtual switch can monitor traffic using traditional port mirroring, or filter traffic based on IP and MAC addresses. OpenFlow and sFlow support are also built in.
 
ARP and Neighbor Discovery spoofing protection: Layer 2 spoofing, and man-in-the-middle attacks that rely on ARP spoofing or Neighbor Discovery (IPv6) spoofing, are mitigated in the new Hyper-V vSwitch because it can police the MAC addresses seen on each port.
 
DHCP (Dynamic Host Configuration Protocol) Guard: The new switch blocks malicious virtual machines that pose as DHCP servers.
 
Port ACLs: IP addresses and MAC addresses can be used to control which virtual machines are allowed to communicate with which others.
 
Private VLANs: add Layer 2 segmentation and isolation within existing VLAN segments.
 
In addition, administrators can now configure a vSwitch port as a trunk port, allowing traffic from multiple VLANs to traverse it. This is very important for virtual appliances such as intrusion detection sensors or traffic monitoring systems.
 
From the perspective of network availability, NIC teaming with active-passive and failover policies is mandatory for any critical core virtualization service. In the past, Hyper-V lacked native support for this; it now introduces built-in NIC teaming that works across NICs from multiple vendors.
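As an added example that is not part of the original article, the following script applies the vSwitch controls described above (MAC spoofing protection, DHCP Guard, port ACLs, private VLANs, port mirroring and a trunk port for a sensor) using the Hyper-V PowerShell module that shipped in Windows Server 2012, the release name of "Windows Server 8". The VM names, VLAN IDs and subnets are placeholders, and the closing function is a defender's audit for ports that have drifted back to an unguarded state.

```powershell
# Added example, not from the article. Assumes the Hyper-V PowerShell module
# (Windows Server 2012). All names, VLAN IDs and addresses below are placeholders.
$VmName = "PaymentApp01"   # placeholder tenant VM
$Sensor = "IdsSensor01"    # placeholder IDS virtual appliance

# 1. Layer-2 spoofing and rogue-server protection on the tenant VM's port:
#    refuse MAC address changes, drop DHCP server replies and router
#    advertisements that originate inside the guest.
Set-VMNetworkAdapter -VMName $VmName -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On

# 2. Port ACLs: the guest may talk only to the (placeholder) application subnet.
#    Hyper-V evaluates port ACLs by longest prefix match, so the specific Allow
#    wins over the catch-all Deny rules for IPv4 and IPv6.
Add-VMNetworkAdapterAcl -VMName $VmName -RemoteIPAddress 10.10.0.0/24 -Direction Both -Action Allow
Add-VMNetworkAdapterAcl -VMName $VmName -RemoteIPAddress 0.0.0.0/0    -Direction Both -Action Deny
Add-VMNetworkAdapterAcl -VMName $VmName -RemoteIPAddress ::/0         -Direction Both -Action Deny

# 3. Private VLAN: isolated secondary VLAN 200 inside primary VLAN 100, so the
#    VM cannot reach other isolated ports even on the same VLAN segment.
Set-VMNetworkAdapterVlan -VMName $VmName -Isolated -PrimaryVlanId 100 -SecondaryVlanId 200

# 4. Traffic monitoring: mirror the tenant port to the IDS appliance, and give
#    the appliance a trunk port so it can inspect several VLANs at once.
Set-VMNetworkAdapter -VMName $VmName -PortMirroring Source
Set-VMNetworkAdapter -VMName $Sensor -PortMirroring Destination
Set-VMNetworkAdapterVlan -VMName $Sensor -Trunk -AllowedVlanIdList "100-200" -NativeVlanId 1

# 5. Defender's check: list every VM port on this host that still lacks one of
#    the spoofing protections, so configuration drift is caught after hardening.
function Get-UnguardedVmPort {
    Get-VMNetworkAdapter -VMName * |
        Where-Object {
            $_.DhcpGuard -eq 'Off' -or
            $_.RouterGuard -eq 'Off' -or
            $_.MacAddressSpoofing -eq 'On'
        } |
        Select-Object VMName, Name, DhcpGuard, RouterGuard, MacAddressSpoofing
}

Get-UnguardedVmPort | Format-Table -AutoSize
```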
 
Windows Server 8 Hyper-V Security: Operation Features
 
The new version of Hyper-V will support several operational features that are crucial for availability and security. For example, built-in application and event log monitoring will be available for virtual machines, feeding this data to the Hyper-V host so that service failures and other problems are detected quickly. This service is designed as a substitute for guest clustering (for applications and systems that do not support clustering), but it also has security benefits, including higher availability and automatic remediation such as restarting VMs and services. Administrators can create affinity rules that allow specific VMs to run together when migrating from one host to another. This can also be used for systems at different data confidentiality levels. For example, rules can ensure that virtual machines processing payment card data never migrate to cluster nodes outside the scope of PCI DSS.
 
Windows Server 8 and Hyper-V add two further features involving clustering. The first directly affects confidentiality: the ability to build a Hyper-V cluster on BitLocker-encrypted volumes. Cluster members can access the virtual machines stored on the volume, while encryption at rest protects the data from anyone who is not authorized to access that volume. The second is cluster-aware patching, which greatly simplifies large-scale patching of Hyper-V hosts and improves security.
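The following added example, which is not from the article, shows the operational controls described in this section with the FailoverClusters and ClusterAwareUpdating cmdlets from Windows Server 2012: guest service monitoring, placement rules that keep a PCI DSS scoped VM on in-scope hosts and its tiers on separate nodes, a cluster-aware patching run, and a check for VMs whose allowed owners fall outside the PCI boundary. The cluster, node, VM and service names are placeholders.

```powershell
# Added example, not from the article. Assumes the FailoverClusters and
# ClusterAwareUpdating modules (Windows Server 2012). All names are placeholders.
$Cluster  = "HVCLUSTER01"
$PciVm    = "PaymentApp01"           # VM in PCI DSS scope
$PciDb    = "PaymentDb01"            # its database tier, also in scope
$PciNodes = "HVNODE01", "HVNODE02"   # the only hosts inside the cardholder-data boundary

# 1. Guest service monitoring: the cluster watches the named service inside the
#    VM and, on repeated failure, restarts the VM and then fails it over.
Add-ClusterVMMonitoredItem -Cluster $Cluster -VirtualMachine $PciVm -Service "W3SVC"

# 2. Placement rules: restrict possible owners so a migration can never land the
#    VM on a host outside the PCI boundary, and keep the two tiers on different
#    nodes via a shared anti-affinity class.
Set-ClusterOwnerNode -Cluster $Cluster -Group $PciVm -Owners $PciNodes
Set-ClusterOwnerNode -Cluster $Cluster -Group $PciDb -Owners $PciNodes
(Get-ClusterGroup -Cluster $Cluster -Name $PciVm).AntiAffinityClassNames = "PaymentTier"
(Get-ClusterGroup -Cluster $Cluster -Name $PciDb).AntiAffinityClassNames = "PaymentTier"

# 3. Cluster-aware patching: install the CAU clustered role, then update every
#    node in turn, draining its roles first so no VM is left without a host.
Add-CauClusterRole -ClusterName $Cluster -EnableFirewallRules -Force
Invoke-CauRun -ClusterName $Cluster -CauPluginName Microsoft.WindowsUpdatePlugin `
    -MaxFailedNodes 0 -RequireAllNodesOnline -Force

# 4. Defender's check: report any clustered VM whose possible owners include a
#    node outside the given in-scope set.
function Get-OutOfScopePlacement {
    param([string[]]$InScope)
    Get-ClusterResource -Cluster $Cluster |
        Where-Object { $_.ResourceType -eq 'Virtual Machine' } |
        ForEach-Object {
            $group  = $_.OwnerGroup.Name
            $owners = (Get-ClusterOwnerNode -Cluster $Cluster -Group $group).OwnerNodes.Name
            $bad    = $owners | Where-Object { $InScope -notcontains $_ }
            if ($bad) {
                [pscustomobject]@{ VM = $group; OutOfScopeOwners = ($bad -join ',') }
            }
        }
}

Get-OutOfScopePlacement -InScope $PciNodes | Format-Table -AutoSize
```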
