5nine Security for Hyper-V Datacenter Edition Version 3.0
Plugin for Microsoft System Center 2012 Virtual Machine Manager
November 2013
Table of Contents

Summary ... 5
System requirements ... 5
Permissions ... 5
Installation ... 6
5nine Security Operations ... 8
Global settings ... 9
Setting IP rule ... 10
Setting ARP rule ... 11
Setting Broadcast rule ... 12
Editing rule ... 13
Removing rule ... 13
Changing rules order ... 13
Setting virtual firewall ... 14
Setting antivirus ... 15
Enable antivirus ... 15
Set Antivirus schedule ... 18
Changing host settings ... 21
Operations with virtual machines ... 24
Setting virtual machine rules ... 25
Changing VM settings ... 26
View log records ... 27
Antivirus operation ... 27
IDS ... 28
2013 5nine Software. All rights reserved. All trademarks are the property of their respective owners.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form by any means, without written permission from 5nine Software Inc (5nine). The information contained in this document represents the current view of 5nine on the issue discussed as of the date of publication and is subject to change without notice. 5nine shall not be liable for technical or editorial errors or omissions contained herein. 5nine makes no warranties, express or implied, in this document.

5nine may have patents, patent applications, trademark, copyright, or other intellectual property rights covering the subject matter of this document. All other trademarks mentioned herein are the property of their respective owners. Except as expressly provided in any written license agreement from 5nine, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Important! Please read the End User Software License Agreement before using the accompanying software program(s). Using any part of the software indicates that you accept the terms of the End User Software License Agreement.
Contacting 5nine Software

We always welcome your feedback on the product as well as your user experience. If you would like to help us improve the product, please contact us at info@5nine.com.

Customer Support

Please contact techsupport@5nine.com if you have encountered any issue using 5nine Security 3.0 for Hyper-V Datacenter Edition Plugin for Microsoft System Center 2012 Virtual Machine Manager. Please supply the product log files with your query to the support team.
Summary

5nine Security 3.0 for Hyper-V Datacenter Edition Plugin for Microsoft System Center 2012 Virtual Machine Manager is a program module that allows managing the Security Manager Virtual Firewall and Antivirus directly from the SCVMM console. The plugin allows you to perform all actions with virtual firewall traffic rules, set and remove monitoring on virtual machines, run anti-malware scanning processes, and retrieve log records, just as in the 5nine Security Management console.

To download and install the Plugin, please register on the 5nine web page (or log in) and download the product, 5nine Security 3.0 for Hyper-V Datacenter Edition, at http://www.5nine.com/productsetup/5nine.virtualfirewall.vfwvmmextension.dc.zip.

System requirements

- OS: Host: Windows Server 2012 or Windows 8 with Hyper-V enabled; Guest VM: any.
- .NET 4.0 or higher on the server or VM that hosts the Management API and/or GUI application.
- SQL 2008 Express edition on the Management server/VM (in case DB logging is required).
- 5nine Security 3.0 for Hyper-V Datacenter Edition minimal setup on the hosts.
- Microsoft System Center 2012 Virtual Machine Manager on the hosts.

Permissions

For both domain and workgroup configurations:
- TCP port 8788 should be opened on the managed host.
- 5nine Security (Datacenter Edition or Free Edition) should be installed on each Hyper-V host that is monitored and protected (in case several hosts are managed from one Management console). The same applies to the 5nine Security service for the SC VMM 5nine Security plugins.
- WMI access (http://technet.microsoft.com/en-us/library/cc787533(ws.10).aspx).
- SQL database or file access (read/write).
- Permission to control Hyper-V (http://blogs.msdn.com/b/virtual_pc_guy/archive/2008/01/17/allowing-nonadministrators-to-control-hyper-v.aspx).
- The user should be a local administrator. If the host is managed remotely from a centralized management console, an account with similar permissions should also be used in Server Settings.
Best practice is to use the same account for the service on the managed host and in Server Settings in the management console.
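As an added example that is not part of the manual or of the 5nine product, the following PowerShell script checks the prerequisites listed above on a managed host before the plugin is installed: local administrator membership, Hyper-V enabled, .NET 4.0 or later, a listener on TCP 8788, an inbound Windows Firewall allow rule for that port (created only when -CreateFirewallRule is given; the rule display name is a placeholder), and read access to the Hyper-V WMI namespace. It assumes Windows Server 2012 or Windows 8 and an elevated PowerShell prompt.

```powershell
# Added example (not 5nine code): prerequisite check for a managed Hyper-V host.
# Run from an elevated PowerShell prompt on Windows Server 2012 / Windows 8.
param(
    [int]$Port = 8788,            # management port named in the Permissions section
    [switch]$CreateFirewallRule   # opt in to adding the inbound allow rule if it is missing
)

$checks = @()
function Add-Check([string]$Name, [bool]$Ok) {
    $script:checks += [pscustomobject]@{ Check = $Name; Ok = $Ok }
}

# 1. The account must be a local administrator on the managed host.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
Add-Check 'Local administrator' ($principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator))

# 2. Hyper-V must be enabled on the host.
$hv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
Add-Check 'Hyper-V enabled' ($hv.State -eq 'Enabled')

# 3. .NET Framework 4.0 or later: the 4.x installer creates this registry key.
Add-Check '.NET Framework 4.0+' (Test-Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full')

# 4. Something (the 5nine service) must be listening on the management port.
$listener = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
Add-Check "TCP $Port listening" ([bool]$listener)

# 5. An enabled inbound allow rule for that TCP port must exist in Windows Firewall.
$allowRule = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $filter.Protocol -eq 'TCP' -and ($filter.LocalPort -contains "$Port" -or $filter.LocalPort -eq 'Any')
    }
if (-not $allowRule -and $CreateFirewallRule) {
    # Placeholder display name; add -RemoteAddress to restrict the rule to the management console.
    $allowRule = New-NetFirewallRule -DisplayName "5nine Security management (TCP $Port)" `
        -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow
}
Add-Check "Inbound allow rule for TCP $Port" ([bool]$allowRule)

# 6. The Hyper-V WMI namespace must be readable (the plugin retrieves the VM list through WMI).
$vms = Get-WmiObject -Namespace root\virtualization\v2 -Class Msvm_ComputerSystem -ErrorAction SilentlyContinue
Add-Check 'Hyper-V WMI namespace readable' ($null -ne $vms)

$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Ok }) { exit 1 } else { exit 0 }
```

A non-zero exit code means at least one prerequisite failed; the table shows which one.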
For workgroup/mixed domain environments: the account used in a workgroup environment should also have similar permissions on the currently managed host. Managed and management servers should be marked as trusted hosts if a workgroup environment is used across several domains.

Installation

The VMM extension source package is a zip archive. Installation is performed through the MS SC VMM Management Console itself. Below are brief installation and deployment instructions:
1. Select the Settings workspace.
2. Next, select the Console Add-Ins node.
3. Finally, click the Import Console Add-In button. An import wizard will open, allowing you to select the ZIP file that contains the Add-In.
Once the above is completed, new buttons and menu items with the 5nine icon and the Security Manager label will appear in the VMM main top bar and context menus:

When selecting All Hosts:

When selecting a certain host:
When selecting a certain virtual machine:

5nine Security Operations

The plugin allows you to perform the following 5nine Security operations from the SCVMM console context menu and top bar buttons:
1. Security Global Rules. Allows the user to edit global filtering rules. Described in the Global settings section.
2. Virtual Firewall Management and Monitoring Management. Allows the user to enable or disable firewalling, monitoring and protection for individual VMs. Described in the Setting virtual firewall section and in the Setting virtual machine rules subsection of the Operations with virtual machines section.
3. Anti-Virus schedule management. Allows the user to view and manage the Anti-Virus schedules, enable or disable them, and select VMs for scheduled anti-malware checks. Described in the Setting antivirus section.
4. Anti-Virus operation on individual VMs. Allows the user to run anti-malware scan jobs on a particular VM, manually control the scan job state (start/pause/resume/stop) and see log records. Described in the Antivirus operation subsection of the Operations with virtual machines section.
5. Intrusion Detection System (IDS). Allows detection [1] and prevention of intrusion attacks and viewing the event log. Described in the IDS subsection of the Operations with virtual machines section.

All these operations are similar to the operations in the standalone 5nine Security Management Console.

[1] Intrusion detection is performed by Snort, a freely distributed third-party IDS application that determines whether certain inbound traffic is an intrusion; such traffic is then blocked by the 5nine vfirewall.
Note. In all windows that contain the host and VMs tree, only VMs or hosts that are monitored by 5nine Security are visible.

Global settings

To change 5nine Security global settings, first select All Hosts in the SCVMM tree on the left, then use the Security Global Rules context menu command, or click the Security Global Rules button on the top bar of the Folder tab:
The Virtual Machine rules window will appear:

Setting IP rule

To add an IP rule, click the Add IP Rule button on the top menu panel. The following dialog will appear:
You can either set all the parameters manually or select the necessary template so that all the main fields are filled with pre-defined values. To select a template, open the Rule templates dialog by pressing the Templates button in the lower-left corner of the Rule properties dialog:

Select the template you need and the direction, then press the Apply button. Press OK in the Rule properties dialog.

Setting ARP rule

To add an ARP rule, click the Add ARP Rule button on the top menu panel. The following dialog will appear:

Set the necessary parameters, using space and comma as delimiters when specifying remote IPs, VMs and MACs, as shown in the window.
To select remote virtual machines from a list, press the button to the right of the field containing their names, check the machines you need to add, then press OK in the window below:

Then press OK in the ARP Rule properties dialog.

Setting Broadcast rule

To add a Broadcast rule, click the Add Broadcast Rule button on the top menu panel. The following dialog will appear:

Fill out all the parameters just as when adding an ARP Rule, then press OK.
Editing rule

To edit a rule, select it in the list, then click the Edit button on the top menu panel. Then change the IP, ARP or Broadcast rule settings in the appropriate dialog, just as when adding the rule.

Removing rule

To remove a rule, select it in the list, then click the Remove button on the top menu panel. The rule will disappear from the list.

Changing rules order

To move a rule up or down in the list, select it and click the Change Order button on the top menu panel. The Change Order dialog will appear:

Select one of the options:
- Move First to put the selected rule in the first place in the list.
- Move Last to put the selected rule in the last place in the list.
- Move After to put the selected rule after another rule. Select that rule from the list box next to this option.

Rules are applied in accordance with their positions in the list, so the first matching rule decides how traffic is handled.
Setting virtual firewall

To set the 5nine Security vfirewall, first select All Hosts in the SCVMM tree on the left, then use the Security vfw Settings context menu command, or click the Security vfw Settings button on the top bar of the Folder tab:

The Enable Monitoring dialog will appear:

Select the VMs on which to set the vfirewall so that the added rules are applied to these VMs. Then press OK.
Setting antivirus

To set 5nine Security Antivirus for scheduled automatic anti-malware runs, you should enable it on the necessary VMs and set the antivirus schedule.

Enable antivirus

To enable 5nine Security Antivirus on the VMs that need to be checked for malware automatically by the AV schedule, first select All Hosts in the SCVMM tree on the left, then use the Security AV Settings context menu command, or click the Security AV Settings button on the top bar of the Folder tab:
The Enable Antivirus dialog will appear:

Select the VMs for scheduled anti-malware scans on the Virtual machines tab. Then open the Extensions tab to select the files that will be scanned for viruses:

Here you have two options:
- Scan all files: all files on the virtual machine will be checked.
- Allow me to control exactly what is scanned (default option): only files whose extensions are added to the list will be checked.

There is a default list of file types, which is the recommended one. However, you can edit it by adding or removing file extensions from this list. Push the Add or Remove buttons to add or remove extensions. Add the file extension and its description in the dialog below, then click Ok:

To edit an already added extension, find it in the list, then click the Edit button and perform the same actions as above in the Edit extension dialog:

To include files without extensions in the scanning process, enable the Scan files with no extensions option (disabled by default):

To restore the default settings, push the Restore defaults button on the Extensions tab.
If you do not wish the Hyper-V cloud snapshot to be removed after the scan, open the Advanced tab and clear the Remove Hyper-V snapshot after scan check box, which is ticked by default:

Set Antivirus schedule

To set the 5nine Security AV schedule, first select All Hosts in the SCVMM tree on the left, then use the Security AV Schedule context menu command:
or click the Security AV Schedule button on the top bar of the Folder tab:

The Antivirus Schedule List dialog will appear:

Open the schedule setting window by pressing the Add button in the window above:
Set the recurrence parameters: hourly (shown above), daily, weekly or monthly:
At the end, press Ok. If you wish to edit or remove an existing schedule, select it in the Antivirus Schedule List dialog and press the appropriate button below.

Changing host settings

To change host settings, first select the host in the SCVMM tree on the left, then use the Security Host Settings context menu command:
or click the Security Host Settings button on the top bar of the Host tab:

The Server Properties dialog will appear:

Tick (default setting) or clear the Enable Monitoring box to set or remove the vfirewall on the host.

Set the Authentication parameters. You can select one of two authentication methods:
1. Use default credentials. The current user's credentials will be used.
2. Use custom credentials. The user can define credentials that will be used to manage the vfirewall on the target server. These credentials are used only for authentication when retrieving the virtual machine list and do not affect the user account used by the vfirewall service on the target machine.

Tick the Enable monitoring on new VMs by default box to set the vfirewall automatically when a new VM is added (either created or migrated) to the host. The default monitoring state setting is stored in the management service configuration file (the DefaultMonitoringState setting in 5nine.VirtualFirewall.Manager.exe.config). The default monitoring state is individual for each monitored host. By default it is set to true, which means that the monitoring state of all new virtual machines will be set to Enabled. When a new virtual machine is created on a monitored host, the vfirewall checks whether any saved settings exist for it (as when the machine is created as a result of migration from another host with the vfirewall installed). If there are no saved settings, the new VM's monitoring state is set to the default monitoring state value. Note that if the default is false on a host, a VM created there runs without vfirewall rules until monitoring is enabled for it manually.

Click OK.
Push the Thresholds button to change the workload parameters if necessary. The following dialog will appear:

Set the virtual environment workload thresholds for the server's processor, memory, disk input/output and network input/output over-utilization (all in percent of maximum), then press Ok. The defaults are:
- Processor over-utilization threshold: 80
- Memory over-utilization threshold: 90
- Disk I/O over-utilization threshold: 80
- Network I/O over-utilization threshold: 80

When an anti-malware scan is running, the scanning process on each VM is automatically paused/resumed (if necessary) in accordance with the current workload parameters, preventing the host from being overloaded.
Operations with virtual machines

Before performing any operations with a virtual machine, first select the virtual machine in the SCVMM list in the middle, then use the VM Security Rules and Logs context menu command, or click the VM Security Rules and Logs button on the top bar of the Virtual Machine tab:
The Virtual machine window will open:

Setting virtual machine rules

Adding new virtual machine vfirewall rules and editing or removing existing rules are done just as with global rules, as described in the Global settings section, subsections Setting IP rule, Setting ARP rule, Setting Broadcast rule, Editing rule, Removing rule and Changing rules order. Use the appropriate buttons on the Firewall tab of the Virtual Machine rules window. The only difference is that the rules added here concern only the selected virtual machine and do not affect the others.
Changing VM settings

To change virtual machine settings, click the Settings button on the Firewall tab of the Virtual Machine rules window. The following dialog will open:

Set the vfirewall logging parameters on the Firewall tab:
- Select the logging level from the list:
  - Log only filtered events: only filtered VM events will be recorded to the log.
  - Log only allowed events: only allowed VM events will be recorded to the log.
  - Log all events (default): all VM events will be recorded to the log.
  - Do not log any events: none of the VM events will be recorded to the log.
- Enter the number of days to keep the log records in the Log retention days field.
- Enter the maximum number of records that will be added to the log in the Log records count field.
Set the log size and retention for the IDS logs on the IDS tab in the same way:

Set the allowed send/receive bandwidth limits:
- Enter the maximum allowed send bandwidth limit (in Kbps) in the Allowed send bandwidth (Kbps) field.
- Enter the maximum allowed receive bandwidth limit (in Kbps) in the Allowed receive bandwidth (Kbps) field.

Click OK. The settings made here concern only the VM whose name is shown in the Name field.

View log records

To view the current vfirewall log records for the selected virtual machine, click the Load Log button on the Firewall tab of the Virtual Machine rules window. The log records will appear in the lower part of the Virtual Machine rules window, as shown above.

Antivirus operation

To work with the anti-malware module on the selected virtual machine, open the Antivirus tab in the Virtual Machine rules window:
To control the anti-malware engine activity, use the appropriate button in the Antivirus management block:
- Start to start the anti-malware scan.
- Stop to terminate the anti-malware scan.
- Pause to temporarily pause the anti-malware scan.
- Resume to continue the temporarily paused anti-malware scan.
- Query to retrieve the anti-malware scan state. The state will be shown with an appropriate message, e.g.:
- Log to get the results of the last anti-malware scan. The results will appear in the lower part of the Virtual Machine rules window, as shown above.

IDS

The IDS feature is managed on the IDS tab:

Tick the Enable filter box to switch the filter on so that only IDS events matching the filter parameters are displayed.
Set the start date for IDS events in the From field and the end date in the To field. Use the calendar for convenience:

Set the event priority in the Priority field. Select a digit or Any (for all priorities) from the list:

To view IDS events, click Load Log in the upper-left corner.

Attention. The IDS feature works only with the freely distributed third-party IDS Snort application, which inspects inbound traffic to detect intrusion attacks. It must be running on the target host. See the readme.txt file provided with the 5nine Security installation archive for details on how to set up and use the Snort application.