5nine Security Manager for Hyper-V Standard edition Ver. 3.0 Getting Started Guide

Table of Contents
- Summary
- Features and Benefits
- Virtual Firewall Silent installation
- 5nine Security Manager Menu
- System Requirements
- 5nine Security Manager Configuration file and PowerShell API
Summary

5nine Security Manager is a Virtual Infrastructure monitoring tool with the ability to define network traffic rules for Hyper-V Virtual Machines and harden your Virtual Infrastructure from a security perspective, both programmatically using the PowerShell API and via the Management Console. Security Manager allows reviewing the network traffic logs of each monitored Virtual Machine and generates related reports. A special Security Heartbeat service checks whether the firewall rules are enforced and powers the Virtual Machine down if the network filter cannot be communicated with.

Version 3.0 of 5nine Security Manager monitors and controls the traffic between Hyper-V Virtual Machines and between Virtual Machines and the external network. The Standard version works in User Mode, is designed for local users and has lower capabilities compared to the Data Center version, which is designed for hosting companies.

Features and Benefits

Simple installation. 5nine Security Manager has one component that needs to be installed: an intuitive Management interface (DLL) that supports the PowerShell API (described below) to set and change traffic rules. The Management API also has a simple-to-use GUI application that allows setting the traffic rules between the virtual machines and the external network. The Management interface can be installed either on a server or in a Virtual Machine, and allows the System Administrator to access rules, logs and reports:
To set up the Management interface (DLL and Management GUI application), run setup.exe from the downloaded 5nine Security Manager Standard 3.0 archive on a server or VM that matches the 5nine Security Manager Standard 3.0 System Requirements, and use the appropriate license when prompted. The 5nine Security Manager Setup Wizard will then open:
Choose the path where 5nine Security Manager 3.0 is to be installed and the users who will be able to work with the product:

You can check the physical space available on your drives and the space required for the installation by pressing the Disk Cost button in the window shown above. The 5nine Security Manager Information window will then appear:
Select the MS SQL data source:

Virtual Firewall remote installation is one step of the installation process. While installing vfw (Virtual Firewall) locally on one machine, the user can define the servers on which vfw should be installed remotely. After the data source selection page, the user will see a page where the remote setup step can be included in or excluded from the setup process. If the remote setup checkbox is not checked, setup proceeds with the common scenario.
Specify whether a remote installation step is required in the setup process:

If the checkbox is checked, the user can select servers for remote installation. The remote installation server selection dialog follows the user credentials dialog and is similar to the monitored servers discovery dialog.

For remote management Security Manager uses the WinRM service, which must be available. In the cases listed below, trusted hosts must be configured:
- The client and the remote server are in different domains and there is no trust between the two domains;
- The client or the remote server is in a domain and the other one is in a workgroup;
- Both the client and the remote server are in a workgroup.

Trusted hosts must be configured on both the client and the remote server side. This can be done with the command:

Set-Item wsman:localhost\client\trustedhosts -Value "{ComputerName}"

or manually with the gpedit.msc console: Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Windows Remote Management (WinRM)/WinRM Client -> Trusted Hosts. To add all machines from the workgroup to trusted hosts, the {local} name can be used.

A typical symptom of this problem is the error "WinRM cannot process the request" in the Management Console log. The same message can also appear when the system cannot resolve the remote host path (it is wrong, or the DNS server is inaccessible, for example) or wrong credentials were used.

Security Manager Standard Edition uses system security log events for logging denied packets. By default, Windows Filtering Platform filtering audit is disabled to prevent system log overflow and avoid storing unnecessary data. WFP filtering audit can be enabled with the following command:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
WFP filtering audit can also be enabled from the Security Manager Standard Edition setup: the Enable Windows Filtering Platform audit checkbox is on the Installation settings page. If that checkbox is checked, the command listed above is executed during the installation process:

The user can manually disable WFP audit with the following command:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable

It is better to disable WFP filtering audit if it is not used, or after Security Manager is uninstalled.

Confirm the installation:
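Because Standard Edition logs denied packets only through the WFP audit subcategory above, a defender will want to confirm the audit is actually on and to see what the Security log is recording. The following PowerShell is an added example, not part of the 5nine guide; it relies on Windows' own WFP packet-drop event (ID 5152) and its EventData field names, which the guide does not mention.

```powershell
# Added example (not from the 5nine guide): check whether the WFP packet-drop
# audit subcategory the installer toggles is enabled, then summarise the
# resulting Security-log drop events. Event ID 5152 is Windows' "The Windows
# Filtering Platform blocked a packet" event; field names are its EventData.

function Test-WfpDropAuditEnabled {
    # auditpol prints one line per subcategory: "<name>   <setting>"
    # (needs an elevated prompt; on failure no line matches and $false is returned)
    $out = & auditpol.exe /get /subcategory:"Filtering Platform Packet Drop" 2>&1
    foreach ($line in $out) {
        if ("$line" -match 'Filtering Platform Packet Drop\s+(.+?)\s*$') {
            return ($Matches[1] -ne 'No Auditing')
        }
    }
    return $false
}

function Get-WfpDropSummary {
    param([int]$Minutes = 60, [int]$Top = 10)
    $since  = (Get-Date).AddMinutes(-$Minutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        # Read the structured fields from the event XML rather than parsing message text
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Direction is stored as a resource reference: %%14592 = Inbound, %%14593 = Outbound
        $dir = if ($d['Direction'] -eq '%%14592') { 'Inbound' } else { 'Outbound' }
        [pscustomobject]@{
            Direction = $dir
            Source    = $d['SourceAddress']
            Dest      = $d['DestAddress']
            DestPort  = $d['DestPort']
            Protocol  = $d['Protocol']   # IANA protocol number: 6 = TCP, 17 = UDP
        }
    }
    # Most frequent (direction, destination, port, protocol) combinations
    $rows | Group-Object Direction, Dest, DestPort, Protocol |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
}

if (-not (Test-WfpDropAuditEnabled)) {
    Write-Warning 'WFP packet-drop auditing is off; the Security log will hold no denied-packet events.'
} else {
    Get-WfpDropSummary -Minutes 60 | Format-Table -AutoSize
}
```

Run it on the Hyper-V host after installation: an empty summary with auditing enabled means nothing was denied in the window, while the warning means the setup checkbox or the auditpol command above was skipped.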
Confirm that the 3f3b34c.msi installation program may run and make the necessary settings if asked (this depends on your server's OS security settings):

Set the SQL Server instance that will be used and connect to it by entering the user name and password. Either SQL Server Authentication or Windows Authentication can be used to gain access to your database. To find out which authentication is used and to get the user name and password, contact your database administrator. You can test the database connection by pressing the Test connection button. If the connection succeeds, a message of the following kind will appear:
Then select the 5nine Security Manager Standard 3.0 license file provided with the distribution:

Set the account for the Security Management service as required:

If you earlier chose the option Include Remote installation step in setup process as described above, you'll be asked to choose the remote host(s) for the 5nine Security Manager Standard 3.0 installation:

A table with servers and their installation status will be shown. Possible statuses:
- Idle. Ready for installation to start; waiting for the Start button to be pressed.
- Processing. Remote installation in progress.
- Complete. Remote installation completed.
- Failed. Remote installation failed. Additional information about the error is in the Description column.

Remote installation is processed in parallel for each selected server. The MSI file and the selected license file are copied to drive C: on the remote machine (the user must have permission to write files on the target machine). After the files are copied, the installation is started in silent mode with the parameters selected for the local installation. After the installation completes, the temporary files are removed and the remote machine is rebooted. To use the remote installation feature, the MSI file name must be left unchanged: vfwsetup.msi.
After all installations have finished (successfully completed or failed), the user can close the dialog and proceed with the installation. The monitored servers selection step follows the remote installation step. The local machine is included in the list by default, as are servers from the previous installation config (if it was saved).

Press the Start button to start the remote installation, watch the process and results, and press the Close button when the remote installation process is complete:

Add servers for monitoring (press the Add button in the window below to add the servers):
Select the servers from the list (a separate window, Select Hyper-V Servers, shown below will open) and then set the credentials in the dialog window. Contact your network administrator to get the credentials. You may change the properties of an already added server at any time by pressing the Edit button in the Servers for monitoring window shown above.

The user can also change the server credentials and the default monitoring state later in the Server Properties dialog. To open that dialog, select the Settings menu item from the server context menu in the Virtual Firewall Management Console tree view. The user can select one of two authentication ways:
1) Use default credentials. The current user's credentials will be used.
2) Use custom credentials. The user can define the credentials that will be used to manage the Virtual Firewall on the target server.
Those credentials are used only for authentication to retrieve the virtual machines list and to manage the Virtual Firewall with the PowerShell API. They do not affect the user account used by the Virtual Firewall service on the target machine.

Also in the Server Properties dialog the user can define the default monitoring state for newly created or migrated machines. The default monitoring state setting is stored in the management service config file (setting DefaultMonitoringState in 5nine.VirtualFirewall.Manager.exe.config). The default monitoring state is individual for each monitored host. By default it is set to true, which means that the monitoring state of all new virtual machines will be set to Enabled. When a new virtual machine is created on one of the monitored hosts, Virtual Firewall checks whether any saved settings exist for it (for the case when the machine was created as a result of migration from another host with Virtual Firewall installed). If there are no saved settings, the new VM's monitoring state is set to the default monitoring state value.

You may also add servers to the list one by one by pressing the Add button and entering the server name manually in the dialog window below, or let 5nine Security Manager 3.0 search and add them automatically by pressing the AD Discovery button, or search for them by IP range/subnet mask, which can be set in the window below, called out by pressing the IP Discovery button:
At the end of a successful 5nine Security Manager Standard 3.0 installation the following message will appear:

To finally complete the 5nine Security Manager Standard 3.0 installation, confirm rebooting of your host:

Virtual Firewall Silent installation

The Virtual Firewall installer accepts the following parameters:
1) DataSource. Defines the SQL database to use. It consists of several comma-separated parts. The first part defines the type of data source; possible values are CE and SQLInstance. CE specifies that the local SQL CE 4.0 server will be used; SQLInstance specifies that a SQL Server instance will be used. The second part defines the name of the SQL Server used (when using a SQL instance). The third part defines the SQL Server authorization type; possible values are WinAuth (authorization with Windows user credentials) and SQLAuth (authorization by SQL account). If SQLAuth is specified, the user must also give the SQL user name and password, separated by a comma. Common form of the DataSource string:

{ CE, SQLInstance }[, ServName,{ WinAuth, SQLAuth }[, UsrName,Password]]

Examples of the DataSource parameter:

CE
SQLInstance, SOME_SERVER\SQLEXPRESS, WinAuth
SQLInstance, SOME_SERVER\SQLEXPRESS, SQLAuth, sa,sa
2) SrvUserName. Defines the user name for the Virtual Firewall service.
3) SrvPassword. The user's password.
4) LicenseFile. License file path.

Silent installation command line sample (values containing spaces must be quoted):

vfwsetup.msi /q Datasource="SQLInstance, SOME_SERVER\SQLEXPRESS, WinAuth" SrvUserName="SOME_DOMAIN\Administrator" SrvPassword="123" LicenseFile="c:\license.txt"

After the silent installation the machine is rebooted automatically.

5nine Security Manager Menu

To configure 5nine Security Manager use the menu commands described below:

To add host(s) for monitoring, type the host name(s) in the dialog or select them from the list (as described above):

To add 5nine Security Manager rules use the Rules menu commands:
Adding an IP rule: set the necessary parameters, using space and comma as delimiters when specifying remote IPs and VMs, as shown in the windows:
To select remote virtual machines from a list, press the button to the right of the field containing their names, check the machines you need to add, then press OK in the window below:
Adding rules for multiple virtual machines: the following message will appear when multiple rules are added successfully:
Adding a default gateway rule: after pressing OK the following message should appear to inform you that the default gateway rule was added successfully:

To configure the antivirus schedule, set workload thresholds and enable monitoring on servers, use the Settings menu:
Specify which hosts and VMs will be controlled and monitored by 5nine Security Manager Standard 3.0:

Set the virtual environment workload thresholds for the server's processor, memory, disk input/output and network input/output over-utilization (all in percent of the maximum), then press OK:
Choose the servers and VMs on which to enable antivirus activity:

Set the Antivirus schedule:
Call out the schedule setting window by pressing the Add button in the window above. Set the recurrence parameters: hourly (shown above), daily:
weekly:

or monthly:
At the end press OK.

To refresh or change the view (list or tree) and get the 5nine Security Manager version info use the View menu:

To change Virtual Machine settings use the VM Settings menu command. Here you can set logging parameters such as retention length in days and log records count:
To change the rules order in the list (up or down) use the Change Order menu command and set the wanted order in the dialog window below:

Network Statistics and Logs - Network activity data is collected by 5nine Security Manager into a database or, optionally, flat files; click the Load Log pane to load the current Firewall logs.

System Requirements

OS:
- Host: Windows Server 2012 or Windows 8 with Hyper-V enabled;
- Guest VM: any XP Pro SP3, Vista SP1 (Business, Enterprise or Ultimate editions), Win 2003 R2 SP2, Win 2008 Server or later virtual machine(s), x64 or x86, for the Management API and GUI application;
- The v-Firewall Web Console Virtual machine needs to be on the same Hyper-V host where the service and the driver get installed;
- .NET 3.5 SP1 or higher on the Server or VM that hosts the Management API and/or GUI application;
- SQL 2008 Express edition on the Management server/VM (in case DB logging is required);
- MS PowerShell;
- IIS.

5nine Security Manager Configuration file and PowerShell API

v-firewall vfw3 service configuration file: %Program Files%\5nine\5nine v-firewall 3.0\5Nine.vFW.vFWService.exe.cfg

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- .NET config element and type names are case-sensitive; the casing here follows
       the assembly name and is an assumption, not verified against the shipped file -->
  <configSections>
    <section name="MonitoredHosts" type="FiveNine.vFW.vFWServiceHelpers.MonitoredHostsConfigurationSection, 5Nine.vFW.vFWServiceHelpers" />
  </configSections>
  <MonitoredHosts>
    <host name="host1" />
    <host name="host2" />
    ...
    <host name="hostn" />
  </MonitoredHosts>
  <appSettings>
    <add key="heartbeatperiod" value="5000" />
    <add key="attemptsbeforepause" value="4" />
    <add key="logfile" value="virtual Firewall2.log" />
    <add key="loglevel" value="information" />
  </appSettings>
</configuration>

Get the list of VM machines

Sample PowerShell script to get the GUIDs of the VMs on the specified host:

$hyper = "SOME_SERVER"   # placeholder: name of the Hyper-V host to query
$VMs = get-wmiobject -computername $hyper -namespace "root\virtualization" -query "SELECT * FROM Msvm_ComputerSystem WHERE Caption Like '%virtual%'"
foreach ($VM in $VMs) {
    write-host "=================================="
    write-host "VM Name: " $VM.ElementName
    write-host "VM GUID: " $VM.Name    # the Name property holds the VM GUID
}

API description

Add-IP-Rule
Add-IP-Rule -VMId <Guid> -Name <String> [-Description <String>] [-Type <String>] -Action <RuleAction> -Protocol <String> [-LocalPorts <String>] [-RemotePorts <String>] [-IPAddresses <String>] [-VMs <String>] [-MACAddresses <String>] [-Priority <Int32>] [-ApplyNow] [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Set-VMMonitoring
Set-VMMonitoring -VMId <Guid> -Enable 1|0 [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Get-LogRecords
Get-LogRecords -VMId <Guid> [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]
Get-Rules
Get-Rules [-Id <Guid[]>] [-VMId <Guid>] [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Get-VMIPMAC
Get-VMIPMAC -VMId <Guid> [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Get-VMMonitoring
Get-VMMonitoring [-VMId <Guid>] [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Remove-Rule
Remove-Rule -Id <Guid> [-ApplyNow] [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Reset-Rules
Reset-Rules -VMId <Guid> [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Set-Rule
Set-Rule -Id <Guid> [-Name <String>] [-Description <String>] [-Type <String>] [-Action <RuleAction>] [-Protocol <String>] [-LocalPorts <String>] [-RemotePorts <String>] [-IPAddresses <String>] [-MACAddresses <String>] [-VMs <String>] [-Priority <Int32>] [-ApplyNow] [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

Set-VMIPMAC
Set-VMIPMAC -VMId <Guid> [-IPAddresses <String>] [-MACAddresses <String>] [-Verbose] [-Debug] [-ErrorAction <ActionPreference>] [-WarningAction <ActionPreference>] [-ErrorVariable <String>] [-WarningVariable <String>] [-OutVariable <String>] [-OutBuffer <Int32>]

How to Set Firewall rules in vfw3

Sample scenario to allow RDP access to a VM. Launch PowerShell and input the following commands:
1. Add-PSSnapIn RulesAPI - adds the vfw3 API snap-in to PowerShell
2. Get the VM GUIDs by running the sample PS script above
3. Set-VMMonitoring -VMId <Guid> -Enable 1 - sets the VM to vfw3 monitoring
4. Add-IP-Rule -VMId <Guid> -Name "Allow RDP" -Action Allow -Protocol TCP -LocalPort 3389 - adds an IP rule to allow incoming packets to port 3389 (RDP)

The same scenario with the vfw3 management console:
1. Set the VM machines for monitoring (use the Settings > Monitoring menu command)
2. Set an IP rule to allow inbound traffic to port 3389
Sample scripts

Basic sample script to allow port 80 on the Win2003 VM:

1. $VMs = get-wmiobject -computername superserver2 -namespace "root\virtualization" -query "SELECT * FROM Msvm_ComputerSystem WHERE Caption Like '%virtual%'"
   foreach ($VM in $VMs) {
       write-host "=================================="
       write-host "VM Name: " $VM.ElementName
       write-host "VM GUID: " $VM.Name
   }
   Press Enter two times. Get the GUID for Win2003: it is 7D2FDDAB-3B41-4FB1-99E0-CDD633453FCA
2. Set-VMMonitoring -VMId 7D2FDDAB-3B41-4FB1-99E0-CDD633453FCA -Enable 1
3. Add-IP-Rule -VMId 7D2FDDAB-3B41-4FB1-99E0-CDD633453FCA -Name "Allow RDP" -Action Allow -Protocol TCP -LocalPort 80
4. Get-LogRecords -VMId 7D2FDDAB-3B41-4FB1-99E0-CDD633453FCA

The same scenario for RDP access is described in the QSG document.

Sample common scenarios using the Management console GUI

a) Allowing FTP, DHCP
1. Allow active FTP on the VM
b) Allow remote access to a VM. Common scenario:
- the VM has IIS on it, and possibly MS SQL Server;
- RDP should be opened;
- http:// traffic should be allowed:
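The four-step PowerShell scenario from "How to Set Firewall rules in vfw3" and scenario b) above can be driven from one function that resolves the VM by name, applies the rules and verifies them. This is an added example, not 5nine's own code: it assumes the RulesAPI snap-in is registered on the machine running it and that the objects Get-Rules returns expose a Name property, which the guide does not state.

```powershell
# Added example (not part of the 5nine guide): the guide's four-step PowerShell
# scenario as one reusable function. It resolves a VM by display name with the
# same Msvm_ComputerSystem query the guide uses, enables vfw3 monitoring, adds
# one Allow rule per requested port via Add-IP-Rule, then reads the rules back
# with Get-Rules. Assumed: the RulesAPI snap-in is registered here, and the
# objects Get-Rules returns carry a Name property (the guide does not say).

Add-PSSnapIn RulesAPI -ErrorAction Stop

function Get-VmGuidByName {
    param([string]$HyperVHost, [string]$VMName)
    $safe = $VMName -replace "'", "''"      # escape quotes before embedding in WQL
    $q = "SELECT * FROM Msvm_ComputerSystem WHERE Caption Like '%virtual%' AND ElementName = '$safe'"
    $vms = @(Get-WmiObject -ComputerName $HyperVHost -Namespace 'root\virtualization' -Query $q)
    if ($vms.Count -ne 1) {
        throw "Expected exactly one VM named '$VMName' on $HyperVHost, found $($vms.Count)"
    }
    return [guid]($vms[0].Name)            # Msvm_ComputerSystem.Name holds the VM GUID
}

function Set-VmAllowRules {
    param(
        [string]$HyperVHost,
        [string]$VMName,
        [hashtable]$Rules                   # rule name -> @{ Protocol = 'TCP'; Port = '3389' }
    )
    $id = Get-VmGuidByName -HyperVHost $HyperVHost -VMName $VMName
    Set-VMMonitoring -VMId $id -Enable 1    # step 3 of the guide's scenario

    foreach ($name in $Rules.Keys) {
        $r = $Rules[$name]
        Add-IP-Rule -VMId $id -Name $name -Action Allow -Protocol $r.Protocol `
                    -LocalPorts $r.Port -ApplyNow
    }
    # Verify rather than assume: every requested rule must now be listed for the VM
    $present = @(Get-Rules -VMId $id | ForEach-Object { $_.Name })
    $missing = @($Rules.Keys | Where-Object { $present -notcontains $_ })
    if ($missing.Count -gt 0) { throw "Rules not applied: $($missing -join ', ')" }
    return $id
}

# Scenario b) from the guide: a VM running IIS (and possibly SQL Server) that
# also needs RDP. 1433 is SQL Server's default TCP port; the guide does not state it.
$vmId = Set-VmAllowRules -HyperVHost 'superserver2' -VMName 'Win2003' -Rules @{
    'Allow RDP'  = @{ Protocol = 'TCP'; Port = '3389' }
    'Allow HTTP' = @{ Protocol = 'TCP'; Port = '80' }
    'Allow SQL'  = @{ Protocol = 'TCP'; Port = '1433' }
}
Get-LogRecords -VMId $vmId | Select-Object -First 20
```

Drop the 'Allow SQL' entry if the VM has no SQL Server; the function only opens what the hashtable lists, so the rule set stays as narrow as the scenario requires.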