

DHCP Guard and advanced Hyper-V network security features

While not right for every situation, some advanced security features can add a layer of defense to prevent malicious intrusions and protect a virtualized environment.

When Microsoft released Windows Server 2012, it completely revamped Hyper-V -- and made further enhancements in Windows Server 2012 R2. Among the new additions to Hyper-V were some advanced networking features designed to improve security, such as DHCP Guard and Router Guard.

The advanced networking features are applied at the VM level, on a per virtual network interface card (vNIC) basis. You can access these settings from the Hyper-V Manager by right clicking on a VM and selecting the Settings command from the shortcut menu. This will cause Windows to reveal the VM's Settings window. Now, expand the VM's vNIC menu and then choose the Advanced Features container. You can see what this looks like in Figure A. If the VM includes multiple vNICs, each will have its own Advanced Features container.

Figure A. Enabling DHCP Guard and Router Guard: advanced settings are managed on a per vNIC basis.

Two of the advanced features that are worth knowing about are DHCP (Dynamic Host Configuration Protocol) Guard and Router Guard, both of which are shown in the figure above. Both are protective mechanisms that prevent a VM from offering unauthorized network services.

How Router Guard works

Router Guard, for example, can prevent a VM from acting as a router, which helps protect your virtual networks in the event the VM's operating system is compromised. On the surface, this feature might seem to be of limited usefulness. After all, most hackers probably don't go around turning VMs into routers -- although it has happened. Even so, Router Guard does have its place.

Suppose for a moment that a particular VM is providing routing services across multiple virtual networks. Often, such VMs will contain virtual network adapters that are not directly involved in the routing process. These virtual network adapters might be used for management traffic or similar purposes. Although such a VM does need to perform routing functions, network traffic typically would not be routed across a management network. As such, an administrator might enable Router Guard on the management network in an effort to prevent it from being used as a routing path.

Granted, the Routing and Remote Access Services aren't going to suddenly begin routing traffic across a management network for no reason. That being the case, enabling Router Guard for a management network should not change the VM's behavior. Router Guard only serves as a second line of defense in the event an administrator accidentally makes a configuration change that involves the management network in the routing process, or in case the router is compromised.

In case you are wondering what the Router Guard feature actually does, it works by discarding router advertisements and redirect messages. Specifically, Router Guard gets rid of the following types of packets:

ICMPv4 Type 5 (Redirect message)
ICMPv4 Type 9 (Router advertisement)
ICMPv6 Type 134 (Router advertisement)
ICMPv6 Type 137 (Redirect message)

You can read more about Router Guard on the Microsoft Developer Network website.

DHCP Guard as a second line of defense

The DHCP Guard feature requires a bit more explaining. If you have ever deployed a Windows-based DHCP server, then you know that part of the deployment process involves authorizing the new DHCP server in Active Directory. This allows Active Directory to distinguish between a legitimate DHCP server and a rogue DHCP server. The problem, however, is that a non-Windows DHCP server can function without any Active Directory authorization. Hence, DHCP Guard can act as a second line of defense against unauthorized DHCP servers. When enabled, this setting prevents a VM from acting as a DHCP server. Malware exists that turns a machine into a DHCP server; DHCP Guard can render such malware ineffective.

DHCP Guard can also be used to constrain a legitimate DHCP server. If, for example, you do not want a DHCP server making IP address offers across a particular network segment, you could enable DHCP Guard on the vNIC attached to that segment.

Hyper-V's Router Guard and DHCP Guard features are designed to protect VMs against unauthorized network services. Even so, Microsoft generally recommends enabling these features on an as-needed basis rather than by default, because there is a small performance impact associated with using them.
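The same per-vNIC settings shown in the Hyper-V Manager GUI can be audited and applied from the host with the Hyper-V PowerShell module, which is handy for the two scenarios described above (Router Guard on only the management adapter of a routing VM, and DHCP Guard on only the segment where a DHCP server should not answer). The script below is an added example, not code from the original article or from Microsoft; it assumes the Hyper-V module is installed on the host and that the VM and adapter names RouterVM, Management, DhcpServerVM and SegmentB are placeholders you would replace with your own.

```powershell
# Added example (not from the original article). Assumes the Hyper-V PowerShell
# module is present on the host. VM and adapter names below are placeholders.

# 1. Audit: list every vNIC on every VM together with the state of both guards,
#    so you can see which adapters are still unprotected.
Get-VM | Get-VMNetworkAdapter |
    Select-Object VMName, Name, SwitchName, DhcpGuard, RouterGuard |
    Format-Table -AutoSize

# 2. Routing VM: leave the data-path adapters alone, but enable Router Guard on
#    the management adapter (placeholder name "Management") so that adapter can
#    never become a routing path, even after an accidental RRAS change.
Set-VMNetworkAdapter -VMName 'RouterVM' -Name 'Management' -RouterGuard On

# 3. Legitimate DHCP server VM that must not hand out leases on one segment:
#    enable DHCP Guard only on the adapter attached to that segment.
Set-VMNetworkAdapter -VMName 'DhcpServerVM' -Name 'SegmentB' -DhcpGuard On

# 4. Verify that only the intended adapters changed.
Get-VMNetworkAdapter -VMName 'RouterVM', 'DhcpServerVM' |
    Select-Object VMName, Name, DhcpGuard, RouterGuard |
    Format-Table -AutoSize

# 5. Optional: report any vNIC on the host where either guard is still Off,
#    which is useful as a periodic compliance check for VMs that should have them.
Get-VM | Get-VMNetworkAdapter |
    Where-Object { $_.DhcpGuard -eq 'Off' -or $_.RouterGuard -eq 'Off' } |
    Select-Object VMName, Name, DhcpGuard, RouterGuard
```

Because the guards are per adapter rather than per VM, always pass -Name to Set-VMNetworkAdapter when a VM has several vNICs; omitting it applies the change to every adapter on that VM, which in the routing scenario above would break routing on the data-path adapters.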
