lolloj - Fotolia


Exploring security options for your Hyper-V virtual switch

There are options available for isolating a group of virtual machines inside a Hyper-V virtual switch to monitor incoming and outgoing traffic.

Microsoft’s Hyper-V virtualization platform includes a virtual switch, and that’s where admins should focus their security efforts. There are several methods of configuring switch security in Hyper-V, all explained here.

Securing a switch with VLAN isolation

When a Hyper-V virtual machine (VM) is connected to a Hyper-V virtual switch, that VM receives and sends network traffic from other VMs on that switch, as well as remote computers and other network traffic destined to the VM. This is true as long as the VM and remote computer belong to the same subnet. There are various methods available in Microsoft Hyper-V for isolating a group of VMs. One is to use the VLAN method to separate network traffic for a select group of VMs from other VMs connected to the same Hyper-V virtual switch.

The VLAN isolation approach is mostly being used in production environments. Cloud hosting providers are also using the VLAN approach to provide isolation for customer VMs. There are situations where you still need to block incoming/outgoing network traffic for VMs residing in the “same” VLAN. For example, you wouldn't want to generate unnecessary network traffic to your critical VMs running SQL or Web applications. Similarly, in a production environment where there are a few VMs running that host finance and HR applications, you would not want finance accessing HR VMs, and vice versa. This is doable by configuring VMs in separate VLANs, but doing so would require a considerable amount of time. Not only do you need to configure VLAN IDs for VMs, you also need to make sure the proper VLAN configuration is done at the physical networking devices.

Securing a switch with Windows Firewall

If you do not want to configure VLAN, you can still use Windows Firewall (if VM is running Windows OS) to configure firewall rules to allow or block network traffic. In a large production environment, configuring Windows Firewall to allow or block traffic might not be a feasible option for two reasons. First, Windows Firewall works at the OS level, which means you must log on or connect to each VM OS and configure the necessary firewall rules. Second, since the Windows Firewall works at the OS level, the network traffic is still seen by the OS. So, if a customer demands complete isolation for their enterprise workloads hosted in an IaaS-shared cloud, the cloud hosting provider might not be able to meet the customer’s requirement since network traffic is still visible to the OS.

Along with these options, Microsoft extended the capability of the Hyper-V virtual switch by introducing a new feature in Windows Server 2012 called Port ACL. The port ACL is a built-in extension to the Hyper-V virtual switch, which provides the ability to allow or block incoming/outgoing network traffic for VMs at the virtual NIC level. The Port ACL feature allows configuration of ACL rules in such a way that the VM only looks for a specific type of traffic. Port ACL can be used to provide granular control over the network traffic generated from the VMs and remote computers.

Securing a switch with Port ACL

Port ACL serves as a basic firewall for VMs and helps you configure isolation for VMs residing on the same VLAN. It can be useful for cloud hosting providers, who can benefit by creating specific rules to meter the traffic and bill the customer based on the metering data. Since port ACL rules are configured at the virtual NIC level, you can configure, modify and remove ACL rules from a remote computer running Windows PowerShell.

Microsoft does not offer a GUI to configure Port ACL rules, but there are various third-party products available that provide similar functionality and are much easier to use. As of today, even SCVMM 2012 R2 doesn’t provide the ability to configure port ACLs on managed Hyper-V hosts, but this limitation might go away in the next version of SCVMM or Hyper-V.

To configure Port ACL rules, you must use PowerShell cmdlets. There are three PowerShell cmdlets available: Add-VMNetworkAdapterAcl, Remove-VMNetworkAdapterAcl and Get-VMNetworkAdapterAcl.

An ACL rule, created by Add-VMNetworkAdatperACL in Windows Server 2012, consists of three elements:

  • Local or Remote address is used to specify the MAC Address, IPv4/IPv6 Address, or an IP Subnet specific in the CIDR format for which the rule is created. You can also use “ANY” value while creating the ACL rule to indicate the network traffic is allowed/blocked for any address.
  • Direction specifies the type of traffic. Direction can be inbound, outbound or both.
  • Action specifies whether to allow or block the network traffic. This element also supports “Meter” value, which can be used to meter the network traffic sent to a customer VM.

A port ACL rule configured in the Windows Server 2012 looks like this:

"Add-VMNetworkAdapterAcl –VMName VM1 –RemoteIPAddress –Direction Both –Action Deny"

In the above command, the ACL rule is configured for VM1. The rule indicates that inbound and outgoing traffic from remote computer to VM1 must be blocked. In Windows Server 2012, ACL rules can be configured for VMs to allow or block network traffic only based on MAC address, IPv4/IPv6 address or a network range in CIDR format.

Since Port ACL works with a Hyper-V virtual switch, the VMs must be connected to a Hyper-V virtual switch on a Windows Server 2012 or later OSes. The virtual switch can be external, private or internal. It is important to note that the VM must be located on the Hyper-V host where ACL rules are configured. The destination address, which is specified in the ACL rule, can be a local or remote address. The local address is always an IP address/MAC address/IP subnet of the VM, whereas the remote address can be an IP address/MAC address/IP subnet of another VM or a physical computer.

Dig Deeper on Microsoft Hyper-V and Virtual Server