Will the new Hyper-V extensible virtual switch change the VM security game?

Windows Server 2012's new extensible virtual switch opens the door for agentless antivirus products – and that could change the virtual security game.

Among the many new features included with the release of Windows Server 2012 is the Hyper-V extensible virtual switch. This switch, like other virtual switches, connects virtual machines to physical network adapters. The key feature with Windows Server 2012 is the switch's extensibility, or ability for third parties to extend its functionality.

How an extensible virtual switch works

The Windows Server 2012 Hyper-V extensible switch uses extensions (Network Driver Interface Specification filter drivers), created by Microsoft and third parties, that bind to the switch driver stack. Those switch extensions can perform common network monitoring and filtering actions on the virtual network. Thus, the switch extensions that send virtual network traffic to and from network management tools have the ability to monitor the virtual network as well as modify it. That allows the extensions to not only report on the virtual network traffic but also act as firewalls or bandwidth throttling applications.

This extensibility can help the Hyper-V admin by allowing important applications to access the Hyper-V virtual network directly. Examples of such applications include network analysis, antivirus or anti-malware scanning, firewall packet filtering and bandwidth control. (For more on the architecture of the extensible virtual switch and how to create drivers, Microsoft's website has a section on Hyper-V virtual switch extension drivers.)
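Because a bound extension can modify traffic as well as observe it, the set of extensions enabled on each virtual switch is worth auditing. The following PowerShell is an added example, not part of the original article or any vendor's tooling; it uses the Hyper-V module's Get-VMSwitch and Get-VMSwitchExtension cmdlets, and the approved list is an assumption to be replaced with your own.

```powershell
# Added example: audit Hyper-V switch extensions against an approved list.
# Run on the Hyper-V host in an elevated session with the Hyper-V module.

# Assumption: the allowlist is site-specific. These two entries are the
# extensions Microsoft ships with the Windows Server 2012 virtual switch.
$ApprovedExtensions = @(
    'Microsoft NDIS Capture',
    'Microsoft Windows Filtering Platform'
)

function Get-VMSwitchExtensionAudit {
    param(
        [string[]] $Approved = $ApprovedExtensions
    )

    foreach ($vmSwitch in Get-VMSwitch) {
        foreach ($ext in Get-VMSwitchExtension -VMSwitchName $vmSwitch.Name) {
            $isApproved = $Approved -contains $ext.Name

            # An enabled extension sits in the switch data path, so one
            # that nobody approved is flagged for review.
            $finding = if ($ext.Enabled -and -not $isApproved) { 'REVIEW' } else { 'ok' }

            [pscustomobject]@{
                Switch    = $vmSwitch.Name
                Extension = $ext.Name
                Vendor    = $ext.Vendor
                Type      = $ext.ExtensionType
                Enabled   = $ext.Enabled
                Running   = $ext.Running
                Approved  = $isApproved
                Finding   = $finding
            }
        }
    }
}

$report = @(Get-VMSwitchExtensionAudit)
$report | Sort-Object Switch, Extension | Format-Table -AutoSize

$unexpected = @($report | Where-Object { $_.Finding -eq 'REVIEW' })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) enabled switch extension(s) are not on the approved list."
}
```

Running this on a schedule and comparing the output between runs shows when an extension has been added, enabled or disabled on a host.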

Last year's Microsoft TechEd conference featured several applications that could use the Hyper-V virtual network: Cisco's Nexus 1000V for Windows 2012 Hyper-V, Inmon sFlow for Windows 2012 Hyper-V and OpenFlow for Windows 2012 Hyper-V by NEC.

How one Windows 2012 Hyper-V agentless security product works

One unique product is 5nine Software's Security Manager, which the company claims is the first agentless security solution for Hyper-V. Their product uses the Windows 2012 Hyper-V extensible switch to provide firewalls, antivirus and anti-malware, and intrusion prevention on a Hyper-V virtual network.

The company is hoping its Security Manager will replace existing enterprise antivirus solutions used in the Hyper-V virtual infrastructure. There are several benefits to using an agentless antivirus product. Agentless antivirus scanning is much faster than agent-based scanning of VMs. In testing, 5nine Software says that its agentless antivirus incremental full scanning can be done as much as 10 to 70 times faster than agent-based products. Initial full scans, depending on the number of VMs, are 40 to 100% faster than traditional antivirus products. The company claims that the time savings equate to resource savings across every VM running antivirus software. The reduction in resources also means that neither the VM's performance nor the antivirus scanning adversely affects the end user's experience. Through the agentless approach, the dreaded "AV storms" are eliminated and there is no need to maintain agents and keep antivirus signatures up-to-date across all servers. An organization could increase its VM-to-host consolidation ratio with an agentless antivirus approach, potentially saving money on server hardware.

The time savings occur because the VM's operating system is never used. Instead, it's the Hyper-V host that initiates the incremental antivirus scan of the VM's virtual disk file. This incremental scan only needs to scan the virtual disk blocks that have changed since the last scan (unlike antivirus clients running inside the VM operating system, which would scan all changed files).

Figure 1. 5nine Software's Security Manager.

5nine Software's Security Manager shows an incremental full scan of a VM averaging between 40 seconds and three minutes, depending on changes to the VM virtual disk and memory.

You can also create firewall rules to filter inbound and outbound traffic to and from each VM. It's through this switch extension that Security Manager performs its real-time virtual network traffic filtering, monitoring and bandwidth throttling. In the image below, you can see that with the centrally controlled virtual firewall in place for Hyper-V VMs, I can create inbound and outbound rules and monitor what traffic is permitted and denied.

Three things Hyper-V admins should consider

We've seen how Windows 2012 Hyper-V's virtual switch is now extensible, how new products are being created for it and what one product, 5nine Software's Security Manager for Hyper-V, can do. So what action items should Hyper-V admins take, considering the new capabilities the Windows 2012 Hyper-V extensible switch enables?

  1. Reevaluate traditional security products: Keep in mind that when you move from physical servers to VMs, traditional backup and security products may not work as well.
  2. Consider other options: Hyper-V and the extensible switch will allow you to do things that you may not have thought possible. For example, perhaps you didn't use an antivirus product across your physical servers because it would have hurt server performance. With Hyper-V and tools like 5nine Software's Security Manager, you can now protect all servers with an antivirus product without hurting performance. Similarly, you may have never thought that it was possible to have a firewall running between all servers in the data center -- something now possible with Hyper-V and the extensible switch.
  3. Test and learn: With the release of new hypervisors and the features that come with them (like the extensible switch), it's time for admins to take some time to test and learn how these solutions can help their virtual infrastructure. The value of these features can be tough to imagine without trying them for yourself.
