In this two-part blog article we will take a look at 5Nine Security Manager for Windows Server 2012 Hyper-V. In the first part I will give a global overview and take a look at the installation of this product. In the second part we will take a look at the configuration of this interesting solution. So here we go…

In the ‘classic’ world of physical machines a lot of attention usually goes to a secure server environment. People make their environment as secure as possible with firewalls, intrusion detection systems and anti-virus/anti-malware protection. These products work very well in classic physical server environments.

However, the world of IT is changing and virtualization of servers and devices has become common. Although we have been using virtualization techniques for a couple of years now, we are still applying security the classic way: installing anti-virus/anti-malware agents inside the virtual machine and trying to control VM traffic through a physical firewall.

These classic ways of securing the IT infrastructure are not efficient and cause unnecessary load inside the virtual machines. This can be done smarter, don’t you think?

In Windows Server 2012 Hyper-V Microsoft introduced the extensible virtual switch. The Hyper-V virtual switch is a software-based layer-2 network switch. With built-in support for Network Device Interface Specification (NDIS) filter drivers and Windows Filtering Platform (WFP) callout drivers, the Hyper-V virtual switch enables independent software vendors to create extensible plug-ins (known as Virtual Switch Extensions) that can provide enhanced networking and security capabilities.

The Hyper-V extensible switch supports an interface in which independent software vendors can extend the switch functionality in the following ways:

  • The Hyper-V extensible switch supports an interface that allows NDIS filter drivers, known as extensions, to bind within the extensible switch driver stack. This allows extensions to capture, filter, and forward packets to extensible switch ports. This also allows extensions to inject, drop, or redirect packets to ports that are connected to the network adapters exposed in the Hyper-V partitions.
  • The Windows Filtering Platform (WFP) provides an in-box filtering extension (Wfplwfs.sys) that allows WFP filters or callout drivers to intercept packets along the Hyper-V extensible switch data path. This allows the WFP filters or callout drivers to perform packet inspection or modification by using the WFP management and system functions.

In this blog article we will look at a Hyper-V extensible switch extension which uses the Windows Filtering Platform called 5NINE Security Manager.

5Nine Security Manager

5Nine is one of the first companies to ship an extension for the Hyper-V extensible vSwitch. The first version only had a virtual firewall, which made it possible to control traffic to and from virtual machines within the virtual switch. Currently they have three editions of the 5Nine Security Manager:

  • Essentials Edition (agent-less Anti-Virus and Anti-Malware for multiple hosts and virtual machines, centralized management console, Hyper-V stack management and local GUI for Windows Server 2012).
  • Standard Edition (real-time agent-less monitoring and network traffic filtering across multiple hosts and virtual machines, agent-less Anti-Virus and Anti-Malware, simplified Virtual Firewall, centralized management console).
  • Data Center Edition (real-time agent-less monitoring and network traffic filtering across multiple hosts and virtual machines, agent-less Anti-Virus and Anti-Malware, full kernel-mode Virtual Firewall with MAC address filtering/ARP rules/stateful packet inspection/network traffic analysis/inbound-outbound VM bandwidth throttling, Intrusion Detection System, centralized management console).

Installation of 5Nine Security Manager

In this blog article we will take a look at the installation and configuration of the Data Center Edition of the 5Nine Security Manager.

The software is delivered in a ZIP file. The ZIP file contains five files:

  • core-preinstall.bat
  • EnableLog.bat
  • rtm_readme.txt
  • SecurityManagerDatacenter.msi
  • setup.exe

The file ‘core-preinstall.bat’ needs to be run on Windows Server Core edition servers. This batch file runs the following commands:

DISM.exe /online /enable-feature /featurename:ServerCore-WOW64
DISM.exe /online /enable-feature /featurename:NetFx2-ServerCore
DISM.exe /online /enable-feature /featurename:NetFx3-ServerCore
DISM.exe /online /enable-feature /featurename:NetFx2-ServerCore-WOW64
DISM.exe /online /enable-feature /featurename:NetFx3-ServerCore-WOW64
DISM.exe /online /enable-feature /featurename:MicrosoftWindowsPowerShell
DISM.exe /online /enable-feature /featurename:MicrosoftWindowsPowerShell-WOW64

The files setup.exe and ‘EnableLog.bat’ need to be run on each Hyper-V host where the 5Nine software will be installed. The batch file runs the following command, which turns on auditing of packets dropped by the Windows Filtering Platform:

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
pause

Ok, now let’s start the installation:

  • We start the setup by double-clicking the file setup.exe. The wizard launches and we click ‘Next’ to continue.
  • Then we receive a message that we need to have a configured instance of Microsoft SQL Server or SQL Express/Compact edition. We will use an existing SQL Server instance (see later steps).
  • We use the default proposed installation folder and continue to the ‘Next’ step. In the next screen we accept the End User License Agreement, after reading it from the first to the last letter of course ;-)
  • In the ‘Data source’ screen we select the option ‘Existing MS SQL Server instance’.
  • Then an interesting option shows up: we can select ‘Include remote installation step in setup process’. This performs a remote installation on other hosts, so it is not necessary to perform the installation on each host locally. After this the installer is ready to install 5Nine Security Manager.
  • When the installation starts, a couple of settings need to be provided because of the choices we made earlier. The first one is the configuration of the SQL Server instance. If you choose Windows Authentication, only the account that is running the installation itself can be used. It is also possible to choose SQL authentication.
  • The license file is also required during the setup…
  • We also need to configure an account with WMI access to the Hyper-V hosts. For my demo environment I choose the administrator account, but this is not recommended for production environments. This account is used for running the NT services ‘59vFWManager’ and ‘5Nine Antivirus’.
  • Then we can select the hosts on which we also want to install the software.
  • For this demo I select the hosts PSRV01 and PSRV02, select ‘OK’ and we are done.
  • The installation completed successfully, so we can close the installation wizard.
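As an added example (not part of the 5Nine package), the PowerShell 3.0 script below checks, on a Windows Server 2012 Hyper-V host, what the two batch files above configure and what the installer should leave behind: the Server Core features, the WFP packet-drop audit setting, the switch extension binding on each virtual switch, and the account the two NT services run under. It assumes the 5Nine extension's name contains "5nine" (adjust $extensionPattern) and an English system locale for the auditpol text match.

```powershell
# Added check script, not part of the 5Nine installer. Assumption: the switch
# extension's display name contains "5nine"; change the pattern if it does not.
$extensionPattern = '5nine'

# 1. Features that core-preinstall.bat enables with DISM (Server Core only).
$features = 'ServerCore-WOW64', 'NetFx2-ServerCore', 'NetFx3-ServerCore',
            'NetFx2-ServerCore-WOW64', 'NetFx3-ServerCore-WOW64',
            'MicrosoftWindowsPowerShell', 'MicrosoftWindowsPowerShell-WOW64'
foreach ($f in $features) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $f -ErrorAction SilentlyContinue
    $state = if ($feature) { $feature.State } else { 'NotPresent' }   # full install lacks some
    "{0,-36} {1}" -f $f, $state
}

# 2. Audit subcategory that EnableLog.bat turns on. Dropped-packet events
#    (event ID 5152 in the Security log) only appear when this is enabled.
#    The string match assumes English auditpol output.
$auditLine = auditpol /get /subcategory:"Filtering Platform Packet Drop" |
             Where-Object { $_ -match 'Packet Drop' }
$auditOk = [bool]($auditLine -match 'Success and Failure')
"Filtering Platform Packet Drop auditing: $(if ($auditOk) { 'OK' } else { 'NOT ENABLED' })"

# 3. After setup: is the extension bound, enabled and running on every vSwitch?
foreach ($vmSwitch in Get-VMSwitch) {
    Get-VMSwitchExtension -VMSwitchName $vmSwitch.Name |
        Where-Object { $_.Name -match $extensionPattern } |
        ForEach-Object {
            "{0}: {1} type={2} enabled={3} running={4}" -f $vmSwitch.Name,
                $_.Name, $_.ExtensionType, $_.Enabled, $_.Running
        }
}

# 4. The two NT services named during setup and the account each runs under;
#    a built-in or domain administrator here is the least-privilege issue to fix.
foreach ($svc in '59vFWManager', '5Nine Antivirus') {
    $wmi = Get-WmiObject Win32_Service -Filter "Name='$svc' OR DisplayName='$svc'"
    if ($wmi) { "{0}: state={1} account={2}" -f $wmi.Name, $wmi.State, $wmi.StartName }
    else      { "${svc}: service not found" }
}
```

Run it in an elevated PowerShell session on each Hyper-V host after setup; a switch with no matching extension line, or a service running as an administrator account, is what to follow up on.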

This completes part 1 of this two-part blog article. In the next part we will take a look at the configuration of the hosts and the 5Nine Security Manager solution. I hope you enjoyed it.