
announcing

announcing. Microsoft Assessment & Planning Toolkit 5.0 Customer Technology Preview http://connect.microsoft.com. MAP: User Interface & Reports. Server Migration & Virtualization Candidates. Windows Server 2008. Virtualization. Windows 7.

shanon

Presentation Transcript


  1. announcing Microsoft Assessment & Planning Toolkit 5.0 Customer Technology Preview: http://connect.microsoft.com

  2. MAP: User Interface & Reports (Server Migration & Virtualization Candidates; Windows Server 2008; Virtualization; Windows 7)
     • Heterogeneous Server Environment Inventory: Linux, Unix & VMware
     • Windows 7 & Server 2008 R2 HW & Device Compatibility Assessment
     • Speed up Planning with Actionable Proposals and Assessments
     • Collect Inventory of Servers, Desktops and Applications Agentlessly
     • Offers Recommendations for Server/Application Virtualization
     • Works with the Virtualization ROI Tool to generate ROI calculations
     • More on MAP: http://www.microsoft.com/map

  3. announcing Visual Studio Team System 2010 Lab Management Beta 2

  4. VSTS Lab Management Beta 2
     • Scenarios
       • Create and manage virtual or physical environments
       • Take environment snapshots or revert to existing snapshots for virtual environments
       • Interact with the virtual machines in the environments through the environment viewer
       • Define test settings for the environments
     • New Beta 2 Features
       • Simplified environment creation & edit experience
       • Full-screen environment viewer
       • Out-of-the-box template for application build-deploy-test workflow
       • Network isolation with support for domain controller virtual machines
       • "In-Use" support for shared environments

  5. VSTS "Environments"
     • A typical multi-tier application consists of multiple roles: Database Server, Web Server, Client, etc.
     • An environment is a set of roles that are required to run a specific application and the lab machines to be used for each role.
     • Managing environments for multi-tier applications is an error-prone task today. Replicating the same environment at the same or another site is an even bigger problem.

  6. Windows Server 2008 R2 Hyper-V Security & Best Practices. Jeff Woolsey, Principal Group Program Mgr, Windows Server, Hyper-V (SVR307)

  7. Agenda
     • Virtualization Requirements
     • Hyper-V Security
     • Hyper-V & Storage
     • Windows Server 2008 R2: SCONFIG
     • Designing a Windows Server 2008 Hyper-V & System Center Infrastructure
     • Deployment Considerations
     • Best Practices & Tips and Tricks
     • Microsoft Hyper-V Server 2008 R2

  8. Virtualization Requirements
     • Scheduler
     • Memory Management
     • VM State Machine
     • Virtualized Devices
     • Storage Stack
     • Network Stack
     • Ring Compression (optional)
     • Drivers
     • Management API

  9. Hyper-V Architecture (diagram; labels as extracted). Parent Partition: Ring 3 user mode holds the VM Worker Processes, WMI Provider and VM Service; Ring 0 kernel mode holds the Windows Kernel, Virtualization Service Providers (VSPs), Device Drivers and Server Core, with a VMBus endpoint. Child Partition: user mode holds the Guest Applications; kernel mode holds the OS Kernel, Virtualization Service Clients (VSCs) and Enlightenments, with a VMBus endpoint. Both partitions run on the Windows hypervisor over the Server Hardware. Legend "Virtualization Stack Provided by": Rest of Windows, Hyper-V, ISV.

  10. Virtualization Attacks (the slide 9 architecture diagram, annotated with "Virtualization Attacks" and "Hackers" on the child-partition side). Components shown: Parent Partition with VM Worker Processes, WMI Provider and VM Service (Ring 3 user mode) and Windows Kernel, Device Drivers, VSPs and Server Core (Ring 0 kernel mode); Child Partition with Guest Applications (user mode) and OS Kernel, VSCs and Enlightenments (kernel mode); VMBus between them; Windows hypervisor over Server Hardware. Legend: Rest of Windows, Hyper-V, ISV.

  11. What if there was no parent partition?
     • No defense in depth
     • Entire hypervisor running in the most privileged mode of the system
     (Diagram: three Virtual Machines, each with User Mode at Ring 3 and Kernel Mode at Ring 0, above a monolithic hypervisor at Ring -1 containing the Scheduler, Memory Management, Storage Stack, Network Stack, VM State Machine, Virtualized Devices, Drivers and Management API, over the Hardware.)

  12. Hyper-V Hypervisor
     • Defense in depth
     • Hyper-V doesn't use ring compression; it relies on hardware virtualization (Intel VT / AMD-V) instead
     • Further reduces the attack surface
     (Diagram: the Parent Partition holds the VM State Machine, Virtualized Devices and Management API in User Mode at Ring 3 and the Storage Stack, Network Stack and Drivers in Kernel Mode at Ring 0, beside the Virtual Machines' own User and Kernel Modes; the hypervisor at Ring -1 keeps only the Scheduler and Memory Management, over the Hardware.)

  13. Hyper-V Security

  14. Security Assumptions
     • Guests are untrusted
     • Trust relationships
       • Parent must be trusted by hypervisor
       • Parent must be trusted by children
     • Code in guests can run in all available processor modes, rings, and segments
     • Hypercall interface will be well documented and widely available to attackers
     • All hypercalls can be attempted by guests
     • Can detect you are running on a hypervisor
       • We'll even give you the version
     • The internal design of the hypervisor will be well understood

  15. Security Goals
     • Strong isolation between partitions
     • Protect confidentiality and integrity of guest data
     • Separation
       • Unique hypervisor resource pools per guest
       • Separate worker processes per guest
       • Guest-to-parent communications over unique channels
     • Non-interference
       • Guests cannot affect the contents of other guests, parent, hypervisor
       • Guest computations protected from other guests
       • Guest-to-guest communications not allowed through VM interfaces

  16. Hyper-V & SDL
     • Hypervisor built with
       • Stack guard cookies (/GS)
       • Address Space Layout Randomization (ASLR)
       • HW Data Execution Prevention: No Execute (NX) on AMD, Execute Disable (XD) on Intel
       • Code pages marked read-only
       • Memory guard pages
     • Hypervisor binary is signed
     • Entire stack through SDL
       • Threat modeling
       • Static analysis
       • Fuzz testing & penetration testing

  17. Hyper-V Security Model
     • Uses Authorization Manager (AzMan)
       • Fine-grained authorization and access control
       • Department- and role-based
       • Segregate who can manage groups of VMs
       • Define specific functions for individuals or roles: start, stop, create, add hardware, change drive image
     • VM administrators don't have to be Server 2008 administrators
     • Guest resources are controlled by per-VM configuration files
     • Shared resources are protected
       • Read-only (CD ISO file)
       • Copy on write (differencing disks)

  18. BitLocker: Persistent Protection
     • Mitigating Against External Threats...
       • Very Real Threat of Data Theft When a System is Stolen, Lost, or Otherwise Compromised (Hacker Tools Exist!)
       • Decommissioned Systems are not Guaranteed Clean
       • Increasing Regulatory Compliance on Storage Devices Drives Safeguards (HIPAA, SBA, PIPEDA, GLBA, etc.)
     • BitLocker Drive Encryption Support in Windows Server 2008/2008 R2
       • Addresses Leading External Threats by Combining Drive-Level Encryption with Boot Process Integrity Validation
       • Leverages Trusted Platform Module (TPM) Technology (Hardware Module)
       • Integrates with Enterprise Ecosystem, Maintaining Keys in Active Directory
     • Protects Data While a System is Offline
       • Entire Windows Volume is Encrypted (Hibernation and Page Files)
       • Delivers Umbrella Protection to Applications (On Encrypted Volume)
     • Ensures Boot Process Integrity
       • Protects Against Root Kits and Boot Sector Viruses
       • Automatically Locks System when Tampering Occurs
     • Simplifies Equipment Recycling
       • One-Step Data Wipe: Deleting Access Keys Renders Disk Drive Useless

  19. Physical Security
     • Device installation group policies: "no removable devices allowed on this system"
     • BitLocker: encrypts drives, securing
       • laptops
       • branch office servers
     • BitLocker To Go: encrypts removable devices like USB sticks
       • Includes group policies that say, "don't let the user save data onto a USB stick unless the stick's been encrypted"
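Slides 18 and 19 list the controls (TPM-bound full-volume encryption, recovery keys escrowed in Active Directory, BitLocker To Go and the removable-device policies) but not how to confirm a host actually has them. The script below is an added example, not part of the deck or a Microsoft tool: it audits one host for each of those controls and fails when any is missing. It assumes the BitLocker, TrustedPlatformModule and Storage PowerShell modules (Windows Server 2012 / Windows 8 or later; on Server 2008 R2 the same facts come from `manage-bde -status`), and the registry paths are the values the corresponding Group Policy settings write. Nothing in it changes state.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the slides): read-only audit of the BitLocker / TPM / removable-media
# controls described in slides 18-19. Assumes Windows Server 2012+ PowerShell modules.

function Get-PolicyValue {
    # Returns a policy registry value, or $null when the policy is not configured.
    param([string] $Path, [string] $Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-TpmState {
    # Slide 18: boot-process integrity validation needs a TPM that is present and ready (enabled, owned).
    $tpm = Get-Tpm
    [pscustomobject]@{ Check = 'TPM present and ready'; Pass = [bool]($tpm.TpmPresent -and $tpm.TpmReady) }
}

function Test-VolumeProtection {
    # Every volume must have protection on. The OS volume must additionally be bound to the TPM
    # (Tpm, TpmPin, TpmAndStartupKey ... protectors) and carry a recovery password that AD can escrow.
    $removable = @(Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
                   ForEach-Object { "$($_.DriveLetter):" })
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $kind  = if ($vol.MountPoint -in $removable) { 'Removable (BitLocker To Go)' } else { [string]$vol.VolumeType }
        [pscustomobject]@{ Check = "$($vol.MountPoint) [$kind] protection on"; Pass = ($vol.ProtectionStatus -eq 'On') }
        if ([string]$vol.VolumeType -eq 'OperatingSystem') {
            [pscustomobject]@{ Check = "$($vol.MountPoint) bound to TPM (boot integrity)";       Pass = (@($types -match '^Tpm').Count -gt 0) }
            [pscustomobject]@{ Check = "$($vol.MountPoint) has recovery password for AD escrow"; Pass = ($types -contains 'RecoveryPassword') }
        }
    }
}

function Test-RemovableMediaPolicy {
    # Slide 19: "no removable devices" and "no writes to an unencrypted USB stick" are Group Policy
    # settings; these are the registry values those policies set, plus the AD recovery-info backup policy.
    $dev = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    [pscustomobject]@{ Check = 'Removable device installation denied';          Pass = ((Get-PolicyValue $dev 'DenyRemovableDevices') -eq 1) }
    [pscustomobject]@{ Check = 'Write to unencrypted removable drives denied';   Pass = ((Get-PolicyValue $fve 'RDVDenyWriteAccess') -eq 1) }
    [pscustomobject]@{ Check = 'OS recovery info backed up to Active Directory'; Pass = ((Get-PolicyValue $fve 'OSActiveDirectoryBackup') -eq 1) }
}

function Invoke-BitLockerAudit {
    # Returns the number of failed checks so a configuration-management job can act on it.
    $results = @(Test-TpmState) + @(Test-VolumeProtection) + @(Test-RemovableMediaPolicy)
    $results | Format-Table -AutoSize | Out-Host
    return @($results | Where-Object { -not $_.Pass }).Count
}

$failed = Invoke-BitLockerAudit
if ($failed -gt 0) { Write-Warning "$failed control(s) missing"; exit 1 }
```

The TPM check uses a regex on the protector type so that TPM+PIN and TPM+startup-key configurations count as TPM-bound; a recovery password is required separately because it is the protector the Active Directory escrow policy backs up.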

  20. McAfee: VirusScan Enterprise for Offline Virtual Images
     • Reduce IT management overhead for virtual environments. Anti-malware security profiles of offline virtual machines are updated automatically without having to bring virtual machines online, reducing the risk of infecting the rest of the virtual environment.
     • Ensure security for virtual machines. Automatically scan, clean and update virtual machines while offline, to eliminate the risk of dormant virtual machines threatening the corporate network.
     • Achieve efficiencies with security management. Minimize IT efforts and reduce operating costs with common security management for both physical and virtual environments.
     • Improve disaster recovery. Ensure that backup virtual images are up to date with respect to malware signatures before they go into production.

  21. VHD Performance

  22. Hyper-V R1 Performance
     • Focused on Fixed Disk Performance
     • Why? Allocating storage resources up front prevents surprises
     • Result:
       • Excellent near-native performance for Fixed VHDs
       • Dynamic VHD performance had room for improvement
     • Let's take a look at R2 performance...

  23. Fixed VHD vs Raw Disk Throughput Comparison

  24. Fixed VHD vs Raw Disk Latency Comparison

  25. WS2008 vs WS2008 R2 Dynamic VHD Throughput Comparison: Up to 15x Performance Improvement with R2

  26. Dynamic VHD vs Raw Disk Throughput Comparison

  27. Dynamic VHD vs Raw Disk Latency Comparison

  28. VHD Types Throughput Comparison

  29. VHD Types Latency Comparison

  30. Hyper-V R2 Storage Key Takeaways
     • Fixed Disks are on par with Native Disk Performance
     • Dynamic and Differencing Disks are up to 15x faster than in Hyper-V R1, with a ~15% performance delta from native

  31. Multi-Path I/O (MPIO) & Adv. Storage

  32. Multipath I/O (MPIO)
     • What is it?
       • Provides a logical facility for routing I/O over redundant hardware paths connecting the server to storage
       • Works with a variety of storage types (iSCSI, SCSI, SAS, Fibre Channel)
       • Many hardware vendors provide MPIO-capable drivers
     • How do I enable it?
       • Windows Server 2008 Full: Server Manager -> Features
       • Windows Server 2008 Core: start /w ocsetup MultipathIo

  33. Enabling MPIO with iSCSI
     • Open iscsicpl.exe (iSCSI configuration)
     • Set up (discover) 2 connections to the iSCSI target
     • Open mpiocpl.exe (MPIO configuration)
     • Discover Multi-Path tab, "Add support for iSCSI Devices"
     • In iscsicpl.exe, Targets tab, Connect
     • Check "Enable multi-path"
     • Under Advanced, specify Target Portal IP
     • Repeat, choosing the other Target Portal IP
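The steps on slides 32 and 33 are GUI clicks. The script below is an added example, not from the deck, that performs the same procedure unattended and then checks that both paths are actually up, which the GUI does not report in one place. It assumes Windows Server 2012 or later, where the MPIO and iSCSI PowerShell modules exist (on 2008 R2 the equivalents are the iscsicpl.exe / mpiocpl.exe steps above, or iscsicli.exe and mpclaim.exe). The two portal addresses and the target IQN are constructed placeholders; the MPIO feature install and the DSM claim each need a reboot before the iSCSI disks are claimed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the slides): scripted form of "Enabling MPIO with iSCSI".
# Assumes the MPIO and iSCSI modules of Windows Server 2012 or later.

$PortalAddresses = @('192.0.2.11', '192.0.2.12')            # constructed: two portal IPs of one target
$TargetIqn       = 'iqn.2000-01.com.example:storage.lun0'   # constructed placeholder IQN

function Enable-MpioForIscsi {
    # Slide 32: install the MPIO feature (Server Manager -> Features / ocsetup MultipathIo).
    if (-not (Get-WindowsFeature -Name Multipath-IO).Installed) {
        Install-WindowsFeature -Name Multipath-IO | Out-Null   # reboot required before paths are claimed
    }
    # The initiator service must be running for discovery and login.
    Set-Service -Name MSiSCSI -StartupType Automatic
    Start-Service -Name MSiSCSI
    # Slide 33: "Discover Multi-Path tab, Add support for iSCSI Devices" = let the Microsoft DSM
    # claim devices on the iSCSI bus. Takes effect after reboot.
    Enable-MSDSMAutomaticClaim -BusType iSCSI | Out-Null
    # Round-robin uses both paths; FOO (fail-over only) is the alternative for active/passive arrays.
    Set-MSDSMGlobalDefaultLoadBalancePolicy -Policy RR
}

function Connect-MultipathTarget {
    param([string[]] $Portals, [string] $Iqn)
    # Slide 33: discover two connections to the target, one per portal IP.
    foreach ($portal in $Portals) {
        if (-not (Get-IscsiTargetPortal -TargetPortalAddress $portal -ErrorAction SilentlyContinue)) {
            New-IscsiTargetPortal -TargetPortalAddress $portal | Out-Null
        }
    }
    # Slide 33: Connect with "Enable multi-path" and Advanced -> Target Portal IP, repeated per portal.
    foreach ($portal in $Portals) {
        Connect-IscsiTarget -NodeAddress $Iqn -TargetPortalAddress $portal `
            -IsMultipathEnabled $true -IsPersistent $true | Out-Null
    }
}

function Test-MultipathState {
    # One session per portal and an MPIO-claimed iSCSI device means both paths are in service;
    # anything less is a single point of failure that looks fine until a switch or cable dies.
    param([string] $Iqn, [int] $ExpectedPaths)
    $sessions = @(Get-IscsiSession | Where-Object { $_.TargetNodeAddress -eq $Iqn })
    $claimed  = @(Get-MPIOAvailableHW | Where-Object { $_.BusType -like '*iSCSI*' -and $_.IsMultipathed })
    [pscustomobject]@{
        Target        = $Iqn
        Sessions      = $sessions.Count
        PathsExpected = $ExpectedPaths
        DsmClaimed    = ($claimed.Count -gt 0)
        Healthy       = ($sessions.Count -eq $ExpectedPaths -and $claimed.Count -gt 0)
    }
}

Enable-MpioForIscsi
Connect-MultipathTarget -Portals $PortalAddresses -Iqn $TargetIqn
Test-MultipathState -Iqn $TargetIqn -ExpectedPaths $PortalAddresses.Count | Format-List
```

Run it once before the reboot to install the feature and claim setting, and again afterwards to log in over both portals; `Test-MultipathState` reports `Healthy = False` until the second session and the DSM claim are both present.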

  34. iSCSI Quick Connect: New in Windows 7/Windows Server 2008 R2

  35. Advanced Storage Capabilities
     • Is there a Hyper-V Storage Certification?
     • What about storage de-duplication?
     • What about storage replication?
     • Hyper-V is compatible with block-based de-duplication and replication solutions that are certified for Windows Server 2008/2008 R2.
       • Solutions from: NetApp, HP, EMC, Hitachi, NEC, Compellent and more...
       • www.windowsservercatalog.com

  36. Hyper-V Networking

  37. Hyper-V Networking
     • Don't forget the parent is a VM
     • Two physical network adapters at minimum
       • One for management
       • One (or more) for VM networking
     • Dedicated NIC(s) for iSCSI
     • Connect parent to back-end management network
     • Only expose guests to internet traffic

  38. Hyper-V Network Configurations
     • Example 1:
       • Physical server has 4 network adapters
       • NIC 1: Assigned to parent partition for management
       • NICs 2/3/4: Assigned to virtual switches for virtual machine networking
       • Storage is non-iSCSI, such as direct attach, SAS or Fibre Channel

  39. Hyper-V Setup & Networking 1

  40. Hyper-V Setup & Networking 2

  41. Hyper-V Setup & Networking 3

  42. Each VM on its own Switch... (diagram; labels as extracted). Parent Partition: VM Service, WMI Provider and VM Worker Processes in User Mode; Windows Kernel with VSPs and VMBus in Kernel Mode. Child Partitions VM 1, VM 2 and VM 3 (Windows Server 2008 / Windows Kernel, Linux Kernel, Windows Kernel), each with Applications in User Mode and a VSC plus VMBus in Kernel Mode. Windows hypervisor at Ring -1 on "Designed for Windows" Server Hardware. NIC mapping: Mgmt = NIC 1, VSwitch 1 = NIC 2, VSwitch 2 = NIC 3, VSwitch 3 = NIC 4.

  43. Hyper-V Network Configurations
     • Example 2:
       • Server has 4 physical network adapters
       • NIC 1: Assigned to parent partition for management
       • NIC 2: Assigned to parent partition for iSCSI
       • NICs 3/4: Assigned to virtual switches for virtual machine networking

  44. Hyper-V Setup, Networking & iSCSI

  45. Now with iSCSI... (diagram; labels as extracted). Same layout as slide 42: Parent Partition with VM Service, WMI Provider and VM Worker Processes in User Mode and Windows Kernel, VSPs and VMBus in Kernel Mode; Child Partitions VM 1, VM 2 and VM 3 (Windows Server 2008 / Windows Kernel, Linux Kernel, Windows Kernel) with Applications and a VSC each; Windows hypervisor at Ring -1 on "Designed for Windows" Server Hardware. NIC mapping: Mgmt = NIC 1, iSCSI = NIC 2, VSwitch 1 = NIC 3, VSwitch 2 = NIC 4.

  46. Legacy vs. Synthetic NIC
     • Legacy Network Adapter
       • Up to 4 per virtual machine
       • Pros: Needed for PXE/RIS/WDS installation
       • Cons: Slow
     • Synthetic Network Adapter
       • Up to 8 per virtual machine!
       • Pros: Blazing fast
     • Both:
       • Support VLANs
       • Dynamic or Static MAC addresses
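Slides 37, 38, 43 and 46 give the rules (parent treated as a VM, a management NIC and an iSCSI NIC that never carry guest traffic, separate switches on the remaining adapters, legacy adapters only for network installs) without showing how to build or verify them. The script below is an added example, not from the deck: it creates the Example 2 layout from slide 43 and then audits the host against each rule. It assumes the Hyper-V PowerShell module of Windows Server 2012 or later (2008 R2 exposes this only through Hyper-V Manager and WMI), and the adapter names are constructed placeholders for the host's physical NICs.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the slides): build and audit the Hyper-V network layout of slides 37/38/43/46.
# Assumes the Hyper-V PowerShell module (Windows Server 2012 or later).

$ManagementNic = 'NIC 1'              # constructed: parent partition management adapter, never on a vSwitch
$IscsiNic      = 'NIC 2'              # constructed: parent partition storage adapter (slide 43, Example 2)
$VmNics        = @('NIC 3', 'NIC 4')  # constructed: adapters handed to virtual switches for guest traffic

function New-IsolatedVmSwitch {
    param([string] $Name, [string] $AdapterName)
    # External switch with -AllowManagementOS $false: the guests get the NIC and the parent partition
    # keeps no virtual NIC on it, so internet-facing guest traffic never reaches the parent's stack.
    if (-not (Get-VMSwitch -Name $Name -ErrorAction SilentlyContinue)) {
        New-VMSwitch -Name $Name -NetAdapterName $AdapterName -AllowManagementOS $false | Out-Null
    }
}

function Get-HyperVNetworkFindings {
    # Slide 37: the parent is a VM too; fewer than two physical NICs forces management and guest traffic together.
    if (@(Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' }).Count -lt 2) {
        [pscustomobject]@{ Object = 'host'; Finding = 'Fewer than two physical adapters up; management and VM traffic share a NIC' }
    }
    foreach ($sw in Get-VMSwitch -SwitchType External) {
        $nic = (Get-NetAdapter -InterfaceDescription $sw.NetAdapterInterfaceDescription -ErrorAction SilentlyContinue).Name
        # A switch shared with the management OS puts the parent on the guest-facing network.
        if ($sw.AllowManagementOS) {
            [pscustomobject]@{ Object = $sw.Name; Finding = 'vSwitch shares its NIC with the parent partition (AllowManagementOS)' }
        }
        # The management and iSCSI adapters belong to the parent only (slides 38/43).
        if ($nic -in @($ManagementNic, $IscsiNic)) {
            [pscustomobject]@{ Object = $sw.Name; Finding = "vSwitch is bound to reserved adapter '$nic'" }
        }
    }
    # Slide 46: legacy (emulated) adapters are slow and only needed for PXE/RIS/WDS installs; flag leftovers.
    foreach ($vnic in (Get-VMNetworkAdapter -VMName * | Where-Object { $_.IsLegacy })) {
        [pscustomobject]@{ Object = "$($vnic.VMName)/$($vnic.Name)"; Finding = 'Legacy network adapter still attached after deployment' }
    }
}

for ($i = 0; $i -lt $VmNics.Count; $i++) {
    New-IsolatedVmSwitch -Name "VSwitch $($i + 1)" -AdapterName $VmNics[$i]
}
$findings = @(Get-HyperVNetworkFindings)
if ($findings.Count -eq 0) { 'No findings: layout matches slides 37/43/46' } else { $findings | Format-Table -AutoSize }
```

The audit half can be run on its own against an existing host; the `AllowManagementOS` finding is the one most often seen in practice, because the Hyper-V Manager wizard enables that option by default when it creates an external switch.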

  47. Hyper-V R2 Networking with VMQ

  48. Virtualized Network I/O Data Path Without VMQ (diagram; labels as extracted). In the Parent Partition the Virtual Machine Switch (VSP) performs routing, VLAN filtering and a data copy on top of the Miniport Driver and the physical NIC; traffic reaches VM1 and VM2 over VMBus through VM NIC 1 / VM NIC 2 (switch Port 1 / Port 2) into each guest's Ethernet and TCP/IP stack.

  49. Networking Virtual Machine Queues
     • Hyper-V uses virtual machine queue (VMQ) support in new NICs to offload processing to hardware
     • VMQ operation:
       • Each VM is assigned a hardware-managed receive queue
       • Hardware performs MAC address lookup and VLAN ID validation
       • Places received packets in the appropriate queue
       • Queues are mapped into VM address space to avoid copy operations
