Cybersecurity Talk With Aidan Finn: How to use Hyper-V to keep your enterprise’s secret… secret

Aidan Finn is a Microsoft Valuable Professional with Virtual Machine (Hyper-V) expertise. He speaks at events such as Microsoft Ignite and other conferences.

In the video we are talking about infrastructure solutions, Hyper-V and Azure.

Cybersecurity Talk is part of a conference series of interviews with the most prominent and experienced people in the infrastructure and IT security world that we deliver within the CQURE Academy. In this chapter Aidan Finn focuses on infrastructure solutions, Hyper-V and Azure.

Paula J:

Aidan speaks on different kinds of events like Microsoft Ignite and
Tech Heads and all the other conferences. I’m pretty sure that if you are
within the subject, you’ve seen him. A couple of words regarding the introduction.
Well, I know that you are in the business since 1996, right?

Aidan Finn:

Yeah, I’ve seen a lot of change over the time. Started working in Unix and VAX/VMS
and stuff like that and accidentally fell into the windows world and then into the
virtualization and cloud world.

Paula J:

That’s good. Basically, you’ve seen a lot of different types of changes and transformations of the customer sites.

Aidan Finn:

Yeah, things have changed a lot as you’ve seen in the security business.

Paula J:

Yeah, cool. Aidan is a specialist on Hyper-V and infrastructure solutions and in
Hyper-V particular, that’s what we’re going to be talking about. Is there something
that you want to … You do a blog, right?

Aidan Finn:

Yeah, I’ve been blogging on aidanfinn.com since 2006.

Paula J:

Oh, that’s a lot.

Aidan Finn:

Yeah, it’s a lot.

Paula J:

That’s great.

Aidan Finn:

The blog has changed over the years. Started off on spaces.live.com or whatever it was called.

Paula J:

There was something like that, yeah.

Aidan Finn:

Yeah, way back when and then moved onto WordPress, and then I moved it onto my own site.

Paula J:

That’s good.

Aidan Finn:

I write for petri.com about Microsoft Cloud and virtualization stuff as well.

Paula J:

Petri is a great forum.

Aidan Finn:

Yeah, Petri is a fantastic site. A lot of support from them as well. It’s a growing and
changing site too. I tweet at @joe_elway where you can find me,
sometimes tweeting about IT as well.

Paula J:

Perfect okay. I’ve got a couple of disturbing questions for you today.

Aidan Finn:

Oh, no.

Can Hyper-V be hacked?

Paula J:

Yeah, sorry. The first question is something that is bothering everybody about
Hyper-V security. Moving straight to the point, can Hyper-V be hacked?

Aidan Finn:

Wow, what a great question. Can any software be hacked? I guess if it’s more than
‘Hello World,’ it probably can be hacked. Software is huge and complex and there’s
always things. What I will say about Hyper-V is it’s incredibly secure because it’s a
relatively new hypervisor.

Microsoft designed it with security in mind so each of the pieces have been specifically placed in kernel mode, or within user mode in the management OS, or the host OS if you want to call it that which is sitting directly on the hypervisor. So it’s a myth that Hyper-V sits on top of the host. That’s not true. If you look at the architecture it’s quite clear.

The components are specifically placed. For example, drivers, yes they sit in kernel
mode but things that the virtual machines are communicating with are running in
user mode like the virtual switch or the integration services are all sitting there
safely in user mode.

Then the components don’t actually necessarily have a whole lot of trust in each
other and they specifically have this trust-lead model where they trust certain
amounts of communication but not that much.

That’s very clear to see when you see an error in Hyper-V because the error, when you look at it doesn’t tell you a whole lot of information. When you expand it you can see all the various different pieces of information from the different layers of the management OS.

There is complete isolation there. It’s enforced using data execution prevention
from the processor. We’ve got memory marking to say this is owned by a virtual
machine, this is owned by the host, and these two things can’t be read by each
other. It’s a secure hypervisor. Have there been vulnerabilities? Yeah, they’ve been
found.

Paula J:

They’re everywhere.

Aidan Finn:

Yeah, every software has vulnerabilities, and Microsoft are quick to patch them.
They’ve hardened the hypervisor a lot in 2016. They went deep back into the
hypervisor and said okay, we want to build something that people can use as a
platform for cloud computing. They hardened the architecture again and they
started building out other pieces to sit on top of the platform. We got things like
shielded virtual machines.

Paula J:

Yeah, that’s a pretty good feature.

Aidan Finn:

Yeah, it’s a great feature, the ability to have a virtual TPM chip put in the virtual machines.

Paula J:

Actually, if someone asks me like what is the hottest thing that happened in 2016, I would say it’s the VTPM.

Aidan Finn:

Really?

Paula J:

Yeah, seriously. It’s something that at least from a security perspective, in my opinion, changes a landscape drastically.

Aidan Finn:

Yeah, it brings control back to the tenant where they can say, “You know what, I
don’t trust the sysadmin. I don’t trust the storage admin.” It’s an old question that
I’ve seen in IT going back years and years where HR have a database of all the
salaries, and they don’t trust IT because they’re afraid we’re going to peek in and
see what the boss is making and demand a pay rise.

Paula J:

That is one of the scenarios, yeah.

Aidan Finn:

Now, HR can run that application in the VM, have that box checked so they get
their virtual TPM, and then they control the recovery key. It’s outside of the control
of IT.

The forecast for a change in the security landscape

Paula J:

It’s a very nice architecture. Do you think, by the way, that virtualization based
security, referring to what you said, will this change in the future the security
landscape?

Aidan Finn:

Yeah, I think that’s already started to happen. If you look at the specific
implementation of VBS within Windows Server and Windows 10 Enterprise, so if
you get Windows 10 Enterprise E3, whether it’s through Software Assurance or CSP
subscription or whatever, you now have this ability to turn on the hypervisor itself,
not just Hyper-V with all the management for use for virtual machines, but you get
the ability to isolate the LSASS process.

Paula J:

Which is a fantastic option, right, for credentials?

Aidan Finn:

Yeah, I’ve seen your presentations where you start harvesting hashes and stuff like that, you know, where you can say, okay, we’re going to put this away.

Paula J:

No longer possible.

Aidan Finn:

Yeah, or you’re just coming up with a blank result.

Paula J:

Yeah.

Aidan Finn:

Your legacy applications can still have that interface to this little LSASS that’s left behind that has no secrets.

Paula J:

Yeah, I got to believe that from my perspective, I’m… well, it’s hard to say that I’m not happy about it.

Aidan Finn:

It’s killed your demos by bypass the hash.

Paula J:

Well, yeah, exactly. I’ve got to figure out something else but you know, from that
perspective. Then when the customers will start implementing what you were talking about so… credential guard and so on, then sorry, this is no longer possible. That’s quite nice.

Aidan Finn:

Yeah, and it’s all hardware enforced. It’s Hyper-V marking the memory this is
owned by that specific little VM that you don’t have to manage. It’s running on
micro-kernel. It’s got a Hyper-V code integrity checking. It’s got kernel code
integrity checking. It’s got that little isolated LSASS and the whole thing is very
cleverly built. It’s there in Windows Server. It’s there in Windows 10 Enterprise. If
you’re looking for something to secure your environment, you’ll be more familiar with the statistics than I am. They’re saying that once an attacker is on your network it takes them two days to become a domain admin.

Paula J:

Or even faster.

Aidan Finn:

Yeah.

Paula J:

Absolutely. Well, actually today this is more like if you’re going to bake yourself
cookies in the company’s kitchen and…

Aidan Finn:

You’ve got a lot of customers to work on at the same time.

Paula J:

Yeah, and you’re going to sleep well and something, and you’re going to spend this 15 minutes to get access to the infrastructure that’s basically…

Aidan Finn:

With this feature now that’s a couple of clicks away and some group policy away, you’re able to stop that.

Paula J:

Yeah, exactly, like stop-stop.

Aidan Finn:

Yeah, and I think that’s one of the things Microsoft might have said may have protected Sony when they got hacked.

Paula J:

Well.

Aidan Finn:

Maybe, maybe not, who knows. I think those attackers were pretty determined and
motivated. If you can stop that basic attack where someone is able to harvest those
hash details and find okay, domain admin has signed into this PC at some point and
here’s some details that are interesting, yeah, you’re able to protect the
environment. I think that’s cool and we’re seeing this technology now being
extended in future Windows 10 updates where Edge, for example, has got to be
isolated in one of these PSMs.

Paula J:

This is one of the coolest moves I would say.

Aidan Finn:

Yeah, and if Microsoft can come up with a way to put or encapsulate all software in
these types of virtual machines, could be our virtual machines in the end. Then we certainly have a security model to protect everything.

Paula J:

Absolutely.

Aidan Finn:

Everything’s sandboxed.

Paula J:

Everything’s sandboxed, yeah. That’s a very cool thing. I always compare the
browser like a little mouse amongst like the big crowd of lions, because you write a
browser, which is absolutely a challenging task, and then you put it in the internet.
Then you have the whole world against you. They’re building all the different crazy
websites that are out there that when you enter you are actually producing the
code in order to display that for the user.

The browser, it’s a very advanced piece of code. Obviously, that’s why we’ve got
this news like Firefox, Internet Explorer, whatever, they have vulnerabilities. Finally,
when you’re going to isolate it, is everything just going to stay in one place?

Aidan Finn:

It protects you against those zero days, which we know are no longer so rare.

Paula J:

I loved it, yeah.

The requirements of the implementation of the new technology

Aidan Finn:

Yeah, I loved that idea that we can isolate this thing and you know, if it blows up, you don’t care. It doesn’t infect the system.

Paula J:

That’s definitely the point. But of course, there are some requirements to implement that, right?

Aidan Finn:

Yeah, so you need fairly modern hardware. This is the thing, so it’s hardware in the
last couple of years, realistically, and enterprise hardware. It’s not the cheap
business PC. You need Intel VT-x, for example. You need a machine with data
execution prevention, and you need a Second Level Address Translation (or SLAT). To
be honest, that’s been around PCs for five, six years.

Paula J:

Of course.

Aidan Finn:

That’s not a problem.

Paula J:

No.

Aidan Finn:

But realistically you need good machines.

Paula J:

Secure boot.

Aidan Finn:

Secure Boot, so you need UEFI. You got to start getting this UEFI in your OS deployment.

Paula J:

That’s going to come anywhere, right?

Aidan Finn:

Yeah, and new machines are coming configured like that so if you’re getting
service, for example, you’re getting anything kind of like that from your HPs, or
your Dells, your Lenovos, you’re getting machines that are ready for this
technology. Realistically, if you’ve bought the machines in the last couple of years,
they probably have … if they’re business class machines, they probably have the
components to make this possible.

Paula J:

Yeah, and then you can freely use credential guards and all the other solutions that are within the virtualization to cyber security.

Aidan Finn:

Yeah, and the ATP and all the cool things that are either here or coming with Windows 10 Enterprise.

Paula J:

Yeah, that’s a cool set of features.

Aidan Finn:

Yeah, there’s a lot of stuff there and don’t forget they’re in Windows 2016 too.

A few words about trusting the company

Paula J:

Yes, absolutely, but here comes one thing. You are also engaged in different types
of private clouds so building private cloud and all the situations related with that.
Questions is, when you’ve got a private cloud, it’s quite a popular service recently.
You not necessarily put machines in Azure but then you just put in the company X,
Y, Z. Can we really trust those environments? If the answer is no, because you put
your machines over there, it’s kind of, let’s say cheaper or it’s within the same
country maybe so some companies have this requirements, what kind of tips could
you give to administrators when they put their virtual machines in the cloud that is
a private cloud, that’s maybe not necessarily can be fully trusted?

Aidan Finn:

I guess the trust thing comes down to… Do you trust the company? If you don’t trust the company, you don’t do business with them.

Paula J:

That’s a very simple approach.

Aidan Finn:

That’s a simple approach.

Paula J:

Thank you.

Aidan Finn:

That’s all that sorted, moving on. That’s your first … it’s a basic thing, do you trust
the company. Do they have their various certifications? Are they making the efforts
when you knock on the door without making an appointment, are the security staff
there? The simple things because I can tell you, having worked in the hosting
business, that’s not always true.

Paula J:

Okay.

Aidan Finn:

Yeah, sometimes security staff are hired for the meetings.

Paula J:

Oh, that’s interesting.

Aidan Finn:

Yes, that’s an interesting one. Been there done that. Then the real threat is
probably the staff. Realistically, it’s probably the lesser paid staff when you think
about it.

Paula J:

Could be.

Aidan Finn:

Yeah, or the disgruntled staff. What is that company doing to protect you against their staff? That’s the real thing you’ve got to start looking into.

Paula J:

You may want to have a look at the paycheck of …

Aidan Finn:

Well, it’s not necessarily that you want to start looking at their HR system like we
were talking about earlier. It’s that you want to look at what systems they’ve got in
place. Are security monitoring the environment? Are cameras all over the place?
Are people in a position where they can pull disks? Do they have auditing systems?
Is anyone looking at those auditing systems?

Paula J:

Can someone do memory dumps, yeah?

Aidan Finn:

Yeah. Then you want to say, okay, I’m putting stuff into an environment that I don’t
trust necessarily 100% the physical security. Maybe I want things like shielded
virtual machines, and virtual TPM, and key storage drive, and all these sort of things
that are available that I can take advantage of.

Paula J:

That’s awesome, yeah.

Aidan Finn:

Yeah, so drive that hosting service provider, that cloud provider to use the
technologies that are now available to us. Don’t settle for technology that’s four,
five years old. Too many of us do that in the IT business. If you want security, you
need up-to-date systems and there’s nothing more up-to-date than Windows
Server 2016. It is the most secure hypervisor there is out there especially, if you’re
talking about public or private cloud.

Paula J:

That’s good. That’s good to hear.

Aidan Finn:

Yeah, the tenant can protect themselves, isolate themselves from that environment and it’s hardware backed by HSM.

Paula J:

Oh, which is absolutely a case, yeah.

Aidan Finn:

Yeah, the host guardian service, the production and deployment, it is protected by
an HSM. The hosts are not trusted and they have to get the keys to start the virtual
machines in the first place. If the virtual machine moves to another environment, it
can’t get the keys, it won’t start.

Paula J:

Yeah, so just to summarize because it’s a very interesting idea in a server
environment is that the host cannot be trusted over here. The same is like when we
have a look at the credential guard, the Windows, it’s something that we cannot be
trusted. That’s why we’re isolating things to protect really applications and so on from Windows kernel itself.

If someone runs an application that affects Windows kernel security, we’re still
okay, and that’s the whole point. We can assure our kind of personal interest by
creating even our own applications that we’re going to isolate. The
same story is with the shielded VMs that are available in Windows Server 2016.

We isolate them. They behave kind of like a … at least I see it this way, as a process
that you isolate. Whether it’s a virtual machine, or a process, or the opposite, we
call them virtual machines, it’s isolation that prevents all the different types of
exploitation techniques.

Aidan Finn:

Yeah, and for the IT pros on the customer site, this is great because it’s not outsourcing anymore.

Paula J:

No.

Aidan Finn:

The infrastructure might be outsourced, but you’re still responsible for what runs
inside the virtual machine, which is where the value is, which is where your value is
as an employee, as a member of IT to the enterprise.

Paula J:

You can sleep well because you will not be affected from host computer, yeah?

Aidan Finn:

Yeah, and there’s other protections in there as well so Hyper-V has the ability to detect rogue virtual machines, for example.

Paula J:

That’s great.

Aidan Finn:

Someone starts… another tenant gets compromised because they wrote bad code
for their website or something or wrote for their databases, and they start trying to
do a DDoS attack or a DoS attack on the hosts. Well, Hyper-V can detect that and
start starving that virtual machine of resources so the DoS attack becomes
pointless.

Paula J:

Things changed in the virtualization for the past couple of years.

Aidan Finn:

Yeah, it’s great. It’s all driven by Azure as well, which is kind of cool. It’s stuff that
Microsoft either are doing in Azure or want to do in Azure because they use Hyper-V
and they use the same hypervisor that we do, in fact. They’re using 2012 and
2012 R2 Hyper-V so they’re actually a little bit behind where we can be.

Paula J:

Yeah, but it’s still on the safe side, right?

Aidan Finn:

Yeah, it’s driving the security. It’s driving supportability, it’s driving the performance and what we can do in cloud public and private.

A few tips from a professional for beginners

Paula J:

Okay, cool. This is a set of information for you guys. Now, very important questions
that I believe that young people starting their career would like to know about.
What would be the set of skills that is necessary for the young person? Does a
young person looks at you and says like, “Oh, I want to do the same stuff as this guy
does.” What kind of skills this person should have at the very beginning so starting
from the basics?

Aidan Finn:

Yeah, first thing I would tell anyone getting into IT is don’t be me, be a
programmer. I actually started off as a programmer so I was a C and C++
programmer. That’s how I started off.

Paula J:

C++, I have been once on a C++ party. Nobody was talking to anyone, you know.

Aidan Finn:

Oh, no messages.

Paula J:

They were like all the time during the program like what am I doing over here? That was the best party ever.

Aidan Finn:

Wow. I think it’s a great foundation so even if you don’t decide, oh, this is my
career path, I think it’s a good career path going forward as a programmer in the
cloud, data analytics, data science, and all that stuff. I think it’s a great path to go
down. I think it’s longevity there, and not necessarily on the IT pro side. If I think
there’s always going to be stuff running on-premises. I think I agree with Microsoft
on that, and there’s still always going to be skills required and just as there are
today for mainframe administrators, for example.

What I would say is it’s a great foundation and that sets you up for the first thing I
think you need, which is the ability to script.

Paula J:

That’s great, of course.

Aidan Finn:

You need to know PowerShell and too few of us know PowerShell. I find it’s a thing that saves me so much time and allows me to deploy things fast.

Paula J:

I used PowerShell as a hacking tool.

Aidan Finn:

Jeffrey Snover will be delighted to hear that.

Paula J:

Oh.

Aidan Finn:

Second thing, networking. You need to know your basic networking.

Paula J:

That’s good.

Aidan Finn:

You’d be amazed how many people are trained who do not know how to do subnetting.

Paula J:

Oh, no.

Aidan Finn:

I mean basics of subnetting, class B, class C. To understand the basics because when
you understand that stuff, you are able to build the most important … one of the
two most important things in virtualization, which is networking, and the second
thing you want to learn or the third thing you want to learn is storage.

Paula J:

Oh, okay.

Aidan Finn:

Software defined storage not the classic SAN thing because that’s going to dwindle.
Software defined storage is the way to go. It’s cloud inspired, it’s cost-effective. The
performance is just crazy. I saw today here at this event a NVME disk running at …
a single disk running at 1.1 million IOPS.

Paula J:

No kidding.

Aidan Finn:

That used to be a rack and a half of spinning disks.

Paula J:

I have to do that, I’m sorry. I mean, it’s crazy.

Aidan Finn:

Imagine putting that thing into your laptop.

Paula J:

I want that, of course. I already imagined, I already imagined when you said that.

Aidan Finn:

Yeah, so those will be big things. Then I would say you want to learn how to deploy design, secure, and fast virtual machines.

Paula J:

That’s good.

Aidan Finn:

That all comes down to understanding your workload and kind of the security threat.

Paula J:

Scalability is one.

Aidan Finn:

Yeah, there’s so many things but when you start with the fundamentals, I think
everything else kind of attaches to itself. The last skill I would recommend is learn how to learn.

Paula J:

Oh, that’s a fantastic skill.

Aidan Finn:

Yeah.

Paula J:

It’s getting harder and harder, isn’t it?

Aidan Finn:

All the time. I’m lucky, my job is learn and then teach. I’m in a lucky position where I can spend a week just reading articles, doing this stuff.

Paula J:

Because that’s your job, yeah?

Aidan Finn:

Yeah. My job is to document and teach.

Paula J:

In security, it’s the same story, like every single day there’s something new
happening. If I’m going for a vacation, I’m like, okay. I will be reading news but only
for that like a little moment. Then I really feel that I’m not informed, and I have to
catch up very quickly to find out what was happening within the past three weeks.

Aidan Finn:

It’s amazing how fast like I have so many little folders in my mail for various
different distribution lists I’m on, and I have thousands of emails to catch up on
from the last six months. My RSS feeds, right now the only one I’m
keeping up with is my cloud. I’m not keeping up with my Windows Server the way I
need to be. I’m not keeping up with System Center and Windows 10.

Paula J:

It’s so many news in that area.

Aidan Finn:

It’s just so much to keep up with.

Paula J:

Well, you see. That’s a good news, at least virtualization is growing, yeah?

Aidan Finn:

Yeah, when you think about there’s so much information out there. It means
there’s more skills required. If you’re getting into the IT business, wherever you are,
the opportunities are there because of the cloud. I mean, this is just such an
amazing time because we really don’t know what’s coming in the future.

Paula J:

No, that’s true.

Aidan Finn:

Things are changing so fast, and it’s truly a global scale as well.

Paula J:

There are a bunch of things that changed in a morning in Azure.

Aidan Finn:

Really? I need to go look.

Paula J:

Yeah, that’s how fast it’s changing. It can surprise you pretty much every day there is something new and you’re like, okay, time to learn.

Aidan Finn:

Yeah, some things I know about and then there’s other things like I should have known about that. Why didn’t I know about that?

A piece of advice for professionals

Paula J:

Yeah. Okay, so we have got this, but what about the professional guys, like the
ones that are already doing a lot of stuff in the infrastructure? Do you have some
advice like what kind of skills should they have, what they should know in their
virtualization to be even better?

Aidan Finn:

Yeah, so the two things I would say that they need to look at are software defined
storage and software defined networking. The Enterprise guys right now, if they’re
doing virtualization, vSphere or Hyper-V, what they’re mainly working with is SAN.
That’s the most expensive way to do disk-

Paula J:

It is.

Aidan Finn:

… and it’s not necessarily the most reliable and because SANs do have crashes.
They do have single points of failure, which is the SAN as a unit, and the software
sometimes does crash and corrupt the data, and yet that … There’s that and it’s
just so expensive to do storage that way.

Paula J:

It is.

Aidan Finn:

That’s why there are zero SANs in the cloud, by the way. It’s all software defined
storage and you can do that yourself, whether you’re doing vSphere or Hyper-V,
they are software defined storage solutions. In Hyper-V what we’ve got is Storage
Spaces and Storage Spaces Direct. There’s a commodity hardware. We can do the
tiered storage thing using NVME, so you’re talking about your half million, million
IOPS per disk.

Paula J:

Which is great, yeah.

Aidan Finn:

Your SSD storage so your 65,000 IOPS per disk, and your traditional HDD, which
gives you 10 terabytes per disk. You can have your cold data on the nice slow cheap
disks, and you can have your operational data on those SSDs or NVME, and you can
have your persistent cache sitting on NVME. You can have amazing performance at
a much lower cost.

Networking side, RDMA for our great performance but software defined
networking gives you the ability to scale out. You’re no longer looking at the
complexities of VLANs. You keep those VLANs for some of the basic infrastructural
things but you start doing your isolation using software defined networking, same
way you would do an AWS or Azure.

In fact, in Windows Server 2016, you’re actually using Azure. The code has been
ported down so you’re using the network controller, you’re using a switch-enabled
team, which enables things like the hardware offloads like RDMA go into
the host through converged networking. We’re going to have some very, very clever, flexible, fast to deploy stuff that doesn’t give you a hairline like me every
time you deploy a new VLAN. It doesn’t make your firewall guys stress out every
time you say, “Listen, we need to deploy a new VLAN,” and the firewall rules
become incredibly more complex. So software defined networking, it’s isolated
networks by default.

Paula J:

It’s quite comfortable to configure it, yeah.

Aidan Finn:

Yeah, I’ve never configured a VLAN in my life and I can do software defined networking so easily.

Paula J:

Just like this, yeah.

Aidan Finn:

What you’re doing on-prem with 2016 is exactly what you would do in Azure.

Paula J:

Oh, that’s good to know. Yeah, so let’s sum up. What we have discussed today with
Aidan are all the new solutions that are within the virtualization and also with
Azure, available for you pretty much immediately because Azure is out there. It’s
just enough to sign up, yeah?

Aidan Finn:

Yeah.

Paula J:

You become familiar with all the newest solutions that are also within the security
so things like virtual VM, virtual TPM, credential guard, and so on. This is all thanks
to virtualization and Hyper-V out there, yeah?

Aidan Finn:

Yeah.

Paula J:

The newest one.

Aidan Finn:

Yeah, the newest one, 2016.

Paula J:

Exactly.

Aidan Finn:

Well, thank you so much for the great interview.

Paula J:

Thanks for the invitation. I enjoyed it.

Aidan Finn:

Yeah, absolutely. If you guys liked it, we really hope that you’re going to have some
questions and so that you can post them in the comment section below our
interview. We are looking forward to them. We hope you like it and that you will
also like our other content related series that we’ve got out there for you. Basically,
see you next time.

Paula J:

Bye.

Aidan Finn:

Bye.
