A Malware and Firewall Protection Solution for the Private Cloud 2008 R2

Note: This article is based on Hyper-V 2.0 and might not apply to Hyper-V 3.0 (Server 2012).

By Leandro Carvalho

Private clouds are becoming increasingly necessary and common in both large and small environments due to the significant benefits delivered by a private cloud. However, administrators often struggle with the application of basic security policies in a private cloud deployment. These include firewall, antivirus and antispyware policies.

An example is a private cloud infrastructure containing multiple virtual machines for different types of networks, services or even clients. This infrastructure needs to have strong security policies applied. Each of these elements needs isolation and individual policies and rules that are in accordance with business requirements. Even if you have a private cloud only for your local VMs, you sometimes need different security configuration settings for lab networks, production networks, external servers, etc. Host-based firewalls and antivirus will not help you to protect all virtual machines in your private cloud.

I’ve identified a potentially useful solution to many of these security issues in the Microsoft Private Cloud: V-Firewall for Microsoft Hyper-V. This tool consists of a management console and one agent per host, and it helps you apply important security policies based on your requirements. It also includes other features such as a Heartbeat Service and Bandwidth Throttling.

With a single, easy-to-use console and an intuitive installation, the V-Firewall offers centralized management of your entire virtual environment to implement such policies, as you can see in figure 1.

Figure 1 – V-Firewall Console


As I mentioned earlier, in large private cloud deployments it can be challenging to manage the firewall for virtual machines with different network configuration requirements. However, with the V-Firewall, this job is easy! At the time that I write this, the V-Firewall is the only solution available that provides a dedicated firewall tool for virtual machines in Hyper-V.

The firewall rules include the following configuration options:

  • ARP Rule
  • IP Rule
  • Broadcast Rule
  • Default Gateway Rule

Figure 2 – Rules Type

With these rules it is possible to create and apply policies that block or allow almost any traffic, whether inbound, outbound or in both directions.

All rules can be applied to a single virtual machine, a group of VMs, or to all VMs (Global Configuration). This last option is great for administrators who want to create a firewall rule for multiple VMs with a few clicks, as shown in figure 3.

In addition to the rules, it is also possible to monitor, in real time, the traffic that the policies have allowed or denied (figure 1).

Figure 3 displays a rule to allow ICMP for a group of VMs from a certain location.

Figure 3 – New ICMP Rule

For those who like automation and command-line configuration, the V-Firewall supports a number of commands through PowerShell. You can perform the most common configuration tasks either through the GUI or with PowerShell cmdlets.

To use the PowerShell cmdlets, simply import the V-Firewall snap-in with the command `Add-PSSnapin RulesAPI`. Several commands then become available, such as:

  • Add-ARP-Rule
  • Add-BroadcastIP-Rule
  • Add-IP-Rule
  • Set-Heartbeat
  • Set-VMMonitoring
  • Get-Heartbeat
  • Get-LogRecords
  • Get-Rules
  • Get-VMMonitoring
  • Remove-Rule
  • Reset-Rules
  • Set-Rule

Figure 4 shows how to add a rule to allow RDP protocol to a specific VM:

Figure 4 – Cmdlet to allow RDP

In figure 5, you can see how to create an ARP rule for another VM.

Figure 5 – Cmdlet to allow ARP


The antivirus and antispyware protection uses the Sophos engine and can scan the VMs at random, based on their workload and resource utilization to ensure that the AV/AS does not create any problems in the VM’s performance.

Figure 6 – Antivirus Option

The options offered by the antivirus are somewhat limited, but it is possible to do some basic customization. In figure 7 you can see an antivirus schedule configuration:

Figure 7 – Antivirus Schedule

Heartbeat Service

The Heartbeat Service checks the VMs according to the rules specified to make sure the firewall and other policies are being applied. If the service finds any problems in applying these rules, it may stop or pause the VM to ensure that its safety is not compromised. This is consistent with a “fail closed” approach to security.

Figure 8 – Heartbeat Service Parameters

Bandwidth Throttling

In scenarios where virtual machines share the same physical network card, or where you have a VM that needs limited network bandwidth, you can apply rules to limit the network bandwidth available to the VM and ensure that there are no network bottlenecks.

Figure 9 – Bandwidth Policy

So if you have a group of host computers running Hyper-V and you need to apply antivirus updates, firewall policies and other configuration, you have seen that V-Firewall may help you to address these policies.

For more information, access the website http://www.5nine.com/hyper-v-virtual-firewall2.aspx

Leandro Carvalho
MCSA+S+M| MCSE+S | MCTS | MCITP | MCBMSS | MCT | MVP Virtual Machine
BetterTogether | MSVirtualization | Winsec.org| LinhadeCodigo | MVP Profile
Twitter: LeandroEduardo | LinkedIn: Leandroesc

Tom Shinder
Principal Knowledge Engineer, SCD iX Solutions Group
Follow me on Twitter: http://twitter.com/tshinder

  • Fernando Lugão Veltem edited Revision 5. Comment: added toc

  • Danny van Dam edited Revision 7. Comment: added note about that this might not apply to Hyper-V 3.0

  • Thomas W Shinder - MSFT edited Original. Comment: added pics

  • Thomas W Shinder - MSFT edited Revision 1. Comment: added graphics

  • Thomas W Shinder - MSFT edited Revision 2. Comment: Added byline

  • Nice and very useful article

  • As far as antivirus, is it possible to add exceptions? I can't imagine using this (otherwise great) tool in our production if Exchange, DC, SQL,... exceptions are not possible.
