Hey Checkyourlogs Fans,

Just a quick post tonight from a case that I was working on today for a customer. They had a special requirement to lock down their Hyper-V (Storage Spaces Direct) hosts on secure networks. These networks are going to have two-node Storage Spaces Direct clusters built that will contain PCI data (credit card info) for storage terminals.

There were several ways that we were looking at locking down this traffic to the host management network. A couple of them were IPsec, Windows Firewall and others. What we were playing around with tonight should do the trick. It turns out you can fully configure port-based ACLs on the Hyper-V switch and the associated virtual adapters in the management OS by using: Add-VMNetworkAdapterAcl -ManagementOS

Below is a screenshot of it in action. The host I ran this from is a Windows 10 machine in my test lab with Hyper-V installed. It has an External Virtual Switch configured and a virtual adapter for the management network (ManagementOS).

We have a remote Hyper-V host located at 10.10.2.66, and I wanted to build an ACL that prevented all traffic in both directions to and from this host.

Here is the order of events that I used for testing.

1. Opened a Command Prompt and ran ping 10.10.2.66 -t
2. Checked whether any ACLs already existed on the virtual adapter
3. Set the ACL to prevent traffic in both directions on 10.10.2.66/24 (DENY)
4. Validated the new ACLs
5. Removed the ACLs
6. Restarted the network adapter
7. Verified traffic

Here is the PowerShell code I used to test this:

# Check whether any ACLs already exist on the management OS vNIC
Get-VMNetworkAdapter -ManagementOS -Name ext* | Get-VMNetworkAdapterAcl
# Deny traffic in both directions to/from the remote range (note the /16 prefix length)
Get-VMNetworkAdapter -ManagementOS -Name ext* | Add-VMNetworkAdapterAcl -RemoteIPAddress 10.10.2.66/16 -Direction Both -Action Deny -Verbose
# Validate the new ACL
Get-VMNetworkAdapter -ManagementOS -Name ext* | Get-VMNetworkAdapterAcl
# Remove the ACL again
Get-VMNetworkAdapter -ManagementOS -Name ext* | Get-VMNetworkAdapterAcl | Remove-VMNetworkAdapterAcl -Verbose
# Confirm nothing is left on the port
Get-VMNetworkAdapter -ManagementOS -Name ext* | Get-VMNetworkAdapterAcl
# Restart the vEthernet adapter so traffic resumes
Get-NetAdapter -Name "vEthernet (External)" | Restart-NetAdapter
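The same order of events wrapped into one function, as an added example rather than the post's own script: it scopes the deny to a /32 so only 10.10.2.66 is blocked (the /16 above would deny the whole 10.10.0.0/16 range, cluster peers included), supports -WhatIf, verifies what is actually on the port with Get-VMNetworkAdapterAcl and Test-Connection, and rolls back with -Remove. The 'ext*' adapter pattern, the "vEthernet (<name>)" naming and the RemoteAddress property name are assumptions taken from the lab described above.

```powershell
# Added example (not from the original post). Assumes the management OS vNIC is
# named like 'ext*' and shows up as "vEthernet (<name>)", as in the post's lab.
function Set-ManagementHostBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$RemoteHost,    # e.g. 10.10.2.66
        [string]$AdapterName = 'ext*',
        [switch]$Remove                               # roll the rule back
    )
    $adapters = Get-VMNetworkAdapter -ManagementOS -Name $AdapterName
    if (-not $adapters) { throw "No management OS vNIC matches '$AdapterName'" }

    # /32 scopes the deny to exactly one host. A /16 (as in the test above)
    # would deny all of 10.10.0.0/16, which in a cluster includes the peers.
    $prefix = "$RemoteHost/32"

    foreach ($nic in $adapters) {
        if ($Remove) {
            # RemoteAddress is assumed to be the property Get-VMNetworkAdapterAcl
            # reports for -RemoteIPAddress rules; check it against your output.
            $nic | Get-VMNetworkAdapterAcl |
                Where-Object { $_.Action -eq 'Deny' -and $_.RemoteAddress -like "$RemoteHost*" } |
                Remove-VMNetworkAdapterAcl -Verbose
            # The post restarted the vNIC after removal; do the same here.
            Get-NetAdapter -Name "vEthernet ($($nic.Name))" -ErrorAction SilentlyContinue |
                Restart-NetAdapter
        }
        elseif ($PSCmdlet.ShouldProcess($nic.Name, "Deny both directions to $prefix")) {
            $nic | Add-VMNetworkAdapterAcl -RemoteIPAddress $prefix -Direction Both -Action Deny -Verbose
        }

        # Verify what is actually on the port now, independent of what we asked for.
        $nic | Get-VMNetworkAdapterAcl | Where-Object { $_.Action -eq 'Deny' } |
            ForEach-Object {
                [pscustomobject]@{
                    Adapter   = $nic.Name
                    Direction = $_.Direction
                    Action    = $_.Action
                    Remote    = $_.RemoteAddress
                }
            }
    }

    # Expect $false while the deny rule is in place and $true after -Remove.
    $reachable = Test-Connection -ComputerName $RemoteHost -Count 2 -Quiet
    Write-Verbose "ICMP to $RemoteHost reachable: $reachable"
}

# Apply, verify, then roll back, mirroring the post's order of events.
Set-ManagementHostBlock -RemoteHost 10.10.2.66 -Verbose
Set-ManagementHostBlock -RemoteHost 10.10.2.66 -Remove -Verbose
```

A port ACL only filters traffic crossing that vSwitch port, so on a PCI-scoped host it complements, rather than replaces, the host firewall and IPsec options mentioned above.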

I hope you enjoyed reading this.

Thanks,

Dave