Configuring Port ACLs in Windows Server 2012 Hyper-V Virtual Machine
ACLs (Access Control Lists) are essentially a list of permit or deny statements that control network access in order to enforce a security policy. ACLs are an integral part of an end-to-end security solution. Windows Server 2012 Hyper-V introduces a new feature called Port ACLs. Using Port ACLs, rules can be applied to a Hyper-V switch port. The rules specify whether packets are allowed or denied on their way into or out of the VMs. Port ACLs therefore act like Cisco router ACLs, where we define the direction, address and action for each network rule. However, Windows Server 2012 Hyper-V Port ACLs cannot block network traffic based on source and destination TCP/UDP ports; they filter on IP and MAC addresses only. For port-based filtering we have to install third-party software, such as 5NINE, on the Hyper-V host. Port ACLs in Hyper-V are configured with PowerShell; there is currently no GUI (Graphical User Interface) for them.
There are three available cmdlets to configure Port ACLs in Hyper-V.
1. Get-VMNetworkAdapterAcl — View the existing ACLs
2. Add-VMNetworkAdapterAcl — Add the new ACLs
3. Remove-VMNetworkAdapterAcl — Remove the existing ACLs
In Kathmandu lab scenario:
- LEG-VM1 will be accessed only from Legal Dept. network (192.168.9.0/24)
- Block access to LEG-VM1 from HR Dept. network (192.168.11.0/24) and Admin Dept. single IP Address (192.168.10.98)
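The Kathmandu lab scenario above, carried out with the three cmdlets as an added PowerShell example (this script is not from the original article; the VM name LEG-VM1 and the subnets are taken from the scenario, the function names are my own). It relies on two behaviours of Hyper-V Port ACLs worth knowing before you apply them: rules are stateless, and when several rules match a packet the one with the longest (most specific) address prefix wins, so a broad "deny from Any" baseline can be punched through by a narrower "allow from 192.168.9.0/24".

```powershell
# Added example for the lab scenario: restrict LEG-VM1 to the Legal Dept. network.
# Assumptions: run in an elevated PowerShell session on the Hyper-V host with the
# Hyper-V module loaded; the VM is named LEG-VM1 (from the scenario).
$VMName = 'LEG-VM1'

# The ACL set, written once so that apply, rollback and review all use the same
# definitions. Remove-VMNetworkAdapterAcl needs the identical parameters to find a rule.
$PortAcls = @(
    # Baseline: drop every inbound packet (longest-prefix match lets the allow below override it).
    @{ RemoteIPAddress = 'Any';             Direction = 'Inbound'; Action = 'Deny'  },
    # Legal Dept. network is the only network allowed to reach LEG-VM1.
    @{ RemoteIPAddress = '192.168.9.0/24';  Direction = 'Inbound'; Action = 'Allow' },
    # Explicit blocks from the scenario, in both directions so no traffic flows either way.
    @{ RemoteIPAddress = '192.168.11.0/24'; Direction = 'Both';    Action = 'Deny'  },
    @{ RemoteIPAddress = '192.168.10.98';   Direction = 'Both';    Action = 'Deny'  }
)

function Set-LegVmPortAcl {
    # Apply all rules. Without -VMNetworkAdapterName the ACL is attached to every
    # adapter of the VM; add that parameter if LEG-VM1 has more than one NIC.
    foreach ($Rule in $PortAcls) {
        Add-VMNetworkAdapterAcl -VMName $VMName `
            -RemoteIPAddress $Rule.RemoteIPAddress `
            -Direction $Rule.Direction `
            -Action $Rule.Action
    }
}

function Remove-LegVmPortAcl {
    # Roll back: each rule is removed by re-supplying the same parameters it was added with.
    foreach ($Rule in $PortAcls) {
        Remove-VMNetworkAdapterAcl -VMName $VMName `
            -RemoteIPAddress $Rule.RemoteIPAddress `
            -Direction $Rule.Direction `
            -Action $Rule.Action
    }
}

function Show-LegVmPortAcl {
    # Review what is actually enforced on the switch port after a change.
    Get-VMNetworkAdapterAcl -VMName $VMName |
        Format-Table VMName, Direction, Action, LocalAddress, RemoteAddress -AutoSize
}

Set-LegVmPortAcl
Show-LegVmPortAcl
# Remove-LegVmPortAcl   # uncomment to undo the whole set
```

The baseline deny is what turns "allow Legal" into "allow only Legal"; without it, the two explicit deny rules would be the only restriction and every other network would still reach the VM. Because the rules are stateless and only the inbound direction is denied by default, LEG-VM1 can still initiate connections outward (for example to DNS or Active Directory) and receive the replies; if the VM should be fully isolated, change the baseline to -Direction Both. Run Show-LegVmPortAcl after every change and keep the output with the change record, since there is no GUI to fall back on.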
5NINE software Console
With Port ACLs, we have a basic virtual firewall for virtual machines. For granular (port- and protocol-level) filtering of virtual machines, we need the 5nine software.