Review: Microsoft Windows Server 2016 steps up security, cloud support

The new OS bakes in advanced features for security and software-defined networking

Page 3 of 4

Security improvements with SDN

One of the advantages of going to SDN is security, because virtualizing the network infrastructure introduces additional layers of defense that can thwart attacks. The first layer is virtual network isolation; if an attacker managed to penetrate the physical infrastructure but was not part of the virtual network, the attack would not proceed. If the attacker does manage to attach himself to a virtual network, you as the administrator can deploy a distributed firewall as well as a network security group, which are essentially policies that will stall him at that layer. You can even inject virtual security appliances into your network to further filter attacks, providing multiple layers of security defense.

Windows Server 2016 supports all of this: You can create a network security group associated with a group of VMs -- so that new VMs added to the group automatically inherit the settings without further configuration -- and give it a policy that says, for instance, that only port 443 is open on this group and that only the internet can talk to it, while also saying that the internet can't talk to any other network security group.

This allows you to segment the network dynamically, on the fly, to meet evolving security needs. (For container fanatics, note that in Server 2016 you can associate these policies with container endpoints as well.) You can also create user-defined routes to send tenant traffic through virtual appliances; this is how you inject a virtual appliance into the traffic flow to further defend against malfeasance. You don't have to change these virtual appliances to work with Server 2016, and all of the appliances that work in Azure will transfer over to work in Windows Server on-premises.
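The "only port 443, only from the internet" policy described above, expressed as a Network Controller access control list and attached to a virtual subnet so that VMs placed there later inherit it. This is an added example, not code from the article or from Microsoft's documentation; it assumes the NetworkController PowerShell module is installed, that the cmdlet and .NET class names below are the module's (they are the ones the author of this example knows from Windows Server 2016), and that `$ncUri` and the "Tenant-VNet" resource are placeholders for your own environment.

```powershell
# Placeholder: the Network Controller REST endpoint for your deployment.
$ncUri = "https://nc.example.invalid"

# Helper that builds one ACL rule; every field here is an assumption about
# the Microsoft.Windows.NetworkController.AclRuleProperties type.
function New-AclRule {
    param(
        [string]$Name, [string]$Type, [string]$Action, [string]$Protocol,
        [string]$SrcPrefix, [string]$DstPrefix,
        [string]$SrcPorts, [string]$DstPorts, [int]$Priority
    )
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Type = $Type; $p.Action = $Action; $p.Protocol = $Protocol
    $p.SourceAddressPrefix = $SrcPrefix; $p.DestinationAddressPrefix = $DstPrefix
    $p.SourcePortRange = $SrcPorts; $p.DestinationPortRange = $DstPorts
    $p.Priority = "$Priority"; $p.Logging = "Enabled"   # log hits for detection
    $r = New-Object Microsoft.Windows.NetworkController.AclRule
    $r.ResourceId = $Name; $r.Properties = $p
    return $r
}

# Lower priority number wins, so the explicit allow is evaluated before the
# deny-all. Without the deny-all the "only 443" intent is not enforced.
$rules = @(
    (New-AclRule -Name "Allow-HTTPS-In" -Type "Inbound"  -Action "Allow" -Protocol "TCP" `
        -SrcPrefix "*" -DstPrefix "*" -SrcPorts "0-65535" -DstPorts "443"     -Priority 100),
    (New-AclRule -Name "Deny-All-In"    -Type "Inbound"  -Action "Deny"  -Protocol "All" `
        -SrcPrefix "*" -DstPrefix "*" -SrcPorts "0-65535" -DstPorts "0-65535" -Priority 200),
    (New-AclRule -Name "Allow-All-Out"  -Type "Outbound" -Action "Allow" -Protocol "All" `
        -SrcPrefix "*" -DstPrefix "*" -SrcPorts "0-65535" -DstPorts "0-65535" -Priority 100)
)

$aclProps = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
$aclProps.AclRules = $rules
$acl = New-NetworkControllerAccessControlList -ConnectionUri $ncUri `
           -ResourceId "HttpsOnly-ACL" -Properties $aclProps -Force

# Bind the ACL to the first subnet of a tenant virtual network. Every NIC on
# that subnet, including VMs added afterwards, picks up the rules.
$vnet = Get-NetworkControllerVirtualNetwork -ConnectionUri $ncUri -ResourceId "Tenant-VNet"
$vnet.Properties.Subnets[0].Properties.AccessControlList = $acl
New-NetworkControllerVirtualNetwork -ConnectionUri $ncUri -ResourceId $vnet.ResourceId `
    -Properties $vnet.Properties -Force
```

Keeping the rules that block the internet from reaching other groups in a separate ACL bound to those subnets keeps each policy small enough to review.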

Even better, you can turn on port mirroring to mirror tenant traffic: Inbound and outbound packets on any given port on a virtual switch can be mirrored to a virtual appliance, and a single appliance has the capability to serve multiple ports.

Other minor networking improvements

Other improvements to the networking stack in Windows Server 2016 include:

    • Support for virtual machine multiqueue, or VMMQ, to get 40G Ethernet performance directly into a virtual machine with almost no overhead. This works with both Windows and Linux guests.
    • Support for converged NICs, where traffic from both the data network and the storage network can sit simultaneously on two teamed NICs rather than the four teamed NICs this kind of setup required before. You can now also set quality of service (QoS) thresholds on storage performance so that, for example, a live migration of a virtual machine at 40G on a converged NIC's storage "side" doesn't take down the compute and data network with it.

The verdict on SDN

Software-defined networking is obviously the destination where networks are heading over the next five to 10 years. The improvements to management, flexibility and security are just too hard to ignore, even putting aside the difficulty in fully deploying SDN-capable infrastructure at the start. As the hybrid cloud becomes real for more and more businesses, and as networks become more capable and hardware gets refreshed, I think there is real technical goodness within Windows Server 2016 to be able to usher in this new era of network virtualization.

Storage Spaces Direct (S2D)

Storage vendors have, to put it mildly, been ripping off IT budgets for years now, with, among other things, special gold-plated enclosures for super-disks that are marked up 30x over the retail price of a typical solid state drive or spinning disk. The move to the cloud, however, has accentuated the need for fast, accessible storage using commodity components.

In Windows Server 2016, Microsoft is debuting Storage Spaces Direct. This role turns a four-node cluster -- with directly attached commodity disks you could buy at Best Buy if you wanted to -- into a lean, mean storage machine with fault tolerance and a great deal of headroom if you buy the right networking components.

From a hardware standpoint, for each machine in the cluster you just need regular solid state drives or spinning hard disk drives and NICs that support RDMA, a protocol for increasing the performance of remote storage operations. Only one network switch per cluster is needed because all the machines connect directly to it.

Put all of that together in a four-node cluster, and then use a really simple PowerShell command -- literally a couple of cmdlets to first create and then add nodes to your storage cluster -- and watch as Windows Server 2016 automatically figures out what drives you have, sets up hot and cold tier caching and storage, and stripes data for maximum fault tolerance.

As you add nodes, simply run a PowerShell cmdlet and Windows will do all of the heavy lifting for you, adding the storage capacity by itself. There are also simple management tools built in so you can hot-swap drives to do repairs without bringing down the whole cluster. Best of all, it performs brilliantly -- Intel just released a reference configuration that achieved one million I/O operations per second.
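The "couple of cmdlets" workflow the two paragraphs above describe, from validating the four nodes through creating the cluster, enabling S2D, carving out a volume and later adding a fifth node. This is an added example, not the article's or Microsoft's own script; node names, the cluster name, the address and the volume size are placeholders, and it assumes the Failover Clustering feature is installed on every node and that each node's local drives are blank and eligible.

```powershell
# Placeholders for the four nodes the article describes.
$nodes = "S2D-N1", "S2D-N2", "S2D-N3", "S2D-N4"

# Validate before building: the "Storage Spaces Direct" test set checks the
# local disks, NICs and RDMA configuration that S2D depends on.
Test-Cluster -Node $nodes -Include "Storage Spaces Direct", "Inventory", "Network", "System Configuration"

# Create the cluster with no shared storage; S2D pools the local disks instead.
New-Cluster -Name "S2D-Cluster" -Node $nodes -NoStorage -StaticAddress "10.0.0.50"

# Claim the eligible drives on every node, build the pool and set up the
# automatic cache tier (hot/cold tiering) the article mentions.
Enable-ClusterStorageSpacesDirect -CimSession "S2D-Cluster" -Confirm:$false

# Carve out a ReFS-formatted cluster shared volume for VMs; resiliency is
# chosen automatically for a pool of this size (mirrored on four nodes).
New-Volume -CimSession "S2D-Cluster" -FriendlyName "VMs01" -FileSystem CSVFS_ReFS `
    -StoragePoolFriendlyName "S2D*" -Size 2TB

# Verify what was claimed: cache devices show Usage = Journal, capacity
# devices show Usage = Auto-Select.
Get-PhysicalDisk -CimSession "S2D-Cluster" |
    Select-Object FriendlyName, MediaType, Usage, Size, HealthStatus

# Later growth: add a node and the pool absorbs its drives on its own.
Add-ClusterNode -Cluster "S2D-Cluster" -Name "S2D-N5"
```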

If you're due for a SAN refresh or you are in the market for more disk capacity, then do yourself a favor and check out Storage Spaces Direct.

Hardening Windows Server to breaches

It's a fact: Hack attacks have evolved over time. It started, generally speaking, with unsophisticated script kiddies in their youth, then it morphed into organized crime when IT became normal in the corporate world. Recently, with the Edward Snowden revelations and examination of really complex malware found out in the wild, we find that now nation-states and terror groups that are very sophisticated and well resourced are involved in attacks.

As attacks have evolved, one thing has stayed the same: The security perimeter you cared about was the edge of your network. The wild west of the internet on the other side of your firewall was not to be trusted, while the network you ran within the (relatively) safe confines of your firewall was made up of good guys with good machines that did little harm. You VPNed into your corporate network from the outside to access secure resources, and if you weren't on campus and weren't on the VPN, your IT resources were invisible. They simply disappeared, out of your reach.

As technology has matured, the edge of the network is no longer the perimeter that really matters. With features like DirectAccess, Outlook Anywhere, server publishing, reverse proxies and more, in a corporate environment that is configured properly, one can access everything now with SSL and perhaps two-factor authentication. The edge that really matters, the perimeter we need to secure in this generation, is actually identity. More specifically, the identity of the administrator.

Most attacks these days involve somehow abusing and misusing administrative privilege. It may even begin with harvesting low-end credentials and then escalating attacks to attempt to continue to raise the privilege from normal "peon" user to administrator. The fact remains that we still live in an operating system world where there is a single user, the administrator, who can access (read: compromise) all of the assets within that system.

When you're talking about one or two systems, that is a bad outcome -- but not a disaster. But now virtualization has brought us systems that run other systems as simple files on disk, and that means the administrator on the host can compromise all of the guests. Moreover, virtualization has brought us the cloud, where we have multiple hosts running tens or hundreds of guests, and the guests may even represent different organizations if you're into multitenancy. An administrator on the cloud fabric can compromise all of the guests, and when it comes to the public cloud, the trust boundary between tenants and service providers is fragile.

Protecting the virtualization fabric that undergirds data centers and private and public clouds involves protecting access to bare metal machines. With physical servers, again, only the server administrator has that access -- bad, certainly, but more limited. With virtual machines, the server administrator, storage administrator, network administrator, backup operator and fabric administrator all have access, because a VM is just a couple of files. That's where shielded virtual machines come in.
