The absolute explosion of VDI deployments recently is driving security teams nuts. Everyone is scrambling to figure out which VDI solution is the most secure, what security features they have and most importantly how can I securely roll out VDI.
I couldn't find a comprehensive security review of the two big players in this space (citrix and vmware) so I decided to do my own research and write it up. My two biggest concerns with type 2 VDI clients (those that run on a host OS and not bare metal) are keyboard loggers and malware that does screen scrapes. If these two things are running on the host OS that is running a VDI session then you've got a security breach on your hands. Of course there are lots of other security concerns with VDI but those are the two I most worry about. Some others are mapping infected local drives into the VDI client, malware that can hijack the VDI session, infected USB device mapping into VDI client, allowing anything that maps to a local device driver like printers, graphics card, HDD, etc. Device drivers are a favorite attack vector of the determined hacker.
Here is a matrix that compares the security features of XenDesktop 5 and View 4.6:
|Security Feature||VMWare View 4.6||Citrix XenDesktop 5|
|Client Authentication Methods|| Active Directory
Kerberos Realm in mixed AD/MIT Kerberos environments
| Active Directory
Kerberos Realm in mixed AD/MIT Kerberos environments
|Support for 2-factor authentication?||Yes||Yes|
|Control redirection/mapping of local host hard drives||Yes||Yes|
|Control Host Clipboard redirection for text copy/paste||Yes||Yes|
|Control Host Clipboard redirection for files and folders?||No, files and folders cannot be copied between host and view using PCoIP||Yes|
|Full Screen only mode with no toggle to local host OS||Yes, but only with hardware thin client||Yes, but only with type 1 deployment|
|Single sign-on support||Yes||Yes|
|Granular USB redirection control||No, just basic usb redirect on or off||Yes, very granular criteria including: VID, PID, REL, Class, SubClass, Prot tags in the USB device descriptor field|
|Alow Read-only access to USB Hard drives||No, but you can use GPO MSFT policies to accomplish this||Yes, very granular criteria including: VID, PID, REL, Class, SubClass, Prot tags in the USB device descriptor field|
|Communication Protocol Used||RDP or PCoIP||ICA|
|Are communications encrypted natively||Yes, if using PCoIP to a Windows 2008 security server. AES 128-bit SSL||Yes, if connecting to a Citrix security gateway. AES 128-bit SSL|
|VDI communications can run over a 3rd party SSLVPN connection?||Yes||Yes|
|VDI can USB sync iOS devices like iPhone and iPad||Yes||Yes|
|Ability to run VDI client in offline or local mode||Yes, as a type 2 hypervisor (i.e. application on an existing OS)||Yes, as a type 1 bare metal hypervisor (i.e. boot directly into VDI client) The install of XenClient offline mode requires you to destroy or overwrite your current host OS. It also requires hardware virtualization found only on Intel vPro family of CPU's. The benefit is that it has better performance because it is access the hardware directly and not through a guest OS like a type 2 hypervisor. The potential drawback is that it dedicates that host to being just a XenClient unless you enable dual booting. In some cases this is actually a plus since it solves the security issues that come with having a guest OS that VDI runs on top off.|
|Ability to manage offline VDI clients||Yes, you can also force the user to periodically check-in their VDI so it is properly backed up and updated.||No, but automated backups are performed by the client|
|Ability to encrypt VDI files and folders on the guest OS||Yes||Yes, called XenVault. Uses up to 256-bit AES encryption. Can be wiped centrally/remotely if needed|
|Lockout VDI if communication to server is lost for X time period?||Yes||Unknown|
|Microsoft Active Directory is required for policy settings of VDI?||No||Yes|
|Control mapping to host drives||Yes, RDP only||Yes|
|Built-in bandwidth protocol management||Yes, using PCoIP||Yes, Limit bandwidth per session|
|Restrict access based on time/location/device type||No||Yes|
|Restrict VDI functionality based on time/location/device type||No||Yes|
|FIPS 140-2 Compliant||Yes||Yes|
|VDI Security Best Practices Whitepaper Published||Yes||Yes|
|Embedded firewall at VDI headend||Yes, vShield||Yes, Citrix Secure Gateway|
|VDI Anti-virus offload to virtual appliance||Yes, vShield Endpoint required. Removes requirement for AV clients on each VDI host.||Yes, using integration with Mcafee MOVE A/V. Removes requirement for AV clients on each VDI host|
|Supports multiple AD forests and multiple AD domains||Yes||Yes|
As you can see, both vendors have compelling offers with their own strengths and weaknesses. I don't see a huge security advantage of one over the other. Instead, your choice will depend on your specific requirements more than anything else. Technology changes rapidly, especially in the VDI space, so be sure to validate what I have here with other sources or the vendors themselves. If you see something that has become no longer true please post a comment and I will update this posting. If you know of some security comparisons I should have included please post them as well.
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
More from Jamey Heary:
* Credit Card Skimming: How thieves can steal your card info without you knowing it
* Google Nexus One vs. Top 10 Phone Security Requirements
* Why you should always shred your boarding pass
* Video rental records are afforded more privacy protections than your online data
* The truth about new SSL attacks
* 2009 Top Urban Legends in IT Security/a>
Go to Jamey’s Blog for more articles on security.
Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council- Board of Advisors where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.
Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.