VDI Security Comparison: Citrix XenDesktop and VMware View

A look at the security features that matter and who has them

By jheary on Fri, 04/15/11 - 10:36pm.

The explosion of VDI deployments recently is driving security teams nuts. Everyone is scrambling to figure out which VDI solution is the most secure, what security features each one has, and, most importantly, how to roll out VDI securely.
I couldn't find a comprehensive security review of the two big players in this space (Citrix and VMware), so I decided to do my own research and write it up. My two biggest concerns with type 2 VDI clients (clients that run as an application on a host OS rather than on bare metal) are keyboard loggers and screen-scraping malware. If either of these is running on the host OS that carries the VDI session, you've got a security breach on your hands: keystrokes and screen contents are captured on the endpoint before the VDI protocol ever encrypts them, so the isolation the virtual desktop was supposed to provide is gone. There are plenty of other security concerns with VDI, but those are the two I worry about most. Others include mapping infected local drives into the VDI session, malware that hijacks the VDI session, mapping infected USB devices into the session, and anything that maps through a local device driver (printers, graphics card, HDD, etc.). Device drivers are a favorite attack vector of the determined attacker.

Here is a matrix that compares the security features of XenDesktop 5 and View 4.6:

| Security Feature | VMware View 4.6 | Citrix XenDesktop 5 |
|---|---|---|
| Client authentication methods | Active Directory; Kerberos realm in mixed AD/MIT Kerberos environments; RSA SecurID; X.509 certificate | Active Directory; Kerberos realm in mixed AD/MIT Kerberos environments; RSA SecurID; X.509 certificate |
| Support for two-factor authentication? | Yes | Yes |
| Control redirection/mapping of local host hard drives | Yes | Yes |
| Control host clipboard redirection for text copy/paste | Yes | Yes |
| Control host clipboard redirection for files and folders? | No; files and folders cannot be copied between host and View desktop over PCoIP | Yes |
| Full-screen-only mode with no toggle to the local host OS | Yes, but only with a hardware thin client | Yes, but only with a type 1 (XenClient) deployment |
| Single sign-on support | Yes | Yes |
| Granular USB redirection control | No, just a basic USB redirect on/off switch | Yes, very granular: rules can match the VID, PID, REL, Class, SubClass and Prot fields of the USB device descriptor |
| Allow read-only access to USB hard drives | No, but Microsoft Group Policy inside the desktop can accomplish this | Yes, using the same granular matching on VID, PID, REL, Class, SubClass and Prot |
| Communication protocol used | RDP or PCoIP | ICA |
| Are communications encrypted natively? | Yes, if using PCoIP through a View Security Server (Windows Server 2008); AES-128 over SSL | Yes, if connecting through a Citrix Secure Gateway; AES-128 over SSL |
| VDI communications can run over a third-party SSL VPN connection? | Yes | Yes |
| VDI can USB-sync iOS devices such as iPhone and iPad | Yes | Yes |
| Ability to run the VDI client in offline or local mode | Yes, as a type 2 hypervisor (an application on an existing OS) | Yes, as a type 1 bare-metal hypervisor (XenClient; boot directly into the VDI client). See the note below. |
| Ability to manage offline VDI clients | Yes; you can also force the user to check the desktop in periodically so it is properly backed up and updated | No, but the client performs automated backups |
| Ability to encrypt VDI files and folders on the guest OS | Yes | Yes (XenVault): up to AES-256; can be wiped centrally/remotely if needed |
| Lock out the VDI if communication to the server is lost for X time period? | Yes | Unknown |
| Microsoft Active Directory required for VDI policy settings? | No | Yes |
| Control mapping to host drives | Yes, RDP only | Yes |
| Built-in bandwidth/protocol management | Yes, using PCoIP | Yes, limit bandwidth per session |
| Restrict access based on time/location/device type | No | Yes |
| Restrict VDI functionality based on time/location/device type | No | Yes |
| IPv6 support | No | No |
| FIPS 140-2 compliant | Yes | Yes |
| VDI security best-practices whitepaper published | Yes | Yes |
| Embedded firewall at the VDI headend | Yes, vShield | Yes, Citrix Secure Gateway (an SSL proxy in front of the farm) |
| VDI anti-virus offload to a virtual appliance | Yes; requires vShield Endpoint. Removes the need for an AV agent in each virtual desktop | Yes, via integration with McAfee MOVE AV. Removes the need for an AV agent in each virtual desktop |
| Supports multiple AD forests and multiple AD domains | Yes | Yes |

Note on XenClient offline mode: installing XenClient requires you to wipe or overwrite the current host OS, and it requires hardware virtualization support (Intel VT-x/VT-d, found in the vPro family of CPUs). The benefit is better performance, because it accesses the hardware directly rather than through a host OS the way a type 2 hypervisor does. The potential drawback is that it dedicates the machine to XenClient unless you enable dual booting. In some cases this is actually a plus, since it removes the security issues that come with running VDI on top of a general-purpose host OS.
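
To make concrete what the "granular USB redirection control" row is describing, here is an added example, written for this post and not taken from Citrix or VMware: a small policy evaluator that matches devices on the VID, PID, REL, Class, SubClass and Prot descriptor fields, applies first-match-wins, and denies any device no rule mentions. The rule syntax, the placeholder VID/PID values and the device records are all constructed for the example. A policy consisting of just `ALLOW:` behaves like the on/off redirect in the View column; the longer policy shows why a class-wide mass-storage deny is the more useful control.

```python
"""Illustrative USB redirection policy evaluator (added example).

This is not Citrix or VMware code. It mimics the kind of granular USB
filtering described in the matrix, where rules match the VID, PID, REL,
Class, SubClass and Prot fields of a USB device descriptor. The rule
syntax, the VID/PID values and the device records are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# USB-IF class codes used in the sample policy.
USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
USB_CLASS_SMART_CARD = 0x0B
USB_CLASS_VIDEO = 0x0E


@dataclass(frozen=True)
class UsbDevice:
    """The descriptor fields a redirection policy can match on."""
    name: str
    vid: int        # idVendor
    pid: int        # idProduct
    rel: int        # bcdDevice (device release number)
    dev_class: int  # bDeviceClass (bInterfaceClass for composite devices)
    subclass: int   # bDeviceSubClass
    prot: int       # bDeviceProtocol


@dataclass
class Rule:
    action: str             # "ALLOW" or "DENY"
    fields: Dict[str, int]  # UsbDevice attribute -> required value


# Rule keyword -> UsbDevice attribute. Anything else is a policy error.
_FIELD_MAP = {"VID": "vid", "PID": "pid", "REL": "rel",
              "CLASS": "dev_class", "SUBCLASS": "subclass", "PROT": "prot"}


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one line such as 'DENY: Class=08 SubClass=06 Prot=50'.

    Values are hex, as printed in USB descriptors. Text after '#' is a
    comment. Unknown keywords raise instead of being skipped, so a typo
    cannot silently turn a DENY into a rule that matches nothing.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    action, sep, rest = line.partition(":")
    action = action.strip().upper()
    if not sep or action not in ("ALLOW", "DENY"):
        raise ValueError(f"bad rule: {line!r}")
    fields: Dict[str, int] = {}
    for token in rest.split():
        key, _, value = token.partition("=")
        attr = _FIELD_MAP.get(key.upper())
        if attr is None or not value:
            raise ValueError(f"bad field {token!r} in rule: {line!r}")
        fields[attr] = int(value, 16)
    return Rule(action, fields)  # a rule with no fields matches every device


def parse_policy(text: str) -> List[Rule]:
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]


def decide(rules: List[Rule], dev: UsbDevice) -> str:
    """First matching rule wins; a device no rule mentions is DENIED."""
    for rule in rules:
        if all(getattr(dev, attr) == val for attr, val in rule.fields.items()):
            return rule.action
    return "DENY"


# Constructed policy. Order matters: first match wins, so the mass-storage
# deny sits above any allow that could match a storage device.
POLICY = """
ALLOW: Class=0B                    # smart card readers
DENY:  Class=08                    # USB mass storage, every subclass
ALLOW: VID=ABCD PID=1234 Class=03  # hypothetical approved HID token
ALLOW: Class=03 SubClass=01        # boot-interface HID: keyboards, mice
"""

# Constructed device records (VID/PID values are placeholders).
SAMPLE_DEVICES = [
    UsbDevice("flash drive", 0xABCD, 0x0001, 0x0100, USB_CLASS_MASS_STORAGE, 0x06, 0x50),
    UsbDevice("keyboard", 0xABCD, 0x0002, 0x0100, USB_CLASS_HID, 0x01, 0x01),
    UsbDevice("approved token", 0xABCD, 0x1234, 0x0100, USB_CLASS_HID, 0x00, 0x00),
    UsbDevice("smart card reader", 0xABCD, 0x0003, 0x0100, USB_CLASS_SMART_CARD, 0x00, 0x00),
    UsbDevice("webcam", 0xABCD, 0x0004, 0x0100, USB_CLASS_VIDEO, 0x01, 0x00),
]


def evaluate_samples(policy_text: str = POLICY) -> Dict[str, str]:
    """Return device name -> ALLOW/DENY for the sample devices."""
    rules = parse_policy(policy_text)
    return {dev.name: decide(rules, dev) for dev in SAMPLE_DEVICES}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{verdict:5} {name}")
```

Two caveats a practitioner should carry over to a real product: composite devices report bDeviceClass 00 and put the real class codes on each interface, so a filter that only looks at the device descriptor can be bypassed by a storage device hiding behind a HID interface, and VID/PID values are trivially spoofable by a malicious device, so identity-based allows should be backed by a class-based deny like the one above rather than trusted on their own.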

As you can see, both vendors have compelling offerings, each with its own strengths and weaknesses. I don't see a huge security advantage of one over the other. Instead, your choice will depend on your specific requirements more than anything else. Technology changes rapidly, especially in the VDI space, so be sure to validate what I have here against other sources or the vendors themselves. If you see something that is no longer true, please post a comment and I will update this post. If you know of security comparisons I should have included, please post those as well.

VMWare View
http://www.vmware.com/support/pubs/view_pubs.html
Citrix XenDesktop
http://www.citrix.com/xendesktop

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
