The recent explosion of VDI deployments is driving security teams nuts. Everyone is scrambling to figure out which VDI solution is the most secure, what security features each one has and, most importantly, how to roll out VDI securely. I couldn't find a comprehensive security review of the two big players in this space (Citrix and VMware), so I did my own research and wrote it up.

My two biggest concerns with type 2 VDI clients (those that run on a host OS rather than on bare metal) are keyboard loggers and malware that scrapes the screen. If either of these is running on the host OS that carries the VDI session, you've got a security breach on your hands, no matter how well the virtual desktop itself is locked down. Of course there are plenty of other security concerns with VDI, but those are the two I worry about most. Others include mapping infected local drives into the VDI client, malware that hijacks the VDI session, mapping infected USB devices into the VDI client, and more generally allowing anything that maps to a local device driver (printers, graphics card, HDD, etc.). Device drivers are a favorite attack vector of the determined hacker.

Here is a matrix that compares the security features of Citrix XenDesktop 5 and VMware View 4.6:
Security Feature | VMWare View 4.6 | Citrix XenDesktop 5 |
---|---|---|
Client Authentication Methods | Active Directory; Kerberos realm in mixed AD/MIT Kerberos environments; RSA SecurID; X.509 certificate | Active Directory; Kerberos realm in mixed AD/MIT Kerberos environments; RSA SecurID; X.509 certificate |
Support for 2-factor authentication? | Yes | Yes |
Control redirection/mapping of local host hard drives | Yes | Yes |
Control Host Clipboard redirection for text copy/paste | Yes | Yes |
Control Host Clipboard redirection for files and folders? | No, files and folders cannot be copied between host and view using PCoIP | Yes |
Full Screen only mode with no toggle to local host OS | Yes, but only with hardware thin client | Yes, but only with type 1 deployment |
Single sign-on support | Yes | Yes |
Granular USB redirection control | No, just basic usb redirect on or off | Yes, very granular criteria including: VID, PID, REL, Class, SubClass, Prot tags in the USB device descriptor field |
Allow read-only access to USB hard drives | No, but Microsoft GPO policies can be used to accomplish this | Yes, using the same granular descriptor criteria (VID, PID, REL, Class, SubClass, Prot) |
Communication Protocol Used | RDP or PCoIP | ICA |
Are communications encrypted natively | Yes, if using PCoIP to a Windows 2008 security server. AES 128-bit SSL | Yes, if connecting to a Citrix security gateway. AES 128-bit SSL |
VDI communications can run over a 3rd party SSLVPN connection? | Yes | Yes |
VDI can USB sync iOS devices like iPhone and iPad | Yes | Yes |
Ability to run VDI client in offline or local mode | Yes, as a type 2 hypervisor (i.e. an application on an existing OS) | Yes, as a type 1 bare-metal hypervisor (i.e. boot directly into the VDI client). Installing XenClient for offline mode requires you to destroy or overwrite your current host OS. It also requires hardware virtualization support found only on the Intel vPro family of CPUs. The benefit is better performance, because it accesses the hardware directly rather than through a host OS like a type 2 hypervisor. The potential drawback is that it dedicates the machine to being a XenClient unless you enable dual booting. In some cases this is actually a plus, since it removes the security issues that come with having a host OS that VDI runs on top of. |
Ability to manage offline VDI clients | Yes, you can also force the user to periodically check-in their VDI so it is properly backed up and updated. | No, but automated backups are performed by the client |
Ability to encrypt VDI files and folders on the guest OS | Yes | Yes, called XenVault. Uses up to 256-bit AES encryption. Can be wiped centrally/remotely if needed |
Lockout VDI if communication to server is lost for X time period? | Yes | Unknown |
Microsoft Active Directory is required for policy settings of VDI? | No | Yes |
Control mapping to host drives | Yes, RDP only | Yes |
Built-in bandwidth protocol management | Yes, using PCoIP | Yes, Limit bandwidth per session |
Restrict access based on time/location/device type | No | Yes |
Restrict VDI functionality based on time/location/device type | No | Yes |
IPv6 Support | No | No |
FIPS 140-2 Compliant | Yes | Yes |
VDI Security Best Practices Whitepaper Published | Yes | Yes |
Embedded firewall at VDI headend | Yes, vShield | Yes, Citrix Secure Gateway |
VDI Anti-virus offload to virtual appliance | Yes, vShield Endpoint required. Removes the requirement for AV clients on each VDI host. | Yes, using integration with McAfee MOVE AV. Removes the requirement for AV clients on each VDI host |
Supports multiple AD forests and multiple AD domains | Yes | Yes |
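The two USB rows above describe filtering on fields of the USB device descriptor (VID, PID, REL, Class, SubClass, Prot) rather than a simple redirect on/off switch. The following is an added example, not code from Citrix or VMware, of what such a filter does: it parses an ordered allow/deny/read-only rule list and evaluates a device against it. The rule syntax (`action: field=hex ...`), first-match evaluation, the default-deny outcome and the VID/PID values 1234/5678 are assumptions made for this illustration; product policy syntax differs. The class codes (0x08 mass storage, 0x0B smart card, 0x0E video) are the standard USB class codes.

```python
"""Ordered USB redirection filter keyed on USB descriptor fields.

Added example for this post; it is not Citrix or VMware code. The rule
syntax, first-match evaluation and default-deny are assumptions for the
illustration. Fields are those named in the comparison table.
"""
from dataclasses import dataclass
from typing import Dict, List

FIELDS = ("vid", "pid", "rel", "class", "subclass", "prot")
ACTIONS = ("allow", "deny", "readonly")


@dataclass(frozen=True)
class UsbDevice:
    """Integer values taken from the USB device/interface descriptors."""
    vid: int        # idVendor
    pid: int        # idProduct
    rel: int        # bcdDevice, the device release number (REL)
    dev_class: int  # bDeviceClass / bInterfaceClass
    subclass: int   # bInterfaceSubClass
    prot: int       # bInterfaceProtocol

    def fields(self) -> Dict[str, int]:
        return {"vid": self.vid, "pid": self.pid, "rel": self.rel,
                "class": self.dev_class, "subclass": self.subclass,
                "prot": self.prot}


@dataclass(frozen=True)
class Rule:
    action: str
    criteria: Dict[str, int]  # field -> required value; an omitted field is a wildcard

    def matches(self, dev: UsbDevice) -> bool:
        values = dev.fields()
        return all(values[k] == v for k, v in self.criteria.items())


def parse_rule(text: str) -> Rule:
    """Parse one rule such as 'deny: class=08 subclass=06' (syntax assumed here)."""
    action, sep, rest = text.partition(":")
    action = action.strip().lower()
    if not sep or action not in ACTIONS:
        raise ValueError(f"bad rule {text!r}")
    criteria: Dict[str, int] = {}
    for token in rest.split():
        key, _, value = token.partition("=")
        key = key.lower()
        if key not in FIELDS or not value:
            raise ValueError(f"bad criterion {token!r} in {text!r}")
        criteria[key] = int(value, 16)  # descriptor values are written in hex
    return Rule(action, criteria)


def load_policy(lines: List[str]) -> List[Rule]:
    """Build the rule list, skipping blank lines and '#' comments."""
    return [parse_rule(line) for line in lines
            if line.strip() and not line.lstrip().startswith("#")]


def evaluate(dev: UsbDevice, rules: List[Rule], default: str = "deny") -> str:
    """First matching rule wins; a device no rule names gets the default (deny)."""
    for rule in rules:
        if rule.matches(dev):
            return rule.action
    return default


# Constructed sample policy. VID/PID 1234/5678 are placeholders standing in
# for a corporate-issued encrypted stick; the class codes are real USB classes.
EXAMPLE_POLICY = [
    "# corporate sticks are redirected read-only, all other mass storage is blocked",
    "readonly: vid=1234 pid=5678 class=08",
    "deny: class=08",
    "# smart-card readers (CCID) for certificate logon and webcams are allowed",
    "allow: class=0b",
    "allow: class=0e",
]


def decide(dev: UsbDevice, policy_lines: List[str] = EXAMPLE_POLICY) -> str:
    """Verdict for one device under a policy given as rule lines."""
    return evaluate(dev, load_policy(policy_lines))


if __name__ == "__main__":
    corporate_stick = UsbDevice(0x1234, 0x5678, 0x0100, 0x08, 0x06, 0x50)
    print(decide(corporate_stick))  # readonly
```

Two things the example makes concrete: rule order matters under first-match evaluation (an `allow: class=08` placed above the `deny` would let every mass-storage device through), and VID/PID values are self-reported by the device, so a class-based deny plus a short allowlist of named devices is the safer shape than allowlisting by VID/PID alone.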
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.