Post to Twitter |
Comments (8) |
Views (20279) |
In a posting on his blog, Chris Hoff laid into some comments I made to security SearchSecurity.com, in which I remarked that "Virtualization vendors [are] not in the security business."
He quotes me as saying "While virtualization vendors will do their role in protecting the hypervisor, they are not in the business of catching bad guys or discovering vulnerabilities, said Simon Crosby, chief technology officer of Citrix Systems." and then goes on to berate me for that position. He says "The fact that the "industry" has "decided" that "third party vendors are required to secure any platform" simply points to the ignorance, arrogance and manifest destiny we endure at the hands of those who are responsible for the computing infrastructure we're all held hostage with"
I reckon that Hoff, who is normally fairly clued-in, has put the smoking end of the cigar in his mouth before thinking through this argument. He's horribly confused, but as smug as always, so let me clarify what I said, and what it means.
What I said is that Citrix is not a security vendor for guests of the virtualized infrastructure. We do not spend our days and nights looking for evil types that wish to attack guest OSes by looking for virus signatures or other security techniques. That is not our business, and never will be. There is a strong and vibrant ecosystem of security vendors whose job it is to protect guest operating systems in physical and now virtualized infrastructure. There are challenges that arise as a result of virtualization, and we and those vendors will work to fix them, but it is not our role to specifically protect any OS or its applications through OS/app specific knowledge in the virtualization layer. The industry has long looked to third party vendors to add security to infrastructure deployments. This is why vendors such as Symantec and McAfee exist - as customers' preferred partners to implement security for their apps/OSes. The same will be true for virtualized environments.
In terms of the hypervisor, we are manically focussed on security, as is VMware - though they appear to be more retrospectively focussed on security, judging by their incredible rate of patches (more than one per week, on average). Xen supports TPM, AMD SVM, and Intel TXT, and trusted platform boot using platform based attestation is on the roadmap. Xen does not contain drivers, and implements a multi level secure architecture. The Xen community is putting Xen through common criteria level 5 certification, which is way beyond the typical enterprise software EAL 2, or even VMware's EAL 4. Xen implements the features of IBM sHype, and has benefited from contributions of Xen security modules from the NSA and other key security research groups and agencies. Xen is open source and is available for inspection and testing by the community at all times, so bugs found are quickly fixed and vulnerabilities, should they exist, are rapidly explored. Xen is massively and continually tested by the community and there are scores of university research projects related to security that use Xen and work on Xen, including honeyfarms, Xen virtual appliances for security and more.
The largest virtualization deployment in the world, Amazon, uses Xen, and more Xen hosts face the Internet every day than VMware hosts, simply because Xen is open source and available. Xen is used in most major clouds too, and those folks really care about security. The community is are justifiably proud of the security record of Xen and its open approach to security research and vulnerability assessment.
The security of any Xen vendor's product is simply up to them. Citrix focusses very heavily on the security of XenServer. it is tiny, often embedded in read only flash on industry standard servers, doesn't run any network services except for a single secure protocol, and enforces security principles of MLS throughout. We are proud of the fact that we have only ever issued 3 hotfixes for XenServer, two of which were in beta periods. Compare that to VMware's 48 patches for this year alone! How anyone can consider software that has to be patched at a rate of more than one patch per week to be enterprise class, let alone secure, escapes me.
But we are not in the business of specifically securing guests or their applications, other than through offering a secure virtualization platform. Even VMware with VMsafe simply exposes APIs to third party security vendors, so that customers can choose their preferred security partner to secure guests. I think that the VMware Determina acquisition was very smart, and that hints to me that VMware sees itself having a greater role in the security of guest OSes, since it could choose to be in the vulnerability checking business without 3rd party security vendors, but thus far they are working very openly with the ecosystem.
In summary an assertion that the virtualization platform vendor has to fix the sad state of the OS/App world by making it secure is demanding too much. It would mean that we have to be experts in every piece of system software including all of the vulnerabilities of all OSes and their apps. In my view the reason the state of security is poor now is because of the monolithic approaches of traditional OS and app vendors. We will focus manically on our layer, make it secure, tiny and bulletproof to attack in its own right. And we will work closely with experts in security of OSes and Apps to give them an opportunity to implement guest-level security outside the guest, through privileged interfaces that themselves are secure.
Comments (8)
May 12, 2008
Anonymous says:
Love your sarcasm ..too funny "VMware - though they appear to be more retros...Love your sarcasm ..too funny
"VMware - though they appear to be more retrospectively focussed on security, judging by their incredible rate of patches (more than one per week, on average)"
May 12, 2008
Anonymous says:
What about this .. "I reckon that Hoff, who is normally fairly clued-in, ...What about this ..
"I reckon that Hoff, who is normally fairly clued-in, has put the smoking end of the cigar in his mouth before thinking through this argument. "
even better
May 12, 2008
Anonymous says:
Simon, you should blog more often, I find your posts to the point and highl...Simon, you should blog more often, I find your posts to the point and highly amusing!
May 12, 2008
Anonymous says:
Firstly, I'm really glad you wrote this. However, it unfortunately doesn't go v...Firstly, I'm really glad you wrote this. However, it unfortunately doesn't go very far towards addressing the actual issues I was concerned with.
Since you took the time to "clarify" your position, I did the same!
It's appropriately titled "Crosby: Xen and the Art of Marketcycle Maintenance."
http://rationalsecurity.typepad.com/blog/2008/05/xen-and-the-art.html
Enjoy!
/Hoff
(P.S. I really do have a cigar for you...)
May 13, 2008
Anonymous says:
"Compare that to VMware's 48 patches for this year alone!" I don't th..."Compare that to VMware's 48 patches for this year alone!"
I don't think the numbers are correct Simon. You might want to double-check this.
May 15, 2008
Anonymous says:
Speaking of VMSafe, what is XenSource's answer to the same question - how do you...Speaking of VMSafe, what is XenSource's answer to the same question - how do you enable third part ISV to secure XEN?
May 16, 2008
Anonymous says:
As soon as Xen goes into production environment you will be in the security...As soon as Xen goes into production environment you will be in the security business, whether you want to or not. The network security vendors are not ready for what you're bringing in behind their appliances and cannot see the new traffic layer. It may take them years to be effective. This isn't about your existing buyers but about your new buyers.
Sep 29
Daniel Smith says:
Today Citrix opened up the beta release of XenServer 5.5, code-named "Proje...Today Citrix opened up the beta release of XenServer 5.5, code-named "Project George." The beta is being made available to the public through www.mycitrix.com. The only requirement to participate is the time it takes you to sign up for a MyCitrix account. But if you are interested, don't wait around. The company said that the beta period is only expected to last around four weeks.
With Citrix Synergy coming right around the corner, you can bet that this is only the first of many interesting virtualization announcements coming out of Citrix answering service.
[ In this podcast, listen to how Project Remus sets out to solve high availability for Xen-based hypervisor technology | Discover what you need to know about your virtual datacenter in InfoWorld's weekly Virtualization Report newsletter ]
The beta release of Citrix XenServer 5.5 involves several new features, many of which have been highly requested by customers and previous beta participants. These features include:
Add Comment