Chris Hoff is generally right as rain when he rants about technology, but he’s still wrong on my position about Citrix’s role in the addition of security features to Xen and XenServer.
The recently launched Xen Introspection project is a very promising addition to the open source Xen project, adding a set of APIs that can be used to inspect the contents and I/O of a running virtual machine – and similar in some respects to VMware’s VMSafe API. The potential uses of this for enhancing guest security by allowing re-tooled security toolkits to identify attacks and compromised guests are very significant. A key requirement is that the API itself be suitably secured so that an attacker cannot utilize it as a way to launch an attack by inspecting a VM’s data and I/O, but assuming that this problem can be solved (and if it can be solved, then the community will do so), the opportunity for the security boffins to add very substantial value to Xen-based virtual infrastructures is obvious.
Chris is right on all this stuff, but he’s still confused as to Citrix’s role in this. Our job, both in the Xen community and in XenServer, our product, is to firstly make Xen bulletproof, through platform enablements that substantially enhance system security through design, and secondly provide enablements that offer security vendors an opportunity to extend Xen based products with specific value-added solutions that identify guest vulnerabilities, threats, compromised systems and the like. We are manically focussed on securing the platform itself, but the Xen project is not a security project. Moreover Citrix is not a vendor with a core competence in finding the bad guys that attack guests. We want to make Xen the most secure hypervisor by (open, community based) design, while providing interfaces that securely extend the platform to offer those security vendors that are good at finding bad guys, a single way to go to market on .
Unlike VMware, which with its acquisitions of Blue Lane, and Determina seems set for head to head competition with the security industry, we believe that this capability set is best added on top of the Xen hypervisor base by an ecosystem of vendors and the community, in a way that allows those vendors to add value to all Xen based products, independent of the particular Xen vendor. If, say, a McAfee or Symantec product were released for the Xen Introspection API, then it is our specific goal that it would work for XenServer and for all other Xen based products on the market. Leading the Xen project is a role that demands openness and integrity when working with the ecosystem of vendors. Ian Pratt, the leader of the project, is a passionate defender of the independence of the project from any vendor bias, and in the area of security specifically, his goal is to foster an ecosystem of community and vendor based security enhancements to Xen that will enable Xen users to achieve far better security than is possible with a closed source virtualization platform such as VMware’s that also competes with the security ecosystem.
Re-reading Hoff’s posts, I find that I agree with him in just about every respect in his assessment of the technology and its implications, and I think we’re doing exactly as he would recommend, so I’ll be interested to hear if he has more to say on this.