Archive for April 21st, 2009
New XenServer Still Lacks Critical Access Controls
Recently, my inbox was overwhelmed with notifications about news on Citrix Essentials for XenServer. (OK, I admit… my spam filter was not set for the word ‘Essentials’.) I was almost sold on thinking this is the greatest thing since sliced bread until I got my hands on it to see what all the fuss is about.
We already knew that XenServer 5 had a shortcoming that is a showstopper for most enterprises – every user with login access to the management UI gets full root access to all management hosts and VMs. When prospective customers ask us how VMware Infrastructure compares to our competition and we tell them about this one issue, we see their eyes bug out in surprise, especially if they operate in a security- and audit-conscious environment like a bank or government agency. They simply can’t consider a virtualization platform without access controls and audit tracking of logins and configuration changes – features that VMware vCenter has provided for years. Burton Group’s Chris Wolf made this issue his primary reason for rating XenServer “not enterprise production-ready”. In fact, only VMware ESX made the production-ready cut in Chris’ ratings.
Would the now free XenServer, managed by the not-free Citrix Essentials for XenServer, patch up that gaping security hole? The Citrix Essentials for XenServer trial download just recently became available and, once installed, I quickly saw they had not fixed the issue and XenServer will stay a liability in any enterprise datacenter.
XenServer root-access only is a critical security flaw
After I connected to my XenServer 5 Server Pool using XenCenter (strangely enough, despite all the fuss about the Citrix Essentials management tools, the XenServer management console is still called “XenCenter”), I was amazed to see I was still allowed root console access to the hypervisor. It seems that there is no way to create accounts other than root that can use XenCenter to connect and manage the virtualization environment. Of course I don’t need to explain what a critical security flaw that can become if the XenCenter console is compromised – the attacker gets the keys to the kingdom – hosts, VMs, everything. Also, it seems that there is no built-in feature to integrate XenServer with any naming services such as Active Directory or LDAP and you may have to buy additional licenses for third-party software (Citrix mentions Centrify in their documentation) to provide that service for your XenServer environment. It appears that even though an extra-cost third-party directory service connector might let you control who can access XenCenter, every user granted that privilege still has full root access to the entire XenServer environment. We’d like to hear from anyone who’s tried XenServer with Centrify who can verify this all-or-nothing situation.
XenServer’s lack of RBAC is a critical security and operational shortcoming
RBAC (role-based access control) is an approach to restricting VM, hypervisor or pool access to authorized users. Within a virtualization solution, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles and those roles are then granted to users registered in your directory service. Some useful pre-defined roles you can choose in vCenter are Administrator, Manager, Virtual Machine User, NOC operator or Read-Only, and you can also create fine-grained custom roles.
XenServer has no such capability and gives all users the same root-level of control over all objects. This can create an administrative nightmare as you are unable to delegate limited privileges and assign roles to various members of your organization where granting full privileges is not allowed.
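A minimal model of the role-based check described above, next to the all-or-nothing login model, as an added example (not code from VMware, Citrix or the original post). The permission strings, object paths and user names are hypothetical; only the role names come from the post.

```python
from dataclasses import dataclass, field

# Role names are from the post; the permission strings are hypothetical
# labels for this example, not vCenter privilege identifiers.
ROLES = {
    "Administrator": {"view", "vm.power", "vm.reconfigure", "host.configure"},
    "Virtual Machine User": {"view", "vm.power"},
    "Read-Only": {"view"},
}

@dataclass
class Rbac:
    grants: dict = field(default_factory=dict)  # (user, object path) -> role
    audit: list = field(default_factory=list)   # one record per decision

    def grant(self, user, obj, role):
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        self.grants[(user, obj)] = role

    def role_for(self, user, obj):
        # Walk from the object up to the pool; the nearest grant applies.
        path = obj
        while True:
            role = self.grants.get((user, path))
            if role or "/" not in path:
                return role
            path = path.rsplit("/", 1)[0]

    def check(self, user, obj, perm):
        role = self.role_for(user, obj)
        allowed = role is not None and perm in ROLES[role]
        self.audit.append((user, obj, perm, role, "ALLOW" if allowed else "DENY"))
        return allowed

def all_or_nothing(user, logins):
    # The model the post describes: anyone who can log in may do anything.
    return user in logins

def demo():
    # Constructed sample: hypothetical users and pool/host/VM paths.
    r = Rbac()
    r.grant("alice", "pool1", "Administrator")
    r.grant("bob", "pool1/host1/vm-web", "Virtual Machine User")
    r.grant("carol", "pool1", "Read-Only")
    return r
```

Every decision, allowed or denied, lands in `audit`, which is the login and configuration-change trail the post says auditors ask for.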
RBAC is now integrated by many OS and application vendors in their products to support financial, government and business customers who have made it a mandatory feature for managing their large networks. Those users don’t allow components lacking RBAC into their environments. Unfortunately for Citrix, XenServer seems to be one of those products that will remain off-limits.
As we continue to look at XenServer and Citrix Essentials, I’ll point out in upcoming posts a number of shortcomings seen in our initial hands-on evaluation that will demonstrate why the combination falls short of enterprise datacenter requirements.
