Microsoft vs VMware: who has the biggest hypervisor footprint?

Posted by Staff | Monday, August 24th, 2009


The VMworld conference is just one week away and this year VMware’s competitors seem to have additional reasons to stir up controversy and disturb the event.

The topic of the day is the size of the hypervisor footprint, which translates into a certain attack surface and is relevant when you try to estimate the overall security level of a platform.

This is an area where VMware has always claimed a clear superiority over Microsoft, because the primary version of Hyper-V comes with a full copy of Windows Server 2008 as its parent partition.
VMware believes this is a major selling point, to the point that it is highlighted on the corporate website.

Microsoft never addressed the critique until a couple of weeks ago, when it published an interesting analysis (part 1, part 2 and part 3) of what happens to the hypervisor’s footprint after a round of patches.

On its website, VMware compares its lightweight ESXi, the hypervisor version without the Console Operating System (COS), against the full version of Hyper-V. For Microsoft a fairer comparison would be between ESXi and its lightweight Hyper-V Server.
Nonetheless the company prepared three different analyses (including only critical and security patches):

  • Hyper-V Server 2008 vs ESXi 3.5 | June 2008 – June 2009
    Hyper-V: 82MB footprint increase with 26 patches
    ESXi: 2.7GB footprint increase with 13 patches
  • Windows Server 2008 Hyper-V vs ESX 3.5 | January 2008 – June 2009
    Hyper-V: 408MB footprint increase with 32 patches
    ESX: 3GB footprint increase with 85 patches
  • Windows Server 2008 Hyper-V vs ESXi 3.5 | January 2008 – June 2009
    Hyper-V: 408MB footprint increase with 32 patches
    ESXi: 2.7GB footprint increase with 13 patches

Without patches, Microsoft points out that the only part of the two platforms that is actually exposed to attack (the hypervisor plus the virtualization stack) is 32MB in ESX and 20MB in Hyper-V.

At the end of last week VMware officially answered.
First on the hypervisor footprint without patches:

We don’t know how many lines of code are in a Hyper-V system, so we use the installed disk footprint – the size of the installed files needed to support virtual machines – as a reasonable proxy for lines of code.

A df -h command will then show you that the total size of those compressed ESXi boot images in the directory corresponding to /bootbank is 59.3MB — somewhat less than the 70MB figure we’ve publicly stated.

For comparison, here’s a look at the disk footprint of ESX 4.0 “Classic”, which measures about 1.7GB.  Most of the additional footprint is due to the Linux-based service console.

The disk footprints we measured for Hyper-V R2 RTM are far larger. Windows 2008 R2 Server Core with the Hyper-V role enabled was 3.6GB. For those Hyper-V users that want to preserve the “Windows they know,” a full Windows Server 2008 R2 installation is pushing 10GB.

Yes, ESX “Classic” does use a Linux-based service console and therefore has a larger disk footprint, but VMware has publicly stated that the OS-free ESXi architecture is our future direction and ESXi has all the capabilities of ESX “Classic”.  Microsoft has made no such commitments to eliminate Hyper-V’s dependency on Windows…

And then on the footprint with patches:

Because ESXi is installed and patched like an appliance – the entire image is replaced as a whole – our patches are naturally the size of the full ESXi installer package. Our customers prefer that appliance approach because it ensures consistency in their installations and avoids “patch drift” away from a validated configuration. With the Windows Update-based patching used for Hyper-V, patches can be smaller, but customers can skip or miss patches, resulting in insecure, partially patched configurations.

With both ESX and ESXi, a host reboot following patching has always been a non-issue because VMotion and Maintenance Mode make it trivial to shift VMs to alternate hosts during the reboots. Microsoft’s customers must certainly be looking forward to using those same features in the long-awaited release of Hyper-V R2.

We’ve kept track of the “Patch Tuesday” patches required on a Server Core Hyper-V system since Hyper-V first shipped in June 2008 and there have been multiple “Important” or “Critical” patches to apply almost every month. Most of those patches don’t apply to Hyper-V, but users must still install them and then reboot their hosts. And, as users are painfully aware, Hyper-V R1’s missing live migration support has meant downtime for their VMs with each reboot. The downtime may lessen with Hyper-V R2, but the patches won’t…
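The “patch drift” argument in VMware’s answer above boils down to a fleet check a defender can actually run: under per-patch updating a host can be silently missing some of the required patches, while under whole-image updating drift collapses to a single build mismatch. The script below is an added example written for this article, not code from VMware or Microsoft; the hosts, patch ids and build strings are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """Validated configuration every host is expected to match."""
    required_patches: dict[str, str]  # patch id -> severity
    image_build: str                  # expected appliance image build


@dataclass
class Host:
    name: str
    model: str                        # "incremental" or "appliance"
    installed_patches: set[str] = field(default_factory=set)
    image_build: str = ""


def check_host(host: Host, baseline: Baseline) -> dict:
    """Drift of one host from the baseline.

    Appliance model (whole image replaced): drift is a build mismatch.
    Incremental model (per-patch updates): drift is the set of required
    patches that were skipped, with the Critical ones called out.
    """
    if host.model == "appliance":
        return {"host": host.name, "drifted": host.image_build != baseline.image_build,
                "missing": [], "critical_missing": []}
    missing = sorted(p for p in baseline.required_patches
                     if p not in host.installed_patches)
    return {"host": host.name, "drifted": bool(missing), "missing": missing,
            "critical_missing": [p for p in missing
                                 if baseline.required_patches[p] == "Critical"]}


def partially_patched(hosts: list[Host], baseline: Baseline) -> list[str]:
    """Names of hosts that drifted from the baseline, sorted."""
    return sorted(h.name for h in hosts if check_host(h, baseline)["drifted"])


# Constructed sample fleet: patch ids and builds are placeholders, not real ones.
BASELINE = Baseline({"P-001": "Critical", "P-002": "Important", "P-003": "Critical"},
                    image_build="build-1234")
FLEET = [
    Host("hv-a", "incremental", {"P-001", "P-002", "P-003"}),
    Host("hv-b", "incremental", {"P-001"}),                 # skipped two patches
    Host("esxi-a", "appliance", image_build="build-1234"),
    Host("esxi-b", "appliance", image_build="build-1200"),  # stale image
]
```

Running `partially_patched(FLEET, BASELINE)` on the sample fleet flags the stale appliance image and the incrementally patched host that skipped two patches, one of them Critical.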

Both positions are long and well argued. The excerpts above can’t really give readers a full summary of every detail that both companies covered in their analyses.

A complete reading of all articles is recommended to evaluate who’s right.

Anyway it’s worth reminding everybody that the security of the hypervisor affects the security of the virtual infrastructure only partially.
Attacks can come from anywhere: the security columnist Claudio Criscione is covering this very topic in his first series, Real-World Security in a Virtual Infrastructure (Part 1, Part 2 and Part 3; wait for Part 4 in the coming days).
