XenServer 5.6 and XenDesktop 4.0 achieve Common Criteria EAL2 certification – UPDATED

Posted by virtualization.info Staff   |   Thursday, September 16th, 2010   |  

At the beginning of last week Citrix announced that both its hypervisor, XenServer 5.6, and its VDI platform XenDesktop 4.0 achieved the Common Criteria certification Evaluation Assurance Level (EAL) 2.

While this is good start, Citrix has to work harder to match the level achieved by other virtualization platforms:

As usual, it’s worth to remind that the certification value is really meaningful only when compared against a reference model, the Protection Profile, used to verify the functionality and security levels of a certain class of solutions, and a definition document prepared by the vendor, the Security Target, used to describe the security properties of the specific solution.

The protection profiles are written by the industry groups and a security target may use one of more of them as a template.
We still don’t have a protection profile for the hypervisors or the virtual infrastructures, so that a virtualization vendor is free to shape the security target without any constrain and being certified for the definition it provided. 
This doesn’t mean that the certification is useless, but that the EAL ranking alone doesn’t imply a secure product.

Update: The Security Target used by Citrix to certify XenDesktop 4.0 Platinum Edition (running on top of Microsoft Windows Server 2003 SP2) is finally available online.

It’s interesting to note that a number of components of the suite have been excluded from the Target of Evaluation (TOE):

  • XenServer
  • XenApp for Virtual Desktops
  • Access Gateway
  • Provisioning Services
  • Workflow Studio
  • Profile Managemen
  • EdgeSight for Endpoint
  • Repeater
  • GoToAssist
  • EasyCall

The implication of this is pretty significant, as Citrix details in the document:

  • Server-side and client-side application virtualisation is not included; only applications ’baked-in’ to the virtual desktop image are included in the evaluation;
  • Smart card support for desktop user authentication is included in the evaluation, but tokens are not;
  • Administrators can enable/disable local peripheral support either as a global control policy or for individual users and groups of users; only the facility for applying a global control policy is included in the evaluation
  • Desktop appliances and client devices other than Windows PCs are not included as User Devices in the evaluation
  • The capability for Desktop users to belong to multiple desktop groups is not included, a Desktop user can only use a virtual desktop from one desktop group.

So what has been tested and certified exactly? The TOE Security Objectives list clarifies it:

  • Desktop users and administrators must be successfully identified and authenticated before being granted access to the TOE.
  • TOE server components must authenticate themselves to User Devices and other servers before communication of Userdata or Configdata.
  • Desktop users must be granted access only to virtual desktops for which they have been authorised.
  • The confidentiality and integrity of data required for setup and assignment of a virtual desktop must be maintained during processing and transmission between servers.
  • The confidentiality and integrity of Userdata being processed on the virtual desktop must be maintained.
  • TOE components must invoke FIPS 140-2 level 1 validated cryptographic functions in accordance with the conditions of the validation.
  • The contents of the memory used by the Virtual Desktop Agent to run the virtual desktop during a desktop user’s session must not be available to other processes when that user’s session is complete.
  • Virtual desktops must be configured by administrators such that it is not possible for users to gain access to the underlying operating system or hardware on which the Virtual Desktop Agent is running.
  • An administrator must be able to control the use of User Device resources by authorised desktop users. This includes the ability to cut, copy and paste information between a virtual desktop and a User Device operating system clipboard; access, from a virtual desktop, to local drives on the User Device; access, from a virtual desktop, to local USB devices on the User Device.
  • The operating systems of the server components must be securely configured according to [CCECG], including appropriate file protection.
  • VM Host software must be securely configured.
  • Trusted third party software must be securely configured according to [CCECG]. Trusted third party software is defined as: Microsoft IIS (the secure Web Server) and Microsoft Windows (including Terminal Services)
  • Desktop users and administrators must be authenticated by the underlying operating system on the relevant platform.
  • Authentication requirements in the operating system shall be configured according to the risks in the operational environment.
  • All communication between the TOE servers (apart from communications between the Desktop Delivery Controller and the VM Host), and between Virtual Desktop Agents and User Device Citrix online plug-ins, uses the configured IPSec protocol. This is accomplished by the administrator setting these servers to use the IPSec protocol.
  • All communication between the Web Interface and the User Device (web browser or Citrix online plug-in), and between the Desktop Delivery Controller and the VM Host, uses the configured TLS protocol.
  • The User Device operating system must be securely configured according to [CCECG], including appropriate file protection.
  • User Devices must be configured such that desktop user authentication credentials and user data are not left in memory after the user has logged out from their virtual desktop.
  • Secure encryption modules used to provide IPSec and TLS must be FIPS 140-2 level 1 compliant. This means that the software in the environment used by the TOE must be configured such that only FIPS140-2 level 1 validated algorithms are used.
  • Any keys and other secret data that are generated and stored outside the TOE must be managed in accordance with the level of risk.
  • The operational environment shall provide physical protection to the TOE servers to ensure only administrators are able to gain physical access to the servers.
  • User Devices must have only trusted third party software installed. This software must be configured securely according to the risks in the operational environment.
  • Configdata stored outside the TOE, such as in the datastore, must be accessible only by administrators.

The Security Target for XenServer 5.6 Platinum Edition is here instead.
Even in this case, the TOE includes some significant omissions:



Labels: , ,

blog comments powered by Disqus

virtualization.info Newest articles
Release: VMware vRealize Log Insight 4.5

June 13th, 2017

Log Insight is a log aggregation, management and analysis tool, that VMware first introduced in 2013 and considered a competitor of Splunk.
Yesterday VMware announced the release of version 4.5, available for…

Release: VMware vRealize Automation 7.3

June 6th, 2017

Today VMware announced the latest release of its cloud management platform vRealize Automation, former vCloud Automation Center.
VMware vRealize Automation 7.3 release notes can be found at this link.


Paper: Introducing the NSX-T Platform

February 9th, 2017

“We see greater potential strategic opportunity in NSX over the next decade than our franchise product vSphere has had for the past decade.”
said VMware’s CEO Pat Gelsinger talking about…

Paper: VMware vSphere Virtual Machine Encryption Performance

November 22nd, 2016

Encryption of virtual machines is something that has been requested for years by the security community. VMware continued to postpone its implementation due to the negative operational impact that many…

Quest Software leaves Dell

November 1st, 2016

In September 2012 Dell announced to have completed the acquisition of Quest Software, a Californian company with an history in systems management, security, business intelligence and, falling back in our…

Citrix announces Q3 2016 results

October 21st, 2016

Citrix announced its financial results for third quarter 2016.
The revenues for the second quarter were $841 million for an increase of 3% compared to Q3 2015.
Net income was $132…

Release: VMware vSphere 6.5 & Virtual SAN 6.5

October 19th, 2016

2016 edition of VMworld US has been quite turbulent, on the other hand during VMworld Europe, happening these days in Barcelona, the company announced a few more products for the…

Release: VMware vRealize Log Insight 4.0

October 18th, 2016

Log Insight is a log aggregation, management and analisys tool, that VMware first introduced in 2013 and now is usually compared with Splunk.
Yesterday VMware announced Log Insight’s new major…

Release: Windows Server 2016 with support for Window Server & Hyper-V containers

October 13th, 2016

Yesterday Microsoft announced the general availability of Windows Server 2016 which the company defines as a cloud-ready OS.
Beside fancy definitions, one of the most relevant perks of this release…

Release: Oracle VM 3.4.2

September 22nd, 2016

During Oracle OpenWorld 2016 the company released version 3.4.2 of its enterprise virtualization solution.
Oracle VM is available for both x86 and SPARC based processor architectures and uses the Xen hypervisor…

VMworld US 2016 Wrap-up

September 1st, 2016

Today was the last day of VMware’s flagship conference VMworld in Las Vegas, an highly controversial edition which left a good chunk of the audience disoriented if not properly disappointed….

Gartner releases its Magic Quadrant for Cloud Infrastructure as a Service for 2016

August 11th, 2016

Last week Gartner updated its Magic Quadrant for Cloud Infrastructure as a Service (IaaS) for the year 2016. The Magic Quadrant for the year 2015 was released in May last year…

Release: Ansible Tower 3 by Red Hat

August 2nd, 2016

Ansible is one of the four main players in the automation market, younger then the well known Chef and Puppet, has been launched in 2013 in Durham, N.C. and acquired…

IBM announces earnings for Q2 2016

July 19th, 2016

Yesterday IBM announced its results for Q2 2016.

If we compare with the same quarter in 2015 earnings per share, from continuing operations, decreased 22%. Net income, from continuing operations,…

Monthly Archive