In the last post of the XenClient CTO blog series, I discussed how the sharing of hardware and software resources results in security challenges for IT. System virtualization provides unique advantages that can address these challenges. Essentially, system virtualization decouples the operating system from the underlying hardware, thus allowing running of multiple, concurrent operating systems on the same client device and server hardware. This was made possible by the introduction of the new software layer known as the System Hypervisor or the Virtual Machine Monitor (VMM).
Enforcing certain levels of access control became mandatory. This is where system virtualization came as a true game changer, providing unique advantages that can address all of the above. Essentially, system virtualization decouples the operation system from the underlying hardware allowing us to run concurrently multiple operating system on the same client device and server hardware. This was made possible by the introduction of the new software layer that we all know by as the System Hypervisor or the Virtual machine Monitor (VMM).
Hardware virtualization vendors were conscious to the importance of measuring hypervisor code before it runs on the system, thus establishing what’s known as the Trusted Computing Base (TCB). A good example of this is Intel’s Trusted Execution Technology (TXT), which allows us to form a dynamic root of trust by measuring the hypervisor code image as it starts executing on the hardware system. While TXT was available in Intel’s vPro business client machines, it was not enabled in all consumer devices processors. This reduced the adoption and enablement of hypervisor measurement across the ecosystem.
XenClient is Citrix’s Type-1, bare-metal virtualization offering for personal computers. It’s the only viable solution in the market today operating as a true Type-1 solution for business client devices, which gives it unique advantages over other potential solutions. XenClient takes full advantage of system virtualization for CPU, memory and I/O resources. It’s able to isolate the software environment entirely from the underlying hardware. XenClient also enforces various levels of hardware-assisted access control policies and mechanisms to CPU, memory and I/O resources. To enumerate some of the unique capabilities of XenClient:
- Restricts access to USB device only to trusted virtual machines.
- Offloads network traffic to an isolated virtual machine, therefore eliminating the foundation of malicious covert network channels.
- Isolates critical business workloads in a dedicated virtual machine that is locked, updated and managed by IT administrators.
Not only does XenClient allow IT administrators to create, deploy, manage and monitor virtual machines on their organization-managed PCs, but it also entitles end users to create, run and manage their own personal virtual machines. Those VMs are strictly isolated, with the ability to share in-guest OS resources under the direct control of IT administrators.
XenClient delivers unique features even in the case of running only with a single IT managed virtual machine on the device. In my coming blogging series I’ll be talking more about those benefits of XenClient along with our vision for where the product will evolve, along with how it will be integrated with other Citrix key technological assets like XenDesktop, Receiver and RemotePC.
Join the conversation by connecting with the Citrix XenClient team online!
- Visit the XenClient product page
- Follow us on Twitter
- Like us on Facebook
- Visit our XenClient Technical Forum
About the author:
Ahmed Sallam drives technology and product strategy working with ecosystem partners for Citrix XenClient and the emerging client devices virtualization market. Prior to Citrix, he was CTO and chief architect of advanced technology at McAfee, now part of Intel Corp. He was co-inventor and architect of DeepSAFE, co-developed with Intel Labs, and co-designer of VMware’s VMM CPU security technology known as VMsafe. Prior to McAfee, Ahmed was a senior architect with Nokia’s security division and a principal engineer at Symantec. He holds 17 issued patents and has more than 40 pending patent applications. He earned a bachelor’s degree in computer science and automatic control from the University of Alexandria.
Follow Ahmed on twitter: https://twitter.com/ahmedsallam
Check ahmed public profile: www.linkedin.com/in/ahmedsallam