The download page for XenServer / Essentials for XenSource now says:

“The new free Citrix XenServer will be available on March 30.”

So, we’ll have to wait until Monday. No reason is given for this change that I can find.

Meanwhile, you can still download the current version of XenServer for free along with a license key that apparently enables the high availability and storage management features of Essentials.

Related posts:

• XenServer virtualization to go free today

As of 8:30am EDT their download page still points to a different version. Hopefully that will change in a few hours.

VMware paved the way a few years ago by releasing VMWare Server for free, followed later the higher performance ESXi hypervisor kernel. Microsoft has their own “free” hypervisor HyperV, but this offering from Citrix blows all of those away.

XenServer with Essentials provides VMotion-like live migration of running VMs for load balancing and high availability, shared storage management, and centralized management of VM image. Apparently it can provision both virtual and physical servers by booting either from images served over the network.

Xen has been popular for a while with newer virtual private server hosting providers like SliceHost and GoGrid , and is the hypervisor used by “cloud computing” providers, most notably Amazon EC2.

Related posts:

• Free XenServer release moved to March 30
• Security of virtualization
• Can virtualization be trusted for security?

The ESX guidelines cover basic to intermediate techniques for hardening the ESX host and linux-based service console, including ESX-specific guidance for file and directory permissions and kernel tuning, and recommendations for the remote web and GUI consoles.

There is no automated scoring tool for assessing conformance to the recommendations, but a backup script and list of critical files to backup in the service console before making changes are provided.

Download the guidelines here: VMware ESX Server 3.x Benchmark

Update (Mar 2008): Another VMware ESX guide that also covers SAN, network and other often ignored components has been released by by the NSA. Find it (and guidelines for many other products) here: NSA Current Security Configuration Guides

Related posts:

• CIS releases virtual machine security guide
• Multiple critical vulnerabilities in all VMware products
• VMware Workstation 6 released

Interestingly, the issues are not in the virtualization technology itself but in supporting services like the DHCP service and components of the Linux-based admin console in VMware ESX such as Samba and cron.

Secunia has posted some details . The official announcement from VMware seems to have only gone out to subscribers of their security mailing list (I can’t find it on their web site) but Full Disclosure has a copy here .

Now, is there anyone who still wants to argue that isolation of VMware guests is just as good as physical servers? Even if the virtualization mechanism itself is sound (which is still an very risky assumption to make), bugs in the guest-to-host communication components or admin components could be exploited.

Related posts:

• VMware Workstation 6 released
• CIS releases Vmware ESX security guide
• CIS releases virtual machine security guide

CIS has created a number of guidelines for hardening popular operating systems, routers and server applications such as Apache, IIS, and Oracle. They called them “benchmarks” and are developed with input from private industry and government players. The guidelines are not as in-depth as those from NIST , but are very readable and cover the minimum requirements for hardening systems. CIS has also created some automated assessment tools for many products to evaluate how well the guidelines have been applied.

This new virtualization security guide is just 30 pages but manages to broadly cover the issues:

• Types of virtual machines (e.g. paravirtualization vs hardware-based VMs)
• Types of threats (escaping a guest, host compromize, denial of service etc)
• Best practices for hardening guests and host OSs
• Best practices for managing VMs, including remote managemen

The guide is not specific to one virtualization product so obviously there is no accompanying automated assessment tool. Hopefully in the future CIS will publish a guide specifically for market leader VMWare ESX.

Related posts:

• CIS releases Vmware ESX security guide
• Attacks on Virtual Machines
• Fuzzing virtual machines

In addition to the usual incremental improvements and official support for an even greater number of guest operating systems (including Windows Vista as both host and guest), this iteration of Workstation adds USB 2.0 support, session record/reply, and ability to run VMs without the console also running. See the full release notes for details.

There are only a few really useful new features I see:

• Ability to use all host memory (previous limit was 4GB) and up to 8GB per VM.
• Debugger integration with Eclipse and Visual Studio IDEs.
• Experimental support for para-virtualized kernels in Linux guests (“Virtual Machine Interface 3.0 enabled kernels”, according to the release notes).
• a new “ACE option pack” add-on that allows Workstation to create guests that can run stand-alone from portable media.

It’s not clear whether the guests created with the “option pack” are equally as protected from the host as they are with VMware ACE. Looks like I’ll find out soon… until May of 2006, VMware is offering the ACE option pack free both for new purchases and for users upgrading from Workstation 5.5.

It’s painful to think how we ever got anything done before VMware Workstation (and later VMware Server) became available. Five years ago for research, testing, and supporting clients we had several boxes with one or two removable hard drive caddies, and a closet full of drives containing flavors of Linux, BSD, Windows, and Solaris all ready to boot when needed. Dedicated servers ran the OSs we needed to access the most.

Now we have a library of images stored on one file server, ready to boot up under VMware Server or copy to a laptop to run under Workstation, and a couple of production VMs always running. We keep images of some client’s production servers on hand for support and for testing upgrades. No need to decide what to keep either… obsolete OS images get burned to DVD in case they’re ever needed again (I think we even have an image of SCO Unix in the vault).

It’s become fantastically easier (and cheaper) to get things done thanks to virtualization tools. The trade press concentrates heavily on “revolutionary” benefits of virtualization for consolidating physical servers, but I think the real revolution for most organizations has been in using tools like VMWare Workstation for research, development and support.

Related posts:

• Multiple critical vulnerabilities in all VMware products
• CIS releases Vmware ESX security guide
• XenServer virtualization to go free today