Is Citrix right about its client hypervisor design?

citrix logo

At the end of January Citrix and Intel announced a major partnership to jointly develop a client hypervisor based on Xen (codename Project Independence).
The news definitively had an impact on competitors as VMware felt the need to remark that its partnership with Intel is stronger.

The two companies plan to release the new product somewhere in H2 2009 (likely immediately before or during VMworld 2009) so nobody really expected any additional information going public for a while (at least nothing before the upcoming Synergy conference in May).

Unexpectedly, last week Gabrie van Zanten, a well-known virtualization blogger, published an early preview of the Citrix client hypervisor, highlighting interesting features:

…After the primary partition is loaded, the other partitions (virtual machines) can be managed through a web interface in the primary partition. This interface integrates with XenDesktop (VDI) and XenApp (Presentation Server), which gives the user great control over what technique to use, depending on the device he or she is or the location. The user will also be given the option to check out a VM to take it on the road…

as well as some concerning design approaches:

…the primary partition will often hold the users “private” OS. The OS that he or she will use to install all the stuff he downloaded from unknown sources, the OS that will hold pictures of family, etc. If it is anything like my home pc, Vista will already claim at least 1GB of RAM after startup. This memory is no longer available to secondary partitions that will be started…

As van Zanten says the idea of using the primary partition for the untrusted personal environment is really concerning for the corporate security:

…I’m willing to accept that the network stack going through the primary partition is safe enough, but if this primary partition is needed to boot the whole client hypervisor, present the web interface and manage the VMs, isn’t this “dirty home OS” primary partition connected to your business network then? There should be some kind of firewall in between that is managed by the hypervisor that can detect the business network and isolate this primary partition from the business network. At this point Citrix has no solution for this.

As this an alpha Citrix may have to reconsider its approach several times before hitting the general availability but if this is the direction they took, they’ll have a lot of work to do to convince the customers that this architecture is secure and suitable for a corporate environment.