XenServer 5.6 and XenDesktop 4.0 achieve Common Criteria EAL2 certification – UPDATED

At the beginning of last week Citrix announced that both its hypervisor, XenServer 5.6, and its VDI platform XenDesktop 4.0 achieved the Common Criteria certification Evaluation Assurance Level (EAL) 2.

While this is good start, Citrix has to work harder to match the level achieved by other virtualization platforms:

As usual, it’s worth to remind that the certification value is really meaningful only when compared against a reference model, the Protection Profile, used to verify the functionality and security levels of a certain class of solutions, and a definition document prepared by the vendor, the Security Target, used to describe the security properties of the specific solution.

The protection profiles are written by the industry groups and a security target may use one of more of them as a template.
We still don’t have a protection profile for the hypervisors or the virtual infrastructures, so that a virtualization vendor is free to shape the security target without any constrain and being certified for the definition it provided. 
This doesn’t mean that the certification is useless, but that the EAL ranking alone doesn’t imply a secure product.

Update: The Security Target used by Citrix to certify XenDesktop 4.0 Platinum Edition (running on top of Microsoft Windows Server 2003 SP2) is finally available online.

It’s interesting to note that a number of components of the suite have been excluded from the Target of Evaluation (TOE):

  • XenServer
  • XenApp for Virtual Desktops
  • Access Gateway
  • Provisioning Services
  • Workflow Studio
  • Profile Managemen
  • EdgeSight for Endpoint
  • Repeater
  • GoToAssist
  • EasyCall

The implication of this is pretty significant, as Citrix details in the document:

  • Server-side and client-side application virtualisation is not included; only applications ‘baked-in’ to the virtual desktop image are included in the evaluation;
  • Smart card support for desktop user authentication is included in the evaluation, but tokens are not;
  • Administrators can enable/disable local peripheral support either as a global control policy or for individual users and groups of users; only the facility for applying a global control policy is included in the evaluation
  • Desktop appliances and client devices other than Windows PCs are not included as User Devices in the evaluation
  • The capability for Desktop users to belong to multiple desktop groups is not included, a Desktop user can only use a virtual desktop from one desktop group.

So what has been tested and certified exactly? The TOE Security Objectives list clarifies it:

  • Desktop users and administrators must be successfully identified and authenticated before being granted access to the TOE.
  • TOE server components must authenticate themselves to User Devices and other servers before communication of Userdata or Configdata.
  • Desktop users must be granted access only to virtual desktops for which they have been authorised.
  • The confidentiality and integrity of data required for setup and assignment of a virtual desktop must be maintained during processing and transmission between servers.
  • The confidentiality and integrity of Userdata being processed on the virtual desktop must be maintained.
  • TOE components must invoke FIPS 140-2 level 1 validated cryptographic functions in accordance with the conditions of the validation.
  • The contents of the memory used by the Virtual Desktop Agent to run the virtual desktop during a desktop user’s session must not be available to other processes when that user’s session is complete.
  • Virtual desktops must be configured by administrators such that it is not possible for users to gain access to the underlying operating system or hardware on which the Virtual Desktop Agent is running.
  • An administrator must be able to control the use of User Device resources by authorised desktop users. This includes the ability to cut, copy and paste information between a virtual desktop and a User Device operating system clipboard; access, from a virtual desktop, to local drives on the User Device; access, from a virtual desktop, to local USB devices on the User Device.
  • The operating systems of the server components must be securely configured according to [CCECG], including appropriate file protection.
  • VM Host software must be securely configured.
  • Trusted third party software must be securely configured according to [CCECG]. Trusted third party software is defined as: Microsoft IIS (the secure Web Server) and Microsoft Windows (including Terminal Services)
  • Desktop users and administrators must be authenticated by the underlying operating system on the relevant platform.
  • Authentication requirements in the operating system shall be configured according to the risks in the operational environment.
  • All communication between the TOE servers (apart from communications between the Desktop Delivery Controller and the VM Host), and between Virtual Desktop Agents and User Device Citrix online plug-ins, uses the configured IPSec protocol. This is accomplished by the administrator setting these servers to use the IPSec protocol.
  • All communication between the Web Interface and the User Device (web browser or Citrix online plug-in), and between the Desktop Delivery Controller and the VM Host, uses the configured TLS protocol.
  • The User Device operating system must be securely configured according to [CCECG], including appropriate file protection.
  • User Devices must be configured such that desktop user authentication credentials and user data are not left in memory after the user has logged out from their virtual desktop.
  • Secure encryption modules used to provide IPSec and TLS must be FIPS 140-2 level 1 compliant. This means that the software in the environment used by the TOE must be configured such that only FIPS140-2 level 1 validated algorithms are used.
  • Any keys and other secret data that are generated and stored outside the TOE must be managed in accordance with the level of risk.
  • The operational environment shall provide physical protection to the TOE servers to ensure only administrators are able to gain physical access to the servers.
  • User Devices must have only trusted third party software installed. This software must be configured securely according to the risks in the operational environment.
  • Configdata stored outside the TOE, such as in the datastore, must be accessible only by administrators.

The Security Target for XenServer 5.6 Platinum Edition is here instead.
Even in this case, the TOE includes some significant omissions: