Citrix FlexCast – Interesting Security Considerations

The Virtualization Security Podcast on 10/21 was the third in a series of Virtual Desktop Security discussions we are having. The special guest panelist was Chris Mayers of one of the Chief Security Architects for Citrix, the makers of XenServer, XenClient, and the FlexCast solutions. FlexCast provides an all encompassing method to provide virtual desktop  and applications that include the following mechanisms:

Let us look at each of these mechanisms in a bit of detail then discuss how they work to provide Security and how to secure them.

FlexCast allows you to divide up your desktop capabilities as three distinct mechanisms: streamed VHD, use of shared resources, or use of non-shared resources. How does it do all of this? FlexCast could be considered a deployment mechanism that makes use of Streamed VHD, PXE Boot, and ICA/HDX clients.

Streamed VHD

By far the most interesting tool is Streamed VHD. In this deployment model, FlexCast downloads a virtual hard disk (VHD) to a physical host or virtual machine running locally or within a shared infrastructure. The VHD is then treated just like any other disk available to the system. The Streamed VHD is mounted and the application within is then accessed. This processed is completely handled by the FlexCast client which is in reality ICA or HDX.

PXE Boot

FlexCast delivers fully operating systems including all applications via PXE Boot, which can be used to install a physical machine or VM on boot of the device.

ICA/HDX Clients

FlexCast also makes use of the more traditional ICA client to access shared applications in its normal means as well as using HDX is designed to give a much better “user experience” when accessing published applications or virtual desktops.

FlexCast provides a way to segment your workforce by group based on your level of trust in the workforce as well as your level in trust of the end point resource.¬† This level of Trust is defined as how much you ‘Trust’ your data on the particular end-point or in the hands of the worker. For Citrix, security is based entirely on the location of the data. Here is a breakdown of where the data resides by FlexCast functionality:

  • XenClient for local VM usage – Data on the End Point Device
  • Streamed VHD – Data on the Device (end point or within the data center)
  • Hosted Blades – Data on the Device
  • Hosted VDI – Data within the VM within the Data Center
  • Hosted Share (aka ICA) – Data within the Data Center

Policy is set within FlexCast to define determine which of these options will be used and how the data will be accessed. The theory is that it is more secure have your data only within the data center. FlexCast products use industry standard protocols to perform any streaming of data, operating system, and applications. However, only some of these protocols are encrypted. Actually, unless you are using the ICA/HDX tools to access an application or VM within the data center the protocols may not actually be encrypted. This implies that to use some of these streamed protocols you need to first establish a VPN to the FlexCast servers. One such example of unencrypted data transfer is done using PXE Boot.

FlexCast via ICA also inspects any end point first to determine if the required security is also in place. It looks for the presence of the appropriate anti-virus and anti-malware tools, as well as the current state of the virtual machine or physical host. If the security requirements to use FlexCast in one mode is not present, FlexCast can be told to use a different mode. In essence, you can select the functionality based on your Trust of any end-point device (which could also be a virtual machine).

To make use of all the FlexCast solutions, each end point must have installed on it the ICA client. Which has always been required to make use of Citrix’s application sharing.

Each packaged delivered via FlexCast (with the exception of PXE Boot deployments on physical hardware) require that all packages be properly digitally signed. So that even if the transport is not encrypted, the package has been signed to verify the integrity of the package for use. However, for defense in depth, it is suggested to use encrypted transports such as SSL tunnels.


I am intrigued by FlexCast and also a little concerned that those using Streamed VHDs could have arbitrary code streamed to an end point unless proper defense in depth is used. While it is well and good to determine the trust of the end point. I would also like to determine the trust of the networks involved. Can you trust your internal network? As we know from discussion of Virtualization Security, this is not always the case. All management tools have weaknesses. Citrix with FlexCast has two measures of security for streamed VHDs, the suggestion of using SSL Tunnels even internally, and the use of digitally signed payloads that are verified by the ICA client before use.

However, we all know most companies do not want to use encryption within their networks so that they can see what everyone is doing and determine if there is data leakage that should not exist. Given this we have to rely upon digitally signed packages to give the proper security.  Once more this seems to be a variation of the hard outer shell for security and the soft inner networks. What we really need is for the hard outer shell to be everywhere, not just outside. Make the inside crunchy and difficult for attackers as you do the outside. Data needs to be protected from everyone, even on the inside.

FlexCast provides a unique method to dial up the level of security based on policy, and that is a very good thing when it comes to virtual desktops.

Posted in End User Computing, SecurityTagged , , , ,