3365_evangelist-series-buttonMy Team at Microsoft is writing a series of articles this month looking at Server Virtualization between VMware and Microsoft. You can follow the full series of our articles this month at:

VMware or Microsoft? – The Complete Series

The Hyper-V vs. vSphere Hypervisor Footprint War Continues

When it comes to hypervisors does size really matter?  In the ongoing “footprint war” between Hyper-V 2012 and vShpere ESXi 5.1, the key is to be smaller, smaller attack surface that is.  However, both Microsoft and VMware both claim to have a smaller attack surface.  In my evaluation, I argue that when it comes to secure virtualization it doesn’t matter how big your footprint is, it is more how you use it.  In order to understand the footprint war and why I believe the battle is moot you have to first assess and compare the architectures of both Hyper-V 2012 and vShpere ESXi 5.1 as I’ve done below. I then conclude with my thoughts on the technical merits of the security argument.

VMware vSphere ESXi 5.1 Architecture


VMware vSphere 5.1 uses a Monolithic Hypervisor design that is about 144 Megabytes in size. As you can see in the picture above the drivers are in the hypervisor layer which leads to some good and some not as good points.

The Good

  • You have an API set in here that vendors can program against
  • Antivirus can run in this level and you can use that to scan all virtual machines.
  • You can run on CPUs that don’t have virtualization extensions
  • Only 144 Meg of code vs competitions 5 Gig*

The Not as Good

  • You have an API set in there that hackers can program against
  • Antivirus has access to all VMs – so would an exploited AV
  • You have 144 Meg of stuff running at Ring –1
  • Drivers must be written for this Hypervisor so supported hardware is limited

Microsoft Hyper-V 2012 Architecture


Microsoft Hyper-V uses a Microkernelized Hypervisor Design which means the hypervisor itself is very small. In Server 2012 it is about 600 kilobytes in size. As you can see in the diagram above it doesn’t have drivers in the hypervisor because it relies on a “special” virtual machine that has the hardware drivers in it. This means vendors don’t have to write drivers from Microsoft Hyper-V in addition to Windows drivers. You can just use the Windows drivers. This architecture, just as with VMware, has some good and some not as good points.

The Good

  • No 3rd party APIs for hackers to code against in Hypervisor
  • No global AV option that would could compromise all VMs
  • Lots of hardware choices because it relies on the Windows drivers.
  • 600k Hypervisor running in Ring –1 vs. 144 Meg in vSphere 5.1

The Not as Good

  • No APIs for third parties to add value in hypervisor
  • No option to run Anitvirus in the Hypervisor
  • Requires hardware with CPU virtualization Extensions
  • Requires Windows Management Partition for the drivers

If you are interested in reading a more indepth article on the architectures, I really like the article  at ServerWatch.com. You can find it here:

Hyper-V and VMware vSphere Architectures: Pros and Cons

So How do we Measure Size?

VMware will claim that the attack surface of Hyper-V includes the management partition and is therefor 5 gig of disk space. Microsoft will claim that one component that is often overlooked in the VMware’s footprint size argument is the management tools machine. Do you measure Hyper-V at 600k or 5 Gig in size? Do you measure ESXi at 144 Meg or do you add the Management tools Machine to this? When considering the architecture both sides have valid arguments as to who is smaller. However, I frankly don’t think it matters who is bigger.

The Security Discussion (and why the whole discussion above is silly)

Sometimes things in computer security can be complex to comprehend and sometimes they’re easy. This one is easy…

It is true that in general, one tenant in security is that a smaller attack surface reduces the areas for vulnerabilities.  However, that general principle isn’t a law. When it comes to securing your virtualization environment size doesn’t matter.  It just is not true that a smaller disk footprint allways equals a more secure product. If that were true then Windows 95, at 80 Megabytes, would be more secure than both ESXi and Windows Server 2012. We all know that just isn’t the case. Oh, if it could be that easy.

Even if a software company built software without a single vulnerability it still wouldn’t be secure on it’s own because hackers often enter in via the same way other users and administrators get in. It is the security practices that keep a system secure. It’s your people and processes that keep you secure. Do your people know how to secure Windows?

There is a great post by Edward Haletky way back in August of 2009. He talks about virtualization security where he concludes:

For each company using virtualization products it is about assessing the Risk to the environment. If you have the proper compensating controls then the risk will be mitigated.

You can read his full post here:
Measuring Hypervisor Footprints

 My Conclusion

The reality is that both products are solid offerings. Understanding which one is right for you is going to take more analysis than trying to understand which one is more secure via it’s hypervisor size. Not just because you can argue that either way but because it is irrelevant. The true analysis of the security between the two virtualization products is to look at your tools, knowledge, and processes. This is where a secure environment will come from. So can we stop the whole silly footprint thing?

The analysis I recommend is to treat it like car shopping. You see they both have horsepower and shiny wheels. So take them for a test drive. Both have trial versions that you can get from the links below.


Download Links

Windows Server 2012 Download


Windows Server 2012 R2 Preview Download


VMware Trials http://www.vmware.com/try-vmware/