The Hyper-V vs. vSphere Hypervisor Footprint War Continues
When it comes to hypervisors, does size really matter?
In the ongoing “footprint war” between Hyper-V 2012 and vSphere ESXi 5.1, the key is to be smaller: a smaller attack surface, that is. However, Microsoft and VMware both claim to have a smaller attack surface. My peer Brian Leis dives deep into this debate in his post in our VMware or Microsoft series. Here is an excerpt from his blog post and a link to the full article -
In my evaluation, I argue that when it comes to secure virtualization it doesn’t matter how big your footprint is, it is more how you use it. In order to understand the footprint war and why I believe the battle is moot you have to first assess and compare the architectures of both Hyper-V 2012 and vSphere ESXi 5.1 as I’ve done below. I then conclude with my thoughts on the technical merits of the security argument.
Microsoft Hyper-V uses a Microkernelized Hypervisor Design which means the hypervisor itself is very small. In Server 2012 it is about 600 kilobytes in size. As you can see in the diagram above it doesn’t have drivers in the hypervisor because it relies on a “special” virtual machine that has the hardware drivers in it. This means vendors don’t have to write drivers for Microsoft Hyper-V in addition to Windows drivers. You can just use the Windows drivers. This architecture, just as with VMware, has some good and some not as good points.
- No 3rd party APIs for hackers to code against in Hypervisor
- No global AV option that could compromise all VMs
- Lots of hardware choices because it relies on the Windows drivers.
- 600k Hypervisor running in Ring –1 vs. 144 Meg in vSphere 5.1
The Not as Good
- No APIs for third parties to add value in hypervisor
- No option to run Antivirus in the Hypervisor
- Requires hardware with CPU virtualization Extensions
- Requires Windows Management Partition for the drivers
Check out the full article on his blog -