Product : Citrix, XenServer/7, Enterprise
Feature : Security, Other, Management
Content Owner:  Roman Macek
Summary
Direct Inspect APIs and Basic (NetScaler - Fee-Based Add-On)
Details
XenServer 7.0 Enterprise Edition supports Direct Inspect APIs, enabling a supported security solution to use Xen to provide security software isolation. This enables the introspection of what is going on inside a VM from a privileged service VM on the same host, which is a radical departure from the current generation of malware detection based on in-guest agents. The Direct Inspect APIs are fully supported, and enable third-party security products such as Bitdefender's GravityZone to monitor and protect virtual infrastructures against malicious activity:
- Guest memory can be watched in real time, detecting advanced threats as they attempt to execute inside the VM
- By virtue of the isolation the hypervisor provides, the security solution can no longer be attacked by the threat

XenServer uses netfilter/iptables firewalling.
The fee-based NetScaler provides various (network) security-related capabilities, for example:
- NetScaler Gateway: secure application and data access for Citrix XenApp, Citrix XenDesktop and Citrix XenMobile
- NetScaler AppFirewall: secures web applications, prevents inadvertent or intentional disclosure of confidential information and aids in compliance with information security regulations such as PCI-DSS. AppFirewall is available as a standalone security appliance or as a fully integrated module of the NetScaler application delivery solution and is included with Citrix NetScaler, Platinum Edition.
Details here: http://bit.ly/17ttmKk