Posts Tagged ‘Microsoft DirectAccess’

Microsoft’s DirectAccess: Reinventing VPN

June 8, 2009

By Tim Cronin

As we know, Virtual Private Networking (VPN) is a technology that allows remote systems to connect to a local system in a secure manner.  This is what Microsoft’s DirectAccess is setting out to do as well.  Microsoft is marketing the new remote access tool as somewhat of a revolution, claiming that you can throw the VPN out with the bathwater.  This is not necessarily the case, but DirectAccess may still herald a new generation of VPN technologies.

WHAT IS DirectAccess

DirectAccess is a technology that allows Vista, Server 2008 and Windows 7 to connect with the office LAN seamlessly, without having to log into any clients.  DirectAccess is also being used to remotely manage remote PCs without the PCs needing logged in user (for instance, you can push a new update to an idle PC).  This technology comes at a time when there are a multitude of remote technologies to choose from so Microsoft is distinguishing itself by saying that DirectAccess is basically a hands-off technology.  The user doesn’t need to do anything except get a network connection and log into the machine as normal – the OS takes care of the rest. 

HOW IT WORKS

Despite Microsoft’s marketing, DirectAccess is a VPN technology with new functionality.  For those familiar with configuring VPNs, DirectAccess uses IPSec to tunnel the remote system to a DirectAccess server.  The DirectAccess server then authenticates the system and, if configured, authenticates the user.  Both of these steps rely on certificates (and the option of smart cards for multi-factor authentication for the user).  From here, there are differences in topology and design from which you can choose.  You can use “End to End” (security to the application server) or “End to Edge” (security to the perimeter, then letting unsecured traffic on the LAN). 

One key piece of information that must be taken into account: DirectAccess uses IPv6 as the preferred protocol.  You can use IPv4, but there will be extra steps that you may need to take.  There are several more key points to the connection for which I will refer you to Microsoft’s documentation at http://www.Microsoft.com/servers/directaccess.mspx.   

SECURITY CONCERNS

Microsoft has taken steps to make sure that security of this technology is the focus and seems to have been successful.  When this technology is configured properly and used properly, I can see a step forward with this technology.  That being said, DirectAccess does assume some things.  The most glaring is that user authentication is not required. If a user’s laptop is stolen and not reported in time, then it is conceivable that an attacker would have access to your internal network.  Although, they may not be able to log into the domain, there is still an IPSec connection between the attacker and the LAN.  This will make the use of full disk encryption even more necessary.  Also, the fact that there are so many technologies involved in order to get a connection is a concern.  If any one of them has a vulnerability it can be a problem to say the least.

END OF THE VPN?

All-in-all, I don’t think DirectAccess will herald the end of the VPN.  I think that there may be some changes, but VPN is here to stay for the moment.  The public information on DirectAccess is still a bit hazy on site to site connections (in fact, I am not sure it’s possible).  For this reason VPNs are still going to be in use.  Also, remote access VPN technologies, as they exist today, will adapt to new market requirements.  I foresee the major VPN vendors keeping pace with Microsoft.

Advertisements