Windows Insider

Joys and Perils of the Always-On VPN

How to get the benefits of an always-on VPN while mitigating the security risks.

• By Greg Shields
• 05/02/2011

I recently discovered LogMeIn Hamachi, and it's everything Microsoft DirectAccess should have been. The reason: Dead simplicity. In 20 minutes, its software was installed and an always-on virtual private network (VPN) connection was established into my LAN. From a hotel in Alaska, my laptop was once again a member of my domain in Colorado.

Anyone who's suffered the pains of working while traveling will immediately see the joy in this technology. With 20 minutes of effort, I was calling up files from my laptop's Run prompt using nothing more than \\servername\share. I could print them on the printer back at the office. I was once again a productive member of my Windows domain, even as I was thousands of miles away.

Yet what's most impressive is that productivity came with exactly zero change to my usual workflow. I powered on my laptop and connected to the Internet, and I was automatically on the LAN. That simplicity is quite possibly the biggest road warrior productivity boost I've seen in years.

Worth the Risk
The always-on VPN is at the same time our industry's most exciting and most perilous new technology. With it, the road warrior employee is never more than a UNC path away from his files and folders. Accessing internal applications works no differently (albeit a bit more slowly) than it does on the LAN. Connecting a laptop to any network automatically returns that laptop to its Windows domain with all the functionality that connection bestows.

Yet these open and free connections also send shivers down the spines of many security professionals. Enabling them means extending your LAN outside the protections of your brick-and-mortar. Every connecting laptop is at the same time on the LAN and also in the dirty, unsecured and untrustworthy wild. Connections and data transfer are secured via authentication, encryption and traffic filtering, but there's always that risk of a hacked machine in some coffee shop becoming the vector for a LAN-wide exploit.

But I'm an optimist when it comes to security. I've also seen the evolution of security technologies over the years. In my experience, a hacked machine gets hacked most often when it's behind on updates and configurations. It stands to reason, then, that a road warrior's security liability isn't with his connection -- it's with his configuration.

That's why an always-on VPN is a brilliant approach for managing the "rarely in the office" employee: its VPN goes in both directions. As the user is conveniently connected to LAN resources, your management tools are at the same time conveniently connected to the user. Updates, configuration changes, anti-malware signatures, new software -- all the typical IT management tasks that used to wait until employees returned home now occur at all times and in all places.

DirectAccess Challenges
So, while the always-on VPN is indeed a peril, do its joys outweigh the risk? There's an argument that they do. Microsoft wouldn't have created its own always-on solution in DirectAccess had there not been a secure way to accomplish it.

Perhaps my initial assertion was a bit harsh. LogMeIn Hamachi isn't the solution that companies larger than "small" will likely find attractive.

DirectAccess arrives with manageability features and controls that bigger businesses most assuredly require.

Integrating it with the Microsoft Forefront Unified Access Gateway (UAG) extends those capabilities even further.

Where Microsoft failed with DirectAccess was in making its simplest implementation not that simple. Just getting DirectAccess running is far from a 20-minute activity. Lacking any implementation that's even remotely simple inhibits curious IT pros from testing out its joy and thus moving past worrying about its peril.

There are simpler ways to incorporate its functionality into your LAN, though all require up-front costs and time to implement. Until Microsoft simplifies its installation, or you can procure the time and budget, you might check out its alternative. Small environments can immediately benefit.