Security Advisor

Can DirectAccess Replace Your VPN?

Despite some drawbacks, DirectAccess will likely become the preferred remote-access method as Windows 7 becomes more prevalent.

Windows Server 2008 R2 and Windows 7 will appeal to IT organizations that would be happy to ditch their VPN infrastructures for a more viable alternative. That's now possible with DirectAccess, a new technology that lets mobile users connect securely to an internal network from the Internet without having to use VPN connections.

With DirectAccess, client computers establish IP connections to corporate resources, such as application servers, whether they're plugged into your internal network or connected to the Internet. It uses the standard IP-based security protocol IPSec between the client and the server, ensuring mutual authentication and encryption of all network packets. In addition to IPSec, DirectAccess uses IPv6 for all network traffic between a client and a server.

To enable IPv6 traffic across an Internet connection that most likely only supports IPv4, DirectAccess encapsulates IPv6 traffic in IPv4 packets using several different methods. Even more impressive, if the traffic must traverse an existing firewall or proxy server that only allows HTTP, all IPv6 traffic can be encapsulated in HTTPS packets. As a result, you might have HTTP traffic in IPv6 packets, which are encapsulated in HTTP packets that are transmitted using IPv4.

How Does It Work?
With DirectAccess, all client connections from the Internet to internal servers are established through one or more DirectAccess servers, which all must be running Windows Server 2008 R2. A DirectAccess server can be connected directly to the Internet or it can be located behind your firewall.

If you've deployed IPv6 in your internal network, the DirectAccess server handles any encapsulated packets connected via the Internet and forwards all IPv6 traffic to the internal application server. If IPv6 is not available internally, DirectAccess forwards traffic to application servers using IPv4. When using IPv4 internally, packet-level encryption and authentication only occurs between the client and DirectAccess server, and packets travel across the internal network unsecured.

Is It Secure Without VPN?
If you're accustomed to using VPNs, you can probably think of some potential security risks that DirectAccess might create. However, on closer examination you'll find that most of them -- if not all -- have been addressed by Microsoft. To begin with, only computers that have a valid and trusted certificate can connect from the Internet. These are most likely the same computers that are already plugged into your network at other times. The only difference is how they're connected.

Worried about not being able to monitor the traffic between external clients and internal servers? If so, you should be just as concerned when the same computers are back on the local network, and you may need to monitor your internal network instead of just the network perimeter. What about malware-laden or insecurely configured remote clients connecting to your network? You can combine DirectAccess with Network Access Protection (NAP) to enforce a number of security settings and prevent computers that don't meet your requirements from connecting.

DirectAccess effectively extends your internal network to your mobile computers while they're out of the office. As far as users and applications are concerned, connections to internal resources happen automatically, regardless of how the mobile clients are connected.

Of course, there are some obstacles to DirectAccess. Most noteworthy are the system requirements. You'll need at least one DirectAccess server running Windows Server 2008 R2, and the clients must run Windows 7. Also, DirectAccess depends on IPSec, IPv6 and a Public Key Infrastructure for the computer certificates.

Despite these drawbacks, DirectAccess will likely become the preferred remote-access method as Windows 7 becomes more prevalent, and you should start becoming familiar with it now so you'll be ready once your Windows 7 deployment takes off. The best way to start is to review the resources on the DirectAccess page on TechNet.

About the Author

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide.


comments powered by Disqus

Subscribe on YouTube