Looking for an always-on mobile connection to your enterprise network? How about a VPN-type link that doesn't require users to manually connect to a virtual private network?
Microsoft's DirectAccess may be the solution.
With DirectAccess all that is needed to create a seamless mobile computing experience for users is Windows 7 Ultimate or Enterprise on the desktop and Windows Server 2008 R2 at the network perimeter. Check out Microsoft's detailed list of technical requirements.
More on upgrading to Windows 7:
But are the Windows upgrades and extra network configurations worth it -- especially when users can just click on a VPN link from their desktops? They could be.
The benefits of DirectAccess include:
- Single user interface for connecting to the Internet and intranet (including no separate mobile broadband client)
- No firewalls or proxies getting in the way of intranet access
- Streamlined remote user management allowing for group policies and Windows updates to be pushed out any time the computer is connected to the Internet with no network login required (Just make sure your mobile broadband users have unlimited access plans and understand that remote connections may run slower at times.)
- IPv6 running over IPsec to ensure that there are enough Internet Protocol addresses and that communications are secure (Finally, an IPv6 application we can relate to.)
- Integrates with Network Access Protection (not that anyone's using it)
- Granular controls for restricting which internal servers and applications are accessible based on where the user is located
- Scripting options via PowerShell and a comprehensive support/resources page
Microsoft is also touting DirectAccess's ability to separate Internet traffic from intranet traffic to reduce IT costs and free up valuable bandwidth and other resources. But I don't see what the big deal is -- this functionality has been around with VPNs forever. If you do want to control remote Internet access (for things such as content filtering and employee monitoring) and can justify the bandwidth, you could use DirectAccess to tunnel all traffic through your enterprise Internet connection.
What's the bottom line?
Will DirectAccess be a VPN-killer? Maybe -- but not anytime soon. And what about security risks – will DirectAccess increase their likelihood? Perhaps -- through an expanded attack surface. Furthermore, when you've got careless users leaving their systems unattended and screens unlocked in public places, it'll be that much easier for someone to gain unauthorized access into your enterprise network. But DirectAccess can also help reduce security risks by allowing administrators to better maintain remote Windows systems. So the excuse "our users never come into the office" will no longer be valid when outdated Windows patches and antivirus signatures are found during vulnerability assessments and security audits.
DirectAccess can simplify enterprise desktop management and take us to that next level of mobile computing we've needed to get to for a few years. But given the security implications, make sure you think things through and have a plan before deploying DirectAccess. As with any new technology, convenience and complexity translate very nicely into security exploits.
ABOUT THE AUTHOR:
Kevin Beaver is an information security consultant, expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. In the industry for over two decades and having worked for himself the past eight years, Beaver specializes in performing independent security assessments in support of compliance and managing business risks. He has also authored/co-authored seven books on information security, including Hacking for Dummies and Hacking Wireless Networks for Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Beaver can be reached at www.principlelogic.com.
This was first published in March 2010