Alexander Wolfe

Network Computing Blogger

Does Windows 7 Make VPNs Obsolete?

The new one-two operating system ecosystem from Microsoft -- Windows 7 on the client side coupled with Windows Server 2008 R2 on the back end -- includes a feature called DirectAccess, which automatically connects users to their enterprise network without going through a VPN client, effectively eliminating the need for users to fiddle with (or hide from) virtual private network clients.

DirectAccess connects users over IPv6 protected by IPsec; the IPsec portion provides both authentication and encryption. The other notable point is that you don't have to have IPv6 deployed throughout your organization to use DirectAccess -- you can use an IPv6-over-IPv4 tunnel -- but it helps, security-wise, if you implement a full IPv6 network.

As well, organizations can keep their VPN clients both as backup and to support legacy users.

The most interesting thing that strikes me about DirectAccess isn't so much its technical guts -- let's face it, this is nice stuff, but nothing unusual, technically speaking -- but rather the usability angle: it makes administration much easier on a lot of levels, in terms of making sure users are properly audited and are running what they're supposed to.

Personally, I know I hate the application restrictions my company imposes on me; I want to run what I want to run, and I'm also not happy with the (slow) antivirus client I've got on my laptop. So when I'm mobile, I never VPN in. (For email, I use a Webmail client.) However, I realize that, on a global level, as a network admin, you don't want folks like me. With DirectAccess, admins don't have to worry about this, because anytime you're on the Internet, you're also seen by your enterprise network, which means the latter can enforce its policies.

Here's what I wrote about DirectAccess in my recent InformationWeek feature, "Windows 7 Deep Dive":

"This connectivity-on-steroids feature will be a big worry remover, at least as far as nervous CIOs and admins are concerned. The deal here is that, with DirectAccess, you need no longer use a VPN to log onto your corporate network.

Instead, anytime you have an Internet connection, you're in. You might not know it, but you are. How? Well, Windows 7 authenticates you in the background (without your having to overtly click on a VPN icon and type in your user name and password).

DirectAccess performs user authentication using IPsec and IPv6. What, you don't support IPsec or IPv6? Well, here's the best part: If your shop doesn't have these things in place, you can roll out DirectAccess in tandem with your current VPN. This mix-and-match strategy should alleviate any worries about your corporate network going down during changeover. The real win here for admins is that DirectAccess enables organizations to deal with users who like to "hide" from the corporate network, mostly so they don't have to deal with the constant pushing-down by IT of performance-draining antivirus updates and other policies (like maybe those which keep them from playing games or watching videos on their laptops). There are probably a lot more of those folks than is commonly recognized.

Personally, as a knowledgeable user, I've always hated the fact that my machine is saddled with crap that I don't need, but I recognize that centralized policy control is there for a reason. So with Windows 7, the IT team won't have to constantly call outliers like me to ask when they're going to connect so that their PCs can get updated, audited, or otherwise put through the wringer.

I should add that, if you're at all worried that your enterprise might be degrading security by bypassing the VPN, don't be. IPsec is a very secure suite of protocols, which encrypts data packets. I should also add that DirectAccess requires enterprises to be running Windows Server 2008 R2 on the back end."

So what do you think about DirectAccess in Windows 7 and Windows Server 2008 R2? Is it a genuinely useful feature? Let me know by leaving a comment below, or emailing me directly at alex@alexwolfe.net.

Also, fyi, Microsoft has a useful white paper, entitled "DirectAccess Technical Overview." It can be downloaded here.

Follow me on Twitter at @awolfe58.
