Does Windows 7 Make VPNs Obsolete?
Posted by Alexander Wolfe on September 10, 2009
The new one-two operating system ecosystem from Microsoft -- Windows 7 on the client side coupled with Windows Server 2008 R2 on the back end -- includes a feature, called DirectAccess, which automatically connects users to their enterprise network without having to go through a VPN client, effectively eliminating the need for users to fiddle with (or hide from) virtual private network clients.
DirectAccess connects users via IPv6 over IPsec. The IPsec portion is used for both authentication and encryption. The other notable point is that you don't have to have IPv6 deployed throughout your organization to use DirectAccess -- you can use an IPv6-over-IPv4 tunnel -- but it helps, security-wise, if you implement a full IPv6 network.
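To make the "IPv6 over IPsec, optionally tunneled over IPv4" layering concrete, here is an added example (not code from the article or from Microsoft) that parses a constructed IPv6-in-IPv4 packet, the kind a 6to4 tunnel produces, and reports what a network observer on the IPv4 side can read: the outer IPv4 endpoints, the inner IPv6 addresses, the client's public IPv4 embedded in a 6to4 address, and whether the inner payload is IPsec-protected (next header ESP or AH). All addresses and packet bytes are constructed for the illustration; the check assumes IPsec shows up as ESP/AH directly after the IPv6 header, and it does not cover the Teredo or IP-HTTPS encapsulations DirectAccess can also use. An administrator could run the same logic over captured protocol-41 traffic to confirm that tunneled sessions are actually IPsec-protected.

```python
"""Parse an IPv6-over-IPv4 (IP protocol 41) packet and report what is visible
on the wire.  Added illustration, not the article's or Microsoft's code.
Packet bytes and addresses below are constructed, not captured."""
import ipaddress
import socket
import struct

PROTO_IPV6_IN_IPV4 = 41   # IPv4 protocol number for an encapsulated IPv6 packet
NEXT_HEADER_ESP = 50      # IPsec Encapsulating Security Payload
NEXT_HEADER_AH = 51       # IPsec Authentication Header
NEXT_HEADER_TCP = 6
SIXTO4 = ipaddress.IPv6Network("2002::/16")  # 6to4 prefix (RFC 3056)


def build_ipv4_header(src, dst, payload_len, proto=PROTO_IPV6_IN_IPV4):
    """Minimal 20-byte IPv4 header (no options; checksum left at 0 for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       0x4000, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_ipv6_header(src, dst, payload_len, next_header):
    """Fixed 40-byte IPv6 header: version 6, traffic class 0, flow label 0."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)


def embedded_ipv4_from_6to4(addr):
    """6to4 addresses (2002:WWXX:YYZZ::/48) carry the host's public IPv4 in bits 16-47."""
    if addr not in SIXTO4:
        return None
    return str(ipaddress.IPv4Address(addr.packed[2:6]))


def parse_tunneled(packet):
    """Describe an IPv6-in-IPv4 packet; return None if the outer protocol is not 41."""
    if len(packet) < 20:
        raise ValueError("short packet")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    if proto != PROTO_IPV6_IN_IPV4:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    inner = packet[ihl:total_len]
    if len(inner) < 40:
        raise ValueError("truncated inner IPv6 header")
    vtf, _plen, next_hdr, _hlim, isrc, idst = struct.unpack("!IHBB16s16s", inner[:40])
    if vtf >> 28 != 6:
        raise ValueError("inner packet is not IPv6")
    isrc6 = ipaddress.IPv6Address(isrc)
    return {
        "outer_src": socket.inet_ntoa(src),
        "outer_dst": socket.inet_ntoa(dst),
        "inner_src": str(isrc6),
        "inner_dst": str(ipaddress.IPv6Address(idst)),
        # Only the payload after ESP/AH is protected; every header above is cleartext.
        "ipsec_protected": next_hdr in (NEXT_HEADER_ESP, NEXT_HEADER_AH),
        "src_6to4_embedded_ipv4": embedded_ipv4_from_6to4(isrc6),
    }


def make_sample(next_header, payload=b"\x00" * 16):
    """Constructed sample: a 6to4 client (public IPv4 203.0.113.10) talking to 2001:db8::1."""
    inner = build_ipv6_header("2002:cb00:710a::1", "2001:db8::1",
                              len(payload), next_header) + payload
    return build_ipv4_header("203.0.113.10", "192.0.2.1", len(inner)) + inner


SAMPLE_PROTECTED = make_sample(NEXT_HEADER_ESP)   # IPsec-protected tunnel traffic
SAMPLE_PLAIN = make_sample(NEXT_HEADER_TCP)       # tunneled but unprotected
SAMPLE_NOT_TUNNEL = build_ipv4_header("203.0.113.10", "192.0.2.1", 0, proto=NEXT_HEADER_TCP)

if __name__ == "__main__":
    for name, pkt in [("protected", SAMPLE_PROTECTED), ("plain", SAMPLE_PLAIN),
                      ("not-tunnel", SAMPLE_NOT_TUNNEL)]:
        print(name, parse_tunneled(pkt))
```

The point the parser makes is the one the paragraph hints at: with a tunnel, the IPv4 network still sees both the outer and the inner addresses, and a 6to4 address even discloses the client's public IPv4, so the IPsec layer protects the payload but not the addressing.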
As well, organizations can keep their VPN clients both as backup and to support legacy users.
The most interesting thing that strikes me about DirectAccess isn't so much its technical guts (let's face it -- this is nice stuff, but nothing unusual technically speaking) but rather the usability angle. As in, it makes administration much easier on a lot of levels, in terms of making sure users are properly audited and are running what they're supposed to.
Personally, I know I hate the application restrictions my company imposes on me; I want to run what I want to run, and I'm also not happy with the (slow) antivirus client I've got on my laptop. So when I'm mobile, I never VPN in. (For email, I use a Webmail client.) However, I realize that, on a global level, as a network admin, you don't want folks like me. With DirectAccess, admins don't have to worry about this, because anytime you're on the Internet, you're also seen by your enterprise network, which means the latter can enforce policies and so on.
Comment by tyniem on September 11, 2009 1:23 PM
Speaking as someone who hasn't used DirectAccess - but will begin evaluating it soon - I believe it will prove to be very beneficial. We maintain both SSL and IPSec VPN connections for our employees. Being able to remove the IPSec VPN and the dedicated concentrators that go along with it will be helpful for us if we can make it happen.
Comment by David on September 14, 2009 10:34 AM
How does this feature work with virtualization? We virtualize a lot of our servers and would likely continue to do so with Server 2008. Does the network layer abstraction imposed by something like VMWare prevent the DirectAccess from working?
Comment by CISO on September 23, 2009 11:26 AM
I am not that worried about the security of the implementation (well, not THAT worried anyway) as the weakness of this "always connected to the network" approach lacks 2-factor authentication mechanisms.
Comment by Willie on September 23, 2009 2:00 PM
CISO brings up a great point about 2-factor authentication. If you are in a shop where PCI compliance is a concern, can 2-factor be used? My assumption (since you are always connected) would be yes, but I haven't yet had a chance to play with 2008.
Comment by JWalk on November 9, 2009 5:25 AM
You're kidding right??
Have you really looked at this thing...
You do realize that users have to be joined to the domain to use this thing. That could be a problem on the road. That could be a problem working from home as well. Windows still runs scripts dog slow over a broadband connection.
This is as awful as the Edge Transport server role in Exchange 2007/2010. Anyone with Postini and passing knowledge of a Cisco ASA can provide better connectivity with superior security. IPv6? So what, that's not exactly ahead of the curve. It's been available for almost a decade but issues with privacy have rightly kept it out of the mainstream. Do you really want an IP address that follows you everywhere and identifies you to anyone who can use dig?
No thanks, I'll run their servers, dabble with Hyper-V, but I have yet to see Microsoft get networking right and let's not even start down the security road.