By Lisa Vaas -
Dec 22, 2009

Windows 7’s DirectAccess is a win for users: convenient network access, no virtual private network needed. But it’s a stickier prospect vis-a-vis security and administration.

Think of the new DirectAccess feature in Windows 7 as VPN without thought. Your enterprise’s users can be out there, blithely roaming the world. They never have to tinker with a VPN connection to access the network. Instead, they just flip open their laptops and reach corporate resources whenever they have Internet access: while traveling, at home, or at the local coffee shop.

Here’s the $64,000 question: Does that idea make your typically-tense system administrator shoulders relax a little, or did it make your security senses break out in a cold sweat?

On the plus side, IT administrators are champing at the bit when it comes to the thought of always-on access to the network. DirectAccess promises the prospect of users’ files always being synced, with automatic deployment of settings via Group Policy as well as automatic updating of anti-virus or other software, all without the need to install special client software.

Among the potential downsides: the very idea of precious corporate resources hanging out there with users’ always-on connections, in notoriously bad security environments such as WiFi hotspots, prey to cyber-attack. Or how about this one: DirectAccess requires IPv6, complete with the migraine-inducing prospect of relying on IPv4 tunneling technologies such as Teredo or 6to4.

To unravel both the hype and the heebie-jeebies, and to get a clear idea of the hoops enterprises should expect to jump through if they want to use DirectAccess, I got input from three groups of typical suspects:

Without further ado, here’s the good, the maybe bad and the potentially bugly, along with best practices to counter the latter two categories.

The Good

Jeff Field, IT manager, K-12 Education, works for the Clayton Board of Education in Clayton, N.J. The Board of Education has about 200 employees and about 1,500 users. Field’s in charge of over 500 desktops and laptops, over 90% of which were running Windows 7 in the fall. Field hopes that 100% will be running Windows 7 by year’s end.

Pre-Windows 7, only a few people at the administrator level had remote access, but Field says he’d love to get his hands on an easy way to allow all users remote access — “Which is why I’m excited about DirectAccess,” he says.

One might be justified in asking, though, if you want to give your remote users access to the network, what’s wrong with setting up a plain old VPN? The technology is tried and true, after all.

The problem, Field says, is that VPNs are neither easy to use nor to set up, in his experience, and they add yet another piece of complicated software to his image beyond the operating system itself.

DirectAccess makes it easier for users to get access because the function is built right into Windows 7 Enterprise. As such, “I don’t need to worry about special client software and I can deploy settings automatically via Group Policy,” Field says.

Field has a specific headache he’s hoping DirectAccess will ease: file synchronization. “Someone might take their laptop home for weeks or months at a time, and it won’t synchronize their files on the network until [the laptop] is brought back in.” He anticipates that DirectAccess will make his life easier because he “won’t need to worry about people losing files because they rarely bring in their laptop,” he says.

Field plans to enable the DirectAccess feature on teachers’ and other staff laptops, but he isn’t ready to kiss VPN technology goodbye just yet. “I will continue to use a VPN myself, if only because I need something that is independent of the Windows network in case things go awry,” he says.

How did he justify the cost of the physical server that DirectAccess needs? (For a complete list of DirectAccess requirements, see the chart at the end of this article.) By making do with what he has instead of buying a brand-new computer. “It is recommended to be a new physical server — but sometimes you have to improvise!” Field says.

His primary cost-justification rationale is that DirectAccess provides users with an incredibly useful feature. The DirectAccess system will be locked to the Clayton Board of Education’s computers and not used from users’ home computers; all computers will be isolated from the existing network. “Security risks can be reduced — but never eliminated,” Field says. “By following best practices I hope to make it clear that this can be used securely to increase our users’ access to our system.”

The Potentially Bad

To counterbalance all that optimism, professional system administrators from LOPSA and Sophos’ Wisniewski share similar security concerns about DirectAccess. They’re also concerned about getting tangled in implementing IPv6 — technology that’s far from broadly understood, let alone adopted.

IPv6 is designed as the next-generation replacement for Internet Protocol Version 4, which is still the predominant implementation but which eventually will run out of address space. For more on DirectAccess and IPv6, especially the IPv6 techie details, see Windows 7 and IPv6: Useful at Last?

As Wisniewski noted in an August 2009 blog posting, DirectAccess requires IPv6 both on the intranet and on workstations. Unfortunately, not many enterprises have IPv6 technologies deployed. Nor do IT administrators know how to use the technology, he says. In addition, to manage clients still using IPv4 (which includes most, if not all, clients), Microsoft recommends using tunneling technologies such as Teredo or 6to4 to transmit IPv6 traffic through network address translators.

Such a setup introduces additional overhead and complexity for administrators to support, Wisniewski says. In addition, enterprises that don’t yet have IPv6-enabled corporate resources will need yet another server, Network Address Translation/Protocol Translation (NAT-PT), to enable communication between endpoints and IPv4 resources. All that adds up to a complex infrastructure, Wisniewski says, and complexity is, after all, the enemy to security.

“DirectAccess, it’s portrayed as the holy grail of remote connectivity, like I don’t have to do anything [to connect] a remote user. It just works, and that’s what you want,” Wisniewski says. “But … realistically, we may never see IPv6 deployed on the Internet.”

In fact, many admins disconnect IPv6, even on Windows 7, where it’s deployed by default, he says, because it bogs down performance. “[The operating system] prefers that [IPv6] interface, especially Windows 7 and Windows Server 2008. You’ve got IPv6 and IPv4 both listed. When you surf, the machine by default tries to connect with IPv6. Then if it’s not working, it tries IPv4. Every transaction is slowed by micro amounts as the operating system tries to see if it can use [IPv6]. All it does is cause micro delays. A lot of admins say, ‘I’ll just turn that off.’”

If we were already living in an IPv6 world, DirectAccess would be “awesome,” Wisniewski says. But we’re not, so it raises concerns. For one thing, DirectAccess administrators have to use Teredo or 6to4 tunneling, and those “are not trivial to get going,” he says. Even if admins get those tunneling protocols going, he says, “There are other concerns with internal things supporting IPv6. Every tool I have doesn’t seem to work over IPv6, which means you’ll have another translation server in place.”
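The transition addresses discussed above are not opaque: a Teredo or 6to4 address carries the client’s or router’s public IPv4 address (and, for Teredo, the NAT-mapped UDP port) inside the IPv6 address itself, which is what a firewall or log reviewer needs to see to correlate tunneled traffic with the IPv4 endpoint that actually sent it. The following decoder is an added example, not code from the article or from Microsoft; it follows the address layouts in RFC 4380 (Teredo), RFC 3056 (6to4) and RFC 5214 (ISATAP), and the sample addresses in the comments are constructed from documentation ranges.

```python
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")     # RFC 4380
SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")  # RFC 3056


def classify_transition_address(addr: str) -> dict:
    """Classify an IPv6 address as Teredo, 6to4, ISATAP or native and
    extract the IPv4 endpoint(s) embedded in it.

    Bit positions below count from the most significant bit of the
    128-bit address, as the RFCs do."""
    ip = ipaddress.IPv6Address(addr)
    raw = int(ip)

    if ip in TEREDO_PREFIX:
        # bits 32-63: Teredo server IPv4; bits 80-95: client UDP port;
        # bits 96-127: client public IPv4. Port and address are stored
        # XORed with all-ones so that NATs do not rewrite them.
        server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
        port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
        client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return {"kind": "teredo", "server": str(server),
                "client": str(client), "port": port}

    if ip in SIXTOFOUR_PREFIX:
        # 2002:WWXX:YYZZ::/48 -> the 6to4 router's public IPv4 W.X.Y.Z
        router = ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF)
        return {"kind": "6to4", "router": str(router)}

    # ISATAP: interface identifier is 0000:5EFE:w.x.y.z, or 0200:5EFE:...
    # when the u/l bit is set for a globally unique IPv4 address.
    iid = raw & 0xFFFFFFFFFFFFFFFF
    if ((iid >> 32) & 0xFDFFFFFF) == 0x00005EFE:
        host = ipaddress.IPv4Address(iid & 0xFFFFFFFF)
        return {"kind": "isatap", "host": str(host)}

    return {"kind": "native"}


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges, not real hosts).
    for sample in ("2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo
                   "2002:c000:204::1",                      # 6to4
                   "fe80::5efe:c000:205",                   # ISATAP
                   "2001:db8::1"):                          # native
        print(sample, "->", classify_transition_address(sample))
```

Because the embedded IPv4 address is the one a NAT or IDS will actually see on the wire, a policy that allows only corporate tunnel endpoints can be checked against these decoded values rather than against the IPv6 address alone.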

And then there’s security.

Admin Tom Perrine, chiming in on the LOPSA forum when asked to contribute thoughts for this article, had four major DirectAccess concerns. As an enterprise customer, he needs to be able to at least:

  • set specific policies (no split tunneling)
  • force specific VPN technology including encryption algorithms (IPSEC, AES, etc.)
  • ensure proper key and credential management, including two-factor or challenge/response
  • audit activities while user is connected to the VPN.

According to Sophos’ Wisniewski, concerns about split tunneling arise from the fact that Microsoft chose Point-to-Point Tunneling Protocol (PPTP) — a protocol widely believed to be insecure from the get-go — to be the default method of using DirectAccess. “Microsoft has chosen this to be the default method of using DirectAccess, … continuing a tradition of insecure default settings,” he blogs. “They proclaim it to be for performance reasons, which has a degree of truth to it, but the risk associated with allowing endpoints to communicate directly with their home LANs, the Internet, and unsecured WiFi access points in public negates any minor performance increase that may be had. The majority of attacks against computers are over the Web, so leaving a workstation open to the Web while accessing sensitive corporate data is counter-intuitive.”

This concern may be trivial, however, for two reasons.

First, most enterprise customers have global security policies that disallow split tunneling. “Our global policy specifies that ’split tunneling,’ a simultaneous connection to the public Internet and our internal network, is prohibited,” Perrine wrote in the LOPSA discussion. “We are forced to require a VPN client that allows us to force that particular option in the client in such a way that the user can’t turn it off. Sure, they want to print to their home printer while connected to our VPN, or access their home server with all their MP3s, but that’s specifically what we must prevent. If you don’t think this is important, I can refer you to any number of corporate breaches.”

And second, split tunneling may be the default in DirectAccess, but it’s simple — and it’s common — to just turn it off. “A best practice would be to turn off split tunneling and make everything come thru the VPN,” Wisniewski says.

Some LOPSA members also brought up the specter of users potentially making mistakes regarding what resources belong to the company. Could users potentially leave company information on non-company systems if they don’t have to fire up a VPN connection? Field wasn’t worried about the prospect, given that all of the computers that will be accessing the Clayton Board of Education’s system will be provided by the Board, “so they will be well aware it is a school system they are using.”

What about leaving open connectivity to the company network on a home PC? Or keeping the laptop running in a hotspot of dubious security, such as an airport or coffee shop? Doesn’t that make it easier to attack the company network? Field admits that it could happen, but it’s up to the network administrator to make sure it doesn’t by enforcing health requirements and proper isolation. At any rate, his users will only use DirectAccess to gain access to their Outlook-based e-mail and their own files. Most services they use are already available via a Web interface.

More Best Practices

Beyond turning off split tunneling as a default, best practices around DirectAccess mostly have to do with figuring out how to properly manage IPv6 and ensure compatibility, Wisniewski says. He cited a study that analyzed how many enterprise firewall vendors properly support IPv6; it found that very few vendors properly support it in enterprise products, he says. Fewer vendors still have proper analysis and packet inspection for IPv6.

A top priority is educating the IT department on IPv6 security issues, he says. “Make sure that your firewall vendors are able to support it properly and that staff understands company policy for IPv6,” he says. “The average IT guy, we haven’t had to deal with it much.”

Field says that IPv6 is his number-one issue. “We have no IPv6 infrastructure yet … IPv6 is something that I’ve been peripherally aware of but isn’t something I’ve dedicated much time to, and I still need to learn more.”

DirectAccess Requirements

  • One or more DirectAccess servers running Windows Server 2008 R2 with two network adapters: one that is connected directly to the Internet, and a second that is connected to the intranet
  • Two consecutive, public IPv4 addresses on the DirectAccess server
  • DirectAccess clients running Windows 7
  • At least one domain controller/DNS server running Windows Server 2008 SP2 or Windows Server 2008 R2
  • PKI infrastructure to issue certificates
  • IPsec policies to set security rules for traffic
  • IPv6 transition technologies on the DirectAccess server: ISATAP, Teredo, and 6to4.
  • Optionally, a third-party NAT-PT device to provide access to IPv4-only resources for DirectAccess clients.

Source: Adapted from Microsoft TechNet


COMMENTS

  • Dec 22, 2009 | Otto says:

    The other $64,000 question is – will Microsoft poison their IPV6 services so that non-Windows users are excluded? They have a long and storied history of doing exactly that sort of thing.


  • Dec 23, 2009 | Reader says:

    Microsoft makes available a product called Unified Access Gateway (UAG), which enhances DirectAccess deployments by several things:
    1. Adds support for multiple linked machines (load balancing, fault tolerance)
    2. Provides NAT-PT services for IPv4 only corporate networks
    3. Offers an easy management solution for DirectAccess

  • Dec 23, 2009 | Yannick says:

    I'll comment vpn's in an environment where every machine can have a public ip address, which is the case where I work.

    Well, I think the basic argument for using vpn's is flawed. It's based on prehistoric security practices, as ineffective and old-fashioned as they are a pain for the end-user. Those bad practices are based on the principle that someone gets access to resources based on its IP address and the fact that they are "from the enterprise network". VPN's give someone an IP address on the enterprise network. If someone can get one, he'd probably get access to corporate resources, if there aren't additional security restrictions. Which is too often the case if sysadmins think that the corporate network is safe.

    As a sysadmin, I consider that the network is insecure. And that users can't be identified by an IP address. All services should be secured on their own (strong encryption, strong authentication, …). And guess what? Once you do that, it isn't that difficult to implement, and much more comfortable for your users. They can access your secure services from everywhere the same way. And your security is much simpler and more reliable.

  • Dec 23, 2009 | testman says:

    “But … realistically, we may never see IPv6 deployed on the Internet.”

    Well, is this guy kidding or what? I mean, Google is already providing IPv6 for most of their services. My ISP also provides plain IPv6 for millions of their users (Iliad/Free) as part of their DSL basic plan.

    Not caring about IPv6 or not being IPv6 ready does not mean the rest of the world is not IPv6 ready or the rest of the world does not care about IPv6.

    This is US-centrism again I am afraid. The same kind of US-centrism that led Slashdot to keep Latin-1 pages and not switch to UTF-8 ;-)
