The Art of VPN, Without The VPN

Like most American males, there was a period of my youth when I was drawn to martial arts films and television shows. (OK, so maybe I still am.) I remember watching everything from the ridiculously dubbed movies made overseas to the very popular, Americanized TV show “Kung Fu”. To this day there is one scene that remains particularly etched in my mind. It is a scene in “Enter the Dragon”, Bruce Lee’s last feature film prior to his untimely death. Mr. Lee is on a ship when he is approached by another fighter and asked what his fighting style is. He replies that one could call his style the art of “Fighting without Fighting”. When pressed for a demonstration, Lee lures the potential opponent into a dinghy under the pretense of traveling to a nearby island where there is adequate room for a demonstration. Once his “opponent” is in the smaller vessel, Lee loosens the small boat’s restraints so that it is no longer secured to the primary vessel; it subsequently begins to sink while being dragged through the wake of the larger boat. Lee won the fight without ever throwing a punch or exerting any real effort whatsoever. I always thought that this scene was not only very poignant but insightful as well. Lee’s calm, confident state of mind, his Zen, provided the means to defeat an opponent with intelligence rather than brute force.

Most IT administrators know the agony of “fighting” with Virtual Private Networks. Yet the need to access corporate resources from outside the boundaries of the traditional LAN is as much a requirement for business today as the internet itself. Initially there were IPSec VPN tunnels, which provided a secure means of accessing resources but required that cumbersome applications be installed on client PCs. These are difficult to troubleshoot, confusing for end users and a headache for administrators everywhere. Later the IPSec client began to give up some ground to SSL-based VPNs, which solved some of the end-user issues associated with IPSec VPNs. Often referred to as clientless VPNs, SSL VPNs relied on a common web browser to provide access to resources. This provided an easier, and familiar, interface for users, but the term “clientless” was typically an exaggeration, as the SSL VPN would still require a small client application, or applet, to be installed on the client PC. Additionally, SSL VPNs lacked some flexibility for users and created concerns for security professionals, since everyone on the internet potentially had a client (a web browser) for their VPN.

Now, imagine a “Zen-like” state of remote connectivity to resources: one where there are no cumbersome client applications to install or maintain, where access to corporate resources is granted in a secure and trusted manner, and where clients accessing corporate resources from remote networks do so as managed clients bound by the same policies as when connected to the corporate LAN. Imagine a “style” of Virtual Private Networking, without the VPN!

Enter Microsoft’s DirectAccess technology. Often referred to as “Anywhere Access” or “Always On connectivity”, DirectAccess gives companies the ability to create a boundary-less network for end users without losing the control that has become all too important in today’s security-focused IT world. DirectAccess was introduced with Windows 7 and Windows Server 2008 R2. It works by utilizing several features Microsoft added to the new network stack introduced in Vista and Windows Server 2008 and enhanced further in Windows 7. These enhancements include IPv4/IPv6 interoperability capabilities, DNS client modifications and IPSec enhancements. By utilizing these features, DirectAccess gives users the experience of always being connected to corporate resources from any location, so long as they have internet access. Furthermore, whenever and wherever that user is connected, administrators are able to manage the remote computer as well: the best of both worlds.

One question that I often hear when discussing DirectAccess is “So, how secure is DirectAccess in comparison to other VPN offerings?” My answer: “Very secure!” To establish a DirectAccess session, several identification and authorization verification processes occur. First, the client computer must be a member of the company’s AD domain. Second, the computer must also possess a special certificate issued by the domain’s certificate authority. Finally, the user must log in using domain credentials. If these conditions are met, a traditional IPSec tunnel is established to protect data in transit, much like a typical IPSec VPN. DirectAccess can even take the IPSec strategy of SDI (Server and Domain Isolation) to the next level with the option of establishing end-to-end encryption between the remote client and the internal application servers.
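As an added diagnostic (not from the original post and not Microsoft’s own DirectAccess tooling), the PowerShell below checks on a Windows 7 client the three conditions just described and whether an IPSec main-mode security association is present. The CA name fragment is a placeholder you must replace, and the “No SAs match” text used to read the netsh output is an assumption about its wording.

```powershell
# Added example: verifies the client-side DirectAccess prerequisites the post lists.
# Returns an object with one boolean per check so it can be used in a logon script.
function Test-DirectAccessPrereqs {
    param(
        # Placeholder: a substring of your domain CA's issuer name (assumed value).
        [string]$CaNameFragment = "CONTOSO-ISSUING-CA"
    )

    $result = New-Object PSObject -Property @{
        DomainJoined    = $false
        ComputerCert    = $false
        DomainUser      = $false
        IpsecMainModeSA = $false
    }

    # 1. The computer must be a member of the AD domain.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $result.DomainJoined = [bool]$cs.PartOfDomain

    # 2. The computer must hold an unexpired certificate, with private key, issued
    #    by the domain CA and carrying the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
    $clientAuthOid = "1.3.6.1.5.5.7.3.2"
    $now = Get-Date
    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.Issuer -like "*$CaNameFragment*" -and $_.NotAfter -gt $now -and $_.HasPrivateKey
    }
    foreach ($cert in $candidates) {
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                if ($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }) {
                    $result.ComputerCert = $true
                }
            }
        }
    }

    # 3. The interactive user must have logged on with domain credentials,
    #    not a local account (USERDOMAIN equals COMPUTERNAME for local accounts).
    $result.DomainUser = ($env:USERDOMAIN -ne $env:COMPUTERNAME)

    # 4. With all three satisfied, an IPSec tunnel should be up: look for a main-mode SA.
    #    Assumption: netsh reports "No SAs match" when none exist.
    $mmsa = netsh advfirewall monitor show mmsa 2>&1 | Out-String
    $result.IpsecMainModeSA = ($mmsa.Trim().Length -gt 0) -and ($mmsa -notmatch "No SAs match")

    return $result
}

Test-DirectAccessPrereqs | Format-List DomainJoined, ComputerCert, DomainUser, IpsecMainModeSA
```

Run it from an elevated prompt on the client; a false value in the first three fields explains why no tunnel is established, while a false fourth field with the first three true points at name resolution or the IPv6 transition path rather than at authentication.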

Have I piqued your interest at this point? If you answered “Yes, Sensei”, then focus and pay attention, students.

Microsoft has combined DirectAccess with its new remote access product offering called Unified Access Gateway 2010. Part of the Forefront suite of security software and built upon Microsoft’s Forefront Threat Management Gateway 2010, UAG provides secure publishing of applications such as SharePoint, Exchange and others, with the capability to provide secure tunneling in the form of either traditional SSL tunneling or DirectAccess. Think of UAG as the “Yin” to DirectAccess’ “Yang”. By combining these capabilities, administrators can provide “Anywhere Access” to resources for trusted computers via DirectAccess and, on the same device, secure application publishing for less trusted or untrusted computers. In addition, UAG has streamlined deploying DirectAccess by incorporating several IPv6 transition technologies that provide the IPv6 communication DirectAccess requires while utilizing the IPv4 networks that most corporations have in place today. For administrators this is BIG. While deploying DirectAccess is still a complicated endeavor, it eliminates the need for complex, and sometimes expensive, network upgrades to accommodate IPv6. Plus, while some understanding of IPv6 is probably good practice for anyone deploying DirectAccess, one does not need to be an IPv6 guru to manage a DirectAccess deployment.

The UAG platform offers numerous additional advantages that should be mentioned here. A few of the more important ones are:

  • The ability to enforce endpoint compliance for remote clients is built in.
  • UAG provides a flexible, customizable and extremely granular set of endpoint compliance policies for controlling who and what has access to your valuable applications.
  • If you already have NAP (Network Access Protection) in place, then endpoint policies can be disabled in favor of NAP management and policies.
  • Since UAG is built on the Enterprise version of TMG, the ability to create load-balanced, high-availability deployments for application publishing or DirectAccess is included.

While UAG has eased the path to deploying DirectAccess somewhat, there are still quite a few requirements that must be met for a successful deployment in your network.

DirectAccess combined with UAG is a formidable opponent to any Virtual Private Networking offering in the marketplace today. Together they offer advanced capabilities for accessing resources while providing users with a VPN experience unlike any other: the experience of there being no VPN at all!

Are you ready to stop fighting with your VPN and provide seamless network access for your employees? Would you like the peace of mind of knowing that only systems owned and authorized by you have access to your valuable corporate assets? If so, then DirectAccess should be on your list of initiatives for 2011. I will leave you with a few final words of the immortal Bruce Lee: “If you spend too much time thinking about a thing, you will never get it done.”

Regards,

Steve Angell,
Senior IDA Consultant

Unified Access Gateway 2010, DirectAccess and PKI are key components in the Identity and Access Management practice at InfraScience. For information on other Identity and Access Management solutions please visit the InfraScience Identity and Access Management section on our website and please, feel free to contact us today to discuss how UAG and DirectAccess fit into your information protection initiatives.