Wednesday, May 28, 2008

Direct connect: the DMZ killer

Very interesting article I read on bink.nu ...

Using Vista and Windows Server 2008 (WS08), you can combine IPsec over IPv6 with NAP to give remote users direct connectivity to the corporate servers, without having to build VPNs or hassle with gateways.

Basically, a home user gets access to AD, file servers, and so on without any further configuration, as long as the connection is authenticated with both a trusted computer account AND a trusted user account.


Original story:
Last Friday, Steve Riley, security architect at Microsoft, did an excellent session about various security subjects in Amsterdam. One of the subjects was a technology that I only knew of as highly secret within Microsoft and probably one of the biggest changes in network security to come.

Imagine that corporate end users are able to take their corporate mobile systems to any Internet-connected place and work with corporate resources without a VPN or gateway. This enables users to connect to Active Directory and have their clients managed while at home or traveling. At the same time, users get full access to the corporate network without the hassle of extra client software or gateways.

Direct Connect uses IPv6 with IPsec to create safe direct connectivity to servers on corporate networks for trusted clients. This is quite a revolutionary approach, as it enables clients from the Internet to bypass the DMZ. The concept relies on IPsec authentication and encryption. Microsoft's new IPsec implementation in Windows Vista and Server 2008 allows IPsec connections to be based on both computer and user credentials, combined with Network Access Protection for system health enforcement. The only thing an edge router has to do is filter incoming traffic to allow only IPsec initiation requests and subsequent IPsec traffic. Any standard router can do just that.

Steve Riley pointed out that you can build a Direct Connect infrastructure with standard products currently available from Microsoft and that Microsoft will provide more information in the near future. He also mentioned that Microsoft marketing is not yet thrilled, because no extra licenses will be needed to build a Direct Connect infrastructure.

Microsoft is currently running a (secret) pilot with Direct Connect that enables participants to use their corporate laptops to directly work with systems on the corporate network from the Internet.

I told Steve I can't wait for the white paper "How to build a Direct Connect infrastructure" and get instant access to my home systems from any place in the world.
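To make the edge-router part of the story concrete, here is an added example (mine, not Microsoft's or the bink.nu author's) that models the filter the story describes: an Internet-facing router passes only IPsec negotiation (IKE on UDP/500, and UDP/4500 for NAT traversal) plus the resulting ESP/AH packets, and drops everything else. The addresses, port choices and sample packets are constructed for the illustration; the policy is stateless, which is all a "standard router" needs, because the real trust decision (computer and user credentials, NAP health) happens inside IPsec on the server.

```python
"""Model of the edge-router filter described in the Direct Connect story.

Added illustration, not code from the article or from Microsoft. An
Internet-facing router in front of a Direct Connect network lets through
only IPsec traffic: IKE negotiation and the resulting ESP/AH packets.
Everything else (cleartext SMB, LDAP, ICMP, ...) is dropped at the edge.
All addresses and sample packets below are constructed for the example.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# IPv6 Next Header values (IANA protocol numbers)
NH_TCP, NH_UDP, NH_ESP, NH_AH, NH_ICMPV6 = 6, 17, 50, 51, 58
# IKE runs on UDP/500; UDP/4500 carries IKE and UDP-encapsulated ESP (NAT-T)
IKE_PORTS = {500, 4500}


@dataclass(frozen=True)
class Packet:
    src: str                        # IPv6 source address (constructed)
    dst: str                        # IPv6 destination address (constructed)
    next_header: int                # IPv6 Next Header / upper-layer protocol
    dst_port: Optional[int] = None  # transport destination port, if any


def edge_filter(pkt: Packet) -> Tuple[str, str]:
    """Return ("allow" | "drop", reason) for one inbound packet.

    The rule set is stateless and identity-blind: the router cannot tell a
    trusted laptop from an attacker. It only guarantees that nothing reaches
    the internal servers except traffic that IPsec on those servers will
    authenticate (or reject) itself.
    """
    if pkt.next_header == NH_UDP and pkt.dst_port in IKE_PORTS:
        return "allow", f"IKE / NAT-T on UDP/{pkt.dst_port}"
    if pkt.next_header == NH_ESP:
        return "allow", "ESP (encrypted, authenticated payload)"
    if pkt.next_header == NH_AH:
        return "allow", "AH (authenticated header)"
    return "drop", "not IPsec: cleartext traffic must not bypass the DMZ"


def apply_policy(packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Run every packet through the filter; return [(packet, verdict, reason)]."""
    return [(p, *edge_filter(p)) for p in packets]


# Constructed sample traffic: a remote laptop (2001:db8:1::10) talking to a
# file server (2001:db8:100::5) and a domain controller (2001:db8:100::1).
SAMPLE = [
    Packet("2001:db8:1::10", "2001:db8:100::5", NH_UDP, 500),   # IKE initiation
    Packet("2001:db8:1::10", "2001:db8:100::5", NH_ESP),        # SMB inside ESP
    Packet("2001:db8:1::10", "2001:db8:100::5", NH_TCP, 445),   # raw SMB, no IPsec
    Packet("2001:db8:1::10", "2001:db8:100::1", NH_TCP, 389),   # raw LDAP, no IPsec
    Packet("2001:db8:1::10", "2001:db8:100::1", NH_UDP, 4500),  # IKE/ESP via NAT-T
    Packet("2001:db8:1::10", "2001:db8:100::1", NH_ICMPV6),     # ping
]


def allowed_count(packets: List[Packet] = SAMPLE) -> int:
    """Number of sample packets the edge filter lets into the corporate network."""
    return sum(1 for _, verdict, _ in apply_policy(packets) if verdict == "allow")


if __name__ == "__main__":
    for pkt, verdict, reason in apply_policy(SAMPLE):
        port = f"/{pkt.dst_port}" if pkt.dst_port is not None else ""
        print(f"{verdict:5} {pkt.src} -> {pkt.dst} nh={pkt.next_header}{port}: {reason}")
```

Two caveats the model makes visible. First, the edge router never sees an identity: an attacker can send ESP or IKE packets too, so the filter only shrinks the exposed surface to the IPsec stack on the servers, and the computer-plus-user authentication the story describes is what actually keeps untrusted hosts out. Second, a real IPv6 deployment cannot drop all ICMPv6 as this toy does; Neighbor Discovery and Packet Too Big messages must still be permitted for IPv6 to work at all, a detail the story does not cover.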