Beyond the recent consumer-oriented, high profile hacks to celebrity address books, the danger to enterprises is being laid bare in a more subtle manner. In May 2011, Juniper Networks published a study that found risks to mobile phone security at an all time high, and cited a 400% rise in malware against the Android, for example. In 2008, critical mobile SSL VPN vulnerabilities were discovered by Christophe Vandeplas, as a laboratory example of the man-in- the-middle (MITM) exploit.

In mid-March 2011, after Comodo issued nine fraudulent certificates affecting several domains, Microsoft issued updates for its PC platforms to fix the vulnerabilities, but the company’s patch for Windows Phone 7 was  not immediately available. More details surrounding this attack were outlined in Myth 1. But clearly, the priority is not currently on the mobile platform, creating an undeniable threat.

By Nicholas Greene

Microsoft does have its own mobile solution, which integrates swimmingly with DirectAccess. Trouble is, in the world of enterprise…the Windows 7 Phone is a small fry- holding only around 6% of the market. The top dogs are: Android, Apple and Research In Motion, and Android. Yet DirectAccess doesn’t offer support for any of them.

With this in mind, the lack of support for non-Windows mobile devices seems a rather obvious crack in DA’s armor. This, perhaps more than anything else, is what marks DirectAccess as unfeasible when compared to a standard VPN setup. It’s simply foolish to assume that every single employee will be using the same mobile device, and even more-so to think that said device will run Windows.

While a traditional solution might be a little more complex than DirectAccess, it’s also considerably more flexible in its implementation. Take NCP Engineering’s suite of solutions, for example- users can connect from virtually any device, regardless of operating system. What’s more, their Secure Entry Client supports both IPv4 and IPv6.

It’s also worth considering the idea that, as IPv6 becomes more prevalent, traditional VPNs themselves might evolve to adapt to the new features. The reason many of our remote computing solutions have the potential to cause such headaches for IT lies in IPv4’s own disadvantages and failings. Since it’s currently the dominant protocol suite, it needs to be accommodated- regardless of how painful that accommodation might be for the end user.

There’s a fairly distinct possibility that, by the time IPv6 is common enough for DirectAccess to be a completely viable remote networking solution, other VPN providers may well have produced something similar. If Microsoft hasn’t expanded DA’s compatibility by then, it could well be those providers who put a nail in DirectAccess’s coffin- and not the other way around.

As we’ve blogged in the past, the need for end-point security is critical for school systems.  Security breaches do affect this market, and hackers gain access to student’s personal records, school internal documents and other confidential data.   Education institutions need to be ware and take action to protect their network, and the most effective way to this is with a VPN.

NCPs universal client provides YES’ teachers with secure and constant communications to the Intranet, where they can access lesson plans and student files immediately.  It also enables YES staff to be in contact with each other in the seven different locations.  This access is important to YES because it grants students with the quality education they deserve.  The entry client saved YES from downgrading their 64-bit machines to 32-bit; and the client will work on new operating system, Windows 7.

For more information on this issue, check out a recent article published in Processor.

We know about Cisco moving to SSL and Microsoft pushing IPSec through Windows 7 and their server. 64-bit VPN users were being left out in the cold until NCP and a few freeware alternatives came along.

The connection to the King of Apes? Ability to take on tough challenges (read: scale the enterprise). Central policy control, NAC enforcement, change management and technical support are what drive an enterprise VPN client choice. 64-bit systems are here to stay and companies need VPN (and vendor) support that can conquer the tough enterprise problems.

There’s some interesting discussion taking place in the comments on this post. From a  security perspective, LiquidLearner writes:

When comparing 7 to XP you get Security, UAC, Federated Search. When you combine it with 2008 R2 you get VPN access without any hassle. Combine this with more robust policy support and software able to run without local admin privileges and it will be a big improvement. Also the malware headache is greatly reduced. VHD boot support will allow you to push images to workstations as well. Overall Vista had a lot of what 7 did, but 7 is fast with more usability improvements. To me that makes it extremely worthwhile for business.

The one holdup we can see is with DirectAccess – users who want to take advantage of this functionality will need to upgrade to the 2008 R2 server, which is not a cheap proposition by any measure! NCP, of course, encourages companies looking to deploy Win7 in the enterprise to have a look at our Secure Enterprise Solution.

Though Microsoft doesn’t tout DirectAccess as a VPN (presumably to avoid the stigma of complexity associated with VPNs), their server setup guide calls it exactly that. What’s more, the DirectAccess IPsec connection requires enterprises to deploy Microsoft’s server… a large investment of resources and a warning sign for future vendor lock-in.

Meanwhile, Cisco has discontinued support for IPsec clients in order to promote their AnyConnect solutions. What this creates is a large divergence of product options for customers. SSL is not ideal for all VPN needs, however Cisco is aggressively pushing this on their customers. At the same time, we predict that companies are going to resist the investment to upgrade to a new server, which will hinder adoption of DirectAccess for Windows 7.  Rather than the major industry players working toward a standard, they are trying to force the market to choose one over the other. Unfortunately, security doesn’t work that way… NCP customers we’ve spoken to are angry with the situation, and many bloggers and forum posters agree that the conflicting strategies are counterproductive to the real aims of network security.

You can download Secure Entry Client Version 9.1 here. As we prepare for beta testing of the next Secure Entry Client version – which will be Windows 7 compatible – we welcome any and all user feedback on the newest release!