Q&A on VPNs & DirectAccess with Patrick Oliver Graf, Part 4

This is part four in a series of questions related to DirectAccess and VPNs. Last week we addressed whether Microsoft can improve the implementation of DirectAccess under Windows Server 2012. Earlier in our series we examined the hardware requirements of DirectAccess and whether DirectAccess, in combination with Windows 8, supersedes VPNs.

Question: Do networks that employ Windows Server 2008 R2 and Windows Server 2012 also feature the improved configuration and management features of DirectAccess?

Patrick Oliver Graf: No, they do not. The improvements for DirectAccess are only available for Windows Server 2012. It can be expected that users will slowly migrate their systems from Windows Server 2008 R2 to version 2012. This means companies will have to continue living with the restrictions resulting from DirectAccess in a Windows Server 2008 environment for quite a time.

Question: Can companies use DirectAccess in combination with a VPN? For example, can they use DirectAccess for computers running Windows 7 and Windows 8 while they need an IPsec/SSL VPN for Windows XP, MacOS, iOS, Android or Linux at the same time?

Patrick Oliver Graf: Windows Server 2012 does not change anything in this scenario. DirectAccess can only be used for Windows 7/8 clients. Anybody who wants to use other clients (MacOS, iOS, Android, Linux, Unix) has to set up and operate a parallel VPN infrastructure. Although Windows Server 2012 offers the default setting of an additional installation of VPNs for non-Windows clients upon implementation of DirectAccess, two separate worlds remain if a user also uses clients with operating systems other than Windows 7 and 8. This naturally increases the installation, configuration and operating effort....

Q&A on VPNs & DirectAccess with Patrick Oliver Graf, Part 3

This is part three in a series of questions related to DirectAccess and VPNs. Earlier this week we addressed the hardware requirements of DirectAccess and whether DirectAccess, in combination with Windows 8, supersedes VPNs.

Question: Its inflexible and complex implementation was one of the greatest weaknesses of DirectAccess in combination with Windows Server 2008 R2. Microsoft has improved Windows Server 2012 in this regard. Are there still issues Microsoft could improve or optimize?

Patrick Oliver Graf: Microsoft has considerably improved the implementation of DirectAccess under Windows Server 2012. For example, users can now implement DirectAccess through a single console where they had to use several before. Network Access Translation (NAT) is now able to direct incoming remote access connections to a central DirectAccess server. Through the new features, there is no need for several servers any more. The system furthermore supports global server load balancing. This means that a Windows 8 client is now easily able to log on to the closest network entry point.

However, there are still several unsolved issues. In Windows Server 2012 and DirectAccess, multi-site support still causes quite a bit of hassle. Apart from that, multi-site implementations strictly require a Public Key Infrastructure (PKI). This increases the users’ effort and contradicts Microsoft’s statement that with Windows 8, setting up secure connections with DirectAccess and Windows Server 2012 has become easier than it is within a VPN infrastructure. According to users’ experiences, it is essential to configure the DHCP and DNS entries (Dynamic Host Configuration Protocol / Domain Name Server) of DirectAccess implementations with particular care. This, too, increases the implementation effort and makes the system prone...

Q&A on VPNs & DirectAccess with Patrick Oliver Graf, Part 2

This is part two in a series of questions related to DirectAccess and VPNs. Last week, we addressed why VPNs are still necessary with Windows 8.

Question: Does DirectAccess have any hardware requirements?

Patrick Oliver Graf: While DirectAccess doesn’t require the Trusted Platform Module (TPM)-based virtual smart card capabilities in Windows Server 2012/Windows 8, it is an optional component. It’s worth noting, as small and medium-sized businesses, in particular, often use Windows consumer PCs that do not feature a TPM. However, Microsoft does require TPM to be enabled and configured for its employees who wish to enable DirectAccess connectivity. VPN solutions do not have such requirements.

Question: Does DirectAccess in combination with Windows 8 supersede VPNs?

Patrick Oliver Graf: No, it does not, because Windows 8 systems are only able to use DirectAccess to communicate with servers and clients in pure Windows environments. Users of mixed environments cannot forgo a VPN if their environments include Linux servers, MacOS computers or end devices running the Android operating system. The BYOD trend will only add further momentum towards environments with a multitude of platforms, which will further diminish the influence of DirectAccess. Moreover, a lot of companies and public institutions, like educational institutions or authorities, have already implemented a VPN infrastructure. Those customers are unlikely to abandon their VPNs in favor of Windows 8 in combination with Windows Server 2012.

Stay tuned as Patrick addresses more questions related to DirectAccess and VPNs. If you have any questions that you would like answered, send them to editor@vpnhaus.com.

Patrick Oliver Graf is General Manager at NCP...

Q&A on VPNs & DirectAccess with Patrick Oliver Graf, Part 1

Today’s post kicks off a series of questions related to DirectAccess and VPNs that we’ll post over the next few weeks.

Question: Microsoft equipped Windows 8 with additional DirectAccess features. Why should companies that have deployed Windows 8 continue using VPNs?

Patrick Oliver Graf: At first glance, the reasons for implementing VPNs in a pure Windows environment with Windows 8 clients seem few and far between. After all, Windows 8 does not require the user to install a separate DirectAccess client, a task that was still required under Windows 7. Windows 8, however, shows certain weaknesses in combination with DirectAccess. For example, only Windows 8 Enterprise supports the improved DirectAccess management features of Windows Server 2012. In fact, many users, including businesses, run their systems on Windows 8 Pro, which means they do not benefit from the new features. A further, potentially problematic, issue is the close interlocking of DirectAccess and the Windows 8 operating system. This means security vulnerabilities or direct attacks on the operating system could also compromise DirectAccess connections.

Stay tuned as Patrick addresses more questions related to DirectAccess and VPNs next week. If you have any questions that you would like answered, send them to editor@vpnhaus.com.

Patrick Oliver Graf is General Manager at NCP...

The Benefits and Pitfalls of Using Sandboxing Techniques in SSL VPN, Part 2

Editor’s Note: This is the second post in a two-part series.

By Dr. Matthias St. Pierre, Senior Developer at NCP engineering

In my previous post on sandboxing, I explained why this security function is necessary and how it operates. Let’s now look deeper at the impact of sandboxing.

A side effect of the file system redirection and the desktop isolation is that they prevent accidental changes to the client computer. All changes to the file system during the SSL VPN session disappear once the user terminates the session. Even in the case of a power failure, the data would not be jeopardized: the encryption key is lost, the content of the sandbox remains garbled because of the encryption, and it will automatically be deleted when the user starts the next SSL VPN session. The sandbox might even prevent some downloaded malicious code from doing harm to your file system.

But it is important to note that sandboxing should not be considered an absolute security barrier. For instance, the sandbox will not shield you from any keylogger or Trojan that has already infected the computer. Neither will it be able to give you a 100% guarantee that it cannot be circumvented by malicious code. This limitation is due to the fact that the sandbox is implemented entirely as a user mode process with limited user rights. There is no kernel driver or highly privileged service involved. This is a design decision, as it enables the sandbox to run out-of-the-box without installation. Ultimately, using an SSL VPN from an untrusted computer, like a dubious PC at an Internet café, is not a...

NCP News: Android client and Windows 8 compatibility now available

Lots of news from NCP engineering, as we gear up for Interop 2012. Today, NCP announced the preview release of the first third-party IPsec VPN client available for Android 4.0. Now available for free download in the Google Play store, the client represents the next step forward in enterprise network security for workers using Android devices. The VPN client supports the Android 4.0 (“Ice Cream Sandwich”) platform, and will be available for preview through June 30, with further versions released later this year that include a number of other important features, such as central management capabilities for enterprise network administrators.

Earlier this week, NCP announced that its Entry and Juniper Edition VPN clients now support Windows 8. The Windows 8-compatible clients boast identical benefits to NCP’s other IPsec clients, including being equipped with an intuitive graphical user interface, simple enough for any employee to understand and control. In fact, Microsoft, too, is making usability a core component of Windows 8, outfitting its newest operating system with a revamped user interface optimized for both mobile and touch screen...