Direct Access at NEBytes

Tonight was the second NEBytes event, and after the launch event I was looking forward to it. Unfortunately the turnout wasn’t as good as the first event: 56 were registered but I only counted approximately 22 in the audience. The topic I was most interested in was a discussion of Microsoft’s Direct Access (DA), which was billed as an ‘evolution in remote access capabilities’. Being a security guy, obviously this piqued my interest.
Tonight’s speaker covering DA was Dr Dan Oliver, managing director at Sa-V. Before I start I want to state that I have/had no prior knowledge of DA, and my entire understanding comes from the presentation/sales-pitch by Dan tonight. If anyone with more knowledge wants to point out any inaccuracies in my understanding or thoughts, I’d more than welcome getting a better understanding of the technology.
DA is an ‘alternative’ to VPNs (discussed more later) for a Microsoft environment. The premise is that it provides seamless access to core resources whether a user is in the office or mobile. The requirements are fairly steep, and as Dan discussed on several occasions may be a stumbling block for an organisation to implement DA immediately. These are (some of) the requirements:

  • At least one Windows 2008 R2 server for AD and DNS services
  • A Certificate Authority
  • Recent, high-end client OS: Windows 7, Ultimate or Enterprise SKU only.
  • IPv6 capable clients (DA will work with IPv6 to IPv4 technologies)

As few organisations have a complete Win7 roll-out, and even fewer have the resources available to roll out the higher-end versions, Dan was asked why the requirement exists. Answer: ‘Microsoft want to sell new versions, sorry’.
With DA pitched as an alternative to VPN at numerous points in the presentation, there was a comparison between the two solutions, and to me the sales pitch for DA seemed contradictory. Dan kept switching between DA being a complete improvement on current VPN solutions, and DA being suitable for access to lower-priority services and data while organisations may prefer to remain with VPNs for more sensitive data. At this point I couldn’t help thinking ‘why add DA to the environment if you’re still going to have VPN technologies as well?’. This was especially the case as Dan stated (and I can’t verify) that Microsoft do not intend to stop providing VPN functionality in their technologies.
From a usability and support perspective DA is recommended as it does not require additional authentication to create a secure connection to ‘internal’ services. Apparently having to provide an additional username/password (with RSA token/smartcard/etc.) needed to establish a VPN connection is beyond the capabilities of the average user.
One aspect that I did agree with (and if you listen to Exotic Liability you will be familiar with it) is the concept of re-perimeterisation: the concept that the traditional perimeter of assets internal to a firewall is no longer relevant to protecting resources in the modern environment, and that the modern perimeter is where data and users are, not tied to a particular geographical location or network segment. However, rather than the perimeter expanding to incorporate any end-user device that may access or store sensitive data, Dan claimed that DA would shrink the perimeter to only include the data centre, effectively no longer being concerned with the security of the client system (be it desktop, laptop, etc.).
This point made me very concerned about the DA model: if the client machine has seamless, always-on access to ‘internal’ corporate services and systems, I would be even more concerned for the security of the end-user machine. If a virus/trojan/worm infects the system with the same access as the user account, then it too has seamless, always-on access to the same internal services. I’m hoping this weakness is only my understanding of the technology, as it seems like a gaping hole in the technology. If anyone can shed any light on this aspect of DA I’d appreciate some additional pointers to help clear up my understanding.
At this point I still can’t see an advantage to implementing DA over more established alternatives; my gut feeling is that DA will either become ubiquitous over the coming years or disappear without making an impact. Due to the fact that it doesn’t play nicely with the most widely implemented MS technologies, let alone ‘nix or OSX clients, and the strict requirements make a roll-out expensive, I expect it to be the latter, but I’ve been wrong before.
At this point I decided to make a speedy exit from the event (after enjoying some rather good pizza) as the second talk was dev-based (Dynamic consumption in C# 4.0, Oliver Sturm) and I definitely fit in the ‘IT Pro’ camp of the NEBytes audience.
Despite my misgivings about the DA presentation I still enjoyed the event and look forward to the next. If you were at either of the events please let the organisers know your thoughts and ideas for future events by completing this (very) short survey. Thanks guys.
— Andrew Waite

5 Comments

  1. I was attending a Microsoft event last year and also was really interested in the Direct Access setup. The guy talked on it briefly in the talk, but it was still pretty new at the time so didn’t hit on it much. So afterwards I managed to get a few moments with him and played with it a bit more.
    As far as ease of use and streamlining into the OS I couldn’t be more impressed. It would also blow holes in a firewall trying to figure out a connection. I am not sure what all security settings they had setup, but it would honestly tunnel out to ‘home’ on any open port it could find. You could even close ports as it was running and it would dynamically switch to an open port, even going out on 80 if it had to.
    The one thing that he said is that it honestly allowed administrators more control of the roaming machine since settings could be changed on the fly anytime it connected. It also allowed more seamless integration with the home network since it would map drives, printers, and even let you use internal DNS requests.
    But like you, all I could think of was this was pretty much running a split tunnel, allowing the attacker to access the laptop then have free rein of the home network. Granted you can limit access to subnets, devices, and all of that, but once you start limiting things it no longer becomes seamless to the user and they will complain.
    I honestly think it will take off. People like ease of use, and from what I could tell DA sure made that possible.

    1. Hi Zac,
      thanks for giving me your take on DA, I always like to hear what others think, especially on a topic where my own knowledge is limited. There wasn’t a demo of the technology last night so I didn’t have the chance to actually see it running. I can kind of see the appeal from an ease of use perspective, but I’m not sure what is so complicated about the current solutions (VPN, etc.). Likewise, I can see the appeal of better management of the remote systems.
      Everything is a trade-off between usability, price and security, my personal feeling at this point is that it trades too much security for not enough gain, but I am a paranoid security guy. But unfortunately I’m starting to agree with you, as security usually takes a back seat to usability and the ‘shiny’ factor this could take off, for better or worse.

  2. One of the key points about it that I took away (and one that I don’t think came across very well), is that the direct access server itself acts as a proxy to the internal systems, so you only get access to what the admin permits. You can secure this server with e.g. ISA or TMG to harden it.
    I had some misgivings too, but the impression I get is that this is actually going to end up being more restrictive than a VPN in many cases, since you need to enable every service you want it to access. Lots of VPNs I’ve seen give full access to everything since that’s the default and the most convenient; with direct access the default is deny until the admin sets it up.
    Some other advantages are that if a computer gets stolen, it will still connect in automatically using the computer account even if the thief doesn’t know the user password to log in. You can then use this to either try and track its location via IP, or perform a remote wipe. In most cases the thief won’t be aware this is going on until it’s too late.

  3. I agree with AG, the call home feature is pretty handy for a network admin. It appears to not allow access to any network resources, but WILL take policy changes and you can force a patch, trace, or wipe. Haha, the only bad thing from a Pen Tester standpoint is if I can gain access to the proxy, I could now probably write a login policy that gives me access to, or even sends me, data from the victim laptop.

  4. Thanks guys, guess I better keep an open mind.
    Zac, I think there could be a scarier scenario if a malicious user gets access to the proxy: telling all remote machines to wipe/lock-out next time they have a network connection. How confident are you that all remote users are fully backed up?
    AG, I do like that the default is to restrict access to everything by default, but I don’t think that this will necessarily help an organisation’s security posture over VPNs. I’ve seen just as many VPNs allow full access between ‘trusted’ locations running on devices with a default deny policy as those with default allow.
    It won’t take long before there are plenty of how-to guides suggesting allow everything to get it working, with a largely ignored footnote suggesting that you lock access down to suit your specific environment. Experience makes me pessimistic: an environment will only be as secure as the admin makes it, and most (rightly or wrongly) seem to focus on getting functionality working first over security. Hopefully time will prove me wrong.
