Security Considerations for DirectAccess Deployments. Whitepaper



Similar documents
PSN compliant remote access Whitepaper

DirectAccess in Windows 7 and Windows Server 2008 R2. Aydin Aslaner Senior Support Escalation Engineer Microsoft MEA Networking Team

Modern Multi-factor and Remote Access Technologies

Centrify Cloud Connector Deployment Guide

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

FileCloud Security FAQ

Celestix Cloud Edge Security: Why an appliance? Whitepaper

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Cisco ASA 5500 Series Adaptive Security Appliance 8.2 Software Release

Virtual Private Networks (VPN) Connectivity and Management Policy

With a little bit of IPv6 magic: Windows 7 DirectAccess

Achieving PCI-Compliance through Cyberoam

EXAM Recertification for MCSE: Server Infrastructure. Buy Full Product.

Why Choose Integrated VPN/Firewall Solutions over Stand-alone VPNs

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

1. Introduction to DirectAccess. 2. Technical Introduction. 3. Technical Details within Demo. 4. Summary

Windows Remote Access

Securing SIP Trunks APPLICATION NOTE.

When your users take devices outside the corporate environment, these web security policies and defenses within your network no longer work.

This section provides a summary of using network location profiles to identify network connection types. Details include:

Ensuring the security of your mobile business intelligence

Understanding the Cisco VPN Client

Secure VidyoConferencing SM TECHNICAL NOTE. Protecting your communications VIDYO

Microsoft Systems Architecture 2.0 (MSA 2.0) Security Review An analysis by Foundstone, Inc.

Using Remote Desktop Clients

Endpoint Security VPN for Mac

Ensuring the security of your mobile business intelligence

MS Managing and Maintaining Windows 8

White Paper. Protecting Mobile Apps with Citrix XenMobile and MDX. citrix.com

ipad in Business Security

Additional Security Considerations and Controls for Virtual Private Networks

What s New in Juniper Networks Secure Access (SA) SSL VPN Version 6.4

Beyond passwords: Protect the mobile enterprise with smarter security solutions

Ovation Security Center Data Sheet

How To Achieve Pca Compliance With Redhat Enterprise Linux

Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation

Security. TestOut Modules

Best Practices for Secure Remote Access. Aventail Technical White Paper

Building Your Complete Remote Access Infrastructure on Windows Server 2012

Cisco Secure Access Control Server 4.2 for Windows

Using Entrust certificates with VPN

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Securing Internet Facing. Applications. Technical White Paper. configuration drift, in which IT members open up ports or make small, supposedly

- Introduction to PIX/ASA Firewalls -

Why it s Time to Make the Change Analysis of Current Technologies for Multi-Factor Authentication in Active Directory

Windows 7, Enterprise Desktop Support Technician

ARCHITECT S GUIDE: Mobile Security Using TNC Technology

End User Devices Security Guidance: Apple OS X 10.10

Release Notes. NCP Secure Entry Mac Client. Major Release 2.01 Build 47 May New Features and Enhancements. Tip of the Day

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Release Notes. NCP Secure Entry Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3. Known Issues

NETASQ MIGRATING FROM V8 TO V9

Using Rsync for NAS-to-NAS Backups

Windows 7, Enterprise Desktop Support Technician Course 50331: 5 days; Instructor-led

RSA Solution Brief. RSA & Juniper Networks Securing Remote Access with SSL VPNs and Strong Authentication. RSA Solution Brief

Policy Management: The Avenda Approach To An Essential Network Service

Security Technology: Firewalls and VPNs

Professional Integrated SSL-VPN Appliance for Small and Medium-sized businesses

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Authentication. Authentication in FortiOS. Single Sign-On (SSO)

Course Description. Course Audience. Course Outline. Course Page - Page 1 of 12

Load Balancing Microsoft 2012 DirectAccess. Deployment Guide

Deploying iphone and ipad Security Overview

74% 96 Action Items. Compliance

Implementing and Managing Security for Network Communications

Enterprise Mobility as a Service

Software Defined Perimeter: Securing the Cloud to the Internet of Things

ADDING STRONGER AUTHENTICATION for VPN Access Control

iphone in Business Security Overview

F5 and Microsoft Exchange Security Solutions

Public Key Applications & Usage A Brief Insight

"Charting the Course to Your Success!" MOC D Windows 7 Enterprise Desktop Support Technician Course Summary

HOTPin Integration Guide: Microsoft Office 365 with Active Directory Federated Services

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise

Inspection of Encrypted HTTPS Traffic

VPN. VPN For BIPAC 741/743GE

MOBILITY & INTERCONNECTIVITY. Features SECURITY OF INFORMATION TECHNOLOGIES

Netop Remote Control Security Server

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

Innovative Secure Boot System (SBS) with a smartcard.

Enterprise Security Management CheckPoint SecuRemote VPN v4.0 for pcanywhere

Description: Objective: Attending students will learn:

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

What is the Barracuda SSL VPN Server Agent?

IPSec vs. SSL: Why Choose?

Course 20688A: Managing and Maintaining Windows 8

Solution Review: Siemens Enterprise Communications OpenScape Session Border Controller

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

FIREWALL POLICY DOCUMENT

Using a VPN with Niagara Systems. v0.3 6, July 2013

Transcription:

Security Considerations for DirectAccess Deployments Whitepaper February 2015

This white paper discusses security planning for DirectAccess deployment. Introduction DirectAccess represents a paradigm shift for remote access. What is DirectAccess Technology to provide secure, seamless, always on remote network connectivity. DirectAccess Authentication Tunnel infrastructure leverages IPsec. DirectAccess Network Configuration Leverage edge security to reduce exposure. Advanced DirectAccess Security Configuration Employ strong authentication. Comparing DirectAccess to Client-Based VPN Security benefits and limitations. Split Tunneling vs. Force Tunneling Tunnel connection benefits and limitations. Lost or Stolen DirectAccess Devices Mitigated risk for missing devices. Security and the Celestix E Series Appliance Stronger security, simpler deployment. Conclusion The Celestix E Series helps you to better manage your remote access solution. i 2015 Celestix Networks, Inc.

Microsoft DirectAccess is a remote access technology included as part of the Unified Remote Access role in Windows Server 2012 R2. It represents a paradigm shift in the way remote access is provided to corporate-managed Windows devices. DirectAccess is fundamentally built using existing, widely deployed industry standard protocols for which security configuration is will understood. However, many organizations want to better understand the specific security features incorporated with DirectAccess. This whitepaper serves to provide an overview of security features in DirectAccess. It will explain in detail how the authentication process works, provide insight in to optional security configurations, compare DirectAccess with traditional client-based VPN, explore the differences between split and force tunneling, and outline how to address lost or stolen DirectAccess devices. Finally the benefits of using the Celestix E Series hardware appliance platform and its additional features and enhancements can provide the best experience for DirectAccess deployments. DirectAccess is a collection of Windows platform technologies that are assembled to provide secure, seamless and transparent, always on, bi-directional network connectivity for remote Windows machines. DirectAccess leverages authenticated IPsec encryption for integrity and confidentiality, and IPv6 for transport. IPv6 transition and translation protocols are used to ensure full compatibility with IPv4 networks and hosts. Authentication occurs at several stages and utilizes a combination of digital certificates, NTLM, and Kerberos. Windows Firewall with Advanced Security (WFAS) connection security rules on the client are used to establish DirectAccess communication, and DirectAccess configuration for both the client and the server are distributed via Active Directory group policy. When a DirectAccess client is outside of the corporate network and has an active Internet connection, the client will attempt to establish connectivity with the DirectAccess gateway by creating IPsec tunnels defined by the connection security rules in the Windows Firewall on the client. In a typical configuration, two distinct DirectAccess tunnels are established an infrastructure tunnel and an intranet tunnel. Infrastructure tunnel This IPsec tunnel provides secure remote network access to limited internal resources. Specifically, only infrastructure 2 2015 Celestix Networks, Inc.

services such as domain controllers and systems management servers are available over this first tunnel. The infrastructure IPsec tunnel requires two forms of authentication. First, the client machine is authenticated using a computer certificate issued by the corporate Public Key Infrastructure (PKI). Second, the client machine s computer account is also authenticated against Active Directory using NTLM. If the client successfully passes both authentication steps, the infrastructure IPsec tunnel is established and the client can access infrastructure resources defined by the remote access policy. This IPsec tunnel uses 192 bit AES encryption and SHA-1 for integrity. Intranet tunnel This IPsec tunnel provides the end user with full access to the corporate network. It is initiated when the users logs on to the DirectAccess client. The intranet tunnel also requires two forms of authentication. First, the computer is authenticated once again using the computer certificated issued by the corporate PKI. Second, the user account is authenticated against Active Directory using Kerberos. If the client successfully passes both authentication steps, the intranet IPsec tunnel is established. Like the infrastructure tunnel, this IPsec tunnel also uses 192 bit AES encryption and SHA-1 for integrity. DirectAccess in Windows Server 2012 R2 can now be configured behind an existing edge firewall for additional protection. Using this deployment model, the DirectAccess server is configured using private IPv4 addresses. The server can be configured with two network interfaces in parallel with existing perimeter networks, or with a single network interface either in the DMZ or on the LAN. Perimeter/DMZ deployments reduce the exposure of the DirectAccess server to untrusted networks. This improves security, but can negatively impact scalability and performance when Windows 7 clients are supported. When the DirectAccess server is located behind a device performing NAT, it supports only the IP-HTTPS IPv6 transition protocol for DirectAccess clients. IP-HTTPS uses SSL/TLS to encrypt DirectAccess communication which is already encrypted using IPsec. This double encryption results in high protocol overhead that introduces latency and increases resource utilization on both the client and the server. To provide even higher levels of assurance for DirectAccess clients, strong user authentication can be implemented using smart cards (physical or virtual), RSA SecurID tokens, or One-Time Password (OTP). Custom configuration can be employed to provide 3 2015 Celestix Networks, Inc.

additional security. For example, with additional configuration, DirectAccess clients can perform more stringent validation checks when establishing DirectAccess IPsec tunnels, ensuring that DirectAccess clients will only establish a connection with a DirectAccess server with a specific tunnel endpoint IPv6 address and that includes a certificate that uses a custom Object Identifier (OID). To further enhance the overall security of DirectAccess, a third-party Application Delivery Controller (ADC) can be deployed to provide a level of pre authentication for DirectAccess clients. Also, encryption methods using stronger cipher suites and Perfect Forward Secrecy (PFS) can be configured. DirectAccess provides a much higher level of security when compared to traditional client-based VPN. The supporting infrastructure requirements make the solution inherently more resistant to unauthorized access. For attackers to compromise a DirectAccess connection, they would require a computer that is a member of the organization s Active Directory domain, and the computer account would need to belong to the defined DirectAccess security group. In addition, a computer certificate issued by the company s internal Public Key Infrastructure (PKI) is required. The attacker would also require valid user credentials to access corporate resources. To compromise a client-based VPN connection, an attacker would only require a VPN client, which is included in the operating system or readily available. Since the attacker can mount the attack from any system, the risk of compromise through this channel is great. Multifactor authentication can mitigate this risk for both VPN and DirectAccess, however. Both solutions share similar potential risks. The remote access server can be discovered via common reconnaissance methods and user credentials obtained surreptitiously. However, the DirectAccess connection is more resistant to compromise because the attack cannot be carried out from just any machine. For an attacker to successfully spoof both an AD computer account and computer certificate is extremely difficult. And if successful, the attacker has likely already compromised the target organization. By default, DirectAccess is configured with split tunneling enabled. This allows the DirectAccess client to connect to the public Internet and the corporate network 4 2015 Celestix Networks, Inc.

simultaneously. Some security administrators believe this to be a security risk, but closer evaluation reveals this risk to be more perceived than actual. One concern with split tunneling is that a compromised device could allow an attacker to tunnel from the Internet through the connected DirectAccess client to access resources on the corporate network. However, the authenticated nature of the DirectAccess IPsec tunnels makes this impossible. If a DirectAccess client is infected with a virus or malicious software, it may be possible for it to infect other hosts on the corporate network via the DirectAccess connection. However, this scenario also applies to traditional VPN clients. The risk is reduced with DirectAccess because they are always managed, and this maintenance of client security posture allows for better malware defense and client protection. With split tunneling, DirectAccess clients have unrestricted access to the public Internet. This lack of filtering is a valid concern for security administrators, but again, this problem exists for traditional VPN clients too. A VPN client with split tunneling disabled may not be able to access the Internet freely while connected to the VPN, but once the user disconnects the VPN session they will once again has full unrestricted Internet access. There are several ways to mitigate this issue. DirectAccess can be configured to enable force tunneling, which requires DirectAccess clients to use the on-premises corporate proxy servers to access the Internet. Force tunneling has some potential negative side effects, however. By forcing all of the client s Internet traffic over the DirectAccess connection, the user experience is often degraded by additional network latency introduced by encryption and web proxy traffic inspection. Also, the added network load can degrade performance and limit scalability of the DirectAccess server. A better solution is to enable remote filtering on existing on-premises secure web gateways (if available) or to investigate the use of cloud-based web content filtering solutions for mobile clients. Concerns that always-on DirectAccess clients represent an increased security risk are unfounded. Like a device configured for client-based VPN, an attacker would need valid user credentials to gain access to the network, but DirectAccess includes additional safeguards. Clients use computer accounts that can be disabled in Active Directory to prevent connectivity, even if valid user credentials are supplied. If real-time remediation is necessary, terminating an active client session forces authentication, which will fail after the computer account is disabled. The DirectAccess client presents the same risks as a client configured with client-based VPN. Many of these risks can be mitigated using a combination of operational security 5 2015 Celestix Networks, Inc.

techniques and technologies commonly used today. Mobile clients should be configured with full disk encryption and require a PIN to boot the device. They should be configured to require a password to be entered when waking from sleep or hibernation. Strong user authentication using smart cards or dynamic passwords can also be leveraged. The DirectAccess solution is improved by additional security measures included with the Celestix E Series appliance platform. Based on Microsoft and industry standard security best practices, the E Series has undergone extensive hardening and attack surface reduction. These processes disable or remove unnecessary services, applications, roles, and features for a stronger security posture. Additional measures include updating the default configuration of the Windows firewall to further restrict remote access to services running on the host and improving default encryption algorithms used by applications and services. While augmenting the security, the E Series also offers simplified deployment and centralized management features. The platform lowers the total cost of ownership and maintenance overhead presented in other deployment options. DirectAccess is a compelling remote access solution that can be used to better manage remote Windows clients and dramatically improve their security posture, while at the same time securely providing ubiquitous and familiar remote access to on-premises applications and data. DirectAccess leverages mature, well understood, and commonly deployed Windows platform technologies. Client connections are fully authenticated using a combination of digital certificates, in addition to machine and user authentication. The solution provides significantly higher levels of assurance when compared to traditional VPN, and security can be further enhanced with custom configuration. DirectAccess provides support for both split and force tunneling, and lost or stolen devices can be denied remote access administratively. The Celestix E Series hardware appliance platform increases the solution s security through service hardening and attack surface reduction, and simplifies feature installation with streamlined management interface. 6 2015 Celestix Networks, Inc.

Celestix Networks, Inc. 3215 Skyway Ct. Fremont, California 94539 www.celestix.com sales@celestix.com 510.668.0700 facebook.com/celestixnetworks twitter.com/celestixnetwork 7 2015 Celestix Networks, Inc.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information