<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Directly connect to your corpnet with IPsec and IPv6</title><link>http://blogs.technet.com/b/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx</link><description>Contrary to popular belief, the rumors of my demise have been greatly exaggerated. Well, ok, no actual rumors, but hey, one can dream, huh? My spring calendar was full of events in Asia and Australia, then TechEd US seemed to suddenly appear out of nowhere</description><dc:language>en-US</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title>re: Directly connect to your corpnet with IPsec and IPv6</title><link>http://blogs.technet.com/b/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3200991</link><pubDate>Thu, 12 Feb 2009 01:02:04 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3200991</guid><dc:creator>adimcev</dc:creator><description>&lt;p&gt;I was reading the DirectAccess Early Adopter’s Guide, and it looks I have to take my words back...&lt;/p&gt;
&lt;p&gt;IP-HTTPS will be here, so the idea of &amp;quot;anywhere&amp;quot; might be indeed true...&lt;/p&gt;
&lt;p&gt;And in the OS arena, Windows 7 promises to be a hit...&lt;/p&gt;
&lt;p&gt;Adrian&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3200991" width="1" height="1"&gt;</description></item><item><title>re: Directly connect to your corpnet with IPsec and IPv6</title><link>http://blogs.technet.com/b/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3191497</link><pubDate>Mon, 26 Jan 2009 18:04:05 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3191497</guid><dc:creator>Anders Vinger</dc:creator><description>&lt;p&gt;Hello Steve.&lt;/p&gt;
&lt;p&gt;I really like the concept of implementing an IPsec solution in order to give my roaming users access to log into my AD and get all the &amp;quot;corp-net&amp;quot; resources while skipping VPN. &lt;/p&gt;
&lt;p&gt;However, one question keeps popping up: why exactly do I need to use IPv6?&lt;/p&gt;
&lt;p&gt;Apart from my users being in a country with IPv6 all over (China comes to mind), and planning for the future, are there other reasons why I couldn't just base my solution on IPv4?&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3191497" width="1" height="1"&gt;</description></item><item><title>Direct Connect - kick out your gnarly ol'VPN!</title><link>http://blogs.technet.com/b/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3165779</link><pubDate>Tue, 09 Dec 2008 18:07:38 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3165779</guid><dc:creator>Matt Deacon's digestive blog</dc:creator><description>&lt;p&gt;I blogged some time ago about the &amp;quot; Shrinking Enterprise &amp;quot; and wouldn't it be neat if we could do away&lt;/p&gt;
&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3165779" width="1" height="1"&gt;</description></item><item><title>re: Directly connect to your corpnet with IPsec and IPv6</title><link>http://blogs.technet.com/b/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3136984</link><pubDate>Thu, 16 Oct 2008 01:06:48 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3136984</guid><dc:creator>TechNet Archive</dc:creator><description>&lt;P&gt;Now that the blog spam is somewhat under control, I've reopened comments for longer than 90 days.&lt;/P&gt;
&lt;P&gt;jcorey-- You've nailed the biggest obstacle to deploying something like direct connect. Many security professionals have been taught that there simply is, and never will be, a process or technology that allows you to trust anything that originates from outside your corpnet. These professionals cling to this belief, and have been the cause that allowed the whole "detection" market to bloom.&lt;/P&gt;
&lt;P&gt;Let me be clear: this total lack of trustworthiness is no longer absolutely true. Of course there will be times when unknown machines will be used by known and unknown people to access your information. But what about one particular subset -- known humans, with known portable computers -- can't we do something better than treat them as toxic invaders?&lt;/P&gt;
&lt;P&gt;Indeed we can. And that's what I'm proposing with direct connect. The technology -- managed, of course, with the right processes -- exists so that you can extend the trust to known computers even though you don't trust the network they're connected to. This is because you have mechanisms that:&lt;/P&gt;
&lt;P&gt;1. Allow you to configure the machine according to your requirements (domain join, group policy)&lt;/P&gt;
&lt;P&gt;2. Dictate computer and user authentication requirements (IPsec policies, smart cards)&lt;/P&gt;
&lt;P&gt;3. Limit what the users of these machines can do (UAC, non-admin, Forefront Client Security, Windows Firewall, even software restriction policies)&lt;/P&gt;
&lt;P&gt;4. Validate the health of machines initiating incoming connections and remediate if necessary (NAP, System Center Configuration Manager)&lt;/P&gt;
&lt;P&gt;5. Limit the threat of attacks against stolen computers (domain logon, smart cards, BitLocker with TPM)&lt;/P&gt;
&lt;P&gt;With the robust authentication, validation, configuration, and control mechanisms available to you, I simply don't see that there's any need to fall back to "detection" now. Detection technologies were -- and remain -- necessary for the times when we have no clue about the health of client computers and when we had no way to gauge the intent of the users. But it is truly reflective of a head-in-the-sand mentality to assume that this is a complete description of what's capable today.&lt;/P&gt;
&lt;P&gt;You know, someone once asked me what it takes to be a security professional. I answered that there are two primary elements: &lt;STRONG&gt;become a networking/packet wonk&lt;/STRONG&gt;, and &lt;STRONG&gt;be willing to change your opinions&lt;/STRONG&gt; when the right evidence comes along. Indeed, I suspect that many security folk have forgotten the need to keep their wonkiness updated, which in turn makes them resist new ideas regardless of the strength of the evidence. I'm not very proud of what I just wrote, because I loathe generalities, but I'm not sure what else to think here. Sigh.&lt;/P&gt;&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3136984" width="1" height="1"&gt;</description></item><item><title>re: Directly connect to your corpnet with IPsec and IPv6</title><link>http://blogs.technet.com/b/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3123636</link><pubDate>Sun, 14 Sep 2008 09:57:46 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3123636</guid><dc:creator>Joseph Ozdemir</dc:creator><description>&lt;p&gt;G'day Steve,&lt;/p&gt;
&lt;p&gt;I was quite pleased when I came to this session - first session of the second day of Tech Ed Australia and I didn't fall asleep! One of my colleagues whom you know all too well (you went to dinner with him the night before) strongly recommended swinging by one of your sessions...&lt;/p&gt;
&lt;p&gt;And anyway back to my point your session on 21st century really really amazed me - I loved the idea! So basically being the nerd that I am, I'm replacing my current home server machine, implementing a Server 08 domain within my own home (Still have my free copy from Heroes Happen), and I'm going to have a crack at setting this up! &lt;/p&gt;
&lt;p&gt;Just wanted to say thanks for giving such great sessions at Tech Ed, and if I run into any problems setting it all up I'll shoot you an email haha.&lt;/p&gt;
&lt;p&gt;Cheers!&lt;/p&gt;
&lt;p&gt;Joseph&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3123636" width="1" height="1"&gt;</description></item><item><title>re: Directly connect to your corpnet with IPsec and IPv6</title><link>http://blogs.technet.com/b/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3122785</link><pubDate>Fri, 12 Sep 2008 06:39:30 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3122785</guid><dc:creator>Richard</dc:creator><description>&lt;p&gt;Hi Steve,&lt;/p&gt;
&lt;p&gt;Great article! &amp;nbsp;Great presentation (went to your talks at Tech.Ed Australia recently).&lt;/p&gt;
&lt;p&gt;Really can't wait to see this written up in full in something like TechNet Magazine so that novices like me can start to think about how to implement it!&lt;/p&gt;
&lt;p&gt;Regards,&lt;/p&gt;
&lt;p&gt;Richard&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3122785" width="1" height="1"&gt;</description></item><item><title>re: Directly connect to your corpnet with IPsec and IPv6</title><link>http://blogs.technet.com/b/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3122377</link><pubDate>Thu, 11 Sep 2008 12:47:12 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3122377</guid><dc:creator>dodacrazy</dc:creator><description>&lt;p&gt;Hey Steve you and your montize buddy Scott will soon have your hands full after the federal officers come down on your data scams and as for your educational acts i'm not buying it and if others are willing to trade your data for their profits guess there are fools born everyday tunnels oh I see drug dealers right Stevo&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3122377" width="1" height="1"&gt;</description></item><item><title>re: Directly connect to your corpnet with IPsec and IPv6</title><link>http://blogs.technet.com/b/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3121328</link><pubDate>Tue, 09 Sep 2008 07:43:38 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3121328</guid><dc:creator>Steve</dc:creator><description>&lt;p&gt;Hi Steve after seeing you at techEd Australia Ive pretty much sold my management that we can do this and we should do this, bring on the instruction set :)&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3121328" width="1" height="1"&gt;</description></item><item><title>re: Directly connect to your corpnet with IPsec and IPv6</title><link>http://blogs.technet.com/b/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3106642</link><pubDate>Fri, 15 Aug 2008 19:39:37 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3106642</guid><dc:creator>adimcev</dc:creator><description>&lt;p&gt;Hi Joe,&lt;/p&gt;
&lt;p&gt;If you and Steve allow me to add a few words (in case they were not already added somewhere before):&lt;/p&gt;
&lt;p&gt;This &amp;quot;network of the future&amp;quot; has some of its bits way in the past, in the 90s, in a paper written by Steven M. Bellovin called Distributed Firewalls, a paper which addresses some of your questions too:&lt;/p&gt;
&lt;p&gt;&lt;a rel="nofollow" target="_new" href="http://www.cs.columbia.edu/~smb/papers/distfw.pdf"&gt;http://www.cs.columbia.edu/~smb/papers/distfw.pdf&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Looks like with the new line of products, Microsoft managed to &amp;quot;link these bits&amp;quot; with practical means, while adding some new bits too.&lt;/p&gt;
&lt;p&gt;Interesting, eh?&lt;/p&gt;
&lt;p&gt;Take care,&lt;/p&gt;
&lt;p&gt;Adrian&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3106642" width="1" height="1"&gt;</description></item><item><title>re: Directly connect to your corpnet with IPsec and IPv6</title><link>http://blogs.technet.com/b/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3104911</link><pubDate>Wed, 13 Aug 2008 16:56:22 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3104911</guid><dc:creator>Joe Corey</dc:creator><description>&lt;p&gt;Steve,&lt;/p&gt;
&lt;p&gt;Great post - even the argumentative responses! My question is how you feel about the security community's never-ending need to do stateful packet inspection on this traffic, which would now be encrypted with IPSec. I've spent hours arguing with absentminded security folks who fail to see the future of networks as you do. They are always proponents of VPN (or IPSec) termination points so they can do packet inspection on traffic in the clear. Their contention is that a host could be infected, then begin attacks which are wrapped in encrypted end-to-end IPSec packets - thus losing the ability to &amp;quot;detect&amp;quot; an attack. I hate the idea that these &amp;quot;professionals&amp;quot; continue to think that IDS/IPS is the answer. Until they can detect unknown attacks, signature-based anything will continue to be behind the curve. Am I wrong, and is this still a valid way to think about network security? Or is the average security professional that out of touch with how we should be architecting the next generation of networks? &lt;/p&gt;
&lt;p&gt;Btw, thanks for all the good info!&lt;/p&gt;
&lt;p&gt;-joe c&lt;/p&gt;
&lt;div style="clear:both;"&gt;&lt;/div&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3104911" width="1" height="1"&gt;</description></item></channel></rss>