Layered Defense - Managing Risk While Extending the Enterprise

By Haystax, January 21, 2016

By Marvin Marin, Haystax Technology Program Manager and Cybersecurity Expert

Due to the mobile nature of many workforces, IT support personnel and security managers are required to provide remote access capabilities to their user base. The security manager is put in the difficult position of satisfying user needs, protecting against multiple vectors of attack and deciding what is acceptable organizational risk.

The traditional approach to giving employees remote access to a (Windows) enterprise network has been to deploy a Virtual Private Network (VPN) solution, either distributing the client software to end users or pre-installing it as baseline software on organization-issued assets. While this approach offers some level of security, it does not provide the holistic solution security managers need to defend their networks proactively.

Microsoft released DirectAccess with Windows Server 2008 R2 to address exactly these concerns and to give security managers a suite that provides a comprehensive security solution. It allows a security manager to reduce the complexity of remote access from the user’s perspective, verify the identity of the asset, determine the health of the asset and ensure that the session and all access to internal resources are encrypted in transit. Consider, for example, corporate users working from an unsecured wireless network at an airport: with a traditional VPN they would need to connect to the access point, activate their VPN software, authenticate to the corporate network and only then access resources.

A DirectAccess-enabled system, by contrast, can pre-authenticate to the enterprise securely, based on a certificate issued to the asset, before the user has even logged into Windows. Once users authenticate themselves to the asset, they can access intranet resources (over an encrypted connection) as if they were connected locally to the organization’s network. Additionally, if Network Access Protection (NAP) is enabled, the asset’s current configuration is assessed against the permitted security configuration to determine whether the asset is 1) denied access, 2) allowed access only to a restricted environment in which it can be patched or fixed, or 3) allowed full access.

This type of granular control provides a framework for managing the risk of distributed assets: the IT department gets an easier-to-manage, integrated solution, and the user gets improved functionality and security, all of it transparent to the user experience.
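The three-way decision described above (deny, restrict for remediation, or allow) is easier to reason about as an explicit policy evaluation. The following is an added illustration, not code from the original post and not Microsoft's NAP implementation: it models a machine-certificate identity check followed by a health check, using a constructed policy and constructed asset postures. The patch identifiers, issuer name and certificate serials are placeholders, and the revoked-serial set stands in for the certificate revocation list a real deployment would consult.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from enum import Enum


class Decision(Enum):
    DENY = "deny"              # asset identity cannot be established
    RESTRICTED = "restricted"  # quarantined to a remediation network
    ALLOW = "allow"            # full intranet access


@dataclass(frozen=True)
class MachineCert:
    serial: str
    issuer: str
    not_after: date


@dataclass(frozen=True)
class Posture:
    cert: MachineCert
    installed_patches: frozenset[str]
    firewall_enabled: bool
    av_signature_date: date


@dataclass(frozen=True)
class Policy:
    trusted_issuers: frozenset[str]
    revoked_serials: frozenset[str]   # stand-in for a CRL lookup (hypothetical)
    required_patches: frozenset[str]
    max_av_signature_age_days: int


def evaluate(posture: Posture, policy: Policy, today: date) -> tuple[Decision, list[str]]:
    """Identity failures deny outright; health failures send the asset to remediation."""
    cert = posture.cert
    identity_failures = []
    if cert.issuer not in policy.trusted_issuers:
        identity_failures.append("certificate issuer not trusted")
    if cert.not_after < today:
        identity_failures.append("machine certificate expired")
    if cert.serial in policy.revoked_serials:
        identity_failures.append("machine certificate revoked")
    if identity_failures:
        return Decision.DENY, identity_failures

    health_failures = []
    missing = sorted(policy.required_patches - posture.installed_patches)
    if missing:
        health_failures.append("missing patches: " + ", ".join(missing))
    if not posture.firewall_enabled:
        health_failures.append("host firewall disabled")
    age_days = (today - posture.av_signature_date).days
    if age_days > policy.max_av_signature_age_days:
        health_failures.append(f"antivirus signatures {age_days} days old")
    if health_failures:
        return Decision.RESTRICTED, health_failures
    return Decision.ALLOW, []


# Constructed policy: placeholder CA name, patch ids and a revoked serial.
POLICY = Policy(
    trusted_issuers=frozenset({"CN=Example Issuing CA"}),
    revoked_serials=frozenset({"1F3A"}),   # e.g. the cert of a laptop reported stolen
    required_patches=frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}),
    max_av_signature_age_days=7,
)
TODAY = date(2016, 1, 21)

# Constructed asset postures covering each outcome.
ASSETS = {
    "laptop-healthy": Posture(MachineCert("2A7C", "CN=Example Issuing CA", date(2017, 1, 1)),
                              frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}), True, date(2016, 1, 20)),
    "laptop-stale": Posture(MachineCert("2A7D", "CN=Example Issuing CA", date(2017, 1, 1)),
                            frozenset({"KB-EXAMPLE-1"}), True, date(2016, 1, 1)),
    "laptop-stolen": Posture(MachineCert("1F3A", "CN=Example Issuing CA", date(2017, 1, 1)),
                             frozenset({"KB-EXAMPLE-1", "KB-EXAMPLE-2"}), True, date(2016, 1, 20)),
}


def triage(assets: dict[str, Posture], policy: Policy, today: date) -> dict[str, str]:
    """Map each asset name to the decision string it receives."""
    return {name: evaluate(p, policy, today)[0].value for name, p in assets.items()}


if __name__ == "__main__":
    for name, posture in ASSETS.items():
        decision, reasons = evaluate(posture, POLICY, TODAY)
        print(f"{name}: {decision.value} {reasons}")
```

Ordering matters: identity is checked before health, so a revoked or expired machine certificate is never offered a remediation network. Health failures are accumulated rather than short-circuited, so the remediation environment receives every reason at once.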

For the government sector, specifically Defense, DirectAccess can solve many problems and help a security manager better manage risk and apply appropriate and required security governance. Benefits to the public sector users and IT managers include:

  1. Support costs can be reduced by moving to an integrated solution that does not rely on vendor supplied appliances or client software.
  2. Intranet and internet traffic are separated at the endpoint, which reduces network latency and congestion by sending internet traffic over the local internet connection, and reduces costs because the organization no longer has to supply transport for that traffic, as it must with a VPN.
  3. The experience is transparent to the end user.
  4. Based on the configuration, the technology can provide encryption from endpoint to edge or endpoint to endpoint.
  5. Existing Public Key Infrastructure (PKI) can be used to support two-factor authentication and Single Sign-On (SSO) implementations.
  6. Machine certificates can be revoked, thereby denying access to lost or stolen IT assets.
  7. An IPsec tunnel is established automatically, transparently and without additional software.
  8. NAP allows systems whose health indicators show them to be ‘sick’ to be placed into a sandbox where they receive required patches or configuration changes before they can access sensitive data.
  9. Compliance with required baseline security configurations, such as the United States Government Configuration Baseline (USGCB) or the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs), can be enforced, assisting the organization with auditing, inspection and governance.
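Item 2 above is worth seeing in miniature. DirectAccess separates traffic by deciding, per DNS name, whether a query goes to internal DNS servers reachable only through the IPsec tunnel or to the local resolver; the client's Name Resolution Policy Table (NRPT) holds those rules, and the table is bypassed entirely when the client can reach the Network Location Server (NLS) and is therefore already on the corporate network. The code below is an added example, not part of the original post and not Microsoft's NRPT code: it implements that longest-suffix-wins lookup over a constructed rule table. The `corp.example` names and the documentation-range IPv6 address are placeholders.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class NrptRule:
    # ".corp.example" = suffix rule; "host.corp.example" = exact-FQDN rule
    namespace: str
    # Empty tuple = exemption: the name is resolved by the local (internet) resolver
    dns_servers: tuple[str, ...]


# Constructed rule table modelled on what a DirectAccess deployment pushes to clients.
RULES = (
    NrptRule(".corp.example", ("2001:db8:1::53",)),  # intranet namespace -> internal DNS via tunnel
    NrptRule("da.corp.example", ()),                 # public name of the DirectAccess server: reached directly
    NrptRule("nls.corp.example", ()),                # network location server: exempt so it is only reachable on corpnet
)


def matching_rule(name: str, rules: tuple[NrptRule, ...]) -> NrptRule | None:
    """Return the most specific rule (longest namespace) that matches `name`."""
    name = name.lower().rstrip(".")
    best = None
    for rule in rules:
        ns = rule.namespace.lower()
        hit = name.endswith(ns) if ns.startswith(".") else name == ns
        if hit and (best is None or len(ns) > len(best.namespace)):
            best = rule
    return best


def route_query(name: str, rules: tuple[NrptRule, ...], on_corpnet: bool = False) -> tuple[str, tuple[str, ...]]:
    """Decide how `name` is resolved and reached.

    Returns ("tunnel", servers) when the query goes to internal DNS through the
    IPsec tunnel, or ("local", ()) when the local resolver and local internet
    connection are used. On the corporate network the table does not apply.
    """
    if on_corpnet:
        return "local", ()
    rule = matching_rule(name, rules)
    if rule is None or not rule.dns_servers:
        return "local", ()
    return "tunnel", rule.dns_servers


def classify(names: list[str], rules: tuple[NrptRule, ...], on_corpnet: bool = False) -> dict[str, str]:
    """Map each destination name to 'tunnel' or 'local'."""
    return {n: route_query(n, rules, on_corpnet)[0] for n in names}


if __name__ == "__main__":
    # Constructed sample destinations a roaming client might contact.
    for n in ["files.corp.example", "da.corp.example", "www.example.com"]:
        print(n, route_query(n, RULES))
```

The two exemption rules are the part practitioners most often get wrong: if the DirectAccess server's own public name matched the suffix rule, the client would try to resolve it through a tunnel that does not exist yet, and if the NLS were reachable from the internet every remote client would conclude it was on the corporate network and never bring the tunnel up.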

I recommend DirectAccess as a way to accommodate the needs of a mobile workforce while giving security managers some peace of mind. As a provider of network and infrastructure management and cybersecurity services, and as a Microsoft Gold Partner, Haystax is in a unique position to recommend, architect and implement this type of innovative solution.