June 2009 - Posts

During Community Day 2009 in Mechelen, after giving my TMG presentation, an attendee asked what the differences and key points are between DirectAccess and the SSL VPN in TMG. In this post I will try to answer that question.

Before we get started, let's recap an important question.

What is a VPN?

According to Wikipedia:

Virtual private network (VPN) is a computer network in which some of the links between nodes are carried by open connections or virtual circuits in some larger networks (such as the Internet). The Link Layer protocols of the virtual network are said to be tunneled through the transport network. One common application is to secure communications through the public Internet, but a VPN does not need to have explicit security features such as authentication or content encryption.

Internet VPNs
Several protocols are used to provide security over the Internet. For brief transactions at a Web site, SSL is widely used. For extended, secure transmissions, IPsec, L2TP and PPTP are used to provide secure "tunnels" over the Internet. See IPsec, L2TP, PPTP and SSL.

There are some great marketing slides going around about DirectAccess stating that it's not a VPN. As good as that might sound, I must disagree. If you think about VPNs and read the above definitions, it's clear that DirectAccess, just like SSTP, is a VPN technology.

However, after reading this article I'm pretty sure you will agree with me that both technologies have their place, and that DirectAccess clearly uses a more advanced feature set to do its job.

Feature overview and comparison


  • Client computer connects automatically: This must be the number one benefit of DirectAccess over any other technology. With DirectAccess your clients automatically and seamlessly connect to the corporate network. There is no need for users to open a remote dialer, enter a password, and so on. They just switch on the computer, connect to a network and that's it. The downside is of course that users don't have the choice; they are always connected. When thinking about split tunneling and corporate policies this could form a problem. What if your corporate policy prohibits split tunneling (http://en.wikipedia.org/wiki/Split_tunneling) and you block users from accessing encrypted private banking sites? After implementing DirectAccess this would mean people taking their corporate laptops home in the evening are also blocked from the banking sites. This could be exactly what you want to achieve, but it could also be a cause of great grievance.

    With an SSL VPN you leave the choice to connect in the hands of the end user. This level of choice is great for some but can be confusing for others. Using TMG's rich interface you can even set time limits for allowing and disallowing access to private banking sites. Don't forget that playing with redial settings can give you quick reconnection and less end-user awareness.
  • Work through all firewalls:
    • Direct access: supports a variety of different protocols to establish IPv6 connectivity to the DirectAccess server. On the IPv6 Internet, DirectAccess client computers connect by using native IPv6. On the IPv4 Internet, DirectAccess client computers connect by using IPv6 transition technologies. If a firewall blocks these protocols, DirectAccess uses IP over HTTPS (IP-HTTPS).
    • SSL VPN: This protocol immediately encapsulates IP in HTTPS traffic.
  • Supports selective server access: We all know TMG has a great amount of granularity, allowing you total control over who can access what network, what server and what protocol at any given time. DirectAccess also has the possibility to limit access to hosts, and if I'm not mistaken down to protocol level, but I'm guessing this will be far less advanced than what TMG has to offer.
  • Supports end-to-end authentication and encryption: Even though the auto-connect feature must be the number one reason to go for DirectAccess from an end-user perspective, this must be the number one reason from a security perspective.

    When using the End-to-End Access model, DirectAccess client computers establish an IPsec connection directly to the resource servers, enabling network-level security to function exactly as it does when computers are connected directly to the internal network. End-to-end security is made possible by using IPv6 and IPsec, which provides end-to-end global addressing and traffic protection capabilities that are not easily available with traditional IPv4-based VPNs. Figure 1 compares the DirectAccess End-to-End Access model with a traditional VPN.

    You can best see the difference in the below diagram.

    As illustrated, the encryption/authentication model for DirectAccess end-to-end allows an authenticated and encrypted connection straight to the application server, while the DirectAccess server does nothing more than set up the initial connection and proxy the traffic. (There is a different option, DirectAccess end-to-edge or tunnel mode, which works differently.)

    This scenario is very secure as it ensures that even non-secure protocols are protected from the client all the way to the application server. With standard VPN technology the connection between the VPN server and the application server is not encrypted, leaving your data exposed on the internal network.

    Management of remote computers: Another great benefit of DirectAccess is that the connection is established during boot-up. This allows group policies to process seamlessly. With a traditional VPN, GPO processing will fail until the VPN connection is established.

    Both DirectAccess and SSTP through TMG support NAP, ensuring host health before clients are granted full network access.

    OS compatibility: DirectAccess requires Windows 7 or Windows Server 2008 R2 as clients and requires Windows Server 2008 R2 on the edge side, while SSTP is supported on Vista SP1 and onwards and could be supported on non-Microsoft OSes.

    Domain membership: If the previous reasons all spoke in favour of DirectAccess, this must be the number one downside of the technology. Clients must be domain members to use this complex access method. SSTP, on the contrary, is supported for domain members and stand-alone clients, allowing you to extend your WAN to both corporate and third-party clients.

Summary: In this article we had a look at both SSTP and DirectAccess, exploring the two technologies side by side. As discussed, both technologies are VPN-like, but each has its key benefits and its place within the corporate network. The diagram below provides a nice overview to finish off this article.


Today was a shaking day for me in VM-land. I have always been a great fan of VMware's virtualization products and strategy. Don't get me wrong, MS has a great solution with Hyper-V and I love that product as well, but as a long-time VMware user I just loved the product.

When they released the free ESXi edition I really thought this was a great breakthrough for computing in general. A reduced-feature-set ESX at zero cost is a great way to introduce the platform in places that would otherwise lose out.

However, today to my great disappointment it seems VMware has gone money crazy, and although ESXi is still free and a great product, they are putting political pressure on third-party vendors to no longer develop software that supports ESXi.

I was looking at Veeam and esXpress as online backup solutions, hoping to use ESXi as an offsite target solution and to host a few minor business apps. I know Veeam has worked with ESXi for a while and esXpress was going to implement it soon, but when I requested info on this topic, this was the reply I got:


  • Recently, VMware requested that XXX Software discontinue support for ESXi Free in XXX Backup and Replication in order to comply with VMware's updated licensing policy. In light of VMware's request, and our close technical partnership, XXX Backup and Replication will no longer support ESXi Free.

  • I understand that this sudden change causes lots of disappointment, but unfortunately all vendors were restricted from supporting ESXi Free.


Of all the crappy stuff going on with licensing and big companies putting pressure on great third-party development companies, this really outranks them all! If you don't like the fact that people are using your free ESXi, then stop putting it on the market.

Boohoo! Boohoo! Great products, VMware, but really crappy politics!!

www.it-talks.be

It's been a while, but our next event is up on the board and it's time to sync your calendars! This will be a great opportunity to prep yourself for the release of Win7 and Win2k8 R2.

Event Name: "Automating Windows 7 and Windows 2008 R2 deployment"
Topic: During this event we will focus on the different ways you can automatically and easily deploy Windows 7 and Windows 2008 R2 in your environment.

Speaker: Manu Verzelen

Event dates:

It-Short talk
  Date and time: Thursday 16 July 2009, 19:00 – 21:30
  Location: Not available yet
  Entry: Free
  Focus: During this event we will focus on the theory of automating deployment of Windows 7 and Windows 2008 R2 in your network.

Full day talk
  Date and time: Saturday 25 July, 10:00 – 17:30
  Location: Spes Nostra - Koning Albertstraat 50 - 8520 Kuurne
  Entry: 15€ for drinks and lunch
  Focus: During this event we will focus on a hands-on practice lab around automating deployment of Windows 7 and Windows 2008 R2 in your network.

You can register for these events by sending an email to tom[-@-T]decaluwe.eu; include which events you will attend. Seats are limited, so register ASAP!
(*) Please note that both events are complementary, meaning you can follow one or both events individually and learn great new things each time.


For those of you coming to Community Day 2009, I look forward to meeting you at my TMG beta 3 introduction session. A must-attend for all you ISA Server lovers out there.

If you like network monitoring you'll know the race is on between MS's Netmon 3.3 and our trusted Wireshark. And as sure as MS released its latest and greatest, Wireshark is preparing for their next release.

And you will not be disappointed ;-)

Version 1.2 of Wireshark is now in pre-release, so let's have a quick look at the new features by reviewing the release notes.

New and Updated Features
  • Wireshark has a spiffy new start page. => Looks nice for the GUI lovers.

  • Display filters now autocomplete. => This is one you have got to love.

  • A 64-bit Windows (x64) installer is now provided. => If I need to explain this, you should not be reading this article.

  • Support for the c-ares resolver library has been added. It has many advantages over ADNS. => c-ares is a C library that performs DNS requests and name resolution asynchronously. I can't tell you yet why it's better, as stated by the Wireshark guys, and to be honest I'm not a big fan of doing DNS lookups during traces, but from time to time it can be nice.

  • Many new protocol dissectors and capture file formats have been added (see below for a complete list).

  • Macintosh OS X support has been improved. => cool :-p

  • GeoIP database lookups. => Does what it says: links geographical info to IP addresses.

    To get this working you need to download the GeoIP database from http://www.maxmind.com/app/ip-locate. Point Wireshark to the GeoIP database files in Preferences > Name Resolution, then enable GeoIP in the protocol preferences. Head out to Statistics > Endpoints and you should see the country / city / … attributes fill in.

  • OpenStreetMap + GeoIP integration. => If everything goes well and you click the map icon, you should get red dots with the IP locations.

  • Improved Postscript® print output.

  • The preference handling code is now much smarter about changes.

  • Support for Pcap-ng, the next-generation capture file format. => This is the follow-up to the open pcap standard and allows more flexible and richer saving of capture files. One of the great features is adding comments, as we have come to love in Netmon. As of today, however, this format is not yet supported by Netmon, so for people like me using both tools for the best of both worlds, we are still stuck with pcap.

    http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
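To see what the new format actually carries, here is an added example (not code from Wireshark or from the pcap-ng draft): a minimal pcap-ng writer and reader that stores a section comment and a per-packet comment (option code 1, opt_comment) and reads them back. Block layouts follow the draft linked above; the two sample frames are constructed.

```python
import struct
# Block types and option codes from the pcap-ng draft linked above.
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
OPT_END, OPT_COMMENT = 0, 1
SAMPLE_PACKETS = [(1_245_000_000_000_000, b"\xff" * 14, "broadcast frame"),  # constructed sample
                  (1_245_000_000_000_001, b"\x01\x02\x03", None)]            # second frame, no comment

def _opts(comment=None):
    """Option list: optional opt_comment (value padded to 4 bytes) then opt_endofopt."""
    out = b""
    if comment is not None:
        raw = comment.encode()
        out += struct.pack("<HH", OPT_COMMENT, len(raw)) + raw + b"\0" * (-len(raw) % 4)
    return out + struct.pack("<HH", OPT_END, 0)

def _block(btype, body):  # generic frame: type, total length, body, total length again
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def write_pcapng(packets, section_comment=None):
    """packets: (timestamp_us, frame_bytes, comment_or_None) tuples on one Ethernet interface."""
    # Section Header: byte-order magic, version 1.0, unknown section length (-1), options.
    data = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + _opts(section_comment))
    # Interface Description: LINKTYPE_ETHERNET (1), reserved, snaplen 65535, no options.
    data += _block(IDB, struct.pack("<HHI", 1, 0, 65535) + _opts())
    for ts, frame, comment in packets:  # Enhanced Packet Blocks; frame data padded to 4 bytes
        hdr = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(frame), len(frame))
        data += _block(EPB, hdr + frame + b"\0" * (-len(frame) % 4) + _opts(comment))
    return data

def _parse_opts(buf):  # return every opt_comment value in an option list
    comments, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("<HH", buf, off)
        if code == OPT_END:
            break
        if code == OPT_COMMENT:
            comments.append(buf[off + 4:off + 4 + length].decode())
        off += 4 + length + (-length % 4)
    return comments

def read_comments(data):
    """Walk the blocks; return (section comments, [(frame_bytes, [packet comments]), ...])."""
    section, packets, off = [], [], 0
    while off + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, off)
        body = data[off + 8:off + total - 4]
        if btype == SHB:
            section += _parse_opts(body[16:])  # options follow the 16-byte section header
        elif btype == EPB:
            caplen = struct.unpack_from("<I", body, 12)[0]
            end = 20 + caplen + (-caplen % 4)  # skip the padded frame data
            packets.append((body[20:20 + caplen], _parse_opts(body[end:])))
        off += total
    return section, packets
```

Writing the output of write_pcapng(SAMPLE_PACKETS, "some comment") to a .pcapng file gives a capture Wireshark 1.2 can open, with both comments visible.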

  • Support for process information correlation via IPFIX.

  • Column widths are now saved. => Finally!!!

  • The last used configuration profile is now saved. => Finally!!!

  • Protocol preferences are changeable from the packet details context menu.

  • Support for IP packet comparison.

  • GTK1 is no longer supported. (Yes, this is a feature.)

  • Official Windows packages are now built using Microsoft Visual C++ 2008 SP1.

New Protocol Support

Anything in Anything Protocol, ATM PW, N-to-one Cell Mode, B.A.T.M.A.N. Layer 3 Protocol, BACnet MS/TP, BSS LCS Assistance Protocol, Canon BJNP, CESoPSN basic NxDS0 mode (no RTP support), Charging ASE, Cimetrics MS/TP, DECT Protocol, Digital Private Signalling System No 1 Link Layer, DOCSIS Mac Domain Description, DOCSIS Registration Request Multipart, DOCSIS Registration Response Multipart, DOCSIS Synchronisation Message, E100 Encapsulation, EHS, Enhanced Variable Rate Codec, Ethernet Global Data, Ethernet PW, Exchange 2003 Directory Request For Response, Far End Failure Detection, FCoE Initialization Protocol, GOOSE, GPEF, GPRS Tunneling Protocol V2, GSM A-I/F COMMON, GSM A-I/F GPRS Mobility and Session Management, GSM SACCH, GSM Um Interface, HDLC PW, FR port mode (no CW), HDLC-like framing for PPP, IEC 60870-5-104,Apci, IEC 60870-5-104,Asdu, IEEE 802.15.4 Low-Rate Wireless PAN non-ASK PHY, IEEE C37.118 Synchrophasor Protocol, Intelligent Platform Management Interface (Session Wrapper), Inter-Integrated Circuit, Internal TDM, IPSICTL, ISMACryp Protocol, iWARP Direct Data Placement and Remote Direct Memory Access Protocol, iWARP Marker Protocol data unit Aligned framing, Kontiki Delivery Protocol, LANforge Traffic Generator, Layer 1 Event Messages, Lb-I/F BSSMAP LE, LeCroy VICP, Link Access Procedure, Channel Dm (LAPDm), Local Download Sharing Service, LTE Radio Resource Control (RRC) protocol, MAC-LTE, Memcache Protocol, Mesh Header, MP4V-ES, Nasdaq TotalView-ITCH, Nasdaq-SoupTCP version 2.0, NAT Port Mapping Protocol, Netdump Protocol, Non-Access-Stratum (NAS)PDU, PacketLogger, Paltalk Messenger Protocol, PDCP-LTE, PW Associated Channel Header, PW Ethernet Control Word, PW Frame Relay DLCI Control Word, PW MPLS Control Word (generic/preferred), Real-Time Publish-Subscribe Wire Protocol 2.x, Remote Packet Capture, RLC-LTE, SAToP (no RTP support), SERCOS III V1.1, SIMULCRYPT Protocol, Subnetwork Dependent Convergence Protocol XID, Teamspeak2 Protocol, TTEthernet, 
TTEthernet Protocol Control Frame, Turbocell Aggregate Data, Turbocell Header, TURN Channel, Unreliable Multicast Inter-ORB Protocol, VCDU, Wave Short Message Protocol(IEEE P1609.3), Wireless Access Station Session Protocol, Wireshark Expert Info, World of Warcraft, Xpress Transport Protocol, ZigBee Application Framework, ZigBee Application Support Layer, ZigBee Device Profile, ZigBee Encapsulation Protocol, ZigBee Network Layer, Zipped Inter-ORB Protocol, ZRTP


For those of you that have been using Netmon 3.3 for doing your network analysis you’ll be happy to know there is a great new expert out there called


- Top by endpoint: Top Users by Endpoint allows you to understand which machines are sending the most data in a trace. This is useful for finding machines that could be monopolizing bandwidth or perhaps generating unwanted traffic, for instance a virus.

- Top by conversation: Top Users by Conversation allows you to understand which pairs of machines are sending the most data in a trace. This is useful for finding machines that could be monopolizing bandwidth or stuck in a loop or long-lasting process.

Both experts come in the same package and have a grid view, pie chart and bar chart. They also allow you to view from a layer 3 IP (both v4 and v6) and layer 2 data link layer perspective.
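As an added illustration (not the Netmon experts' own code), the same two views computed with plain Python over a constructed sample trace, plus a share-of-total check for the monopolizing-host case the experts are meant to surface:

```python
from collections import Counter

# Constructed sample trace: (source IP, destination IP, frame bytes). 10.0.0.5 is the hog.
SAMPLE_TRACE = [
    ("10.0.0.5", "10.0.0.1", 1500), ("10.0.0.1", "10.0.0.5", 60),
    ("10.0.0.5", "10.0.0.1", 1500), ("10.0.0.7", "10.0.0.9", 400),
    ("10.0.0.9", "10.0.0.7", 300), ("10.0.0.5", "10.0.0.9", 200),
]

def top_by_endpoint(trace, n=3):
    """Bytes each host sent, highest first (what 'Top Users by Endpoint' shows)."""
    sent = Counter()
    for src, _dst, size in trace:
        sent[src] += size
    return sent.most_common(n)

def top_by_conversation(trace, n=3):
    """Bytes per host pair with both directions combined ('Top Users by Conversation')."""
    conv = Counter()
    for src, dst, size in trace:
        conv[tuple(sorted((src, dst)))] += size  # direction-independent key
    return conv.most_common(n)

def bandwidth_hogs(trace, share=0.5):
    """Senders responsible for more than `share` of all bytes: candidates for a closer look."""
    total = sum(size for _src, _dst, size in trace)
    return [host for host, sent in top_by_endpoint(trace, n=None) if sent / total > share]
```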

Interested? Get it now: http://www.codeplex.com/NMExperts

It's been a while since my last post, but I have been pretty tangled up the last months and weeks. Just let me put the general statement out there: "think twice before renovating a house!!!"

In any case, great news from the Microsoft front that I have been really looking forward to blogging about. TMG beta 3 is out in the open; pick up your copy here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=e05aecbc-d0eb-4e0f-a5db-8f236995bccd

This latest version is, as they say, feature complete, so it's high time to dig in and melt with desire…

What’s new, great and amazing?

- Firewall level:
  • VoIP traversal (SIP)
  • Enhanced NAT
  • ISP Link Redundancy & Aggregation

- Secure Web Access level:
  • HTTP Anti-virus/spyware
  • URL Filtering
  • HTTPS forward inspection

- E-mail Protection level:
  • Exchange Edge/FSE integration
  • Anti-Virus
  • Anti-spam

- Intrusion Prevention level:
  • Network Inspection System (NIS)

- Remote Access level:
  • NAP integration with VPN role
  • SSTP support

- Deployment & Management level:
  • Array Management
  • Scenario UI & Wizards
  • Change tracking
  • Enhanced reporting
  • W2K8, native 64-bit

- Subscription Services level:
  • Update Center:
    • HTTP: AV+URL Filtering
    • Email: AV+Anti-Spam
    • NIS signatures

Not to mention all the great stuff that was already in there with ISA 2006!!!

Does this all sound good to you, and do you want to learn more? Here is how:

- I'll be doing some blog posts and/or Chopsticks videos on each item individually, so stay tuned.

- At Community Day Belgium on the 25th I'll be giving a 60-minute presentation on TMG. There's no way I can cover it all in 60 minutes, but I'll sure as hell try ;-)

- In September It-Talks will be hosting a 2-hour short-talk session on TMG, and a full-day hands-on session playing with the product the week after, so keep an eye on that.

Enjoy TMG and keep your networks safe

Tom