Direct Connect: death of the DMZ becoming reality

Last Friday, Steve Riley – security architect at Microsoft did an excellent session about various security subjects in Amsterdam. One of the subjects was a technology that I only knew of as highly secret within Microsoft and probably one of the biggest changes in network security to come.

Imagine that corporate end users are able to take their corporate mobile systems to any Internet connected place and work with corporate resources without a VPN or gateway. This enables the users to connect to Active Directory, have their clients managed while at home or traveling. At the same time users get full access to the corporate network without the hassle of extra client software or gateways.

Direct Connect uses IPv6 with IPSec to create save direct connectivity to servers on corporate networks for trusted clients. This is quite a revolutionary approach, as it enables clients from the Internet to bypass the DMZ. The concept relies on IPSec authentication and encryption. Microsoft’s new IPSec implementation in Windows Vista and Server 2008 allow IPSec connections to be based on both computer and user credentials, combined with Network Access Protection for system health enforcement. The only thing an edge router has to do, is filter incoming traffic to allow only IPSec initiation requests and subsequent IPSec traffic. Any standard router can do just that.

Steve Riley pointed out that you can build a Direct Connect infrastructure with standard products currently available from Microsoft and that Microsoft will provide more information in the near future. He also mentioned that Microsoft marketing is not yet thrilled, because no extra licenses will be needed to build a Direct Connect infrastructure.

Microsoft is currently running a (secret) pilot with Direct Connect that enables participants to use their corporate laptops to directly work with systems on the corporate network from the Internet.

I told Steve I can’t wait for the white paper "How to build a Direct Connect infrastructure" and get instant access to my home systems from any place in the world.

This entry was posted in Windows Server 2008. Bookmark the permalink.

3 Responses to Direct Connect: death of the DMZ becoming reality

  1. Pingback: How-to: Is it possible to use VPN for only one Program? #answer #fix #development | SevenNet

  2. Pingback: How to: Is it possible to use VPN for only one Program? #programming #solution #development | Good Answer

  3. Pingback: Server Bug Fix: Is it possible to use VPN for only one Program? - TECHPRPR

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s