This post was made to detail the differences between DirectAccess and VPN. Often misconceived as the same, but between DirectAccess and VPN they are Not the Same.
Although a lot of people are thinking of deploying DirectAccess, I have to remind them that while DirectAccess has many characteristics that might make you think that it is a VPN, but in actuality DirectAccess isn't a VPN. DirectAccess is more than just a VPN, it s much more.
One way to understand how DirectAccess differs from VPN is to put in a different perspective with other types of clients on your network and look at the connectivity and security issues that are important with each of these client types.
Different 'client'.
Let's assume that there are two types of clients that are domain members and are under your control.
- DirectAccess client
- the roaming remote access VPN client
DirectAccess Client
Very much like the VPN client, this computer can move from the hotel room to the airport and anywhere else that a roaming remote access VPN client might be located.
The DirectAccess client will be connected to all networks, just like the roaming remote access VPN client, and the risk of physical compromise of the computer is also similar to that seen with the roaming remote access VPN client.
The result being that often the VPN client and the DirectAccess client is often compared to be the same.
However there is some significant difference between the roaming remote access VPN client and the DirectAccess client:
- DirectAccess client uses two separate tunnels to connect. DirectAccess client connected through the first tunnel only to management and configuration infrastructure by default. If added access of general network isn't available until the user logs on and creates a separate infrastructure tunnel.
- DirectAccess client is always serviceable. If you ever want to, you will need to connect to the DirectAccess client to perform custom software configuration or troubleshooting on an issue on the DirectAccess client, there shouldn't be a problem because both clients are bidirectional.
- DirectAccess client is always managed. This means that the DirectAccess client is always connected with management servers that keep the DirectAccess client well within the security compliance configuration of management servers.
VPN Client
The roaming remote access VPN client poses a different threat profile.
These machines are domain members, have anti-malware software installed, have Windows Firewall with Advanced Security enabled. However, that configuration and security state doesn't last for long. A user may not connect to the VPN for days or weeks, and during that period of time, the VPN client then slowly falls out of compliance.
Everything doesn't get updated, anti-virus updates, anti-malware software, security and compliance all fail to connect.
As this small problem grows it falls further and further out of your defined security compliance and requirements and magnifies to connect to a large number of networks with unknown trust.
Soon the computer becomes compromised by worms, viruses, Trojans and various other forms of malware. The damage will be limited if you have NAP (Network Access Protection) enabled on the network, but not many networks have it.
The VPN client as you can see has a host of security issues:
- Users can do anything they want while they are connected to the internet without a filter in place
- Updating of malware softwares and policies may not be done in a timely basis
- Greater access to the VPN client computer than what has been initially thought of
- Irregular connectivity compromises security policies
- Exposure to unmanaged and poorly managed networks
The critical difference between the DirectAccess client and the VPN client
Here is the critical difference between the DirectAccess client and the VPN client:
"the DirectAccess client poses a lower threat profile."
---
My conclusion
There are concerns over the DirectAccess client as well, but in this article, it clearly shows that the DirectAccess client is always managed, and it is a much lower threat profile as compared to the threat posed by the VPN client.
If there are any strong objections or discussions in regards to this, please feel free to share your thoughts in the comments below!