Direct Connect bypasses DMZ

Last Friday, Steve Riley, security architect at Microsoft did an excellent session about various security subjects in Amsterdam. One of the subjects was a technology that’s a highly secret within Microsoft and probably one of the biggest changes in network security to come. Imagine that corporate end users are able to take their corporate mobile systems […]

Last Friday, Steve Riley, security architect at Microsoft did an excellent session about various security subjects in Amsterdam. One of the subjects was a technology that’s a highly secret within Microsoft and probably one of the biggest changes in network security to come.

Imagine that corporate end users are able to take their corporate mobile systems to any Internet connected place and work with corporate resources without a VPN or gateway. This enables the users to connect to Active Directory, have their clients managed while at home or traveling. At the same time users get full access to the corporate network without the hassle of extra client software or gateways.

Direct Connect uses IPv6 with IPSec to create save direct connectivity to  servers  on corporate networks for trusted clients. This is quite a revolutionary approach, as it enables clients from the Internet to bypass the DMZ. The concept relies on IPSec authentication and encryption. Microsoft's new IPSec implementation in Windows Vista and Server 2008 allow IPSec connections to be based on both computer and user credentials, combined with Network Access Protection for system health enforcement. The only thing an edge router has to do, is filter incoming traffic to allow only IPSec initiation requests and subsequent IPSec traffic over IPv6. Any standard router can do just that.

Full Article