Saturday, July 20, 2013

802.1x Authentication or DirectAccess. Which one should I use?

Here is a question that came to me earlier and caused me to think a bit....

"I am creating a new SSID with the intent of setting up an 802.1X wireless network to secure traffic between the WiFi access points and each client. But instead of adding another SSID to my wireless network and doing 802.1X, can't I just setup DirectAccess for my Windows computers instead?"

DirectAccess and 802.1X authentication serve two different types of purposes. Now, both technologies require certificates and both require some type of authentication to take place. But each technology is used for very different reasons.

802.1X is used for securing a wired or wireless network by enforcing user and/or computer authentication in order to gain network access. Essentially, 802.1X is used for network access control (NAC). There are various ways to implement 802.1X, but the point I am trying to make here is that it is used to encrypt network traffic in addition to only allowing authorized devices access to the network. All traffic that passes through the 802.1X secured network is encrypted (thanks to its certificate-based requirement), which is why it is widely used on BYOD wireless networks in the enterprise.

The benefits of setting up 802.1X authentication are many. Here are a few:
  • Only allow authorized users and computers access to the network.
  • All network traffic on 802.1X networks is encrypted between the client and the authentication system.
  • 802.1X networks are more difficult to eavesdrop on (by using Wireshark or other packet capture tools).
  • If the 802.1X certificate is not on the computer, the computer is not trusted and network access will be denied.
  • Depending on the 802.1X solution used, you can do 'posturing' and perform more granular and/or dynamic control of network access per person or per device.
Even with all of the good things that 802.1X can provide, there are several drawbacks.
  • A device must support joining 802.1X networks. Mac, Windows, Linux, Apple iOS, and Android are known to support 802.1X. But, gaming devices such as Xbox and PlayStation do not.
  • It takes more time to troubleshoot when users complain of issues.
  • 802.1X is an IEEE standard but every network vendor has their own way of implementing it. So however you choose to set up 802.1X, it won't be the same process with another vendor.
DirectAccess serves a very different purpose. It is a VPN-like technology that forces a Windows computer that is a member of an Active Directory domain to connect to its home domain over an SSL tunnel (just like what a VPN connection does), but it does this automatically, in the background, without any user intervention. For this reason alone, DirectAccess is worth the time to give it a serious look and consider dropping other VPN solutions, especially if your organization is a "Windows shop". The moment the computer has an active internet connection (no matter where it is in the world) it establishes a secure SSL connection with the DirectAccess server. The DirectAccess server is essentially a proxy between the client and internal enterprise network resources.

There are plenty of benefits to setting up DirectAccess on your domain as well. Here are a few.
  • Windows is preconfigured for DirectAccess by Group Policy; no configuration is needed by the user. The user only needs to get the computer connected to the internet via Ethernet cable or WiFi and Windows will take care of the rest silently and in the background.
  • Ability to manage the desktop computer as if it is physically connected on-premise. This includes Group Policy enforcement, Active Directory, the user's ability to access internal network resources, and so on.
  • You can remotely join a PC to the Active Directory domain (Windows 8 only).
  • No need to finagle with KMS or MAK licensing for the desktop. With DirectAccess, you only need KMS.
  • Communication between the Windows client and the DirectAccess server is secured.
  • Relatively easy to set up. Not as complex as traditional VPN solutions (such as Cisco ASA) can be.
  • No additional licensing needed. If your computers are licensed to connect to your Windows Servers then you are all set.
  • When coupled with Windows Server's Network Access Policies, you can perform NAC-like tasks such as 'posturing'.
But, there are still some drawbacks to DirectAccess.
  • DirectAccess is only supported on Windows 7 Ultimate, Windows 7 Enterprise, and Windows 8 Enterprise computers.
  • The Windows computer must be joined to an Active Directory domain.
  • DirectAccess will not work for Mac or Linux computers - only Windows. For those operating systems, a traditional VPN connection is required.
  • If Force Tunneling is disabled in the DirectAccess configuration, then only the network traffic between the client and DA server will be secured. All other traffic will pass directly through to the internet instead of through the DirectAccess tunnel.
Don't miss that last note. If you are allowing "Split Tunneling" with your DA clients, then you really aren't securing all of the network traffic from the client. This is why you would still need 802.1X. Another reason why you would still want to use 802.1X is to enforce authentication just to gain network access.
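A quick way to check which of the two situations a DA client is actually in, as an added example (not from the original post): it reads the client's force-tunneling setting and lists the namespaces the Name Resolution Policy Table sends through the tunnel, which is all that is protected when split tunneling is in effect. It assumes a Windows 8 or later DirectAccess client and the DirectAccessClientComponents and DnsClient modules; the cmdlet and property names are as I recall them and should be confirmed against Get-Help on your build.

```powershell
# Audit a DirectAccess client for split tunneling (added example, assumes
# Windows 8+ client with the DirectAccessClientComponents module present).
function Test-DASplitTunnel {
    Import-Module DirectAccessClientComponents -ErrorAction Stop
    Import-Module DnsClient -ErrorAction Stop

    # ForceTunneling is assumed to be the boolean property exposed by this cmdlet.
    $daConfig   = Get-DAClientExperienceConfiguration
    $forceTunnel = [bool]$daConfig.ForceTunneling

    # NRPT entries flagged for DirectAccess are the only names resolved and
    # routed over the tunnel when force tunneling is off.
    $tunneled = Get-DnsClientNrptPolicy |
        Where-Object { $_.DirectAccessEnabled } |
        Select-Object -ExpandProperty Namespace

    if ($forceTunnel) {
        Write-Output "Force tunneling ENABLED: all client traffic traverses the DA server."
    } else {
        Write-Warning "Split tunneling in effect: only these namespaces use the DA tunnel,"
        Write-Warning "everything else leaves the client unprotected by DirectAccess:"
        $tunneled | ForEach-Object { Write-Warning "  $_" }
    }

    # Return an object so the result can be collected from many clients.
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ForceTunneling    = $forceTunnel
        TunneledNamespace = $tunneled
    }
}

Test-DASplitTunnel
```

A client reporting ForceTunneling = False is the case the paragraph above warns about: its general internet traffic is outside the DA tunnel, so link-layer protection such as 802.1X/WPA2-Enterprise is still what stands between it and the local network.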

So, in a nutshell, you would implement 802.1X to secure all network traffic on your wired and/or wireless networks, but you would not use 802.1X to force your computers to connect to your internal network. You would implement DirectAccess for one of two reasons. The first is to make it easier for your Windows computers, or to force your Windows computers, to connect to your internal network via VPN. The second reason is if you intend to replace your existing VPN solutions entirely. You would not use DirectAccess to secure network communications on your wired or wireless networks.

I hope this helps some of you out with your current projects or questions regarding the subject matter.

- Joe