Comparing NetMotion Mobility® and Microsoft DirectAccess
DirectAccess is a Microsoft remote access technology designed for managed (domain-joined) Windows client computers. Much like NetMotion Mobility®, it provides seamless and transparent remote network connectivity. However, it differs dramatically in many important ways. This is part one in a series of articles that compare NetMotion Mobility and Microsoft DirectAccess in terms of their security, performance, visibility, supported clients and solution support.
Part 1) Comparing Security
The wireless connection itself should provide essential protection (integrity and confidentiality) for communication between remote client computers and internal systems. However, both DirectAccess and Mobility include additional security layers that ensure access to on-premises applications and data is given only to authorized users.
Despite some similar functionality, Mobility offers advanced features that allow administrators to exercise greater control over remote access clients. Ultimately, deploying Mobility offers organizations superior security overall compared to DirectAccess.
DirectAccess leverages multiple forms of authentication. First, the device itself is authenticated using its Active Directory computer account and NTLM. In most deployment scenarios a computer certificate is also required. When a user logs on, their Active Directory user account is authenticated using Kerberos. Multifactor authentication (MFA) is optional and can use smart cards, RSA SecurID or RADIUS-based One-Time Password (OTP) providers.
DirectAccess does not support the use of RADIUS challenge/response or CAPTCHA for MFA. Further, the authentication method chosen by the administrator applies globally to all users. DirectAccess is unable to enforce different authentication methods on a per user, group, or device basis.
Mobility users are authenticated using NTLM by default. Mobility also supports RADIUS user authentication. MFA can be provided by RSA SecurID and any RADIUS-based OTP provider. Mobility provides full support for challenge/response or CAPTCHA MFA.
Mobility supports machine-based authentication and includes the ability to enforce authentication on a granular basis. For example, one group of users may be allowed to authenticate using only their username and password, while another group may be required to use OTP.
IPsec Main Mode security associations (SAs) are protected using AES-128 with SHA-256, and Quick Mode SAs are protected using AES-192 with SHA-1.
These settings don’t meet the protection or assurance requirements for all deployments such as regulatory and compliance mandates like AES-256 required in high security environments. Unfortunately, it is not possible to modify the cryptographic settings for DirectAccess connections in any supported way.
Connections are fully encrypted using AES, but allow the administrator to make changes to cryptographic settings to match their specific needs, if required.
Endpoint Health Detection
In previous versions, Microsoft provided integration support for their Network Access Protection (NAP) technology to provide endpoint health detection for DirectAccess client computers. However, Microsoft recently deprecated NAP and has removed all support for it in Windows 10 and Windows Server 2016. Today, DirectAccess does not include support for endpoint health detection either natively or with third parties.
An additional policy module allows administrators to define granular and robust endpoint health and configuration policies that can be enforced on remote client connections. With policy, client devices must meet specific configuration requirements before establishing a connection; those devices that do not can be denied access, quarantined or granted limited access to corporate resources while the device is reconfigured. Once the device is deemed to be compliant, additional network access can be granted.
DirectAccess does not support conditional access; all authenticated users have the same level of access regardless of where they are, or how they connect and authenticate.
Mobility supports conditional access using access policies. Administrators can define different access levels based on factors including location, network connectivity, device configuration and more. For example, if a Mobility client connects from a trusted network as defined by the administrator, the user can be granted full access to the network. However, if client connects from an untrusted network, access can be limited only to specific resources.
Restricted Network Access
DirectAccess is incapable of controlling internal network access for connected clients. Once a DirectAccess connection is established, remote clients have full, unrestricted access to internal resources. An additional firewall must be deployed between the DirectAccess server(s) and internal network in order to control access to internal systems. However, this provides only limited usefulness, as the same policy must be applied to all DirectAccess clients; it is not possible to define network policy based on individual users or devices.
Mobility offers fine-grained control over network connectivity for remote clients based on a wide range of parameters. Administrators can restrict access to internal resources by date and time, the client’s current location, the type of network connection (for example Wi-Fi or LTE), available bandwidth, current network latency and more. In addition, network access can be restricted based on the individual application making the request, the device type (for example Windows PC or Android mobile device) and much more. The possibilities are nearly limitless.
Both Mobility and DirectAccess provide secure remote access in a seamless and transparent manner. While each solution delivers thorough protection for remote connectivity, Mobility offers greater administrative flexibility for choosing encryption algorithms, and provides broader support for multifactor user authentication including challenge/response. In addition, Mobility includes endpoint health checks and essential network access controls to ensure that remote client systems are healthy and that access to internal resources is carefully monitored and controlled.
Guest Author: Richard Hicks | Founder & Principal Consultant, Richard M. Hicks Consulting
The views and opinions of guest authors do not necessarily reflect the views and opinions of NetMotion Software.