Always-On-VPN or MS Direct Access (or similar products) to protect against Rogue Wifi

sunhux
sunhux used Ask the Experts™
on
To protect our corporate users from being compromised when they
connect to outside Wifi (which may be potentially rogue Wifi), is it
feasible if we implement MS Direct Access or Always-On-VPN?

https://technet.microsoft.com/en-us/library/dd759144(v=ws.11).aspx
https://directaccess.richardhicks.com/tag/directaccess-alternatives/

The products above would establish a tunnel so the rogue Wifi can't
steal credentials nor data & with VPN established, I suppose malwares
can't infect the laptops as the rogue Wifi has no connection to the laptop
(tunnel-protected) or did I get this idea wrong ie can still get infected
even with such tunnel??

We still want the users to be able to access Internet but protect them
in the event they're using a rogue Wifi
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Author

Commented:
Btw, is Always-On-VPN FOC or how is it charged?
DevOps Engineer
Distinguished Expert 2018
Commented:
Hi,
 Always-On-VPN is a good idea to fight against this. Using the VPN all the traffic will be routed through the VPN server, hence all the data communications are encrypted, man in the middle attack wont be possible in this case. If you have IPS / IDS enabled it will protect them against the malware traffic.

if you have centralized endpoint system in the remote location, which connects automatically after once VPN is established will help the users stay away from malware and infections. You can tweak your configuration accordingly.

Author

Commented:
is Always-On-VPN & Direct Access  free of charge or how is it charged?

Author

Commented:
Also, just when Wifi connection is established & just before the VPN/tunnel is established
(possibly a split second), is there a chance/risk of infection?
Prabhin MPDevOps Engineer
Distinguished Expert 2018

Commented:
Hi,

More than explaining here, please find the doc regarding the feature.
ALways ON VPN have got with the new feature which direct access doesn't have.
https://directaccess.richardhicks.com/2018/02/05/what-is-the-difference-between-directaccess-and-always-on-vpn/

https://docs.microsoft.com/en-us/windows-serve r/remote/remote-access/vpn/always-on-vpn/always-on-vpn-enhancements
Here is the plan how to deploy the server.
https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment

Author

Commented:
Thanks, I've read the 2 links earlier before posting but still have doubts, thus the question below:
"Also, just when Wifi connection is established & just before the VPN/tunnel is established
(possibly a split second), is there a chance/risk of infection?"

Any idea on the costing?
Prabhin MPDevOps Engineer
Distinguished Expert 2018

Commented:
always VPN on connection will get initiated before you sign in, it only connects the VPN server once you have the internet connection.
if wifi connection connected after your sign in, the moment internet connection is active, VPN client automatically connect the VPN server and reroute the default gateway to VPN server.

Author

Commented:
The MS links out there say  Direct Access (& possibly Always-On) will establish VPN/tunnel
prior to signing into Windows.

>if wifi connection connected after your sign in
As such, does it mean that Wifi is connected even before signing into Windows?

Author

Commented:
For Wifi that requires users to manually connect certainly only get connected
after user signs in but what about those Wifi that were previously set to
'auto-connect'?  Does such Wifi auto-connect before user sign in to Windows?
Prabhin MPDevOps Engineer
Distinguished Expert 2018

Commented:
if your wifi is already known in your machine. it will be connected

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial