Always-On-VPN or MS Direct Access (or similar products) to protect against Rogue Wifi

To protect our corporate users from being compromised when they
connect to outside Wifi (which may be potentially rogue Wifi), is it
feasible if we implement MS Direct Access or Always-On-VPN?

https://technet.microsoft.com/en-us/library/dd759144(v=ws.11).aspx
https://directaccess.richardhicks.com/tag/directaccess-alternatives/

The products above would establish a tunnel so the rogue Wifi can't
steal credentials or data, and with the VPN established, I suppose malware
can't infect the laptops as the rogue Wifi has no connection to the laptop
(tunnel-protected), or did I get this idea wrong, i.e. can it still get infected
even with such a tunnel?

We still want the users to be able to access Internet but protect them
in the event they're using a rogue Wifi
sunhux Asked:

sunhux (Author) Commented:
Btw, is Always-On-VPN FOC or how is it charged?
0
Prabhin MP (Engineer-TechOPS) Commented:
Hi,

Always-On-VPN is a good idea to fight against this. Using the VPN, all the traffic will be routed through the VPN server, hence all the data communications are encrypted; a man-in-the-middle attack won't be possible in this case. If you have IPS / IDS enabled, it will protect them against the malware traffic.

If you have a centralized endpoint system in the remote location which connects automatically once the VPN is established, it will help the users stay away from malware and infections. You can tweak your configuration accordingly.
0

sunhux (Author) Commented:
Is Always-On-VPN & Direct Access free of charge or how is it charged?
0
sunhux (Author) Commented:
Also, just when Wifi connection is established & just before the VPN/tunnel is established
(possibly a split second), is there a chance/risk of infection?
0
Prabhin MP (Engineer-TechOPS) Commented:
Hi,

More than explaining here, please find the doc regarding the feature.
Always On VPN has got the new feature which Direct Access doesn't have.
https://directaccess.richardhicks.com/2018/02/05/what-is-the-difference-between-directaccess-and-always-on-vpn/

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/always-on-vpn-enhancements
Here is the plan for how to deploy the server.
https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment
0
sunhux (Author) Commented:
Thanks, I've read the 2 links earlier before posting but still have doubts, thus the question below:
"Also, just when Wifi connection is established & just before the VPN/tunnel is established
(possibly a split second), is there a chance/risk of infection?"

Any idea on the costing?
0
Prabhin MP (Engineer-TechOPS) Commented:
The Always On VPN connection will get initiated before you sign in; it only connects to the VPN server once you have an internet connection.
If the Wifi connection is connected after you sign in, the moment the internet connection is active, the VPN client automatically connects to the VPN server and reroutes the default gateway to the VPN server.
0
sunhux (Author) Commented:
The MS links out there say  Direct Access (& possibly Always-On) will establish VPN/tunnel
prior to signing into Windows.

>if wifi connection connected after your sign in
As such, does it mean that Wifi is connected even before signing into Windows?
0
sunhux (Author) Commented:
Wifi that requires users to manually connect certainly only gets connected
after the user signs in, but what about those Wifi networks that were previously set to
'auto-connect'?  Does such Wifi auto-connect before the user signs in to Windows?
0
Prabhin MP (Engineer-TechOPS) Commented:
If your Wifi is already known to your machine, it will be connected.
0
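The auto-connect behaviour discussed in the last few comments can be audited per laptop. The following is an added example, not part of the original thread: it parses WLAN profile XML of the kind written by `netsh wlan export profile` and flags saved networks that are joined automatically and use open authentication. The sample profiles, SSID names and verdict labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows WLAN profile XML files.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

def sample(name, mode, auth, enc):
    """Build a constructed profile shaped like an exported WLAN profile."""
    return f"""<WLANProfile xmlns="{NS['w']}">
  <name>{name}</name>
  <SSIDConfig><SSID><name>{name}</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>{mode}</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication><encryption>{enc}</encryption>
    <useOneX>false</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""

# Constructed sample data (hypothetical SSIDs), not taken from the thread.
SAMPLES = [
    sample("Airport_Free_WiFi", "auto", "open", "none"),
    sample("HomeNet", "auto", "WPA2PSK", "AES"),
    sample("Hotel_Guest", "manual", "open", "none"),
]

def assess(profile_xml):
    """Return (name, connection mode, authentication, verdict) for one profile."""
    root = ET.fromstring(profile_xml)

    def text(path, default=""):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else default

    name = text("w:name")
    # A missing connectionMode is treated as auto, the conservative reading.
    mode = text("w:connectionMode", "auto").lower()
    auth = text("w:MSM/w:security/w:authEncryption/w:authentication", "unknown")
    if mode != "auto":
        verdict = "manual"          # joined only when the user chooses it
    elif auth.lower() == "open":
        verdict = "auto-open"       # joined with no user action and no network auth
    else:
        verdict = "auto-secured"    # joined automatically, but authenticated
    return name, mode, auth, verdict

def audit(profiles):
    """Names of profiles a laptop joins automatically without authentication."""
    return sorted(n for n, _, _, v in map(assess, profiles) if v == "auto-open")

if __name__ == "__main__":
    for row in map(assess, SAMPLES):
        print("%-20s %-7s %-8s %s" % row)
```

Profiles reported as `auto-open` are the ones to switch to manual connection or remove if the laptop should not be on a network before the tunnel is up.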