Cisco has been a leader in remote access VPNs since 1999, and its latest release, the AnyConnect Secure Mobility Solution, will make both end users and network managers very happy, despite a few rough parts.
The AnyConnect Secure Mobility Solution (part of Cisco's Borderless Networks initiative) consists of three seamlessly integrated products: the AnyConnect Secure Mobility Client 3.0, the ASA Adaptive Security Appliance (firewall/VPN) 8.4 and Cisco IronPort S-series web security appliance 7.1.
Customers aren't required to buy all three products, but we found that you get better performance and better functionality if you do. In our testing, AnyConnect Secure Mobility Solution is all about managed endpoint client software that's always active, protecting enterprise users and enforcing security policy no matter where they are, on a multitude of devices and platforms.
And enterprise network managers will be especially pleased with features such as optimal gateway selection (which automatically picks the best gateway for a user based on network characteristics), endpoint posture assessment and better performance over more diverse types of networks.
It all starts with the VPN concentrator
The starting point for any remote access VPN discussion is Cisco's ASA 5500 series Adaptive Security Appliance, a combination VPN and firewall, with optional anti-malware and IPS capabilities.
Although older Cisco VPN clients can connect to non-VPN devices, such as PIX firewalls and IOS routers, connectivity with the new client is more limited. To get the benefit of the AnyConnect client's full feature set, you'll need an ASA appliance. IOS routers, including the 2851, 1951, 3800 and 3900, can also accept AnyConnect clients, but don't support the full feature set.
Your best bet, then, is to use an ASA appliance, which ranges from the ASA 5505 (10 to 25 users) up to the ASA 5585X (5,000 to 10,000 users).
All ASA appliances have SSL VPN features, including reverse proxying (gatewaying web applications at the application layer) and application tunnelling (using encrypted tunnels to expose single applications through the VPN device), although we didn't focus on those features during this test. We spent most of our testing looking at network extension, bringing remote devices onto the corporate LAN and Cisco's approach to securing those remote devices, what is now the traditional remote access use case.
Next comes the client software
The next key component of a Cisco remote access solution is its new AnyConnect Secure Mobility client. The AnyConnect client has the basic feature set that one would expect in a mature product: endpoint security detection and control, simplified deployment and policy downloading directly from the VPN gateway, wide ranging user authentication options and remote user policy enforcement features.
Cisco offers the AnyConnect client as an installed package available for all Windows versions back to XP, Mac OS X 10.5 and 10.6, Intel-based Linux distributions with the 2.6 kernel, Apple iOS 4 (the iPhone and iPad operating system) and Windows Mobile versions 5 and 6.
The AnyConnect VPN client is not required to make a VPN connection to an ASA appliance, you can still use the built-in VPN clients in Windows and Mac OS X, Nokia's Symbian phones, iPhones, iPads and iPods, as well as Cisco's older multiplatform Cisco VPN client and a host of third party clients.
However, you give up a lot of performance, functionality and features if you don't use it. For example, the AnyConnect client can use IPSec, SSL/TLS, or DTLS (SSL/TLS run over UDP instead of the normal TCP). We found that shifting from SSL/TLS (TCP) to DTLS (UDP) with the AnyConnect client gave us between 40% and 45% increase in total performance, depending on the characteristics of the Internet connection. DTLS and traditional IPSec had similar performance characteristics. In our testing, traditional IPSec edged out DTLS by a few percentage points in most tests, but the performance difference was difficult to perceive.
Another key feature of the AnyConnect client not found in Cisco's older IPSec clients is endpoint security checking, remediation and control. Taking a cue from the SSL VPN and NAC worlds, Cisco has folded its Cisco Secure Desktop into the AnyConnect client (for a price, there is a licence fee), and has merged desktop security management into the VPN concentrator, tremendously simplifying the task of linking desktop and VPN security policies and avoiding the potential for things to drop between the cracks.
Web security is the final piece
The last major piece of Cisco's remote access solution is a new addition: the Cisco IronPort S-series Web Security Appliance. The IronPort S-series is a secure web gateway, with the primary goals of protecting web-browsing end users from malware and enforcing access controls on where people can browse.
We didn't do a full evaluation of the product, focusing only on its integration with the ASA and VPN clients. But the IronPort S-series has the expected feature set for a web security gateway: malware scanning using multiple engines, URL filtering to avoid bad neighbourhoods and enforce acceptable use policies, bandwidth management and the ability to look at content to enforce general security policies, such as blocking PowerPoint attachments.
The IronPort S-Series includes "man-in-the-middle" SSL decryption, which lets it scan both encrypted and un-encrypted connections, and leverages the IronPort reputation service to do reputation-based lookup of URLs and web servers. This feature set makes it a fairly complete web security gateway, not all that different from the other market-leading products.
We focused on integrating the IronPort S-series with the ASA appliance, and applying web security gateway policies to remote access VPN users. A cynic might say that Cisco requires network managers to buy a whole separate box, and an expensive one at that, because they don't have built-in web security in the firewall. That's true, of course, but it's also true that the web security in the IronPort S-series is more powerful than what you can get with the web security feature built-in to unified threat management firewalls.
Kicking it Old School
Even if you're satisfied with your current VPN deployment and are on an upgrade cycle, with no plans to turn on any new features, you'll be happy with the new products because they make life a little easier.
For example, if you already know how to run Cisco's older VPN 3000 GUI, you'll see that most of the VPN parts have been transplanted into ASDM, Cisco's Java-based ASA appliance management tool Adaptive Security Device Manager.
The ASA appliance can be your source for the VPN client software, and you don't have to build pesky policies that get glued into the AnyConnect client at installation time, so you can have a VPN deployment up and running more quickly than using the old client and old hardware.
The AnyConnect client is also more firewall friendly, falling back to SSL/TLS encryption over the Secure-HTTP (443) port, which means less frustration for end users on the road. And ASDM includes a VPN wizard, to guide you step-by-step and help automatically glue together the bits and pieces that all have to match to make things work.
Well, there's actually one problem that will frustrate VPN 3000 users: licensing. The ASA appliance is really the next generation of PIX firewall, with a merging of the best VPN features from both the PIX and the old VPN 3000. One of the features carried over from the PIX is feature-based licensing, and the ASA licensing can best be described as "you've got to be kidding."
For remote access feature set alone, there are 6 types of licences, with another half dozen types for the platform itself. For inexplicable reasons, you need a special licence to also use mobile devices with your ASA appliance, although only if you use AnyConnect client software, and not if they use the old client, and don't forget the special licence for your IronPort S-series WSA to make it part of the Secure Mobility Solution.
Fortunately, there's a 48-page manual which explains it all. Make sure you sit down and read it through a few times before you start. Our only other advice is to be sure to get your strong encryption licence (it's free, fast and online, you just have to promise not to let your ASA slip into the wrong hands) before you start, because encryption profiles will only be correctly set up using the wizards if the strong encryption licence is already installed.