The next key component of a Cisco remote access solution is its new AnyConnect Secure Mobility client. The AnyConnect client has the basic feature set that one would expect in a mature product: end-point security detection and control, simplified deployment and policy downloading directly from the VPN gateway, wide-ranging user authentication options, and remote user policy enforcement features.
Cisco offers the AnyConnect client as an installed package available for all Windows versions back to XP, Mac OS X 10.5 and 10.6, Intel-based Linux distributions with the 2.6 kernel, Apple iOS 4 (the iPhone and iPad operating system), and Windows Mobile versions 5 and 6.
The AnyConnect VPN client is not required to make a VPN connection to an ASA appliance — you can still use the built-in VPN clients in Windows and Mac OS X, Nokia's Symbian phones, iPhones, iPads and iPods, as well as Cisco's older multiplatform Cisco VPN client, and a host of third-party clients.
However, you give up a lot of performance, functionality and features if you don't use it. For example, the AnyConnect client can use IPSec, SSL/TLS, or DTLS (SSL/TLS run over UDP instead of the normal TCP). We found that shifting from SSL/TLS (TCP) to DTLS (UDP) with the AnyConnect client gave us between 40% and 45% increase in total performance, depending on the characteristics of the Internet connection. DTLS and traditional IPSec had similar performance characteristics. In our testing, traditional IPSec edged out DTLS by a few percentage points in most tests, but the performance difference was difficult to perceive.
Another key feature of the AnyConnect client not found in Cisco's older IPSec clients is end-point security checking, remediation, and control. Taking a cue from the SSL VPN and NAC worlds, Cisco has folded its Cisco Secure Desktop into the AnyConnect client (for a price — there is a license fee), and has merged desktop security management into the VPN concentrator, tremendously simplifying the task of linking desktop and VPN security policies and avoiding the potential for things to drop between the cracks.
Web security is the final piece
The last major piece of Cisco's remote access solution is a new addition: the Cisco IronPort S-series Web Security Appliance. The IronPort S-series is a secure Web gateway, with the primary goals of protecting Web-browsing end-users from malware and enforcing access controls on where people can browse.
Sign up for Computerworld eNewsletters.