We didn't do a full evaluation of the product, focusing only on its integration with the ASA and VPN clients. But the IronPort S-series has the expected feature set for a Web security gateway: malware scanning using multiple engines, URL filtering to avoid bad neighborhoods and enforce acceptable use policies, bandwidth management, and the ability to look at content to enforce general security policies, such as blocking PowerPoint attachments.
The IronPort S-series includes "man-in-the-middle" SSL decryption, which lets it scan both encrypted and unencrypted connections, and leverages the IronPort reputation service to perform reputation-based lookups of URLs and Web servers. This feature set makes it a fairly complete Web security gateway, not all that different from the other market-leading products.
We focused on integrating the IronPort S-series with the ASA appliance, and applying Web security gateway policies to remote access VPN users. A cynic might say that Cisco requires network managers to buy a whole separate box — and an expensive one at that — because it doesn't have built-in Web security in the firewall. That's true, of course, but it's also true that the Web security in the IronPort S-series is more powerful than what you can get with the Web security feature built into unified threat management firewalls.
Kicking it Old School
Even if you're satisfied with your current VPN deployment and are on an upgrade cycle, with no plans to turn on any new features, you'll be happy with the new products because they make life a little easier.
For example, if you already know how to run Cisco's older VPN 3000 GUI, you'll see that most of the VPN parts have been transplanted into Adaptive Security Device Manager (ASDM), Cisco's Java-based ASA appliance management tool.
The ASA appliance can be your source for the VPN client software, and you don't have to build pesky policies that get glued into the AnyConnect client at installation time, so you can have a VPN deployment up and running more quickly than using the old client and old hardware.
The AnyConnect client is also more firewall-friendly, falling back to SSL/TLS encryption over the Secure-HTTP (443) port, which means less frustration for end users on the road. And ASDM includes a VPN wizard, to guide you step-by-step and help automatically glue together the bits and pieces that all have to match to make things work.