AnyConnect is your network-access control (NAC) client (with 802.1X and end-point security checking, remediation, and enforcement) when in the office, and your VPN client (with IPsec and SSL transports, as well as the same end-point security features) when on the road. Even better, the AnyConnect client can figure out where you are by using a feature called Trusted Network Detection, which compares the DNS domain suffix and DNS server addresses handed out via DHCP against the trusted values configured in the client profile. This can automate the choice between using 802.1X and NAC or bringing up a VPN tunnel. Bear in mind that those values come from whatever DHCP server answers on the local segment, so Trusted Network Detection is a convenience for picking a mode, not a security boundary. In our testing using an Enterasys C2 Ethernet switch, Trusted Network Detection and the 802.1X supplicant both worked without any hitches.
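To make the Trusted Network Detection idea concrete, here is an added example (our own illustration, not Cisco's code) that parses the DNS-related options out of a DHCP ACK and makes a trusted/untrusted decision from them. The trusted suffix and server addresses, the rule that both must match, and the sample packets are all assumptions constructed for the example. The last packet shows the caveat above: a DHCP server on an untrusted network that hands out the corporate suffix and server address produces exactly the same bytes as the office, so a DHCP-based check cannot tell them apart.

```python
"""Trusted-network decision from DHCP options (added example, not Cisco code)."""
import ipaddress

# Hypothetical trusted-network profile; values are assumptions for this example.
TRUSTED_DNS_SUFFIXES = {"corp.example.com"}
TRUSTED_DNS_SERVERS = {"10.10.0.53", "10.10.1.53"}

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132: marks the start of DHCP options
OPT_PAD, OPT_DNS_SERVERS, OPT_DOMAIN_NAME, OPT_END = 0, 6, 15, 255


def parse_dhcp_options(vend: bytes) -> dict:
    """Parse the BOOTP vendor field (RFC 2132 TLV options) into {code: raw bytes}.

    Pad options are skipped, END stops the scan, and a code that appears more
    than once is concatenated (RFC 3396 long-option encoding).
    """
    if not vend.startswith(DHCP_MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(DHCP_MAGIC_COOKIE)
    while i < len(vend):
        code = vend[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(vend):
            raise ValueError("truncated option header")
        length = vend[i + 1]
        data = vend[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + data
        i += 2 + length
    return opts


def dns_settings(opts: dict):
    """Return (domain suffix, set of DNS server addresses) from parsed options."""
    raw_suffix = opts.get(OPT_DOMAIN_NAME, b"").rstrip(b"\x00")
    suffix = raw_suffix.decode("ascii", "replace").lower().rstrip(".")
    raw = opts.get(OPT_DNS_SERVERS, b"")
    # Option 6 is a list of 4-byte IPv4 addresses; ignore a trailing partial address.
    servers = {str(ipaddress.IPv4Address(raw[j:j + 4]))
               for j in range(0, len(raw) - len(raw) % 4, 4)}
    return suffix, servers


def is_trusted_network(opts: dict) -> bool:
    """Conservative rule (an assumption here): suffix must be trusted AND every
    advertised DNS server must be on the trusted list."""
    suffix, servers = dns_settings(opts)
    return suffix in TRUSTED_DNS_SUFFIXES and bool(servers) and servers <= TRUSTED_DNS_SERVERS


def build_options(domain: str, servers) -> bytes:
    """Construct a vendor field the way a DHCP server would encode it (for sample input)."""
    out = bytearray(DHCP_MAGIC_COOKIE)
    out += bytes([OPT_DOMAIN_NAME, len(domain)]) + domain.encode("ascii")
    addrs = b"".join(ipaddress.IPv4Address(s).packed for s in servers)
    out += bytes([OPT_DNS_SERVERS, len(addrs)]) + addrs
    out += bytes([OPT_END])
    return bytes(out)


# Constructed sample DHCP ACK option fields (not captured traffic).
OFFICE_ACK = build_options("corp.example.com", ["10.10.0.53"])
COFFEE_SHOP_ACK = build_options("lan", ["192.168.1.1"])
MIXED_DNS_ACK = build_options("corp.example.com", ["10.10.0.53", "8.8.8.8"])
# A rogue DHCP server on an untrusted segment copying the corporate values:
# byte-for-byte identical to OFFICE_ACK, so the check cannot distinguish them.
SPOOFED_ACK = build_options("corp.example.com", ["10.10.0.53"])

if __name__ == "__main__":
    for name, pkt in [("office", OFFICE_ACK), ("coffee shop", COFFEE_SHOP_ACK),
                      ("mixed DNS", MIXED_DNS_ACK), ("spoofed", SPOOFED_ACK)]:
        opts = parse_dhcp_options(pkt)
        print(name, dns_settings(opts), "trusted" if is_trusted_network(opts) else "untrusted")
```

Requiring both the suffix and all servers to match is the stricter of the two obvious policies; a profile that accepts either one alone is easier to satisfy from a hostile segment. Either way, the decision drives which client mode to use and should not be what stands between the machine and a hostile network.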
It's hard to describe how complete the AnyConnect client experience is without turning this test into a laundry list of features. Cisco has done a good job of covering all the bases, supporting both strict and loose security policies, as well as multiple deployment options (such as pre-installing the client or letting end-users download it from the ASA appliance using a Web browser) and authentication settings (such as whether the VPN client launches before the user logs into Windows or after). We tried a good assortment of these features and found that in this area the AnyConnect client worked as advertised.
We had mixed success with end-point security posture checking. Basic host scanning is included as part of the ASA AnyConnect Premium license, while remediation features (such as forcing an anti-malware update or turning on a desktop firewall) require the Advanced Endpoint Assessment license.
Part of the difficulty with end-point security in the AnyConnect client is that the policy is spread across different parts of ASDM. For example, you check for the presence of a particular anti-virus package in one part of ASDM, but you configure the check that the client is not running inside a virtual machine in a completely different part of the policy.
The ASDM management tool lets you build a posture checking decision tree using traditional flow-chart symbols, a technique that looks suspiciously like the one F5 pioneered in their SSL VPN product. In any case, this configuration approach to end-point posture checking is approximately 10,000% more understandable and scalable than Cisco's old approach based on the ACS RADIUS/TACACS server.
The AnyConnect client's end-point security approach represents Cisco's current thinking on how to do both NAC and VPN posture checking in the same client. Cisco continues to avoid the Trusted Computing Group's open Trusted Network Connect (TNC) standards for posture checking and has forged ahead with a single-vendor solution, merging its own Cisco Secure Desktop with OPSWAT's end-point posture checking toolkit into one nicely integrated package. (OPSWAT's OESIS Framework is a software library, incorporated in many security products, that detects the presence and state of a wide variety of end-point security products.)