Overall, network managers will have to balance the simplicity of Cisco's strategy, which requires only a single client and no particular cooperation from the end-point security vendor, with a lock-in to what Cisco and OPSWAT are willing to support.
Our experience with OPSWAT, which has shown up in both our NAC and SSL VPN security tests for years, has generally been good, although we have had recurrent difficulties getting consistent results when testing against our lab's standard anti-virus package, Sophos. This experience was echoed in this test, where different configurations of the same anti-virus package gave different results in the AnyConnect client. Network managers using the AnyConnect client for end-point posture checking will want to test their own configurations and end-points before enforcing policy, to avoid both false-positive and false-negative results.
Web security goes to the cloud
Cisco's Secure Mobility Solution has three specific strategies for protecting end users from the vast wasteland of the Internet: end-point security, cloud-based security, and enterprise proxy protections.
On the end-point, the AnyConnect client with its Cisco Secure Desktop feature set doesn't provide much protection itself (beyond a basic personal firewall), but can be used to detect the state of end-point security and, with the purchase of an Advanced Endpoint Assessment license, perform some limited controls.
The second strategy, cloud-based security, is offered in conjunction with ScanSafe, a recent Cisco acquisition. Cisco has incorporated the ScanSafe client tool into the AnyConnect client and the ScanSafe policy management tool into ASDM, making it fairly simple to deploy cloud-based malware scanning and Web filtering. ScanSafe licensing is completely separate from all other Secure Mobility licensing, and ScanSafe is supported only on Windows platforms.
While the integration makes it easy for an enterprise to select cloud-based scanning, we think that most enterprises will see cloud-based scanning vs. enterprise proxy protections as an "either/or" choice. From a policy point of view, Cisco has put a very light touch on the whole ScanSafe interface.
For example, while the AnyConnect Client has a trusted network detection feature, ScanSafe also has a similar feature. Rather than combine the two, each runs independently, letting ScanSafe work in a non-AnyConnect environment. Similarly, all of the Web-based security policies established on the IronPort S-Series Web proxy are completely independent of the policies set up for ScanSafe; you can't reuse any of the components and you can't easily translate the policy from one to the other.