To control Internet user access to corporate resources while ensuring in-transit data confidentiality and integrity, network infrastructure vendors have long offered virtual private network (VPN) appliances. But as mobility grew, needs evolved -- as did VPN platforms. In this issue of EnterpriseNetworkingPlanet's buyer's guide, we examine the capabilities and features offered by Cisco ASA 5500 Series appliances when paired with the company's AnyConnect Secure Mobility client.
Embracing mobility while protecting investment
After acquiring Altiga Networks and Compatible Systems back in 2000 and Twingo in 2005, Cisco enjoyed considerable remote access VPN market success. But by the time Cisco replaced the resulting disparate product lines with the Adaptive Security Appliance, the market had been infiltrated by SSL VPN upstarts such as Aventail (acquired by SonicWALL) and Neoteris (acquired by Juniper). Ever since, Cisco has sought ways for customers to get more from their ASA 5500 Series investments.
With the AnyConnect Secure Mobility client, Cisco has parlayed this remote access VPN appliance into a platform to enable workforce mobility by controlling and encrypting access inside or outside the corporate firewall. According to security product marketing manager Horacio Zembrano, "Our approach is fundamentally centered on breadth of support. To complement our overall teleworker remote access strategy, we see the ASA 5500 evolving to secure mobility."
The AnyConnect Secure Mobility client aims to deliver a transparent user experience, whether connected to the enterprise LAN or mobile broadband. "We've worked on the ability to [automatically] reestablish connectivity after hibernation or if you lose your Wi-Fi connection and come back on 3G," explained Zembrano. "Making this [network roaming] transparent gives mobile users an on-the-LAN-like experience. But part of making this happen is detecting whether the client is inside or outside so that we can make the right connection."
Network Indifference vs Location Awareness
As VPNs evolved [see Part 1 of this buyer's guide], many remote access products added "clientless" browser-based access over SSL/TLS. "We offer clientless as well as client-based operation; within that we have protocol indifference," said Zembrano.
"We don't care what is used for connectivity -- we abstract all of these protocols into one solution," he said. But, while users might not care about protocols, choosing the best type of connectivity in each location is critical. "There are times when IPsec might get blocked by a firewall. Then we'll fall back to SSL, or even DTLS if that's more useful." Note that protocols also vary by endpoint (e.g., IPsec is not yet available for iPhone AnyConnect).
To ensure that protection is always in place, AnyConnect Secure Mobility can optionally be used with an AlwaysOn policy. In this case, VPN users are no longer required to activate tunnels -- or manually relaunch or reauthenticate applications otherwise disrupted by roaming or gaps in connectivity. But these premium features come at a price.
Specifically, each ASA 5500 Series appliance supports a maximum number of "regular" IPsec VPN users (i.e., IKEv1 security associations). Connecting in clientless mode or using the AnyConnect Secure Mobility client over anything else (i.e., SSL, TLS, DTLS, IPsec IKEv2) requires purchasing an Essential VPN license. But the AlwaysOn policy, persistence, and features associated with Cisco Secure Desktop require a Premium VPN license. Licenses range from 10 to 10K users, depending on ASA model.