Remote Access VPN Buyer's Guide: Cisco - Page 2

Using AnyConnect Secure Mobility, Cisco leverages its VPN appliance to enable 'borderless' protection.

By Lisa Phifer

Sizing the Platform

Naturally, a 10K user license can't be applied to a VPN appliance with insufficient CPU, memory, or throughput to handle that kind of workload. The ASA 5500 Series starts with the ASA 5505 (max 25 users, 100Mbps encrypted throughput), topping out with the ASA 5585-S60 (max 10K users, 5Gbps encrypted throughput). In between are nine other models -- such as the midsized ASA 5540 and 5550.

"The ASA 5540 and 5550 are our primary gateways," said product marketing manager Rajneesh Chopra. "It depends on whether VPN is a primary or secondary feature [for a given deployment], but this is our sweet spot for remote access VPN. But our feature set is the same across all of these models. We don't stratify based on features, but rather on performance and concurrent connections."

For example, consider an insurance company with four regional data centers and 400 branch offices sprinkled across the country. According to Chopra, this customer might buy ASA 5505s for each branch office, but a 5540 (max 2,500 users, 325Mbps encrypted throughput) for each data center. Load balancing, stateful failover, and a shared VPN license option are available on all but the entry-level 5505/5510.

Leveraging Integrated Security

Cisco is also moving the ASA 5500 Series beyond connectivity and mobility by integrating these VPN offerings with other security products. "We think that enterprise requirements related to secure mobility must be broader, tying in policies for Web usage and Web threat defense," said Zembrano.

For baseline protection against malware-infected endpoints, customers with Premium VPN licenses can use Cisco Secure Desktop (CSD) for pre-connect assessment and host scan, post-session cache cleanup, and to create a Secure Desktop (i.e., a vault to protect data used during the session). CSD can be used in conjunction with clientless or AnyConnect client access on certain Windows, Mac OS, and Linux endpoints.

For integrated Web security, customers can hook VPN traffic through a separately priced Cisco IronPort Web Security appliance or the cloud-based ScanSafe Web security service. "This integration has enabled us to change VPN protection from purely enforcing access rules to looking at port 80 application [messages] and giving admins a way to impose policy control," said Zembrano.

Bottom Line

It may have taken Cisco a while to pull its many acquired VPN technologies together, but the ASA 5500 Series is popular among enterprises -- especially Cisco shops. The new AnyConnect Secure Mobility client plays a critical role in Cisco's borderless network vision, bringing the ASA 5500 along for the ride.

As a supplier of network infrastructure, Cisco wants to leverage the network to enable both mobility and security with greater transparency and simplicity. But a la carte licenses that pile on cost and hard-to-identify gaps in mobile endpoint features could frustrate customers trying to head down this path.


Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.

This article was originally published on Jun 21, 2011