To control Internet user access to corporate resources while ensuring in-transit data confidentiality and integrity, network infrastructure vendors have long offered virtual private network (VPN) appliances. But as mobility grew, needs evolved — as did VPN platforms. In this issue of EnterpriseNetworkingPlanet’s buyer’s guide, we examine the capabilities and features offered by Cisco ASA 5500 Series appliances when paired with the company’s AnyConnect Secure Mobility client.
Embracing mobility while protecting investment
After acquiring Altiga Networks and Compatible Systems back in 2000 and Twingo in 2005, Cisco enjoyed considerable remote access VPN market success. But by the time Cisco replaced the resulting disparate product lines with the Adaptive Security Appliance, the market had been infiltrated by SSL VPN upstarts such as Aventail (acquired by SonicWALL) and Neoteris (acquired by Juniper). Ever since, Cisco has sought ways for customers to get more from their ASA 5500 Series investments.
With the AnyConnect Secure Mobility client, Cisco has parlayed this remote access VPN appliance into a platform to enable workforce mobility by controlling and encrypting access inside or outside the corporate firewall. According to security product marketing manager Horacio Zembrano, “Our approach is fundamentally centered on breadth of support. To complement our overall teleworker remote access strategy, we see the ASA 5500 evolving to secure mobility.”
The AnyConnect Secure Mobility client aims to deliver a transparent user experience, whether connected to the enterprise LAN or mobile broadband. “We’ve worked on the ability to [automatically] reestablish connectivity after hibernation or if you lose your Wi-Fi connection and come back on 3G,” explained Zembrano. “Making this [network roaming] transparent gives mobile users an on-the-LAN-like experience. But part of making this happen is detecting whether the client is inside or outside so that we can make the right connection.”
Network Indifference vs Location Awareness
As VPNs evolved [see Part 1 of this buyer’s guide], many remote access products added “clientless” browser-based access over SSL/TLS. “We offer clientless as well as client-based operation; within that we have protocol indifference,” said Zembrano.
“We don’t care what is used for connectivity — we abstract all of these protocols into one solution,” he said. But, while users might not care about protocols, choosing the best type of connectivity in each location is critical. “There are times when IPsec might get blocked by a firewall. Then we’ll fall back to SSL, or even DTLS if that’s more useful.” Note that protocols also vary by endpoint (e.g., IPsec is not yet available for iPhone AnyConnect).
To ensure that protection is always in place, AnyConnect Secure Mobility can optionally be used with an AlwaysOn policy. In this case, VPN users are no longer required to activate tunnels — or manually relaunch or reauthenticate applications otherwise disrupted by roaming or gaps in connectivity. But these premium features come at a price.
Specifically, each ASA 5500 Series appliance supports a maximum number of “regular” IPsec VPN users (i.e., IKEv1 security associations). Connecting in clientless mode or using the AnyConnect Secure Mobility client over anything else (i.e., SSL, TLS, DTLS, IPsec IKEv2) requires purchasing an Essential VPN license. But the AlwaysOn policy, persistence, and features associated with Cisco Secure Desktop require a Premium VPN license. Licenses range from 10 to 10K users, depending on ASA model.
Sizing the Platform
Naturally, a 10K user license can’t be applied to a VPN appliance with insufficient CPU, memory, or throughput to handle that kind of workload. The ASA 5500 Series starts with the ASA 5505 (max 25 users, 100Mbps encrypted throughput), topping out with the ASA 5585-S60 (max 10K users, 5Gbps encrypted throughput). In between are nine other models — such as the midsized ASA 5540 and 5550.
“The ASA 5540 and 5550 are our primary gateways,” said product marketing manager Rajneesh Chopra. “It depends on whether VPN is a primary or secondary feature [for a given deployment], but this is our sweet spot for remote access VPN. But our feature set is the same across all of these models. We don’t stratify based on features, but rather on performance and concurrent connections.”
For example, consider an insurance company with four regional data centers and 400 branch offices, sprinkled across the country. According to Chopra, this customer might buy ASA 5505s for each branch office, but a 5540 (max 2,500 users, 325Mbps encrypted throughput) for each data center. Load balancing, stateful failover, and a shared VPN license option are available on all but the entry level 5505/5510.
Leveraging Integrated Security
Cisco is also moving the ASA 5500 Series beyond connectivity and mobility by integrating these VPN offerings with other security products. “We think that enterprise requirements related to secure mobility must be broader, tying in policies for Web usage and Web threat defense,” said Zembrano.
For baseline protection against malware-infected endpoints, customers with Premium VPN licenses can use Cisco Secure Desktop (CSD) for pre-connect assessment and host scan, post-session cache cleanup, and to create a Secure Desktop (i.e., a vault to protect data used during the session). CSD can be used in conjunction with clientless or AnyConnect client access on certain Windows, Mac OS, and Linux endpoints.
For integrated Web security, customers can hook VPN traffic through a separately priced Cisco IronPort Web Security appliance or the cloud-based ScanSafe Web security service. “This integration has enabled us to change VPN protection from purely enforcing access rules to looking at port 80 application [messages] and giving admins a way to impose policy control,” said Zembrano.
It may have taken Cisco a while to pull its many acquired VPN technologies together, but the ASA 5500 Series is popular among enterprises — especially Cisco shops. The new AnyConnect Security Mobility client plays a critical role in Cisco’s borderless network vision, bringing the ASA 5500 along for the ride.
As a supplier of network infrastructure, Cisco wants to leverage the network to enable both mobility and security with greater transparency and simplicity. But a la carte licenses that pile on cost and hard-to-identify gaps in mobile endpoint features could frustrate customers trying to head down this path.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.