Cisco sets the bar for mobile security

It's hard to describe how complete the AnyConnect client experience is without turning this test into a laundry list of features. Cisco has done a good job of covering all the bases, supporting both strict and loose security policies, as well as multiple deployment options (such as pre-installing the client or letting end-users download it from the ASA appliance using a Web browser) and authentication settings (such as whether the VPN client launches before the user logs into Windows or after). We tried a good assortment of these features and found that in this area the AnyConnect client worked as advertised.

We had mixed success with end-point security posture checking. Basic host scanning is included as part of the ASA AnyConnect Premium license, while remediation features (such as forcing an anti-malware update or turning on a desktop firewall) require the Advanced Endpoint Assessment license.

Part of the difficulty in end-point security within the AnyConnect client is that the policy is spread across different parts of ASDM. For example, you look for the presence of a particular anti-virus package in one part of ASDM, but you look to make sure you're not executing in a virtual machine in a completely different part of the policy.

The ASDM management tool lets you build a posture checking decision tree using traditional flow-chart symbols, a technique that looks suspiciously like the one F5 pioneered in their SSL VPN product. In any case, this configuration approach to end-point posture checking is approximately 10,000% more understandable and scalable than Cisco's old approach based on the ACS RADIUS/TACACS server.

The AnyConnect client's end-point security approach represents Cisco's current thinking on how to do both NAC and VPN posture checking in the same client. Cisco is continuing to avoid the Trusted Computing Group's open standards for posture checking, and has forged ahead with a single-vendor solution, incorporating its own Cisco Secure Desktop and OPSWAT's end-point posture checking toolkit together into a single nicely merged solution. (The Oesis Framework, an OPSWAT product, is a software library incorporated in other security products that detects the presence and state of a wide variety of end-point security products.)

Overall, network managers will have to balance the simplicity of Cisco's strategy, which requires only a single client and no particular cooperation from the end-point security vendor, with a lock-in to what Cisco and OPSWAT are willing to support.

Our experience with OPSWAT, which has shown up in both our NAC and SSL VPN security tests for years, has generally been good, although we have had recurrent difficulties getting consistent results when testing against our lab's standard anti-virus package, Sophos. This experience was echoed in this test, where different configurations of the same anti-virus package gave different results in the AnyConnect client. Network managers using the AnyConnect client to do end-point posture checking will want to experiment with their own configuration and end-points to avoid false positive and negative results.

Web security goes to the cloud

Cisco's Secure Mobility Solution has three specific strategies for protecting end users from the vast wasteland of the Internet: end-point security, cloud-based security, and enterprise proxy protections.

On the end-point, the AnyConnect client with its Cisco Secure Desktop feature set doesn't provide much protection itself (beyond a basic personal firewall), but can be used to detect the state of end-point security and, with the purchase of an Advanced Endpoint Assessment license, perform some limited controls.

The second strategy, cloud-based security is offered in conjunction with ScanSafe, a recent Cisco acquisition. Cisco has incorporated the ScanSafe client tool into the AnyConnect client and the ScanSafe policy management tool into ASDM, making the option of deploying cloud-based malware scanning and Web filtering functionality fairly simple. ScanSafe licensing is completely separate from all other Secure Mobility licensing, and ScanSafe is only supported on Windows platforms.

While the integration makes it easy for an enterprise to select cloud-based scanning, we think that most enterprises will see cloud-based scanning vs. enterprise proxy protections as an "either/or" choice. From a policy point of view, Cisco has put a very light touch on the whole ScanSafe interface.

For example, while the AnyConnect Client has a trusted network detection feature, ScanSafe also has a similar feature. Rather than combine the two, each runs independently, letting ScanSafe work in a non-AnyConnect environment. Similarly, all of the Web-based security policies established on the IronPort S-Series Web proxy are completely independent of the policies set up for ScanSafe; you can't reuse any of the components and you can't easily translate the policy from one to the other.

We chose to focus on the third type of Web security: the Web proxy. Cisco's approach to applying Web-based security to VPN users requires a tight linkage between the ASA VPN concentrator and the S-series Web proxy, in order to transfer authentication information to the Web proxy. Making that linkage is very simple — you just put a common port number and shared secret into both devices, click the "test" button, and if everything is correct, you're done.

The ASA sends the username, but not any group membership information, over to the IronPort S-series, so we had to link to our Active Directory (NTLM or LDAP are supported) to get this information. Once that was settled, we were able to apply user- and group-based Web security policies.

One of the most important parts of the integration between the AnyConnect client, the ASA appliance, and the IronPort S-Series is the automatic download of proxy information to AnyConnect clients. We tested this with Windows (Internet Explorer), Mac (Safari, Chrome, and Firefox), and iPhone systems all running the AnyConnect client and had seamless experiences browsing through the VPN tunnel, passed to the IronPort S-Series proxy, and off to the Internet.

The IronPort S-series has a fairly standard set of protections, including URL filtering (for example, blocking gambling sites), malware scanning with two different engines (Webroot and McAfee in our test system), and Web reputation checking, used to block access to known bad Web pages or objects. The IronPort S-series also supports sanctioned man-in-the-middle, a way to "break in" to the SSL conversation by pretending to be the encrypted Web server with a fake public-key infrastructure certificate.

We briefly tested the malware scanning and URL filtering. As with all URL filtering products, we had a very high success rate, but were able to slip through a few URLs in violation of policy. A selection of 10 recent viruses transmitted into our test lab network were all caught by the malware scanner.

We 'like' the Facebook controls

A new feature in the IronPort S-Series is application visibility and control. This lets the network manager monitor and block various Web-based applications directly, separately from the URL filtering part of the product. The version we tested is more of a proof-of-concept than a fully-baked application visibility tool, with only eight categories, including "Blogging," "Facebook," "IM," "LinkedIn," "Media," "P2P/File Sharing," "Conferencing," and "Social Networking."

These are a bit of a mish-mash of different applications, many of which could be caught by simple URL filtering. However, the idea behind application visibility appears to go beyond the simple block/allow/warn of URL filtering, and get more specific in the controls.

For example, Facebook is broken down into 15 subcategories, such as "Facebook Applications: Games" and "Facebook Applications: Education," which would allow you to differentiate different types of Facebook usage, blocking those you don't allow. In our testing, the S-Series was able to differentiate different types of Facebook usage and blocked access accordingly. In fact, Facebook is one of the most sophisticated sets of controls. For example, you can block all Facebook Events, or you could just block posting of events but allow "Like" of events. In LinkedIn's controls, you can block the employment section separately from the messaging section, or you can block job searches separately from job postings.

In our testing, the IronPort S-Series did exactly what it said it would — identify applications and apply application controls, including bandwidth limits, as a Web proxy. However, it's clear that for this to work, you need a proper configuration.

For example, now that many Facebook users are selecting to encrypt their sessions, you must use the sanctioned man-in-the-middle to decrypt the SSL, or there's no possibility of applying fine-grained application controls. Similarly, if you want to control BitTorrent, you must force the traffic through the proxy by blocking VPN users who try and go around the proxy.

Overall, the Web security options within Cisco's Secure Mobility Solution give network managers enough choices to provide strong policy enforcement for end users no matter where they are.

Snyder is a senior partner at Opus One in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.