It has been a long time coming but it is finally here, the Cisco uber security agent AnyConnect 3.0 has been released. Cisco's AnyConnect agents used to be just for SSLVPN connectivity. With the 3.0 release all that changes and the agent gets a new face-lift too. AnyConnect going forward is a single modular agent that can provide connectivity and always-on security from any location, any connection type and with any device (well, almost any device). Check out the connectivity and security options now available with the AnyConnect 3.0 Secure Mobility Client:
- SSL VPN (both TLS and DTLS)
- IPsec VPN (with the more secure IKEv2)
- Wired 802.1X supplicant (includes 802.1X-REV and 802.1AE MACsec wired encryption between host and switch)
- Wireless 802.1X supplicant (full 802.11i support, EAP-TTLS, EAP-GTC, CCX)
- Host Scan module (embedded host posture assessment scanning, NAC)
- ScanSafe Web Security module (embedded SaaS cloud-based web security offering)
- Anti-Virus Telemetry (increases the efficacy of Cisco's IP reputation database)
The modular structure of AnyConnect 3.0 and beyond allows you to centrally manage which modules are installed and activated on each host. Administrators can use a robust policy definition to determine which host gets which functionality. The modules then show up in the client as tabs on the left-hand side.
The most exciting feature for me is the integration of ScanSafe Web Security. This technology splits HTTP and HTTPS traffic off from the client, encrypts it, and sends it to the ScanSafe web security service in the cloud. It can be configured to be active even when your VPN tunnel is not connected. In this configuration, all of the host's web traffic is inspected all of the time, providing constant web security. The traffic then goes through URL filtering, AV, AS, acceptable-use, web reputation, and zero-day outbreak detection processing. Because the service is in the cloud, it eliminates the need to backhaul your web traffic to HQ for this type of protection, which reduces the bandwidth requirements for your HQ Internet links. When you couple this with the typically lower per-user cost a SaaS service like ScanSafe provides, it makes for a compelling reason to take a look. The only drawback to this solution today is that it only works on Windows, but I'd expect that to change in the next 6 months.
Let's dive a little deeper into the changes in AnyConnect 3.0. First, the addition of IPsec VPN capability. Going forward, AnyConnect will replace Cisco's existing stand-alone IPsec clients. The two huge differences in this new client are IKEv2 support and more client security features. IKEv2 is important because it brings enhanced security to your VPNs that IKEv1 was lacking. The AnyConnect IPsec module brings a host of additional security options for your IPsec clients. Features like full Host Scan, SCEP certificate auto-enrollment, profile updating, an enhanced client upgrade process and language customization are now available.
The other major change was the addition of a free 802.1X supplicant for wired and wireless connectivity. Cisco previously sold this product, Cisco Secure Services Client, as a stand-alone agent. The new functionality is called the Network Access Manager (NAM) module. Right now it supports only Windows, including Windows 7. This supplicant provides cutting-edge feature support like 802.1AE MACsec. MACsec provides wired encryption of all traffic from the client to the switch. It is the endpoint piece of the Cisco TrustSec architecture, which provides hop-by-hop encryption between Cisco switches. The decision to encrypt or not is maintained by a central policy in Cisco ACS 5.2. The AnyConnect NAM also allows for EAP-TTLS and EAP-GTC functionality that is lacking in the built-in Windows supplicant. EAP-TTLS provides two-factor authentication capability for wired and wireless using a certificate and a username/password check. EAP-GTC allows for the support of password replacement technologies like tokens and smartcards. The NAM has the ability to allow only one connection type at a time, and by default it prefers wired over wireless: it will automatically shut down the wireless connection once it detects a wired one. In addition to 802.1X connectivity, the NAM can also run a script after logon completes. You can use this scripting capability to run a program, update GPO, run a login script, or all sorts of other things. Last but not least, the NAM supports remote desktop connectivity even if the user logs off; the NAM will maintain session state if required.
The embedded Host Scan module in AnyConnect 3.0 removes the requirement to download Cisco Secure Desktop for this purpose. This in turn makes the Host Scan user experience faster and more seamless. Host Scan can also be more easily updated to support the latest AV, AS and PFW (personal firewall) product sets for scanning. The host scanning results are used by the Cisco ASA to dynamically change or apply security policies to the host.
The Cisco AnyConnect 3.0 agent is available now. The Cisco AnyConnect software is supported on the following operating systems:
- Windows XP, Vista and 7 (32-bit and 64-bit)
- Mac OS X 10.5 and 10.6 (32-bit and 64-bit)
- Linux
- iPhone 4.1+
- iPad 4.2
- Windows Mobile 6.1
- HP webOS 2.0
To use many of the advanced features you will have to upgrade your Cisco ASA to 8.4.1 code. Check out the release notes for more information on AnyConnect features, client support info, and upgrade instructions: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html
What other features would you like to see in Cisco's AnyConnect solution?
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
More from Jamey Heary: go to Jamey's Blog for more articles on security.