Cisco recently released version 2.5 of its AnyConnect SSL VPN thick client. This release brings with it two new features, Always-on VPN and AnyConnect Secure Mobility. Several other feature additions made it into this release as well, not least of which is optimal gateway selection. AnyConnect 2.5 is a maintenance release, so it also includes bug fixes and other reliability improvements. According to Cisco, "This release has undergone the most extensive internal alpha and quality testing of any prior AnyConnect version which has allowed us to bundle key product innovations with a high quality maintenance release." Let's take a look at what's new.

AnyConnect Always-on VPN - The ASA administrator can configure AnyConnect to automatically establish and maintain an SSL VPN session as soon as the user logs into the operating system. If you use identity certificates instead of a username/password, the user is not prompted at all and the VPN runs transparently in the background. You can still use passwords, tokens, etc. for the VPN session if required. After the session is established, the client maintains it even if the host hibernates, sleeps, or moves between networks or hotspots. If the session drops, the AnyConnect client automatically and transparently attempts to re-establish it. Since you now control the client at all times, no matter what network it is connected to, you can ensure it passes through the same security controls a LAN PC would: AnyConnect always sends network traffic back to corporate for inspection and control (this assumes the group policy tunnels all traffic rather than split tunneling), which helps protect the endpoint from Internet threats. The always-on setting cannot be disabled by normal end users, only by ASA administrators. The administrator can, however, choose to give the user a disconnect button in the client that drops the session.
The ASA administrator determines what happens if AnyConnect fails to re-establish the VPN connection for whatever reason. The two choices are fail-open and fail-closed: fail-open allows the user to use the network without the VPN, while fail-closed disables all user network access until the VPN session re-establishes. Fail-closed is the secure choice, but it also means a user with no reachable ASA has no connectivity at all, so decide deliberately. Administrators can enable or disable always-on VPN per ASA group policy or Dynamic Access Policy (DAP). AnyConnect detects when users must authenticate through a captive portal, like at Starbucks, and the administrator determines how long the user has to authenticate to the portal before network access is restricted again.

Client Firewall Control - The AnyConnect 2.5 client adds the ability to add or remove inbound or outbound client firewall rules based on ASA group policy. This feature works on both Windows and Mac operating systems.

Optimal Gateway Selection - The AnyConnect 2.5 client can determine which ASA, from a list of gateways, it should connect to for optimal performance. The client performs a round-trip time (RTT) check against each gateway and will choose a different ASA only if doing so yields at least a 20% (default value) improvement, which keeps it from flapping between gateways with similar latency.

Quarantine - This new feature applies a dynamic access control list to a VPN session that has failed host posture checks or dynamic access policy rules. The ACL allows the user access to remediation resources, as determined by the administrator, but nothing else. Once the host is patched, the user reconnects and the dynamic ACL is removed from the session.

Another new feature, or really a change to an existing feature, is that AnyConnect 2.5 now checks the validity of the ASA's certificate to defend against man-in-the-middle attacks. If you are using a self-signed ASA certificate, or a certificate not issued by a root the client trusts, the client will refuse to connect. The administrator can change this default behavior if required, which should be done only for testing: an ASA certificate from a CA the clients already trust is the right fix, not disabling the check.
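As an added example (not from the original post and not Cisco's own sample), here is what the always-on, fail-closed, captive-portal, disconnect-button and optimal-gateway-selection settings described above look like in an AnyConnect client profile, the XML file the ASA pushes down to the client. The element names follow the AnyConnect client profile schema as I know it; the domain, host names and timeout values are placeholders, not values from the post. Confirm the elements against the 2.5 administrator guide or the ASDM profile editor before deploying.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: an AnyConnect client profile (pushed to the client by the ASA)
     showing the Always-on settings discussed above. Host names, domain and
     timeouts are placeholders, not values from the post. -->
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <!-- Reconnect transparently after sleep/hibernate/network change.
         UserControllable="false" keeps the end user from turning it off. -->
    <AutoReconnect UserControllable="false">true
      <AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
    </AutoReconnect>

    <!-- Trusted Network Detection: off the corporate LAN the client connects
         automatically; on it, the tunnel is dropped. Always-on is enforced
         only on untrusted networks. -->
    <AutomaticVPNPolicy>true
      <TrustedDNSDomains>corp.example.com</TrustedDNSDomains>
      <TrustedNetworkPolicy>Disconnect</TrustedNetworkPolicy>
      <UntrustedNetworkPolicy>Connect</UntrustedNetworkPolicy>

      <AlwaysOn>true
        <!-- Weak setting: <ConnectFailurePolicy>Open</ConnectFailurePolicy>
             leaves the endpoint on the raw Internet whenever the ASA is
             unreachable. Closed blocks all traffic until the tunnel is back. -->
        <ConnectFailurePolicy>Closed</ConnectFailurePolicy>

        <!-- Fail-closed would otherwise lock the user out of hotspot sign-in
             pages; allow a short window (minutes) to get past the captive
             portal before access is restricted again. -->
        <AllowCaptivePortalRemediation>true</AllowCaptivePortalRemediation>
        <CaptivePortalRemediationTimeout>5</CaptivePortalRemediationTimeout>

        <!-- The optional disconnect button mentioned above. Set to false if
             users should have no way to drop the session themselves. -->
        <AllowVPNDisconnect>true</AllowVPNDisconnect>
      </AlwaysOn>
    </AutomaticVPNPolicy>

    <!-- Optimal Gateway Selection: switch gateways only when the RTT check
         shows at least a 20% improvement, and do not re-evaluate for 4 hours
         after a switch. -->
    <EnableAutomaticServerSelection UserControllable="false">true
      <AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
      <AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
    </EnableAutomaticServerSelection>
  </ClientInitialization>

  <!-- Gateways the client may choose between. Placeholder host names. -->
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn-east.example.com</HostAddress>
      <BackupServerList>
        <HostAddress>vpn-west.example.com</HostAddress>
      </BackupServerList>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
```

Upload the profile to the ASA and reference it from the AnyConnect settings of the group policy (the ASDM profile editor does both for you). Since the profile is what enforces fail-closed, make sure the gateways in the server list present certificates the clients already trust; with the new certificate check, an untrusted certificate plus fail-closed means the user has no network at all.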
AnyConnect 2.5 requires ASA version 8.0(2) or later and ASDM 6.1(3) or later. The preferred releases are ASA 8.3 and ASDM 6.3(1). The minimum Cisco Secure Desktop release is 3.2(2). In addition to the new features, AnyConnect 2.5 fixes 14 caveats and software bugs.

You can find the AnyConnect 2.5 release notes here: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/release/notes/anyconnect25rn.html and the AnyConnect 2.5 documentation here: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect25/administration/guide/anyconnectadmin25.html
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.