The benefits of enabling your workforce with mobile access to enterprise applications, regardless of whether those applications are in the cloud or in the corporate data centre, are clearly recognised. The ease of providing secure remote access to employees, and the ability to maintain corporate data security policies is, however, not simple.
Both networking and security vendors are actively working to provide solutions to the mobile workforce challenge. So it's no surprise the latest VPN end point client from Cisco is built for today's applications on some of today's most popular mobile devices.
Cisco's new AnyConnect client for iOS, Windows and Mac OSX provides an always on SSL based network aware VPN which provides secure connectivity between a user end point and a Cisco ASA firewall.
Cisco has been in the VPN end point game for many years. In 2010 Cisco claimed to have the most widely deployed VPN client base through the inclusion of Cisco VPN code in all Windows desktop environments but was limited in an IPSEC connectivity environment. So why the move to SSL VPNs?
The Internet has evolved from an environment where applications and ports required network to network encrypted tunnels to a world of applications inside web browsers and data tunnelled over http and https.
A further reason for the move away from IPSEC VPNs is the requirement to install an IPsec client on your endpoints, and to maintain the IPsec configuration files for each IPsec gateway. For clients of large multi-national companies this could mean ten or more xml configuration files which need to be updated when gateway details change.
Vivian Ganitsky, management director of Juniper Networks’ SSL VPN product line, said plenty of Juniper's customers have been moving to SSL VPN for many years. As a result, she said Juniper's Pulse is designed to make it easier for companies to use both IPsec and SSL which allows for a migration path between the VPN technologies.
"The great benefit with IPsec is that it's a fast mode of transport," she said. "It is optimized for quick access to VoIP and screaming media, and fast access to items at the network layer."
Forrester Research analyst Rob Whiteley believes most companies will eventually push IPsec to the sidelines and go full-on with SSL.
"We are in a transition phase," he said in an interview with Information Security magazine, a sister publication to SearchSecurity.com. "We are going to see more SSL deployments until IPSec becomes the niche technology, which is the reverse of today."
As mobile workers roam to different locations, with always-on and intelligent VPN, the Cisco AnyConnect client can:
- Automatically select the optimal network access point
- Adapt its tunneling protocol to the most efficient method
- Direct web requests to the ScanSafe web filtering cloud service
- Split tunnel between a corporate VPN network and the Internet
Cisco AnyConnect also takes advantage of the Datagram Transport Layer Security (DTLS) protocol which helps provide an optimized connection for latency-sensitive traffic, such as voice over IP (VoIP) and TCP-based application access. AnyConnect was the first VPN client to use DTLS on the market.
RFC4347 explains “The basic design philosophy of DTLS is to construct ‘TLS over datagram’. The reason that TLS cannot be used directly in datagram environments is simply that packets may be lost or reordered. TLS has no internal facilities to handle this kind of unreliability, and therefore TLS implementations break when rehosted on datagram transport."
"The purpose of DTLS is to make only the minimal changes to TLS required to fix this problem. To the greatest extent possible, DTLS is identical to TLS. Whenever we need to invent new mechanisms, we attempt to do so in such a way that preserves the style of TLS.”
Support for DTLS first arrived in ASA release 8.0(2) some three years ago; however for the IOS this has just recently been added in IOS® 15.1(2)T. To enable DTLS support network administrators need to enable the dtls service (svc dtls) in the WebVPN group policy. The command has no arguments or keywords.
DTLS is enabled by default on the Cisco ISR G2 series routers (3900, 2900, 1900, 890, and 880) and is disabled by default on other routers. The command config-webvpn-group is used to configure WebVPN group policy.
The Apple AppStore provides the following directive:
AnyConnect for iOS requires a Cisco Adaptive Security Appliance (ASA) running software image 8.0(3).1 or later. The ASA requires an AnyConnect Mobile licence (L-ASA-AC-M-55XX=), as well as either an AnyConnect Essentials (L-ASA-AC-E-55XX=) or AnyConnect Premium Clientless SSL VPN Edition (L-ASA-AC-SSL-YYYY=) license, where XX is the last two digits of your ASA model number and YYYY is the number of simultaneous users. AnyConnect Mobile and Essentials licences are enabled per ASA, there is no per user charge for either of these licences.
Gartner provides other compelling use cases for SSL VPNs.
- Protecting access connections used by contractors, providing selective access to systems on a need-to-know basis.
- Providing secure and private ad hoc connections in the event of business continuity disruptions, such as natural disasters and disease outbreaks.
- Integration with emergency notification systems (ENSs) to facilitate emergency VPN access.
- Increasing opportunities for traditional VPN vendors to compete with vendors in adjacent markets, such as Web application delivery, multichannel access gateways for mobile devices and Web application firewalls.
- Convergence with trusted portable personality devices to develop more-secure portable desktops by use of on-demand security tools originating with SSL VPNs.
- Improvements in WAN optimization via acceleration, load balancing, traffic shaping and caching.
- Increasing uses for on-demand security, for example, malware scans, device and software version checks, user geolocation checks on wider ranges of endpoint devices, and operating systems (OSs), especially user-owned workstations and smartphones.