Cisco could have done a much better job in ASDM of making things consistent and usable. In the VPN part of the GUI alone, there are dozens of options and a confusing, sometimes contradictory set of terms. This makes it easy to make mistakes, or to end up with a less secure deployment simply because one of the many settings was never configured correctly.
For example, split tunneling can now be controlled with much finer granularity than before, a real security improvement. But digging out the individual features and getting them properly configured means working through multiple screens and "Advanced" tabs. The practical result is that it is easier to skip the new feature altogether and settle for a less secure deployment.
While much of the VPN feature set can be configured using the command-line interface (CLI), making full use of the feature set requires you to use ASDM. The basic encryption and tunneling tools are all CLI-based and CLI-debuggable, but some parts of the client-side policy configuration rely on hidden files on the internal flash that are best left to ASDM to keep straight.
We built a basic ASA firewall using the CLI, and then we stuck entirely with ASDM. Once we got all of the licensing pieces worked out, our final configuration with RADIUS authentication, end-point security checking, and Web-based downloading of the AnyConnect client from the ASA appliance only took about an hour.
But that configuration was done with the help of one of Cisco's trainers. The solution has a lot of moving parts, and without hands-on guidance, we could have spent days covering the same territory. If you can possibly afford the time, sit down and read through the documentation or take some training.
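To make the CLI side of such a build concrete, here is an added example that is not from the review and not Cisco's own documentation: the skeleton of an ASA 8.4-era remote-access configuration covering three of the pieces mentioned above, the AnyConnect package served from the appliance, RADIUS authentication, and a split-tunneling policy. Interface names, addresses, the package filename, the shared secret and the object names are placeholders chosen for illustration. The end-point checking piece (HostScan/Dynamic Access Policies) is deliberately left out, because that is exactly the part the review says is better kept in ASDM.

```cisco
! --- AnyConnect Secure Mobility on an ASA, added example (assumed ASA 8.4 syntax) ---
! Placeholder values: interface names, 10.1.1.5, the package name, the shared
! secret and every object name below are illustrative, not from the review.

! 1. RADIUS server group used to authenticate remote users
aaa-server CORP_RADIUS protocol radius
aaa-server CORP_RADIUS (inside) host 10.1.1.5
 key RadiusSharedSecret          ! placeholder; use a long random secret

! 2. Serve the AnyConnect client from the appliance on the outside interface
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-placeholder-k9.pkg 1
 anyconnect enable

! 3. Split tunneling: only the corporate prefix goes through the tunnel.
!    The default, "split-tunnel-policy tunnelall", forces all traffic into the
!    tunnel; "excludespecified" is the weakest choice because everything not
!    listed bypasses the tunnel. "tunnelspecified" with an explicit list is
!    the granular option the review is describing.
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.0.0.0
group-policy REMOTE_USERS internal
group-policy REMOTE_USERS attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 split-dns value corp.example.com   ! placeholder domain resolved via the tunnel

! 4. Tie authentication and policy together in a connection profile
tunnel-group REMOTE_USERS type remote-access
tunnel-group REMOTE_USERS general-attributes
 authentication-server-group CORP_RADIUS
 default-group-policy REMOTE_USERS
tunnel-group REMOTE_USERS webvpn-attributes
 group-alias Employees enable
```

Two checks worth running after pasting something like this: `show running-config group-policy REMOTE_USERS` confirms the split-tunnel policy actually attached (a missing `split-tunnel-network-list` silently falls back to the policy's default), and `show vpn-sessiondb anyconnect` after a test login confirms the session landed in the intended group policy rather than the built-in DfltGrpPolicy.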
Happy end users
The good news is that while the Secure Mobility Solution can be complex for network managers, it's a fantastic experience for end users. Think of yourself as throwing yourself on your sword to help everyone who's actually going to use the remote access VPN. No matter what platform we tested — Mac, Windows, and iPhone were in our lab — getting the client installed and operational was simple. If end users liked the old Cisco VPN client, they'll love AnyConnect, which has a modern feel and brings benefits beyond just VPN tunnels.
For example, on the Windows platform the AnyConnect client includes Network Access Manager (NAM), a full-fledged 802.1X supplicant for wired and wireless networks. Since the AnyConnect client is meant to be used both on the corporate network and while roaming, integrating 802.1X lets a single client package handle both end-point security and connectivity.