All ASA appliances have SSL VPN features, including reverse proxying (gatewaying Web applications at the application layer) and application tunneling (using encrypted tunnels to expose single applications through the VPN device), although we didn't focus on those features during this test. We spent most of our testing looking at network extension, bringing remote devices onto the corporate LAN, and Cisco's approach to securing those remote devices — what is now the traditional remote access use case.
Next comes the client software
The next key component of a Cisco remote access solution is its new AnyConnect Secure Mobility client. The AnyConnect client has the basic feature set that one would expect in a mature product: end-point security detection and control, simplified deployment and policy downloading directly from the VPN gateway, wide-ranging user authentication options, and remote user policy enforcement features.
Cisco offers the AnyConnect client as an installed package available for all Windows versions back to XP, Mac OS X 10.5 and 10.6, Intel-based Linux distributions with the 2.6 kernel, Apple iOS 4 (the iPhone and iPad operating system), and Windows Mobile versions 5 and 6.
The AnyConnect VPN client is not required to make a VPN connection to an ASA appliance — you can still use the built-in VPN clients in Windows and Mac OS X, Nokia's Symbian phones, iPhones, iPads and iPods, as well as Cisco's older multiplatform Cisco VPN client, and a host of third-party clients.
However, you give up a lot of performance, functionality and features if you don't use it. For example, the AnyConnect client can use IPSec, SSL/TLS, or DTLS (SSL/TLS run over UDP instead of the normal TCP). We found that shifting from SSL/TLS (TCP) to DTLS (UDP) with the AnyConnect client gave us an increase of between 40% and 45% in total performance, depending on the characteristics of the Internet connection. DTLS and traditional IPSec had similar performance characteristics. In our testing, traditional IPSec edged out DTLS by a few percentage points in most tests, but the performance difference was difficult to perceive.