Another key feature of the AnyConnect client not found in Cisco's older IPSec clients is end-point security checking, remediation, and control. Taking a cue from the SSL VPN and NAC worlds, Cisco has folded its Cisco Secure Desktop into the AnyConnect client (for a price — there is a license fee), and has merged desktop security management into the VPN concentrator, tremendously simplifying the task of linking desktop and VPN security policies and avoiding the potential for things to drop between the cracks.
Web security is the final piece
The last major piece of Cisco's remote access solution is a new addition: the Cisco IronPort S-series Web Security Appliance. The IronPort S-series is a secure Web gateway, with the primary goals of protecting Web-browsing end-users from malware and enforcing access controls on where people can browse.
We didn't do a full evaluation of the product, focusing only on its integration with the ASA and VPN clients. But the IronPort S-series has the expected feature set for a Web security gateway: malware scanning using multiple engines, URL filtering to avoid bad neighborhoods and enforce acceptable use policies, bandwidth management, and the ability to look at content to enforce general security policies, such as blocking PowerPoint attachments.
The IronPort S-series includes "man-in-the-middle" SSL decryption, which lets it scan both encrypted and unencrypted connections, and leverages the IronPort reputation service to do reputation-based lookups of URLs and Web servers. This feature set makes it a fairly complete Web security gateway, not all that different from the other market-leading products.
We focused on integrating the IronPort S-series with the ASA appliance, and applying Web security gateway policies to remote access VPN users. A cynic might say that Cisco requires network managers to buy a whole separate box — and an expensive one at that — because they don't have built-in Web security in the firewall. That's true, of course, but it's also true that the Web security in the IronPort S-series is more powerful than what you can get with the Web security feature built into unified threat management firewalls.
Kicking it Old School
Even if you're satisfied with your current VPN deployment and are on an upgrade cycle, with no plans to turn on any new features, you'll be happy with the new products because they make life a little easier.