Cisco sets the bar for mobile security

By Joel Snyder, Network World |  Security, Cisco, VPN

For example, if you already know how to run Cisco's older VPN 3000 GUI, you'll see that most of the VPN parts have been transplanted into ASDM (Adaptive Security Device Manager), Cisco's Java-based management tool for the ASA appliance.

The ASA appliance can be your source for the VPN client software, and you don't have to build pesky policies that get glued into the AnyConnect client at installation time, so you can have a VPN deployment up and running more quickly than with the old client and old hardware.

The AnyConnect client is also more firewall-friendly, falling back to SSL/TLS encryption over the HTTPS port (443), which means less frustration for end users on the road. And ASDM includes a VPN wizard to guide you step-by-step and help automatically glue together the bits and pieces that all have to match to make things work.

Legacy licensing

Well, there's actually one problem that will frustrate VPN 3000 users: licensing. The ASA appliance is really the next generation of PIX firewall, with a merging of the best VPN features from both the PIX and the old VPN 3000. One of the features carried over from the PIX is feature-based licensing, and the ASA licensing can best be described as "you've got to be kidding."

For the remote access feature set alone, there are six types of licenses, with another half-dozen types for the platform itself. For inexplicable reasons, you also need a special license to use mobile devices with your ASA appliance, although only if they use the AnyConnect client software, and not if they use the old client. And don't forget the special license for your IronPort S-series WSA to make it part of the Secure Mobility Solution.

Fortunately, there's a 48-page manual which explains it all — make sure you sit down and read it through a few times before you start. Our only other advice is to be sure to get your strong encryption license (it's free, fast, and online; you just have to promise not to let your ASA slip into the wrong hands) before you start, because encryption profiles will only be correctly set up using the wizards if the strong encryption license is already installed.

Putting the pieces together

Cisco Secure Mobility Solution is not just a VPN toolkit; it's about enforcing enterprise security policy when staff members are both in and out of the office. That means you'll need to spend some time thinking about your security policy before you begin configuration.

Originally published on Network World.