Over the past few months I have been beta testing Cisco AnyConnect 3.0, their next generation VPN solution. AnyConnect 3.0 marks a major milestone for Cisco as, for the first time, they bring all of their technologies for remote security / connectivity into one tool. The aim is to enable their vision for a “Borderless Network”, meaning seamless and secure connectivity, any time, anywhere and from any device. Could this be the product every Enterprise has been waiting for?
Before we look at some of the new features in AnyConnect 3.0, let’s take a quick look at the overall SSL VPN market as it stands today. Below is the December 2010 Gartner Magic Quadrant, which shows only two vendors in the “leaders” quadrant. This has been the case for the past few years, with Juniper edging out Cisco.
Although I believe this assessment of the market is fair (as AnyConnect 3.0 was not available for review in December), I fully predict that the 2011 magic quadrant will show that Cisco have significantly closed the gap, if not overtaken Juniper as the market leader.
So let’s take a look at a couple of the major new features of AnyConnect 3.0:
Firstly, AnyConnect 3.0 has been re-written to enable easy customisation, via the use of modules. This means that you no longer need to install the entire AnyConnect package, but instead can pick the modules that you intend to use, resulting in a lightweight and efficient client. The modules available in AnyConnect 3.0 are:
- AnyConnect IPsec/SSL VPN Module (including pre-login)
- AnyConnect Network Access Manager Module
- AnyConnect Posture Module
- AnyConnect Telemetry Module
- AnyConnect Web Security Module
- AnyConnect Diagnostic and Reporting Module
The other great thing about a modular configuration is that you can easily add or remove modules at any time, without impacting the core services. For example, as Cisco continue to improve AnyConnect, new modules will become available. If you decide to take advantage of these new services you can simply add them to your installation, safe in the knowledge that your existing install will continue to operate as expected. Personally I hope that one of the first modules Cisco looks to add is for WAN Optimisation, similar to “ProxyClient” offered by BlueCoat.
The next big change is that for the first time AnyConnect 3.0 brings IPsec/IKEv2 and SSL full tunnel VPN compatibility in the same product. Previously AnyConnect 2.x only supported SSL based VPN and customers had to use the previous generation Cisco VPN Client to get IPsec support. This proved to be a major barrier for businesses who were looking to upgrade to AnyConnect, as although SSL VPN solutions have come a long way, it is still widely accepted in the industry (especially amongst security purists) that IPsec is better optimised for latency-sensitive traffic (such as voice and video).
The final new feature worth mentioning is the web security module. This takes advantage of Cisco’s recent acquisition of ScanSafe, the cloud based web security service for web-virus, malware, content filtering and forensic analysis. This module is essentially a port of the ScanSafe Anywhere+ client, where Internet traffic is sent direct (either without a VPN connection or via split tunnelling), but corporate policies and security are still maintained by the highly configurable ScanSafe cloud service. This service is a key unique selling point for AnyConnect 3.0 as it offers total security, regardless of the traffic’s destination. This is perfect for roaming users that utilise cloud services, such as Google Apps, SalesForce.com or Amazon EC2, as it allows direct Internet access (via ScanSafe), without having to backhaul traffic over VPN through corporate data centres. Finally it is worth noting that you can install the AnyConnect Web Security module as a standalone product. This is useful if you want a robust cloud based web security service, but already have an existing VPN solution from another vendor (I have personally tested it with Juniper Network Connect 7.0). For more information about the web security module I suggest you head over to the ScanSafe Anywhere+ information page, as the product feature set is almost identical.
Overall I believe AnyConnect 3.0 is a significant product release for Cisco. At launch it will be available for Windows XP to 7 (x86 / x64), Mac OS X and Linux as well as Apple iOS (iPhone and iPad), although it should be noted that not all modules have been ported to the different platforms. Cisco have also promised support for other major mobile platforms such as Google Android (expect to see that release soon). In terms of management, the AnyConnect client (including the modules) is controlled by the Cisco ASA platform, where you can do everything from remote deployment (based on a posture check) to real time configuration changes. If you just intend to use a standalone module, such as the web security, then you can do so without an ASA, although you would need to rely on another management product (such as Altiris) to deploy and update the software. The final thing worth noting is that even though AnyConnect 3.0 has compatibility for IPsec, it is not compatible with the previous generation 3000 series concentrator, therefore you will need to life cycle these devices to the ASA platform.
As mentioned earlier, I feel that AnyConnect 3.0 is the product that gives Cisco the best remote access solution on the market. The main reason for this is that it delivers the total package of flexibility, simplicity and security, as well as being cross platform. In my experience even Juniper (current market leaders) can’t match this and although visionary products such as Microsoft DirectAccess and Netmotion Mobility XE may have advantages in specific areas, they are not yet suitable for business wide deployment.
For more information on Cisco AnyConnect 3.0, including pricing and licensing options, head over to the Cisco product page.