When researching security options that are available from Cisco, one of the words that is hard to miss is AnyConnect. Cisco has developed the AnyConnect Secure Mobility Client as a "next generation" Virtual Private Network (VPN) client. AnyConnect is not limited to providing VPN access; it has a number of other capabilities that enable an enterprise to truly secure the endpoint.

Here we'll take a look at the different functions provided by the Cisco AnyConnect Secure Mobility Client and how it can be used to secure an endpoint.

 

Cisco AnyConnect Secure Mobility Client capabilities

To clear up any confusion, there is a Cisco AnyConnect VPN client that exists which provides only endpoint VPN access. The AnyConnect Secure Mobility Client extends these capabilities with a number of available modules; many of these modules were formally wrapped into other packages. See the available modules listed in Table 1.

 

Table 1: Cisco AnyConnect modules

AnyConnect module	Capabilities
Network Access Manager (Formally Cisco Secure Services Client)	This module provides the detection and choice of an optional Layer 2 access network and provides device authentication for access.
Posture assessment	Allows AnyConnect to determine the operating system, antivirus, anti-spyware and firewall software that is installed on the client, before a remote access connection is made. The Host Scan application is the one used to obtain this information.
Telemetry	Can be used to send information about the origin of malicious content detected by the antivirus software. The IronPort Web Security Appliance (WSA) is sent this information and can better secure the network by modifying URL filtering rules based on the information.
Web security	Routes HTTP traffic to the ScanSafe Web Security scanning proxy server for content analysis, malware detection and acceptable use policy review.
Diagnostic and Reporting Tool (DART)	Captures a snapshot of system logs and other diagnostic information of the client which can be used when troubleshooting a problem with Cisco's Technical Assistance Center (TAC).
Start Before Login (SBL)	Can be used to start AnyConnect before a user is able to login, which can force a user to connect to the enterprise infrastructure over a VPN connection before logging in.
Customer Experience Feedback	Used to provide Cisco with client information that is used to give insight into the user experience.

It is important to note that two different product lines that deploy Cisco AnyConnect: the Adaptive Security Appliance (ASA) and supporting IOS devices (e.g. the Integrated Services Routers (ISR)). Support for all the features shown in Table 1 requires a connection through a Cisco ASA. IOS devices are limited and support only the SSL VPN (WebVPN) feature.

 

Cisco AnyConnect licensing

The licensing of AnyConnect is a bit confusing as a number of optional add-ons enable support for different modules. There are a number of combinations available for purchase, all of which need an extensive look at all of these options.

There are two main base licenses which can be selected, one that can be enabled at any given time on an ASA. These main options include the AnyConnect Essentials and AnyConnect Premium licenses. The AnyConnect Essentials licenses offer support for sessions established using the Cisco (legacy) VPN client and full tunneling access to enterprise applications.

The AnyConnect Premium license provides support for Clientless VPN access, Cisco Secure Desktop, Log-in Always-on VPN, Endpoint assessment and Quarantine on top of the AnyConnect supported options. The Network Access Manager module is licensed for use for free on Cisco Access Points (AP), Wireless LAN Controllers (WLC), switches and RADIUS servers. (Note: a SmartNet contract is requires on the specific equipment.) The DART and Customer Feedback modules are provided regardless of license type.

 

Keep endpoints secure

Cisco has taken the time to put together a number of utilities into a single deployable package, which when run with all options can greatly decrease the potential threats that come from internal endpoints (internally and externally located).

Want to know more about endpoint security? Sign up for a free 3-day trial to access TrainSignal's entire library, including Cisco, Microsoft and VMware videos.