Why Cisco AnyConnect is Not Just a VPN Client

Last week I had a discussion about remote access and the various VPN clients that can be installed on the workstation of an employee sent to work from home. One colleague defended the “patriotic” position that the “subscriber points” of domestic encryption products should be used. Another insisted on clients from foreign VPN solutions. I held a third position: such a solution should be neither an appendage of the perimeter encryptor nor merely the client part of a VPN gateway. Even on a production computer it is not quite right to install several security clients, each solving a different task – VPN, authentication, secure access, compliance assessment and so on. Ideally all of these functions, and others, are combined in a single client, which reduces the load on the system as well as the likelihood of incompatibility between different security products. One such client is Cisco AnyConnect, whose capabilities I would like to describe briefly.


Cisco AnyConnect is the logical successor of the Cisco VPN Client, which over many years has not only been localized into Russian but also enriched with many functions and capabilities for secure remote access to corporate or cloud infrastructure over one of three protocols – TLS, DTLS and IPSec (FlexVPN is also supported). The first is quite traditional for VPN clients and uses TCP as its transport. However, tunneling over TLS means that TCP-based applications carry TCP twice (once as the transport for TLS, and a second time for the application itself inside the TLS tunnel). And UDP-based protocols will … use TCP anyway. This can introduce delays, for example for multimedia applications, which are very popular in remote work. The solution to this problem was the DTLS protocol, which runs TLS over UDP instead of TCP. AnyConnect supports both TLS variants, over TCP and over UDP, which allows them to be used flexibly depending on the conditions of remote work. TCP/443 and UDP/443 are usually allowed on firewalls and proxies, so using TLS and DTLS is not a big problem. But in some cases you may need to use IPSec, which AnyConnect also supports (IPSec/IKEv2).


And on which devices can the VPN tunnel created by AnyConnect be terminated? I will simply list them:

  • Cisco ASA 5500 and Cisco ASA 5500-X firewalls
  • Cisco Firepower all-in-one security appliances
  • Cisco ASAv virtual firewalls, including in AWS and Azure
  • Cisco ISR 800/1000/4000 and ASR 1000 routers running Cisco IOS or Cisco IOS XE
  • Cisco CSR 1000v virtual routers.

It is quite likely that you already have one of the devices mentioned above on the perimeter of your corporate or departmental network, and you can use them to organize secure remote access (the main thing is that they cope with the increased load). Moreover, Cisco now has a free AnyConnect license offer.


Interestingly, unlike many other VPN clients, Cisco AnyConnect gives you many options for installing it on a personal computer or mobile device. If you issue devices from your own inventory or buy laptops specifically for employees, you can simply pre-install the security client together with the rest of the software required for remote work. But what about users who are far from corporate IT and cannot hand over their laptop so the necessary software can be installed? You can, of course, use specialized software such as SMS, SCCM or Microsoft Installer, but Cisco AnyConnect has another installation method: when the user connects to the VPN gateway mentioned above, the client itself is downloaded to their computer running Windows, Linux or macOS. This allows you to deploy a VPN quickly, even on the personal devices of workers sent to work remotely. Mobile users can simply download Cisco AnyConnect from the Apple App Store or Google Play.


But as I wrote above, Cisco AnyConnect is not just a VPN client; it is much more. I do not want to rewrite its documentation here, so instead I will describe the key functions in a question-and-answer (FAQ) format.

How can I guarantee that a home user does not pick up anything on the Internet?

AnyConnect has a feature called Always-On VPN, which prevents direct access to the Internet whenever the user is not on a so-called trusted network, which can be your corporate infrastructure. Note that this feature works very flexibly: if the user is on the corporate network, the VPN is disconnected automatically, and when they leave it (for example, working from a laptop, tablet or smartphone), the VPN is turned on again, transparently and invisibly to the user. Thus the user is always protected by the corporate security tools installed on the perimeter – firewalls, intrusion prevention systems, anomaly analysis systems, proxies and so on. Many companies that issue corporate devices to remote workers require that they be used only for business purposes, and to enforce this requirement AnyConnect includes settings that prohibit the user from accessing the Internet directly.


Can I encrypt only corporate traffic rather than all of it?

The Always-On VPN function is very useful for protecting remote access from devices you have issued, but we cannot always force the user to do what we want, especially when it comes to a personal computer on which we cannot set our own rules. And the user will not want their personal traffic to pass through the corporate perimeter, where your administrators can see which sites they visit while working from home. As the saying goes, “it is hard to talk about morality with the administrator who has seen your proxy logs” 🙂

In this case you can enable the split tunneling feature in Cisco AnyConnect. Some traffic, for example to the corporate infrastructure and work clouds, is encrypted, while traffic to social networks or online cinemas goes as usual, without AnyConnect's protection. This accommodates the interests of both the company and the employee, who is forced to share a personal computer between two areas of life – personal and business. But remember that split tunneling can reduce the security of your network: the user can pick up an infection on the Internet, and it will then reach the company over the secure channel.
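To make the split-tunnel decision concrete, here is an added example (not Cisco's code and not AnyConnect's implementation) that classifies destination addresses as tunneled or direct. The prefixes are constructed for this example; the policy names tunnelall and tunnelspecified are the ones Cisco ASA uses, while resolving overlapping include and exclude lists by longest prefix match is an assumption made here. The uninspected() helper lists exactly the destinations the paragraph above warns about: traffic to them never passes the corporate perimeter.

```python
"""Added example: which destinations a split-tunnel policy sends through
the VPN and which go directly to the Internet (assumed behaviour)."""
import ipaddress

# Constructed corporate prefixes that must be tunneled (split-include list).
SPLIT_INCLUDE = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.0.2.0/24")]
# Constructed exception carved out of the include list (e.g. a guest subnet).
SPLIT_EXCLUDE = [ipaddress.ip_network("10.200.0.0/16")]


def route_for(dst, policy="tunnelspecified",
              include=SPLIT_INCLUDE, exclude=SPLIT_EXCLUDE):
    """Return 'tunnel' or 'direct' for one destination address.

    tunnelall       - everything goes through the VPN (the Always-On case)
    tunnelspecified - only the include prefixes are tunneled; the most
                      specific matching prefix wins when the lists overlap
    """
    if policy == "tunnelall":
        return "tunnel"
    addr = ipaddress.ip_address(dst)
    best = None  # (prefix length, action) of the most specific match so far
    candidates = [(n, "tunnel") for n in include] + [(n, "direct") for n in exclude]
    for net, action in candidates:
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, action)
    return best[1] if best else "direct"


def uninspected(destinations, **kw):
    """Destinations that bypass the corporate perimeter and its inspection.

    Anything returned here is reachable without the firewall, IPS or proxy
    ever seeing the traffic, which is the risk split tunneling introduces.
    """
    return [d for d in destinations if route_for(d, **kw) == "direct"]


if __name__ == "__main__":
    sample = ["10.1.5.20", "192.0.2.10", "10.200.3.4", "142.250.74.78"]
    for d in sample:
        print(d, "->", route_for(d))
    print("bypassing inspection:", uninspected(sample))
```

Switching the policy argument to tunnelall shows the Always-On behaviour from the previous question: every destination is tunneled and uninspected() returns nothing.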


Can I encrypt the traffic of specific applications, for example corporate ones?

In addition to separating trusted and untrusted traffic, Cisco AnyConnect supports the Per App VPN feature, which encrypts the traffic of individual applications (including on mobile devices). This lets you tunnel (that is, route through the corporate network) only certain applications, for example 1C, SAP, SharePoint or Oracle, while letting Facebook, LinkedIn or a personal Office 365 bypass the corporate perimeter. Different groups of remote devices or users can have their own security rules here.

But the user can pick up malware on a home computer, which then gets into the corporate network. How do I deal with that?

On the one hand, Cisco AnyConnect can check whether Cisco AMP for Endpoints is installed and install it if it is not. But perhaps the user already has their own antivirus, or you installed one when moving employees to remote work. However, we all know that antivirus today catches very few serious threats, and it would be good to supplement it with more advanced solutions that detect malware, anomalies and other attacks. If Cisco Stealthwatch is deployed in your corporate infrastructure, you can easily integrate with it the Cisco AnyConnect agents installed on your employees' home computers. AnyConnect includes a Network Visibility Module (NVM) that translates host activity into the nvzFlow protocol, developed specifically for this task, enriches it with additional information and sends it to a NetFlow collector, which can be either Cisco Stealthwatch Enterprise or any SIEM, for example Splunk. Among other things, the NVM module can transmit the following information, on the basis of which it is possible to detect anomalous and malicious activity on the home computer that remained invisible to the installed antivirus:

  • network activity data in a format similar to IPFIX
  • device identifier, address and name
  • user name
  • user account type
  • names and identifiers of running processes and applications, including data on their “parents”.

This functionality is essentially a lightweight UEBA (User and Entity Behavior Analytics), a newer technology for analyzing the behavior of users and of the applications and processes launched on their behalf.
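What a collector or SIEM can actually do with the fields listed above is easier to see on data. The following is an added example, not Cisco's code and not the nvzFlow format: the record shape, the field names, the process lists and the byte threshold are all assumptions of this example, and the records are constructed. It runs two behavioural rules over per-process flow records, both of which depend on exactly the enrichment NVM adds (process, parent process, user) and neither of which a signature-based antivirus would fire on.

```python
"""Added example: behavioural checks over NVM-style endpoint flow records
(constructed data, assumed field names; not the nvzFlow specification)."""
import ipaddress

# Constructed sample records for one device (not real telemetry).
RECORDS = [
    {"device": "laptop-17", "user": "alice", "account_type": "user",
     "process": "outlook.exe", "parent": "explorer.exe",
     "dst": "10.1.5.20", "dport": 443, "bytes_out": 12_000},
    {"device": "laptop-17", "user": "alice", "account_type": "user",
     "process": "chrome.exe", "parent": "explorer.exe",
     "dst": "142.250.74.78", "dport": 443, "bytes_out": 48_000},
    {"device": "laptop-17", "user": "alice", "account_type": "user",
     "process": "powershell.exe", "parent": "winword.exe",
     "dst": "203.0.113.45", "dport": 8443, "bytes_out": 900},
    {"device": "laptop-17", "user": "alice", "account_type": "user",
     "process": "svchost.exe", "parent": "services.exe",
     "dst": "10.1.5.21", "dport": 445, "bytes_out": 2_000},
    {"device": "laptop-17", "user": "alice", "account_type": "user",
     "process": "svchost.exe", "parent": "services.exe",
     "dst": "203.0.113.45", "dport": 8443, "bytes_out": 30_000_000},
]

# Assumed corporate address space; anything else is "external".
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed lists: document/mail applications that should not normally
# spawn a command interpreter, and the interpreters themselves.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
# Assumed threshold for a single-flow upload worth a second look (bytes).
LARGE_UPLOAD = 10_000_000


def is_corporate(ip):
    """True if the destination lies inside the corporate address space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def find_anomalies(records):
    """Return one finding dict per rule hit, in record order."""
    findings = []
    for r in records:
        external = not is_corporate(r["dst"])
        # Rule 1: a document application spawning a shell that then talks
        # to an external host; the parent-process field makes this visible.
        if external and r["process"] in SHELLS and r["parent"] in DOCUMENT_APPS:
            findings.append({"rule": "shell-from-document", "device": r["device"],
                             "user": r["user"], "process": r["process"],
                             "parent": r["parent"], "dst": r["dst"]})
        # Rule 2: a large upload to a non-corporate destination from any
        # process, which no signature would match but the flow volume shows.
        if external and r["bytes_out"] >= LARGE_UPLOAD:
            findings.append({"rule": "large-external-upload", "device": r["device"],
                             "user": r["user"], "process": r["process"],
                             "dst": r["dst"], "bytes_out": r["bytes_out"]})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(RECORDS):
        print(f)
```

In a real deployment the same rules would run in the collector or SIEM over the nvzFlow stream rather than over a list in memory; the point is that the process and parent fields turn plain flow data into something a behavioural rule can reason about.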

How do I authenticate users?

When users work on corporate computers, they usually authenticate against Active Directory or another LDAP directory. I would like the same with remote access, and Cisco AnyConnect makes it possible by supporting authentication with login/password, including one-time passwords, user or machine certificates, hardware tokens (for example smart cards or YubiKey), and even biometrics and other multi-factor authentication methods. All of these options integrate easily with your authentication management solutions via RADIUS, RSA SecurID, SAML, Kerberos and other protocols.


And if I use cloud platforms, for example Amazon AWS or MS Azure, how can I protect home users' access to them?

Cisco has the Cisco CSR 1000v virtual router, which can be deployed in cloud environments such as Amazon AWS or MS Azure and can terminate VPN tunnels created by Cisco AnyConnect.

If a user works from a personal device, how can I improve the security of my network given this access?

Let's consider what a user can do badly or wrongly on a computer while working remotely. Install software that contains vulnerabilities, or simply fail to patch them in a timely manner. Fail to update antivirus, or not have it at all. Use weak passwords. Install software with malicious functionality. All of this can put your corporate network at risk, and no VPN will protect you from it. But Cisco AnyConnect can, thanks to its conformity assessment function, which checks the settings required by your IT and information security policies before granting the remote computer access to corporate resources: availability of patches, up-to-date software versions, updated antivirus, enabled security features, correct password length, hard drive encryption, certain registry settings and so on. This feature is implemented either with the Host Scan function (for which you need Cisco ASA as the remote access gateway) or with the System Scan function, which is provided by the Cisco ISE network access control system.
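The logic behind such a posture check is simple enough to show end to end. The following is an added example, not Cisco's code and not Host Scan or ISE posture syntax: the report fields, the policy values, the hypothetical agent process name and the two access group names are assumptions of this example, and the endpoint reports are constructed. It evaluates each check the paragraph lists, returns the list of failures so a remediation message can be shown to the user, and maps the result to an access decision taken before corporate resources are reachable.

```python
"""Added example: posture (conformity assessment) policy evaluated against
constructed endpoint reports; field names and values are assumptions."""
from datetime import date

# Assumed policy values for this example.
POLICY = {
    "max_days_since_patch": 30,
    "max_days_since_av_signatures": 3,
    "min_password_length": 12,
    "require_disk_encryption": True,
    "required_processes": {"amp-endpoint"},  # hypothetical agent process name
}

# Fixed "today" so the example is deterministic.
TODAY = date(2020, 4, 1)

# Constructed endpoint reports: a managed laptop and an unmanaged home PC.
COMPLIANT = {
    "host": "laptop-17", "last_patch": date(2020, 3, 20),
    "av_signatures": date(2020, 3, 31), "min_password_length": 14,
    "disk_encrypted": True, "running_processes": ["explorer.exe", "amp-endpoint"],
}
HOME_PC = {
    "host": "home-pc", "last_patch": date(2019, 12, 1),
    "av_signatures": None, "min_password_length": 8,
    "disk_encrypted": False, "running_processes": ["explorer.exe"],
}


def evaluate_posture(report, policy=POLICY, today=TODAY):
    """Return (compliant, failures) for one endpoint report.

    Failures are stable string tags so they can be logged, counted and
    turned into a remediation message for the user.
    """
    failures = []
    if (today - report["last_patch"]).days > policy["max_days_since_patch"]:
        failures.append("patches-outdated")
    av = report["av_signatures"]
    if av is None or (today - av).days > policy["max_days_since_av_signatures"]:
        failures.append("antivirus-outdated-or-missing")
    if report["min_password_length"] < policy["min_password_length"]:
        failures.append("weak-password-policy")
    if policy["require_disk_encryption"] and not report["disk_encrypted"]:
        failures.append("disk-not-encrypted")
    missing = policy["required_processes"] - set(report["running_processes"])
    if missing:
        failures.append("missing-agent:" + ",".join(sorted(missing)))
    return (not failures, failures)


def access_decision(report, policy=POLICY, today=TODAY):
    """Map posture to an assumed access group name.

    full-access      - all corporate resources
    remediation-only - only patch, antivirus and agent download servers
    """
    compliant, _ = evaluate_posture(report, policy, today)
    return "full-access" if compliant else "remediation-only"


if __name__ == "__main__":
    for rep in (COMPLIANT, HOME_PC):
        ok, why = evaluate_posture(rep)
        print(rep["host"], access_decision(rep), why)
```

The remediation-only group is the important design point: a failed check should not simply drop the user, because they then have no way to install the patches or agent that would make them compliant.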


And if I work from a tablet or smartphone and am constantly on the move, will my VPN connection drop and have to be re-established each time?

No. Cisco AnyConnect has a special roaming module that not only automatically and transparently reconnects the VPN when switching between connection types (3G/4G, Wi-Fi, etc.), but also automatically protects your mobile device (since you are unlikely to carry a stationary home computer around) with the Cisco Umbrella solution, which inspects all DNS traffic for access to phishing sites, command-and-control servers, botnets and so on. Connecting to Umbrella is required if you have enabled split tunneling for the user, who can then reach various Internet resources directly, bypassing the remote access gateway.


And won't AnyConnect reduce the quality of video and voice conferences?

No. As I described above, Cisco AnyConnect supports the DTLS protocol, which is aimed specifically at protecting multimedia traffic.

In fact, Cisco AnyConnect has many more features. It can work in stealth mode, dynamically select the optimal remote access gateway, supports IPv6, has a built-in personal firewall, can be monitored remotely, provides access control, supports RDP, and so on. It is also localized into Russian, so users have no questions about the rare messages that Cisco AnyConnect can display. So Cisco AnyConnect is not just a VPN client but a much more interesting solution for secure remote access, which in recent weeks has begun to gain popularity due to the coronavirus pandemic that is forcing employers to move certain categories of their employees to remote work.
