Page 1: Cisco

C97-712971-00 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 1

Ben Fischer, AnyConnect Product Manager, [email protected]

The Cisco products, services or features identified in this document may not yet be available or may not be available in all areas and may be subject to change without notice. Consult your local Cisco business contact for information on the products or services available in your area. You can find additional information via Cisco’s World Wide Web server at http://www.cisco.com. Actual performance and environmental costs of Cisco products will vary depending on individual customer configurations and conditions.

ASA & AnyConnect Secure Mobility Solution

Secure VPN Connectivity

Page 2: Cisco


Forward-Looking Statements

“Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.”

Page 3: Cisco

ASA & AnyConnect

Trends

Overview

AnyConnect

Network Access Manager

Web Security

Mobile

IPv6

Enrollment & Client Deployment

Clientless

Management & Troubleshooting

Telemetry & Quality Improvement

Summary

Secure VPN Connectivity

Page 4: Cisco


Trends

Page 5: Cisco

Mobility Continues to Grow
Strong Growth in Devices, Use, and Connectivity

• 15 billion networked mobile devices by 2015

• 3/4 of employees using multiple devices

• 56% of information workers outside the office

• 95% of companies allow personal devices at work

Page 6: Cisco

The Platform Chaos Is Settling Down
Android Is Tops in Smartphones, and Apple Is Tops in Tablets

[Chart: Employees Using Their Own Devices at Work, platform share for Desktops, Smartphones and Tablets]

Page 7: Cisco

Threats Continue to Develop
Malware Propagates in Vacuum of Neglect by Companies and Users

Dramatic increase in malware-infected apps

• Up to 1 million people were affected by Android malware over a 6-month period

• Infected Android apps increased from 80 to more than 400 in 6 months

Users slow to update

• Half of iPhone users do not regularly sync with iTunes and miss critical security updates

Lack of BYOD policies

• 55% of organizations have no acceptable use policy for employee mobile devices

• Of those organizations with policies, only 45% enforce their policies

Increasing malware and web threats

• Android users are 2.5 times more likely to encounter malware today than 6 months ago

• 3 in 10 Android owners will encounter a web-based threat on their Android device each year

Page 8: Cisco

Overview: AnyConnect Secure Mobility Solution

Page 9: Cisco

Secure VPN Connectivity
Solution Overview

Internationalized

• IPv6 support

• UI translated into major languages

• International sales and support

Simplified connectivity

• Optimal gateway selection

• Automatic hotspot negotiation

• Enterprise connection enforcement

• VDI support

Next-generation unified security

• User and device identity

• EAP-FAST chaining

• Smartcard SSO

• Posture validation and remediation

• Integrated web security

Flexible deployment

• Scalability and high availability

• Low TCO and increased productivity

[Diagram: Secure, Consistent Access. Branch Office, Mobile User and Home Office endpoints over Wired, Wi-Fi, and Cellular and Wi-Fi links reach the Cisco® ASA at Corporate HQ; Partner HQ connects Site to Site via a Cisco ASA]

Page 10: Cisco

Secure Remote Access Through Client or Browser

Cisco AnyConnect™

Broadest support

• Microsoft Windows, Mac OS X, Linux, Apple iOS, Android, etc.

• SSL (TLS and DTLS) or IPsec IKEv2

• Certificates, tokens, 2FA, LDAP, open source, IEEE 802.1X, MAB, and WebAuth

Simple persistent connectivity

• Optimized user interface across platforms

• Always-on and transparent connectivity

• Network access manager for wired, wireless, and 3G

Next-generation security

• Suite B cryptography and VDI access

Clientless

Broadest support

• SSL VPN access using any browser

• Smart tunnels: Broad application support

• TCP/IP application support: RDP, Telnet, and SSH

Security and usability

• Single sign-on to many applications

• Dynamic access policies present defined resources to users that users can bookmark

• Citrix Receiver support

Page 11: Cisco

Cisco ASA: Remote Access Security Gateways
Solutions Ranging from the Branch to the Enterprise

Firewall and VPN Appliance / Multiservice (Firewall, VPN, and IPS), positioned by performance and scalability from SOHO through Branch Office, Campus and Internet Edge to Data Center:

Model                      Throughput   Users
Cisco® ASA 5505            100 Mbps     25
Cisco ASA 5512-X           200 Mbps     250
Cisco ASA 5515-X           250 Mbps     250
Cisco ASA 5525-X           300 Mbps     750
Cisco ASA 5545-X           400 Mbps     2500
Cisco ASA 5555-X           700 Mbps     5000
Cisco ASA 5585 SSP-10      1 Gbps       5000
Cisco ASA 5585 SSP-20      2 Gbps       10,000
Cisco ASA 5585 SSP-40      3 Gbps       10,000
Cisco ASA 5585 SSP-60      5 Gbps       10,000

Page 12: Cisco

Supported Platforms
Many Choices To Meet Varied Needs

Clients

• Desktop: Microsoft Windows, Mac OS X, Linux

• Mobile: Apple iOS (iPhone and iPad)

• Android Smartphones: HTC, Motorola, Samsung (Version 4.0+)

• Android Tablets: HTC, Lenovo, Motorola, Samsung (Version 4.0+)

• BB10 (future): Smartphones, Playbook

• Clientless

Infrastructure

• Secure Connectivity: Cisco® ASA, Cisco ISR*, Cisco ASR*, IEEE 802.1X Switches

• Web Security: Cisco WSA, Cisco Cloud Web Security

• Identity and Policy: Cisco ISE, Cisco NAC

• Management: ASDM, CSM, CLI

*Note: Not all features supported on Cisco IOS® Software routers

Page 13: Cisco

Cisco AnyConnect Secure Mobility Licenses

• ESSENTIALS License (at minimum cost): Basic Remote-Access Connectivity

or

• PREMIUM License (at minimum cost): Clientless, Always-On, Posture Assessment, Suite B, & Phone VPN

• ADVANCED ENDPOINT ASSESSMENT License

• MOBILE License (at minimum cost)

• FLEX License: Good for Short-Term Periods of High Demand (e.g., Emergencies and Events)

• SHARED License: Premium Licenses Shared by Multiple ASAs

Page 14: Cisco

Cisco AnyConnect Secure Mobility Client

Page 15: Cisco

AnyConnect Modules

The Cisco AnyConnect® Secure Mobility Client Consists of the Following Modules:

Module      Windows   OS X   Linux   iOS   Android
VPN         Yes       Yes    Yes     Yes   Yes
NAM         Yes       x      x       x     x
WebSec      Yes       Yes    x       x     x
Posture     Yes       x      x       x     x
Telemetry   Yes       x      x       x     x
DART        Yes       Yes    x       x     x

Page 16: Cisco

Cisco ASA and AnyConnect Features

Feature Summary

Cisco AnyConnect® VPN Client

• IPsec and IKEv2

• SSL (TLS and DTLS)

• Modules: Network Access Manager and Web Security

• Optimal gateway selection

• Start Before Logon

• Auto reconnect

• Captive portal detection

• FIPS compliant

• Trusted network detection

• SCEP

HostScan

• Endpoint assessment and remediation

• Quarantine

• Keystroke logger detection

• Host emulation detection

• Cache cleaner

Clientless

• Rewriter

• Plug-ins

• Smart tunnels

• KCD

• Customizable

• Virtual desktop support

Network Access Manager

• 802.1x

• MACsec

Other

• Dynamic access policies

• Telemetry

• DART

Latest Feature Additions

Cisco AnyConnect 3.1

• Common user interface (Windows and OS X)

• Deferred update

• IPv6

• Network Access Manager module enhancements

• Suite B VPN; Suite B Network Access Manager

• Quality Improvement Module

• Updated FIPS compliance

• Web Security module enhancements

Cisco ASA 9.0

• ASA-Cisco Cloud Web Security integration

• Clientless SSL VPN enhancements

• Clientless access using Citrix Receiver

• Clustering and Cluster LACP

• Custom policy attributes

• Easy clientless auto sign-on using capturing tool and templates

• IPv6

• Mixed context mode

• Multicontext site-to-site VPN

• Next-generation encryption (Suite B)

• OSPFv3

• Routing in security context

• SSL VPN SMP acceleration

Page 17: Cisco

Next Generation Encryption

• NSA Suite B Algorithms

• ESPv3 with IKEv2

• 4096-bit RSA key operations

• Diffie-Hellman group 24

• Enhanced SHA2 message digest support (SHA-256 & SHA-384)

• Via IPsec on AnyConnect

• Premium License required to make AnyConnect Suite B connection

Page 18: Cisco

Session Persistence

• Auto-reconnect

• Wired ↔ Wi-Fi and Wi-Fi ↔ 3G roaming

• No reauthentication

• Suspended on headend

• Maximum session timer

• VPN profile

Page 19: Cisco


Trusted Network Detection

• Auto-connect when out of office

• Auto-disconnect inside office

• Based on default domain name or DNS server IP

• Profile setting under VPN Group Policy

Page 20: Cisco

Optimal Gateway Selection
Connects to the Most Optimum Headend: HTTPS Request Approximated by Fastest Round-Trip Time

[Diagram: round-trip times measured to headends in Los Angeles, Boston, London and New York (sample times 25/23/24 ms, 28/27/25 ms, 33/35/26 ms); the client connects to the fastest]

Profile Settings:

• Suspension Time Threshold (hours)

• Performance Improvement Threshold (%)
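As an added illustration (not Cisco's code), the following Python models the selection the slide describes: probe each headend, take the lowest round-trip time, and apply the two profile thresholds before switching away from a headend used before a suspension. The hostnames, RTT samples and the exact meaning of the two thresholds are assumptions made for this example.

```python
"""Constructed model of AnyConnect Optimal Gateway Selection (OGS).

Added illustration, not Cisco code. The client probes each headend with an
HTTPS request, uses the round-trip time (RTT) as the cost, and connects to
the fastest one. Two profile settings named on the slide gate re-selection
after the client resumes from suspension (their exact semantics are assumed):
  - suspension_threshold_hours: if the client was suspended for less than
    this, it keeps its previous headend instead of re-selecting
  - improvement_threshold_pct: a new headend is chosen only if it beats the
    previous one by at least this percentage
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class OgsProfile:
    suspension_threshold_hours: float
    improvement_threshold_pct: float


# Constructed RTT samples (ms): three headends, three HTTPS probes each.
# Hostnames are placeholders, not real gateways.
CONSTRUCTED_PROBES: Dict[str, List[float]] = {
    "la.vpn.example.com": [25.0, 23.0, 24.0],
    "boston.vpn.example.com": [28.0, 27.0, 25.0],
    "london.vpn.example.com": [33.0, 35.0, 26.0],
}


def average_rtt(probes: Dict[str, List[float]]) -> Dict[str, float]:
    """Average each headend's probes; headends that never answered are dropped."""
    return {host: mean(rtts) for host, rtts in probes.items() if rtts}


def fastest_headend(avg: Dict[str, float]) -> Optional[str]:
    """Lowest average RTT wins; None if no headend answered."""
    return min(avg, key=avg.__getitem__) if avg else None


def improvement_pct(current_ms: float, candidate_ms: float) -> float:
    """Relative RTT improvement of candidate over current, in percent."""
    return (current_ms - candidate_ms) / current_ms * 100.0


def select_headend(
    probes: Dict[str, List[float]],
    profile: OgsProfile,
    previous: Optional[str] = None,
    suspended_hours: float = 0.0,
) -> Optional[str]:
    """Return the headend OGS would connect to.

    First connection (no previous headend): pick the fastest.
    Resume after suspension: keep the previous headend unless the suspension
    lasted at least the time threshold AND the fastest candidate improves on
    it by at least the percentage threshold.
    """
    avg = average_rtt(probes)
    best = fastest_headend(avg)
    if previous is None or previous not in avg:
        # No usable previous headend: plain fastest-RTT selection
        return best
    if suspended_hours < profile.suspension_threshold_hours:
        return previous  # short suspension: do not churn gateways
    if best is not None and improvement_pct(avg[previous], avg[best]) >= profile.improvement_threshold_pct:
        return best
    return previous


if __name__ == "__main__":
    profile = OgsProfile(suspension_threshold_hours=4.0, improvement_threshold_pct=20.0)
    print("first connection:", select_headend(CONSTRUCTED_PROBES, profile))
    print("1 h suspension, previous Boston:",
          select_headend(CONSTRUCTED_PROBES, profile, "boston.vpn.example.com", 1.0))
    print("8 h suspension, previous Boston:",
          select_headend(CONSTRUCTED_PROBES, profile, "boston.vpn.example.com", 8.0))
```

With the sample probes Boston averages 26.67 ms against Los Angeles at 24 ms, a 10% improvement, so a 20% threshold keeps Boston after a long suspension while a 5% threshold would switch.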

Page 21: Cisco

Localization

• Cisco AnyConnect™ GUI and installer can be localized for different languages.

• Localization is supported through the MST (Microsoft Transform) format.

• Supported languages:

– Japanese

– French (Canadian)

– German

– Chinese

– Korean

– Spanish (Latin American)

– Czech

– Polish

• Custom localization can be done.

Page 22: Cisco


Network Access Manager

Page 23: Cisco


Cisco Network Access Manager

• Enterprise-focused connection manager

– Machine and / or user authentication

– Different credential types for machine and user authentication

– Certificates, tokens, username / password

– Pre-logon or post-logon user authentication

– Single Sign-On

– Locked enterprise profiles for low support cost

– Separate user profiles for easy migration

• Ethernet, WiFi, and mobile broadband (3G/4G) connectivity

• Policy Enforcement

– One connection at a time

– Session resumption

– Credential expiration

– Mobile broadband roaming

Page 24: Cisco


Cisco Network Access Manager Features On AnyConnect Client 3.1

• Differentiated Device Access (EAP Chaining)

• Mobile broadband (3G) support

• Enterprise Connection Enforcement

• IPv6 support (including dual-stack IPv4 and IPv6)

• Next Generation Encryption

• MACsec (802.1ae) FIPS 140-2 support

• VPN Start-Before-Logon on home networks

• Usability Enhancements

* Full support in future

Page 25: Cisco


Differentiating Network Access for Corporate / Personal Devices

• Desires:

– End-users want to use the same credentials for corporate and personal devices

– IT would like to authenticate the machine and the user in a single transaction

• Solution:

– Leverage AD machine credential locked to the machine 

– EAP-FAST v2 (http://tools.ietf.org/id/draft-zhou-emu-eap-fastv2-00.txt)

• Solution Requirements:

– Cisco® AnyConnect Network Access Manager Version 3.1 or later

– Cisco Identity Services Engine (ISE) System 1.1.1 or later

– Ethernet switch or Wi-Fi access point configured for 802.1X

Page 26: Cisco

EAP Chaining

[Diagram: AnyConnect™ Network Access Manager Version 3.1 sends Machine Credentials (Machine Authentication) and User Credentials (User Authentication, which includes both user and machine identity types) over RADIUS to Cisco® Identity Services Engine (ISE) 1.1.1 or later, which validates them against the AD database]

• EAP Chaining using EAP-FAST protocol extensions is supported

• EAP Chaining ties both the machine and user credentials to the device, thus the "owner" is using a corporate asset

• Machine credentials are authenticated to the network using 802.1X

• When the user logs onto the device, the session information from the machine authentication and user credentials is sent up to the network as part of the same authentication

• If both machine and user credentials are successfully validated, the "owner" is tied to the device, thus deeming it a corporate asset

• If both or either of these credentials fail, restricted or denied network access can be given according to the ISE authorization policy
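Added example, not Cisco or ISE code: a Python model of the chained decision the bullets above describe, with the machine result from boot carried into the user authentication and the four outcomes mapped to an access level. The directory contents, the access-level names and the cached machine-session lifetime are constructed assumptions; the "either fails" outcome is modelled as restricted access and "both fail" as denied, one of the policies the slide allows.

```python
"""Constructed model of the EAP Chaining authorization outcome from the slide.

Added illustration, not Cisco or ISE code. At boot the device performs an
802.1X machine authentication. When the user logs on, the session information
from that machine authentication is sent together with the user credentials
as one authentication, and the pair of results decides the access level:
both valid -> corporate asset with a known owner, full access; only one valid
-> restricted; neither -> denied. Names, data and lifetimes are assumptions.
"""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set


class Access(Enum):
    FULL = "full corporate access"      # corporate asset + known user
    RESTRICTED = "restricted access"    # e.g. Internet-only / BYOD segment
    DENIED = "denied"


@dataclass(frozen=True)
class MachineSession:
    """Result of the 802.1X machine authentication performed at boot."""
    machine_id: str
    authenticated: bool
    issued_at: float                 # epoch seconds
    ttl_seconds: float = 8 * 3600    # assumed lifetime of the cached result

    def valid_at(self, now: float) -> bool:
        """A stale or failed machine result must not upgrade the user phase."""
        return self.authenticated and (now - self.issued_at) < self.ttl_seconds


# Constructed directory standing in for AD: machine accounts and user passwords.
CONSTRUCTED_MACHINE_ACCOUNTS: Set[str] = {"LAPTOP-0042$", "LAPTOP-0077$"}
CONSTRUCTED_USERS: Dict[str, str] = {"alice": "pw-alice", "bob": "pw-bob"}


def machine_auth(machine_id: str, now: float) -> MachineSession:
    """Machine phase: the credential is an AD machine account locked to the device."""
    return MachineSession(machine_id, machine_id in CONSTRUCTED_MACHINE_ACCOUNTS, issued_at=now)


def user_auth(username: str, password: str) -> bool:
    """User phase credential check against the constructed directory."""
    stored = CONSTRUCTED_USERS.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def chained_authorize(session: Optional[MachineSession], username: str, password: str, now: float) -> Access:
    """Evaluate both identity types in one authentication, as EAP Chaining does.

    machine valid + user valid -> FULL        (owner tied to a corporate asset)
    only user valid            -> RESTRICTED  (same credentials on a personal device)
    only machine valid         -> RESTRICTED  (corporate asset, unknown user)
    neither valid              -> DENIED
    """
    machine_ok = session is not None and session.valid_at(now)
    user_ok = user_auth(username, password)
    if machine_ok and user_ok:
        return Access.FULL
    if machine_ok or user_ok:
        return Access.RESTRICTED
    return Access.DENIED


if __name__ == "__main__":
    now = 1_700_000_000.0
    corp = machine_auth("LAPTOP-0042$", now)       # corporate laptop
    personal = machine_auth("HOME-PC$", now)       # personal device, no AD machine account
    print("corporate laptop, alice:", chained_authorize(corp, "alice", "pw-alice", now).value)
    print("personal device, alice :", chained_authorize(personal, "alice", "pw-alice", now).value)
    print("corporate laptop, bad  :", chained_authorize(corp, "mallory", "guess", now).value)
    print("expired machine session:", chained_authorize(corp, "alice", "pw-alice", now + 9 * 3600).value)
```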

Page 27: Cisco


Mobile Broadband (3G) Support

• Problems:

– Separate manager software for mobile broadband / 3G connections

– Difficult to enforce connection policies (priority order, roaming)

• Network Priority Order:

– Ethernet

– Corporate WiFi

– Mobile Broadband (WWAN)

• Solution:

– Cisco® AnyConnect Network Access Manager Version 3.1 or later

– Windows 7

– 3G Adapters supporting Mobile Broadband (NDIS) interface

* Full support in future

Page 28: Cisco


Enterprise Connection Enforcement

• Prevent Users From:

– Connecting to the corporate guest network

– Surfing the Internet by connecting to the 1st-floor coffee shop

– Hacking into the competitor’s network on the floor above

– Accessing apartment complex access points across the street

• Permit Users To:

– Connect to their home network

– Connect to Hotspots when traveling

• Desires:

– Connect to the “linksys” SSID at home but not at the office

– Solution that does not have to be managed on a location by location basis

• Solution:

– Connect only to specific corporate SSIDs when in range

– Prefer Ethernet over WiFi

* Full support in future

Page 29: Cisco


VPN Start Before Logon On Home Networks

• Needs:

– Support User Group Policies on machines that VPN into the corporate network from home

– Support home WiFi and Ethernet access

• Problems:

– VPN connections are initiated from the desktop (after logon)

– User GPOs are initiated as part of the logon process

– AnyConnect Start Before Logon (SBL) assumes network connectivity when the user logs onto the machine

– Users want to connect to their home networks using WiFi but the native connection manager does not support WiFi connections prior to logon

• Solution:

– Cisco AnyConnect Network Access Manager Version 3.1 or later

– Cisco AnyConnect Start Before Logon Module Version 3.1 or later

Page 30: Cisco

Next Generation Encryption
Featuring Suite B Cryptography

• Problem:

– Processors are getting faster, making it easier to crack cryptography

– Defcon 2012: New tool and service can decrypt any PPTP and WPA2 wireless session that uses MS-CHAPv2 authentication (http://www.networkworld.com/news/2012/072912-tools-released-at-defcon-can-261242.html)

• Next Generation Encryption:

– Certificate Keys up to 4,096 bits (previously supported)

– US National Security Agency (NSA) Suite B

• NSA Suite B:

– Elliptic Curve Diffie-Hellman Key Exchange

– Elliptic Curve Digital Signature Algorithm

• Solution:

– Cisco AnyConnect Network Access Manager Version 3.1 or later

* Full support in future

Page 31: Cisco


Uniform Encryption Across Media Types

• Problem:

– Non-uniform encryption policy across media types (WiFi and VPN encrypted – Ethernet is not)

– Possible data leakage through social engineering

• Desire:

– Encrypt Ethernet data, thwarting man-in-the-middle attacks

– MACsec (802.1ae)

– Conveniently support corporate encrypted and home unencrypted networks

• Solution:

– Non-FIPS: Cisco AnyConnect Network Access Manager Version 3.0 or later

– FIPS: Cisco AnyConnect Network Access Manager Version 3.1 or later

– MACsec capable Cisco switch

* Full support in future

Page 32: Cisco

Web Security
Featuring: Cisco Web Security, Cisco Cloud Web Security

Page 33: Cisco

Cisco Web Security Appliance

[Diagram: users outside the network authenticate through a corporate access device (Cisco® ASA) against Corporate AD; user identity is passed via WCCP to the Cisco Web Security Appliance, which mediates traffic from the trusted network to the untrusted network for News, Email, Social Networking and Enterprise Software as a Service (SaaS)]

Page 34: Cisco

Web Security with Cisco Cloud Web Security

[Diagram: the Cisco AnyConnect™ Secure Mobility Client steers Internet-bound web communications to Cisco Cloud Web Security, separately from internal communications]

Page 35: Cisco

Cisco AnyConnect for Cisco Cloud Web Security

• Cloud service – Always-On and always protected

• Provides

– Acceptable use policies

– Malware threat protection

– Application usage controls

– User choice of towers when traveling (eliminates local language problems)

• Can be used in conjunction with Cisco® Web Security Appliance or can stand alone

Page 36: Cisco

Cisco AnyConnect for Cisco Cloud Web Security

• Tunnels HTTP and HTTPS traffic through the Cisco® Cloud Web Security

• Fine-tunable web access policy management available

• Fully localizable and translatable

• Replacement for AnyWhere+ standalone client

Page 37: Cisco

Mobile: Mobile Posture & iOS On-Demand

Page 38: Cisco


Mobile Posture

• Additional access authorization capabilities based on endpoint

• Cisco® ASA 8.4.2+ and 8.2.5+

• Android 2.4.0 and Apple iOS 2.5.0

• AnyConnect™ 3.1+

Page 39: Cisco

On-Demand VPN for Apple iOS

• Auto-launch VPN

• Based on domain

• Certificate Authority only

• Three options:

– Always-Connect

– Connect-if-needed

– Never-Connect

• Wild-card support

– *.edu, *.net, *.com

Page 40: Cisco


IPv6

Page 41: Cisco

IPv6

Public tunneling               IPv4, IPv6, or dual IPv4 and IPv6
Internal address assignment    IPv4, IPv6, or dual IPv4 and IPv6
VPN protocol support           SSL and IPsec* IKEv2
Split tunneling for IPv6       Yes
DNS resolution                 IPv4 and IPv6
OS support                     Vista+, OS X 10.6+, and later

*Internal v6 tunneling initially for SSL only

Page 42: Cisco

IPv4 and IPv6 Supported Configurations

Client IP        Assigned IP      Cisco® ASA Headend   SSL and DTLS   IKEv2 (IPsec)
IPv4             IPv4             IPv4                 Yes            Yes
IPv4             IPv6             IPv4                 Yes            No
IPv4 and IPv6    IPv4             IPv4 and IPv6        Yes            Yes
IPv4 and IPv6    IPv6             IPv4 and IPv6        Yes            No
IPv4 and IPv6    IPv4 and IPv6    IPv4 and IPv6        Yes            No
IPv6             IPv4             IPv6                 Yes            Yes
IPv6             IPv6             IPv6                 Yes            No

Page 43: Cisco

IPv6: Capabilities

Supported

• VPN load balancing and Global Site Selector

• Session roaming (roaming to a network where the ASA resolves to a different IP address, for example due to NAT46 or NAT64)

• Cisco® Secure Desktop HostScan, prelogin check, and open IPv6 ports

• Split tunneling - include and exclude

To Be Supported / Not Supported

• Trusted network detection and always-on

• IP Protocol Bypass

• IP Protocol Fallback (fallback from 4-6 (or 6-4) during the initial connection when the primary ASA address is not reachable)

• IPv6 DNS

• NAT64

• Optimal gateway selection

• Captive portal

• Public proxy

• Private proxy

• WINS (not supported with IPv6)

Page 44: Cisco

Device Enrollment & Cisco AnyConnect Client Deployment

Page 45: Cisco

Simple Certificate Enrollment Protocol (SCEP)

[Diagram: the Client Device sends a SCEP request, encrypted in PKCS7, to the Cisco® ASA; the ASA forwards the request to the CA Server; the CA issues the certificate, which is delivered to the client]

• Auto-renewal

• Machine certificate validation

• Requirement that CA must be in auto-grant mode

• Specific settings needed for Windows Server 2008

Page 46: Cisco

Cisco AnyConnect Client Deployment
To Deploy Your Way

• Pre-deploy: Standalone software installed after downloading from cisco.com

• Web-deploy: Software pushed down from Cisco® ASA

• Built-in functions to Cisco products

• Third-party stores for mobile devices

[Figure: Pre-deploy, Web-deploy, Built-In, Third-Party Store (App Store; formerly Android Market)]

Page 47: Cisco

Cisco AnyConnect Profile Editors
Simplify Profile Configurations

Profile editors: VPN, Network Access Manager, Web Security, Telemetry

Page 48: Cisco


Clientless Features

Page 49: Cisco

Clientless SSO

• Submits user credentials to:

– Web servers

– CIFS and FTP servers

– Plug-ins

– Windows OS and IE Smart Tunnel apps

• Basic, NTLM, and CIFS

• SSO to bookmarks created with POST parameters

• MS KCD

• SAML

Page 50: Cisco


Portal Customization

• Minimal or full customization is possible

• Cisco® ASA has a built-in web server

• Homepage can be hosted on the ASA or an external server

Page 51: Cisco

New Clientless Enhancements

• Citrix Mobile Receiver support

– XenApp

– XenDesktop

• Auto-sign-on enhancements

– Templates

– Tool to capture form parameters

• New file browser

• Proxy server support

• Server certificate validation

• Clientless IPv6

• HTML5 rewriter support

Page 52: Cisco

Mobile Receiver Support

[Diagram: User Device connected using Citrix Online Plug-Ins over the Internet to a Cisco® ASA 5525 acting as the Access Gateway behind the outer firewall; the Web Interface installed behind the Access Gateway, the XML Service and the Secure Ticket Authority front the Server Farm of Published Applications behind the inner firewall]

Supports iOS and Android

Page 53: Cisco


Management and Troubleshooting

Page 54: Cisco

Management Options
Provide Versatility in Managing Your ASAs

Adaptive Security Device Manager (ASDM) for ASA

• Single device management

• Included with the Cisco® ASA

• Browser-launched, Java-based tool

– Configuration

– Event management

– Health and performance

– License management

– Monitoring

Cisco Security Manager (CSM)

• Scalable multi-device management

• Manage firewall, IPS, VPN, and Cisco IOS® Software

– Threat ID and resolution

– Reporting

– Configuration

– Event management

– Health and performance

– License management

Command Line Interface (CLI)

• Single device management

• SSH to the ASA

• Limited, thus recommended only for basic interface configuration and monitoring

• Useful for debugging

Page 55: Cisco

Troubleshooting

• ASDM Logging

• CLI show and debug commands

• DART

Page 56: Cisco


Telemetry & Quality Improvement

Page 57: Cisco


Telemetry

• Telemetry provides greater visibility into how systems are infected by identifying the source and applications of malware.

• Improves effectiveness of Cisco Web Security (CWS) reputation filtering

• Some examples of malicious activity include:

– Download of a file from a URL via the browser

– Copying of files from removable media

– Downloading contents from email

– File transfers from infected endpoints

• Reporting:

– Supports AES encryption of file and URL associations

– Exempts white-listed internal domains from report

– Reported URL depends on CWS sender base participation level

Page 58: Cisco


Quality Improvement Feature

• Benefits

– Cisco AnyConnect™ usage and quality data collected by Cisco

– Enables Cisco to focus more on customer-deployed features

– Improves user experience and quality

• What Gets Reported?

– Cisco AnyConnect™ installations and release number

– Cisco AnyConnect™ modules installed and enabled

– Distribution of OS platforms using Cisco AnyConnect™

– Number of core dumps of each module (by release, date, & OS platform)

– Web threat telemetry data*

• Is My Privacy Protected?

– Yes; no user information, machine name, MAC address, etc. is collected

– Administrator can also turn off this feature

*Requires telemetry module

Page 59: Cisco


Summary

Page 60: Cisco

Summary
Main Points

1. User-centric and BYOD enabled

• Supports user devices with client or clientless access

• Optimal transparent user experience with always-on connectivity

• SCEP proxy and predeployment device identification

2. Extensive support

• Broad support for desktop and mobile client OSs and clientless browsers

• Broad support for protocols and authentication methods

• Broad security gateways (Cisco® ASA, ASR, and ISR)

3. Security focused

• Broad authentication options (IEEE 802.1X, certificates, and LDAP)

• Posture and vault capabilities to secure client devices

• Integrates with Cisco WSA or Cisco ScanSafe Web Security

4. Enterprise proven

• Reliable, proven, scalable, load balanced, and highly available

• Strong international presence and 24-hours-a-day support

• Over 15 years of experience and frequent SC Magazine award winner

Page 61: Cisco


Resources

Cisco AnyConnect™

Twitter: http://twitter.com/#!/anyconnect

Facebook: http://www.facebook.com/anyconnect

Cisco® Security

Twitter: http://twitter.com/#!/ciscosecurity

Facebook: http://www.facebook.com/ciscosecurity

Blog: http://blogs.cisco.com/category/security

Cisco Borderless Networks

Blog: http://blogs.cisco.com/category/borderless

YouTube: http://www.youtube.com/user/Cisco

Stay Current on Cisco AnyConnect and Cisco Security

Page 62: Cisco

Thank you.

Ben Fischer, AnyConnect Product Manager, [email protected]

Page 63: Cisco

Audience Poll Questions (1-2)

Why do we not sell more AnyConnect Premium licenses?

1. What are AnyConnect Premium licenses?

2. AnyConnect Essentials licenses meet all of the customer’s needs.

3. AnyConnect Premium is too expensive compared to competitors.

4. It is hard to convey the value of AnyConnect Premium licenses.

5. Other: ____________

Why do Cisco AnyConnect and the ASA win a Remote Access deal? (choose more than one)

6. Lower Price than competition

7. Superior End User Experience

8. Superior Solution Feature Set (if so, which ones?)

9. Better Administrator experience

10. Customer has preference for Cisco

11. Other: ____________

Page 64: Cisco

Audience Poll Questions (3-4)

Why do Cisco AnyConnect and the ASA lose a Remote Access deal? (choose more than one)

1. Higher Price than competition

2. Weaker End User Experience

3. Missing Key Feature: (if so, which one?) _____________

4. Weak Administrator experience

5. Customer has preference for Competitor

6. Other: ____________

How can Cisco help you sell more AnyConnect Premium licenses?

7. Provide marketing collateral describing the benefits of Premium licenses

8. Provide partner training on the value of Premium licenses

9. Make simple bundle SKUs (single SKU) for common quoting configurations

10. Add more Premium only features

11. Other: _______________