Page 1
C97-712971-00 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
Ben Fischer
AnyConnect Product [email protected]
Cisco products, service or features identified in this document may not yet be available or may not be available in all areas and may be subject to change without notice. Consult your local Cisco business contact for information on the products or services available in your area. You can find additional information via Cisco’s World Wide Web server at http://www.cisco.com. Actual performance and environmental costs of Cisco products will vary depending on individual customer configurations and conditions.
ASA & AnyConnect Secure Mobility Solution: Secure VPN Connectivity
Page 2
C97-712971-00 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Forward-Looking Statements
“Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.”
ASA & AnyConnect: Secure VPN Connectivity
• Trends
• Overview
• AnyConnect
• Network Access Manager
• Web Security
• Mobile
• IPv6
• Enrollment & Client Deployment
• Clientless
• Management & Troubleshooting
• Telemetry & Quality Improvement
• Summary
Trends
Mobility Continues to Grow: Strong Growth in Devices, Use, and Connectivity
• 15 billion networked mobile devices by 2015
• 3/4 of employees using multiple devices
• 56% of information workers outside the office
• 95% of companies allow personal devices at work
The Platform Chaos Is Settling Down: Android Is Tops in Smartphones, and Apple Is Tops in Tablets
[Chart: "Employees Using Their Own Devices at Work", platform share for desktops, smartphones and tablets; the individual percentages are not recoverable from the extracted text]
Threats Continue to Develop: Malware Propagates in Vacuum of Neglect by Companies and Users
• Dramatic increase in malware-infected apps
– Up to 1 million people were affected by Android malware over a 6-month period
– Infected Android apps increased from 80 to more than 400 in 6 months
• Users slow to update
– Half of iPhone users do not regularly sync with iTunes and miss critical security updates
• Lack of BYOD policies
– 55% of organizations have no acceptable use policy for employee mobile devices
– Of those organizations with policies, only 45% enforce their policies
• Increasing malware and web threats
– Android users are 2.5 times more likely to encounter malware today than 6 months ago
– 3 in 10 Android owners will encounter a web-based threat on their Android device each year
Overview: AnyConnect Secure Mobility Solution
Secure VPN Connectivity: Solution Overview
• Internationalized
– IPv6 support
– UI translated into major languages
– International sales and support
• Simplified connectivity
– Optimal gateway selection
– Automatic hotspot negotiation
– Enterprise connection enforcement
– VDI support
• Next-generation unified security
– User and device identity
– EAP-FAST chaining
– Smartcard SSO
– Posture validation and remediation
– Integrated web security
• Flexible deployment
– Scalability and high availability
– Low TCO and increased productivity
[Diagram: "Secure, Consistent Access": branch office (wired), mobile user (cellular and Wi-Fi) and home office (Wi-Fi) connect to a Cisco® ASA at corporate HQ, with a site-to-site link to a Cisco ASA at partner HQ]
Secure Remote Access Through Client or Browser
Cisco AnyConnect™ (client)
• Broadest support
– Microsoft Windows, Mac OS X, Linux, Apple iOS, Android, etc.
– SSL (TLS and DTLS) or IPsec IKEv2
– Certificates, tokens, 2FA, LDAP, open source, IEEE 802.1X, MAB, and WebAuth
• Simple persistent connectivity
– Optimized user interface across platforms
– Always-on and transparent connectivity
– Network access manager for wired, wireless, and 3G
• Next-generation security
– Suite B cryptography and VDI access
Clientless
• Broadest support
– SSL VPN access using any browser
– Smart tunnels: broad application support
– TCP/IP application support: RDP, Telnet, and SSH
• Security and usability
– Single sign-on to many applications
– Dynamic access policies present defined resources to users that users can bookmark
– Citrix Receiver support
Cisco ASA: Remote Access Security Gateways (Solutions Ranging from the Branch to the Enterprise)
[Chart: performance and scalability by deployment: SOHO, branch office, campus, data center, Internet edge]
Firewall and VPN appliance:
• Cisco® ASA 5505: 100 Mbps, 25 users
Multiservice (firewall, VPN, and IPS):
• Cisco ASA 5512-X: 200 Mbps, 250 users
• Cisco ASA 5515-X: 250 Mbps, 250 users
• Cisco ASA 5525-X: 300 Mbps, 750 users
• Cisco ASA 5545-X: 400 Mbps, 2500 users
• Cisco ASA 5555-X: 700 Mbps, 5000 users
• Cisco ASA 5585 SSP-10: 1 Gbps, 5000 users
• Cisco ASA 5585 SSP-20: 2 Gbps, 10,000 users
• Cisco ASA 5585 SSP-40: 3 Gbps, 10,000 users
• Cisco ASA 5585 SSP-60: 5 Gbps, 10,000 users
Supported Platforms: Many Choices To Meet Varied Needs
Clients
• Desktop: Microsoft Windows, Mac OS X, Linux
• Mobile
– Apple iOS: iPhone and iPad
– Android smartphones: HTC, Motorola, Samsung; version 4.0+
– Android tablets: HTC, Lenovo, Motorola, Samsung; version 4.0+
– BB10 (future): smartphones, PlayBook
• Clientless
Infrastructure
• Secure Connectivity: Cisco® ASA, Cisco ISR*, Cisco ASR*, IEEE 802.1X switches
• Web Security: Cisco WSA, Cisco Cloud Web Security
• Identity and Policy: Cisco ISE, Cisco NAC
• Management: ASDM, CSM, CLI
*Note: Not all features supported on Cisco IOS® Software routers
Cisco AnyConnect Secure Mobility Licenses
• ESSENTIALS License at minimum cost: basic remote-access connectivity
• or PREMIUM License at minimum cost: clientless, Always-On, posture assessment, Suite B, and phone VPN
• MOBILE License at minimum cost
• ADVANCED ENDPOINT ASSESSMENT License
• FLEX License: good for short-term periods of high demand (e.g., emergencies and events)
• SHARED License: Premium licenses shared by multiple ASAs
Cisco AnyConnect Secure Mobility Client
AnyConnect Modules
The Cisco AnyConnect® Secure Mobility Client Consists of the Following Modules:
Windows OS X Linux iOS Android
VPN Yes Yes Yes Yes Yes
NAM Yes x x x x
WebSec Yes Yes x x x
Posture Yes x x x x
Telemetry Yes x x x x
DART Yes Yes x x x
Cisco ASA and AnyConnect Features
Feature Summary
Cisco AnyConnect® VPN Client
• IPsec and IKEv2
• SSL (TLS and DTLS)
• Modules: Network Access Manager and Web Security
• Optimal gateway selection
• Start Before Logon
• Auto reconnect
• Captive portal detection
• FIPS compliant
• Trusted network detection
• SCEP
HostScan
• Endpoint assessment and remediation
• Quarantine
• Keystroke logger detection
• Host emulation detection
• Cache cleaner
Clientless
• Rewriter
• Plug-ins
• Smart tunnels
• KCD
• Customizable
• Virtual desktop support
Network Access Manager
• 802.1X
• MACsec
Other
• Dynamic access policies
• Telemetry
• DART
Latest Feature Additions
Cisco AnyConnect 3.1
• Common user interface (Windows and OS X)
• Deferred update
• IPv6
• Network Access Manager module enhancements
• Suite B VPN; Suite B Network Access Manager
• Quality Improvement Module
• Updated FIPS compliance
• Web Security module enhancements
Cisco ASA 9.0
• ASA-Cisco Cloud Web Security integration
• Clientless SSL VPN enhancements
• Clientless access using Citrix Receiver
• Clustering and cluster LACP
• Custom policy attributes
• Easy clientless auto sign-on using capturing tool and templates
• IPv6
• Mixed context mode
• Multicontext site-to-site VPN
• Next-generation encryption (Suite B)
• OSPFv3
• Routing in security context
• SSL VPN SMP acceleration
Next Generation Encryption
• NSA Suite B algorithms
• ESPv3 with IKEv2
• 4096-bit RSA key operations
• Diffie-Hellman group 24
• Enhanced SHA2 message digest support (SHA-256 & SHA-384)
• Via IPsec on AnyConnect
• Premium License required to make AnyConnect Suite B connection
Session Persistence
• Auto-reconnect
• Roaming between wired and Wi-Fi, and between Wi-Fi and 3G
• No reauthentication
• Suspended on headend
• Maximum session timer
• VPN profile
Trusted Network Detection
• Auto-connect when out of office
• Auto-disconnect inside office
• Based on default domain name or DNS server IP
• Profile setting under VPN Group Policy
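The following evaluator, added here as an example and not AnyConnect's own code, shows how the two signals named above (default domain name and DNS server IP) can drive the auto-connect/auto-disconnect decision. The adapter snapshots, the profile values and the "any adapter matches" rule are constructed assumptions.

```python
"""Illustrative Trusted Network Detection (TND) evaluator.

Added as an example; this is not AnyConnect's code. Assumption: the client
reads each active adapter's DNS suffix (default domain name) and DNS server
addresses and treats the network as trusted if any adapter matches a trusted
domain or a trusted DNS server from the VPN profile.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Sequence, Tuple


@dataclass(frozen=True)
class Adapter:
    name: str
    dns_suffix: str                 # connection-specific DNS suffix, "" if none
    dns_servers: Tuple[str, ...]


@dataclass(frozen=True)
class TndProfile:
    trusted_dns_domains: Tuple[str, ...]
    trusted_dns_servers: Tuple[str, ...]         # addresses or CIDR prefixes
    trusted_network_policy: str = "Disconnect"   # inside the office
    untrusted_network_policy: str = "Connect"    # out of the office


# Constructed profile and adapter snapshots used by the checks below.
PROFILE = TndProfile(("corp.example.com",), ("10.1.1.53", "10.1.2.0/24"))
OFFICE = (Adapter("Ethernet", "corp.example.com", ("10.1.1.53",)),)
HOME = (Adapter("Wi-Fi", "lan", ("192.168.1.1",)),)
BRANCH = (Adapter("Wi-Fi", "", ("10.1.2.7",)),)   # no suffix, but the DNS server matches


def domain_matches(suffix: str, trusted: Sequence[str]) -> bool:
    """True if the suffix equals a trusted domain or lies beneath it."""
    s = suffix.lower().rstrip(".")
    if not s:
        return False
    for dom in trusted:
        d = dom.lower().rstrip(".")
        if s == d or s.endswith("." + d):
            return True
    return False


def server_matches(servers: Sequence[str], trusted: Sequence[str]) -> bool:
    """True if any DNS server address falls inside a trusted address or prefix."""
    nets = [ip_network(t, strict=False) for t in trusted]
    for srv in servers:
        try:
            addr = ip_address(srv)
        except ValueError:
            continue  # malformed entry from the OS: ignore rather than trust
        if any(addr in n for n in nets):
            return True
    return False


def on_trusted_network(adapters: Sequence[Adapter], profile: TndProfile) -> bool:
    # DNS suffix and DNS servers are handed out by the local network (DHCP), so this
    # is a convenience signal; the VPN server certificate still does the authenticating.
    return any(domain_matches(a.dns_suffix, profile.trusted_dns_domains)
               or server_matches(a.dns_servers, profile.trusted_dns_servers)
               for a in adapters)


def tnd_action(adapters, profile: TndProfile, vpn_connected: bool) -> str:
    """What the client should do now: 'connect', 'disconnect' or 'no-change'."""
    trusted = on_trusted_network(adapters, profile)
    policy = profile.trusted_network_policy if trusted else profile.untrusted_network_policy
    if policy == "Connect" and not vpn_connected:
        return "connect"        # auto-connect when out of the office
    if policy == "Disconnect" and vpn_connected:
        return "disconnect"     # auto-disconnect inside the office
    return "no-change"
```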
Optimal Gateway Selection: Connects to the Most Optimum Headend (HTTPS Request Approximated by Fastest Round-Trip Time)
[Diagram: measured round-trip times (23–35 ms) from the client to headends in New York, Boston, London and Los Angeles; the headend with the fastest HTTPS round trip is chosen]
Profile settings:
• Suspension Time Threshold (hours)
• Performance Improvement Threshold (%)
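As an added example (not Cisco's code), the model below works through the selection rule with the two profile settings above: a fresh client takes the fastest headend, while a client resuming from suspend keeps its headend unless the suspension lasted at least the suspension time threshold and the fastest headend beats the current one by at least the performance improvement threshold. The RTT samples and threshold values are constructed.

```python
"""Illustrative model of AnyConnect Optimal Gateway Selection (OGS).

Added as an example; this is not Cisco's code. Assumptions: the client
estimates each headend's HTTPS round-trip time (RTT) from a few probes,
picks the lowest, and on resume only switches headends when both profile
thresholds from the slide are satisfied.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional


@dataclass
class OgsProfile:
    # Both names come from the profile settings on the slide; values are constructed.
    suspension_time_threshold_hours: float = 4.0
    performance_improvement_threshold_pct: float = 20.0


@dataclass
class OgsState:
    current_gateway: Optional[str] = None   # headend the client is connected to, if any
    suspended_hours: float = 0.0            # length of the suspend that just ended


# Constructed RTT probes in milliseconds, in the spirit of the slide's diagram.
SAMPLE_RTTS_MS: Dict[str, List[float]] = {
    "New York": [25.0, 23.0, 24.0],
    "Boston": [28.0, 27.0, 25.0],
    "London": [33.0, 35.0, 26.0],
    "Los Angeles": [40.0, 39.0, 41.0],
}


def estimate_rtt(samples_ms: List[float]) -> float:
    """Median of the probes: one slow HTTPS request should not cause a switch."""
    return median(samples_ms)


def rank_gateways(rtts: Dict[str, List[float]]) -> List[str]:
    """Headend names ordered from fastest to slowest estimated RTT."""
    return [name for _, name in sorted((estimate_rtt(s), n) for n, s in rtts.items())]


def select_gateway(rtts, profile: OgsProfile, state: OgsState) -> str:
    """Return the headend to use now.

    A client with no current headend simply takes the fastest one.  A client
    resuming an existing session keeps its headend unless (1) it was suspended
    for at least the suspension time threshold and (2) the fastest headend
    beats the current one by at least the performance improvement threshold.
    """
    best = rank_gateways(rtts)[0]
    current = state.current_gateway
    if current is None or current not in rtts:
        return best
    if state.suspended_hours < profile.suspension_time_threshold_hours:
        return current  # short suspension: a reconnect is not worth the disruption
    current_rtt = estimate_rtt(rtts[current])
    improvement_pct = (current_rtt - estimate_rtt(rtts[best])) / current_rtt * 100.0
    if improvement_pct >= profile.performance_improvement_threshold_pct:
        return best
    return current


if __name__ == "__main__":
    for state in (OgsState(), OgsState("London", 1.0), OgsState("London", 8.0),
                  OgsState("Boston", 8.0)):
        print(state, "->", select_gateway(SAMPLE_RTTS_MS, OgsProfile(), state))
```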
Localization
• Cisco AnyConnect™ GUI and installer can be localized for different languages.
• Cisco AnyConnect is supported through MST (Microsoft Transform) format.
• Supported languages follow:
– Japanese
– French (Canadian)
– German
– Chinese
– Korean
– Spanish (Latin American)
– Czech
– Polish
• Custom localization can be done.
Network Access Manager
Cisco Network Access Manager
• Enterprise-focused connection manager
– Machine and/or user authentication
– Different credential types for machine and user authentication
– Certificates, tokens, username / password
– Pre-logon or post-logon user authentication
– Single Sign-On
– Locked enterprise profiles for low support cost
– Separate user profiles for easy migration
• Ethernet, WiFi, and mobile broadband (3G/4G) connectivity
• Policy Enforcement
– One connection at a time
– Session resumption
– Credential expiration
– Mobile broadband roaming
Cisco Network Access Manager Features On AnyConnect Client 3.1
• Differentiated Device Access (EAP Chaining)
• Mobile broadband (3G) support
• Enterprise Connection Enforcement
• IPv6 support (including dual-stack IPv4 and IPv6)
• Next Generation Encryption
• MACsec (802.1ae) FIPS 140-2 support
• VPN Start-Before-Logon on home networks
• Usability Enhancements
* Full support in future
Differentiating Network Access for Corporate / Personal Devices
• Desires:
– End-users want to use the same credentials for corporate and personal devices
– IT would like to authenticate the machine and the user in a single transaction
• Solution:
– Leverage AD machine credential locked to the machine
– EAP-FAST v2 (http://tools.ietf.org/id/draft-zhou-emu-eap-fastv2-00.txt)
• Solution Requirements:
– Cisco® AnyConnect Network Access Manager Version 3.1 or later
– Cisco Identity Services Engine (ISE) System 1.1.1 or later
– Ethernet switch or Wi-Fi access point configured for 802.1X
EAP Chaining
[Diagram: AnyConnect™ Network Access Manager 3.1 sends machine credentials and then user credentials (the user authentication includes both user and machine identity types) over RADIUS to Cisco® Identity Services Engine (ISE) 1.1.1 or later, which validates both against the AD database]
• EAP Chaining using EAP-FAST protocol extensions is supported
• EAP Chaining ties both the machine and user credentials to the device, thus the "owner" is using a corporate asset
• Machine credentials are authenticated to the network using 802.1X
• When the user logs onto the device, the session information from the machine authentication and user credentials is sent up to the network as part of the same authentication
• If both machine and user credentials are successfully validated, the "owner" is tied to the device, thus deeming it a corporate asset
• If both or either of these credentials fail, restricted or denied network access can be given according to the ISE authorization policy
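The model below, added as an example and not Cisco ISE or Network Access Manager code, walks through the two-step chain described above on the server side: the machine authentication returns a session bound to the machine identity, the user authentication carries that session, and the authorization policy distinguishes the four outcomes. The directory contents, the token format and the policy names are constructed.

```python
"""Illustrative model of EAP chaining authorization.

Added as an example; this is not Cisco ISE or Network Access Manager code.
Assumptions: the RADIUS side holds constructed AD machine and user accounts,
returns a keyed session token after the 802.1X machine authentication, and
the user authentication carries that token so that both identity types are
validated in one transaction before the authorization policy is applied.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

SERVER_KEY = secrets.token_bytes(32)   # per-process key that signs machine sessions
ITERATIONS = 50_000


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def _account(secret: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash(secret, salt)


# Constructed directory: computer accounts end in '$' as in Active Directory.
MACHINE_ACCOUNTS: Dict[str, Tuple[bytes, bytes]] = {"LAPTOP-42$": _account("machine-pw-constructed")}
USER_ACCOUNTS: Dict[str, Tuple[bytes, bytes]] = {"alice": _account("alice-pw-constructed")}


def _credentials_valid(accounts, name: str, secret: str) -> bool:
    salt, digest = accounts.get(name, (b"\0" * 16, b"\0" * 32))  # same work for unknown names
    ok = hmac.compare_digest(_hash(secret, salt), digest)
    return ok and name in accounts


def machine_authenticate(machine: str, secret: str) -> Optional[str]:
    """First link of the chain: 802.1X machine authentication.

    Returns a session token bound to the machine identity, or None on failure.
    """
    if not _credentials_valid(MACHINE_ACCOUNTS, machine, secret):
        return None
    tag = hmac.new(SERVER_KEY, machine.encode(), "sha256").hexdigest()
    return f"{machine}:{tag}"


def machine_from_token(token: Optional[str]) -> Optional[str]:
    """Recover the machine identity from a token, rejecting forged or altered ones."""
    if not token or ":" not in token:
        return None
    machine, tag = token.split(":", 1)
    expected = hmac.new(SERVER_KEY, machine.encode(), "sha256").hexdigest()
    return machine if hmac.compare_digest(tag, expected) else None


def authorize(machine_ok: bool, user_ok: bool) -> str:
    """Constructed ISE-style authorization policy for the four chaining outcomes."""
    if machine_ok and user_ok:
        return "corporate-asset-full-access"   # owner tied to a corporate device
    if user_ok:
        return "personal-device-restricted"    # known user on an unknown machine
    if machine_ok:
        return "machine-only-limited"          # e.g. pre-logon, no user yet
    return "denied"


def user_authenticate(user: str, secret: str, machine_token: Optional[str] = None) -> str:
    """Second link: user authentication that carries the machine session along."""
    machine_ok = machine_from_token(machine_token) is not None
    user_ok = _credentials_valid(USER_ACCOUNTS, user, secret)
    return authorize(machine_ok, user_ok)
```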
Mobile Broadband (3G) Support
• Problems:
– Separate manager software for mobile broadband / 3G connections
– Difficult to enforce connection policies (priority order, roaming)
• Network Priority Order:
– Ethernet
– Corporate WiFi
– Mobile Broadband (WWAN)
• Solution:
– Cisco® AnyConnect Network Access Manager Version 3.1 or later
– Windows 7
– 3G Adapters supporting Mobile Broadband (NDIS) interface
* Full support in future
Enterprise Connection Enforcement
• Prevent Users From:
– Connecting to the corporate guest network
– Surfing Internet by connecting to the 1st floor coffee shop
– Hacking into the competitor’s network on the floor above
– Accessing apartment complex access points across the street
• Permit Users To:
– Connect to their home network
– Connect to Hotspots when traveling
• Desires:
– Connect to the “linksys” SSID at home but not at the office
– Solution that does not have to be managed on a location by location basis
• Solution:
– Connect only to specific corporate SSIDs when in range
– Prefer Ethernet over WiFi
* Full support in future
VPN Start Before Logon On Home Networks
• Needs:
– Support User Group Policies on machines that VPN into the corporate network from home
– Support home WiFi and Ethernet access
• Problems:
– VPN connections are initiated from the desktop (after logon)
– User GPOs are initiated as part of the logon process
– AnyConnect Start Before Logon (SBL) assumes network connectivity when the user logs onto the machine
– Users want to connect to their home networks using WiFi but the native connection manager does not support WiFi connections prior to logon
• Solution:
– Cisco AnyConnect Network Access Manager Version 3.1 or later
– Cisco AnyConnect Start Before Logon Module Version 3.1 or later
Next Generation Encryption: Featuring Suite B Cryptography
• Problem:
– Processors are getting faster, making it easier to crack cryptography
– Defcon 2012: New tool and service can decrypt any PPTP and WPA2 wireless sessions using MS-CHAPv2 authentication (http://www.networkworld.com/news/2012/072912-tools-released-at-defcon-can-261242.html)
• Next Generation Encryption:
– Certificate Keys up to 4,096 bits (previously supported)
– US National Security Agency (NSA) Suite B
• NSA Suite B:
– Elliptic Curve Diffie-Hellman Key Exchange
– Elliptic Curve Digital Signature Algorithm
• Solution:
– Cisco AnyConnect Network Access Manager Version 3.1 or later
* Full support in future
Uniform Encryption Across Media Types
• Problem:
– Non-uniform encryption policy across media types (WiFi and VPN encrypted; Ethernet is not)
– Possible data leakage through social engineering
• Desire:
– Encrypt Ethernet data, thwarting man-in-the-middle attacks
– MACsec (802.1ae)
– Conveniently support corporate encrypted and home unencrypted networks
• Solution:
– Non-FIPS: Cisco AnyConnect Network Access Manager Version 3.0 or later
– FIPS: Cisco AnyConnect Network Access Manager Version 3.1 or later
– MACsec capable Cisco switch
* Full support in future
Web Security, featuring Cisco Web Security and Cisco Cloud Web Security
Cisco Web Security Appliance
[Diagram: users on the trusted corporate network reach news, email, social networking and enterprise Software as a Service (SaaS) through the Cisco Web Security Appliance, with WCCP redirection and user identity from corporate AD; users outside the network, on an untrusted network, connect through the Cisco® ASA, where the user authenticates and the user identity is passed to the appliance]
Web Security with Cisco Cloud Web Security
[Diagram: the Cisco AnyConnect™ Secure Mobility Client sends internet-bound web communications to Cisco Cloud Web Security and internal communications to the corporate network]
Cisco AnyConnect for Cisco Cloud Web Security
• Cloud service: Always-On and always protected
• Provides
– Acceptable use policies
– Malware threat protection
– Application usage controls
– User choice of towers when traveling (eliminates local language problems)
• Can be used in conjunction with Cisco® Web Security Appliance or can stand alone
Cisco AnyConnect for Cisco Cloud Web Security
• Tunnels HTTP and HTTPS traffic through the Cisco® Cloud Web Security
• Fine-tunable web access policy management available
• Fully localizable and translatable
• Replacement for AnyWhere+ standalone client
Mobile: Mobile Posture & iOS On-Demand
Mobile Posture
• Additional access authorization capabilities based on endpoint
• Cisco® ASA 8.4.2+ and 8.2.5+
• AnyConnect™ 2.4.0 for Android and AnyConnect 2.5.0 for Apple iOS
• AnyConnect™ 3.1+
On-Demand VPN for Apple iOS
• Auto-launch VPN
• Based on domain
• Certificate Authority only
• Three options:
– Always-Connect
– Connect-if-needed
– Never-Connect
• Wild-card support
– *.edu, *.net, *.com
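To make the three options and the wildcard matching concrete, here is an added evaluator (not Cisco's code). It assumes an ordered rule list where the first matching domain pattern wins and where Connect-if-needed consults a resolver to see whether the name is reachable without the tunnel; the rules and the resolver contents are constructed.

```python
"""Illustrative evaluator for AnyConnect On-Demand VPN rules on Apple iOS.

Added as an example; this is not Cisco's code. Assumptions: the profile holds
an ordered list of (domain pattern, action) rules, the first matching rule
wins, and 'Connect-if-needed' consults a resolver to see whether the name is
reachable without the VPN.
"""
from fnmatch import fnmatchcase
from typing import Callable, List, Tuple

ALWAYS, IF_NEEDED, NEVER = "Always-Connect", "Connect-if-needed", "Never-Connect"

# Constructed rule list; patterns use the wildcard form shown on the slide.
RULES: List[Tuple[str, str]] = [
    ("*.corp.example.com", ALWAYS),   # internal hosts: always bring the tunnel up
    ("*.example.com", IF_NEEDED),     # split-horizon names: only if they do not resolve
    ("*.edu", NEVER),                 # public sites: never trigger the VPN
]

# Constructed stand-in for the device resolver: names known on the public Internet.
PUBLIC_NAMES = {"www.example.com", "www.mit.edu"}


def resolves_without_vpn(hostname: str) -> bool:
    return hostname.lower() in PUBLIC_NAMES


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Case-insensitive wildcard match; '*.edu' matches any name ending in '.edu'."""
    return fnmatchcase(hostname.lower(), pattern.lower())


def on_demand_decision(hostname: str, rules=RULES,
                       resolver: Callable[[str], bool] = resolves_without_vpn) -> str:
    """Return 'connect', 'no-vpn' or 'no-rule' for a name the device is about to use."""
    for pattern, action in rules:
        if not hostname_matches(hostname, pattern):
            continue
        if action == ALWAYS:
            return "connect"
        if action == NEVER:
            return "no-vpn"
        if action == IF_NEEDED:
            return "no-vpn" if resolver(hostname) else "connect"
        raise ValueError(f"unknown on-demand action {action!r}")
    return "no-rule"  # not listed: on-demand does nothing for this name
```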
IPv6
IPv6
• Public tunneling: IPv4, IPv6, or dual IPv4 and IPv6
• Internal address assignment: IPv4, IPv6, or dual IPv4 and IPv6
• VPN protocol support: SSL and IPsec* IKEv2
• Split tunneling for IPv6: Yes
• DNS resolution: IPv4 and IPv6
• OS support: Vista+, OS X 10.6+, and later
*Internal v6 tunneling initially for SSL only
IPv4 and IPv6 Supported Configurations
Client IP       Assigned IP     Cisco® ASA Headend   SSL and DTLS   IKEv2 (IPsec)
IPv4            IPv4            IPv4                 Yes            Yes
IPv4            IPv6            IPv4                 Yes            No
IPv4 and IPv6   IPv4            IPv4 and IPv6        Yes            Yes
IPv4 and IPv6   IPv6            IPv4 and IPv6        Yes            No
IPv4 and IPv6   IPv4 and IPv6   IPv4 and IPv6        Yes            No
IPv6            IPv4            IPv6                 Yes            Yes
IPv6            IPv6            IPv6                 Yes            No
IPv6: Capabilities
Supported
• VPN load balancing and Global Site Selector
• Session roaming (roaming to a network where the ASA resolves to a different IP address, which may be due to NAT46 or NAT64)
• Cisco® Secure Desktop HostScan, prelogin check, and open IPv6 ports
• Split tunneling: include and exclude
To Be Supported / Not Supported
• Trusted network detection and always-on
• IP protocol bypass
• IP protocol fallback (fallback from 4-6 or 6-4 during the initial connection when the primary ASA address is not reachable)
• IPv6 DNS
• NAT64
• Optimal gateway selection
• Captive portal
• Public proxy
• Private proxy
• WINS (not supported with IPv6)
Device Enrollment & Cisco AnyConnect Client Deployment
Simple Certificate Enrollment Protocol (SCEP)
[Diagram: client device → Cisco® ASA → CA server. The SCEP request, encrypted in PKCS7, goes to the ASA; the ASA forwards the request to the CA server; the CA issues the certificate; the certificate is delivered to the client]
• Auto-renewal
• Machine certificate validation
• Requirement that CA must be in auto-grant mode
• Specific settings needed for Windows Server 2008
Cisco AnyConnect Client Deployment: To Deploy Your Way
• Pre-deploy: standalone software installed after downloading from cisco.com
• Web-deploy: software pushed down from Cisco® ASA
• Built-in functions in Cisco products
• Third-party stores for mobile devices (App Store and Google Play, formerly Android Market)
Cisco AnyConnect Profile Editors Simplify Profile Configurations
• VPN
• Network Access Manager
• Web Security
• Telemetry
Clientless Features
Clientless SSO
• Submits user credentials to:
– Web servers
– CIFS and FTP servers
– Plug-ins
– Windows OS and IE Smart Tunnel apps
• Basic, NTLM, and CIFS
• SSO to bookmarks created with POST parameters
• MS KCD
• SAML
Portal Customization
• Minimal or full customization is possible
• Cisco® ASA has a built-in web server
• Homepage can be hosted on the ASA or an external server
New Clientless Enhancements
• Citrix Mobile Receiver support
– XenApp
– XenDesktop
• Auto-sign-on enhancements
– Templates
– Tool to capture form parameters
• New file browser
• Proxy server support
• Server certificate validation
• Clientless IPv6
• HTML5 rewriter support
Mobile Receiver Support
[Diagram: a user device connected using Citrix online plug-ins reaches, over the Internet and through a firewall, the Cisco® ASA 5525 acting as the access gateway; behind it are the Web Interface installed behind the access gateway, the XML service, the Secure Ticket Authority and the server farm of published applications behind a second firewall. Supports iOS and Android]
Management and Troubleshooting
Management Options: Provide Versatility in Managing Your ASAs
Adaptive Security Device Manager (ASDM) for ASA
• Single device management
• Included with the Cisco® ASA
• Browser-launched, Java-based tool
– Configuration
– Event management
– Health and performance
– License management
– Monitoring
Cisco Security Manager (CSM)
• Scalable multi-device management
• Manage firewall, IPS, VPN, and Cisco IOS® Software
– Threat ID and resolution
– Reporting
– Configuration
– Event management
– Health and performance
– License management
Command Line Interface (CLI)
• Single device management
• SSH to the ASA
• Limited, thus recommended only for basic interface configuration and monitoring
• Useful for debugging
Troubleshooting
• ASDM logging
• CLI show and debug commands
• DART
Telemetry & Quality Improvement
Telemetry
• Telemetry provides greater visibility into how systems are infected by identifying the source and applications of malware.
• Improves effectiveness of Cisco Web Security (CWS) reputation filtering
• Some examples of malicious activity include:
– Download of a file from a URL in the browser
– Copying of files from removable media
– Downloading contents from email
– File transfers from infected endpoints
• Reporting:
– Supports AES encryption of file and URL associations
– Exempts white-listed internal domains from report
– Reported URL depends on CWS SenderBase participation level
Quality Improvement Feature
• Benefits
– Cisco AnyConnect™ usage and quality data collected by Cisco
– Enables Cisco to focus more on customer-deployed features
– Improves user experience and quality
• What Gets Reported?
– Cisco AnyConnect™ installations and release number
– Cisco AnyConnect™ modules installed and enabled
– Distribution of OS platforms using Cisco AnyConnect™
– Number of core dumps of each module (by release, date, & OS platform)
– Web threat telemetry data*
• Is My Privacy Protected?
– Yes; no user information, machine name, MAC address, etc. is collected
– Administrator can also turn off this feature
*Requires telemetry module
Summary
Summary: Main Points
1. User-centric and BYOD enabled
• Supports user devices with client or clientless access
• Optimal transparent user experience with always-on connectivity
• SCEP proxy and predeployment device identification
2. Extensive support
• Broad support for desktop and mobile client OSs and clientless browsers
• Broad support for protocols and authentication methods
• Broad support for security gateways (Cisco® ASA, ASR, and ISR)
3. Security focused
• Broad authentication options (IEEE 802.1X, certificates, and LDAP)
• Posture and vault capabilities to secure client devices
• Integrates with Cisco WSA or Cisco ScanSafe Web Security
4. Enterprise proven
• Reliable, proven, scalable, load balanced, and highly available
• Strong international presence and 24-hours-a-day support
• Over 15 years of experience and frequent SC Magazine award winner
Resources: Stay Current on Cisco AnyConnect and Cisco Security
Cisco AnyConnect™
• Twitter: http://twitter.com/#!/anyconnect
• Facebook: http://www.facebook.com/anyconnect
Cisco® Security
• Twitter: http://twitter.com/#!/ciscosecurity
• Facebook: http://www.facebook.com/ciscosecurity
• Blog: http://blogs.cisco.com/category/security
Cisco Borderless Networks
• Blog: http://blogs.cisco.com/category/borderless
• YouTube: http://www.youtube.com/user/Cisco
Thank you.
Ben Fischer
AnyConnect Product [email protected]
Audience Poll Questions (1-2)
Why do we not sell more AnyConnect Premium licenses?
1. What are AnyConnect Premium licenses?
2. AnyConnect Essentials licenses meet all of the customer’s needs.
3. AnyConnect Premium is too expensive compared to competitors.
4. It is hard to convey the value of AnyConnect Premium licenses.
5. Other: ____________
Why do Cisco AnyConnect and the ASA win a Remote Access deal? (choose more than one)
6. Lower Price than competition
7. Superior End User Experience
8. Superior Solution Feature Set (if so, which ones?)
9. Better Administrator experience
10. Customer has preference for Cisco
11. Other: ____________
Audience Poll Questions (3-4)
Why do Cisco AnyConnect and the ASA lose a Remote Access deal? (choose more than one)
1. Higher Price than competition
2. Weaker End User Experience
3. Missing Key Feature: (if so, which one?) _____________
4. Weak Administrator experience
5. Customer has preference for Competitor
6. Other: ____________
How can Cisco help you sell more AnyConnect Premium licenses?
7. Provide marketing collateral describing the benefits of Premium licenses
8. Provide partner training on the value of Premium licenses
9. Make simple bundle SKUs (single SKU) for common quoting configurations
10. Add more Premium only features
11. Other: _______________