Cisco Secure Mobility Solution

Abstract

When users access the Internet from their corporate office, their traffic is checked by a proxy-server for Acceptable Use Policy (AUP) controls, but when the same corporate computers connect from users' homes, no traffic filtering is performed. Cisco AnyConnect Secure Mobility combined with Cisco ASA and Cisco IronPort WSA provides a comprehensive solution to keep your roaming users as safe as your LAN users.

Sample

Introduction

Why is it that when users are accessing the Internet from their corporate office, their traffic is checked by a proxy-server for Acceptable Use Policy (AUP) controls, but when the same corporate computers connect from users' homes, no traffic filtering is performed? On the left of Figure 1, a user's web traffic is analyzed by the secure web gateway when he is at the office. On the right, the traffic from the same user, using the same laptop, is reaching directly to the web server.

Laptops of these roaming users could catch malware while visiting harmful sites. These same users would plug these laptops back into the corporate infrastructure the day after, and potentially infect other resources.

Cisco offers a solution that extends AUP controls to roaming users through the synergy achieved by using:

Cisco Adaptive Security Appliance (ASA) as VPN head-end device
Cisco IronPort Web Security Appliance (WSA) as secure web gateway
Cisco AnyConnect Secure Mobility as a client on remote devices

Cisco ASA

Cisco ASA supports multiple types of VPN connection scenarios, of which the most common are shown in Figure 2. This white paper focuses on remote access using the Cisco AnyConnect client.

Cisco IronPort WSA

Cisco IronPort WSA is the world-leading Secure Web Gateway according to Gartner. Secure Web Gateways are used to boost performance and to secure user traffic to and from the Internet. The WSA boosts performance by caching web responses, which are served to subsequent requests to the same site within a short period of time. Performance is an important motivation for organizations to invest in a Secure Web Gateway, but of equal or greater importance is securing their infrastructure with the best secure web gateway (web proxy) on their network, the Cisco IronPort WSA.

As shown on the left of Figure 3, when a user makes an HTTP, HTTPS, or FTP request to the Internet (step 1), the WSA authenticates the user and matches the request against the corporate AUP for, among other things, the URL category of the requested site (objectionable content?), time of day (peak business hours?), type of traffic (video? mp3?), reputation of the website (blacklisted?), and type of information uploaded (is company confidential material being posted?). If the request is allowed to go through (steps 2 and 3), the reply (steps 4 and 5) is scanned by the WSA's integrated anti-phishing and anti-malware engines before the response is passed to the user (step 6). The result is that the web traffic generated by the user's request and its reply complies fully with the organization's AUP.
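A simplified model of the request-side AUP checks listed above, added here as an illustration; it is not Cisco WSA code or configuration. The category names, reputation scale and threshold, peak hours, and confidential marker are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import time

# Constructed policy values for illustration; not Cisco WSA defaults.
POLICY = {
    "blocked_categories": {"adult", "gambling"},
    "peak_hours": (time(9, 0), time(17, 0)),
    "peak_blocked_types": {"video", "audio"},
    "min_reputation": -6.0,
    "confidential_markers": ("COMPANY CONFIDENTIAL",),
}

@dataclass
class WebRequest:
    user: str | None        # None means the user failed authentication
    url_category: str       # category assigned to the requested site
    reputation: float       # lower is worse (constructed scale)
    content_type: str       # e.g. "html", "video", "audio"
    at: time                # local time of the request
    upload_body: str = ""   # data the user is posting, if any

def evaluate(req: WebRequest, policy: dict = POLICY) -> tuple[str, str]:
    """Return (decision, reason) for the request-side AUP checks."""
    if req.user is None:
        return "block", "unauthenticated"
    if req.reputation < policy["min_reputation"]:
        return "block", "reputation"
    if req.url_category in policy["blocked_categories"]:
        return "block", "url_category"
    start, end = policy["peak_hours"]
    in_peak = start <= req.at < end
    if in_peak and req.content_type in policy["peak_blocked_types"]:
        return "block", "time_of_day"
    body = req.upload_body.upper()
    if any(marker in body for marker in policy["confidential_markers"]):
        return "block", "confidential_upload"
    # Allowed out; the reply is still scanned for malware before delivery.
    return "allow", "policy_ok"

if __name__ == "__main__":
    # Constructed sample requests.
    print(evaluate(WebRequest("alice", "news", 5.0, "html", time(10, 0))))
    print(evaluate(WebRequest("bob", "streaming", 4.0, "video", time(10, 0))))
```

Because the decision depends only on the request and the user, the same function gives the same answer whether the request arrives from the office LAN or through the VPN tunnel.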

Cisco AnyConnect Secure Mobility

Cisco AnyConnect Secure Mobility, also referred to as Cisco AnyConnect 3.0, is best known as the latest version of Cisco's SSL VPN full client, which provides VPN features needed for Secure Mobility.

Building on the example mentioned in the introduction, how could we provide the same level of host security to roaming users as we do to our internal clients? AnyConnect Secure Mobility can force all traffic generated from a roaming laptop back to the Head Office using a VPN tunnel, as shown on the right of Figure 3. The VPN traffic received by the ASA (step 1) is decrypted and passed to the WSA (step 2) for AUP analysis prior to sending the user's traffic out to the Internet (steps 3 and 4) for its intended destination. The return traffic goes through the process in reverse, as shown in steps 5 to 8. In Figure 3, our roaming user, using his corporate laptop, gets the same protection and restrictions as if he were connecting via the office LAN shown on the left of Figure 3.

The features covered in this white paper that enable secure roaming clients are:

Always-on VPN
Trusted Network Detection
Captive Portal Detection

Always-On VPN

The always-on VPN guarantees that the user is always connected to the corporate network. The user does not need to initiate the VPN connection; it comes up automatically upon successful login to the Windows 7, Windows Vista, or Mac OS computer. To do so, AnyConnect must be configured with the IP address or hostname of the VPN head-end devices.

The VPN session stays up until the user logs out or until the session timer expires. With Always-On, the user can't opt out of having a VPN tunnel built toward the head office. If the client loses its network connection, AnyConnect Always-On continues to try to re-establish the VPN session. In other words, the VPN is compulsory anytime the user is outside of the corporate network.

Date: 4/2/2012

Author: Catherine Paquet

Format: PDF

Pages: 7

Copyright ©2013 Global Knowledge Training LLC. All rights reserved.