Cisco AnyConnect Secure Mobility Client v2.x White Paper
© 2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Pitfalls of Enterprise Mobility Enablement
The VPN Opening—While providing flexibility for mobile workers, the VPN is perceived as one of the biggest
security holes in enterprises today. After companies spend countless sums on fortifying their Internet edge
perimeters, they fail to realize that laptops now form part of that edge. When Internet activity is channeled through
the corporate network, additional web proxy technology can block out harmful sites. Most VPN clients on the
market today can be cumbersome for end users, often requiring repetitive tasks for initiating sessions. This fact, as
well as bandwidth considerations, causes end users to roam freely on the Internet without the VPN initiated. The
effective split tunnel caused by non-protected Internet surfing introduces the opportunity for malware to infect an
endpoint and later propagate itself on the corporate network once that device is allowed back on.
The Cisco AnyConnect Secure Mobility Solution helps plug legacy VPN openings. In 2010, Cisco became the first
vendor to introduce a cross-platform solution for PCs (Windows, Mac, and Linux) that included a configurable,
persistent VPN plus integrated web security. When running in “always on” mode, the AnyConnect solution
facilitates consistent usage and a security policy enforced through the Cisco IronPort® Web Security Appliance.
Cisco AnyConnect client authentication credentials apply specific web usage policies and security that can vary
based on the location the user is connecting from (inside or outside the physical corporate perimeter).
The “Dark Web”—Given the explosive growth of web domains, most of the Internet remains unclassified. And
most PC endpoint infection today is propagated through malicious websites. Correlation or active scanning are
vehicles for more accurate classification of IP addresses that are part of the Dark Web. Cisco uses its industry-
leading web reputation filtering and dynamic on-the-fly classification technology to make sense of these websites.
Over time, Cisco’s Security Intelligence Operations (SIO) center enacts global correlation of the IP information
gained from most of Cisco’s security appliances and products.
The Port 80 Portal—Despite years of acknowledging TCP-based applications such as instant messaging as ripe
grounds for endpoint security infection, the problem has only gotten worse. With today’s Web 2.0 applications
fostering new levels of fast communication and social interaction, the potential for malicious links and security
threats has never been greater.
The AnyConnect Secure Mobility solution ensures that all endpoint traffic traversing port 80 is deeply inspected for
malicious content. In addition, a consistent security policy based on user or group identity can be applied, which
allows or denies access to specific web applications.
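The identity- and location-aware web policy described in this section and in the earlier VPN and Dark Web passages can be modelled as a small first-match rule engine. The following is an added illustration, not Cisco's configuration or code: the reputation table, group names, hostnames and rule set are all constructed for the example. The one design point worth noting is the first rule, which treats any destination the classification service has not categorized as hostile and denies it, and the default action, which is also deny.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for a web-reputation / classification
# service. Any host not present here is "unclassified" (the "Dark Web" case).
REPUTATION = {
    "intranet.example.com": "business",
    "mail.example-saas.com": "saas",
    "chat.example-social.com": "social",
}


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset          # identity groups the user belongs to
    location: str              # "inside" or "outside" the corporate perimeter
    host: str                  # destination host of the web request


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    group: Optional[str] = None      # None matches any group
    location: Optional[str] = None   # None matches any location
    category: Optional[str] = None   # None matches any category

    def matches(self, req: Request, category: str) -> bool:
        return ((self.group is None or self.group in req.groups)
                and (self.location is None or self.location == req.location)
                and (self.category is None or self.category == category))


# Assumed rule set, evaluated top to bottom; the first matching rule wins.
POLICY = [
    Rule("deny", category="unclassified"),   # unclassified web is hostile by default
    Rule("allow", group="engineering", category="business"),
    Rule("allow", group="engineering", category="saas"),
    Rule("allow", group="marketing", category="social", location="inside"),
    Rule("deny", group="marketing", category="social", location="outside"),
    Rule("allow", category="business"),      # any authenticated user, any location
]
DEFAULT_ACTION = "deny"                      # nothing matched: fail closed


def classify(host: str) -> str:
    """Look the destination up in the reputation table; unknown hosts are unclassified."""
    return REPUTATION.get(host, "unclassified")


def evaluate(req: Request):
    """Return (action, reason) for a web request under the first-match policy."""
    category = classify(req.host)
    for index, rule in enumerate(POLICY):
        if rule.matches(req, category):
            return rule.action, f"rule {index} ({category})"
    return DEFAULT_ACTION, f"default ({category})"


if __name__ == "__main__":
    sample = Request("bob", frozenset({"marketing"}), "outside", "chat.example-social.com")
    print(evaluate(sample))
```

Because the same rule set is evaluated whether the user is on the LAN or on the road, the only input that changes with location is the `location` field, which is what allows one policy to be stricter outside the perimeter without maintaining two policies.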
The SaaS Leak—An adjunct trend that has helped accelerate mobility has been the movement of corporate
applications outside of the internal data center. Applications that live on the web can be accessed from any device
that supports an Internet connection and provides access to a browser. Due to this trend, corporate data is
increasingly sitting behind public Internet sites that host software-as-a-service (SaaS) business applications. IT
groups may even be unaware of the full extent of use of SaaS applications within their corporate installed base.
Even for sanctioned and supported SaaS applications, the ability to monitor and manage access to these
distributed applications can be daunting. The AnyConnect Secure Mobility solution uses Security Assertion Markup
Language (SAML) to create a single point of authentication, revocation, and management for SaaS applications. For
supported applications, end users benefit from not needing to remember yet another password and seamlessly
access key SaaS applications as long as their IT group has not disabled their access.
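The "single point of authentication and revocation" property comes from the SAML trust model: every SaaS service provider (SP) trusts assertions only from one identity provider (IdP), so disabling a user at the IdP cuts off every SP at once. The example below is added here to show both halves of that exchange and is not Cisco's code; the IdP entity ID, the SP audience values and the user names are constructed. It deliberately does not implement XML signature verification: a real SP must verify the assertion's signature with a proper library (for example xmlsec) before running any of the checks shown here, and should parse untrusted XML with a hardened parser such as defusedxml.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_IDP = "https://idp.example.com"   # assumed IdP entity ID


def _fmt(ts: datetime) -> str:
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class IdentityProvider:
    """The single authentication point. Disabling a user here stops the IdP from
    issuing assertions for that user to any SP, which is the central revocation."""

    def __init__(self, entity_id: str):
        self.entity_id = entity_id
        self.disabled = set()

    def disable(self, user: str) -> None:
        self.disabled.add(user)

    def issue(self, user: str, audience: str, now: datetime,
              lifetime: timedelta = timedelta(minutes=5)):
        """Return an (unsigned, illustrative) assertion, or None if the user is disabled."""
        if user in self.disabled:
            return None
        return (
            '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            f"<saml:Issuer>{self.entity_id}</saml:Issuer>"
            f"<saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>"
            f'<saml:Conditions NotBefore="{_fmt(now)}" NotOnOrAfter="{_fmt(now + lifetime)}">'
            "<saml:AudienceRestriction>"
            f"<saml:Audience>{audience}</saml:Audience>"
            "</saml:AudienceRestriction>"
            "</saml:Conditions>"
            "</saml:Assertion>"
        )


def validate(assertion_xml: str, my_entity_id: str, trusted_issuer: str, now: datetime):
    """Service-provider side checks on an assertion whose signature has already
    been verified by the caller. Returns (ok, reason, name_id)."""
    root = ET.fromstring(assertion_xml)
    # 1. Only the one trusted IdP may vouch for users.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        return False, "untrusted issuer", None
    # 2. The validity window must contain "now" (NotOnOrAfter is exclusive).
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False, "missing Conditions", None
    if now < _parse(cond.get("NotBefore")) or now >= _parse(cond.get("NotOnOrAfter")):
        return False, "assertion outside validity window", None
    # 3. The assertion must have been issued for this SP, not replayed from another.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        return False, "audience mismatch", None
    # 4. A subject must be present to map to a local session.
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "missing NameID", None
    return True, "ok", name_id


if __name__ == "__main__":
    idp = IdentityProvider(TRUSTED_IDP)
    t0 = datetime(2011, 6, 1, 12, 0, tzinfo=timezone.utc)
    assertion = idp.issue("alice@example.com", "https://crm.example-saas.com", t0)
    print(validate(assertion, "https://crm.example-saas.com", TRUSTED_IDP, t0))
    idp.disable("alice@example.com")
    print(idp.issue("alice@example.com", "https://hr.example-saas.com", t0))
```

The audience check is what keeps one SaaS application's assertion from being presented to another, and the short validity window limits how long a captured assertion remains usable; both are things the SP must enforce itself, since the IdP cannot see what happens after it hands the assertion to the browser.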
Device Loss—A lost or stolen smartphone or tablet can be devastating to its owner, causing loss of money, loss of
personal and corporate information, and loss of productivity. However, the operational challenges and potential
legal ramifications for the business are much worse. The loss and potential misuse of sensitive information stored