Networking-Forums.com

Professional Discussions => Security => Topic started by: fsck on November 13, 2018, 01:32:34 PM

Title: AnyConnect vs other
Post by: fsck on November 13, 2018, 01:32:34 PM
In terms of security, is it better to go with AnyConnect than just using the built in Windows 10 VPN?  A colleague was saying it doesn't matter, but I kind of feel like it does matter.  Or is using AnyConnect just more of a standard.
Title: Re: AnyConnect vs other
Post by: deanwebb on November 13, 2018, 02:57:00 PM
Well... how many CVEs do you see for Windows 10 VPN? And how many for AnyConnect?
Title: Re: AnyConnect vs other
Post by: fsck on November 13, 2018, 04:01:46 PM
I had a feeling I was going to get an answer like that, but it's deserved.  So my hunch was on the right track.

Cisco AnyConnect it is!!!
Title: Re: AnyConnect vs other
Post by: icecream-guy on November 14, 2018, 05:52:54 AM
How many bugs do you see for Windows 10 VPN ?  or Cisco AnyConnect?
Title: Re: AnyConnect vs other
Post by: deanwebb on November 14, 2018, 07:52:05 AM
Quote from: fsck on November 13, 2018, 04:01:46 PM
I had a feeling I was going to get an answer like that, but it's deserved.  So my hunch was on the right track.

Cisco AnyConnect it is!!!

To be fair to you, I just checked the answer to my questions.

That Windows list is very, very long. :problem?:

The Cisco list is shorter than that. :)
Title: Re: AnyConnect vs other
Post by: Otanx on November 14, 2018, 09:32:53 AM
From just a security perspective I think it is a toss up. Both are going to use the normal encryption, and stuff to build the VPN tunnel. So it comes down to implementation of those. You can't review the code of either so that is a wash. You can look at historical data as mentioned, but that doesn't mean one or the other won't have an issue in the future. More importantly you can look at how quickly they have patched when something is reported. If one of them takes an average of 90 days to release a patch, and the other takes 30 you can make the assumption that if an issue is found in the future one will patch it quicker than the other. Also you can look at the open bug lists, and see if anything is an issue.

-Otanx

Title: Re: AnyConnect vs other
Post by: fsck on November 14, 2018, 11:59:29 AM
This is exactly why I came here.  You guys always give me good insight and help.

If I may ask, what are you guys running in your environments?

I'm using Meraki in my environment, so this is why I'm looking at the ASAv for CAVPN.  No AnyConnect support with the MX.   :(
Title: Re: AnyConnect vs other
Post by: Otanx on November 14, 2018, 02:30:49 PM
I would say it comes down to what fits the environment better. If you already use Meraki (do you already have an MX?) then I would just use the built in VPN client with the MX. I feel that the money spent on an ASAv and AnyConnect licensing isn't worth it unless there is a specific requirement that isn't supported with the MX/Windows client setup.

-Otanx
Title: Re: AnyConnect vs other
Post by: fsck on November 14, 2018, 05:01:01 PM
We do already have an MX, but as deanwebb brought to light, the CVE list for Win10 VPN is quite long.  Going down the AnyConnect method seems like it would be a safer path.  Cisco AnyConnect also integrates with AMP and Umbrella services that we also have, so I thought this was a great plus. And it also boasts better network visibility, which I myself need to research more to find out what that exactly means.
Title: Re: AnyConnect vs other
Post by: Dieselboy on November 15, 2018, 12:26:41 AM
Great question, OP!
Great responses guys!  8)
Title: Re: AnyConnect vs other
Post by: icecream-guy on November 15, 2018, 06:19:35 AM
Think about how you are planning to do the backend AAA, that may help.  We're mainly a Cisco shop running ASA, AnyConnect, have AD and RSA for back end AAA now, but are moving to Cisco ISE, to allow some of those benefits, posturing and such.

Running the front end is pretty simple, some support issues I suppose, varied client host configurations PC, Mac.  If they are standard configuration like work issued laptop, much better for testing; if you are allowing users to connect from home, on unknown configured computers, much more difficult on support.  You'll need to work out a plan for testing new releases, and to get them pushed out fairly quickly to mitigate vulnerabilities.  I forgot to mention policy as well, is there a VPN policy in place, split tunnel, and all that, monitoring etc...
Title: Re: AnyConnect vs other
Post by: fsck on November 16, 2018, 02:17:31 AM
The plan was to have users connect to AWS virtual workspaces, utilizing Cisco DUO for 2FA.  AnyConnect would be installed on the AWS workspace, that would establish the VPN connection to the office.  I was thinking to do yet another 2FA method prior to AnyConnect connecting.

But using AWS workspaces eliminates the unknown configured computers, well in a way, because they still have to use their computer.  But this is a little more of a controlled method.

I'm thinking to throw in PacketFence in the mix.

@ristau ISE is a beast, but when you tame it and get it under control it's an epic creature of the network.  A few issues with RSA, with policy nodes losing connectivity and you need TAC to login as admin to fix it.  Hopefully fixed after ver 2.3 patch 3 which we are running now.
Title: Re: AnyConnect vs other
Post by: deanwebb on November 16, 2018, 09:10:44 AM
Quote from: fsck on November 16, 2018, 02:17:31 AM

@ristau ISE is a beast, but when you tame it and get it under control it's an epic creature of the network. 

[vendor] If you like ISE, have I got a product for you... :smug: [/vendor]
Title: Re: AnyConnect vs other
Post by: fsck on November 16, 2018, 10:58:27 AM
Spill the beans Dean!!! I'm dying to know! ClearPass maybe?
Title: Re: AnyConnect vs other
Post by: Otanx on November 16, 2018, 11:14:32 AM
I am betting it is a Belkin product.

-Otanx
Title: Re: AnyConnect vs other
Post by: deanwebb on November 20, 2018, 10:16:58 AM
Quote from: fsck on November 16, 2018, 10:58:27 AM
Spill the beans Dean!!! I'm dying to know! ClearPass maybe?

Quote from: Otanx on November 16, 2018, 11:14:32 AM
I am betting it is a Belkin product.

-Otanx


No, and no...  :smug:

Perhaps you may have heard about "ForeScout CounterACT"? Let me tell you all about it...

Title: Re: AnyConnect vs other
Post by: wintermute000 on November 25, 2018, 05:07:54 AM
Why not just VPN the workspaces VPC back to your office?
Title: Re: AnyConnect vs other
Post by: fsck on November 25, 2018, 12:39:52 PM
Quote from: wintermute000 on November 25, 2018, 05:07:54 AM
Why not just VPN the workspaces VPC back to your office?
So I actually did that as I need to get AD servers up and running up in the cloud.  The virtual workspaces reside now in that VPC with a VPN connection back to the office, so now to add security I would utilize Cisco DUO for 2FA.  But the users that require VPN access from home will need to hit the ASA for CAVPN.

@wintermute000 are you working with AWS or Azure these days?  Or any other cloud project?