AnyConnect vs other

fsck · November 13, 2018, 01:32:34 PM

In terms of security, is it better to go with AnyConnect than just using the built in Windows 10 VPN? A colleague was saying it doesn't matter, but I kind of feel like it does matter. Or is using AnyConnect just more of a standard.

deanwebb · November 13, 2018, 02:57:00 PM

Well... how many CVEs do you see for Windows 10 VPN? And how many for AnyConnect?

fsck · November 13, 2018, 04:01:46 PM

I had a feeling I was going to get an answer like that, but it's deserved. So my hutch was on the right track.

Cisco AnyConnect it is!!!

icecream-guy · November 14, 2018, 05:52:54 AM

How many bugs do you see for Windows 10 VPN ? or Cisco AnyConnect?

deanwebb · November 14, 2018, 07:52:05 AM

Quote from: fsck on November 13, 2018, 04:01:46 PM
I had a feeling I was going to get an answer like that, but it's deserved. So my hutch was on the right track.

Cisco AnyConnect it is!!!

To be fair to you, I just checked the answer to my questions.

That Windows list is very, very long.

The Cisco list is shorter than that.

Otanx · November 14, 2018, 09:32:53 AM

From just a security perspective I think it is a toss up. Both are going to use the normal encryption, and stuff to build the VPN tunnel. So it comes down to implementation of those. You can't review the code of either so that is a wash. You can look at historical data as mentioned, but that doesn't mean one or the other won't have an issue in the future. More importantly you can look at how quickly they have patched when something is reported. If one of them takes an average of 90 days to release a patch, and the other takes 30 you can make the assumption that if an issue is found in the future one will patch it quicker than the other. Also you can look at the open bug lists, and see if anything is an issue.

-Otanx

fsck · November 14, 2018, 11:59:29 AM

This is exactly why I came here. You guys always give me good insight and help.

If I may ask, what are you guys running in your environments?

I'm using Meraki in my environment, so this is why I'm looking at the ASAv for CAVPN. No AnyConnect support with the MX.

Otanx · November 14, 2018, 02:30:49 PM

I would say it comes down to what fits the environment better. If you already use Meraki (do you already have an MX?) then I would just use the built in VPN client with the MX. I feel that the money spent on an ASAv and AnyConnect licensing isn't worth it unless there is a specific requirement that isn't supported with the MX/Windows client setup.

-Otanx

fsck · November 14, 2018, 05:01:01 PM

We do already have an MX, but as deanwebb brought to light, the CVE list for Win10 VPN is quite long. Going down the AnyConnect method seems like it would be a safer path. Cisco AnyClient also integrates with AMP and Umbrella services that we also have, so I thought this was a great plus. And it also boasts for better network visibility, which I myself need to research more what that exactly means.

Dieselboy · November 15, 2018, 12:26:41 AM

Great question, OP!
Great responses guys!

icecream-guy · November 15, 2018, 06:19:35 AM

think about how you are planning to do the backend AAA, that may help, were mainly a Cisco shop running ASA, anyconnect, have AD and RSA for back end AAA now, but are moving to Cisco ISE, to allow some of those benefits, posturing and such.

Running the font end is pretty simple, some support issues I suppose, varied client host configurations PC, MAC, if they are standard configuration like work issued laptop, much better for testing, if you are allowing users to connect from home, on unknown configured computers, much more difficult on support. you'll need to work out a plan for testing new releases, and to get them pushed out fairly quickly to mitigate vulnerabilities. I forgot to mention policy as well, is there a VPN policy in place, split tunnel, and all that, monitoring etc...

fsck · November 16, 2018, 02:17:31 AM

The plan was to have users connect to AWS virtual workspaces, utilizing Cisco DUO for 2FA. AnyConnect would be installed on the AWS workspace, that would establish the VPN connection to the office. I was thinking to do yet another 2FA method prior to AnyConnect connecting.

But using AWS workspaces eliminates the unknown configured computers, well in a way because they still have to use there computer. But this is a little more of a controlled method.

I'm thinking to throw in PacketFence in the mix.

@ristau ISE is a beast, but when you tame it and get it under control it's an epic creature of the network. A few issues with RSA, with policy nodes losing connectivity and you need TAC to login as admin to fix it. Hopefully fixed after ver 2.3 patch 3 which we are running now.

deanwebb · November 16, 2018, 09:10:44 AM

Quote from: fsck on November 16, 2018, 02:17:31 AM

@ristau ISE is a beast, but when you tame it and get it under control it's an epic creature of the network.

[vendor] If you like ISE, have I got a product for you...

[/vendor]

fsck · November 16, 2018, 10:58:27 AM

Spill the beans Dean!!! I'm dying to know! ClearPass maybe?

Otanx · November 16, 2018, 11:14:32 AM

I am betting it is a Belkin product.

-Otanx