Is Cisco AnyConnect the right VPN choice for remote working?

Cisco is a powerhouse in network technology, but how does its AnyConnect VPN product stack up to today’s remote working demands?

Despite first being introduced as technologies more than two decades ago, the humble VPN has continued to be a prominent part of almost every single organization’s remote working backbone. Originally designed as a way to access on-site resources from elsewhere in a secure way, today the demands of modern working are far greater than this simple functionality. Events in 2020 have demonstrated that most companies are simply not ready to move away from using VPNs – they’re going to be around for a long time yet. What has changed is the emerging consensus that tunneling all traffic back to your corporate network is less desirable than employing a VPN that is there when you need it, and absent when you don’t.

IT leaders may look to some of the biggest names in the VPN space, such as Palo Alto Global Protect, Pulse Secure or Microsoft’s Direct Access. A large number of organizations may also rely on solutions offered by Cisco, meaning its AnyConnect remote access product might be an obvious choice.

Cisco AnyConnect is a popular VPN that co-exists effectively with other Cisco products. Designed in an era when remote access was primarily done on smaller scales in fixed environments, it is well suited to a vast number of organizations that have simple, hardware-based VPN requirements – but it’s not a good fit for everyone.

Richard Hicks, VPN and network technology expert

Here’s a quick overview of Cisco AnyConnect and factors you should consider when implementing or expanding your use of VPNs.

Architecture

AnyConnect offers a desktop client (SSL or IPSec), a clientless portal, and a solution for mobile phones and tablets. Like many legacy Cisco products, it requires purpose-built hardware and is often bundled with other appliances, such as those used for firewall products. That does mean pricing can become more complicated with additional costs for backup, load balancing, administration, maintenance and capacity planning. IT leaders should also ensure they have robust upgrading strategies, as future proofing these products will require additional investment as updates are introduced and hardware begins to age.

Much like any hardware-based technology, delivery and installation is never instant so admins should account for lengthy implementation cycles to get AnyConnect configured. Reliance on physical appliances also means challenges when scaling a VPN across an organization. If fluctuations in workers requiring VPNs are expected, IT teams should instead look to software-based VPNs, which can be installed on any physical server or even in the cloud, such as in Azure or AWS, allowing for significantly more flexibility.

---

---

Employee experience

Ultimately any product that the IT team expects its end-users to work with must be at the very least unobtrusive to the worker. VPNs have, sadly, a reputation for being annoying to have to use. There is a well-founded perception that VPN clients actively degrade the user experience, drain the battery life, struggle with video connections, slow down network speeds and constantly demand reauthentication. Applications sessions will be restarted when network conditions change (such as switching from 4G to WiFi) and will disconnect entirely when coverage is weak.

Combined, these problems will make the average employee shudder when told to switch on their VPN. Cisco AnyConnect relies on legacy SSL and IPSec VPN technologies, meaning it is among those that are vulnerable to these end-user experience issues. Many security and IT products are for the great benefit of the company but the productivity and morale of workers can suffer. This can be seen in the relatively low user app store ratings and many public online complaints about using AnyConnect, despite largely favorable reviews from administrators.

---

---

Visibility and policy

At the most basic level, VPNs like AnyConnect are designed to create a tunnel from a device operating outside the corporate perimeter straight into the network, allowing it to operate as if it were connected directly to it. AnyConnect offers a number of features that go beyond this, granting admins with extended visibility and control of workers. Among these features is Network Access Control (NAC), which is available via the AnyConnect FirePower module, allowing for traffic flow analysis once the device is connected. It also provides IP-based policy capabilities, meaning connections can be blocked and access restricted.

The functionality is limited however, as it is unable to manipulate traffic at the application level and is not network-aware, which means policy cannot be based on the conditions of the request. More intelligent policy engines can factor in the strength and security of a network, the configuration of the device, the application being used and even the category and risk profile of a website that a user is visiting. Cisco AnyConnect does not gather any of this data and does not allow for granular or context-sensitive policy controls.

---

---

Diagnostics and analytics

When employees are working inside an office or a location in close proximity to the IT team, using corporate-managed networks and on company-owned devices, troubleshooting is relatively straightforward. Network problems can be diagnosed, devices can be updated and issues identified. Challenges emerge for remote workers, however. Working on rapidly-changing networks, from home WiFi to cellular connections, means that helpdesk are often entirely unable to help remote workers figure out solutions to the problems they might encounter.

While not a traditional component of a VPN, some are able to provide rich data into the configuration of the device, the performance of the network and hundreds of other potential causes of issues as they emerge – such as employees struggling with ccaptive portals on public WiFi or misconfigured SIM cards. Equipped with these insights, IT support is able to understand employee problems much more swiftly and effectively, enabling remote workforces to be more productive and happier overall. Unfortunately Cisco AnyConnect does not feature any diagnostics, visibility or analytics functionality, leaving remote workers at the mercy of their own ability to troubleshoot IT issues.

---

---

Summary

Cisco AnyConnect is in widespread use and is frequently bundled alongside other Cisco deployments. All kinds of companies get great value from their AnyConnect investments, and it will continue to be a reliable, straightforward choice for many.

The reality today, however, is that most workplaces have changed dramatically since this technology was first designed. A growing volume of organizations are instead turning to mobile-first software solutions that offer a better experience, richer analytics and a more robust policy engine.

NetMotion has become the premier choice in the VPN market, with hundreds of its customers making the switch from other solutions as remote and mobile working become increasingly important. It today supports over 3000 organizations and one million workers that cannot afford to compromise when it comes to user experience, including 7 of the top 10 largest airlines and powers three quarters of first responders in North America. Organizations wishing to test the products in a head-to-head capacity can do so for free by getting in touch with one of our experts.

• Verified IT and security leaders reveal highest-rated ZTNA platforms in new G2 Grids
• Best practices in finance IT: Sven Goelles from Lincoln International
• Inside NetMotion: A security engineer’s view of SASE
• Best practices in public safety: Alex Bowen of the UK’s National Enabling Programmes
• Accountancy firms look for best practices in a “work-from-anywhere” world