Cisco is a powerhouse in network technology, but how does its AnyConnect VPN product stack up to today’s remote working demands?
Despite first being introduced more than two decades ago, the humble VPN remains a prominent part of almost every organization’s remote working backbone. Originally designed as a secure way to access on-site resources from elsewhere, it now faces demands from modern working that go far beyond this simple functionality. Events in 2020 have demonstrated that most companies are simply not ready to move away from using VPNs – they’re going to be around for a long time yet. What has changed is the emerging consensus that tunneling all traffic back to your corporate network is less desirable than employing a VPN that is there when you need it, and absent when you don’t.
IT leaders may look to some of the biggest names in the VPN space, such as Palo Alto Global Protect, Pulse Secure or Microsoft’s Direct Access. A large number of organizations may also rely on solutions offered by Cisco, meaning its AnyConnect remote access product might be an obvious choice.
Cisco AnyConnect is a popular VPN that co-exists effectively with other Cisco products. Designed in an era when remote access was primarily done on smaller scales in fixed environments, it is well suited to a vast number of organizations that have simple, hardware-based VPN requirements – but it’s not a good fit for everyone.
Richard Hicks, VPN and network technology expert
Here’s a quick overview of Cisco AnyConnect and factors you should consider when implementing or expanding your use of VPNs.
Architecture
AnyConnect offers a desktop client (SSL or IPSec), a clientless portal, and a solution for mobile phones and tablets. Like many legacy Cisco products, it requires purpose-built hardware and is often bundled with other appliances, such as those used for firewall products. That does mean pricing can become more complicated with additional costs for backup, load balancing, administration, maintenance and capacity planning. IT leaders should also ensure they have robust upgrading strategies, as future proofing these products will require additional investment as updates are introduced and hardware begins to age.
Much like any hardware-based technology, delivery and installation is never instant so admins should account for lengthy implementation cycles to get AnyConnect configured. Reliance on physical appliances also means challenges when scaling a VPN across an organization. If fluctuations in workers requiring VPNs are expected, IT teams should instead look to software-based VPNs, which can be installed on any physical server or even in the cloud, such as in Azure or AWS, allowing for significantly more flexibility.
When to choose AnyConnect
- Cisco AnyConnect is ideal for well-resourced IT teams with existing Cisco hardware, operating in environments unlikely to change for the foreseeable future.
When to choose something better
- Cisco AnyConnect is poorly suited for organizations with limited IT management resource, especially those that require simpler, swifter deployments and have unpredictable scaling requirements. In these instances, leaders should look for a software-based VPN solution instead.
Employee experience
Ultimately any product that the IT team expects its end-users to work with must be at the very least unobtrusive to the worker. VPNs have, sadly, a reputation for being annoying to have to use. There is a well-founded perception that VPN clients actively degrade the user experience, drain the battery life, struggle with video connections, slow down network speeds and constantly demand reauthentication. Application sessions will be restarted when network conditions change (such as switching from 4G to WiFi) and will disconnect entirely when coverage is weak.
Combined, these problems will make the average employee shudder when told to switch on their VPN. Cisco AnyConnect relies on legacy SSL and IPSec VPN technologies, meaning it is among those that are vulnerable to these end-user experience issues. Many security and IT products are for the great benefit of the company but the productivity and morale of workers can suffer. This can be seen in the relatively low user app store ratings and many public online complaints about using AnyConnect, despite largely favorable reviews from administrators.
When to choose AnyConnect
- Cisco AnyConnect is a solid choice for organizations with workers operating in fixed environments on reliable networks and where employee experience is a low priority. Examples include organizations that do not anticipate large-scale remote working periods, or those without mobile/field employees.
When to choose something better
- Cisco AnyConnect is not recommended for environments in which network performance is unstable, slow or unpredictable. It also actively degrades the user experience, making it unsuitable for industries with high value employees or a mission-critical remote workforce. In these instances, leaders should look for a mobile-first, optimized VPN that improves the employee experience.
Visibility and policy
At the most basic level, VPNs like AnyConnect are designed to create a tunnel from a device operating outside the corporate perimeter straight into the network, allowing it to operate as if it were connected directly to it. AnyConnect offers a number of features that go beyond this, granting admins extended visibility and control of workers. Among these features is Network Access Control (NAC), which is available via the AnyConnect FirePower module, allowing for traffic flow analysis once the device is connected. It also provides IP-based policy capabilities, meaning connections can be blocked and access restricted.
The functionality is limited however, as it is unable to manipulate traffic at the application level and is not network-aware, which means policy cannot be based on the conditions of the request. More intelligent policy engines can factor in the strength and security of a network, the configuration of the device, the application being used and even the category and risk profile of a website that a user is visiting. Cisco AnyConnect does not gather any of this data and does not allow for granular or context-sensitive policy controls.
When to choose AnyConnect
- Cisco AnyConnect offers a simple, effective VPN with basic NAC controls for reducing an organization’s risk surface. It meets a standard requirement for remote access in companies already using SDP, ZTNA and CASB solutions to administer usage policies outside the perimeter.
When to choose something better
- Cisco AnyConnect provides extremely limited policy controls for organizations concerned about access to sensitive data. It has almost no insight into the nature of each connection – making it unsuited to risk-averse environments or workplaces in need of a robust acceptable usage policy for remote workers. In these instances, IT leaders should seek a solution that includes a more powerful, context-aware policy engine.
Diagnostics and analytics
When employees are working inside an office or a location in close proximity to the IT team, using corporate-managed networks and on company-owned devices, troubleshooting is relatively straightforward. Network problems can be diagnosed, devices can be updated and issues identified. Challenges emerge for remote workers, however. Working on rapidly-changing networks, from home WiFi to cellular connections, means that helpdesk staff are often entirely unable to help remote workers figure out solutions to the problems they might encounter.
While not a traditional component of a VPN, some are able to provide rich data into the configuration of the device, the performance of the network and hundreds of other potential causes of issues as they emerge – such as employees struggling with captive portals on public WiFi or misconfigured SIM cards. Equipped with these insights, IT support is able to understand employee problems much more swiftly and effectively, enabling remote workforces to be more productive and happier overall. Unfortunately Cisco AnyConnect does not feature any diagnostics, visibility or analytics functionality, leaving remote workers at the mercy of their own ability to troubleshoot IT issues.
When to choose AnyConnect
- Cisco AnyConnect, like most VPNs, delivers simple remote access for organizations that do not regularly rely on remote working, or those that have flexible, well-tooled and conveniently-located IT support to help employees working from home.
When to choose something better
- Cisco AnyConnect cannot assist the helpdesk team in diagnosing issues that remote workers encounter, making it a poor choice for companies looking for a VPN that can support significant numbers of remote workers. In these instances, IT leaders should look for a solution that provides insights into each connection, device and session, enabling employees outside the office to stay happy and productive.
Summary
Cisco AnyConnect is in widespread use and is frequently bundled alongside other Cisco deployments. All kinds of companies get great value from their AnyConnect investments, and it will continue to be a reliable, straightforward choice for many.
The reality today, however, is that most workplaces have changed dramatically since this technology was first designed. A growing number of organizations are instead turning to mobile-first software solutions that offer a better experience, richer analytics and a more robust policy engine.

NetMotion has become the premier choice in the VPN market, with hundreds of its customers making the switch from other solutions as remote and mobile working become increasingly important. Today it supports over 3000 organizations and one million workers that cannot afford to compromise when it comes to user experience, including 7 of the top 10 largest airlines, and powers three quarters of first responders in North America. Organizations wishing to test the products in a head-to-head capacity can do so for free by getting in touch with one of our experts.