SSL VPN

I am looking into installing the SSL VPN on the ASA 5510 and was looking for your thoughts on how you like it and how secure it is. Hardware requirements for the ASA? Any other info you can provide?
Hubman Asked:
 
lrmoore Commented:
Several flavors of SSL VPN
Clientless SSL VPN - where end user never has to download any client. End user can be presented with a portal page with bookmark hyperlinks to access internal services. Great for end users that simply need access to a couple of resources like RDP to their PC, or http:// to a web server (or Citrix web front end), or to grab a shared file.

AnyConnect VPN Client - this is the new paradigm for VPN clients. You can use the clientless portal page to distribute the client. Once the client is installed on the remote user's PC, they only use it next time. This client provides full network access (or restricted access, whatever is appropriate).
Now, the licensing is also tricky.
You have AnyConnect Essentials - this is a per-appliance license and enables the clientless SSL VPN and basic AnyConnect VPN client connections. About $150 per appliance.
Then you have AnyConnect Premium license. About $150 per USER. This license allows you to take advantage of Secure Remote Desktop and have a tremendous amount of control over the remote end device. Things like keylog checker, cache flush, Antivirus OK?, Firewall on?
Then you have AnyConnect Mobile, which is also per-appliance for about $150, which enables mobile clients like iPhone and Windows phones to use the AnyConnect client.
Bottom line -
SSL/AnyConnect gives you total control over the end device, but costs some $
IPSEC VPN gives you only end-user authentication, but at $0 additional cost
SSL/Clientless web portal gives you an easy way to provide limited access to end users.
SSL/AnyConnect is best for road warriors because it is more 'friendly' to remote location firewalls. IPSEC client sometimes gets blocked/limited at remote locations (i.e. some hotels).
 
mahrens007 Commented:
I like the SSL webVPN. Depending on how complex your network is, you can create multiple portable pages for different users. Once logged in, the user will be prompted to install the client the first time.

AnyConnect can run on Windows, Mac and Linux. Here are the hardware requirements: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect22/release/notes/anyconnect22rn.html


 
MikeKane Commented:
A few other items I'll toss in here.

AnyConnect VPN works much better than IPSEC for others behind NAT devices or other firewalls. Since AnyConnect works over port 443, most companies and home routers will already have this configured, so there are no extra steps. Even hotels with wifi will allow this outbound. This is much different than IPSEC, where you had to worry about NAT-T, extra UDP/TCP ports, and whatever else. Even though it does cost more, it takes care of a lot of the headaches associated with the original IPSEC client.


Hubman (Author) Commented:
AnyConnect VPN is a one-time cost of $150? Can this be configured to allow groups different access to different network resources?
 
lrmoore Commented:
AnyConnect "Essentials", yes. One-time license cost of $150 (list price, for the 5510 appliance):
ASA-AC-E-5510=  AnyConnect Essentials VPN License - ASA 5510 (250 Users)  B  USD 150.00  

Yes, you can set up multiple groups with different levels of access just like with the IPSEC client.
 
Hubman (Author) Commented:
Does Cisco have an online demo?