Cisco Secure Borderless Network protects beyond the corporate data centre and appears to address many shortcomings in Microsoft’s DirectAccess
At the RSA Conference, held from 1 to 5 March in San Francisco, Cisco Systems finally unveiled its own take on the secured borderless enterprise, which aims to provide mobile workers with seamless, always-on secured connections to protected enterprise data and applications – whether those applications are internally hosted or part of a cloud strategy. Even more specifically, Cisco wants to make clear that its technology is everything that Microsoft’s take on the borderless enterprise is not.
Based on my own experiences with Microsoft’s DirectAccess and its necessary extenders, I’ve found the technology to be interesting, innovative and pretty cool, but disappointingly limited – particularly in its native incarnation.
Cleaning up DirectAccess problems
There’s a laundry list of problems with basic DirectAccess: It only works with Windows 7 clients (Ultimate or Enterprise SKUs); it requires critical back-end network services and applications run atop Windows Server 2008 R2 or Service Pack 2 due to DirectAccess’ reliance on IPv6; it can’t scale across multiple access servers for either performance or management purposes; its clients utilise split tunneling, which protects transmissions to corporate resources but not cloud-based applications; and it doesn’t support down-level virtualised client instances used for application compatibility.
It’s abundantly clear that DirectAccess is functionally useless for broad-scale enterprise deployment without adding Microsoft’s Forefront UAG (Unified Access Gateway) 2010 to the mix, as the latter resolves several of DirectAccess’ inherent shortcomings (particularly scaling and legacy OS support in the data centre). And while UAG also adds support for non-Windows 7 clients through traditional SSL (Secure Sockets Layer) VPN trunks, this workaround hardly provides an always-on experience.
I have to wonder whether Microsoft has the wherewithal to implement DirectAccess for any other client instance. Adding DirectAccess to Windows Phone 7 Series would seem to be the logical next step, extending the perimeter-free enterprise to Microsoft’s own next-generation mobile platform, but I have yet to see any indication of whether that feature is actually in the works.
Cisco, on the other hand, is looking for ubiquity on the client end of the Secure Borderless Network. The company has modified its familiar AnyConnect client (now Version 2.5)—which should be available for Windows, Mac and Linux—to provide a persistent secured connection, even across different network connections, once the user and machine are both authorised. And Cisco has already partnered with Samsung to extend such access to some Samsung Windows Mobile-based devices, with support for other devices and mobile platforms promised to follow in the near future.
Cisco’s solution doesn’t rely on IPv6, so there should not be interoperability problems with legacy servers and applications in the data centre. Indeed, with the Secure Borderless Network, Cisco looks to extend its always-on connectivity and security beyond the data centre to cloud-based resources like Salesforce—in the process unifying authentication between SaaS (software as a service) applications and the corporate directory, while securing and analysing the data flow to and from those sites.
DirectAccess simply isn’t designed to extend beyond the corporate domain. Cloud services are outside the domain, so a remote client goes there directly via split tunneling, instead of through the DirectAccess tunnel. With Cisco’s approach, the concept of split tunneling goes out the window—unless expressly permitted by rule for administrator-defined sites. Cisco wants to funnel all traffic through the AnyConnect client to its head-end resources so as to be able to analyse the traffic stream for malicious or unpermitted traffic and applications via the company’s Web Security Appliances. Since the Cisco client is now always on, this will mean a big bump in traffic delivered through the VPN, so Cisco also offers its ScanSafe cloud services as an alternative proxy, parsing much of that traffic before affecting precious corporate bandwidth.
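To make the split-tunnel distinction concrete, here is an added configuration illustration that is not from the article or from Cisco's announcement; it assumes a Cisco ASA as the AnyConnect head-end (the article does not name one), and all policy names and addresses are constructed placeholders. The first group policy is conventional split tunneling; the second is the tunnel-all-with-administrator-defined-exceptions behaviour described above.

```text
! Constructed ASA group-policy fragment; names and prefixes are placeholders.

! Split tunneling: only the listed corporate prefix rides the VPN.
! SaaS and other Internet destinations go direct from the client and are
! never seen by the head-end or the Web Security Appliance.
access-list SPLIT_INCLUDE standard permit 10.0.0.0 255.0.0.0
group-policy SPLIT_GP internal
group-policy SPLIT_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_INCLUDE

! Tunnel-all with exceptions: every destination is sent through the
! head-end for inspection, except sites an administrator lists explicitly.
access-list SPLIT_EXCLUDE standard permit 203.0.113.0 255.255.255.0
group-policy TUNNEL_ALL_GP internal
group-policy TUNNEL_ALL_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT_EXCLUDE
```

With `excludespecified`, a destination that is not on the exception list is tunnelled and inspected, which is why the tunnel-all model trades client bandwidth for visibility; the exception list should stay short and be reviewed like any other policy.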
I have yet to get hands-on with these products, or even to see a live demonstration (rather than a canned demonstration on the RSA show floor), so time and testing will tell if this is actually the case. But at this point, Cisco’s solution sounds more appealing and certainly more feasible than Microsoft’s.