On the surface, Cisco Secure Borderless Network appears to address many shortcomings in Microsoft's competing DirectAccess.
At the RSA Conference held March 1 to 5
in San Francisco, Cisco Systems finally unveiled its own take on the secured
borderless enterprise, which aims to provide mobile workers with seamless,
always-on secured connections to protected enterprise data and
applications-whether those applications are internally hosted or part of a
cloud strategy. Even more specifically, Cisco wants to make clear that its
technology is everything that Microsoft's take on the borderless enterprise is
Based on my own experiences with Microsoft's
and its necessary
I've found the technology to be interesting, innovative and pretty
cool, but disappointingly limited-particularly in its native incarnation.
There's a laundry list of problems with basic DirectAccess: It only works
with Windows 7 clients (Ultimate or Enterprise SKUs); it requires critical
back-end network services and applications run atop Windows Server 2008 R2 or
Service Pack 2 due to DirectAccess' reliance on IPv6; it can't scale across
multiple access servers for either performance or management purposes; its
clients utilize split tunneling, which protect transmissions to corporate
resources but not cloud-based applications; and it doesn't support down-level
virtualized client instances used for application compatibility.
It's abundantly clear that DirectAccess is functionally useless for broad-scale
enterprise deployment without adding Microsoft's Forefront UAG
(Unified Access Gateway) 2010 to the mix, as the latter resolves several of
DirectAccess' inherent shortcomings (particularly scaling and legacy OS support
in the data center). And while UAG also adds
support for non-Windows 7 clients through traditional SSL
(Secure Sockets Layer) VPN trunks, this workaround hardly provides an always-on
I have to wonder whether Microsoft has the wherewithal to implement
DirectAccess for any other client instance. Adding DirectAccess to Windows
Phone 7 Series would seem to be the logical next step, extending the perimeter-free
enterprise to Microsoft's own next-generation mobile platform, but I have yet
to see any indication of whether that feature is actually in the works.
Cisco, on the other hand, is looking for ubiquity on the client end of the Secure
The company has modified its familiar AnyConnect client
(now Version 2.5)-which should be available for Windows, Mac and Linux-to
provide a persistent secured connection, even across different network
connections, once the user and machine are both authorized. And Cisco has
already partnered with Samsung to extend such access to some Samsung Windows
Mobile-based devices, with support for other devices and mobile platforms
promised to follow in the near future.
Cisco's solution doesn't rely on IPv6, so there should not be
interoperability problems with legacy servers and applications in the data
center. Indeed, with the Secure Borderless Network, Cisco looks to extend its
always on-connectivity and security beyond the data center to cloud-based
resources like Salesforce-in the process unifying authentication between SAAS (software
as a service) applications and the corporate directory, while securing and
analyzing the data flow to and from those sites.
DirectAccess simply isn't designed to extend beyond the corporate domain.
Cloud services are outside the domain, so a remote client goes there directly
via split tunneling, instead of through the DirectAccess tunnel. With Cisco's
approach, the concept of split tunneling goes out the window-unless expressly
permitted by rule for administrator-defined sites. Cisco wants to funnel all
traffic through the AnyConnect client to its head-end resources so as to be
able to analyze the traffic stream for malicious or unpermitted traffic and
applications via the company's Web Security Appliances. Since the Cisco client
is now always on, this will mean a big bump in traffic delivered through the
VPN, so Cisco also offers its ScanSafe cloud services as an alternative proxy,
parsing much of that traffic before affecting precious corporate bandwidth.
I have yet to get hands-on with these products, or even to see a live
demonstration (rather than a canned demonstration on the RSA
show floor), so time and testing will tell if this is actually the case. But at
this point, Cisco's solution sounds more appealing and certainly more feasible