Cisco's new AnyConnect Secure Mobility Client for Apple iOS allows IT managers and users to get what both want: a secure, yet flexible, browsing experience.
Allowing mobile devices to access corporate resources
requires IT to perform a careful balancing act. One has to maintain an
acceptable level of protection while permitting flexible use of corporate
resources. This is particularly challenging with mobile workers assuming a
greater role in the ownership and operation of their devices, because whether they
work from a home office or a remote site, it's increasingly likely that people will
want to use the same device for business and personal functions. This requires
IT to implement security policies that recognize the context in which a device
is used, as well as the wide range of devices that must be accommodated.
Cisco's AnyConnect Secure Mobility Client for Apple iOS does a good job of walking that fine line between intrusive control and
insecure use; it is designed to work with head-end VPN servers from Cisco such
as the ASA 5500 Series and Cisco's Web security appliances, such as the IronPort
S-Series, to provide secure authentication on the one hand and application
controls and policy enforcement on the other.
The client software for Apple iOS was released on Sept.
21. It is available for free in Apple's App Store and provides secure
VPN connections to any model of Cisco's Adaptive Security Appliance through use
of SSL (Secure Sockets Layer) and DTLS (Datagram Transport Layer Security); the latter is an implementation
of the TLS protocol that is designed to work with UDP traffic.
The AnyConnect VPN client for Apple iOS requires iOS 4.1
and is currently supported by devices such as the iPhone 3G, iPhone 3GS, iPhone
4 and recent iPod Touch models. Cisco expects to offer it for iPad later this
year, when Apple iOS 4.2 is released. Cisco's AnyConnect platform is currently
at release level 2.5, but this initial release of the client for Apple iOS was
written to the AnyConnect 2.4 code base and does not support features introduced
in AnyConnect 2.5 or later versions.
This release of the AnyConnect client for Apple iOS only
supports manually generated VPN profiles, imported AnyConnect profiles and
configurations generated with Apple's iPhone Configuration Utility. But Apple's
utility has its limitations. For example, it cannot create profiles that allow
full network roaming. If such roaming is desired, Cisco recommends that VPN
provisioning take place through AnyConnect. Although device users can edit some
aspects of a configuration that has been installed by the Apple utility or the
AnyConnect server, users are locked out of other options. In addition, only one
imported AnyConnect profile may exist on the device.
The client for Apple iOS provides a similar feature set to
Cisco's AnyConnect clients for Linux, Mac OS X and Windows, and setting up VPN
access for the AnyConnect client on an iPhone is rather simple. If this is done
manually, the user can enter a description for the VPN, followed by the server
address, either as a fully qualified domain name or as an IP address. If one's
installation uses group-based configuration, that can be specified as part of
the server's URL.
AnyConnect for Apple iOS can be configured to use
certificate-based authentication; this is required to use the Connect
On Demand feature of Apple iOS and is rather useful for directing all
traffic to certain resources or domains through a particular VPN connection.
Statistical details and connection logs can be viewed through
a tab in the software; basic statistics (status, time connected, client
address and sent/received data) are presented along with buttons that provide
client logs and further details of the connection. Logging is disabled by
default but easily activated; when logging is enabled, the user can quickly
e-mail logs from this pane.
P. J. Connolly began writing for IT publications in 1997 and has a lengthy track record in both news and reviews. Since then, he's built two test labs from scratch and earned a reputation as the nicest skeptic you'll ever meet. Before taking up journalism, P. J. was an IT manager and consultant in San Francisco with a knack for networking the Apple Macintosh, and his love for technology is exceeded only by his contempt for the flavor of the month. Speaking of which, you can follow P. J. on Twitter at pjc415, or drop him an email at pjc@eweek.com.