Cisco's new AnyConnect Secure Mobility Client for Apple iOS allows IT managers and users to get what both want: a secure, yet flexible, browsing experience.
Allowing mobile devices to access corporate resources
requires IT to perform a careful balancing act. One has to maintain an
acceptable level of protection while permitting flexible use of corporate
resources. This is particularly challenging with mobile workers assuming a
greater role in the ownership and operation of their devices, because whether they
work from a home office or a remote site, it's increasingly likely that people will
want to use the same device for business and personal functions. This requires
IT to implement security policies that recognize the context in which a device
is used, as well as the wide range of devices that must be accommodated.
Cisco's AnyConnect Secure Mobility Client for Apple iOS does a good job of walking that fine line between intrusive control and
insecure use; it is designed to work with head-end VPN servers from Cisco such
as the ASA 5500 Series and Cisco's Web security appliances, such as the IronPort
S-Series, to provide secure authentication on the one hand and application
controls and policy enforcement on the other.
The client software for Apple iOS was released on Sept.
21. It is available for free in Apple's App Store and provides secure
VPN connections to any model of Cisco's Adaptive Security Appliance through use
of SSL (Secure Sockets Layer) and DTLS (Datagram Transport Layer Security); the latter is an implementation
of the TLS protocol that is designed to work with UDP traffic.
The AnyConnect VPN client for Apple iOS requires iOS 4.1
and is currently supported by devices such as the iPhone 3G, iPhone 3GS, iPhone
4 and recent iPod Touch models. Cisco expects to offer it for iPad later this
year, when Apple iOS 4.2 is released. Cisco's AnyConnect platform is currently
at release level 2.5, but this initial release of the client for Apple iOS was
written to the AnyConnect 2.4 code base and does not support features introduced
in AnyConnect 2.5 or later versions.
This release of the AnyConnect client for Apple iOS only
supports manually generated VPN profiles, imported AnyConnect profiles and
configurations generated with Apple's iPhone Configuration Utility. But Apple's
utility has its limitations. For example, it cannot create profiles that allow
full network roaming. If such roaming is desired, Cisco recommends that VPN
provisioning take place through AnyConnect. Although device users can edit some
aspects of a configuration that has been installed by the Apple utility or the
AnyConnect server, users are locked out of other options. Only one imported
AnyConnect profile may exist on the device as well.
The client for Apple iOS provides a similar feature set to
Cisco's AnyConnect clients for Linux, Mac OS X and Windows, and setting up VPN
access for the AnyConnect client on an iPhone is rather simple. If this is done
manually, the user can enter a description for the VPN, followed by the server
address, either as a full-qualified domain name or as an IP address. If one's
installation uses group-based configuration, that can be specified as part of
the server's URL.
AnyConnect for Apple iOS can be configured to use
certificate-based authentication; this is required to use the Connect
On Demand feature of Apple iOS and is rather useful for directing all
certain resources or domains through a particular VPN connection.
Statistical details and connection logs can be viewed through
a tab in the software; basic statistics (status, time connected, client
address and sent/received data) are presented along with buttons that provide
client logs and further details of the connection. Logging is disabled by
default but easily activated; when logging is enabled, the user can quickly
e-mail logs from this pane.
P. J. Connolly began writing for IT publications in 1997 and has a lengthy track record in both news and reviews. Since then, he's built two test labs from scratch and earned a reputation as the nicest skeptic you'll ever meet. Before taking up journalism, P. J. was an IT manager and consultant in San Francisco with a knack for networking the Apple Macintosh, and his love for technology is exceeded only by his contempt for the flavor of the month. Speaking of which, you can follow P. J. on Twitter at pjc415, or drop him an email at firstname.lastname@example.org.