Client-based remote access VPNs come in handy when entities from remote locations must access company services over an untrusted network, such as the internet.
Those entities — whether they be mobile users, telecommuters or business partners — need secure access on demand to protect the sensitive data exchanged between them and the VPN gateway located on the other side of the tunnel.
In today’s information age, it’s crucial to keep your company’s sensitive data safe and secured: nearly 8 in 10 consumers choose to do business with organizations based on their reputation for information security, according to Security Magazine.
But where to start, and how best to implement a client-based remote access VPN that you can trust?
In this article, we will:
Remote access VPNs are divided into two different categories (or types) of VPNs: full client VPNs — also known as client-based remote access VPNs — and clientless VPNs.
Clientless VPNs (called Cisco clientless SSL VPNs on Cisco equipment) require nothing more than a web browser to reach the protected company resources behind the VPN gateway. This approach is flexible, but it does not give the endpoint full network-layer access.
In contrast, the client-based remote VPN (also known as Cisco AnyConnect VPN) requires users to install a Cisco VPN client to establish a VPN to the other side. This VPN client is called Cisco AnyConnect and is the most commonly used VPN client when deploying remote access VPNs.
For data protection, it supports both IPsec and SSL, although SSL VPNs are generally preferred over IPsec VPNs because they traverse most firewalls and NAT-enabled devices in the routing path without special handling.
Keep in mind that although the name SSL is still used when the technology is discussed, SSL itself is obsolete and has been replaced by TLS. In practice, an "SSL VPN" always negotiates TLS.
The Cisco AnyConnect VPN solution can be implemented on both the Cisco ASA firewall and the Cisco Firepower NGFW firewall.
Although the Cisco Firepower NGFW is the newer firewall platform, it lacks some of the features and services supported on the ASA. This limitation is software-based rather than hardware-based, so it is only a matter of time until those gaps are closed.
Since our focus is on client-based VPN, the Cisco AnyConnect client plays a key role and it is extremely important to understand how it functions.
Several methods can be used to deploy the Cisco AnyConnect client to remote users:
A typical remote access VPN solution consists of several components — the user, the VPN gateway (or headend) and possibly an external authentication server. Each remote user must have the Cisco AnyConnect client installed on the endpoint before a VPN session can be established.
On the headquarters or the branch office on the other side, there is typically a firewall, also known as a “headend”, that functions as a VPN gateway and terminates connections from remote clients. A Cisco router can also be used.
During the VPN establishment phase, the client and the VPN gateway authenticate each other. As shown in the figure above, the Cisco ASA proves its identity to the client with an identity certificate, while the user authenticates by providing username and password credentials. Optionally, the Cisco ASA can also authenticate the machine itself; this is done by having the endpoint present a digital (machine) certificate.
Once authentication succeeds, the Cisco ASA applies a set of authorization and accounting rules to the user session, and the user can start sending data securely through the TLS tunnel, protected from threats on the untrusted network.
Because the VPN gateway must identify itself to the remote user, Cisco ASA must own an identity certificate that will be presented during the authentication process. This identity certificate can be created in two different ways.
The first option is a self-signed certificate, meaning the Cisco ASA signs its own certificate. Although this is the fastest and cheapest option, the general recommendation is to avoid it: the user has no trusted CA against which to verify the certificate's signature and must blindly accept the identity certificate presented by the Cisco ASA.
The ASA can, however, generate a permanent self-signed certificate that does not change after a reboot, so the remote user only has to accept it as trusted once rather than every time the Cisco ASA identifies itself. This approach is only suitable for small deployments with a handful of remote users.
The second and preferred option is for Cisco ASA to use an identity certificate signed by a trusted third-party Certificate Authority (CA), such as GoDaddy or any other public CA. This allows the remote user to easily verify the signature of the ASA’s identity certificate without getting any warning messages about trust-related issues.
How the remote user is authenticated against the Cisco ASA depends on the firewall's configuration. The default approach is to prompt the user for a username and password, which are then compared against the credentials stored in the local database. When there is a match, authentication passes; otherwise, the VPN session is not established.
Additionally, an external authentication server such as Cisco ISE or Active Directory can be used to verify the provided credentials. This is a more suitable solution for large and complex deployments, such as in enterprises with many employees, or when a user database already exists in the system.
For the remote user to reach resources beyond the VPN gateway, the session must be assigned an IP address, which is configured on the virtual network adapter of the client endpoint. This address, handed out by the Cisco ASA, is a private address and lets the user reach the segments of the internal network behind the VPN gateway.
This part of the VPN deployment can be done in several different ways on Cisco ASA, but the most common one is by configuring an IP address pool and assigning it to the default or custom connection profile that will be applied to the remote user’s session.
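The pieces described above (the identity certificate, user authentication and the IP address pool) come together in the ASA configuration. The following is an added example written for this article, not configuration taken from the page or from Cisco; the hostname vpn.example.com, the RADIUS server 10.1.1.20, the pool range, the user "alice" and the package file name are assumed placeholders to replace with your own values.

```cisco
! --- Option 1 (small pilots only): permanent self-signed identity certificate
crypto key generate rsa label VPN-KEY modulus 2048
crypto ca trustpoint SELF-SIGNED
 enrollment self
 subject-name CN=vpn.example.com
 keypair VPN-KEY
crypto ca enroll SELF-SIGNED noconfirm
! --- Option 2 (preferred): identity certificate signed by a public CA
crypto ca trustpoint PUBLIC-CA
 enrollment terminal
 subject-name CN=vpn.example.com,O=ExampleCorp
 keypair VPN-KEY
crypto ca enroll PUBLIC-CA
! submit the printed CSR to the CA, then install the CA chain and the issued certificate
crypto ca authenticate PUBLIC-CA
crypto ca import PUBLIC-CA certificate
! present the CA-signed certificate on the outside interface and only negotiate TLS 1.2 with strong ciphers
ssl trust-point PUBLIC-CA outside
ssl server-version tlsv1.2
ssl cipher tlsv1.2 high
! --- Private address pool assigned to each remote user's virtual adapter
ip local pool VPN-POOL 10.10.10.10-10.10.10.100 mask 255.255.255.0
! --- External authentication (Cisco ISE / AD via RADIUS, placeholder address and key); LOCAL is the fallback
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.1.1.20
 key RADIUS-SHARED-SECRET-PLACEHOLDER
! --- Local fallback user, restricted to remote-access VPN only (placeholder password)
username alice password CHANGE-ME-PLACEHOLDER
username alice attributes
 service-type remote-access
! --- Group policy: AnyConnect TLS client only, all traffic through the tunnel
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
! --- Connection profile (tunnel-group) tying pool, policy and authentication together
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool VPN-POOL
 default-group-policy ANYCONNECT-GP
 authentication-server-group ISE LOCAL
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias Employees enable
! --- Enable AnyConnect on the outside interface with the uploaded client package (placeholder file name)
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER.pkg 1
 anyconnect enable
 tunnel-group-list enable
```

Only one of the two certificate options should remain in a production configuration; the `ssl trust-point` line decides which certificate the ASA actually presents to remote users.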
The deployment of a basic AnyConnect TLS VPN on a Cisco ASA consists of several steps that must be correctly approached so that the remote VPN users can successfully establish VPN sessions to the VPN gateway:
The remote access VPN deployment process offers many additional features and tuning parameter settings. But what’s been covered above is more than enough to understand Cisco AnyConnect VPN and its benefits, as well as how to approach the configuration process on Cisco ASA.
If you're looking for more advanced configurations, let our team of engineers help you out with our EXTEND SmartHands offering. We offer you global access to engineers, to locally access your infrastructure. They take on a range of responsibilities to extend your IT team, without the added overhead of hiring a full-time engineer.
Our engineers are your ticket to global hands and feet as they collaborate with your engineering teams to resolve issues and take on projects, creating the most efficient and effective network that meets your business needs.