AnyConnect 3.0 adds support for 802.1AE MAC Security (MACSec), which defines encryption of Ethernet frames. 802.1X, which is part of AnyConnect 3.0, provides the key management and negotiation for MACSec. With MACSec, a client accessing the wired network can get the same connection-oriented encryption and authentication that 802.11 wireless clients have without any hardware changes. Of course, the Ethernet switch has to support MACSec as well. Cisco hasn't incorporated WaaS functionality into its remote access client like Bluecoat and Juniper have, but the company says it is evaluating customer demand. AnyConnect 3.0 will be available in December 2010 starting at $100 for 25 existing ASA customers.
"I think it's great that Cisco is at least attempting to create a security strategy with a security vision behind that," said Penn. "We have not seen that before [from Cisco]. Cisco's classic approach was that bigger boxes are better, and you still see some of that with some of their products, like the 5585X."
In addition to the 5585X, Cisco announced AnyConnect integration with its Scansafe hosted Web security service, which will protect users from Web-based attacks whether they are on or off the corporate network. AnyConnect will route end-user devices through the Scansafe cloud-based security scans. Applying corporate security controls to personally owned devices raises the possibility of concerns from the end-user side, said Penn. He sees this as a general issue, not by any means limited to the Cisco/Scansafe capability.
"How much am I, as an empowered user, going to put up with?" he said. "Not everything is corporate information. Just because I use the device occasionally to connect to the corporate environment, does that mean I give up my privacy to use that device?"