Cisco sets the bar for mobile security

21.03.2011

Part of the difficulty in end-point security within the AnyConnect client is that the policy is spread across different parts of ASDM. For example, you look for the presence of a particular anti-virus package in one part of ASDM, but you look to make sure you're not executing in a virtual machine in a completely different part of the policy.

The ASDM management tool lets you build a posture checking decision tree using traditional flow-chart symbols, a technique that looks suspiciously like the one F5 pioneered in their SSL VPN product. In any case, this configuration approach to end-point posture checking is approximately 10,000% more understandable and scalable than Cisco's old approach based on the ACS RADIUS/TACACS.
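To make the decision-tree idea concrete, here is a small posture-policy evaluator written for this article as an added illustration; it is not code from Cisco, ASDM, AnyConnect or OPSWAT. It keeps the anti-virus check and the virtual-machine check in one tree, the situation the text contrasts with a policy spread across separate parts of ASDM. The attribute names (`in_vm`, `av_product`, `av_running`, `av_definitions_age_days`), the approved-product list and the sample end-point reports are all constructed for the example.

```python
# Illustrative end-point posture decision tree (added example; not vendor code).
# Attribute names and the approved-product list are assumptions for the demo.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple, Union

Endpoint = Dict[str, object]          # attributes a posture agent would report


@dataclass
class Decision:
    """Leaf of the tree: what the VPN/NAC policy does with the end-point."""
    action: str                        # "allow", "quarantine" or "deny"
    reason: str


@dataclass
class Check:
    """Inner node: one yes/no posture test and the two branches it selects."""
    name: str
    predicate: Callable[[Endpoint], bool]
    on_pass: "Node"
    on_fail: "Node"


Node = Union[Check, Decision]


def evaluate(node: Node, endpoint: Endpoint) -> Tuple[Decision, List[Tuple[str, bool]]]:
    """Walk the tree from `node`; return the leaf reached and the checks taken on the way."""
    trail: List[Tuple[str, bool]] = []
    while isinstance(node, Check):
        outcome = bool(node.predicate(endpoint))
        trail.append((node.name, outcome))
        node = node.on_pass if outcome else node.on_fail
    return node, trail


# Constructed policy: every end-point condition lives in one tree, so the
# anti-virus and virtual-machine checks are read (and audited) together.
APPROVED_AV = {"Sophos Anti-Virus", "Example AV"}   # constructed product names

POLICY: Node = Check(
    name="not running in a virtual machine",
    predicate=lambda ep: not ep.get("in_vm", False),
    on_pass=Check(
        name="approved anti-virus installed and running",
        predicate=lambda ep: ep.get("av_product") in APPROVED_AV and bool(ep.get("av_running", False)),
        on_pass=Check(
            name="anti-virus definitions no older than 7 days",
            predicate=lambda ep: int(ep.get("av_definitions_age_days", 999)) <= 7,
            on_pass=Decision("allow", "posture checks passed"),
            on_fail=Decision("quarantine", "stale anti-virus definitions"),
        ),
        on_fail=Decision("quarantine", "no approved anti-virus running"),
    ),
    on_fail=Decision("deny", "client is a virtual machine"),
)


def decide(endpoint: Endpoint) -> str:
    """Convenience wrapper: the action the policy takes for one end-point report."""
    leaf, _ = evaluate(POLICY, endpoint)
    return leaf.action


if __name__ == "__main__":
    # Constructed sample reports; "stale defs" and "av stopped" show how two
    # configurations of the same anti-virus product can land on different leaves.
    samples = {
        "healthy laptop":  {"in_vm": False, "av_product": "Sophos Anti-Virus", "av_running": True,  "av_definitions_age_days": 1},
        "stale defs":      {"in_vm": False, "av_product": "Sophos Anti-Virus", "av_running": True,  "av_definitions_age_days": 30},
        "av stopped":      {"in_vm": False, "av_product": "Sophos Anti-Virus", "av_running": False, "av_definitions_age_days": 1},
        "virtual machine": {"in_vm": True,  "av_product": "Sophos Anti-Virus", "av_running": True,  "av_definitions_age_days": 1},
    }
    for label, report in samples.items():
        leaf, trail = evaluate(POLICY, report)
        print(f"{label:16s} -> {leaf.action:10s} ({leaf.reason}); checks: {trail}")
```

The returned trail is the part worth keeping in a real deployment: logging which check an end-point failed is what lets an administrator distinguish a genuine policy violation from an agent that simply could not read the product's state, the kind of inconsistency a lab will see when the same anti-virus package is configured differently on different machines.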

The AnyConnect client's end-point security approach represents Cisco's current thinking on how to do both NAC and VPN posture checking in the same client. Cisco is continuing to avoid the Trusted Computing Group's open standards for posture checking, and has forged ahead with a single-vendor solution, incorporating its own Cisco Secure Desktop and OPSWAT's end-point posture checking toolkit together into a single nicely merged solution. (The Oesis Framework, an OPSWAT product, is a software library incorporated in other security products that detects the presence and state of a wide variety of end-point security products.)

Overall, network managers will have to balance the simplicity of Cisco's strategy, which requires only a single client and no particular cooperation from the end-point security vendor, with a lock-in to what Cisco and OPSWAT are willing to support.

Our experience with OPSWAT, which has shown up in both our NAC and SSL VPN security tests for years, has generally been good, although we have had recurrent difficulties getting consistent results when testing against our lab's standard anti-virus package, Sophos. This experience was echoed in this test, where different configurations of the same anti-virus package gave different results in the AnyConnect client. Network managers using the AnyConnect client to do end-point posture checking will want to experiment with their own configuration and end-points to avoid false positive and negative results.