Cisco Secure Client
Tailscale and Cisco Secure Client (previously AnyConnect) both provide comprehensive VPN solutions. There are major differences in underlying architecture, investment for initial setup, and commitments to hardware maintenance. Let’s compare the features of each product so you can decide which one would work best for your use case.
Comparison matrix
Here’s a quick visual comparison of where Tailscale and Cisco Secure Client stand on a feature-by-feature basis. We’ll dive more into each feature below.
| Feature | Tailscale | Cisco Secure Client |
|---|---|---|
| Open source | Yes (the Tailscale daemon and CLI tool; not the coordination server or the GUI clients for proprietary operating systems) | No |
| Integrates with identity providers for single sign-on | Yes (Apple, Google, GitHub, Microsoft, Okta, OneLogin, and more, plus custom identity providers) | Yes |
| Connection type | Mesh-capable VPN | Client-server VPN |
| Encryption type | Node-to-node encryption using the WireGuard protocol | Encryption from client to server using TLS/DTLS (SSL VPN) or IKEv2/IPsec |
| Connection latency | Lower latency and higher throughput with direct peer-to-peer connections | The client-gateway model adds latency when client and gateway are far apart, since all traffic hairpins through the gateway |
| ACLs and security policies | Yes (central ACL policy in HuJSON format; admins can manage policy files with GitOps) | Yes (central policy management via ISE) |
| Forward all traffic through a gateway | Optional (exit nodes) | Optional (via centralized configuration) |
| Auditing and logging | Yes | Yes |
Cisco Secure Client overview
Cisco Secure Client is Cisco's endpoint agent for VPN access to corporate networks and devices. It uses a traditional client-server VPN model: every client terminates its tunnel on a Cisco VPN headend, such as an Adaptive Security Appliance (ASA) or a virtual appliance running in a cloud network.
Secure Client supports two tunnel protocols: SSL VPN, which runs over TLS with DTLS for the data channel, and IPsec with IKEv2 key exchange. The client runs on Windows, macOS, and Linux, although feature parity across the three is not complete. It is also available for iOS, Android, and Google ChromeOS.
Secure Client supports features such as auto-connect on start, fast user switching, and certificate pinning, as well as several mechanisms for checking endpoint security before a device is admitted (covered under authentication and endpoint protection below).
Secure Client customers can also integrate other Cisco offerings, such as Umbrella, which provides DNS-layer security. Each such offering requires its own licensing, installation, and configuration.
Use cases for Cisco Secure Client
Cisco Secure Client is a general VPN solution for medium-to-large-sized organizations that need to offer remote connectivity to office workers, especially if there’s a pre-existing investment in Cisco networking hardware.
Via its cloud routers, Cisco also supports connectivity to off-premises networks, such as virtual networks hosted in cloud service providers like Amazon Web Services and Microsoft Azure. Companies can also use Cisco Secure Client to reach client or partner networks and to link servers that sit in disparate networks.
Tailscale overview
In contrast to Cisco Secure Client and its product family, Tailscale is a mesh-capable VPN that emphasizes ease of deployment and administration. Rather than having every client connect to a central VPN server, Tailscale lets you define a peer-to-peer overlay network called a tailnet, in which nodes connect directly to one another.
Tailscale is built on WireGuard®, a UDP-based VPN protocol in which every node holds a key pair and peers authenticate each other by public key. The resulting tunnels are encrypted end to end between nodes and form Tailscale's decentralized data plane; no Tailscale server sits in the path of your traffic. Because a WireGuard session is bound to the peer's key rather than to its IP address, connections are effectively “always on”: a tunnel survives a laptop roaming between Wi-Fi and cellular or a brief loss of connectivity, and resumes as soon as packets flow again. WireGuard uses a fixed, modern cipher suite: ChaCha20-Poly1305 for authenticated encryption (ChaCha20 for confidentiality, Poly1305 for the authentication tag) and Curve25519 for key agreement.
Tailscale brokers connectivity among mesh members through a coordination server that holds each node's public key and distributes it to the peers allowed to reach that node. This is the control plane: it handles key distribution and tells devices how to find each other, but it carries no user traffic. Clients talk to the coordination server over a custom protocol based on the Noise IK handshake pattern, using X25519 key agreement as described in RFC 7748.
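To make the key-agreement step concrete, here is X25519 from RFC 7748 written out in Python. This is an added example, not Tailscale's or WireGuard's code (both use vetted native implementations, and Python integer arithmetic is not constant-time). Two nodes each hold a private key and publish only the public half; in Tailscale the coordination server is what hands those public keys around. Each side combines its own private key with the peer's public key and arrives at the same shared secret, which nobody holding only the public keys, the coordination server included, can compute. The keys are the RFC 7748 section 6.1 test vectors, and the low-order-point check is the one the RFC recommends.

```python
# Added example (not Tailscale or WireGuard code): X25519 from RFC 7748, the
# Diffie-Hellman function behind WireGuard's key exchange. Python big-integer
# arithmetic is not constant-time, so this illustrates the math, not a
# production implementation. Test vectors are from RFC 7748 section 6.1.

P = 2**255 - 19                          # Curve25519's prime field
A24 = 121665                             # (486662 - 2) / 4, the ladder constant
BASEPOINT = (9).to_bytes(32, "little")   # u = 9, the standard generator

# RFC 7748 section 6.1 vectors (hex of little-endian 32-byte strings).
ALICE_PRIV = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
ALICE_PUB = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
BOB_PRIV = "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb"
BOB_PUB = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
SHARED = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"


def _decode_scalar(k):
    """Clamp a 32-byte private key (RFC 7748 section 5)."""
    b = bytearray(k)
    b[0] &= 248    # clear the low three bits: removes small-subgroup components
    b[31] &= 127   # clear bit 255
    b[31] |= 64    # set bit 254 so every scalar has the same bit length
    return int.from_bytes(b, "little")


def _decode_u(u):
    """Decode a public key; the top bit of the last byte must be ignored."""
    b = bytearray(u)
    b[31] &= 127
    return int.from_bytes(b, "little") % P


def _cswap(swap, a, b):
    """Conditional swap written without a branch, as the RFC recommends."""
    mask = swap * (a ^ b)
    return a ^ mask, b ^ mask


def x25519(k, u):
    """Scalar multiplication on Curve25519 by the Montgomery ladder."""
    k_int = _decode_scalar(k)
    x_1 = _decode_u(u)
    x_2, z_2, x_3, z_3, swap = 1, 0, x_1, 1, 0
    for t in range(254, -1, -1):
        k_t = (k_int >> t) & 1
        swap ^= k_t
        x_2, x_3 = _cswap(swap, x_2, x_3)
        z_2, z_3 = _cswap(swap, z_2, z_3)
        swap = k_t
        a = (x_2 + z_2) % P
        aa = a * a % P
        b = (x_2 - z_2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x_3 + z_3) % P
        d = (x_3 - z_3) % P
        da = d * a % P
        cb = c * b % P
        x_3 = (da + cb) ** 2 % P
        z_3 = x_1 * (da - cb) ** 2 % P
        x_2 = aa * bb % P
        z_2 = e * (aa + A24 * e) % P
    x_2, x_3 = _cswap(swap, x_2, x_3)
    z_2, z_3 = _cswap(swap, z_2, z_3)
    return (x_2 * pow(z_2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private):
    """Derive the public key a node would publish via the coordination server."""
    return x25519(private, BASEPOINT)


def shared_secret(private, peer_public):
    """Combine our private key with the peer's public key. An all-zero result
    means the peer sent a low-order point; the RFC says to reject it."""
    s = x25519(private, peer_public)
    if s == bytes(32):
        raise ValueError("peer public key is a low-order point")
    return s


def rfc7748_exchange():
    """Alice and Bob each see only the other's public key, yet derive one secret."""
    a, b = bytes.fromhex(ALICE_PRIV), bytes.fromhex(BOB_PRIV)
    a_pub, b_pub = public_key(a), public_key(b)
    return {
        "alice_pub": a_pub.hex(),
        "bob_pub": b_pub.hex(),
        "alice_secret": shared_secret(a, b_pub).hex(),
        "bob_secret": shared_secret(b, a_pub).hex(),
    }


if __name__ == "__main__":
    result = rfc7748_exchange()
    assert result["alice_secret"] == result["bob_secret"] == SHARED
    print("shared secret:", result["alice_secret"])
```

Run it and Alice's and Bob's secrets both match the RFC's expected value. In WireGuard this static shared secret is one input, alongside ephemeral keys, to the Noise handshake that derives the per-session ChaCha20-Poly1305 keys; the static key pair shown here is the identity a Tailscale node registers with the coordination server.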
Tailscale has clients for all major operating systems and devices. It does not run its own identity store; authentication is delegated to existing identity providers and protocols. Tailscale also includes several features that simplify network configuration and lower administrative overhead.
Use cases for Tailscale
Tailscale excels at Cisco Secure Client’s base use cases, like providing remote connectivity for employees who are working from home or traveling. It also supports connectivity to cloud networks and site-to-site connectivity.
Additionally, Tailscale makes it easy to establish ad-hoc connectivity on demand. For example, you can use Tailscale to share a development server securely within your company, or make particular servers or SaaS services available to partners.
Tailscale and Cisco Secure Client features compared
Let’s look at Cisco Secure Client and Tailscale features one by one to see how they compare.
Setup and administration
Setting up Cisco Secure Client can be an involved process. The client itself can be installed via Web Deployment, Cisco's SecureX Cloud Management Deployment system, or your organization's software management service. The larger job is the infrastructure behind it: an administrator must install and configure a VPN headend before any client can connect.
The infrastructure required to support Cisco VPNs is extensive and generally calls for someone certified in Cisco products to install it, configure user and device access, and maintain it. The VPN headend can be an ASA firewall, a Cisco IOS router with VPN features, or Cisco's newer Secure Firewall or Umbrella Secure Access. Setup involves defining IP address pools, authentication methods, and access rules, and installing TLS certificates on the headend.
By contrast, Tailscale focuses on simplified installation and administration. There is no hardware to deploy; Tailscale runs the coordination server that distributes nodes' public keys. To get started, create a Tailscale account (often by logging in with Google or Microsoft), install the client on two devices, and sign in on each: the two devices form a private network immediately. There is no need to configure IP ranges, firewall rules, or NAT traversal; Tailscale assigns each node an address and handles traversal automatically.
Network management
Secure Client supports split tunneling, which sends only selected traffic through the VPN tunnel, as well as split DNS. Cisco also supports dynamic split tunneling, in which the tunnel decision is made per domain name: the client resolves the configured names at runtime and includes or excludes the resulting addresses, which covers services whose IP addresses change.
Tailscale is split-tunneled by default: only traffic destined for the tailnet (and any routes admins choose to advertise) goes through it. It also supports split DNS, and MagicDNS gives every node a short, stable DNS name that resolves across the tailnet, so admins do not have to map names to IP addresses by hand.
Tailscale also offers features that are simpler to set up than their Cisco counterparts. A subnet router is an ordinary node that advertises routes for a LAN or cloud network, so the devices behind it become reachable without a dedicated cloud router and without installing the Tailscale client on each of them. Exit nodes let a user choose, per device, whether to send all internet traffic out through a single node on the tailnet.
Authentication, ACLs, and endpoint protection
Cisco Secure Client supports a range of authentication and endpoint protection options. Network Access Manager on Windows enables both Single Sign-On (SSO) and direct logon with existing Windows machine credentials. Secure Endpoint adds threat detection on the endpoint itself. The ISE Posture module checks that an endpoint meets the organization's security policy before it is allowed onto the network.
Cisco VPN solutions typically enforce access policy at the gateway. Once connected, a user is placed into a VPN address pool or VLAN, and the ASA applies ACLs to restrict what that client can reach. Dynamic Access Policies (DAP) can adjust access rights on the fly based on user and device conditions. Because these controls are keyed to the addresses a client lands on, they are only as granular as the addressing scheme behind them.
Tailscale supports multiple authentication types, including OAuth2, OpenID Connect (OIDC), and SSO through identity providers such as Okta, OneLogin, Microsoft, Apple, GitHub, and Google. Tailscale is designed to hold a minimal amount of your users' Personally Identifiable Information (PII), which simplifies compliance and data governance. Traffic between nodes is end-to-end encrypted with WireGuard, so Tailscale never sees (and cannot see) your data; even when a direct connection cannot be established and packets are relayed through Tailscale's DERP servers, the relay forwards only ciphertext it cannot decrypt.
Tailscale approaches segmentation with an identity-based ACL system. Policies are written in HuJSON (human JSON, a superset of JSON that allows comments and trailing commas), which keeps them readable and self-documenting. Rules are written in terms of users, groups of users, and tags on devices rather than IP addresses, so role-based access control (RBAC) falls out naturally: a group names the people in a role, a tag names the machines that role may reach, and a rule joins the two with a port list.
Rather than administering ACLs on a separate appliance, Tailscale admins can keep the policy file in GitHub or GitLab and push changes to Tailscale through its API, authenticated with an access token, so policy changes get the same review and history as code.
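As an added example (not Tailscale's own tooling), the following Python script shows what a GitOps pipeline for the policy file described above typically does before pushing: parse the HuJSON, check that every group and tag a rule references is actually defined and that port lists are well formed, and prepare the call to Tailscale's ACL API. The policy text, tailnet name and token are constructed placeholders; the request is built but not sent so the script runs offline; and the Content-Type value is this example's choice, not something the page specifies.

```python
# Added example (not Tailscale's code): a GitOps pre-flight check for a
# Tailscale ACL policy. The policy text, tailnet name and token are
# constructed placeholders; the API request is built but never sent.
import json
import re
import urllib.request

POLICY_HUJSON = r'''
{
  // Groups name people by role; logins come from the identity provider.
  "groups": {
    "group:eng":    ["alice@example.com", "bob@example.com"],
    "group:oncall": ["carol@example.com"],
  },
  // Tags name machines by role; tagOwners says who may apply each tag.
  "tagOwners": {
    "tag:dev":     ["group:eng"],
    "tag:prod-db": ["group:oncall"],
  },
  // Default deny: only traffic matched by an accept rule is allowed.
  "acls": [
    {"action": "accept", "src": ["group:eng"],    "dst": ["tag:dev:22,443"]},
    {"action": "accept", "src": ["group:oncall"], "dst": ["tag:prod-db:5432"]},
  ],
}
'''


def hujson_to_json(text):
    """Strip // and /* */ comments and trailing commas, respecting strings."""
    out, last_comma, in_str, i, n = [], None, False, 0, len(text)
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escape sequences verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str, last_comma = True, None
            out.append(c)
        elif text.startswith("//", i):       # line comment: skip to newline
            j = text.find("\n", i)
            i = (n if j == -1 else j) - 1
        elif text.startswith("/*", i):       # block comment: skip past */
            j = text.find("*/", i + 2)
            i = (n if j == -1 else j + 2) - 1
        else:
            if c == ",":
                last_comma = len(out)        # remember it; it may be trailing
            elif c in "}]":
                if last_comma is not None and not "".join(out[last_comma + 1:]).strip():
                    del out[last_comma]      # only whitespace since the comma
                last_comma = None
            elif not c.isspace():
                last_comma = None
            out.append(c)
        i += 1
    return "".join(out)


def load_policy(text):
    return json.loads(hujson_to_json(text))


# A dst is "<host>:<ports>"; ports is "*" or a comma list of ports and ranges.
_PORTS = re.compile(r"^(\*|\d{1,5}(-\d{1,5})?)(,(\*|\d{1,5}(-\d{1,5})?))*$")


def lint_policy(policy):
    """Return the problems a reviewer would flag; an empty list means it passed."""
    groups, tags, problems = set(policy.get("groups", {})), set(policy.get("tagOwners", {})), []

    def check_ref(where, name):
        if name.startswith("group:") and name not in groups:
            problems.append(f"{where}: {name} is not defined in groups")
        elif name.startswith("tag:") and name not in tags:
            problems.append(f"{where}: {name} is not defined in tagOwners")

    for tag, owners in policy.get("tagOwners", {}).items():
        for owner in owners:
            check_ref(f"tagOwners[{tag}]", owner)
    for i, rule in enumerate(policy.get("acls", [])):
        where = f"acls[{i}]"
        if rule.get("action") != "accept":
            problems.append(f"{where}: only accept rules exist; deny is the default")
        for src in rule.get("src", []):
            check_ref(where, src)
        for dst in rule.get("dst", []):
            host, sep, ports = dst.rpartition(":")
            if not sep or not _PORTS.match(ports):
                problems.append(f"{where}: dst {dst!r} must be host:ports")
            else:
                check_ref(where, host)
    return problems


def build_push_request(tailnet, token, policy_text, validate_only=True):
    """POST to Tailscale's ACL API: /acl/validate checks, /acl applies. When
    applying, also send the ETag from a prior GET /acl as If-Match so a
    concurrent edit is rejected rather than overwritten."""
    path = "acl/validate" if validate_only else "acl"
    url = f"https://api.tailscale.com/api/v2/tailnet/{tailnet}/{path}"
    return urllib.request.Request(
        url, data=policy_text.encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/hujson"},   # assumed media type
    )


if __name__ == "__main__":
    problems = lint_policy(load_policy(POLICY_HUJSON))
    if problems:
        raise SystemExit("\n".join(problems))
    req = build_push_request("example.com", "tskey-api-PLACEHOLDER", POLICY_HUJSON)
    print("lint ok; would", req.get_method(), req.full_url)
    # urllib.request.urlopen(req) would send it; omitted so this runs offline.
```

The lint catches the classic GitOps mistake of renaming a group in one place and not the other, which would otherwise surface only as a rule that silently matches nobody. The real safety net is still the /acl/validate endpoint, since it applies Tailscale's full policy grammar rather than this subset.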
Cisco Secure Client vs. Tailscale: The bottom line
Cisco Secure Client carries a large administrative overhead and upfront cost. By contrast, Tailscale requires no up-front investment and has a flat, per-user licensing scheme. It offers comprehensive end-to-end security with easy setup, low administrative burden, and an easy-to-use client.
Want to see how easy it is to get up and running with Tailscale? Try it for free today.