Configuration Best Practices
User session security:
- Disable session roaming: With roaming disabled, a session cookie is only accepted from the IP address the user logged in from. This lowers the chance that a stolen session cookie can be replayed by an attacker from another host.
Users: (Users --> User Roles --> <role name> --> General --> Session Options: Roaming Session, select "Disabled").
Admins: (Administrators --> Admin Roles --> <role name> --> General --> Session Options: Roaming Session, select "Disabled").
- Disable persistent sessions: (Users --> User Roles --> <role name> --> General --> Session Options: Persistent Session, select "Disabled").
- Remove the browser session cookie: (Users --> User Roles --> <role name> --> General --> Session Options: Remove Browser Session Cookie, select "Enabled").
- Disable split tunneling: This helps ensure that all traffic is sent through the VPN connection and that the client cannot accept connections from, or talk to, other hosts on its local subnet. This lowers the possibility of a client system becoming a gateway or proxy into the secure tunnel. (Users --> User Roles --> <role name> --> VPN Tunneling --> Options --> Split Tunneling Options: select "Disable").
- Session limits: Ensure that user sessions are limited to a set length. If a session were stolen, it would only remain usable until the session lifetime expires. 24 or 48 hours is a reasonable session length to start with; shorten it where your users can tolerate re-authenticating more often. (Users --> User Roles --> <role name> --> General --> Session Options: Session lifetime lengths).
- Launch Pulse as a stand-alone client: If your deployment mostly uses L3 VPN based access AND does not use a browser to access applications through the client-less (web rewriter) technology, consider a deployment mode in which a browser is never used to log in to the gateway or to access any of its features. This removes the risks that come with reaching the gateway through a web browser (browser-side attacks on the sign-in page, cookie theft, and similar).
- Use the IP lockout option to block brute force password attacks. Caveat: if your users reach the Pulse Secure device through a load balancer or proxy, this is not viable, since all of them may appear to come from the same IP address and a lockout would affect every user behind it. Default values are good for most situations; adjust them to your needs if the defaults are not sufficient. (System --> Configuration --> Security --> Miscellaneous: Lockout Options)
- ESP encryption strength should be set to 256 bit. The default is 128 bit. (Users --> Resource Policies --> VPN Tunneling --> Connection Profiles --> <profile name> --> Connection Settings: Encryption: select "AES256/SHA1")
- Ensure all web bookmarks use https:// (when applicable). If user-created bookmarks are allowed, the administrator will need to educate end users to create resources with https://, or use Web ACLs to block access to TCP port 80.
Server side security:
- HTTP Strict Transport Security (HSTS) Support: We recommend upgrading to 8.1R12 or 8.2R6 and above to enable support for HSTS. If the upgrade is not possible, we recommend putting the Pulse Connect Secure device behind a firewall and only allowing the needed ports, such as 443/TCP and 4500/UDP, to the device. Attacks such as SSLStrip prey on the port 80 --> 443 redirect, see KB13903 - Mitigating SSLStrip attack methods on the Secure Access SSL VPN. The caveat is that some users do not know they need to type https:// before the device's domain name and must be trained to do this.
- Disable SSLv3: Please see the following TSB for more information about disabling SSLv3: TSB16540 - UPDATED: Connect Secure (SA / SSL VPN) / Policy Secure (IC / UAC) : How to disable SSLv3 to mitigate any potential risks from the ‘Poodle’ vulnerability (CVE-2014-3566).
- Logging: Enable logging to a syslog server. This should be done for each of the following: Events, User Access, and Admin Access logs. (System --> Log/Monitoring --> "Events" / "User Access" / "Admin Access" --> Settings: Syslog Servers). Please see KB22227 - [SSL VPN] How to configure the Syslog server for more information on this topic.
- Configure NTP (Network Time): Ensure that your system's time is correct, as accurate timestamps are essential when correlating logs during an investigation. (System --> Status --> Overview --> "System Date & Time" --> click "Edit" --> Time Source --> "Use NTP Server": Fill in NTP server configuration).
- Disable legacy SSL renegotiation support: (System --> Configuration --> Security --> SSL Options: Uncheck the "SSL Legacy Renegotiation Support" option)
- Disable clients that only support weak ciphers: (System --> Configuration --> Security --> SSL Options --> Encryption Strength Option --> Enable checkbox for ‘Do not allow connections from browsers that only accept weaker ciphers’.)
- Disable RC4: Please refer to the following KB on how to disable RC4 cipher suites. KB30342 - [Pulse Connect Secure] How to disable RC4 cipher suites on a Pulse Connect Secure device
- Lock down administrative login to the internal or management interfaces only. Administrators should not be allowed to log in from the internet. The default is to have external port admin logins disabled. (Administrators --> Admin Realms --> <realm name> --> Authentication Policy --> Source IP --> Ensure that "Enable administrators to sign in on the External Port" is not enabled).
- Add realm level restrictions for admin realms and roles.
- Lock down serial console access with a password. (You'll need to do this from the console port command line interface.)
- Encrypt backed-up configuration exports and store them securely; an unencrypted export contains the device configuration and should be treated as sensitive.
- Do not use "admin", "administrator" or other popular administrator login names. Choose an administrator username that is non-standard.
- Rename the default admin sign in URL from /admin to something non-standard.
- Use a two-arm configuration (External and Internal port). If the device is using a one-arm configuration (Internal port only) and SNMP is enabled, ensure that UDP port 161 is blocked from external access.
- Two factor authentication (2FA): We recommend the use of two factor authentication. A One Time Password (OTP) or Client Certificate Authentication are two good options that are available. 2FA is more secure than a standard user-chosen password for a number of reasons. An OTP token can only be used once, so it cannot be replayed if an attacker captures it. Long, unique, and complex passwords are required to be secure today, yet most users have trouble remembering them, which causes usability issues. Using 2FA addresses both problems.
- If possible, use client certificate authentication with OCSP or CRL revocation checking on the server side, combined with secondary authentication (AD/LDAP authentication servers) for sign-in realms.
- Active Directory: Legacy mode is no longer recommended. For more information, refer to KB40251 - Pulse Connect Secure recommended Active Directory authentication server mode.
- Host Checker: We recommend using Host Checker to ensure that clients are running antivirus software that is up to date. Host Checker can be used to verify an endpoint for many requirements including having a firewall enabled.
- We recommend using a current and updated version of Firefox, Chrome, Internet Explorer, or Safari. These browsers support TLS 1.2 and also have a good track record of shipping quick security updates for vulnerabilities.
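The HSTS and TLS items above can be verified from the outside rather than trusted from the admin UI. The script below is an added example written for this page, not Pulse Secure code: it parses a Strict-Transport-Security header the way a browser does (case-insensitive directives, malformed or zero max-age means no policy), flags a max-age shorter than a minimum you choose, and, in the optional live probe, connects with TLS 1.2 as the floor so an endpoint that still negotiates older protocols is visible as a handshake failure. The 180-day minimum and the "/" path are assumptions for the example.

```python
"""HSTS posture check for an HTTPS front end such as a VPN gateway sign-in page.

Added example, not vendor code. MIN_MAX_AGE (180 days) is an assumption
chosen for this example, not a product default.
"""
import http.client
import ssl
from typing import Dict, List, Optional

MIN_MAX_AGE = 15552000  # 180 days in seconds; assumption for this example


def parse_hsts(value: str) -> Dict[str, Optional[object]]:
    """Split a Strict-Transport-Security value into directives.

    Directive names are case-insensitive (RFC 6797). The first occurrence
    of a directive wins; a non-numeric max-age is recorded as None so the
    caller can treat the header as ignored, which is what browsers do.
    """
    directives: Dict[str, Optional[object]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            continue
        if name == "max-age":
            try:
                directives[name] = int(raw.strip().strip('"'))
            except ValueError:
                directives[name] = None
        else:
            directives[name] = True
    return directives


def evaluate(headers: Dict[str, str], min_age: int = MIN_MAX_AGE) -> List[str]:
    """Return findings for one HTTPS response's headers; empty list means OK."""
    findings: List[str] = []
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header: browsers will keep "
                        "following http:// links, leaving the SSLStrip window open")
        return findings
    d = parse_hsts(hsts)
    age = d.get("max-age")
    if not isinstance(age, int):
        findings.append("HSTS max-age missing or malformed; browsers ignore the header")
    elif age == 0:
        findings.append("HSTS max-age=0 clears the policy instead of enforcing it")
    elif age < min_age:
        findings.append(f"HSTS max-age={age} is shorter than the {min_age} s minimum")
    if "includesubdomains" not in d:
        findings.append("HSTS lacks includeSubDomains; sibling hostnames stay strippable")
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Fetch / over TLS 1.2 or newer and evaluate the headers (needs network).

    Forcing minimum_version means a gateway that only offers older protocol
    versions fails here with an ssl.SSLError instead of silently passing.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return evaluate(dict(resp.getheaders()))
    finally:
        conn.close()


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # placeholder host
    for finding in probe(target) or ["no HSTS findings"]:
        print(finding)
```

Run it against the gateway from a host outside the perimeter; a clean result still does not prove port 80 is filtered, so pair it with a separate connect test to 80/TCP, which should time out or be refused if the firewall rule from the HSTS item is in place.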
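Sending the User Access and Admin Access logs to syslog is only useful if something reads them. The script below is an added example written for this page, not Pulse Secure code, and it ties together three items above: it replays the IP lockout logic (count sign-in failures per source address inside a sliding window) so you can tune the threshold on real exports before changing the appliance, and it flags any admin-realm sign-in from an address outside your management networks, which should never happen once external-port admin login is disabled. The key=value line layout, the "Login failed" message prefix, the "Admin Users" realm name and the sample log lines are all constructed assumptions for the example; adapt parse_line() to the format your device actually emits.

```python
"""Brute-force and out-of-policy admin sign-in detection over exported gateway syslog.

Added example, not vendor code. The key=value layout, message wording and
realm name below are assumptions; the sample lines are constructed, not real.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re
from typing import Deque, Dict, Iterable, List, Tuple

# key=value or key="quoted value" pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Constructed sample: a burst of failures from one address, a normal user
# login, an admin login from a public address, and an admin login from the
# management network. Not real log data.
SAMPLE_LOG = """\
id=firewall time="2021-03-01 08:00:01" pri=6 fw=10.0.0.5 vpn=ive user="alice" realm="Users" src=203.0.113.7 msg="Login failed for alice"
id=firewall time="2021-03-01 08:00:04" pri=6 fw=10.0.0.5 vpn=ive user="alice" realm="Users" src=203.0.113.7 msg="Login failed for alice"
id=firewall time="2021-03-01 08:00:07" pri=6 fw=10.0.0.5 vpn=ive user="bob" realm="Users" src=203.0.113.7 msg="Login failed for bob"
id=firewall time="2021-03-01 08:00:09" pri=6 fw=10.0.0.5 vpn=ive user="bob" realm="Users" src=203.0.113.7 msg="Login failed for bob"
id=firewall time="2021-03-01 08:01:30" pri=6 fw=10.0.0.5 vpn=ive user="carol" realm="Users" src=198.51.100.20 msg="Login succeeded for carol"
id=firewall time="2021-03-01 08:02:00" pri=6 fw=10.0.0.5 vpn=ive user="ops" realm="Admin Users" src=198.51.100.44 msg="Login succeeded for ops"
id=firewall time="2021-03-01 08:02:30" pri=6 fw=10.0.0.5 vpn=ive user="ops" realm="Admin Users" src=10.0.0.9 msg="Login succeeded for ops"
id=firewall time="2021-03-01 09:00:00" pri=6 fw=10.0.0.5 vpn=ive user="dave" realm="Users" src=203.0.113.7 msg="Login failed for dave"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in KV_RE.findall(line)}


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse all non-empty lines and attach a datetime under 'ts'."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields: Dict[str, object] = dict(parse_line(line))
        fields["ts"] = datetime.strptime(str(fields["time"]), "%Y-%m-%d %H:%M:%S")
        events.append(fields)
    return events


def detect_bruteforce(events: List[Dict[str, object]], threshold: int = 3,
                      window: timedelta = timedelta(minutes=2)) -> List[Tuple[str, datetime, int]]:
    """Flag each source IP the first time it reaches `threshold` failures within `window`.

    A per-source deque holds failure timestamps; entries older than the
    window are dropped before the count is compared, giving a true sliding
    window rather than fixed buckets. Returns (src, window_start, count).
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    hits: List[Tuple[str, datetime, int]] = []
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not str(ev.get("msg", "")).startswith("Login failed"):  # assumed wording
            continue
        src = str(ev.get("src", ""))
        ts = ev["ts"]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in flagged:
            flagged.add(src)
            hits.append((src, q[0], len(q)))
    return hits


def detect_external_admin(events: List[Dict[str, object]], mgmt_nets: Iterable[str],
                          admin_realm: str = "Admin Users") -> List[Dict[str, object]]:
    """Return admin-realm sign-in events (success or failure) from outside mgmt_nets."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    out: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("realm") != admin_realm:
            continue
        try:
            src = ipaddress.ip_address(str(ev.get("src", "")))
        except ValueError:
            out.append(ev)  # an unparsable source on an admin realm is itself worth a look
            continue
        if not any(src in net for net in nets):
            out.append(ev)
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, start, count in detect_bruteforce(evs):
        print(f"lockout candidate: {src} had {count} failures from {start}")
    for ev in detect_external_admin(evs, ["10.0.0.0/8"]):
        print(f"admin sign-in from outside management nets: {ev['user']} from {ev['src']}")
```

The failure at 09:00:00 in the sample is deliberately outside the window and does not extend the earlier alert; when you run this over a day of real exports, compare the sources it flags with the lockouts the device actually applied to confirm your threshold and window match, and remember the load balancer caveat: if every user shares one source address, tune on user name instead of src.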
Security updates and advisories:
- Subscribe to alerts: Ensure that you are subscribed to security advisories to keep yourself up to date on current fixes provided by Pulse Secure. Currently, Pulse is utilizing the TSB system for our security advisories. (This will be an option once we have a new Pulse Secure Security Advisory system online.)
- Software updates: We recommend that all customers use Pulse Secure Customer Support Center recommended releases, or newer. This ensures that you have the most reliable and secure software release on your Pulse Secure devices.