KB29805 - Pulse/Ivanti Connect Secure: Security Configuration Best Practices

Last Modified Date: 8/31/2022 9:55 AM
Problem or Goal
This document will act as a security best practices guide. This document will be updated as more information is made available.
Solution
Updated: April 13th, 2021

Configuration Best Practices

Pulse Connect Secure (PCS) Integrity Assurance Tool
The Ivanti Product Security Incident Response Team (PSIRT) has introduced a new tool to enhance your ability to ensure the full integrity of your Pulse Connect Secure software. The integrity tool allows an administrator to verify the PCS image installed on virtual or hardware appliances. It checks the integrity of the complete file system and finds any additional or modified file(s).

KB44755 - Pulse Connect Secure (PCS) Integrity Assurance


User session security:

  1. Disable roaming session or limit to subnet for non-roaming user roles: This feature ensures that if a session cookie is stolen it cannot be reused from an IP address other than the one the user first logged in from. This lowers the possibility of a session being stolen and reused by an attacker. It requires the end user to re-authenticate when the source IP address changes.
    1. Users: (Users --> User Roles --> <role name> --> General --> Session Options: Roaming Session, select "Disabled").
    2. Admins: (Administrators --> Admin Roles --> <role name> --> General --> Session Options: Roaming Session, select "Disabled").
  2. Disable persistent sessions:
    (Users --> User Roles --> <role name> --> General --> Session Options: Persistent Session, select "Disabled")
  3. Remove Browser Session Cookie:
    (Users --> User Roles --> <role name> --> General --> Session Options: Remove Browser Session Cookie, select "Enabled")
  4. Disable split tunneling: This helps ensure that all traffic is sent through the VPN connection and that the client is unable to accept connections from or talk to other hosts on its local subnet. This lowers the possibility of a client system becoming a gateway or proxy into the secure tunnel. (Users --> User Roles --> <role name> --> VPN Tunneling --> Options --> Split Tunneling Options: select "Disable").
  5. Session limits: Ensure that user sessions are limited to a set length. If a session is stolen it remains usable only until the session times out. 24 or 48 hours is a good session length to start with. (Users --> User Roles --> <role name> --> General --> Session Options: Session lifetime lengths).
  6. Launch Pulse as standalone: If your deployment mostly uses L3 VPN based access AND does not use a browser to access applications through our client-less (web rewriter) technology, consider a deployment mode where a browser is not used to log in to the gateway or access any feature of the gateway. Doing so eliminates the risks that typically come with accessing an application via a web browser. Administrators may configure additional restrictions to prevent certain browsers or source IPs from accessing the web interface. For more information, please refer to Access Restrictions under the General Access Management guide.
  7. Use the IP lockout option to block brute force password attacks. Caveat: If your users access the Pulse Secure device through a load balancer or proxy, this will not be viable since they may all appear to come from the same IP address. Default values are good for most situations. You can tune them to your specific needs if the defaults are not sufficient. (Security --> Configuration --> Security --> Miscellaneous: Lockout Options)
  8. ESP encryption strength should be set to 256-bit. The default is 128-bit. (Users --> Resource Policies --> VPN Tunneling --> Connection Profiles --> <profile name> --> Connection Settings: Encryption: select "AES256/SHA256")
  9. Ensure all web bookmarks use https:// (when applicable). If user-created bookmarks are allowed, administrators will need to educate end users to create resources with https://, or use web ACLs to block access to TCP port 80.
  10. Web ACL: Remove or change to DENY for the "Initial Policy for Local Resources" (if Web feature is enabled on User Roles)
  11. Selective Rewriting: Remove "Initial Rewrite Policy" (if Web feature is enabled on User Roles)
  12. VPN Tunneling Access Control: Remove or change to DENY for the "Initial VPN Tunneling Policy"
  13. Disable "Allowing saving logon information" and "Dynamic certificate trust" for Connections Setting under Pulse Secure Client.
  14. Enable Server certificate trust enforcement:
    (System > Configuration > Mobile > Select "Enabled" under Server certificate trust enforcement)
  15. Enable Traffic Enforcement for IPV4 and IPV6 (for L3 tunnel customers)
  16. Enable HTTP Only Device Cookie under User Role. See KB16127.
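The following is an added example, not code from the page or from Pulse/Ivanti. It models, with constructed data, what three of the role options above do: roaming session disabled (the cookie is bound to the login IP) or limited to a subnet, a fixed session lifetime, and the IP lockout counter from item 7 together with its load-balancer caveat. The class and function names are assumptions for illustration, not appliance APIs.

```python
"""Session-policy model for the user-session items above (added example, not
Pulse/Ivanti code). Class and function names are assumptions for illustration."""
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    source_ip: object   # ipaddress address object captured at login
    created_at: float   # seconds since epoch
    lifetime: float     # seconds; the "session lifetime" role option


class SessionStore:
    """roaming='disabled' pins a session to one address; 'subnet' to a prefix."""

    def __init__(self, roaming="disabled", subnet_prefix=24, lifetime=24 * 3600):
        self.roaming = roaming
        self.subnet_prefix = subnet_prefix
        self.lifetime = lifetime
        self._sessions = {}

    def login(self, user, source_ip, now):
        cookie = secrets.token_urlsafe(32)  # unguessable session cookie
        self._sessions[cookie] = Session(user, ipaddress.ip_address(source_ip), now, self.lifetime)
        return cookie

    def validate(self, cookie, source_ip, now):
        """Return (ok, reason). A cookie replayed from another address, or after
        the lifetime has elapsed, is rejected and the session is dropped so the
        user must re-authenticate."""
        sess = self._sessions.get(cookie)
        if sess is None:
            return False, "unknown cookie"
        if now - sess.created_at > sess.lifetime:
            del self._sessions[cookie]
            return False, "session lifetime exceeded; re-authenticate"
        ip = ipaddress.ip_address(source_ip)
        if self.roaming == "disabled" and ip != sess.source_ip:
            del self._sessions[cookie]
            return False, "source IP changed; re-authenticate"
        if self.roaming == "subnet":
            net = ipaddress.ip_network(f"{sess.source_ip}/{self.subnet_prefix}", strict=False)
            if ip not in net:
                del self._sessions[cookie]
                return False, "source IP outside login subnet; re-authenticate"
        return True, "ok"


class LockoutTracker:
    """IP lockout: `max_failures` failed logins from one address inside `window`
    seconds lock that address out for `lockout` seconds."""

    def __init__(self, max_failures=3, window=60, lockout=10 * 60):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # ip -> timestamps of recent failures
        self._locked_until = {}  # ip -> time the lockout expires

    def is_locked(self, ip, now):
        return self._locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Record one failed login; return True if the address is now locked."""
        recent = [t for t in self._failures.get(ip, []) if now - t <= self.window]
        recent.append(now)
        self._failures[ip] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            self._failures[ip] = []
        return self.is_locked(ip, now)


def load_balancer_caveat():
    """The caveat in item 7: behind a proxy or load balancer every user shares
    the proxy's address, so three unrelated users mistyping their passwords lock
    the address, and a fourth user with the right password is refused as well."""
    tracker = LockoutTracker(max_failures=3, window=60, lockout=10 * 60)
    proxy_ip = "192.0.2.1"  # constructed: the load balancer as seen by the appliance
    for t in (0.0, 5.0, 10.0):
        tracker.record_failure(proxy_ip, t)
    return tracker.is_locked(proxy_ip, 15.0)  # True: everyone behind the proxy is locked out
```

The store drops a session on the first mismatch rather than merely refusing the request, which is what forces re-authentication; `load_balancer_caveat()` shows why the lockout counter should only be relied on when the appliance sees real client addresses.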

Server side security:

  1. Logging: Enable logging to a syslog server. This should be done for each of the following: Events, User Access, and Admin Access logs. (System --> Log/Monitoring --> "Events" / "User Access" / "Admin Access" --> Settings: Syslog Servers). Please see KB22227 - [SSL VPN] How to configure the Syslog server for more information on this topic.
  2. Configure NTP (Network Time): Ensure that your system's time is correct as it will help during any future logging investigations. (System --> Status --> Overview --> "System Date & Time" --> click "Edit" --> Time Source --> "Use NTP Server": Fill in NTP server configuration).
  3. Disable legacy SSL renegotiation support: (Security --> Configuration --> Security --> SSL Options: Uncheck "SSL Legacy Renegotiation Support option")
  4. Enable the "Use 2048-bit Diffie-Hellman key exchange" option: (System --> Configuration --> Security --> Inbound SSL Options --> Key Exchange Options)
  5. Disable clients that only support weak ciphers: (System --> Configuration --> Security --> SSL Options --> Encryption Strength Option --> Enable checkbox for ‘Do not allow connections from browsers that only accept weaker ciphers’.)
  6. Disable 3DES: Please refer to the following KB on how to disable 3DES cipher suites. KB40706 - Disable 3DES cipher suites for Pulse Connect Secure or Pulse Policy Secure
  7. Disable all TLS_RSA ciphers to address Return Of Bleichenbacher's Oracle Threat (ROBOT).
  8. Configure Inbound SSL Settings for "Accept only TLS 1.2 and later"
  9. Enable Perfect Forward Secrecy, or place Elliptic Curve Ephemeral Diffie-Hellman (ECDHE) suites at the top of the cipher suite list (Configuration > Security > Inbound SSL Options > Select radio button for Perfect Forward Secrecy)
  10. Starting from the 8.2RX / 5.3RX release, a granular cipher suite feature was added that allows the administrator to select custom cipher suites from the admin UI. (Configuration > Security > Inbound SSL Options > Select radio button for Custom SSL Cipher Selection).
Note: The latest Pulse Connect Secure versions have the following settings by default, so they have been removed from the list above:
  • HTTP Strict Transport Security (HSTS) and X-Frame-Options are enabled
  • RC4 and SSLv3 are disabled
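Items 6 to 9 above can be expressed as a small audit over an exported cipher configuration. The following is an added example, not Ivanti code or appliance output: the protocol lists and IANA-style cipher suite names are constructed, and `audit_tls_config` with its message text is an assumption for illustration.

```python
"""Audit of an inbound TLS configuration against server-side items 6 to 9 above
(added example, not Ivanti code). Sample data is constructed; function names and
messages are assumptions for illustration."""

OBSOLETE_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # item 8: TLS 1.2 and later only


def has_forward_secrecy(suite):
    """Ephemeral (EC)DHE key exchange; every TLS 1.3 suite (TLS_AES_*, TLS_CHACHA20_*) is ephemeral."""
    return suite.startswith(("TLS_ECDHE_", "TLS_DHE_", "TLS_AES_", "TLS_CHACHA20_"))


def audit_cipher_suite(suite):
    """Return the checklist items a single cipher suite violates."""
    problems = []
    if "3DES" in suite:
        problems.append("3DES (item 6)")
    if suite.startswith("TLS_RSA_"):
        problems.append("static RSA key exchange, ROBOT (item 7)")
    if not has_forward_secrecy(suite):
        problems.append("no forward secrecy (item 9)")
    return problems


def audit_tls_config(protocols, suites):
    """Return findings for the enabled protocol versions and the ordered suite list."""
    findings = []
    for proto in protocols:
        if proto in OBSOLETE_PROTOCOLS:
            findings.append(f"{proto} enabled (item 8)")
    for suite in suites:
        for problem in audit_cipher_suite(suite):
            findings.append(f"{suite}: {problem}")
    # item 9 also wants ECDHE at the top of the preference list
    if suites and not suites[0].startswith("TLS_ECDHE_"):
        findings.append(f"{suites[0]}: first preference is not ECDHE (item 9)")
    return findings


# Constructed configurations: a legacy one that fails several items, and a hardened one.
LEGACY_PROTOCOLS = ["TLSv1", "TLSv1.2"]
LEGACY_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]
HARDENED_PROTOCOLS = ["TLSv1.2", "TLSv1.3"]
HARDENED_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    for finding in audit_tls_config(LEGACY_PROTOCOLS, LEGACY_SUITES):
        print("FAIL", finding)
    print("hardened findings:", audit_tls_config(HARDENED_PROTOCOLS, HARDENED_SUITES))
```

A `TLS_RSA_*` suite fails twice (static RSA key exchange and no forward secrecy), which is why removing the whole `TLS_RSA` family satisfies both item 7 and item 9 at once.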

Device Management:

  1. Lock down administrative access to internal or management interfaces only. Disable admin access from the external port, which is the default setting.
     (Administrators --> Admin Realms --> <realm name> --> Authentication Policy --> Source IP --> Ensure that "Enable administrators to sign in on the External Port" is not enabled.)
  2. Disable roaming session or limit to a subnet for admin users.
  3. Add realm level restrictions for admin realms and roles to provide additional protection. For more information, please refer to Access Restrictions under the General Access Management guide.
  4. Lock down serial console access with a password. (This must be done from the console port command line interface.)
  5. Encrypt backed-up configuration exports and store them securely.
  6. Do not use "admin", "administrator" or other popular administrator login names or passwords. Choose a non-standard administrator username and a complex password.
  7. Rename the default admin sign-in URL from /admin to something non-standard.
  8. Use a two-arm configuration (External and Internal port) whenever possible.
  9. If the device is using a one-arm configuration (Internal port only) and SNMP is enabled, ensure UDP port 161 is blocked from external access.
  10. Enable the Unauthenticated Request option: unauthenticated requests are not logged by the VPN appliance unless this option is enabled (Log/Monitoring > User Access > Settings); it is off by default. Configure a Syslog Server along with this option.

Authentication security:

  1. Two factor authentication (2FA): Pulse Secure recommends the use of two factor authentication. A One Time Password (OTP) or Client Certificate Authentication are two good options that are available. 2FA is more secure than standard user-chosen passwords for a number of reasons. An OTP token can only be used a single time and therefore cannot be reused if an attacker was able to capture it. Long, unique, and complex passwords are required by today's security standards; however, most users have trouble remembering them, which causes usability issues. Using 2FA addresses both of those issues.
  2. If possible, use client certificate authentication with OCSP or a CRL on the server side, with secondary authentication (AD/LDAP authentication servers) for sign-in realms.
  3. LDAP: Enabling LDAPS or StartTLS is strongly recommended.
  4. Please ensure that end users are issued distinct certificates.
  5. Active Directory: Active Directory Standard mode is strongly recommended. For more information, refer to KB40251 - Pulse Connect Secure recommended Active Directory authentication server mode.
  6. If local authentication is utilized, use the following settings:
    • Minimum password length: 10
    • Maximum password length: 128
    • Password must have at least 1 digit
    • Password must have at least 2 letters
    • Password must have mix of UPPERCASE and lowercase letters
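The five local-authentication settings above, as a checker that can be run over candidate passwords before they are set. This is an added example, not Ivanti code; `check_password_policy` and its message strings are assumptions, while the thresholds are the values from the list.

```python
"""Checker for the local-authentication password settings listed above (added
example, not Ivanti code; function name and messages are assumptions)."""

MIN_LENGTH = 10
MAX_LENGTH = 128
MIN_DIGITS = 1
MIN_LETTERS = 2


def check_password_policy(password):
    """Return the list of rules the password breaks; an empty list means it is acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"fewer than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        violations.append(f"more than {MAX_LENGTH} characters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        violations.append(f"fewer than {MIN_DIGITS} digit(s)")
    if sum(c.isalpha() for c in password) < MIN_LETTERS:
        violations.append(f"fewer than {MIN_LETTERS} letters")
    # mix of UPPERCASE and lowercase: both must be present
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        violations.append("no mix of uppercase and lowercase letters")
    return violations


if __name__ == "__main__":
    for candidate in ("Correct-Horse-7", "short1A", "alllowercase123", "1234567890"):
        print(repr(candidate), "->", check_password_policy(candidate) or "ok")
```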

Endpoint Security:

  1. Host Checker: Pulse Secure recommends using Host Checker to ensure that clients are running antivirus software that is up to date. Host Checker can be used to verify an endpoint for many requirements including having a firewall enabled.
  2. We recommend using a current and updated version of Firefox, Chrome, Edge, or Safari. These browsers support TLS 1.2 and also have a good track record for making quick security updates for vulnerabilities.

Security updates and advisories:

  1. Subscribe to alerts: Ensure that you are subscribed to security advisories to keep yourself up to date on current fixes provided by Pulse Secure. Currently, Pulse is utilizing the TSB system for our security advisories. (This will be an option once we have a new Pulse Secure Security Advisory system online.)
  2. Software updates: We recommend that all customers use Pulse Secure Customer Support Center recommended releases, or newer. This ensures that you have the most reliable and secure software release on your Pulse Secure devices.
Created By: Data Deployment