This document will act as a security best practices guide. This document will be updated as more information is made available.

Updated: April 30th, 2019

Configuration Best Practices

User session security:

1. Disable roaming session or limit to subnet for non-roaming user roles: This feature ensures that if a session cookie is stolen it cannot be reused by a different IP address than the user who first logged in. This lowers the possibility of a session being stolen and reused by an attacker.  This would require the end user to re-authenticate when the source IP address is changed.

   1. Users: (Users --> User Roles --> <role name> --> General --> Session Options: Roaming Session, select "Disabled").

   2. Admins: (Administrators --> Admin Roles --> <role name> --> General --> Session Options: Roaming Session, select "Disabled").
      

2. Session limits: Ensure that user sessions are limited to a set length. If a session was stolen it would only be active until the session timed out. 24 or 48 hours is a good session length recommendation to start with. (Users --> User Roles --> <role name> --> General --> Session Options: Session lifetime lengths).
3. Launch Pulse as stand alone: If your deployment is such that you mostly use L3 VPN based access AND don't use a browser to access an application through our client-less (web rewriter technology) then you may want to consider a deployment mode where a browser is not used to login to the Gateway or access any feature of the gateway. By doing so you will eliminate any risks that typically come with accessing an application via a web browser. Administrator may configure additional restrictions to prevent certain browsers or source IPs from accessing the web interface. For more info, lease refer to Access Restrictions under General Access Management guide.
4. Use the IP lockout option to block brute force password attacks. Caveat: If your users are accessing the Pulse Secure device through a load balancer or proxy, this will not be viable since they may appear to come from the same IP address. Default values are good for most situations. You can define this to your specific needs if the default isn't sufficient. (Security --> Configuration --> Security --> Miscellaneous: Lockout Options)
5. Disable "Allowing saving logon information" and "Dynamic certificate trust" for Connections Setting under Pulse Secure Client.

Server side security:

1. Logging: Enable logging to a syslog server. This should be done for each of the following: Events, User Access, and Admin Access logs. (System --> Log/Monitoring --> "Events" / "User Access / "Admin Access" --> Settings: Syslog Servers).  Please see KB22227 - [SSL VPN] How to configure the Syslog server for more information on this topic.
2. Configure NTP (Network Time): Ensure that your system's time is correct as it will help during any future logging investigations. (System --> Status --> Overview --> "System Date & Time" --> click "Edit" --> Time Source --> "Use NTP Server": Fill in NTP server configuration).
3. Disable legacy SSL renegotiation support: (Security --> Configuration --> Security --> SSL Options: Uncheck "SSL Legacy Renegotiation Support option")
4. Disable clients that only support weak ciphers: (System --> Configuration --> Security --> SSL Options --> Encryption Strength Option --> Enable checkbox for ‘Do not allow connections from browsers that only accept weaker ciphers’.)
5. Disable 3DES: Please refer to the following KB on how to disable 3DES cipher suites. KB40706 - Disable 3DES cipher suites for Pulse Connect Secure or Pulse Policy Secure
6. Disable all TLS_RSA ciphers to address Return Of Bleichenbacher's Oracle Threat (ROBOT).
7. Configure Inbound SSL Settings for "Accept only TLS 1.2 and later"
8. Enable Perfect Forward Secrecy or configure Ephemeral Diffie Hellman (ECDHE) at the top of the cipher suites list:

   (Configuration > Security > Inbound SSL Options > Select radio button for Perfect Forward Secrecy)

Note: The latest Pulse Policy Secure versions have the following changes by default and have been removed above:

• HTTP Strict Transport Security (HSTS) and X-Frame Options are enabled
• RC4 and SSLV3 are disabled

Device Management:

1. Lock down administrative access to internal or management interfaces only.  Disable admin access from external port, which is the default setting. 

Administrators --> Admin Realms --> <realm name> --> Authentication Policy --> Source IP –> Ensure that "Enable administrators to sign in on the External Port" is not enabled.

2. Disable roaming session or limit to a subnet for admin users.
3. Add realm level restrictions for admin realms and roles to provide additional protection. For more info, lease refer to Access Restrictions under General Access Management guide.
4. Lock down serial console access with a password. (This will need to be done from the console port command line interface.)
5. Encrypt backed up configuration exports and store them securely.
6. Do not use "admin", "administrator" or other popular administrator login names or passwords. Chose an administrator username that is non-standard and a complex password.
7. Rename the default admin sign in URL from /admin to something non-standard.
8. Use two-arm configuration whenever possible. (External and Internal port).  
9. If the device is using a one-arm configuration (Internal port only) and SNMP is enabled, ensure UDP port 161 is blocked from external access.

Authentication security:

1. Two factor authentication (2FA): Pulse Secure recommends the use of two factor authentication. A One Time Password (OTP) or Client Certificate Authentication are two good options that are available. 2FA is more secure than the standard user chosen passwords for a number of reasons. An OTP token can only be used a single time and therefore cannot be reused if an attacker was able to capture it. Long, unique, and complex passwords are required for today's security standards, however most users have trouble remembering them which can cause usability issues. Using 2FA can solve both of those issues.
2. If possible use client certificate authentication with OCSP or a CRL on the server-side with secondary authentication for sign-in realms. (AD/LDAP authentication servers).
3. LDAP: Enable LDAPS or Start TLS is strongly recommended.
4. Active Directory: Active Directory Standard mode is strongly recommended. For more information, refer to KB40251 - Pulse Connect Secure recommended Active Directory authentication server mode.
5. If local authentication is utilized, use the following settings:
   • Minimum password length: 10
   • Maximum password length: 128
   • Password must have at least 1 digits
   • Password must have at least 2 letters
   • Password must have mix of UPPERCASE and lowercase letters

Endpoint Security:

1. Host Checker: Pulse Secure recommends using Host Checker to ensure that clients are running antivirus software that is up to date. Host Checker can be used to verify an endpoint for many requirements including having a firewall enabled.
2. We recommend using a current and updated version Firefox, Chrome, Internet Explorer, or Safari. These browsers support TLS 1.2 and also have a good track record for making quick security updates for vulnerabilities.

Security updates and advisories:

1. Subscribe to alerts: Ensure that you are subscribed to security advisories to keep yourself up to date on current fixes provided by Pulse Secure. Currently, Pulse is utilizing the TSB system for our security advisories. (This will be an option once we have a new Pulse Secure Security Advisory system online.)
2. Software updates: We recommend that all customers use Pulse Secure Customer Support Center recommended releases, or newer. This ensures that you have the most reliable and secure software release on your Pulse Secure devices.