Open Standards
Pulse Secure is a strong supporter of open standards, including those of
the Trusted Computing Group's (TCG) Trusted Network Connect (TNC) Work
Group, which ensure interoperability with a host of network and security
offerings. Through its support of the TNC standard Statement of Health
(SOH) protocol, Pulse Policy Secure with the optional SOH license
interoperates with the Microsoft Windows SOH and the embedded Microsoft
Network Access Protection (NAP) agents, enabling you to use the NAP agent
already present in Windows 10, Windows 8.1, Windows 8, Windows 7, Windows
RT, and Windows Vista. Pulse Policy Secure also supports the TNC's open
standard Interface for Metadata Access Point (IF-MAP) through a license
option, enabling integration with third-party network and security
devices, including nearly any device that supports the IF-MAP standard and
collects information about activity on, or the state of, your network.
Pulse Policy Secure can use this data when making access control decisions
and take any necessary and appropriate action.
Quick, Easy Deployment
Network access control with Pulse Policy Secure is deployed quickly and
easily. It includes an optional step-by-step configuration wizard to aid
administrators in configuring common network access control (NAC)
deployment scenarios. Pulse Policy Secure also lets you and your users ease
into policy enforcement: access control can be phased in, and it can be run
in audit mode, which logs what would have been enforced without blocking
anyone. Light-touch deployment wizards are available to support
best-practice guidelines. Juniper SRX Series gateways can be deployed in
transparent mode with Pulse Policy Secure, acting as a "bump in the wire"
(BITW) and eliminating the need to modify your network's routing topology.
Mobile Device Management (MDM) systems such as those from MobileIron and
AirWatch can be used to transparently deploy and configure Pulse Secure
clients on Android and iOS devices, easing deployment to remote devices.
Lastly, it has also been tested to work with select Cisco and HP Aruba
wireless LAN equipment.
Architecture and Key Components
Pulse Policy Secure uses three core components to deliver context-aware
(who, what, where, when, and so on) network and application access
control:
PSA Series, MAG Series, or Virtual Machines
Pulse Policy Secure is the network and application access control software
that runs on the Pulse PSA Series or MAG Series Appliances, or as a virtual
machine on KVM or VMware hypervisors. Pulse PSA Series and MAG Series
Appliances are purpose-built, centralized policy management hardware that
work with the Pulse Secure Client, or in clientless mode, to obtain user
authentication, device security posture, and device location data from a
user's endpoint device.
This data drives dynamic policies that are propagated to policy
enforcement points throughout the distributed network worldwide. Pulse
Policy Secure leverages the policy control engine from Pulse Connect
Secure, as well as its ability to integrate seamlessly with existing
authentication, authorization, and accounting (AAA) and identity and access
management (IAM) infrastructure. It also integrates RADIUS capabilities and
enhanced services from Pulse Secure's SBR (Steel-Belted Radius) Enterprise
Series Servers, so that it can act as the RADIUS server in an 802.1X
transaction whenever a device, mobile or not, attempts to connect to the
network. Pulse Policy Secure and the Pulse PSA or MAG Series Appliances may
also be licensed as standalone RADIUS servers.
A single Pulse PSA or MAG Series Appliance running Pulse Policy Secure can
be deployed with your existing 802.1X-capable switches or wireless access
points from any vendor.
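In an 802.1X deployment the switch or access point does not authenticate the user itself; it relays the supplicant's EAP messages to the RADIUS server (here, Pulse Policy Secure) inside RADIUS Access-Request packets, and the shared secret between NAS and server is what stops anyone on the wire from forging those requests. The following added example (not Pulse Secure code, and not taken from the datasheet) shows that exchange at the wire level in Python: the NAS side builds an Access-Request carrying an EAP-Response/Identity in the EAP-Message attribute and protects it with a Message-Authenticator (HMAC-MD5 over the packet, keyed with the shared secret, as RFC 3579 requires for any request containing EAP-Message); the server side validates the length field, walks the attributes defensively, and discards a request whose authenticator is missing or does not verify. The secret, NAS address, user name and EAP payload are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example (not from any real deployment).
SHARED_SECRET = b"example-nas-secret"
# EAP-Response/Identity for user "alice": code 2, id 1, length 10, type 1.
EAP_IDENTITY = struct.pack("!BBH", 2, 1, 10) + b"\x01alice"

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def build_access_request(identifier, user_name, eap, nas_ip, secret, protect=True):
    """Build the Access-Request a NAS sends when relaying a supplicant's EAP
    response. With protect=True the packet carries Message-Authenticator:
    HMAC-MD5 keyed with the shared secret over the whole packet, computed
    with the attribute's own 16 value octets zeroed (RFC 3579 section 3.2)."""
    attrs = (attr(ATTR_USER_NAME, user_name)
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_EAP_MESSAGE, eap))
    if protect:
        attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + os.urandom(16) + attrs   # 16 random octets = Request Authenticator
    if protect:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac            # the zeroed value is the last 16 octets
    return packet


def parse_attributes(packet):
    """Walk the TLVs after the 20-octet header, returning (type, offset, value)
    triples; a malformed length raises instead of reading past the buffer."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        out.append((atype, pos, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_access_request(packet, secret):
    """The RADIUS server's checks before it hands the EAP payload to the EAP
    method: the Length field must match, and any request carrying EAP-Message
    must carry a Message-Authenticator that verifies, else it is discarded."""
    if len(packet) < 20:
        return False, "short packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False, "bad code or length"
    try:
        attrs = parse_attributes(packet)
    except ValueError as exc:
        return False, str(exc)
    has_eap = any(t == ATTR_EAP_MESSAGE for t, _, _ in attrs)
    macs = [(off, v) for t, off, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if has_eap and not macs:
        return False, "EAP-Message without Message-Authenticator"
    if macs:
        if len(macs) != 1 or len(macs[0][1]) != 16:
            return False, "malformed Message-Authenticator"
        off, value = macs[0]
        zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(expected, value):
            return False, "Message-Authenticator mismatch"
    return True, "ok"


def eap_payload(packet):
    """Reassemble the EAP packet from its EAP-Message fragments, in order."""
    return b"".join(v for t, _, v in parse_attributes(packet) if t == ATTR_EAP_MESSAGE)


if __name__ == "__main__":
    pkt = build_access_request(7, b"alice", EAP_IDENTITY, "192.0.2.10", SHARED_SECRET)
    print(verify_access_request(pkt, SHARED_SECRET), eap_payload(pkt))
    forged = pkt[:22] + bytes([pkt[22] ^ 0x01]) + pkt[23:]   # flip one User-Name octet
    print(verify_access_request(forged, SHARED_SECRET))
    bare = build_access_request(8, b"alice", EAP_IDENTITY, "192.0.2.10", SHARED_SECRET, protect=False)
    print(verify_access_request(bare, SHARED_SECRET))
```

Two practical points follow from the code. First, the only thing standing between an attacker with access to the NAS-to-server path and a forged or modified Access-Request is the shared secret, so per-NAS secrets of real entropy matter more than any other RADIUS setting; and a server that accepts EAP-Message without Message-Authenticator has thrown that protection away. Second, the random Request Authenticator is what binds the later Access-Accept to this request, which is why it is generated fresh per packet rather than reused.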
Pulse Secure Client and Clientless Mode Deployments
Pulse Secure Client is the integrated, multifunction client, which can be
dynamically downloaded and provisioned to endpoint devices in real time.
It provides the user interface to Pulse Policy Secure as well as to other
Pulse Secure services. The same Pulse Secure Client can be used in wired,
wireless, or combined deployments. Pulse Policy Secure also provides a
clientless mode for circumstances where software downloads are not
feasible. Access can be delivered based on role, with client-based or
clientless access linked dynamically to the user or device identity.
Pulse Client, or clientless mode, collects user and device credentials and
assesses the device's security state. It leverages and integrates with the
native 802.1X supplicant built into Microsoft Windows to deliver
comprehensive Layer 2 (L2) access control, and can also work with the
native 802.1X supplicants on Apple Mac OS X and iOS and on Google Android
devices for L2 authentication. Pulse Client, together with Pulse Policy
Secure, also provides Layer 3 (L3) authentication and IPsec tunneling with
any Juniper firewall, including the SRX Series, as an optional secure
transport that encrypts traffic from the endpoint to the firewall for
session integrity and privacy, along with single sign-on (SSO) to Microsoft
Active Directory and silent provisioning to SRX Series gateways.
Pulse Client includes Host Checker functionality, enabling you to define
policies that scan mobile and non-mobile devices attempting to connect to
your network for a variety of security applications and states, both
through the Pulse Client itself and by using attributes from Mobile Device
Management (MDM) systems such as AirWatch and MobileIron. For Windows and
Mac OS X devices, Host Checker scans for active antivirus, anti-malware,
and personal firewalls. It also enables custom checks of elements such as
registry values and port status on Windows devices, and can compare a
Message Digest 5 (MD5) checksum to verify that an application matches a
known image.
Mobile devices running Apple iOS or Android initially connect to a Pulse
Connect Secure (SSL VPN) gateway, which runs Host Checker on the mobile
device to check its security posture. This host check includes device and
OS identification, detection of jailbroken or rooted devices, device type,
and more. It can also leverage integration with MDM systems to run a health
check and set policy based on a wider set of attributes for iOS and Android
devices. If the mobile device passes the host check and the user is
authenticated, appropriate network access is granted. At that time, the
user's session information is shared between Pulse Connect Secure and
Pulse Policy Secure via the TNC IF-MAP protocol, and Pulse Policy Secure
then pushes the appropriate access policies for the user and mobile device
to the Juniper SRX, Palo Alto Networks, or Fortinet firewall.
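The posture checks described above (antivirus and firewall state, rooted or jailbroken detection, an application checksum) only matter through the access decision they drive, so the following added example sketches that mapping in Python. It is not Host Checker code or any Pulse Secure output; the report fields, the policy keys, the approved application image and the three role names are all constructed for the example. The application is verified by hashing the presented image and comparing it in constant time against approved digests; MD5 is included because that is the check the datasheet names, and SHA-256 is computed alongside it because MD5 collisions are practical and a match on MD5 alone should not be treated as proof of integrity.

```python
import hashlib
import hmac

# Constructed sample data for this example; nothing here is real Host Checker
# output or a real application image.
APPROVED_IMAGE = b"pretend-endpoint-agent-binary v4.2 (constructed sample)"

POLICY = {
    "require_antivirus": True,
    "require_firewall": True,
    "deny_rooted": True,
    # Digests of the approved application image. MD5 is the check the
    # datasheet names; SHA-256 is added here as the collision-resistant one.
    "app_md5": hashlib.md5(APPROVED_IMAGE).hexdigest(),
    "app_sha256": hashlib.sha256(APPROVED_IMAGE).hexdigest(),
}


def verify_application(image, policy):
    """Hash the presented application image and compare it to the approved
    digests in constant time. Returns the set of failed digest checks."""
    failed = set()
    if not hmac.compare_digest(hashlib.md5(image).hexdigest(), policy["app_md5"]):
        failed.add("app_md5")
    if not hmac.compare_digest(hashlib.sha256(image).hexdigest(), policy["app_sha256"]):
        failed.add("app_sha256")
    return failed


def evaluate_posture(report, image, policy):
    """Map a posture report plus the application image to an access role.

    report keys (constructed for this example): platform, antivirus_running,
    firewall_running, rooted. Roles (also constructed): "full-access" when
    every check passes; "remediation" when only the antivirus/firewall checks
    fail, since the user can fix those and retry; "quarantine" when the device
    is rooted/jailbroken or the application image does not match."""
    failed = set(verify_application(image, policy))
    platform = report.get("platform")
    if platform in ("windows", "macos"):
        if policy["require_antivirus"] and not report.get("antivirus_running"):
            failed.add("antivirus")
        if policy["require_firewall"] and not report.get("firewall_running"):
            failed.add("firewall")
    if platform in ("ios", "android") and policy["deny_rooted"] and report.get("rooted"):
        failed.add("rooted")
    if failed & {"rooted", "app_md5", "app_sha256"}:
        role = "quarantine"
    elif failed:
        role = "remediation"
    else:
        role = "full-access"
    return role, sorted(failed)


if __name__ == "__main__":
    healthy = {"platform": "windows", "antivirus_running": True, "firewall_running": True}
    print(evaluate_posture(healthy, APPROVED_IMAGE, POLICY))
    print(evaluate_posture(dict(healthy, firewall_running=False), APPROVED_IMAGE, POLICY))
    print(evaluate_posture({"platform": "ios", "rooted": True}, APPROVED_IMAGE, POLICY))
    print(evaluate_posture(healthy, APPROVED_IMAGE + b"\x00", POLICY))
```

The split between "remediation" and "quarantine" is the design point worth copying: a missing firewall is a state the user can correct, so a limited role that reaches only the remediation resources is appropriate, whereas a rooted device or an application that hashes differently from the approved image is evidence the endpoint cannot be trusted to report on itself, and no self-reported attribute should be able to upgrade it.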