We are very excited to announce the release of Pulse Policy Secure (PPS) version 9.0R1. This release enables our customers to achieve scalable visibility and secure access in their environment. Below are key highlights of the new release.
Scalable Distributed Profiler
The connection of Internet of Things (IoT) devices to corporate networks demands complete network visibility, compliance and access control. In a distributed network, admins are required to provide centralized endpoint visibility with minimum WAN bandwidth consumption. Pulse Secure Profiler supports profiling endpoints when the endpoints are connected to PPS through a WAN. This is often the case in distributed networks where several “branch” offices connect to a central datacenter. By installing a “Profiler Forwarder” in each of the branches, you can ensure all profiling happens locally in the LAN, and the results are sent to the “remote” Profiler running in the data center.
Profiler Management improvements allow admins to analyze and troubleshoot endpoint contextual information. Pulse Secure Profiler supports browsing and searching through profiles so you can know how a device gets profiled when it attaches itself to the network. Using editing capabilities, admins can modify the profile so the updated profile is instantly applied to all existing endpoints and to new devices that have the same fingerprint.
Endpoint classification is very important for asset management, compliance and access control. In previous releases, the OSX devices were fingerprinted mainly through the DHCP collector. In this release, fingerprinting the OSX endpoints is improved by using the SSH collector.
Export/Import Contextual Information and Profiler Database
You can now import data into the DDR report by using a CSV (comma-separated) file. In addition to just importing the data, you can also define an additional “custom” field that can be used for role-mapping.
SECURE ACCESS CONTROL
Session Federation for PCS sessions to Palo Alto Networks Firewall
When it comes to better user experience and security, admins prefer a Single Sign-on experience for their users to access protected resources without compromising security. Pulse Policy Secure (PPS) integrates with Palo Alto Network’s (PAN) Firewall to provision user’s identity information (user name, roles and IP address) to the PAN firewall using REST API. You can provision Pulse Connect Secure (PCS) user’s identity information to PAN firewall using IF-Map so that access control can be provided for PCS users accessing resources protected by the firewall.
Admission Control based on PAN firewall
Next-generation firewalls can detect any compromised devices at the perimeter level, however, they don’t have control over individual endpoints within the network. If an endpoint is compromised, it may infect other endpoints within the network. In order to isolate endpoints from the network, PPS performs user access control based on threats identified by PAN FW. This solution reduces threat response time from days to seconds with automated admission control policies.
SECURITY AND COMPLIANCE
Guest Access Compliance
As a part of BYOD initiatives, enterprises allow guests and contractors to connect to their network. However, it increases security risk which can be mitigated by compliance checks for BYO devices. PPS supports compliant check enforcement for guest user login (for WLC and Cisco Wired Switch) to implement secure access by checking for up-to-date AV, firewall, applications, etc. during pre- and post-admission control.
PPS now supports network device administration using TACACS+ for central management and secure network devices. TACACS+ is mainly designed for administrator AAA which separates the functions of Authentication, Authorization and Accounting with use of TCP to ensure reliable delivery.
RFC (6218) Cisco Key Wrap Support
PPS supports Advanced Encryption Standard (AES) key wrap for RADIUS to improve security between the Radius Client and Server. It can avoid security risk associated with unencrypted wireless networks and unauthorized access to internal network resources.
Clustering over High Latency Networks
PPS supports clustering on Hyper-V and KVM platforms to achieve high availability in virtual environments. Configuration-sync over high-latency networks has been added to the clustering framework, supporting up to 100ms latencies.
Host Checker Enhancements for Compliance Check
For MAC platforms, Host Checker will check for any missing patches based on categories and remediate if any patch is missing using the SCCM client. In addition, Host Checker enables vulnerability assessment checks for Windows which involves checking the endpoint for specified vulnerabilities (e.g. WannaCry, Petya, etc.).
NDcPP and JITC CAT II Certifications
The fixes and enhancements made to comply with NDcPP and JITC CAT II certifications in v5.3 have been merged in 9.0R1. Customers subject to these compliance mandates can upgrade to 9.0R1 to get the latest enhancements, without compromising their certifications.