JITC Mode

Prerequisites for enabling JITC Mode

Before enabling JITC Mode, the admin must make sure that the Trusted Server CAs and the device certificate have been imported. If this has not been done yet, perform the following steps before enabling JITC mode.

Log in to the PCS/PPS admin console from any browser at https://a.b.c.d/admin using the admin credentials. Note: the admin credentials are configured during the initial setup via the console.

1. Import Trusted Server CA. For this, on the administrator web console:

Navigate to System > Configuration > Certificates > Trusted Server CAs.

Click on Import Trusted Server CA.

On the Import Trusted Server CA screen, click on Browse and select the root CA certificate file to import.

To import a CA chain, all Sub CAs must be imported one by one.

Once the CA or CA chain is imported, click Done.

The Common Name of the imported trusted server CA is then shown in the Trusted Server CA table on the System > Configuration > Certificates > Trusted Server CAs screen.

2. Import Device Certificate

Navigate to System > Configuration > Certificates > Device Certificate.

Click on Import Certificate & Key.

On the Import Certificate & Key page, click on Browse and select the device certificate file whose extendedKeyUsage field is set for Server Authentication.

Enter the password that protects the private key in the Password Key text box and click Import.

The new certificate is shown in System > Configuration > Certificates > Device Certificates.

Click on the certificate name that was created.

The Certificate Details screen is shown. In the expanded Present certificate on these ports section, select <Internal Port> in the left panel labelled Internal Virtual Ports and click Add > to map it to the new device certificate.

If <Internal Port> is not listed in the left panel labelled Internal Virtual Ports, the internal port is already mapped to a different device certificate; see the note below for instructions on removing the internal port from the currently mapped device certificate.

Click on Save Changes; the port selected in step 11 is shown in the Used by field for the new certificate.

The Certificate Details screen is shown. In the expanded Present certificate on these ports section, select <External Port> in the left panel labelled External Virtual Ports and click Add > to map it to the new device certificate.

Click on Save Changes; the port selected in step 6 is shown in the Used by field for the new certificate.

If the internal port is already mapped to a different device certificate, do the following:

Click the device certificate that is mapped to the internal port and select <Internal Port> from the Selected Virtual Ports box.

Click on Remove to unmap the device certificate from the internal port, then click Save Changes.

Enabling JITC Mode

1. On the PCS/PPS web console, navigate to System > Configuration > Security > Inbound SSL Options.

Select the highlighted Turn on JITC mode checkbox to make the PCS/PPS Common Criteria compliant.

Once Turn on JITC mode is enabled, Turn on NDcPP mode and Turn on FIPS mode are also enabled automatically.

Select the Use 2048 bit Diffie-Hellman key exchange checkbox.

Uncheck the SSL Legacy Renegotiation Support option.

Click on Save Changes.

At this point, Turn on JITC mode is enabled for both Inbound SSL Options and Outbound SSL Options, and the following is shown:

Accept only TLS 1.0 and later and Accept SSL V3 and TLS (maximize compatibility) are disabled in JITC mode. Accept only TLS 1.1 and later is selected by default.

Custom SSL Cipher Selection and Allowed Encryption Strength are selected automatically. Clicking Show Selected Ciphers displays the 16 selected ciphers in the right panel labelled Selected Ciphers.

Select TLS_DHE_RSA_WITH_AES_128_CBC_SHA and TLS_DHE_RSA_WITH_AES_256_CBC_SHA in the right panel and click the Remove button to remove them from Selected Ciphers.

Navigate to System > Configuration > Security > Outbound SSL Options.

Custom SSL Cipher Selection and Allowed Encryption Strength are selected automatically. Clicking Show Selected Ciphers displays the 16 selected ciphers in the right panel labelled Selected Ciphers.

Select TLS_DHE_RSA_WITH_AES_128_CBC_SHA and TLS_DHE_RSA_WITH_AES_256_CBC_SHA in the right panel and click the Remove button to remove them from Selected Ciphers.

Navigate to System > Configuration > Security > Miscellaneous.

The Enable SYN Flood, SMURF, SSL Replay Attack Audit checkbox is enabled automatically.
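To confirm from a client host that the inbound settings above took effect, here is an added Python probe (not part of the original document or of the Pulse Secure product): it attempts handshakes against the appliance with TLS 1.0 only, with TLS 1.1 or later, and with only the two removed DHE CBC ciphers offered, then reports deviations from the JITC profile. The host name and port are arguments you supply; the OpenSSL cipher names are the standard equivalents of the IANA names used in the steps.

```python
"""Black-box check, run from a client host, that a PCS/PPS appliance in JITC
mode enforces the Inbound SSL Options above: TLS 1.0 rejected, TLS 1.1 or
later accepted, and the two DHE CBC-SHA ciphers no longer negotiable."""
import socket
import ssl

# OpenSSL names for TLS_DHE_RSA_WITH_AES_128_CBC_SHA / _256_CBC_SHA
REMOVED_CIPHERS = "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA"

def _handshake(host, port, minimum, maximum, ciphers=None):
    """Return True if a handshake under these constraints succeeds."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # probing protocol policy, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = minimum
        ctx.maximum_version = maximum
        if ciphers:
            ctx.set_ciphers(ciphers)
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, ValueError, OSError):
        return False

def probe(host, port=443):
    """Collect the observations the JITC TLS profile is checked against."""
    v = ssl.TLSVersion
    return {
        "tls10_accepted": _handshake(host, port, v.TLSv1, v.TLSv1),
        "tls11_plus_accepted": _handshake(host, port, v.TLSv1_1, v.MAXIMUM_SUPPORTED),
        # cipher strings only govern TLS 1.2 and below, so cap the version
        "dhe_cbc_accepted": _handshake(host, port, v.TLSv1, v.TLSv1_2, REMOVED_CIPHERS),
    }

def evaluate(obs):
    """Map observations to deviations from the JITC profile (empty = compliant)."""
    findings = []
    if obs["tls10_accepted"]:
        findings.append("TLS 1.0 accepted; JITC mode requires TLS 1.1 or later")
    if not obs["tls11_plus_accepted"]:
        findings.append("no TLS 1.1+ handshake succeeded; the appliance should accept it")
    if obs["dhe_cbc_accepted"]:
        findings.append("TLS_DHE_RSA_WITH_AES_*_CBC_SHA still negotiable; remove from Selected Ciphers")
    return findings

if __name__ == "__main__":
    import sys
    for line in evaluate(probe(sys.argv[1])) or ["compliant with the JITC TLS profile"]:
        print(line)
```

If the client's own OpenSSL refuses to offer TLS 1.0 or SHA-1 CBC ciphers (its security level setting), those two probes read as rejected regardless of the appliance, so run the script from a host whose OpenSSL still allows them.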

Password Strengthening

When JITC mode is enabled, PCS/PPS does not allow an administrator to configure a password that is identical to any of the five previously configured passwords. An error message is displayed in this case.

Configuring JITC IPv6 Settings

To enable the IPv6 settings and configure the DSCP value:

1. Navigate to System > Network > Overview and scroll down to the IPv6 settings.

2. Select both check boxes under IPv6 settings.

3. Configure the DSCP value by entering it in the field provided below the check boxes.

4. Click on Save Changes.


IPv6 Settings

Disable ICMPv6 echo response for multicast echo

Used to enable/disable the echo reply to multicast echo requests. If the check box is enabled, multicast echo requests are dropped by the PCS/PPS.

Disable ICMPv6 destination unreachable response

Used to enable/disable the destination unreachable message. If the check box is enabled, the destination unreachable message is dropped by the PCS/PPS.

DSCP Value

Specify a value from 0 to 63 for traffic sourced by the device. When applied, all traffic from the PCS/PPS uses the same DSCP value. The specified value is applied to every IPv6 packet originated by the PCS/PPS towards its destination.

Audit Logs For JITC Mode

JITC Mode Enable Configuration Admin Logs

Navigate to System > Log/Monitoring > Admin Access > Logs and check for the audit log entries listed below.

IPv6 Settings to be Verified in Admin Logs

Detection and Prevention of SMURF Attack IPv4 Event Logs

Detection and Prevention of SMURF Attack IPv6 Event Logs

Detection and Prevention of SYN Flood Attack IPv4 Event Logs

Detection and Prevention of SYN Flood Attack IPv6 Event Logs

Detection and Prevention of SSL Replay Attack IPv4 Event Logs

Detection and Prevention of SSL Replay Attack IPv6 Event Logs

Notification for Unsuccessful Admin Login Attempts

With JITC mode on, PCS/PPS shows a banner with the count of unsuccessful login attempts. This also covers any change in the admin status that has happened since the last successful login.

Clicking the banner directs the administrator to the status page, which provides more details about the status or configuration changes since the last login.

These configuration changes are cleared before the next login, so that the admin sees only the configuration changes that have happened since the last login, if any.

Banner for Unsuccessful Admin Login Attempts

Admin Notification for Unsuccessful Admin Login attempts