Configuring Miscellaneous Security Options
You can use the System > Configuration > Security > Miscellaneous page to configure the following security options:
- Persistent cookie options—Choose whether to preserve or delete persistent cookies when a session is terminated.
- Lockout options—You can configure lockout options to protect the system from denial of service (DoS), distributed denial of service (DDoS), and password-guessing attacks.
- Last login—You can choose whether to show users the time and IP address their user ID was used to sign in.
-
X-Frame-Options protection —You can choose to defend against click-jacking attacks by adding X-Frame-Option header to all the IVE generated pages. If this is not enabled then only welcome.cgi will have this header.
- Slow Post Attack Defence —You can configure to protect against slow-post DOS attacks from non-authenticated users.
To configure cookie and lockout options:
- Select System > Configuration > Security > Miscellaneous to display the configuration page.
Figure 146 shows the configuration page.
- Complete the configuration as described in Table 118.
- Save the configuration.
Figure 146: Miscellaneous Security Options Configuration Page
Table 118: Miscellaneous Security Options Configuration Guidelines
|
Settings |
Guidelines |
|---|---|
|
Delete all cookies at session termination |
|
|
Delete / Preserve |
For convenience, the system sets persistent cookies on the user’s machine to support functions such as multiple sign-in, last associated realm, and the last sign-in URL. For additional security or privacy, you can choose not to set them. |
|
Include Pulse Connect Secure’s session cookie in URL |
|
|
Include / Not Include |
Mozilla 1.6 and Safari may not pass cookies to the Java Virtual Machine, preventing users from running JSAM and Java applets. To support these browsers, the system can include the user session cookie in the URL that launches JSAM or a Java applet. By default, this option is enabled, but if you have concerns about exposing the cookie in the URL, you can disable this feature. |
|
Lockout options |
|
|
Rate |
Specify the number of failed sign-in attempts to allow per minute. |
|
Attempts |
Specify the maximum number of failed sign-in attempts to allow before triggering the initial lockout. The system determines the maximum initial period of time (in minutes) to allow the failed sign-in attempts to occur by dividing the specified number of attempts by the rate. For example, 180 attempts divided by a rate of 3 results in a initial period of 60 minutes. If 180 or more failed sign-in attempts occur within 60 minutes or less, the system locks out the IP address being used for the failed sign-in attempt. |
|
Lockout period |
Specify the length of time (in minutes) the system must lock out the IP address. |
|
Last Login options |
|
|
Time / IP Address |
Display the day and time and IP address the user last logged in to the system. For users, this information appears on their bookmark page. For administrators, this information appears on the System Status Overview page. These settings do not apply to the custom start page option on Role UI Options page. |
|
X-Frame-Options protection |
|
| Enable X-Frame-Options protection | By default the Enable X-Frame-Options is checked. If the admin does not want to have this protection, they can uncheck this option. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. |
| Slow Post Attack Defence | |
| Timeout | By default the POST body is received within 10 seconds. If the browser is unable to send the POST body with in 10 seconds the connection is eventually dropped. (Configurable from 3 - 60Sec) |
| Maximum Request Size | By default now a connections is directly rejected if it tries to POST more than 4KB in POST body (Configurable from 256 Bytes to 24 KB). |
The following scenario illustrates how lockout settings work. For example, assume the following settings:
- Rate = 3 failed sign-in attempts per minute
- Attempts = 180 maximum allowed in initial period of 60 minutes (180/3)
- Lockout period = 2 minutes
The following sequence illustrates the effect of these settings:
- During a period of 3 minutes, 180 failed sign-in attempts occur from the same IP address. Because the specified value for Attempts occurs in less than the allowed initial period of 60 minutes (180/3), the system locks out the IP address for 2 minutes (fourth and fifth minutes).
- In the sixth minute, the system removes the lock on the IP address and begins maintaining the rate of 3 failed sign-in attempts/minute. In the sixth and seventh minutes, the number of failed sign-in attempts is 2 per minute, so the system does not lock the IP address. However, when the number of failed sign-in attempts increases to 5 in the eighth minute, which is a total of 9 failed sign-in attempts within 3 minutes, the system locks out the IP address for 2 minutes again (ninth and tenth minutes).
- In the eleventh minute, the system removes the lock on the IP address and begins maintaining the rate of 3 failed sign-in attempts per minute again. When the rate remains below an average of 3 per minute for 60 minutes, the system returns to its initial monitoring state.
Related Topics
PDF DOWNLOADS
