
Configuring Miscellaneous Security Options

You can use the System > Configuration > Security > Miscellaneous page to configure the security options described in Table 118.

To configure cookie and lockout options:

  1. Select System > Configuration > Security > Miscellaneous to display the configuration page. Figure 146 shows the configuration page.
  2. Complete the configuration as described in Table 118.
  3. Save the configuration.

    Figure 146: Miscellaneous Security Options Configuration Page

Table 118: Miscellaneous Security Options Configuration Guidelines

Delete all cookies at session termination (Delete / Preserve)

    For convenience, the system sets persistent cookies on the user’s machine to support functions such as multiple sign-in, last associated realm, and the last sign-in URL. For additional security or privacy, you can choose not to set them.

Include Pulse Connect Secure’s session cookie in URL (Include / Not Include)

    Mozilla 1.6 and Safari may not pass cookies to the Java Virtual Machine, preventing users from running JSAM and Java applets. To support these browsers, the system can include the user session cookie in the URL that launches JSAM or a Java applet. By default, this option is enabled, but if you have concerns about exposing the cookie in the URL, you can disable this feature.

Lockout options

  Rate

    Specify the number of failed sign-in attempts to allow per minute.

  Attempts

    Specify the maximum number of failed sign-in attempts to allow before triggering the initial lockout. The system determines the maximum initial period of time (in minutes) in which the failed sign-in attempts may occur by dividing the specified number of attempts by the rate. For example, 180 attempts divided by a rate of 3 results in an initial period of 60 minutes. If 180 or more failed sign-in attempts occur within 60 minutes or less, the system locks out the IP address being used for the failed sign-in attempts.

  Lockout period

    Specify the length of time (in minutes) for which the system locks out the IP address.

Last Login options

  Time / IP Address

    Display the day, time, and IP address of the user's last login to the system. For users, this information appears on their bookmark page. For administrators, this information appears on the System Status Overview page. These settings do not apply to the custom start page option on the Role UI Options page.

X-Frame-Options protection

  Enable X-Frame-Options protection

    By default, Enable X-Frame-Options is checked. If the administrator does not want this protection, they can uncheck this option. The X-Frame-Options HTTP response header indicates whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>.

Slow Post Attack Defence

  Timeout

    By default, the POST body must be received within 10 seconds. If the browser is unable to send the POST body within 10 seconds, the connection is eventually dropped. (Configurable from 3 to 60 seconds.)

  Maximum Request Size

    By default, a connection is rejected immediately if it tries to send more than 4 KB in the POST body. (Configurable from 256 bytes to 24 KB.)

The following scenario illustrates how the lockout settings work. Assume a Rate of 3 failed sign-in attempts per minute, an Attempts value of 180, and a Lockout period of 2 minutes.

The following sequence illustrates the effect of these settings:

  1. During a period of 3 minutes, 180 failed sign-in attempts occur from the same IP address. Because the specified number of Attempts (180) is reached in less than the allowed initial period of 60 minutes (180/3), the system locks out the IP address for 2 minutes (fourth and fifth minutes).
  2. In the sixth minute, the system removes the lock on the IP address and begins maintaining the rate of 3 failed sign-in attempts/minute. In the sixth and seventh minutes, the number of failed sign-in attempts is 2 per minute, so the system does not lock the IP address. However, when the number of failed sign-in attempts increases to 5 in the eighth minute, which is a total of 9 failed sign-in attempts within 3 minutes, the system locks out the IP address for 2 minutes again (ninth and tenth minutes).
  3. In the eleventh minute, the system removes the lock on the IP address and begins maintaining the rate of 3 failed sign-in attempts per minute again. When the rate remains below an average of 3 per minute for 60 minutes, the system returns to its initial monitoring state.
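To make the interaction of Rate, Attempts and Lockout period concrete, the following is an added Python model of the behaviour this scenario describes; it is not Pulse Connect Secure's code. It assumes whole-minute buckets, that after a lock is released the average failure rate since release is compared against Rate, and that 60 minutes under the rate returns the IP to the initial state, all read from the sequence above.

```python
from collections import deque
from dataclasses import dataclass

INITIAL, MONITORING, LOCKED = "initial", "monitoring", "locked"
RESET_MINUTES = 60  # assumed: minutes under the rate before returning to the initial state

@dataclass
class LockoutModel:
    rate: int            # Rate: allowed failed sign-ins per minute
    attempts: int        # Attempts: failures that trigger the initial lockout
    lockout_period: int  # Lockout period: minutes the IP stays locked
    state: str = INITIAL
    window_failures: int = 0  # failures since the last lock was released
    window_minutes: int = 0   # minutes since the last lock was released
    locked_until: int = 0     # first minute at which the lock is released

    def __post_init__(self):
        # The initial window is Attempts / Rate minutes long (180 / 3 = 60 in the guide).
        self.history = deque(maxlen=self.attempts // self.rate)  # per-minute failure counts

    def step(self, minute: int, failures: int) -> str:
        """Feed one minute's failed sign-ins; return "ok", "lock" or "locked"."""
        if self.state == LOCKED:
            if minute < self.locked_until:
                return "locked"
            self._enter(MONITORING)  # lock released: enforce the rate from now on
        if self.state == INITIAL:
            self.history.append(failures)
            if sum(self.history) >= self.attempts:  # Attempts failures inside the window
                return self._lock(minute)
        else:
            self.window_failures += failures
            self.window_minutes += 1
            # An average at or above Rate per minute since release locks the IP again.
            if self.window_failures >= self.rate * self.window_minutes:
                return self._lock(minute)
            if self.window_minutes >= RESET_MINUTES:
                self._enter(INITIAL)  # an hour under the rate: back to the initial state
        return "ok"

    def _enter(self, state: str) -> None:
        self.state, self.window_failures, self.window_minutes = state, 0, 0
        self.history.clear()

    def _lock(self, minute: int) -> str:
        self.state, self.locked_until = LOCKED, minute + 1 + self.lockout_period
        return "lock"

def simulate(rate, attempts, lockout_period, failures_per_minute):
    """Outcome for each minute (minute 1 first) given constructed failed sign-in counts."""
    model = LockoutModel(rate, attempts, lockout_period)
    return [model.step(m, n) for m, n in enumerate(failures_per_minute, start=1)]
```

Running `simulate(3, 180, 2, [60, 60, 60, 0, 0, 2, 2, 5, 0, 0, 0])` reproduces the sequence above: a lock in minute 3, minutes 4 and 5 locked, a second lock in minute 8, and minutes 9 and 10 locked.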
