Secure Access for the Next Generation

Pulse Policy Secure


Protect Your Network
Manwin Ang
Regional Tech Manager
Content

• Risk enterprises are facing
• Network security initiatives
• Achieving the objectives with Pulse Secure
• Pulse Secure Scenarios
Today’s risks

• 97% of enterprises suffered a breach
• 134 days before breaches were discovered

With Pulse Secure we reduce breaches by 20% (average $2-3 million)
Source of breaches

• Hacking: 38% (up 8%)
• Employee Negligence: 15% (doubled)
• Accidental Exposure: 13%
• Data on the Move: 7%
• Physical Theft: 10%
• Subcontractors: 9%
• Insider Theft: 10%
Top of your mind

• Enable mobile workforce including BYOD access
• Get visibility into enterprise information
• Balance business security with user productivity
• Protect sensitive data by enforcing compliance
Key Use Cases

BYOD
• Automated Onboarding
• Guest Access Management
• On/Off premise BYOD Enablement
• Single Pulse Client
• Single Sign-on

Role Based Policies
• Strong Authentication
• Strong Authorization
• Advanced RADIUS Server
• Context-aware policies
• Visibility

Security
• Coordinated Threat Control
• Seamless Integration w/ Top Networking Vendors
• High scalability

Compliance Automation
• Endpoint Health Checks
• MDM Integration
• Reporting
Secure BYOD – Increasing Productivity

• IT is productive by centralizing policy control across wired, wireless and remote devices
• Users can be productive from corporate owned or employee owned device
• Increase security by policy following the user, no matter where they travel and what device they choose to use
Self-Service Device Onboarding

• Automated provisioning of device VPN, WiFi, Email, and Certificates
• Self-service steps guide users through onboarding without helpdesk support
• Available for Windows, Macs, iOS, and Android
• Smartphones and tablets can be redirected to MDM for specialized processing
Integrated Guest Management

• Self-service steps guide users through onboarding without helpdesk support
• Quick to deploy with built-in wizards and pre-defined configurations while customizable with corporate branding
• Interoperates with Cisco and Aruba wireless infrastructure
User Experience – Day 1

Diagram: two SSIDs, Open and Secure.
1. Human behavior leads the new device to the open (help) SSID
2. The captive portal presents a link for onboarding
3. SSID is configured and the device is moved to the secure SSID

User Experience – Day 2

Diagram: two SSIDs, Open and Secure.
1. Device auto-joins on Day 2
Comprehensive Access Control

• Enforce context-based policy to access your network
• Users may access only authorized resources
• Unified policy across wired and wireless connections, personal and corporate devices, remote and local access
Easy to Deploy Access Control

1. Secure Access Control
• Unified client for VPN and NAC
• Unified policy and enforcement
• Endpoint compliance

2. BYOD Ready
• Onboarding
• Guest Management
• On-premise & Off-premise

3. Turnkey
• WLAN Integration
• Next-generation Firewall Integration
• MDM/IAM Integration
• SIEM Integration
• Visibility Integration

Diagram: off-premise users (Employees, Contractors, and Partners) and on-premise users (Employees and Guests) on User Endpoints and Unmanaged Endpoints (Phones, Printers, etc.) reach Protected Resources through Switches and WLAN and a Firewall (optional L4-L7); PSA appliances run Pulse Connect Secure and Pulse Policy Secure, which tie into the Pulse Secure Ecosystem (MDM, SIEM, IPS, etc.).
Secure Access to Corporate Network and Cloud Resources

• Set access policy
• Enforce policies before users get fully on the network
• Identify who gets access
• Allow access to authorized resources

Diagram: a corporate device or personal device (Employee/Contractor/Guest?) connects through Switches and WLAN; the Pulse Secure PSA (running Pulse Policy Secure) checks with the Authentication, Authorization, and Accounting Server (Radius or AD) whether the identity is correct, the policy is met and the user is authorized, then allows or disallows access to Protected Resources behind the Firewall (optional L4-L7).
Dynamic Security Enforcement

Diagram: HQ in San Jose, CA and a remote agency site in Barcelona, Spain, each with a Firewall, Pulse Policy Secure and Pulse Connect Secure (SSL VPN) in front of the Corporate Network; User Adam (Role: Finance) gets the same role on the LAN and remotely.
Dynamic Security Enforcement

• Classify endpoints
• Enforce policies based on purpose
• Monitor endpoint behavior
• Detect unauthorized activity – modify access

Diagram: User Endpoints and Unmanaged Endpoints (Phones, Printers, etc.) (Employee/Contractor/Guest?) receive an Initial Access Policy from the Pulse Secure PSA (running Pulse Policy Secure); a Network Sensor (Profiler, SIEM, IPS, etc.) reports Unauthorized Behavior, and access is modified or denied at the Switches and WLAN and the Firewall (optional L4-L7) in front of Protected Resources.
Visibility – Improving Awareness

• Required to understand your environment
• Foundation on which security policies are built
• Simplifies responding to audits
• Enables detection and investigation of exceptions / incidents
Local Visibility
On-Device Dashboard and Reporting

• Consolidated view of appliance and endpoint attributes
• Dashboard with drill down reporting on connected endpoints
• Historic trending for up to 1, 7, or 30 days
Global Visibility
Centralized enterprise-level visibility for monitoring

• Compliance
• Security alerts
• Appliance health
MDM Integration With Other Partners

• Easy enablement of intelligent mobile-aware security policies
• Starting with Pulse Workspace, MobileIron and AirWatch
• Consolidated policy management, alerting and reporting

Diagram: Mobile Devices are enrolled in Device Management by the MDM Partners (Pulse Workspace, MobileIron, AirWatch), which share device attributes with Pulse Policy Secure for Authentication & Authorization.

MDM Integration

Device Classification: Differentiated access based on device type. John on iPad gets different level of access versus John on laptop.
Compliance: Query MDM (at admission and periodically) for device posture. If non-compliant, limit access and/or remediate.
Extended Reporting: Link to MDM from Pulse Policy Secure for advanced device level reporting.
Regulatory Compliance
PPS for most stringent industry/government compliance regulations

• Prevent unauthorized network, application, or data access
• Dynamically assess and remediate device security posture pre- and post-admission
• Protect network against infected devices
• Enforce consistent, context-aware, cross-network access policies
• Apply strong, government-approved encryption
Solution

Pulse Policy Secure
• Unified Pulse client
• Seamless user access
• Flexible access methods
• Common compliance enforcement

Pulse One
• Centralized, scalable management
Mobility-Ready Turn-Key Solution

• Policies enforced on any device entering the network (laptop, smartphone, tablet)
• Integration with MDM vendors extends NAC policy enforcement based on information obtained from MDM.
• Interoperable with existing network infrastructure (switches, wireless controllers, AD, Firewalls, IDS, SIEM) and manages security and compliance
• Role, location, time, compliance, and security information are dynamically analyzed to enforce fine-grained access policies
Deployment Options

Pulse Policy Secure – Flexible Hardware Platform
• Single gateway runs multiple Pulse Secure offerings
• 4 models for companies of all sizes: PSA300, PSA3000, PSA5000, PSA7000
• Low power consumption
• Enterprise licensing – perpetual or subscription

Pulse Policy Secure – Virtual Appliance
• Runs on numerous hardware platforms and configurations
• Enables elastic demand-based scaling
• Supports both VMware and KVM environments
How Pulse Secure Secures – Scenarios
Basic Access Control Enforcement

1. Imagine an employee returning from vacation – “Sales” user logs in from un-patched device
2. Policy Secure instructs switch to quarantine the user/device for automatic patch remediation
3. Remediation successful; full network access granted
4. Policy Secure provisions switch VLAN, ACLs, and QoS for session; Policy Secure enables role-based policy enforcement on firewall
5. User attempts to access “Finance” data, but is blocked

Diagram: Local User – Switch – Pulse Policy Secure – Juniper or PAN Firewall – Corporate Data Center (Data, Finance, Video, Apps), with a Patch Remediation server.
Unmanaged Device Access Control

1. Endpoint Profiler profiles devices, creates MAC address database
2. Unmanaged device connects to network, switch sends MAC-RADIUS query
3. Policy Secure looks up MAC address in Profiler, assigns role-based access
4. Attacker spoofs MAC address, attempts to access network
5. Profiler detects behavior mismatch, signals Policy Secure via IF-MAP event
6. Policy Secure maps endpoint to new role, applies restrictive access control policies

Diagram: Endpoints – Switch (User Auth via 802.1X, MAC Authentication via MAC Auth) – Pulse Policy Secure – AAA Identity Stores and Profiler.
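The policy decisions in the two scenarios above (posture quarantine and role-based ACLs for an 802.1X user; MAC-RADIUS lookup against the profiler database and demotion to a restrictive role when the live fingerprint no longer matches the profiled device) as a toy decision function. This is an added illustrative simulation, not Pulse Policy Secure code or its API; the profiler entries, role and VLAN names, and the ACL placeholders PATCH_SERVER and FINANCE_NET are constructed.

```python
from dataclasses import dataclass, field

# Constructed profiler database (step 1): MAC -> fingerprint seen when the
# device was profiled. Hypothetical values, not a Profiler export format.
PROFILER_DB = {
    "00:11:22:33:44:55": {"type": "printer", "dhcp_vendor": "HP", "ports": {9100, 631}},
    "66:77:88:99:aa:bb": {"type": "voip-phone", "dhcp_vendor": "Cisco", "ports": {5060}},
}

@dataclass
class Endpoint:
    mac: str
    auth: str                  # "802.1x" (user auth) or "mac-auth" (MAC-RADIUS)
    user_role: str = ""        # role returned by AAA for 802.1X users, e.g. "Sales"
    patched: bool = True       # posture result from the endpoint health check
    observed: dict = field(default_factory=dict)  # live fingerprint from the profiler

@dataclass
class Decision:
    role: str
    vlan: str
    acl: list

def profiler_mismatch(mac, observed):
    """Step 5: does the live fingerprint contradict what was profiled for this MAC?"""
    known = PROFILER_DB.get(mac)
    if known is None or not observed:
        return False
    vendor_differs = observed.get("dhcp_vendor") != known["dhcp_vendor"]
    new_services = not observed.get("ports", set()) <= known["ports"]
    return vendor_differs or new_services

def decide(ep):
    """Return the role, VLAN and ACLs the policy server would provision for this session."""
    if ep.auth == "802.1x":
        if not ep.patched:  # basic scenario steps 1-2: quarantine until remediated
            return Decision("quarantine", "vlan-remediation",
                            ["permit tcp any host PATCH_SERVER", "deny ip any any"])
        # steps 4-5: role-based ACL; only the Finance role may reach Finance data
        acl = [] if ep.user_role == "Finance" else ["deny ip any FINANCE_NET"]
        return Decision(ep.user_role, f"vlan-{ep.user_role.lower()}", acl + ["permit ip any any"])
    # MAC-RADIUS (steps 2-3): an unknown MAC, or a profiled MAC whose behaviour
    # no longer matches (step 6), is mapped to the restrictive role
    known = PROFILER_DB.get(ep.mac)
    if known is None or profiler_mismatch(ep.mac, ep.observed):
        return Decision("restricted", "vlan-restricted", ["deny ip any any"])
    return Decision(known["type"], f"vlan-{known['type']}",
                    [f"permit ip any {known['type'].upper().replace('-', '_')}_SERVERS"])
```

Re-running decide() with the profiler's latest observation stands in for the IF-MAP event that triggers re-evaluation in step 5.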
Enterprise-wide Access Control

1. Imagine an employee on the road – “Sales” user logs into Connect Secure from un-patched device
2. “Sales” user’s device is quarantined for automatic patch remediation
3. Remediation successful; full network access granted via Pulse VPN tunnel
4. VPN session data federated to Policy Secure; Policy Secure enables role-based policy enforcement on firewall
5. User attempts to access “Finance” data, but is blocked

Diagram: Mobile User – Internet – Pulse Connect Secure – Federation Server – Pulse Policy Secure – Juniper Firewall – Corporate Data Center (Data, Finance, Video, Apps), with a Patch Remediation server.
Coordinated Threat Control

1. Imagine an infrastructure device accessing network resources: printer, VoIP phone, etc.
2. Once connected, device attempts unauthorized access to protected resources
3. Network sensor (scanner, IPS, SIEM) detects unauthorized behavior
4. Sensor signals behavior change to Policy Secure via IF-MAP
5. Policy Secure correlates the anomalous behavior and network threat to the specific device
6. Policy Secure pushes appropriate policy to enforcement points, which take necessary actions against the device

Diagram: Pulse Policy Secure with Federation Server and Profiler; PPS Enforcement Points (802.1X Switches/APs, Firewalls) in front of Application Servers.
Mobile Deployment Choices

• Supports Native 802.1X client built-in to Laptops, Tablets, and Smartphones
• Advanced features supported via Pulse Client for Windows and Mac OS X
• Cross-platform (desktop & mobile) clientless deployment option with browser-based Captive Portal
Differentiators

Built on Proven, Open Technology: Multi-vendor solution secures access via any 802.1X-enabled switch or access point.
Flexible Context-aware Security: Allows context-aware policy enforcement for wired & wireless connections, at admission and in network, across desktop & mobile platforms.
End-to-end NAC/BYOD solution: One-stop NAC & BYOD solution, mobility-ready and easy to deploy.
Customer Value

• Automated provisioning of device VPN, WiFi, Email, and Certificates
• Self-service guides users through onboarding
• Interoperates with existing wireless infrastructure
• Quick to deploy with built-in wizards and pre-defined configurations

Diagram: Pulse Secure Access product family – Pulse Connect Secure, Pulse Policy Secure, Pulse Workspace, Pulse One.

Questions?
Secure Access For the Next Generation
Managing Mobility With Pulse Secure

Diagram: Pulse One (Policy Services) manages Pulse Connect Secure, which fronts the Datacenter Email Server and the Datacenter Applications Server; pillars: Containerization, Connectivity, Compliance.