FIPS 140-2 and IPv6 Enhancements in Latest Pulse Release

By Elevate posted 12-19-2013 15:14



The funny thing about new features is that different people value different features.


Juniper Networks recently introduced our Pulse Secure Access Service 8.0 and Pulse Access Control Service 5.0 solutions. While this was covered in a press release and in other blogs, these releases and blogs focused primarily on the very cool new MDM integration functionality but did not mention some new functionality I think is very important to our US Government customers. The complete list of new functionality is contained in Product Bulletin Number 800004: Updates for Junos Pulse Access Control Service and Secure Access Service.


I have written in the past how FIPS 140-2 validation is important for encryption.  Federal Government policy requires Government systems that perform encryption to use FIPS 140-2 validated cryptographic modules.


Pulse Desktop 5.0 now uses a FIPS-validated encryption module: the Juniper Networks Pulse Cryptographic Module. This module has FIPS validation certificate #2012. This is the same cryptographic module used in Secure Access 7.4 and later and ACS 4.4 and later.


In the case of the Access Control Service application, the Pulse Desktop client now provides FIPS-compliant EAP-TTLS, EAP-TLS, and EAP-PEAP protocol support. For the first time, the single Pulse desktop client can meet the FIPS needs of our US Government customers and provide both Network Access Control and Layer 3 VPN functionality in the same client.


The Pulse Secure Access and Access Control Service solutions have also expanded cipher-suite support for ephemeral keys. New ephemeral key cipher suites include TLS_DHE_RSA_WITH_AES_128_CBC_SHA and TLS_DHE_RSA_WITH_AES_256_CBC_SHA. These suites provide the perfect forward secrecy benefits of ephemeral keys without requiring Elliptic Curve generated key pairs.


IPv6 support is also important to our Federal Government customers. The Office of Management and Budget has mandated that Federal networks update internal services to native IPv6 support by Sep 30, 2014. The Pulse Secure Access Service solution expands on existing IPv6 functionality, adding IPv6 support for active/passive clusters and support for IPv6-in-IPv6 tunneling. Now Federal Government customers on IPv6-only devices can securely access their IPv6-only networks.