Securing DOD Web Applications with a Scalable Web

WHITE PAPER

Securing DOD Web Applications with a Scalable Web Application Firewall Architecture Introduction In the Department of Defense (DOD) dramatic growth of web applications, and the move to cloud technologies, has been accompanied by the rise of new security threats. Advanced persistent threats (APT) and insider threats are the two most acute security threats. These threats not only cause significant damage to national security, but also impact organizational momentum and have enormous cleanup costs. For example, the widely-publicized US Navy Iran APT incident impacted operations for over four months following a SQL injection attack, and required around $10m to clean up.1

When we consider the massive scale Software-based distributed web Flexible Deployment and breadth of DOD web applications, application firewalls are a game Pulse Secure Virtual supports the dealing with the web application- changing approach that arms DOD full range of deployment options layer attack surface in an efficient, with the means to get ahead of enabling you to choose the best fit effective, and scalable manner is these new, rapidly evolving risks. for your architecture and application daunting. There is growing recognition risk profile. Pulse Secure vWAF can be within the DOD that better data and Securing DoD Web deployed physically on the web server, application security is required to Applications physically as a network appliance adequately manage these new risks. Securing today’s complex mission- or virtually as a virtual appliance DOD IT organizations also need to critical applications requires a in a customer data center or cloud adapt to new challenges, such as: combination of both network and provider—or even as an integrated ··Security of distributed host-based tools. Pulse Secure® Virtual package with Pulse Secure Virtual applications across the DOD Web App Firewall (Pulse Secure vWAF) Traffic Manager for enhanced security Information Network (DODIN) has a distributed, three tier, massively and control of complex applications. scalable security capability, which can Integration with cloud technologies Policy Version History ·· be deployed across the full range of and Change Control Extreme scale hosting environments (physical, virtual ·· Pulse Secure vWAF stores policies and cloud). In addition, Pulse Secure ··Centralized control with and change history in an integrated offers virtual and cloud optimized delegated administration version control system, allowing roll- licensing options that allow you to Custom security policies for multiple back to previous rulesets with just ·· manage costs based on the volume of applications with differing risk profiles one click, making it easy to revert to data protected (gigabits per second) known policy sets if a new ruleset Variance in contractor rather than traditional per-instance ·· interferes with an application. secure coding practices or per-appliance licensing models. In high-security environments where Rapidly changing threats Dual Active Protect/ ·· server certificate sharing exposes and application attacks Detect Policies an unacceptable risk, Pulse Secure Continuous improvement and Interworking with existing security ·· vWAF can be installed as a plug-in on iteration of policies is made easy by architectures and policies popular web server platforms, giving running two active parallel rulesets: With program offices under pressure massive scalability for distributed one ruleset runs in Protect mode to meet deadlines, operate on applications. Designed for massive for blocking malicious traffic and tighter budgets and deal with lowest scalability, security policies can be protecting your application; the priced technically acceptable (LPTA) managed centrally, while enforcement other ruleset runs in Detect mode acquisition policy the risk of application is distributed across your applications. for evaluating new policies. security vulnerabilities is very high.

1 http://online.wsj.com/news/articles/SB10001424052702304732804579423611224344876

2 No Need to Store Copies of SSL Keys You can choose whether Pulse Secure vWAF manages your SSL termination: in a distributed architecture, it will not store copies of your SSL keys, and needs no changes to your PKI architecture, avoiding a potential target for man-in-the-middle attacks.

Pure Software Form Factor Pulse Secure vWAF gives you the choice of either a virtual appliance or a pure software form factor. With true portability across clouds, and flexible integration with orchestration Figure 1: Defense in Depth: Pulse Secure Virtual Web Application Firewall provides platforms, you can run on Windows multiple layers of protection. and Linux systems, secure clouds, or traditional data centers. Unmatched Scale and applications; they need to determine Powerful Scripting Engine Performance whether custom integration projects The Python-based scripting engine Pulse Secure vWAF provides Layer might also compromise security allows your security professionals to 7 application security at massive of their own or other applications. change and secure every part of an scale and resilience for the largest Identifying and solving a security application’s HTTP request/response applications, by allowing your security loophole can take significant time flow. Complex flaws in applications like infrastructure to scale up and cluster and resources in order to bring broken authentication models can be out. And because the software can run a patch or solution to market. fixed inside Pulse Secure vWAF, without on commodity compute servers and While some application vulnerabilities needing to change the application itself. cloud platforms, you are not restricted can be solved quickly with a patch to a fixed appliance form factor. in a third-party component or OS Comprehensive User/ Rights Management module, it is not unusual for logic Application Security—a flaws or data leaks to take months Users and Groups can be assigned Critical Component to to solve in production systems— access rights to view or modify specific leaving doors open for hackers to elements of the security configuration, Risk Management enter through. Some off-the-shelf so that policies can be restricted to Every year, thousands of new applications can go unpatched for closely-defined security groups. vulnerabilities are reported in web applications, and it is clear that it is a year or more, depending on the Start Small, But Scale becoming a major challenge to keep priorities of the application vendors, to Meet Demand pace with the growing threat. With so and the perception of risk. Pulse Secure vWAF can be scaled many new vulnerabilities reported each Pulse Secure Virtual Web Application to meet transactions demands year, many organizations find it difficult Firewall is a massively scalable with a simple license key upgrade. to secure, maintain and enhance solution for application-level security, Start small today, without over- applications due to the complexities both for off-the-shelf solutions, provisioning, and then incrementally of security analysis and testing. and complex custom applications add more processing power and Applications vendors themselves have including third-party frameworks. license keys as demand grows for a similar problem: not only do they Pulse Secure vWAF can apply business transactions and throughput. need to remain alert to identify new rules to HTTP(S) traffic, inspecting vulnerabilities supported in their own and blocking attacks such as SQL injection and Cross-Site scripting,

3 while filtering outgoing traffic to mask benefits of interoperability and shorter Microsoft Azure, Autonomic Resources, personal identifiable information development time, but patching as well as private DOD clouds such like social security numbers, and to solve security vulnerabilities as DISA’s MilCloud. There are many help maintain compliance with risk becomes more complex. A flaw in security challenges involved in management frameworks such as one component of code must be developing web applications in a cloud, NIST SP 800-53 rev 4, FedRAMP, DISA patched for each instance it is used such as parameter validation, session Security Technical Implementation throughout each application in which it management, and access control, Guides (STIG) and PCI-DSS. is used. In Platform-as-a-Service (PaaS) which are key “hotspots” for attackers. scenarios, with dynamic infrastructure Developers without experience of Cloud Applications are and application frameworks, this can application security are more likely Exposed to a Wider become very difficult to manage or may to create/develop applications Range of Threats be out of the client’s direct control. that have security problems. Accessing cloud technologies Applications developed specifically Mitigating web application-level attacks requires a thin-client, typically a for a cloud are often very complex, requires a WAF. Given the complexity web browser, and security budgets designed for access speed, scalability of today’s applications, these WAFs are have previously focused on network and flexibility for third-party often aligned to specific applications firewalls and antivirus solutions. development through an open API. and configured to mitigate the specific However, more recently the primary For example, Salesforce.com, Google threats to these applications. In large target for attacks has shifted from the Docs, Twitter, and Digital Common scale data centers or cloud hosting network layer to the application layer, Ground Systems (DCGS) are good services, there will be hundreds of because the operating systems and examples of APIs exposed to allow applications, each potentially with a service interfaces available to cloud access from custom applications. dedicated WAF. The costs and time to applications have been hardened These ‘as a Service’ applications are procure and manage large numbers to expose a reduced profile. As a developed in two ways today: (1) of physical appliance-based WAFs or result, it is now much easier to target by moving on-premise applications WAFs licensed per virtual appliance the application logic or application to a cloud (whether private, public can become a significant portion of framework than the actual server or tactical), and (2) by developing an applications budget. Virtual can be behind the hardened network and operating applications in licensed based on the volume of traffic perimeter. Most DOD applications are an elastic dynamic cloud. it is protecting, allowing for any number of virtual WAF appliances or on-host created in-house or by a contractor, Applications that migrate out of WAF implementations as needed but application security is rarely a the DODIN and into a public cloud without generating additional costs. core developer skill, which leads infrastructure carry the risks of to a range of security problems exposing protected software to Pulse Secure vWAF provides you the throughout the application lifecycle. external threats that they were not most cost-effective solution to arm Furthermore, wider adoption of cloud designed to combat. Common security your application with exceptional computing means that attack vectors threats include SQL injection attacks, application-layer protection methods continue to increase, as applications cross-site scripting, and cross-site that can keep up with an APT’s leverage external hosting and request forgery. These often have attack velocity, and naturally scale delivering infrastructure, platform and to be open to the general public and with elasticity in your cloud. software. It is increasingly common for are a key entry point for an APT. web applications to be built on open- There are a variety of FedRAMP source components or prebuilt web approved public cloud frameworks, frameworks. This approach has clear such as Amazon Web Services,

4 OWASP Top Ten— Why a Traditional Web hardware. Each of these cloud operator Managing Risks in Application Firewall clients adds a unique layer of policy Is Not Enough settings, use-cases and administrative Web Applications Previously, web application firewalls enforcement requirements. For the OWASP, the Open Web Application (WAF) and other security solutions cloud or DOD datacenter, security Security Project, is the leading open were limited to hardware appliances quickly becomes very complex. The source community group in web or virtual machines, which created average provider may have hundreds application security, and regularly a serious bottleneck for cloud or thousands of clients relying on publishes an annual “Top Ten” report environments and massively scalable its service, each with varied policy showing the most common security DOD core datacenters. These legacy settings for individual groups within challenges to web applications, WAFs were often aligned to specific the client. The service provider now has ranging from business policy to applications due to concerns about to manage application filter settings application vulnerabilities. the risks associated with delegated for each and every client application. For example, in their report of July administration within a single WAF When you consider robust end-to- 2013, OWASP noted that “Injection appliance. As a result, cloud service end encryption and authentication Flaws” had risen to the highest risk: providers or DOD datacenters were policies in DOD successfully injecting because of the risk of high-value data often forced to have racks full of a web application firewall appliance leakage, this kind of vulnerability dedicated WAF appliances—one as a man-in-the-middle to inspect can give rapid access to sensitive per client or application—that traffic is difficult to impossible. enterprise information, hence the take up unnecessary space and In an ideal world, applications would be need for a solution which is able resources. The high costs associated designed from the ground up to meet to validate inputs against business with these dedicated WAF services the challenges of virtual and cloud policies, and screen outgoing data often become a barrier to the architectures. However, it is critically for suspected data leakage, in a way efficiency of a fully virtualized cloud important to implement affordable, which is independent of the underlying environments driving higher hosting scalable solutions to mitigate impacts application architecture. In the US costs and decreased usage. of application based attacks. Pulse Navy’s Iran incident, a SQL injection In a cloud, the infrastructure and Secure vWAF is the industry leader in was the specific method initially used the services are shared between delivering to these complex, virtual and to compromise the environment, clients, meaning many organizations cloud based hosting environments. an attack vector easily addressed or even individuals use one set of by a web application firewall.

All of these risks can compromise data A2. Broken A3. Cross Site Scripting A4. Insecure Direct A1. Injection Flaws Authentication and and application security, but each Session Management (XSS) Object Reference year new tools and techniques are used by would-be attackers to identify new gaps and loopholes that could A5. Security A6. Sensitive Data A7. Missing Function A8. Cross Site Misconﬁguration Exposure Level Access Control Request Forgery be exploited, so a solution needs to (CSRF) be agile enough to adapt to changing risk priorities, as well as robust enough to handle large-scale attacks A9. Using Components A10. Unvalidated with Known Redirects And on high-throughput web applications Vulnerabilities Forwards processing millions of concurrent transactions across many locations with tens of thousands of servers. Figure 2: OWASP.org “Top Ten” Report 2013 shows how attack vectors change over time. .

5 Defining the Distributed as a virtual software appliance, a Detection and Protection Web Application Firewall plug-in, SaaS or be able to integrate Foundation security using black, with existing bare-metal hardware. white and grey listings for application (dWAF) for Cloud Security Flexibility with minimal integration requests and responses must be A solution for web application with the existing environment is possible. To make sure pre-set policy security in DOD has to be massively essential for broad adoption and enforcements are not activated or scalable, flexible, adaptable low total cost of ownership. deactivated without approval from and efficient to manage: an administrator, deployment and Distributed and Delegated policy refinement through establishing Massive Scalability Management rulesets must be possible in a shadow A distributed WAF (dWAF) must be A web-based user interface must allow monitoring or detection-only mode. able to dynamically scale across CPU, DOD users to easily administrate their Once the shadow monitoring ruleset is computer, server rack and location applications. Configuration should stable, only then should it be allowed boundaries, customized to the be based on the applications under to deploy in an enforcement mode demands of individual customers, protection, not defined by a singular on the dWAF. This allows complete without being limited to discrete host, allowing far more granular transparency for the administrator hardware form factors. Resource settings for each application. Ruleset into the real-world effect of this consumption of this dWAF must configuration must be simple, and ruleset, while at the same time be minimal, and scale in line with supported by setup wizards and DISA allowing layered rulesets to be tested detection / prevention throughput STIG compliant templates so best without compromising existing policy rather than consuming increasingly practices, as well as compliance, are enforcement. Avoiding false positives high levels of dedicated CPU inherited immediately. Statistics, and validation of changes in rulesets resources. Clouds come in all sizes logging, and reporting must to be are essential for a real-world, usable and shapes, and the WAF needs to intuitive, easy-to-use and must dWAF in a hybrid cloud environment. be flexible as well. Scale from mini integrate seamlessly into other tactical footprints forward deployed systems. Most importantly for a dWAF, Automated learning and ruleset to massive public clouds is critical. robust multi-administrator privileges suggestions based on intelligent must be available and flexible enough algorithms or recommendations from Cross Platform Portability to effectively manage diverse policy a static source code analyzer or web The dWAF must be able to live in a enforcement schemes required by vulnerability scanner are also desirable wide variety of components to be global organizations. DOD must deliver from a manageability view. Again, this effective, without adding undue a set of core protection templates, only holds true if the administrator complexity for DOD. Today’s cloud with the ability to delegate policy for retains full control over activation/ service providers, DOD datacenters individual clients and applications to deactivation of each ruleset. Without and tactical sites use a variety of operate and refine. This approach this level of control, legitimate traffic traditional and virtual technologies leverages the velocity of a DEVOPS may become blocked and policy to operate their web applications, so culture while ensuring central settings would become compromised, the ideal dWAF should accommodate policy visibility and collaboration. which in turn will negatively impact the a mixed environment and be available adoption of a web application firewall.

6 Application Shielding a WAF appliance as a man-in-the- ensure even early prototypes are Proactive security functions are middle is even more difficult. Where extremely secure, easily meet DISA highly recommended to reinforce as a software-based dWAF plugin can Application Security STIG requirements any application in a cloud. Detection natively running in the web server, and are central administered and is simply not enough for today’s after the encryption and authentication monitored at the enterprise-level. web application security. Features have already taken place, provides like transparent secure session an easy to deploy alternative. Integration with Existing Technology management, URL encryption and This software-based dWAF plugin Avoiding vendor-lock-in is a best- form-field virtualization provide requires no changes to encryption practice for both networking and strong deterrence to attack, while or authentication, no private key application security. Any technology saving application development and sharing, no man-in-the-middle, no that is added to an infrastructure, deployment time. These features are manpower to rack-and-stack hardware platform or application itself must effective because session management, and low cost automation-based connect as seamlessly as possible URL encryption and form-field deployments make WAF adoption in with existing technology and DOD virtualization are done at the dWAF DOD faster, lower risk, more secure, processes. Security technologies level and not in the application itself. lower cost and centrally administered with delegated local control. must be layered to create the best Integration with End-to-End possible protection, so a dWAF must Encryption and Authentication A Cost-saving GOTS-like tightly integrate with security incident DOD Public Key Infrastructure (PKI) Security Alternative event management systems (SIEMs), policies and new JIE standards are Application contracts often include ICAP-compliant malware detection rapidly moving towards private complex and costly application security systems, threat databases, automated key storage in hardware security development requirements. A high mitigation systems and have APIs for modules, coupled with end-to-end degree of variation in quality results custom integration efforts. It must also authentication and authorization using from thousands of different developers be open and extensible so it may be mutually authenticated TLS v1.2 with interpreting and implementing modified as the DOD mission requires. Message Authentication Codes (MAC). the requirements differently. Not This prevents the private key from to mention the additional develop being shared with a WAF appliance, effort and costs that add no real as well as preventing a man-in-the- value to ultimate mission. If the DOD middle from decrypting the traffic. This furnished the dWAF plug-in to the prevents a traditional WAF appliance developer to integrate as the front-end from being able to decrypt the HTTPS application security asset significant traffic, keeping it from being able to costs savings would be captured, conduct its primary role. As DOD layers along with a repeatable high-quality in content-based and attribute-based security capability with no variation authorization via Security Assertion between applications. This would Markup Language (SAML) injecting allow application security teams to

7 Pulse Secure WAF 1. Enforcer—Policy part of the solution, and the workload Solutions Enforcement Point on the Decider depends on the load The Enforcer is a small plug-in, which of the web infrastructure behind it. Pulse Secure Virtual Web Application can be installed into any kind of device. The more traffic generated by the Firewall is a pure software web A device can be a web server or proxy end users, the more CPU resources application firewall designed to support (Apache, MS IIS, etc), a network firewall are used in the Decider. In small these best practices. Due to its modular (like MS ISA) or integrated into a environments the Enforcer and Decider construction, it can be deployed software load balancer or ADC (such as may be deployed on the same host. very easily in a cloud-computing Pulse Secure Virtual Traffic Manager). environment, making it a scalable The Enforcer sends request and 3. Administration Interface— solution for application-level security. response data to a component called Policy Management Service Pulse Secure vWAF can apply business The administration system can the Decider and also modifies requests rules to HTTP(S) traffic, inspecting and be deployed decentralized or as a and responses if needed. The Enforcer blocking attacks such as SQL injection single server. In a cluster installation is an adapter for the dWAF to get the and Cross-Site scripting, while filtering every cluster node can be used to data it needs to enforce the policy. outgoing traffic to mask sensitive data, administrate applications and their and help meet compliance mandates 2. Decider—Policy policies. This decentralized architecture for NIST RMF, DISA STIG, PCI-DSS Decision Point is very robust against node failures, and HIPAA. The product consists The policy engine checks the data from and allows a large group of web of three scalable components: the Enforcer module and decides what application security administrators across many sites to work on individual 1. Enforcer to do with the request/response. The Decider’s unique architecture allows it application policies. In addition, it 2. Decider to scale from one to many CPU cores provides verbose central monitoring 3. Administration Interface and is also capable of running on and alerting functions. Its open nature multiple machines to scale horizontally. allows for it to be easily integrated These three elements can be The Decider is the compute-intensive with other security solutions. configured either as a pre-packaged WAF solution, such as an add-on module for Pulse Secure Virtual Traffic Manager to manage a cluster of applications, or as a fully distributed solution using plugins across hundreds of web servers and many sites for maximum scalability and performance. The same distributed management interface can be used to protect both types of deployment, or even in a shared services environment.

Figure 3: Pulse Secure vWAF consists of three scalable components.

8 Pulse Secure Virtual Traffic Manager

Figure 4: Pulse Secure vWAF as an add-on to Pulse Secure Virtual Traffic Manager.

Stand-alone Platform as a Service (PaaS) provides be provisioned, started and added Implementation organizations with virtual databases, to the Decider cluster. If the cluster- storage and programming models wide CPU usage of the Decider In stand-alone environments, Pulse to build custom applications. AWS, service drops below 40 percent, the Secure vWAF software is licensed as Microsoft Azure and DISA MilCloud Decider instances will automatically an add-on for Virtual Traffic Manager, are examples of PaaS environments be removed from the cluster to and can be deployed either on a server available to DOD. This type of service release resources back to the cloud. appliance, or on a VM in virtual or provides scalable resources behind This ensures a DOD application, or cloud infrastructure. Enforcers and the platform and allows customers to cloud, has a truly elastic application Deciders are co-resident inside the grow throughout the lifetime of the security architecture with unlimited Traffic Manager package, administered application. It is an effective solution scale, zero-touch elasticity, and zero as a single platform. The Admin GUI for organizations of all sizes, and physical footprint. If an enemy attacks is accessed via the standard Pulse is often billed on a usage model. Secure Virtual Traffic Manager console. with a massive Distributed Denial of In a shared cloud (PaaS and SaaS) Service (DDoS) attack the dWAF will PaaS and SaaS environment, many Enforcer plug-ins scale elastically with the web server Implementation deployed in software load balancers infrastructure, requiring no physical or natively in web servers could intervention to achieve the scale Software as a Service (SaaS) offers communicate with an elastic Decider benefits. This unique deployment user access to virtualized applications cluster. If the first virtual machine architecture supports the JIE tenants through a thin-client, usually any of this Decider service reaches 80 of efficient, effective and secure—at standard web browser. The benefit percent of the available CPU resources, lower total costs to legacy physical or for users is access to software without a new virtual machine on a different virtual Application Firewall appliances. any of the headaches of owning the instance of a cloud will automatically programs—scaling and resources, and patching and upgrades are all taken care of. SaaS applications are usually billed on a per-user/per-use basis.

9 Figure 5: Pulse Secure vWAF in a distributed deployment for a single application.

IaaS Implementation Pulse Secure vWAF can be deployed similarly on an IaaS in a cloud. Each Infrastructure as a service (IaaS) organization can have a private allows access to large-scale resources instance of all three modules, which are to build and manage a complete not shared between organizations, or virtual network. Organizations can even applications if desired. As before, commission and decommission virtual many instances can be clustered resources depending on their need, together to scale up to meet DOD-scale as application workloads change over traffic demands. Cloud providers can time. Customers select from a range also provide automatic scaling within of infrastructure components and the cloud infrastructure to follow the service level agreements to match lifecycle of individual applications. their application requirements, matching their infrastructure usage costs to their service requirements.

10 Very Large Scale 1. Global Load Balancing: In this automatic spin up and spin Applications example, Traffic Manager software down of web servers as required serves incoming DNS requests to service your application For the very largest applications using Global Load Balancing, effectively using Traffic Manager’s deployed in public clouds, a distributed and routes network traffic to Auto-scaling capability. application firewall needs to scale the closest cloud data center. dynamically to the very highest traffic 5. Application Firewall—Decider: levels, and adapt to meet the changing 2. HTTP Distribution: Traffic Manager A scalable group of Pulse Secure transaction demands of public-facing handles incoming HTTP requests, vWAF Deciders processes the applications. For example, Pulse which are distributed across HTTP requests and responses Secure vWAF can be deployed in a multiple web servers in different to ensure compliance with distributed cloud architecture from availability zones. In addition to security policy. Pulse Secure a FedRAMP cloud service provider. fine-grained health checks in the vWAF provides a hybrid security Since Pulse Secure vWAF is pure application layer, Pulse Secure policy model combining traffic software it clearly ports into any software can provide SSL Offload, signatures and positive security FedRAMP certified cloud service Compression, Caching, and postures to prevent HTTP provider, or multiple hybrid clouds, Layer 7 based request routing. based security attacks. with no re-tooling. Providing DOD 3. Application Firewall—Enforcer: 6. Load-Balancing and Health- true cloud portability, freeing them In this example, the Pulse Secure Checks: Traffic Manager provides from provider lock-in and enabling vWAF Enforcers are installed as a granular application health seemly multi-cloud burstability plug-in on the web servers. The checking and layer 7 load balancing without application-layer security Enforcer traps HTTP requests and into the application tier. compromises. Cloud-portability isn’t response data and sends it to 7. Cross-Zone Availability: Traffic available with physical or traditional the cluster of Pulse Secure vWAF Manager works seamlessly WAF appliance approaches. Deciders for security processing. across multiple Availability The components of a highly 4. Auto-scaling of Web Servers: Zones, multiple regions or across scalable web application firewall Traffic Manager manages the multiple clouds, for the ultimate in cloud high availability.

11 Discover Pulse Secure vADC with a Free Trial It’s easy to test all of the capabilities available in the Pulse Secure vADC product family. Download the Pulse Secure Virtual Traffic Manager Developer Edition today to find out how to realize greater ROI from data center consolidation and transformation programs.

The Pulse Secure vADC Developer Edition, available either as pure software, or as a virtual appliance, makes the complete ADC technology platform available to every application developer in your organization, enabling them to develop applications faster, test them in a production- identical environment, and bring them to market more quickly. Find out More To find out more about Pulse Secure Virtual Web Application Firewall, or to arrange a demonstration or product evaluation, please visit http:// www.pulsesecure.net/vadc/vwaf

Corporate and Sales Headquarters Pulse Secure LLC 2700 Zanker Rd. Suite 200 San Jose, CA 95134 www.pulsesecure.net

Copyright 2017 Pulse Secure, LLC. All rights reserved. Pulse Secure and the Pulse Secure logo are registered trademarks or Pulse Secure, LLC. All trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Pulse Secure assumes no responsibility for any inaccuracies in this document. Pulse Secure reserves the right to change, modify, transfer, or otherwise revise this publication without notice.