Pulse Secure is an established tool for secure access from devices to enterprise apps and services, but do its vulnerabilities outweigh its strengths?
Despite some vocal detractors, the VPN has established itself as a crucial ingredient in supporting and securing distributed workforces, especially as a growing number of organizations look to improve user experience, drive cloud migrations and modernize secure access strategies.
Thanks to the pandemic and its subsequent restrictions, however, organizations have realized that many of the legacy technologies that they relied on to enforce security and enable remote working are actually in desperate need of an upgrade. Primarily, IT leaders discovered that they must enhance and optimize the employee experience without sacrificing security, though threading that needle is certainly not as simple as it may first appear.
Navigating the secure access landscape can be a challenge, and selecting a suitable VPN or zero trust network access (ZTNA) tool can be a lengthy process. A typical list of incumbents includes Cisco’s AnyConnect, Palo Alto’s Global Protect and Microsoft’s DirectAccess, all of which are facing increasing pressure from more modern alternatives.
Here we analyze the strengths and weaknesses of Pulse Secure (now part of Ivanti) and highlight the most important factors to consider before making the switch to another secure remote access solution.
Architecture
Pulse Secure’s architecture is typically set up as a traditional VPN, with a hardware appliance required as a server. Its complementary ZTNA solution is sold separately and operates on two different “planes”, requiring a controller and a gateway. When a user attempts to access a specific resource or application, that request is made to the controller to assess whether the traffic should be permitted through. This creates a degree of latency because decision-making has to take place in the cloud rather than at the edge. It’s also worth keeping in mind that Connect Secure is limited to private, manual configuration in either managed data centers (on-premises) or in private cloud instances (IaaS).
| When to choose Pulse Secure | When to choose something better |
|---|---|
| Pulse’s architecture is preferable to some organizations with larger IT teams, who have the time and resources to deal with multiple products and complex deployments. Pulse is a good fit for those with requirements for dedicated hardware appliances. | Pulse is poorly suited for organizations looking to move to the cloud, or for those that have a strong emphasis on the employee experience. Leaders should seek a solution that performs real-time analyses of employee requests and can direct traffic at the edge. |
Security
Pulse Secure adopts the principles of zero trust in its ZTNA product. It embraces the “verification before trust” approach so that only authorized users and devices are able to access company resources, and “hides” those resources from unwanted visitors. Pulse ZTNA works as an alternative to its VPN functionality.
Pulse has encountered several high-profile security vulnerabilities that have been exploited by bad actors. Most recently, a maximum-severity authentication bypass vulnerability was discovered “that can allow an unauthenticated user to perform RCE (remote code execution) on the Pulse Connect Secure gateway.” It is the latest and most extreme example in a long series of concerning security risks, and organizations should exercise caution when considering the implementation of Pulse technologies.
“The vulnerabilities in Pulse Connect Secure… include one that hackers had been actively exploiting before it was known to Ivanti, the maker of the product. The flaw… carries a severity rating of 10 out of a possible 10. The authentication bypass vulnerability allows untrusted users to remotely execute malicious code on Pulse Secure hardware, and from there, to gain control of other parts of the network where it’s installed.”
Dan Goodin, Ars Technica
| When to choose Pulse Secure | When to choose something better |
|---|---|
| Connect Secure is an adequate solution for those seeking to expand existing VPN deployments with add-on ZTNA functionality, though major question marks remain over its ability to remain secure. | Do not use Pulse Secure if security is a paramount priority, or when an integration between VPN and ZTNA is required. IT leaders should invest in a solution that can give them peace of mind and has no history of security breaches. |
Employee experience
Pulse Secure is one of the most widely used VPNs, often deployed for its cost-effective ability to provide remote access. When it comes to the employee experience, however, there are some compromises. Pulse Secure does not offer any traffic optimization or connection persistence functionality, though an optional policy add-on module allows for basic split tunneling to avoid tunneling 100% of employee device traffic.
| When to choose Pulse Secure | When to choose something better |
|---|---|
| Pulse Secure is a solid choice for organizations with workers operating in fixed environments on reliable networks. Examples include organizations that do not anticipate large-scale remote working periods, or those without mobile/field employees. | Pulse Secure is not recommended for organizations with large, distributed workforces, or those with environments where network performance can be slow, unstable or unpredictable. In these instances, leaders should look for a mobile-first, optimized VPN that improves the employee experience. |
Visibility and control
To ensure maximum security, some organizations might set policies to force all employee traffic through the VPN tunnel. This presents latency and usability challenges, but ensures the IT team is able to see, manage and secure all of the network traffic.
Pulse Secure allows configurations that split-tunnel the traffic for specific resources. While this will improve performance, any traffic diverted outside of Pulse’s gateway or VPN becomes invisible to the IT team. By doing so, admins lose data that could provide insights for informed decisions about which policies to set in order to enhance the employee experience. Effectively, Pulse Secure customers are forced to choose between better security, with visibility and control, or a better experience for employees, with neither.
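To make that visibility trade-off concrete, here is an added example (not Pulse Secure’s own configuration or code) that takes a split-tunnel policy expressed as tunneled and excluded routes, applies longest-prefix matching the way a client route table would, and lists which of a constructed set of endpoint flows would bypass the gateway and therefore never appear in its logs. All route ranges and flow records are constructed for illustration.

```python
"""Audit the visibility gap created by a split-tunnel VPN policy."""
import ipaddress

# Constructed policy: destinations that are sent into the VPN tunnel.
TUNNELED_ROUTES = [
    ipaddress.ip_network("10.0.0.0/8"),        # internal resources
    ipaddress.ip_network("192.168.100.0/24"),  # internal services
]
# Constructed exclusions: more specific than a tunneled route, so they win.
EXCLUDED_ROUTES = [
    ipaddress.ip_network("10.99.0.0/16"),      # a lab range deliberately excluded
]
# A full-tunnel policy for comparison: the default route goes through the VPN.
FULL_TUNNEL = [ipaddress.ip_network("0.0.0.0/0")]

# Constructed endpoint flow records, as a device agent might report them.
SAMPLE_FLOWS = [
    {"src": "172.16.5.20", "dst": "10.1.2.3", "dport": 443},
    {"src": "172.16.5.20", "dst": "10.99.7.7", "dport": 22},
    {"src": "172.16.5.20", "dst": "203.0.113.10", "dport": 443},
    {"src": "172.16.5.20", "dst": "192.168.100.5", "dport": 445},
]


def is_tunneled(dst, tunneled=TUNNELED_ROUTES, excluded=EXCLUDED_ROUTES):
    """Decide by longest-prefix match: the most specific matching route wins."""
    ip = ipaddress.ip_address(dst)
    best = None  # (prefix length, goes through the tunnel?)
    for net in tunneled:
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, True)
    for net in excluded:
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, False)
    # No matching route at all means the flow is not tunneled.
    return best is not None and best[1]


def visibility_gap(flows, tunneled=TUNNELED_ROUTES, excluded=EXCLUDED_ROUTES):
    """Return the flows the VPN gateway never sees under the given policy."""
    return [f for f in flows if not is_tunneled(f["dst"], tunneled, excluded)]


if __name__ == "__main__":
    for flow in visibility_gap(SAMPLE_FLOWS):
        print("not visible to gateway:", flow["dst"], "port", flow["dport"])
    print("full-tunnel gap:", visibility_gap(SAMPLE_FLOWS, FULL_TUNNEL, []))
```

Under the split-tunnel policy the lab range and the public destination are invisible to the gateway; under the full-tunnel policy the gap is empty, which is the trade-off the paragraph describes.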
| When to choose Pulse Secure | When to choose something better |
|---|---|
| Pulse Secure is a sensible choice for businesses that prefer to operate with an ‘always on’ approach to remote access, meaning remote workers stay connected to the VPN at all times. | Pulse Secure is a sub-optimal choice for organizations that need a VPN or ZTNA but are unwilling to tunnel all traffic. Leaders should look into a solution that provides a secure tunnel when it’s required, but can still maintain complete visibility and control over all traffic when the tunnel is not in use. |
With a strong market presence and well-established footprint in the appliance-based VPN sector, Pulse Secure will continue to be one of the more popular, go-to choices for organizations requiring a traditional VPN solution.
As the marketplace emerges from a pandemic-impacted landscape, organizations are going to need a secure remote access solution that provides a balance between an optimized employee experience with the security components so crucial to IT teams: robust visibility and a zero-trust security posture. For those seeking a solution to meet these requirements, NetMotion is an ideal choice for customers looking to upgrade their Pulse Secure deployments to a more modern alternative.
NetMotion has become the premier choice in the VPN market, with hundreds of its customers making the switch from other solutions as remote and mobile working become increasingly common. The company today supports over 3,000 organizations and in excess of one million workers who cannot afford to compromise when it comes to user experience, including 7 of the top 10 largest airlines, and powers three quarters of first responders in North America. Organizations wishing to test the products in a head-to-head capacity can do so for free by getting in touch with one of our experts.