Strict Security

When the Strict Security mode is selected on the Administration > Appliance Security > Security Compliance page, the appliance:

  • Disables the use of certain features.

  • Selects enhanced password protection.

  • Restricts access to the appliance.

Disabled features

The Strict Security mode prevents the use of the following features:

  • Reporting API access control list – the ACL section of the Administration > Integration > API Authorization page is disabled. This prevents scripts from bypassing the login requirements when accessing the reporting API. Tools that must access the reporting API while the appliance is in the Strict Security mode must be able to handle the login page.

  • Vulnerability scanning setup – the Administration > Integration > Vulnerability Scanning setup page is disabled and not displayed. The appliance cannot access any vulnerability scanners while it is in the Strict Security mode.

  • Mitigation – All Administration > Mitigation pages are disabled and not displayed.

  • ODBC DB Access – the Administration > Account Management > ODBC DB Access page is disabled and not displayed.

Password protection

The Strict Security mode automatically selects the following global password protection options. Some settings can be manually overridden to provide a higher level of security, but not a lower level. Other settings, as noted below, cannot be changed while the appliance is in the Strict Security mode.

  • Minimum number of characters: 8. Can be set to a number greater than 8, but not lower than 8.

  • Require mixed case. Cannot be changed while the appliance is in the Strict Security mode.

  • Require non-alphanumeric characters. Cannot be changed while the appliance is in the Strict Security mode.

  • Remember 12 prior passwords. Can be set to a number greater than 12, but not lower than 12.

  • Enable password aging. Cannot be changed while the appliance is in the Strict Security mode.

  • Number of days before password expiration: 60. Can be set to a number lower than 60, but not greater than 60.

  • Force password change on first log-in. Cannot be changed while the appliance is in the Strict Security mode.

  • Number of attempts before account locked: 3. Can be set to a number lower than 3, but not greater than 3.

  • Number of minutes to keep account locked: 30. Can be set to a number greater than 30, but not lower than 30.

These settings can be viewed on the Administration > Appliance Security > Password Security page. They are also visible when you click Settings on the Administration > Account Management > User Accounts page.

The Strict Security mode also automatically sets the inactivity timeout for RADIUS and TACACS+ users to 10 minutes. This cannot be changed while the appliance is in the Strict Security mode.
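The rule in the list above is that each baseline value may only be overridden in the direction that makes it stricter, and several settings may not change at all. The following script, added here as an illustration and not taken from the appliance's own software, encodes that baseline and the allowed override direction, rejects a proposed configuration that would weaken it, checks a candidate password against the effective policy (length, mixed case, non-alphanumeric character, reuse of the last 12 passwords), and models the 3-attempt / 30-minute lockout. The setting names, the `LoginLimiter` class and the SHA-256 history store are assumptions made for the example; the page does not show the appliance's configuration keys or how it stores password history.

```python
"""Strict Security password-policy baseline, expressed as checkable code.

Added example (not the appliance's code). Setting names are hypothetical;
the values and override directions come from the documentation page.
"""
import hashlib
import hmac
from datetime import datetime, timedelta

# baseline value and the only direction in which an admin may override it:
# "higher" = larger values allowed, "lower" = smaller values allowed,
# "fixed" = cannot be changed while Strict Security mode is on.
STRICT_BASELINE = {
    "min_length": (8, "higher"),
    "require_mixed_case": (True, "fixed"),
    "require_non_alnum": (True, "fixed"),
    "password_history": (12, "higher"),
    "password_aging": (True, "fixed"),
    "expiry_days": (60, "lower"),
    "force_change_on_first_login": (True, "fixed"),
    "lockout_attempts": (3, "lower"),
    "lockout_minutes": (30, "higher"),
}


def check_override(proposed: dict) -> list:
    """Return the settings in `proposed` that would weaken the baseline."""
    violations = []
    for key, (base, direction) in STRICT_BASELINE.items():
        value = proposed.get(key, base)
        if direction == "fixed" and value != base:
            violations.append(f"{key}: cannot be changed in Strict Security mode")
        elif direction == "higher" and value < base:
            violations.append(f"{key}: {value} is weaker than baseline {base}")
        elif direction == "lower" and value > base:
            violations.append(f"{key}: {value} is weaker than baseline {base}")
    return violations


def effective_policy(proposed: dict) -> dict:
    """Merge admin overrides onto the baseline, refusing any that weaken it."""
    problems = check_override(proposed)
    if problems:
        raise ValueError("; ".join(problems))
    policy = {key: base for key, (base, _) in STRICT_BASELINE.items()}
    policy.update(proposed)
    return policy


def digest(password: str) -> str:
    # Illustrative history store only: a real appliance would keep a slow,
    # salted password hash, not a bare SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_problems(password: str, prior_digests: list, policy: dict) -> list:
    """Reasons a new password is rejected under `policy` (empty list = accepted)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if policy["require_mixed_case"] and not (has_lower and has_upper):
        problems.append("must contain both upper- and lower-case letters")
    if policy["require_non_alnum"] and all(c.isalnum() for c in password):
        problems.append("must contain a non-alphanumeric character")
    recent = prior_digests[-policy["password_history"]:]
    candidate = digest(password)
    if any(hmac.compare_digest(candidate, old) for old in recent):
        problems.append(f"reuses one of the last {policy['password_history']} passwords")
    return problems


class LoginLimiter:
    """Lock an account after N failed attempts for M minutes (hypothetical model)."""

    def __init__(self, policy: dict, now=datetime.utcnow):
        self.max_attempts = policy["lockout_attempts"]
        self.lock_for = timedelta(minutes=policy["lockout_minutes"])
        self.now = now  # injectable clock so the lockout window can be tested
        self.failures = {}
        self.locked_until = {}

    def is_locked(self, user: str) -> bool:
        until = self.locked_until.get(user)
        return until is not None and self.now() < until

    def record_failure(self, user: str) -> bool:
        """Record a failed login; return True if the account is now locked."""
        if self.is_locked(user):
            return True
        count = self.failures.get(user, 0) + 1
        if count >= self.max_attempts:
            self.locked_until[user] = self.now() + self.lock_for
            self.failures[user] = 0
            return True
        self.failures[user] = count
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)
```

Note that `effective_policy` raises on any weakening override, so a tightened configuration such as `{"min_length": 12, "expiry_days": 30}` is accepted while `{"min_length": 6}` or `{"require_mixed_case": False}` is refused, which is exactly the asymmetry the list describes.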

Access restrictions

The Strict Security mode also automatically:

  • Sets the inactivity timeout for sessions on the console port and SSH connections to the Primary port to 10 minutes and limits login attempts on these ports to 3.

  • Disables Ctrl+Alt+Delete on the console.

  • Implements additional firewall rules restricting source-routed packets and some ICMP requests.
