Junos® OS
Common Criteria Evaluated Configuration Guide for EX4650-48Y, QFX5120-32C, QFX5120-48T, QFX5120-48Y, QFX5200-48Y,andQFX5210-64CDevices
Published
Release
2021-03-14
20.2R1-S1
ii
Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA
408-745-2000 www.juniper.net
JuniperNetworks,theJuniperNetworkslogo,Juniper,andJunosareregisteredtrademarksofJuniperNetworks,Inc. in theUnitedStatesandothercountries. Allothertrademarks,servicemarks,registeredmarks,orregisteredservicemarks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Junos® OSCommonCriteriaEvaluatedConfigurationGuideforEX4650-48Y,QFX5120-32C,QFX5120-48T,QFX5120-48Y, QFX5200-48Y,andQFX5210-64CDevices
20.2R1-S1
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
TheJuniperNetworksproductthatisthesubjectofthistechnicaldocumentationconsistsof(orisintendedforusewith) JuniperNetworkssoftware.UseofsuchsoftwareissubjecttothetermsandconditionsoftheEndUserLicenseAgreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
iii
About the Documentation | vii
Documentation and Release Notes | vii
Documentation Conventions | vii
Documentation Feedback | x
Requesting Technical Support | x
Self-Help Online Tools and Resources | xi
Creating a Service Request with JTAC | xi
1Overview
Understanding the Common Criteria Evaluated Configuration | 13
Understanding Common Criteria | 13
Supported Platforms | 13
Understanding Junos OS in FIPS Mode | 14
About the Cryptographic Boundary on Your EX and QFX Series Switchs | 14
How FIPS Mode Differs from Non-FIPS Mode | 15
Validated Version of Junos OS in FIPS Mode | 15
Understanding Common Criteria and FIPS Terminology and Supported Cryptographic
Algorithms | 16
Terminology | 16
Supported Cryptographic Algorithms | 17
Identifying Secure Product Delivery | 19
Understanding Management Interfaces | 20
2Configuring Roles and Authentication Methods
Understanding Roles and Services for Junos OS in Common Criteria and FIPS | 22
Security Administrator Role and Responsibilities | 23
FIPS User Role and Responsibilities | 24
iv
What Is Expected of All FIPS Users | 24
Understanding the Operational Environment for Junos OS in FIPS Mode | 25
Hardware Environment for Junos OS in FIPS Mode | 25
Software Environment for Junos OS in FIPS Mode | 25
Critical Security Parameters | 26
Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode | 29 Downloading Software Packages from Juniper Networks | 30
Installing Software on EX and QFX Series devices with a Single Routing Engine | 31 Understanding Zeroization to Clear System Data for FIPS Mode | 33
Why Zeroize? | 33
When to Zeroize? | 34
Zeroizing the System | 35
Establishing Root Password Access | 36
Enabling FIPS Mode | 38
Configuring Security Administrator and FIPS User Identification and Access | 45
Configuring Security Administrator Login Access | 45
Configuring FIPS User Login Access | 47
v
3Configuring Administrative Credentials and Privileges
Understanding the Associated Password Rules for an Authorized Administrator | 50
Authentication Methods in FIPS Mode of Operation | 51
Username and Password Authentication over the Console and SSH | 52
Username and Public Key Authentication over SSH | 52
Configuring a Network Device collaborative Protection Profile for an Authorized
Administrator | 53
Customizing Time | 55
Configuring Inactivity Timeout Period, and Terminating Local and Remote Idle
Session | 55
Configuring Session Termination | 56
Sample Output for Local Administrative Session Termination | 57
Sample Output for Remote Administrative Session Termination | 57
Sample Output for User Initiated Termination | 58
4Configuring SSH and Console Connection
Configuring a System Login Message and Announcement | 60
Configuring SSH on the Evaluated Configuration for NDcPPv2.1 | 61
Limiting the Number of User Login Attempts for SSH Sessions | 63
5Configuring the Remote Syslog Server
Syslog Server Configuration on a Linux System | 66
Configuring Event Logging to a Local File | 67
Configuring Event Logging to a Remote Server | 67
ConfiguringEventLoggingtoaRemoteServerwhenInitiatingtheConnectionfromtheRemote
Server | 67
6Configuring Audit Log Options
Configuring Audit Log Options in the Evaluated Configuration | 73
ConfiguringAuditLogOptionsforEX4650-48Y,QFX5120-32C,QFX5120-48T,QFX5120-48Y,
QFX5200-48Y, and QFX5210-64C devices | 73
Sample Code Audits of Configuration Changes | 74
vi
7Configuring Event Logging
Event Logging Overview | 90
Configuring Event Logging to a Local File | 91
Interpreting Event Messages | 91
Logging Changes to Secret Data | 92
Login and Logout Events Using SSH | 94
Logging of Audit Startup | 95
8Performing Self-Tests on a Device
Understanding FIPS Self-Tests | 97
Performing Power-On Self-Tests on the Device | 97
9Configuration Statements
|
fips | 101 |
|
level | 102 |
10 |
Operational Commands |
|
request system zeroize | 104 |
vii
IN THIS SECTION
Documentation and Release Notes | vii
Documentation Conventions | vii
Documentation Feedback | x
Requesting Technical Support | x
Use this guide to configure and evaluate EX4650-48Y, QFX5120-32C, QFX5120-48T, QFX5120-48Y, QFX5200-48Y, and QFX5210-64C devices for Common Criteria (CC) compliance. Common Criteria for informationtechnologyisaninternationalagreementsignedbyseveralcountriesthatpermittheevaluation of security products against a common set of standards.
To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.
Iftheinformationinthelatestreleasenotesdiffersfromtheinformationinthedocumentation,followthe product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at https://www.juniper.net/books.
Table 1 on page viii defines notice icons used in this guide.
viii
Table 1: Notice Icons |
|
|
Icon |
Meaning |
Description |
|
Informational note |
Indicates important features or instructions. |
|
Caution |
Indicates a situation that might result in loss of data or hardware |
|
|
damage. |
|
Warning |
Alerts you to the risk of personal injury or death. |
|
Laser warning |
Alerts you to the risk of personal injury from a laser. |
|
Tip |
Indicates helpful information. |
|
Best practice |
Alerts you to a recommended use or implementation. |
Table 2 on page viii defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
Convention |
Description |
Examples |
Bold text like this |
Represents text that you type. |
To enter configuration mode, type |
|
|
the configure command: |
|
|
user@host> configure |
Fixed-width text like this |
Represents output that appears on |
user@host> show chassis alarms |
|
the terminal screen. |
No alarms currently active |
|
|
Italictextlikethis |
• Introducesoremphasizesimportant |
|
new terms. |
|
• Identifies guide names. |
|
• Identifies RFC and Internet draft |
|
titles. |
•A policy term is a named structure that defines match conditions and actions.
•JunosOSCLIUserGuide
•RFC 1997, BGPCommunities Attribute
ix
Table 2: Text and Syntax Conventions (continued)
Convention |
Description |
Italictextlikethis |
Represents variables (options for |
|
which you substitute a value) in |
|
commands or configuration |
|
statements. |
Examples
Configure the machine’s domain name:
[edit]
root@# set system domain-name domain-name
Text like this |
Represents names of configuration |
|
statements, commands, files, and |
|
directories; configuration hierarchy |
|
levels; or labels on routing platform |
|
components. |
•To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
•The console port is labeled
CONSOLE.
< > (angle brackets) |
Encloses optional keywords or |
|
variables. |
| (pipe symbol) |
Indicates a choice between the |
|
mutually exclusive keywords or |
|
variablesoneithersideofthesymbol. |
|
The set of choices is often enclosed |
|
in parentheses for clarity. |
stub <default-metric metric>;
broadcast | multicast
(string1 | string2 | string3)
# (pound sign)
[ ] (square brackets)
Indention and braces ( { } )
; (semicolon)
Indicatesacommentspecifiedonthe |
rsvp{#RequiredfordynamicMPLS |
same line as the configuration |
only |
statement to which it applies. |
|
Enclosesavariableforwhichyoucan |
community name members [ |
substitute one or more values. |
community-ids ] |
Identifies a level in the configuration |
[edit] |
hierarchy. |
routing-options { |
|
static { |
Identifies a leaf statement at a |
route default { |
configuration hierarchy level. |
nexthop address; |
|
retain; |
|
} |
|
} |
|
} |
GUI Conventions
x
Table 2: Text and Syntax Conventions (continued) |
|
|
Convention |
Description |
Examples |
Bold text like this |
Represents graphical user interface |
• IntheLogicalInterfacesbox,select |
|
(GUI) items you click or select. |
All Interfaces. |
|
|
• To cancel the configuration, click |
|
|
Cancel. |
> (bold right angle bracket) |
Separates levels in a hierarchy of |
Intheconfigurationeditorhierarchy, |
|
menu selections. |
select Protocols>Ospf. |
We encourage you to provide feedback so that we can improve our documentation. You can use either of the following methods:
•Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper Networks TechLibrary site, and do one of the following:
•Click the thumbs-up icon if the information on the page was helpful to you.
•Click the thumbs-down icon if the information on the page was not helpful to you or if you have suggestions for improvement, and use the pop-up form to provide feedback.
•E-mail—Sendyourcommentstotechpubs-comments@juniper.net.Includethedocumentortopicname, URL or page number, and software version (if applicable).
TechnicalproductsupportisavailablethroughtheJuniperNetworksTechnicalAssistanceCenter(JTAC). If you are a customer with an active Juniper Care or Partner Support Services support contract, or are
xi
covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.
•JTACpolicies—ForacompleteunderstandingofourJTACproceduresandpolicies,reviewtheJTACUser Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
•Productwarranties—Forproductwarrantyinformation,visithttps://www.juniper.net/support/warranty/.
•JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Forquickandeasyproblemresolution,JuniperNetworkshasdesignedanonlineself-serviceportalcalled the Customer Support Center (CSC) that provides you with the following features:
•Find CSC offerings: https://www.juniper.net/customers/support/
•Search for known bugs: https://prsearch.juniper.net/
•Find product documentation: https://www.juniper.net/documentation/
•Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/
•Download the latest versions of software and review release notes: https://www.juniper.net/customers/csc/software/
•Search technical bulletins for relevant hardware and software notifications: https://kb.juniper.net/InfoCenter/
•Join and participate in the Juniper Networks Community Forum: https://www.juniper.net/company/communities/
•Create a service request online: https://myjuniper.juniper.net
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://entitlementsearch.juniper.net/entitlementsearch/
You can create a service request with JTAC on the Web or by telephone.
•Visit https://myjuniper.juniper.net.
•Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see https://support.juniper.net/support/requesting-support/.
1
CHAPTER
Understanding the Common Criteria Evaluated Configuration | 13
Understanding Junos OS in FIPS Mode | 14
UnderstandingCommonCriteriaandFIPSTerminologyandSupportedCryptographic
Algorithms | 16
Identifying Secure Product Delivery | 19
Understanding Management Interfaces | 20
13
Understanding the Common Criteria Evaluated
Configuration
This document describes the steps required to configure the device running Junos OS when the device is evaluated. This is referred to as the evaluated configuration. The device has been evaluated based on collaborativeProtectionProfileforNetworkDevices,Version2.1,24September2018(NDcPPVersion2.1).
This document is available at https://www.commoncriteriaportal.org/files/ppfiles/CPP_ND_V2.1.pdf.
NOTE: On EX4650-48Y, QFX5120-32C, QFX5120-48T, QFX5120-48Y, QFX5200-48Y, and QFX5210-64Cdevices,JunosOSRelease20.2R1-S1iscertifiedforCommonCriteriawithFIPS mode enabled on the devices.
For regulatory compliance information about Common Criteria, and FIPS for Juniper Networks products, see the Juniper Networks Compliance Advisor.
Common Criteria for information technology is an international agreement signed by several countries thatpermitstheevaluationofsecurityproductsagainstacommonsetofstandards.IntheCommonCriteria RecognitionArrangement(CCRA)at https://www.commoncriteriaportal.org/ccra/,theparticipantsagree tomutuallyrecognizeevaluationsofproductsperformedinothercountries.Allevaluationsareperformed using a common methodology for information technology security evaluation.
For more information on Common Criteria, see https://www.commoncriteriaportal.org/.
Target of Evaluation (TOE) is a device or a system subjected to evaluation based on the Collaborative Protection Profile (cPP).
For the features described in this document, the following platforms are supported:
14
•The NDcPP Version 2.1 applies to EX4650-48Y, QFX5120-32C, QFX5120-48T, QFX5120-48Y, QFX5200-48Y, and QFX5210-64C devices.
RELATED DOCUMENTATION
Identifying Secure Product Delivery | 19
IN THIS SECTION
About the Cryptographic Boundary on Your EX and QFX Series Switchs | 14
How FIPS Mode Differs from Non-FIPS Mode | 15
Validated Version of Junos OS in FIPS Mode | 15
Federal Information Processing Standards (FIPS) 140-2 defines security levels for hardware and software that perform cryptographic functions. By meeting the applicable overall requirements within the FIPS standard, Juniper Networks EX and QFX Series devices running the Juniper Networks Junos operating system (Junos OS) in FIPSmode comply with the FIPS 140-2 Level 1 standard.
OperatingEXandQFXSeriesdevicesinaFIPS140-2Level1environmentrequiresenablingandconfiguring FIPS mode on the devices from the Junos OS CLI.
The SecurityAdministrator enablesFIPSmodeinJunosOSandsetsupkeysandpasswordsforthesystem and other FIPSusers who can view the configuration. Both Security Administrator and user can perform normal configuration tasks on the switch (such as modify interface types) as individual user configuration allows.
FIPS 140-2 compliance requires a defined cryptographicboundary around each cryptographicmodule on a switch. Junos OS in FIPS mode prevents the cryptographic module from executing any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be
15
used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic boundary of the module by, for example, being displayed on a console or written to an external log file.
CAUTION: VirtualChassisfeaturesarenotsupportedinFIPSmode.Donotconfigure a Virtual Chassis in FIPS mode.
Unlike Junos OS in non-FIPS mode, Junos OS in FIPS mode is a non-modifiableoperationalenvironment. In addition, Junos OS in FIPS mode differs in the following ways from Junos OS in non-FIPS mode:
•Self-tests of all cryptographic algorithms are performed at startup.
•Self-tests of random number and key generation are performed continuously.
•Weak cryptographic algorithms such as Data Encryption Standard (DES) and Message Digest 5 (MD5) are disabled.
•Weak or unencrypted management connections must not be configured.
•Passwords must be encrypted with strong one-way algorithms that do not permit decryption.
•Administrator passwords must be at least 10 characters long.
To determine whether a Junos OS release is NIST-validated, see the software download page on the JuniperNetworksWebsite(https://www.juniper.net/)ortheNationalInstituteofStandardsandTechnology site.
RELATED DOCUMENTATION
Identifying Secure Product Delivery | 19
16
UnderstandingCommonCriteriaandFIPSTerminology
and Supported Cryptographic Algorithms
IN THIS SECTION
Terminology | 16
Supported Cryptographic Algorithms | 17
UsethedefinitionsofCommonCriteriaandFIPSterms,andsupportedalgorithmstohelpyouunderstand
Junos OS.
Common Criteria—Common Criteria for information technology is an international agreement signed by severalcountriesthatpermitstheevaluationofsecurityproductsagainstacommonsetofstandards.
Security Administrator—For Common Criteria, user accounts in the TOE have the following attributes: useridentity(username),authenticationdata(password),androle(privilege).TheSecurityAdministrator is associated with the defined login class “security-admin”, which has the necessary permission set to permit the administrator to perform all tasks necessary to manage the Junos OS.
NDcPP—Collaborative Protection Profile for Network Devices, Version 2.1, dated 05 May 2017.
Critical security parameter (CSP)—Security-related information—for example, secret and private cryptographic keys and authentication data such as passwords and personal identification numbers (PINs)—whose disclosure or modification can compromise the security of a cryptographic module or the information it protects. For details, see “Understanding the Operational Environment for Junos OS in FIPS Mode” on page 25.
Cryptographic module—The set of hardware, software, and firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary. For fixed-configuration switches, the cryptographic module is the switch case. For modular switches, the cryptographic module is the Routing Engine.
FIPS—Federal Information Processing Standards. FIPS 140-2 specifies requirements for security and cryptographic modules. Junos OS in FIPS mode complies with FIPS 140-2 Level 1.
17
FIPSmaintenancerole—TheroletheSecurityAdministratorassumestoperformphysicalmaintenanceor logical maintenance services such as hardware or software diagnostics. For FIPS 140-2 compliance, theSecurityAdministratorzeroizestheRoutingEngineonentrytoandexitfromtheFIPSmaintenance role to erase all plain-text secret and private keys and unprotected CSPs.
NOTE: The FIPS maintenance role is not supported on Junos OS in FIPS mode.
KATs—Knownanswertests.Systemself-teststhatvalidatetheoutputofcryptographicalgorithmsapproved for FIPS and test the integrity of some Junos OS modules. For details, see “Understanding FIPS Self-Tests” on page 97.
SSH—A protocol that uses strong authentication and encryption for remote access across a nonsecure network. SSH provides remote login, remote program execution, file copy, and other functions. It is intended as a secure replacement for rlogin, rsh, and rcp in a UNIX environment. To secure the informationsentoveradministrativeconnections,useSSHv2forCLIconfiguration.InJunosOS,SSHv2 is enabled by default, and SSHv1, which is not considered secure, is disabled.
Zeroization—Erasure of all CSPs and other user-created data on a switch before its operation as a FIPS cryptographic module—or in preparation for repurposing the switch for non-FIPS operation. The Security Administrator can zeroize the system with a CLI operational command. For details, see “Understanding Zeroization to Clear System Data for FIPS Mode” on page 33.
The following cryptographic algorithms are supported in FIPS mode. Symmetric methods use the same key for encryption and decryption, while asymmetric methods use different keys for encryption and decryption.
AES—The Advanced Encryption Standard (AES), defined in FIPS PUB 197. The AES algorithm uses keys of 128, 192, or 256 bits to encrypt and decrypt data in blocks of 128 bits.
Diffie-Hellman—A method of key exchange across a nonsecure environment (such as the Internet). The Diffie-Hellman algorithm negotiates a session key without sending the key itself across the network byallowingeachpartytopickapartialkeyindependentlyandsendpartofthatkeytotheother. Each side then calculates a common key value. This is a symmetrical method—keys are typically used only for a short time, discarded, and regenerated.
ECDH—Elliptic Curve Diffie-Hellman. A variant of the Diffie-Hellman key exchange algorithm that uses cryptography based on the algebraic structure of elliptic curves over finite fields. ECDH allows two parties,eachhavinganellipticcurvepublic-privatekeypair,toestablishasharedsecretoveraninsecure
18
channel. The shared secret can be used either as a key or to derive another key for encrypting subsequent communications using a symmetric key cipher.
ECDSA—EllipticCurveDigitalSignatureAlgorithm. AvariantoftheDigitalSignatureAlgorithm(DSA)that uses cryptography based on the algebraic structure of elliptic curves over finite fields. The bit size of theellipticcurvedeterminesthedifficultyofdecryptingthekey.Thepublickeybelievedtobeneeded forECDSAisabouttwicethesizeofthesecuritystrength,inbits. ECDSAusestheP-256,P-384,and P-521 curves that can be configured under OpenSSH.
HMAC—Definedas“Keyed-HashingforMessageAuthentication”inRFC2104,HMACcombineshashing
algorithms with cryptographic keys for message authentication.
SHA-256,SHA-384,andSHA-512—Securehashalgorithms(SHA)belongingtotheSHA-2standarddefined inFIPSPUB180-2. DevelopedbyNIST,SHA-256producesa256-bithashdigest,SHA-384produces a 384-bit hash digest, and SHA-512 produces a 512-bit hash digest.
AES-CMAC—AES-CMACprovidesstrongerassuranceofdataintegritythanachecksumoranerror-detecting code. Theverificationofachecksumoranerror-detectingcodedetectsonlyaccidentalmodifications of the data, while CMAC is designed to detect intentional, unauthorized modifications of the data, as well as accidental modifications.
RELATED DOCUMENTATION
Understanding FIPS Self-Tests | 97
Understanding Zeroization to Clear System Data for FIPS Mode | 33
19
Thereareseveralmechanismsprovidedinthedeliveryprocesstoensurethatacustomerreceivesaproduct that has not been tampered with. The customer should perform the following checks upon receipt of a device to verify the integrity of the platform.
•Shippinglabel—Ensurethattheshippinglabelcorrectlyidentifiesthecorrectcustomernameandaddress as well as the device.
•Outside packaging—Inspect the outside shipping box and tape. Ensure that the shipping tape has not been cut or otherwise compromised. Ensure that the box has not been cut or damaged to allow access to the device.
•Inside packaging—Inspect the plastic bag and seal. Ensure that the bag is not cut or removed. Ensure that the seal remains intact.
If the customer identifies a problem during the inspection, he or she should immediately contact the supplier. Provide the order number, tracking number, and a description of the identified problem to the supplier.
Additionally, there are several checks that can be performed to ensure that the customer has received a box sent by Juniper Networks and not a different company masquerading as Juniper Networks. The customer should perform the following checks upon receipt of a device to verify the authenticity of the device:
•Verifythatthedevicewasorderedusingapurchaseorder. JuniperNetworksdevicesarenevershipped without a purchase order.
•Whenadeviceisshipped,ashipmentnotificationissenttothee-mailaddressprovidedbythecustomer whentheorderistaken. Verifythatthise-mailnotificationwasreceived. Verifythatthee-mailcontains the following information:
•Purchase order number
•Juniper Networks order number used to track the shipment
•Carrier tracking number used to track the shipment
•List of items shipped including serial numbers
•Address and contacts of both the supplier and the customer
•Verify that the shipment was initiated by Juniper Networks. To verify that a shipment was initiated by Juniper Networks, you should perform the following tasks:
•Compare the carrier tracking number of the Juniper Networks order number listed in the Juniper Networks shipping notification with the tracking number on the package received.
20
•LogontotheJuniperNetworksonlinecustomersupportportalathttps://support.juniper.net/support/ toviewtheorderstatus. ComparethecarriertrackingnumberortheJuniperNetworksordernumber listedintheJuniperNetworksshipmentnotificationwiththetrackingnumberonthepackagereceived.
RELATED DOCUMENTATION
Understanding the Common Criteria Evaluated Configuration | 13
The following management interfaces can be used in the evaluated configuration:
•Local Management Interfaces—The RJ-45 console port on the rear panel of a device is configured as RS-232 data terminal equipment (DTE). You can use the command-line interface (CLI) over this port to configure the device from a terminal.
•Remote Management Protocols—The device can be remotely managed over any Ethernet interface. SSHv2istheonlypermittedremotemanagementprotocolthatcanbeusedintheevaluatedconfiguration. The remote management protocols J-Web and Telnet are not available for use on the device.
RELATED DOCUMENTATION
Understanding the Common Criteria Evaluated Configuration | 13
2
CHAPTER
Configuring Roles and Authentication
Methods
Understanding Roles and Services for Junos OS in Common Criteria and FIPS | 22
Understanding the Operational Environment for Junos OS in FIPS Mode | 25
Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode | 29
Downloading Software Packages from Juniper Networks | 30
InstallingSoftwareonEXandQFXSeriesdeviceswithaSingleRoutingEngine | 31
Understanding Zeroization to Clear System Data for FIPS Mode | 33
Zeroizing the System | 35
Establishing Root Password Access | 36
Enabling FIPS Mode | 38
Configuring Security Administrator and FIPS User Identification and Access | 45
22
IN THIS SECTION
Security Administrator Role and Responsibilities | 23
FIPS User Role and Responsibilities | 24
What Is Expected of All FIPS Users | 24
For Common Criteria, user accounts in the TOE have the following attributes: user identity (user name), authentication data (password), and role (privilege). The Security Administrator is associated with the definedloginclass“security-admin”,whichhasthenecessarypermissionsettoallowtheadministratorto perform all tasks necessary to manage the Junos OS. Administrative users (Security Administrator) must provide unique identification and authentication data before any administrative access to the system is granted.
Security Administrator roles and responsibilities are as follows:
1.Security Administrator can administer the TOE locally and remotely.
2.Create, modify, and delete administrator accounts, including configuration of authentication failure parameters.
3.Re-enable an Administrator account.
4.Responsible for the configuration and maintenance of cryptographic elements related to the establishment of secure connections to and from the evaluated product.
The Juniper Networks Junos operating system (Junos OS) running in non-FIPS mode allows a wide range ofcapabilitiesforusers,andauthenticationisidentity-based. Incontrast,theFIPS140-2standarddefines two user roles: SecurityAdministrator and FIPSuser. These roles are defined in terms of Junos OS user capabilities.
All other user types defined for Junos OS in FIPS mode (read-only, administrative user, and so on) must fallintooneofthetwocategories:SecurityAdministratororFIPSuser.Forthisreason,userauthentication in Junos is identity based with role based authorization.
23
In addition to their FIPS roles, both Security Administrator and user can perform normal configuration tasks on the switch as individual user configuration allows.
CryptoOfficersandFIPSusersperformallFIPS-mode-relatedconfigurationtasksandissueallstatements and commands for Junos OS in FIPS mode. Security Administrator and FIPS user configurations must follow the guidelines for Junos OS in FIPS mode.
For details, see:
TheSecurityAdministratoristhepersonresponsibleforenabling,configuring,monitoring,andmaintaining Junos OS in FIPS mode on a switch. The Security Administrator securely installs Junos OS on the switch, enables FIPS mode, establishes keys and passwords for other users and software modules, and initializes the switch before network connection.
BEST PRACTICE: We recommend that the Security Administrator administer the system in a secure manner by keeping passwords secure and checking audit files.
The permissions that distinguish the Security Administrator from other FIPS users are secret, security, maintenance, and control. For FIPS compliance, assign the Security Administrator to a login class that containsallofthesepermissions.AuserwiththeJunosOSmaintenancepermissioncanreadfilescontaining critical security parameters (CSPs).
NOTE: Junos OS in FIPS mode does not support the FIPS140-2maintenancerole, which is different from the Junos OS maintenance permission.
Among the tasks related to Junos OS in FIPS mode, the Security Administrator is expected to:
•Set the initial root password.
•Reset user passwords for FIPS-approved algorithms during upgrades from Junos OS.
•Examine log and audit files for events of interest.
•Erase user-generated files and data on (zeroize) the switch.
24
AllFIPSusers,includingtheSecurityAdministrator,canviewtheconfiguration. Onlytheuserassignedas the Security Administrator can modify the configuration.
ThepermissionsthatdistinguishCryptoOfficersfromotherFIPSusersare secret, security, maintenance, and control. For FIPS compliance, assign the FIPS user to a class that contains none of these permissions.
FIPS users configure networking features on the switch and perform other tasks that are not specific to FIPS mode. FIPS users who are not Crypto Officers can view status output.
All FIPS users, including the Security Administrator, must observe security guidelines at all times.
All FIPS users must:
•Keep all passwords confidential.
•Store switches and documentation in a secure area.
•Deploy switches in secure areas.
•Check audit files periodically.
•Conform to all other FIPS 140-2 security rules.
•Follow these guidelines:
•Users are trusted.
•Users abide by all security guidelines.
•Users do not deliberately compromise security.
•Users behave responsibly at all times.
RELATED DOCUMENTATION
Zeroizing the System | 35
Configuring Security Administrator and FIPS User Identification and Access | 45
25
UnderstandingtheOperationalEnvironmentforJunos
OS in FIPS Mode
IN THIS SECTION
Hardware Environment for Junos OS in FIPS Mode | 25
Software Environment for Junos OS in FIPS Mode | 25
Critical Security Parameters | 26
EX and QFX Series devices running the Junos operating system (Junos OS) in FIPS mode forms a special typeofhardwareandsoftwareoperationalenvironmentthatisdifferentfromtheenvironmentofaswitch in non-FIPS mode:
Junos OS in FIPS mode establishes a cryptographic boundary in the switch that no critical security parameters (CSPs) can cross using plain text. Each hardware component of the switch that requires a cryptographic boundary for FIPS 140-2 compliance is a separate cryptographic module.
For more information about the cryptographic boundary on your switch, see “Understanding Junos OS in FIPS Mode” on page 14.
Communications involving CSPs between these secure environments must take place using encryption.
Cryptographicmethodsarenotasubstituteforphysicalsecurity.Thehardwaremustbelocatedinasecure physical environment. Users of all types must not reveal keys or passwords, or allow written records or notes to be seen by unauthorized personnel.
EX and QFX Series Series devices running Junos OS in FIPS mode forms a special type of non-modifiable operational environment. To achieve this environment on the switch, the system prevents the execution of any binary file that was not part of the certified Junos OS distribution. When a switch is in FIPS mode, it can run only Junos OS.
26
FIPS mode on EX and QFX Series devices are available starting with Junos OS Release 20.2R1-S1. The JunosOSinFIPSmodesoftwareenvironmentisestablishedaftertheSecurityAdministratorsuccessfully enables FIPS mode on a EX and QFX Series switch.
For FIPS 140-2 compliance, we recommend deleting all user-created files and data from (zeroizing) the system immediately after enabling FIPS mode.
NOTE: Do not attach the switch to a network until you, the Security Administrator, complete the configuration from the local console connection.
Critical security parameters (CSPs) are security-related information such as cryptographic keys and passwordsthatcancompromisethesecurityofthecryptographicmoduleorthesecurityoftheinformation protected by the module if they are disclosed or modified.
ZeroizationofthesystemerasesalltracesofCSPsinpreparationforoperatingtheswitchorRoutingEngine as a cryptographic module.
Table 3 on page 27 lists CSPs on switches running Junos OS.
27
Table 3: Critical Security Parameters |
|
|
|
|
|
Zeroization |
|
CSP |
Description |
method |
Use |
SSH-2privatehost |
ECDSA key used to identify the host, |
Zeroize command. |
Used to identify the host. |
key |
generated the first time SSH is configured. |
|
|
|
RSAkeyusedtoidentifythehost,generated |
|
|
|
the first time SSH is configured. |
|
|
SSH-2sessionkey Session key used with SSH-2. and as a Diffie-Hellman private key.
Encryption: AES-128, AES-256.
MACs: HMAC-SHA-1, HMAC SHA-256,
HMAC SHA-512.
Keyexchange:DHGroupexchange(2048≤ key ≤ 8192), ECDH: ECDH-sha2-nistp256, ECDH-sha2-nistp384, and ECDH-sha2-nistp521.
User |
Hash of the user’s password: SHA-256, |
authenticationkey |
SHA-512. |
Power cycle and |
Symmetric key used to |
terminate session. |
encrypt data between host |
|
and client. |
Zeroize command. Usedtoauthenticateauser to the cryptographic module.
Security |
Hash of the Security Administrator’s |
Administrator |
password: SHA-256, SHA-512. |
authenticationkey |
|
Zeroize command. Used to authenticate the Security Administrator to the cryptographic module.
HMAC DRBG |
Seed for deterministic randon bit generator |
Seed is not stored |
Used for seeding DRBG. |
seed |
(DRBG). |
by the |
|
|
|
cryptographic |
|
|
|
module. |
|
HMAC DRBG V |
Thevalue(V)ofoutputblocklength(outlen) |
Power cycle. |
A critical value of the |
value |
in bits, which is updated each time another |
|
internal state of DRBG. |
|
outlen bits of output are produced. |
|
|
HMAC DRBG key |
The current value of the outlen-bit key, |
Power cycle. |
A critical value of the |
value |
whichisupdatedatleastonceeachtimethat |
|
internal state of DRBG. |
|
the DRBG mechanism generates |
|
|
|
pseudorandom bits. |
|
|
NDRNG entropy |
Used as entropy input string to the HMAC |
Power cycle. |
A critical value of the |
|
DRBG. |
|
internal state of DRBG. |
28
InJunosOSinFIPSmode,allCSPsmustenterandleavethecryptographicmoduleinencryptedform.Any CSP encrypted with a non-approved algorithm is considered plain text by FIPS.
BEST PRACTICE: For FIPS compliance, configure the switch over SSH connections because these are encrypted connections.
Local passwords are hashed with the secure hash algorithm SHA-256, or SHA-512. Password recovery is notpossibleinJunosOSinFIPSmode. JunosOSinFIPSmodecannotbootintosingle-usermodewithout the correct root password.
RELATED DOCUMENTATION
Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode | 29
Understanding Zeroization to Clear System Data for FIPS Mode | 33
29
UnderstandingPasswordSpecificationsandGuidelines for Junos OS in FIPS Mode
Ensure that the switch is in FIPS mode before you configure the Security Administrator or any users. All passwords established for users by the Security Administrator must conform to the following Junos OS in FIPS mode requirements. Attempts to configure passwords that do not conform to the following specifications result in an error.
•Length. Passwords must contain between 10 and 20 characters.
•Charactersetrequirements.Passwordsmustcontainatleastthreeofthefollowingfivedefinedcharacter sets:
•Uppercase letters
•Lowercase letters
•Digits
•Punctuation marks
•Keyboardcharactersnotincludedintheotherfoursets—suchasthepercentsign(%)andtheampersand
(&)
•Authentication requirements. All passwords and keys used to authenticate peers must contain at least 10 characters, and in some cases the number of characters must match the digest size—for example, 20 characters for SHA-1 authentication.
Guidelinesforstrongpasswords.Strong,reusablepasswordscanbebasedonlettersfromafavoritephrase or word and then concatenated with other unrelated words, along with added digits and punctuation. In general, a strong password is:
•Easy to remember so that users are not tempted to write it down.
•Made up of mixed alphanumeric characters and punctuation. For FIPS compliance include at least one change of case, one or more digits, and one or more punctuation marks.
•Changed periodically.
•Not divulged to anyone.
Characteristics of weak passwords. Do not use the following weak passwords:
•Words that might be found in or exist as a permuted form in a system files such as /etc/passwd.
•The hostname of the system (always a first guess).
•Any word or phrase that appears in a dictionary or other well-known source, including dictionaries and thesauruses in languages other than English; works by classical or popular writers; or common words and phrases from sports, sayings, movies or television shows.
30
•Permutationsonanyoftheabove—forexample,adictionarywordwithlettersreplacedwithdigits(root) or with digits added to the end.
•Anymachine-generatedpassword. Algorithmsreducethesearchspaceofpassword-guessingprograms and so must not be used.
RELATED DOCUMENTATION
Understanding the Operational Environment for Junos OS in FIPS Mode | 25
Downloading Software Packages from Juniper
Networks
You can download the following Junos OS software packages for EX and QFX Series devices from the Juniper Networks website:
•Junos OS for EX4650-48Y, QFX5120-32C, QFX5120-48T, QFX5120-48Y, QFX5200-48Y, and QFX5210-64C devices, Release 20.2R1-S1
Before you begin to download the software, ensure that you have a Juniper Networks Web account and a valid support contract. To obtain an account, complete the registration form at the Juniper Networks website: https://www.juniper.net/registration/Register.jsp.
NOTE: For EX4650-48Y, QFX5120-32C, QFX5120-48T, QFX5120-48Y, QFX5200-48Y, and QFX5210-64C devices, FIPS is supported only on non-flex image. You have to upgrade to the non-flex image to enable FIPS mode.
To download software packages from Juniper Networks:
1.Using a Web browser, follow the links to the download URL on the Juniper Networks webpage. https://www.juniper.net/support/downloads/junos.html
2.LogintotheJuniperNetworksauthenticationsystemusingtheusername(generallyyoure-mailaddress) and password supplied by Juniper Networks representatives.
3.Selectthesoftwarepackagethatyouwanttodownload.Youcanselectsoftwarethatsupportsaspecific platform or technology.: