Juniper NS-5400-P00A-S00, NS-5400-P00D-S00, NS-5400-P01A-S00, NS-5400-P01D-S00, NS-5000-8G User Manual

...
FIPS 140-2 SECURITY POLICY
Juniper Networks
NetScreen-5400
HW P/N NS-5400 VERSION 3010
FW VERSIONS SCREENOS 5.0.0R9.H, SCREENOS 5.0.0R9A.H AND SCREENOS 5.0.0R9B.H
Juniper NS-5400 Security Policy 1
Copyright Notice
Copyright © 2005 Juniper Networks, Inc. May be reproduced only in its original entirety [without revision]. Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR NETSCREEN REPRESENTATIVE FOR A COPY.
Table of Contents
A. Scope of Document ............................................................ 4
B. Security Level ................................................................ 5
C. Roles and Services ............................................................ 5
D. Interfaces .................................................................... 6
E. Setting FIPS mode ............................................................. 8
F. Other Parameters ............................................................. 10
G. FIPS Certificate Verification ................................................ 14
H. Critical Security Parameter (CSP) Definitions ................................ 14
I. Public Key Definitions ....................................................... 14
J. Matrix Creation of Critical Security Parameter (CSP) versus the Services (Roles & Identity) ... 15
K. Definitions List ............................................................. 17
A. Scope of Document
The Juniper Networks NetScreen-5400 is an internet security device that integrates firewall, virtual private networking (VPN) and traffic shaping functionality. The model number is NetScreen-5400; the orderable part numbers and interface options are listed in Table 1.
Part Number        Model     Interface Option     Power Supply
NS-5400-P00A-S00   NS-5400   2G24FE SPM           AC
NS-5400-P00D-S00   NS-5400   2G24FE SPM           DC
NS-5400-P01A-S00   NS-5400   8G SPM               AC
NS-5400-P01D-S00   NS-5400   8G SPM               DC
NS-5000-8G         -         8G SPM (card only)   N/A
NS-2G24FE          -         2G SPM (card only)   N/A

Table 1 - List of 5400 part numbers
Through the VPN, the NetScreen-5400 provides the following:
IPSec standard security
Data security using the Data Encryption Standard (DES), Triple-DES and Advanced Encryption Standard (AES) algorithms
Note: DES is for legacy systems only (transitional phase only; valid until May 19, 2007).
Manual and automated IKE (ISAKMP)
The use of RSA and DSA certificates
The NetScreen-5400 also provides an interface for users to configure or set policies through the console or network ports.
The general components of the NetScreen-5400 are firmware and hardware. The main hardware components consist of a main processor, memory, flash, ASICs (GigaScreen version 2 and GigaScreen II), 10/100 Mbps Ethernet interface, GBIC network interface, console interface, backplane, redundant power supplies and fan tray. The entire case is defined as the cryptographic boundary of the module. The NetScreen-5400's physical configuration is defined as a multi-chip standalone module.
B. Security Level
The NetScreen-5400 meets the overall requirements applicable to Level 2 security of FIPS 140-2.

Table 2: Module Security Level Specification

Security Requirements Section               Level
Cryptographic Module Specification          2
Cryptographic Module Ports and Interfaces   2
Roles, Services, and Authentication         2
Finite State Model                          2
Physical Security                           2
Operational Environment                     N/A
Cryptographic Key Management                2
EMI/EMC                                     2
Self-Tests                                  2
Design Assurance                            2
Mitigation of Other Attacks                 N/A
C. Roles and Services
The NetScreen-5400 supports five distinct roles:
Cryptographic Officer Role (Root): The module allows one Crypto-Officer. This role is assigned to the first operator who logs on to the module using the default user name and password. Only the Crypto-Officer can create other administrators and change the module to FIPS mode.
User Role (Admin): The Admin user can configure specific security policies. These policies provide the module with information on how to operate (for example, configure access policies and VPN encryption with Triple-DES).
Read-Only User Role (Admin): This role can only perform a limited set of services to retrieve information or status. This role cannot perform services that configure the box.
VSYS User Role: This role has the same operations as the User Role above, except that a VSYS user only operates within a particular virtual system. See the NetScreen Concept and Examples ScreenOS Reference Guide for more information about virtual systems.
VSYS Read-Only User Role: This role has the same operations as the Read-Only User Role above, except that a VSYS read-only user only operates within a particular virtual system. See the NetScreen Concept and Examples ScreenOS Reference Guide for more information about virtual systems.
The module allows concurrent Admin users, either in a User Role or in a Read-Only Role.
The root administrator can create a virtual system (vsys) administrator for each vsys, if the device has multiple virtual systems configured. The vsys administrator can function in either the "user" role or "read-only" role. A virtual system is the architecture that enables the device to respond with a different set of configurations for each vsys administrator. Therefore, a single box can appear to be several logical "virtual systems."
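The role rules above (a single Crypto-Officer claimed by the first default-credential login, administrator creation and FIPS-mode changes reserved to that role, read-only roles barred from configuration, and vsys roles confined to their own virtual system) can be modelled as an authorization check. The following is an added example written for this page; it is not ScreenOS code and does not come from the security policy. It uses the service names listed in section C, but the split of those services into state-changing and read-only ones, the rule that root-level roles are not vsys-restricted, and every account name, password and vsys name in `demo()` are assumptions made for the example.

```python
"""Illustrative model of the NetScreen-5400 operator roles from section C.

Added example for this page: not ScreenOS code and not taken from the
security policy.  Assumptions not stated on the page are marked in comments.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Services listed in section C (including Unset).  The split is an assumption
# derived from the service descriptions: these change module state ...
CONFIGURING = frozenset({"clear", "exec", "reset", "save", "set", "unset"})
# ... and these only retrieve information or status, or end the session.
READ_ONLY = frozenset({"exit", "get", "ping", "trace-route"})

ROOT_ROLES = frozenset({"crypto-officer", "user", "read-only"})
VSYS_ROLES = frozenset({"vsys-user", "vsys-read-only"})
NO_CONFIG_ROLES = frozenset({"read-only", "vsys-read-only"})


@dataclass(frozen=True)
class Session:
    identity: str               # local-database identity (identity-based auth)
    role: str
    vsys: Optional[str] = None  # set only for vsys-scoped roles


def authorize(session: Session, service: str, target_vsys: Optional[str] = None) -> bool:
    """Decide whether `session` may invoke `service` against `target_vsys`
    (None means the root system)."""
    if service not in CONFIGURING | READ_ONLY:
        raise ValueError(f"unknown service {service!r}")
    if session.role in VSYS_ROLES and target_vsys != session.vsys:
        return False            # vsys roles operate only inside their own vsys
    # Assumption: root-level roles are not restricted by target_vsys here.
    if session.role in NO_CONFIG_ROLES:
        return service in READ_ONLY   # read-only roles cannot configure the box
    return True


class Module:
    """Role assignment rules from section C: one Crypto-Officer, assigned to the
    first operator who logs in with the default credentials; only the
    Crypto-Officer can create other administrators or switch to FIPS mode."""

    def __init__(self, default_user: str, default_password: str):
        self._default = (default_user, default_password)
        self._accounts: dict = {}   # name -> (password digest, role, vsys)
        self.crypto_officer: Optional[str] = None
        self.fips_mode = False

    @staticmethod
    def _digest(password: str) -> bytes:
        # Unsalted hash: keeps plaintext out of this example, but is not a
        # recommendation for real credential storage.
        return hashlib.sha256(password.encode()).digest()

    def login(self, name: str, password: str) -> Session:
        if self.crypto_officer is None and (name, password) == self._default:
            # First login with the default credentials claims the CO role.
            self.crypto_officer = name
            self._accounts[name] = (self._digest(password), "crypto-officer", None)
        acct = self._accounts.get(name)
        if acct is None or not hmac.compare_digest(acct[0], self._digest(password)):
            raise PermissionError("authentication failed")
        _, role, vsys = acct
        return Session(name, role, vsys)

    def create_admin(self, by: Session, name: str, password: str,
                     role: str, vsys: Optional[str] = None) -> None:
        if by.role != "crypto-officer":
            raise PermissionError("only the Crypto-Officer can create administrators")
        if role == "crypto-officer":
            raise PermissionError("the module allows one Crypto-Officer")
        if role not in ROOT_ROLES | VSYS_ROLES:
            raise ValueError(f"unknown role {role!r}")
        if (role in VSYS_ROLES) != (vsys is not None):
            raise ValueError("vsys roles require a vsys; root roles must not have one")
        self._accounts[name] = (self._digest(password), role, vsys)

    def set_fips_mode(self, by: Session) -> None:
        if by.role != "crypto-officer":
            raise PermissionError("only the Crypto-Officer can change to FIPS mode")
        self.fips_mode = True


def demo() -> dict:
    """Walk the rules with constructed accounts; returns the decisions made."""
    m = Module("default-user", "default-pass")      # constructed credentials
    co = m.login("default-user", "default-pass")
    m.create_admin(co, "ops", "ops-pass", "read-only")
    m.create_admin(co, "v1", "v1-pass", "vsys-user", vsys="vsys1")
    ops, v1 = m.login("ops", "ops-pass"), m.login("v1", "v1-pass")
    try:
        m.create_admin(v1, "x", "x-pass", "user")
        v1_created_admin = True
    except PermissionError:
        v1_created_admin = False
    m.set_fips_mode(co)
    return {
        "co_role": co.role,
        "ops_get": authorize(ops, "get"),
        "ops_set": authorize(ops, "set"),
        "v1_set_own": authorize(v1, "set", "vsys1"),
        "v1_set_other": authorize(v1, "set", "vsys2"),
        "v1_set_root": authorize(v1, "set"),
        "v1_created_admin": v1_created_admin,
        "fips_mode": m.fips_mode,
    }
```

The check deliberately tests the vsys scope before the read-only restriction: a vsys read-only user asking to `get` status of another vsys is refused by scope first, which matches the page's description that a vsys operator "only operates within a particular virtual system" regardless of which service is requested.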
The NetScreen-5400 provides the following services:
Clear/Delete: Clear dynamic system info
Exec: Exec system commands
Exit: Exit command console
Get: Get system information
Ping: Ping other host
Reset: Reset system
Save: Save command
Set: Configure system parameters
Trace-route: Trace route
Unset: Unconfigure system parameters

The NetScreen-5400 supports both role-based and identity-based authentication. All roles can be authenticated locally (against the module's own database); optionally, the module supports authentication via a RADIUS server for the User role only. Authentication via the RADIUS server is treated as role-based authentication; all other forms of authentication (local database) are identity-based. The module therefore supports identity-based authentication for the Crypto-Officer, the User Role, the Read-Only User Role, the VSYS User Role and the VSYS Read-Only User Role, each against the local database.

D. Interfaces
The NetScreen-5400 can accept up to three network interface cards, of the two types listed below.
The network interface card options are:
1. 8GSPM: The 8GSPM provides eight Gigabit Ethernet mini-GBIC (Gigabit Interface Converter) ports (labeled 1-8) using hot-swappable transceivers. The 8GSPM delivers up to 4 Gbps of firewall capacity and up to 2 Gbps of Virtual Private Network (VPN) capacity.