Juniper EX4650-48Y, QFX5120-32C, QFX5120-48T, QFX5120-48Y, QFX5200-48Y User Manual
...
®
Published
2021-03-14
Junos
OS
Common Criteria Evaluated Configuration
Guide for EX4650-48Y, QFX5120-32C,
QFX5120-48T, QFX5120-48Y,
QFX5200-48Y, and QFX5210-64C Devices
Release
20.2R1-S1
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in
the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks
are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right
to change, modify, transfer, or otherwise revise this publication without notice.
Junos®OS Common Criteria Evaluated Configuration Guide for EX4650-48Y, QFX5120-32C, QFX5120-48T, QFX5120-48Y,
QFX5200-48Y, and QFX5210-64C Devices
20.2R1-S1
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
ii
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related
limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with)
Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement
(“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you
agree to the terms and conditions of that EULA.
Table of Contents
1
2
About the Documentation | vii
Documentation and Release Notes | vii
Documentation Conventions | vii
Documentation Feedback | x
Requesting Technical Support | x
Self-Help Online Tools and Resources | xi
Creating a Service Request with JTAC | xi
Overview
Understanding the Common Criteria Evaluated Configuration | 13
Understanding Common Criteria | 13
iii
Supported Platforms | 13
Understanding Junos OS in FIPS Mode | 14
About the Cryptographic Boundary on Your EX and QFX Series Switchs | 14
How FIPS Mode Differs from Non-FIPS Mode | 15
Validated Version of Junos OS in FIPS Mode | 15
Understanding Common Criteria and FIPS Terminology and Supported Cryptographic
Algorithms | 16
Terminology | 16
Supported Cryptographic Algorithms | 17
Identifying Secure Product Delivery | 19
Understanding Management Interfaces | 20
Configuring Roles and Authentication Methods
Understanding Roles and Services for Junos OS in Common Criteria and FIPS | 22
Security Administrator Role and Responsibilities | 23
FIPS User Role and Responsibilities | 24
What Is Expected of All FIPS Users | 24
Understanding the Operational Environment for Junos OS in FIPS Mode | 25
Hardware Environment for Junos OS in FIPS Mode | 25
Software Environment for Junos OS in FIPS Mode | 25
Critical Security Parameters | 26
Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode | 29
Downloading Software Packages from Juniper Networks | 30
Installing Software on EX and QFX Series devices with a Single Routing Engine | 31
Understanding Zeroization to Clear System Data for FIPS Mode | 33
Why Zeroize? | 33
When to Zeroize? | 34
iv
Zeroizing the System | 35
Establishing Root Password Access | 36
Enabling FIPS Mode | 38
Configuring Security Administrator and FIPS User Identification and Access | 45
Configuring Security Administrator Login Access | 45
Configuring FIPS User Login Access | 47
Configuring Administrative Credentials and Privileges
3
4
5
6
Understanding the Associated Password Rules for an Authorized Administrator | 50
Authentication Methods in FIPS Mode of Operation | 51
Username and Password Authentication over the Console and SSH | 52
Username and Public Key Authentication over SSH | 52
Configuring a Network Device collaborative Protection Profile for an Authorized
Administrator | 53
Customizing Time | 55
Configuring Inactivity Timeout Period, and Terminating Local and Remote Idle
Session | 55
Configuring Session Termination | 56
Sample Output for Local Administrative Session Termination | 57
v
Sample Output for Remote Administrative Session Termination | 57
Sample Output for User Initiated Termination | 58
Configuring SSH and Console Connection
Configuring a System Login Message and Announcement | 60
Configuring SSH on the Evaluated Configuration for NDcPPv2.1 | 61
Limiting the Number of User Login Attempts for SSH Sessions | 63
Configuring the Remote Syslog Server
Syslog Server Configuration on a Linux System | 66
Configuring Event Logging to a Local File | 67
Configuring Event Logging to a Remote Server | 67
Configuring Event Logging to a Remote Server when Initiating the Connection from the Remote
Server | 67
Configuring Audit Log Options
Configuring Audit Log Options in the Evaluated Configuration | 73
Configuring Audit Log Options for EX4650-48Y, QFX5120-32C, QFX5120-48T, QFX5120-48Y,
QFX5200-48Y, and QFX5210-64C devices | 73
Sample Code Audits of Configuration Changes | 74
Configuring Event Logging
7
8
9
10
Event Logging Overview | 90
Configuring Event Logging to a Local File | 91
Interpreting Event Messages | 91
Logging Changes to Secret Data | 92
Login and Logout Events Using SSH | 94
Logging of Audit Startup | 95
Performing Self-Tests on a Device
Understanding FIPS Self-Tests | 97
Performing Power-On Self-Tests on the Device | 97
vi
Configuration Statements
fips | 101
level | 102
Operational Commands
request system zeroize | 104
About the Documentation
IN THIS SECTION
Documentation and Release Notes | vii
Documentation Conventions | vii
Documentation Feedback | x
Requesting Technical Support | x
Use this guide to configure and evaluate EX4650-48Y, QFX5120-32C, QFX5120-48T, QFX5120-48Y,
QFX5200-48Y, and QFX5210-64C devices for Common Criteria (CC) compliance. Common Criteria for
information technology is an international agreement signed by several countries that permit the evaluation
of security products against a common set of standards.
vii
Documentation and Release Notes
To obtain the most current version of all Juniper Networks®technical documentation, see the product
documentation page on the Juniper Networks website at https://www.juniper.net/documentation/.
If the information in the latest release notes differs from the information in the documentation, follow the
product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts.
These books go beyond the technical documentation to explore the nuances of network architecture,
deployment, and administration. The current list can be viewed at https://www.juniper.net/books.
Documentation Conventions
Table 1 on page viii defines notice icons used in this guide.
Table 1: Notice Icons
viii
DescriptionMeaningIcon
Indicates important features or instructions.Informational note
Caution
Indicates a situation that might result in loss of data or hardware
damage.
Alerts you to the risk of personal injury or death.Warning
Alerts you to the risk of personal injury from a laser.Laser warning
Indicates helpful information.Tip
Alerts you to a recommended use or implementation.Best practice
Table 2 on page viii defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
ExamplesDescriptionConvention
Fixed-width text like this
Italic text like this
Represents text that you type.Bold text like this
Represents output that appears on
the terminal screen.
Introduces or emphasizes important
•
new terms.
Identifies guide names.
•
Identifies RFC and Internet draft
•
titles.
To enter configuration mode, type
the configure command:
user@host> configure
user@host> show chassis alarms
No alarms currently active
A policy term is a named structure
•
that defines match conditions and
actions.
Junos OS CLI User Guide
•
RFC 1997, BGP Communities
•
Attribute
Table 2: Text and Syntax Conventions (continued)
ix
ExamplesDescriptionConvention
Italic text like this
Text like this
< > (angle brackets)
| (pipe symbol)
Represents variables (options for
which you substitute a value) in
commands or configuration
statements.
Represents names of configuration
statements, commands, files, and
directories; configuration hierarchy
levels; or labels on routing platform
components.
variables.
Indicates a choice between the
mutually exclusive keywords or
variables on either side of the symbol.
The set of choices is often enclosed
in parentheses for clarity.
Configure the machine’s domain
name:
[edit]
root@# set system domain-name
domain-name
To configure a stub area, include
•
the stub statement at the [edit
protocols ospf area area-id]
hierarchy level.
The console port is labeled
•
CONSOLE.
stub <default-metric metric>;Encloses optional keywords or
broadcast | multicast
(string1 | string2 | string3)
# (pound sign)
[ ] (square brackets)
Indention and braces ( { } )
; (semicolon)
GUI Conventions
Indicates a comment specified on the
same line as the configuration
statement to which it applies.
Encloses a variable for which you can
substitute one or more values.
Identifies a level in the configuration
hierarchy.
Identifies a leaf statement at a
configuration hierarchy level.
rsvp { # Required for dynamic MPLS
only
community name members [
community-ids ]
[edit]
routing-options {
static {
route default {
nexthop address;
retain;
}
}
}
Table 2: Text and Syntax Conventions (continued)
x
ExamplesDescriptionConvention
Bold text like this
> (bold right angle bracket)
Represents graphical user interface
(GUI) items you click or select.
Separates levels in a hierarchy of
menu selections.
In the Logical Interfaces box, select
•
All Interfaces.
To cancel the configuration, click
•
Cancel.
In the configuration editor hierarchy,
select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback so that we can improve our documentation. You can use either
of the following methods:
Online feedback system—Click TechLibrary Feedback, on the lower right of any page on the Juniper
•
Networks TechLibrary site, and do one of the following:
Click the thumbs-up icon if the information on the page was helpful to you.
•
Click the thumbs-down icon if the information on the page was not helpful to you or if you have
•
suggestions for improvement, and use the pop-up form to provide feedback.
E-mail—Send your comments to techpubs-comments@juniper.net. Include the document or topic name,
•
URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC).
If you are a customer with an active Juniper Care or Partner Support Services support contract, or are
covered under warranty, and need post-sales technical support, you can access our tools and resources
online or open a case with JTAC.
JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User
•
Guide located at https://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
Product warranties—For product warranty information, visit https://www.juniper.net/support/warranty/.
•
JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week,
•
365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called
the Customer Support Center (CSC) that provides you with the following features:
Find CSC offerings: https://www.juniper.net/customers/support/
•
Search for known bugs: https://prsearch.juniper.net/
•
xi
Find product documentation: https://www.juniper.net/documentation/
•
Find solutions and answer questions using our Knowledge Base: https://kb.juniper.net/
•
Download the latest versions of software and review release notes:
•
https://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications:
•
https://kb.juniper.net/InfoCenter/
Join and participate in the Juniper Networks Community Forum:
•
https://www.juniper.net/company/communities/
Create a service request online: https://myjuniper.juniper.net
•
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool:
https://entitlementsearch.juniper.net/entitlementsearch/
Creating a Service Request with JTAC
You can create a service request with JTAC on the Web or by telephone.
Visit https://myjuniper.juniper.net.
•
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
•
For international or direct-dial options in countries without toll-free numbers, see
https://support.juniper.net/support/requesting-support/.
1
CHAPTER
Overview
Understanding the Common Criteria Evaluated Configuration | 13
Understanding Junos OS in FIPS Mode | 14
Understanding Common Criteria and FIPS Terminology and Supported Cryptographic
Algorithms | 16
Identifying Secure Product Delivery | 19
Understanding Management Interfaces | 20
Understanding the Common Criteria Evaluated Configuration
This document describes the steps required to configure the device running Junos OS when the device is
evaluated. This is referred to as the evaluated configuration. The device has been evaluated based on
collaborative Protection Profile for Network Devices, Version 2.1, 24 September 2018 (NDcPP Version2.1).
This document is available at https://www.commoncriteriaportal.org/files/ppfiles/CPP_ND_V2.1.pdf.
NOTE: On EX4650-48Y, QFX5120-32C, QFX5120-48T, QFX5120-48Y, QFX5200-48Y, and
QFX5210-64C devices, Junos OS Release 20.2R1-S1 is certified for Common Criteria with FIPS
mode enabled on the devices.
For regulatory compliance information about Common Criteria, and FIPS for Juniper Networks
products, see the Juniper Networks Compliance Advisor.
13
Understanding Common Criteria
Common Criteria for information technology is an international agreement signed by several countries
that permits the evaluation of security products against a common set of standards. In the Common Criteria
Recognition Arrangement (CCRA) at https://www.commoncriteriaportal.org/ccra/, the participants agree
to mutually recognize evaluations of products performed in other countries. All evaluations are performed
using a common methodology for information technology security evaluation.
For more information on Common Criteria, see https://www.commoncriteriaportal.org/.
Target of Evaluation (TOE) is a device or a system subjected to evaluation based on the Collaborative
Protection Profile (cPP).
Supported Platforms
For the features described in this document, the following platforms are supported:
The NDcPP Version 2.1 applies to EX4650-48Y, QFX5120-32C, QFX5120-48T, QFX5120-48Y,
•
QFX5200-48Y, and QFX5210-64C devices.
RELATED DOCUMENTATION
Identifying Secure Product Delivery | 19
Understanding Junos OS in FIPS Mode
IN THIS SECTION
About the Cryptographic Boundary on Your EX and QFX Series Switchs | 14
14
How FIPS Mode Differs from Non-FIPS Mode | 15
Validated Version of Junos OS in FIPS Mode | 15
Federal Information Processing Standards (FIPS) 140-2 defines security levels for hardware and software
that perform cryptographic functions. By meeting the applicable overall requirements within the FIPS
standard, Juniper Networks EX and QFX Series devices running the Juniper Networks Junos operating
system (Junos OS) in FIPS mode comply with the FIPS 140-2 Level 1 standard.
Operating EX and QFX Series devices in a FIPS 140-2 Level 1 environment requires enabling and configuring
FIPS mode on the devices from the Junos OS CLI.
The Security Administrator enables FIPS mode in Junos OS and sets up keys and passwords for the system
and other FIPS users who can view the configuration. Both Security Administrator and user can perform
normal configuration tasks on the switch (such as modify interface types) as individual user configuration
allows.
About the Cryptographic Boundary on Your EX and QFX Series Switchs
FIPS 140-2 compliance requires a defined cryptographic boundary around each cryptographic module on a
switch. Junos OS in FIPS mode prevents the cryptographic module from executing any software that is
not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be
used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic
boundary of the module by, for example, being displayed on a console or written to an external log file.
CAUTION: Virtual Chassis features are not supported in FIPS mode. Do not configure
a Virtual Chassis in FIPS mode.
How FIPS Mode Differs from Non-FIPS Mode
Unlike Junos OS in non-FIPS mode, Junos OS in FIPS mode is a non-modifiable operational environment. In
addition, Junos OS in FIPS mode differs in the following ways from Junos OS in non-FIPS mode:
Self-tests of all cryptographic algorithms are performed at startup.
•
Self-tests of random number and key generation are performed continuously.
•
15
Weak cryptographic algorithms such as Data Encryption Standard (DES) and Message Digest 5 (MD5)
•
are disabled.
Weak or unencrypted management connections must not be configured.
•
Passwords must be encrypted with strong one-way algorithms that do not permit decryption.
•
Administrator passwords must be at least 10 characters long.
•
Validated Version of Junos OS in FIPS Mode
To determine whether a Junos OS release is NIST-validated, see the software download page on the
Juniper Networks Web site (https://www.juniper.net/) or the National Institute of Standards and Technology
site.
RELATED DOCUMENTATION
Identifying Secure Product Delivery | 19
Understanding Common Criteria and FIPS Terminology and Supported Cryptographic Algorithms
IN THIS SECTION
Terminology | 16
Supported Cryptographic Algorithms | 17
Use the definitions of Common Criteria and FIPS terms, and supported algorithms to help you understand
Junos OS.
16
Terminology
Common Criteria—Common Criteria for information technology is an international agreement signed by
several countries that permits the evaluation of security products against a common set of standards.
Security Administrator—For Common Criteria, user accounts in the TOE have the following attributes:
user identity (user name), authentication data (password), and role (privilege). The Security Administrator
is associated with the defined login class “security-admin”, which has the necessary permission set to
permit the administrator to perform all tasks necessary to manage the Junos OS.
NDcPP—Collaborative Protection Profile for Network Devices, Version 2.1, dated 05 May 2017.
Critical security parameter (CSP)—Security-related information—for example, secret and private
cryptographic keys and authentication data such as passwords and personal identification numbers
(PINs)—whose disclosure or modification can compromise the security of a cryptographic module or
the information it protects. For details, see “Understanding the Operational Environment for Junos
OS in FIPS Mode” on page 25.
Cryptographic module—The set of hardware, software, and firmware that implements approved security
functions (including cryptographic algorithms and key generation) and is contained within the
cryptographic boundary. For fixed-configuration switches, the cryptographic module is the switch
case. For modular switches, the cryptographic module is the Routing Engine.
FIPS—Federal Information Processing Standards. FIPS 140-2 specifies requirements for security and
cryptographic modules. Junos OS in FIPS mode complies with FIPS 140-2 Level 1.
FIPS maintenance role—The role the Security Administrator assumes to perform physical maintenance or
logical maintenance services such as hardware or software diagnostics. For FIPS 140-2 compliance,
the Security Administrator zeroizes the Routing Engine on entry to and exit from the FIPS maintenance
role to erase all plain-text secret and private keys and unprotected CSPs.
NOTE: The FIPS maintenance role is not supported on Junos OS in FIPS mode.
KATs—Known answer tests. System self-tests that validate the output of cryptographic algorithms approved
for FIPS and test the integrity of some Junos OS modules. For details, see “Understanding FIPS
Self-Tests” on page 97.
SSH—A protocol that uses strong authentication and encryption for remote access across a nonsecure
network. SSH provides remote login, remote program execution, file copy, and other functions. It is
intended as a secure replacement for rlogin, rsh, and rcp in a UNIX environment. To secure the
information sent over administrative connections, use SSHv2 for CLI configuration. In Junos OS, SSHv2
is enabled by default, and SSHv1, which is not considered secure, is disabled.
17
Zeroization—Erasure of all CSPs and other user-created data on a switch before its operation as a FIPS
cryptographic module—or in preparation for repurposing the switch for non-FIPS operation. The
Security Administrator can zeroize the system with a CLI operational command. For details, see
“Understanding Zeroization to Clear System Data for FIPS Mode” on page 33.
Supported Cryptographic Algorithms
The following cryptographic algorithms are supported in FIPS mode. Symmetric methods use the same
key for encryption and decryption, while asymmetric methods use different keys for encryption and
decryption.
AES—The Advanced Encryption Standard (AES), defined in FIPS PUB 197. The AES algorithm uses keys
of 128, 192, or 256 bits to encrypt and decrypt data in blocks of 128 bits.
Diffie-Hellman—A method of key exchange across a nonsecure environment (such as the Internet). The
Diffie-Hellman algorithm negotiates a session key without sending the key itself across the network
by allowing each party to pick a partial key independently and send part of that key to the other. Each
side then calculates a common key value. This is a symmetrical method—keys are typically used only
for a short time, discarded, and regenerated.
ECDH—Elliptic Curve Diffie-Hellman. A variant of the Diffie-Hellman key exchange algorithm that uses
cryptography based on the algebraic structure of elliptic curves over finite fields. ECDH allows two
parties, each having an elliptic curve public-private key pair, to establish a shared secret over an insecure
channel. The shared secret can be used either as a key or to derive another key for encrypting
subsequent communications using a symmetric key cipher.
ECDSA—Elliptic Curve Digital Signature Algorithm. A variant of the Digital Signature Algorithm (DSA) that
uses cryptography based on the algebraic structure of elliptic curves over finite fields. The bit size of
the elliptic curve determines the difficulty of decrypting the key. The public key believed to be needed
for ECDSA is about twice the size of the security strength, in bits. ECDSA uses the P-256, P-384, and
P-521 curves that can be configured under OpenSSH.
HMAC—Defined as “Keyed-Hashing for Message Authentication” in RFC 2104, HMAC combines hashing
algorithms with cryptographic keys for message authentication.
SHA-256, SHA-384, and SHA-512—Secure hash algorithms (SHA) belonging to the SHA-2 standard defined
in FIPS PUB 180-2. Developed by NIST, SHA-256 produces a 256-bit hash digest, SHA-384 produces
a 384-bit hash digest, and SHA-512 produces a 512-bit hash digest.
AES-CMAC—AES-CMAC provides stronger assurance of data integrity than a checksum or an error-detecting
code. The verification of a checksum or an error-detecting code detects only accidental modifications
of the data, while CMAC is designed to detect intentional, unauthorized modifications of the data, as
well as accidental modifications.
18
RELATED DOCUMENTATION
Understanding FIPS Self-Tests | 97
Understanding Zeroization to Clear System Data for FIPS Mode | 33
Identifying Secure Product Delivery
There are several mechanisms provided in the delivery process to ensure that a customer receives a product
that has not been tampered with. The customer should perform the following checks upon receipt of a
device to verify the integrity of the platform.
Shipping label—Ensure that the shipping label correctly identifies the correct customer name and address
•
as well as the device.
Outside packaging—Inspect the outside shipping box and tape. Ensure that the shipping tape has not
•
been cut or otherwise compromised. Ensure that the box has not been cut or damaged to allow access
to the device.
Inside packaging—Inspect the plastic bag and seal. Ensure that the bag is not cut or removed. Ensure
•
that the seal remains intact.
If the customer identifies a problem during the inspection, he or she should immediately contact the
supplier. Provide the order number, tracking number, and a description of the identified problem to the
supplier.
19
Additionally, there are several checks that can be performed to ensure that the customer has received a
box sent by Juniper Networks and not a different company masquerading as Juniper Networks. The
customer should perform the following checks upon receipt of a device to verify the authenticity of the
device:
Verify that the device was ordered using a purchase order. Juniper Networks devices are never shipped
•
without a purchase order.
When a device is shipped, a shipment notification is sent to the e-mail address provided by the customer
•
when the order is taken. Verify that this e-mail notification was received. Verify that the e-mail contains
the following information:
Purchase order number
•
Juniper Networks order number used to track the shipment
•
Carrier tracking number used to track the shipment
•
List of items shipped including serial numbers
•
Address and contacts of both the supplier and the customer
•
Verify that the shipment was initiated by Juniper Networks. To verify that a shipment was initiated by
•
Juniper Networks, you should perform the following tasks:
Compare the carrier tracking number of the Juniper Networks order number listed in the Juniper
•
Networks shipping notification with the tracking number on the package received.
Log on to the Juniper Networks online customer support portal at https://support.juniper.net/support/
•
to view the order status. Compare the carrier tracking number or the Juniper Networks order number
listed in the Juniper Networks shipment notification with the tracking number on the package received.
RELATED DOCUMENTATION
Understanding the Common Criteria Evaluated Configuration | 13
Understanding Management Interfaces
The following management interfaces can be used in the evaluated configuration:
Local Management Interfaces—The RJ-45 console port on the rear panel of a device is configured as
•
RS-232 data terminal equipment (DTE). You can use the command-line interface (CLI) over this port to
configure the device from a terminal.
20
Remote Management Protocols—The device can be remotely managed over any Ethernet interface.
•
SSHv2 is the only permitted remote management protocol that can be used in the evaluated configuration.
The remote management protocols J-Web and Telnet are not available for use on the device.
RELATED DOCUMENTATION
Understanding the Common Criteria Evaluated Configuration | 13
2
CHAPTER
Configuring Roles and Authentication
Methods
Understanding Roles and Services for Junos OS in Common Criteria and FIPS | 22
Understanding the Operational Environment for Junos OS in FIPS Mode | 25
Understanding Password Specifications and Guidelines for Junos OS in FIPS
Mode | 29
Downloading Software Packages from Juniper Networks | 30
Installing Software on EX and QFX Series devices with a Single Routing Engine | 31
Understanding Zeroization to Clear System Data for FIPS Mode | 33
Zeroizing the System | 35
Establishing Root Password Access | 36
Enabling FIPS Mode | 38
Configuring Security Administrator and FIPS User Identification and Access | 45
Understanding Roles and Services for Junos OS in Common Criteria and FIPS
IN THIS SECTION
Security Administrator Role and Responsibilities | 23
FIPS User Role and Responsibilities | 24
What Is Expected of All FIPS Users | 24
For Common Criteria, user accounts in the TOE have the following attributes: user identity (user name),
authentication data (password), and role (privilege). The Security Administrator is associated with the
defined login class “security-admin”, which has the necessary permission set to allow the administrator to
perform all tasks necessary to manage the Junos OS. Administrative users (Security Administrator) must
provide unique identification and authentication data before any administrative access to the system is
granted.
22
Security Administrator roles and responsibilities are as follows:
1. Security Administrator can administer the TOE locally and remotely.
2. Create, modify, and delete administrator accounts, including configuration of authentication failure
parameters.
3. Re-enable an Administrator account.
4. Responsible for the configuration and maintenance of cryptographic elements related to the
establishment of secure connections to and from the evaluated product.
The Juniper Networks Junos operating system (Junos OS) running in non-FIPS mode allows a wide range
of capabilities for users, and authentication is identity-based. In contrast, the FIPS 140-2 standard defines
two user roles: Security Administrator and FIPS user. These roles are defined in terms of Junos OS user
capabilities.
All other user types defined for Junos OS in FIPS mode (read-only, administrative user, and so on) must
fall into one of the two categories: Security Administrator or FIPS user. For this reason, user authentication
in Junos is identity based with role based authorization.
In addition to their FIPS roles, both Security Administrator and user can perform normal configuration
tasks on the switch as individual user configuration allows.
Crypto Officers and FIPS users perform all FIPS-mode-related configuration tasks and issue all statements
and commands for Junos OS in FIPS mode. Security Administrator and FIPS user configurations must
follow the guidelines for Junos OS in FIPS mode.
For details, see:
Security Administrator Role and Responsibilities
The Security Administrator is the person responsible for enabling, configuring, monitoring, and maintaining
Junos OS in FIPS mode on a switch. The Security Administrator securely installs Junos OS on the switch,
enables FIPS mode, establishes keys and passwords for other users and software modules, and initializes
the switch before network connection.
23
BEST PRACTICE: We recommend that the Security Administrator administer the system in a
secure manner by keeping passwords secure and checking audit files.
The permissions that distinguish the Security Administrator from other FIPS users are secret, security,
maintenance, and control. For FIPS compliance, assign the Security Administrator to a login class that
contains all of these permissions. A user with the Junos OS maintenance permission can read files containing
critical security parameters (CSPs).
NOTE: Junos OS in FIPS mode does not support the FIPS 140-2 maintenance role, which is
different from the Junos OS maintenance permission.
Among the tasks related to Junos OS in FIPS mode, the Security Administrator is expected to:
Set the initial root password.
•
Reset user passwords for FIPS-approved algorithms during upgrades from Junos OS.
•
Examine log and audit files for events of interest.
•
Erase user-generated files and data on (zeroize) the switch.
•
FIPS User Role and Responsibilities
All FIPS users, including the Security Administrator, can view the configuration. Only the user assigned as
the Security Administrator can modify the configuration.
The permissions that distinguish Crypto Officers from other FIPS users are secret, security, maintenance,
and control. For FIPS compliance, assign the FIPS user to a class that contains none of these permissions.
FIPS users configure networking features on the switch and perform other tasks that are not specific to
FIPS mode. FIPS users who are not Crypto Officers can view status output.
What Is Expected of All FIPS Users
All FIPS users, including the Security Administrator, must observe security guidelines at all times.
All FIPS users must:
24
Keep all passwords confidential.
•
Store switches and documentation in a secure area.
•
Deploy switches in secure areas.
•
Check audit files periodically.
•
Conform to all other FIPS 140-2 security rules.
•
Follow these guidelines:
•
Users are trusted.
•
Users abide by all security guidelines.
•
Users do not deliberately compromise security.
•
Users behave responsibly at all times.
•
RELATED DOCUMENTATION
Zeroizing the System | 35
Configuring Security Administrator and FIPS User Identification and Access | 45
Understanding the Operational Environment for Junos OS in FIPS Mode
IN THIS SECTION
Hardware Environment for Junos OS in FIPS Mode | 25
Software Environment for Junos OS in FIPS Mode | 25
Critical Security Parameters | 26
EX and QFX Series devices running the Junos operating system (Junos OS) in FIPS mode forms a special
type of hardware and software operational environment that is different from the environment of a switch
in non-FIPS mode:
25
Hardware Environment for Junos OS in FIPS Mode
Junos OS in FIPS mode establishes a cryptographic boundary in the switch that no critical security
parameters (CSPs) can cross using plain text. Each hardware component of the switch that requires a
cryptographic boundary for FIPS 140-2 compliance is a separate cryptographic module.
For more information about the cryptographic boundary on your switch, see “Understanding Junos OS in
FIPS Mode” on page 14.
Communications involving CSPs between these secure environments must take place using encryption.
Cryptographic methods are not a substitute for physical security. The hardware must be located in a secure
physical environment. Users of all types must not reveal keys or passwords, or allow written records or
notes to be seen by unauthorized personnel.
Software Environment for Junos OS in FIPS Mode
EX and QFX Series Series devices running Junos OS in FIPS mode forms a special type of non-modifiable
operational environment. To achieve this environment on the switch, the system prevents the execution
of any binary file that was not part of the certified Junos OS distribution. When a switch is in FIPS mode,
it can run only Junos OS.
FIPS mode on EX and QFX Series devices are available starting with Junos OS Release 20.2R1-S1. The
Junos OS in FIPS mode software environment is established after the Security Administrator successfully
enables FIPS mode on a EX and QFX Series switch.
For FIPS 140-2 compliance, we recommend deleting all user-created files and data from (zeroizing) the
system immediately after enabling FIPS mode.
NOTE: Do not attach the switch to a network until you, the Security Administrator, complete
the configuration from the local console connection.
Critical Security Parameters
Critical security parameters (CSPs) are security-related information such as cryptographic keys and
passwords that can compromise the security of the cryptographic module or the security of the information
protected by the module if they are disclosed or modified.
26
Zeroization of the system erases all traces of CSPs in preparation for operating the switch or Routing Engine
as a cryptographic module.
Table 3 on page 27 lists CSPs on switches running Junos OS.
Table 3: Critical Security Parameters
Zeroization
methodDescriptionCSP
27
Use
SSH-2 private host
key
SSH-2 session key
User
authentication key
generated the first time SSH is configured.
RSA key used to identify the host, generated
the first time SSH is configured.
Session key used with SSH-2. and as a
Diffie-Hellman private key.
Encryption: AES-128, AES-256.
MACs: HMAC-SHA-1, HMAC SHA-256,
HMAC SHA-512.
Key exchange: DH Group exchange (2048 ≤
key ≤ 8192), ECDH: ECDH-sha2-nistp256,
ECDH-sha2-nistp384, and
ECDH-sha2-nistp521.
SHA-512.
Power cycle and
terminate session.
Zeroize command.Hash of the user’s password: SHA-256,
Used to identify the host.Zeroize command.ECDSA key used to identify the host,
Symmetric key used to
encrypt data between host
and client.
Used to authenticate a user
to the cryptographic
module.
Security
Administrator
authentication key
HMAC DRBG
seed
HMAC DRBG V
value
HMAC DRBG key
value
NDRNG entropy
password: SHA-256, SHA-512.
Seed for deterministic randon bit generator
(DRBG).
in bits, which is updated each time another
outlen bits of output are produced.
which is updated at least once each time that
the DRBG mechanism generates
pseudorandom bits.
DRBG.
Zeroize command.Hash of the Security Administrator’s
by the
cryptographic
module.
Power cycle.The value (V) of output block length (outlen)
Power cycle.The current value of the outlen-bit key,
Power cycle.Used as entropy input string to the HMAC
Used to authenticate the
Security Administrator to
the cryptographic module.
Used for seeding DRBG.Seed is not stored
A critical value of the
internal state of DRBG.
A critical value of the
internal state of DRBG.
A critical value of the
internal state of DRBG.
In Junos OS in FIPS mode, all CSPs must enter and leave the cryptographic module in encrypted form. Any
CSP encrypted with a non-approved algorithm is considered plain text by FIPS.
BEST PRACTICE: For FIPS compliance, configure the switch over SSH connections because
these are encrypted connections.
Local passwords are hashed with the secure hash algorithm SHA-256, or SHA-512. Password recovery is
not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without
the correct root password.
RELATED DOCUMENTATION
Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode | 29
Understanding Zeroization to Clear System Data for FIPS Mode | 33
28
Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode
Ensure that the switch is in FIPS mode before you configure the Security Administrator or any users. All
passwords established for users by the Security Administrator must conform to the following Junos OS
in FIPS mode requirements. Attempts to configure passwords that do not conform to the following
specifications result in an error.
Length. Passwords must contain between 10 and 20 characters.
•
Character set requirements. Passwords must contain at least three of the following five defined character
•
sets:
Uppercase letters
•
Lowercase letters
•
Digits
•
29
Punctuation marks
•
Keyboard characters not included in the other four sets—such as the percent sign (%) and the ampersand
•
(&)
Authentication requirements. All passwords and keys used to authenticate peers must contain at least
•
10 characters, and in some cases the number of characters must match the digest size—for example,
20 characters for SHA-1 authentication.
Guidelines for strong passwords. Strong, reusable passwords can be based on letters from a favorite phrase
or word and then concatenated with other unrelated words, along with added digits and punctuation. In
general, a strong password is:
Easy to remember so that users are not tempted to write it down.
•
Made up of mixed alphanumeric characters and punctuation. For FIPS compliance include at least one
•
change of case, one or more digits, and one or more punctuation marks.
Changed periodically.
•
Not divulged to anyone.
•
Characteristics of weak passwords. Do not use the following weak passwords:
Words that might be found in or exist as a permuted form in a system files such as /etc/passwd.
•
The hostname of the system (always a first guess).
•
Any word or phrase that appears in a dictionary or other well-known source, including dictionaries and
•
thesauruses in languages other than English; works by classical or popular writers; or common words
and phrases from sports, sayings, movies or television shows.
Permutations on any of the above—for example, a dictionary word with letters replaced with digits (root)
•
or with digits added to the end.
Any machine-generated password. Algorithms reduce the search space of password-guessing programs
•
and so must not be used.
RELATED DOCUMENTATION
Understanding the Operational Environment for Junos OS in FIPS Mode | 25
Downloading Software Packages from Juniper Networks
30
You can download the following Junos OS software packages for EX and QFX Series devices from the
Juniper Networks website:
Junos OS for EX4650-48Y, QFX5120-32C, QFX5120-48T, QFX5120-48Y, QFX5200-48Y, and
•
QFX5210-64C devices, Release 20.2R1-S1
Before you begin to download the software, ensure that you have a Juniper Networks Web account and
a valid support contract. To obtain an account, complete the registration form at the Juniper Networks
website: https://www.juniper.net/registration/Register.jsp.
NOTE: For EX4650-48Y, QFX5120-32C, QFX5120-48T, QFX5120-48Y, QFX5200-48Y, and
QFX5210-64C devices, FIPS is supported only on non-flex image. You have to upgrade to the
non-flex image to enable FIPS mode.
To download software packages from Juniper Networks:
1. Using a Web browser, follow the links to the download URL on the Juniper Networks webpage.
https://www.juniper.net/support/downloads/junos.html
2. Log in to the Juniper Networks authentication system using the username (generally your e-mail address)
and password supplied by Juniper Networks representatives.
3. Select the software package that you want to download. You can select software that supports a specific
platform or technology.:
Loading...