How to Enable and Configure Junos OS in FIPS Mode of Operation
As Crypto Officer, you can enable and configure Junos OS in FIPS mode of operation on the device. Before you begin enabling and configuring FIPS mode of operation on the device:
Verify the secure delivery of the device. See Identifying Secure Delivery.
Apply tamper-evident seals. See Applying Tamper-Evident Seals to the Cryptographic Module.
To enable Junos OS in FIPS mode of operation, perform the following steps:
Zeroize the device before enabling FIPS mode of operation.
user@host> request system zeroize
Enable FIPS mode on the device.
user@host# set system fips level 2
Remove the CSPs at commit check, then reboot the device.
user@host# commit
When the module operates in FIPS mode, the device runs the integrity and self-tests at power-on.
Configure IKEv2 when AES-GCM is used to encrypt IKE and/or IPsec.
user@host# set security ike proposal <ike_proposal_name> encryption-algorithm ?
Possible completions:
  3des-cbc             3DES-CBC encryption algorithm
  aes-128-cbc          AES-CBC 128-bit encryption algorithm
  aes-128-gcm          AES-GCM 128-bit encryption algorithm
  aes-192-cbc          AES-CBC 192-bit encryption algorithm
  aes-256-cbc          AES-CBC 256-bit encryption algorithm
  aes-256-gcm          AES-GCM 256-bit encryption algorithm
user@host# set security ike proposal <ike_proposal_name> encryption-algorithm aes-256-gcm
user@host# set security ipsec proposal <ipsec_proposal_name> encryption-algorithm ?
Possible completions:
  3des-cbc             3DES-CBC encryption algorithm
  aes-128-cbc          AES-CBC 128-bit encryption algorithm
  aes-128-gcm          AES-GCM 128-bit encryption algorithm
  aes-192-cbc          AES-CBC 192-bit encryption algorithm
  aes-192-gcm          AES-GCM 192-bit encryption algorithm
  aes-256-cbc          AES-CBC 256-bit encryption algorithm
  aes-256-gcm          AES-GCM 256-bit encryption algorithm
user@host# set security ipsec proposal <ipsec_proposal_name> encryption-algorithm aes-128-gcm
user@host# set security ike gateway <gateway_name> version ?
Possible completions:
  v1-only              The connection must be initiated using IKE version 1
  v2-only              The connection must be initiated using IKE version 2
user@host# set security ike gateway <gateway_name> version v2-only
user@host# commit
commit complete
Issue the request system snapshot command to ensure that the backup image of the firmware is also a JUNOS-FIPS image.
user@host> request system snapshot
Note:
The show configuration security ike and show configuration security ipsec commands display the approved and configured IKE/IPsec configuration of a device operating in FIPS-approved mode.
user@host:fips> show version
Hostname: host-srx380
Model: srx380-poe-ac
Junos: 20.2R1
JUNOS Software Release [20.2R1]
The fips keyword next to the hostname in the output indicates that the module is operating in FIPS mode on Junos Software Release 20.2R1.
user@host:fips> show configuration security ike
proposal ike-proposal1 {
    authentication-method pre-shared-keys;
    dh-group group14;
    encryption-algorithm aes-256-gcm;
}
policy ike-policy1 {
    mode main;
    proposals ike-proposal1;
    pre-shared-key ascii-text "$9$Hq.5zF/tpBUj9Au0IRdbwsaZ"; ## SECRET-DATA
}
gateway gw1 {
    ike-policy ike-policy1;
    address 198.51.100.0;
    local-identity inet 203.0.113.0;
    external-interface ge-0/0/3;
    version v2-only;
}
user@host:fips> show configuration security ipsec
proposal ipsec-proposal1 {
    protocol esp;
    encryption-algorithm aes-128-gcm;
}
policy ipsec-policy1 {
    perfect-forward-secrecy {
        keys group14;
    }
    proposals ipsec-proposal1;
}
vpn vpn1 {
    bind-interface st0.0;
    ike {
        gateway gw1;
        ipsec-policy ipsec-policy1;
    }
}
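The AES-GCM-requires-IKEv2 rule from the configuration step above can be checked offline against saved `show configuration security ike` and `show configuration security ipsec` output. The following is an added example, not Juniper code; the parser, the function names and the sample configurations are assumptions constructed to mirror the shape of the output shown above.

```python
import re

# Constructed samples shaped like the 'show configuration security ike/ipsec' output above.
IKE_CONF = """\
proposal ike-proposal1 {
    authentication-method pre-shared-keys;
    dh-group group14;
    encryption-algorithm aes-256-gcm;
}
gateway gw1 {
    ike-policy ike-policy1;
    version v2-only;
}
"""
IPSEC_CONF = """\
proposal ipsec-proposal1 {
    protocol esp;
    encryption-algorithm aes-128-gcm;
}
"""
GCM = {"aes-128-gcm", "aes-192-gcm", "aes-256-gcm"}

def parse_stanzas(text):
    """Map (kind, name) -> {attribute: value} for top-level proposal/gateway stanzas."""
    stanzas, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):                                # a stanza opens
            m = re.match(r"^(proposal|gateway)\s+(\S+)\s*\{$", line)
            if depth == 0 and m:
                current = (m.group(1), m.group(2))
                stanzas[current] = {}
            depth += 1
        elif line == "}":                                     # a stanza closes
            depth -= 1
            if depth == 0:
                current = None
        elif current and depth == 1 and line.endswith(";"):   # e.g. "version v2-only;"
            key, _, value = line[:-1].partition(" ")
            stanzas[current][key] = value
    return stanzas

def fips_ipsec_findings(ike_text, ipsec_text):
    """Deviations from the rule: AES-GCM in any proposal requires every gateway to be v2-only."""
    ike, ipsec = parse_stanzas(ike_text), parse_stanzas(ipsec_text)
    proposals = [a for (k, _), a in list(ike.items()) + list(ipsec.items()) if k == "proposal"]
    if not any(a.get("encryption-algorithm") in GCM for a in proposals):
        return []
    return [f"gateway {n}: AES-GCM in use but version is {a.get('version', 'unset')}, not v2-only"
            for (k, n), a in ike.items() if k == "gateway" and a.get("version") != "v2-only"]
```

Nested stanzas such as policy, perfect-forward-secrecy and vpn in real output are skipped by the depth counter, so the check only reads the proposal and gateway attributes it needs.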