Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Understanding Junos OS in FIPS Mode

 

Federal Information Processing Standards (FIPS) 140-2 defines security levels for hardware and software that perform cryptographic functions. By meeting the applicable overall requirements within the FIPS standard, Juniper Networks QFX Series switches running the Juniper Networks Junos operating system (Junos OS) in FIPS mode comply with the FIPS 140-2 Level 1 standard.

Operating QFX Series switches in a FIPS 140-2 Level 1 environment requires enabling and configuring FIPS mode on the switches from the Junos OS CLI.

The Crypto Officer enables FIPS mode in Junos OS and sets up keys and passwords for the system and other FIPS users who can view the configuration. Both Crypto Officer and user can perform normal configuration tasks on the switch (such as modify interface types) as individual user configuration allows.

About the Cryptographic Boundary on Your QFX Series Switch

FIPS 140-2 compliance requires a defined cryptographic boundary around each cryptographic module on a switch. Junos OS in FIPS mode prevents the cryptographic module from executing any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic boundary of the module by, for example, being displayed on a console or written to an external log file.

For the Juniper Networks QFX Series switches that are certified at FIPS-140-2 Level 1, the cryptographic boundary of the module is determined by the chassis type. For a list of FIPS-certified switches and the cryptographic boundary of each switch, see Table 1.

Table 1: Cryptographic Boundaries on FIPS-Certified QFX Series Switches

Switch

Chassis Type

Cryptographic Boundary

QFX10002 switch

Fixed configuration

Switch case

QFX10008 switch with any line card configuration

Modular configuration

Chassis boundary

QFX10016 switch with any line card configuration

Modular configuration

Chassis boundary

To physically secure the cryptographic module, all QFX Series switches require a tamper-evident seal on the USB. QFX10008, and QFX10016 switches require a tamper-evident seal on Four SFP+ ports located at control board.

How FIPS Mode Differs from Non-FIPS Mode

Unlike Junos OS in non-FIPS mode, Junos OS in FIPS mode is a non-modifiable operational environment. In addition, Junos OS in FIPS mode differs in the following ways from Junos OS in non-FIPS mode:

  • Self-tests of all cryptographic algorithms are performed at startup.

  • Self-tests of random number and key generation are performed continuously.

  • Weak cryptographic algorithms such as Data Encryption Standard (DES) and Message Digest 5 (MD5) are disabled.

  • Weak or unencrypted management connections must not be configured.

  • Passwords must be encrypted with strong one-way algorithms that do not permit decryption.

  • Administrator passwords must be at least 10 characters long.

Validated Version of Junos OS in FIPS Mode

On QFX10002, QFX10008, and QFX10016 devices, Junos OS Release 18.1R1 is certified for FIPS. To determine whether a Junos OS release is NIST-validated, see the software download page on the Juniper Networks Web site (http://www.juniper.net/) or the National Institute of Standards and Technology site.