Configuring Roles and Authentication Methods

Understanding Roles and Services for Junos OS in FIPS Mode

The Security Administrator is associated with the defined login class “security-admin”, which has the necessary permission set to permit the administrator to perform all tasks necessary to manage Junos OS. Administrative users (Security Administrator) must provide unique identification and authentication data before any administrative access to the system is granted.

Security Administrator roles and responsibilities are as follows:

  1. Administer the device locally and remotely.

  2. Create, modify, and delete administrator accounts, including configuration of authentication failure parameters.

  3. Re-enable an administrator account.

  4. Configure and maintain the cryptographic elements related to the establishment of secure connections to and from the evaluated product.

The Juniper Networks Junos operating system (Junos OS) running in non-FIPS mode allows a wide range of capabilities for users, and authentication is identity-based.

The Security Administrator performs all FIPS-mode-related configuration tasks and issues all statements and commands for Junos OS in FIPS mode.

Security Administrator Role and Responsibilities

The Security Administrator is the person responsible for enabling, configuring, monitoring, and maintaining Junos OS in FIPS mode on a router. The Security Administrator securely installs Junos OS on the router, enables FIPS mode, establishes keys and passwords for other users and software modules, and initializes the router before network connection.

Best Practice

We recommend that the Security Administrator administer the system in a secure manner by keeping passwords secure and checking audit files.

The permissions that distinguish the Security Administrator from other FIPS users are secret, security, maintenance, and control. For FIPS compliance, assign the Security Administrator to a login class that contains all of these permissions.

Note

Junos OS in FIPS mode does not support the FIPS 140-2 maintenance role, which is different from the Junos OS maintenance permission.

Among the tasks related to Junos OS in FIPS mode, the Security Administrator is expected to:

  • Set the initial root password. The password must be at least 10 characters long.

  • Reset user passwords with FIPS-approved algorithms.

  • Examine log and audit files for events of interest.

  • Erase user-generated files, keys, and data by zeroizing the router.

FIPS User Role and Responsibilities

All FIPS users, including the Security Administrator, can view the configuration. Only the user assigned as the Security Administrator can modify the configuration.

A FIPS user can view status output but cannot reboot or zeroize the device.

What Is Expected of All FIPS Users

All FIPS users, including the Security Administrator, must observe security guidelines at all times.

All FIPS users must:

  • Keep all passwords confidential.

  • Store routers and documentation in a secure area.

  • Deploy routers in secure areas.

  • Check audit files periodically.

  • Conform to all other FIPS 140-2 security rules.

  • Follow these guidelines:

    • Users are trusted.

    • Users abide by all security guidelines.

    • Users do not deliberately compromise security.

    • Users behave responsibly at all times.

Understanding the Operational Environment for Junos OS in FIPS Mode

A Juniper Networks device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode forms a special type of hardware and software operational environment that is different from the environment of a device in non-FIPS mode.

Hardware Environment for Junos OS in FIPS Mode

Junos OS in FIPS mode establishes a cryptographic boundary in the device that no critical security parameters (CSPs) can cross in plain text. Each hardware component of the device that requires a cryptographic boundary for FIPS 140-2 compliance is a separate cryptographic module. There are two types of hardware with cryptographic boundaries in Junos OS in FIPS mode: one for each Routing Engine and one for the entire chassis, which includes the encryption services PIC (MS-MIC).

Cryptographic methods are not a substitute for physical security. The hardware must be located in a secure physical environment. Users of all types must not reveal keys or passwords, or allow written records or notes to be seen by unauthorized personnel.

Software Environment for Junos OS in FIPS Mode

A Juniper Networks device running Junos OS in FIPS mode forms a special type of nonmodifiable operational environment. To achieve this environment on the device, the system prevents the execution of any binary file that was not part of the certified Junos OS in FIPS mode distribution. When a device is in FIPS mode, it can run only Junos OS.

FIPS mode on the MX104 is available in Junos OS Release 19.1R2 and later. The Junos OS in FIPS mode software environment is established after the Security Administrator successfully enables FIPS mode on the device. The Junos OS Release 19.1R2 image that includes FIPS mode is available on the Juniper Networks website and can be installed on a functioning device.

For FIPS 140-2 compliance, we recommend that you delete all user-created files and data by zeroizing the device before enabling FIPS mode.

Enabling FIPS mode disables many of the usual Junos OS protocols and services. In particular, you cannot configure the following services in Junos OS in FIPS mode:

  • finger

  • ftp

  • rlogin

  • telnet

  • tftp

  • xnm-clear-text

Attempts to configure these services, or load configurations with these services configured, result in a configuration syntax error.

You can use only SSH as a remote access service.

All passwords established for users after upgrading to Junos OS in FIPS mode must conform to Junos OS in FIPS mode specifications. Passwords must be between 10 and 20 characters in length and require the use of at least three of the five defined character sets (uppercase and lowercase letters, digits, punctuation marks, and keyboard characters, such as % and &, not included in the other four categories). The default password format in FIPS mode is SHA512. Attempts to configure passwords that do not conform to these rules result in an error. All passwords and keys used to authenticate peers must be at least 10 characters in length, and in some cases the length must match the digest size.

Note

Do not attach the device to a network until the Security Administrator completes configuration from the local console connection.

For strict compliance, do not examine core and crash dump information on the local console in Junos OS in FIPS mode because some CSPs might be shown in plain text.

Critical Security Parameters

Critical security parameters (CSPs) are security-related information such as cryptographic keys and passwords that can compromise the security of the cryptographic module or the security of the information protected by the module if they are disclosed or modified.

Zeroization of the system erases all traces of CSPs in preparation for operating the device or Routing Engine as a cryptographic module.

Table 1 lists CSPs on devices running Junos OS.

Table 1: Critical Security Parameters

SSHv2 private host key
  Description: ECDSA / RSA key used to identify the host, generated the first time SSH is configured.
  Zeroize: Zeroize command.
  Use: Used to identify the host.

SSHv2 session keys
  Description: Session key used with SSHv2 and as a Diffie-Hellman private key. Encryption: AES-128, AES-256. MACs: HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-512. Key exchange: dh-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, and ecdh-sha2-nistp521.
  Zeroize: Power cycle and terminate session.
  Use: Symmetric key used to encrypt data between host and client.

User authentication key
  Description: Hash of the user's password: SHA256, SHA512.
  Zeroize: Zeroize command.
  Use: Used to authenticate a user to the cryptographic module.

Security Administrator authentication key
  Description: Hash of the Security Administrator's password: SHA256, SHA512.
  Zeroize: Zeroize command.
  Use: Used to authenticate the Security Administrator to the cryptographic module.

HMAC DRBG seed
  Description: Seed for the deterministic random bit generator (DRBG).
  Zeroize: Seed is not stored by the cryptographic module.
  Use: Used for seeding the DRBG.

HMAC DRBG V value
  Description: The value (V) of output block length (outlen) in bits, which is updated each time another outlen bits of output are produced.
  Zeroize: Power cycle.
  Use: A critical value of the internal state of the DRBG.

HMAC DRBG key value
  Description: The current value of the outlen-bit key, which is updated at least once each time that the DRBG mechanism generates pseudorandom bits.
  Zeroize: Power cycle.
  Use: A critical value of the internal state of the DRBG.

NDRNG entropy
  Description: Used as the entropy input string to the HMAC DRBG.
  Zeroize: Power cycle.
  Use: A critical value of the internal state of the DRBG.

In Junos OS in FIPS mode, all CSPs must enter and leave the cryptographic module in encrypted form. Any CSP encrypted with a non-approved algorithm is considered plain text by FIPS.

Local passwords are encrypted with the SHA256 or SHA512 algorithm. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the correct root password.
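The two statements above and the service list under Software Environment for Junos OS in FIPS Mode translate into one configuration session that a Security Administrator would run before enabling FIPS mode: remove the plain-text services that FIPS mode would reject at commit time, and pin SSH to the algorithms named in Table 1. This is an added example, not configuration from the page or from Juniper. Assumptions: the service statement names are taken as the page lists them; the cipher keywords aes128-ctr and aes256-ctr are one choice for the table's AES-128 and AES-256; HMAC-SHA-1 and dh-group14-sha1, although permitted by the table, are deliberately left out; and delete of a statement that is not present only produces a warning. Lines beginning with # are annotations, not commands.

```junos
[edit system services]
# services that cannot exist in a FIPS mode configuration (syntax error at commit)
user@host# delete finger
user@host# delete ftp
user@host# delete rlogin
user@host# delete telnet
user@host# delete tftp
user@host# delete xnm-clear-text
# SSH is the only remote access service; restrict it to the Table 1 algorithms
# (SHA-1 based MAC and DH group, listed in the table, are excluded here by choice)
user@host# set ssh protocol-version v2
user@host# set ssh ciphers [ aes128-ctr aes256-ctr ]
user@host# set ssh macs [ hmac-sha2-256 hmac-sha2-512 ]
user@host# set ssh key-exchange [ ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 ]
# review the resulting hierarchy, validate, then commit
user@host# show
user@host# commit check
user@host# commit
```

After the commit, a connection from an SSH client run with verbose output (for example ssh -vv) shows the negotiated key exchange, cipher and MAC; anything outside the pinned lists indicates the configuration did not take effect on that Routing Engine.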

Understanding Password Specifications and Guidelines for Junos OS

All passwords established for users by the Security Administrator must conform to the following Junos OS in FIPS mode requirements. Attempts to configure passwords that do not conform to the following specifications result in an error.

  • Length. Passwords must contain between 10 and 20 characters.

  • Character set requirements. Passwords must contain at least three of the following five defined character sets:

    • Uppercase letters

    • Lowercase letters

    • Digits

    • Punctuation marks

    • Keyboard characters not included in the other four sets—such as the percent sign (%) and the ampersand (&)

  • Authentication requirements. All passwords and keys used to authenticate peers must contain at least 10 characters, and in some cases the number of characters must match the digest size.

  • Password encryption. To change the default encryption method (SHA512), include the format statement at the [edit system login password] hierarchy level.

Guidelines for strong passwords. Strong, reusable passwords can be based on letters from a favorite phrase or word and then concatenated with other unrelated words, along with added digits and punctuation. In general, a strong password is:

  • Easy to remember so that users are not tempted to write it down.

  • Made up of mixed alphanumeric characters and punctuation. For FIPS compliance include at least one change of case, one or more digits, and one or more punctuation marks.

  • Changed periodically.

  • Not divulged to anyone.

Characteristics of weak passwords. Do not use the following weak passwords:

  • Words that might be found in, or exist as a permuted form in, system files such as /etc/passwd.

  • The hostname of the system (always a first guess).

  • Any word or phrase that appears in a dictionary or other well-known source, including dictionaries and thesauruses in languages other than English; works by classical or popular writers; or common words and phrases from sports, sayings, movies or television shows.

  • Permutations on any of the above—for example, a dictionary word with letters replaced with digits (r00t) or with digits added to the end.

  • Any machine-generated password. Algorithms reduce the search space of password-guessing programs and so must not be used.

Downloading Software Packages from Juniper Networks

For the MX104 router, download the following packages from the Juniper Networks website:

  • jinstall-ppc-19.1R2.8-signed.tgz

  • fips-mode-powerpc-19.1R2.8-signed.tgz

  • jpfe-fips-powerpc-19.1R2.8-signed.tgz

Before you begin to download the software, ensure that you have a Juniper Networks Web account and a valid support contract. To obtain an account, complete the registration form at the Juniper Networks website: https://userregistration.juniper.net/entitlement/setupAccountInfo.do.

To download software packages from Juniper Networks:

  1. Using a Web browser, follow the links to the download URL on the Juniper Networks webpage.

    https://support.juniper.net/support/downloads/

  2. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.
  3. Download the software. See Downloading Software

Installing Software on a Device

You can use this procedure to upgrade Junos OS on a device with a single Routing Engine.

To install software upgrades on a device with a single Routing Engine:

  1. Download the software package as described in Downloading Software Packages from Juniper Networks.
  2. If you have not already done so, connect to the console port on the device from your management device, and log in to the Junos OS CLI.
  3. (Optional) Back up the current software configuration to a second storage option. See the Junos OS Installation and Upgrade Guide for instructions on performing this task.
  4. (Optional) Copy the software package to the device.

    This step is optional because Junos OS can also be upgraded when the software image is stored at a remote location. These instructions describe the software upgrade process for both scenarios.

  5. Install the new Junos OS image on the device with the request system software add package command:

    Replace package with one of the following paths:

    Note

    Trusted update with delayed activation is not supported by the TOE (Target of Evaluation).

    • For a software package in a local directory on the device, use /var/tmp/package.tgz.

    • For a software package on a remote server, use one of the following paths, replacing package with the software package name—for example, jinstall-ppc-19.1R2.8-signed.tgz.

      • ftp://hostname/pathname/package.tgz

      • http://hostname/pathname/package.tgz

  6. Reboot the device to load the installation:
  7. After the router comes up running the 19.1R2 build, copy and install the fips-mode and jpfe-fips packages with the request system software add fips-mode-powerpc-19.1R2.8-signed.tgz and request system software add jpfe-fips-powerpc-19.1R2.8-signed.tgz commands. Verify that the packages are installed with the show version command.
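The installation steps above as one console session, added here as an example and not taken from the page or from Juniper. It copies the packages onto the device over SSH with the file copy scp:// form (a Junos file copy URL form assumed here rather than shown on the page) instead of the ftp or http paths, because those carry the image in clear text; mgmt-host, admin and /images/ are placeholders. Lines beginning with # are annotations, not commands.

```junos
# step 4: copy the package to /var/tmp over SSH (placeholders: admin, mgmt-host, /images/)
user@host> file copy scp://admin@mgmt-host/images/jinstall-ppc-19.1R2.8-signed.tgz /var/tmp/
user@host> file list /var/tmp/ detail
# steps 5-6: install from the local path, then reboot into the new image
user@host> request system software add /var/tmp/jinstall-ppc-19.1R2.8-signed.tgz
user@host> request system reboot
# after the reboot, log back in on the console and confirm the 19.1R2 build is running
user@host> show version
# step 7: add the two FIPS packages and confirm that show version lists them
user@host> file copy scp://admin@mgmt-host/images/fips-mode-powerpc-19.1R2.8-signed.tgz /var/tmp/
user@host> file copy scp://admin@mgmt-host/images/jpfe-fips-powerpc-19.1R2.8-signed.tgz /var/tmp/
user@host> request system software add /var/tmp/fips-mode-powerpc-19.1R2.8-signed.tgz
user@host> request system software add /var/tmp/jpfe-fips-powerpc-19.1R2.8-signed.tgz
user@host> show version | match fips
```

The remote forms the page allows (ftp://hostname/pathname/package.tgz and http://hostname/pathname/package.tgz) can be given to request system software add directly, but they fetch the image over a clear-text protocol; the package names indicate signed packages, and copying over SSH keeps the image from being exposed in transit as well.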

Understanding Zeroization to Clear System Data

Zeroization completely erases all configuration information on the Routing Engines, including all plain-text passwords, secrets, and private keys for SSH, local encryption, and local authentication.

The Security Administrator initiates the zeroization process on MX104 devices by entering the request system zeroize operational command from the CLI after enabling FIPS mode. Use of this command is restricted to the Security Administrator. (To zeroize the system before enabling FIPS mode, use the same request system zeroize command to completely wipe out older CSPs and scrub memory.)

With regard to cryptographic key destruction, the TOE does not support delayed key destruction.

Caution

Perform system zeroization with care. After the zeroization process is complete, no data is left on the Routing Engine. The device is returned to the factory default state, without any configured users or configuration files.

Zeroization can be time-consuming. Although all configurations are removed in a few seconds, the zeroization process goes on to overwrite all media, which can take considerable time depending on the size of the media.

Why Zeroize?

Your device is not considered a valid FIPS cryptographic module until all critical security parameters (CSPs) have been entered—or reentered—while the device is in FIPS mode.

For FIPS 140-2 compliance, you must zeroize the system to remove sensitive information before disabling FIPS mode on the device.

When to Zeroize?

As Security Administrator, perform zeroization in the following situations:

  • Before enabling FIPS mode of operation: To prepare your device for operation as a FIPS cryptographic module, perform zeroization before enabling FIPS mode and before FIPS operation.

  • Before disabling FIPS mode of operation: To begin repurposing your device for non-FIPS operation, perform zeroization before disabling FIPS mode on the device.

    Note

    Juniper Networks does not support installing non-FIPS software in a FIPS environment, but doing so might be necessary in certain test environments. Be sure to zeroize the system first.

Zeroizing the System

As Security Administrator, you run the request system zeroize command to remove all user-created files from a device and replace the user data with zeros. This command completely erases all configuration information on the Routing Engines, including all rollback configuration files and plain-text passwords, secrets, and private keys for SSH, local encryption, local authentication, and IPsec.

Note

Zeroization is required on the MX104 device before you upgrade to Junos OS in FIPS mode.

To zeroize your device:

  1. From the CLI, enter the request system zeroize command.
  2. To initiate the zeroization process, type yes at the prompt:

    The entire operation can take considerable time depending on the size of the media, but all critical security parameters (CSPs) are removed within a few seconds. The physical environment must remain secure until the zeroization process is complete.

Enabling FIPS Mode

As Security Administrator, you must establish a root password conforming to the FIPS password requirements in Understanding Password Specifications and Guidelines for Junos OS. When you enable FIPS mode in Junos OS on the device, you cannot configure passwords unless they meet this standard.

Local passwords are encrypted with the secure hash algorithm SHA256 or SHA512. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the correct root password.

To enable FIPS mode in Junos OS on the device:

  1. Zeroize the device to delete all CSPs before entering FIPS mode. Refer to Understanding Zeroization to Clear System Data section for details.
  2. After the device comes up in Amnesiac mode, log in with the username root and a blank password.
  3. Configure root authentication with a password of at least 10 characters.
  4. Load the configuration onto the device and commit it. Configure the security-administrator user and log in with the security-administrator credentials.
  5. Install the fips-mode package, which is needed for the Routing Engine Known Answer Tests (KATs).
  6. Install the jpfe-fips package, which is needed for the MS-MIC Known Answer Tests (KATs).
  7. Configure the chassis as the FIPS boundary by entering set system fips chassis level 1 and committing.

    The device might display the warning Encrypted-password must be re-configured to use FIPS compliant hash, which means that the loaded configuration still contains CSPs (password hashes) created with a non-FIPS algorithm; delete and reconfigure them.

  8. After the CSPs are deleted and reconfigured, the commit succeeds, and the device must be rebooted to enter FIPS mode.
  9. After the reboot, the FIPS self-tests run and the device enters FIPS mode.
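Steps 1 through 9 as a single console session, added here as an example that is not from the page or from Juniper. Assumptions: the zeroize confirmation prompt, the Amnesiac login banner, the root shell prompt and the :fips prompt suffix are written from memory of Junos and may differ by release; the baseline configuration is pasted at the console with load merge terminal, so the device need not be on the network; the two FIPS packages are assumed to be present in /var/tmp; fips-user1 stands for any user in the loaded configuration whose password hash the commit flags. Lines beginning with # are annotations, not commands.

```junos
# step 1: zeroize, confirm with yes; the device reboots without configuration (Amnesiac mode)
user@host> request system zeroize
Erase all data, including configuration and log files? [yes,no] (no) yes
# step 2: on the console, log in as root with an empty password and start the CLI
Amnesiac (ttyu0)
login: root
root@% cli
root> configure
# step 3: root password, 10 to 20 characters from at least three of the five character sets
root# set system root-authentication plain-text-password
New password:
Retype new password:
# step 4: paste the prepared baseline configuration (end with Ctrl-D), add the Security
#         Administrator, check for services that FIPS mode rejects, then commit
root# load merge terminal
[Type ^D at a new line to end input]
...
root# set system login user security-administrator uid 6400 class super-user
root# set system login user security-administrator authentication plain-text-password
New password:
Retype new password:
root# show system services | match "finger|ftp|rlogin|telnet|tftp|xnm-clear-text"
root# commit and-quit
root> exit
# log back in as security-administrator for the remaining steps
# steps 5-6: install the Routing Engine and MS-MIC KAT packages (assumed to be in /var/tmp)
security-administrator@host> request system software add /var/tmp/fips-mode-powerpc-19.1R2.8-signed.tgz
security-administrator@host> request system software add /var/tmp/jpfe-fips-powerpc-19.1R2.8-signed.tgz
security-administrator@host> show version | match fips
# step 7: declare the chassis as the FIPS boundary and commit
security-administrator@host> configure
security-administrator@host# set system fips chassis level 1
security-administrator@host# commit
# if the commit reports "Encrypted-password must be re-configured to use FIPS compliant hash",
# a hash in the loaded configuration was made with a non-FIPS algorithm: delete it, set the
# password again (hashed with the SHA512 default), and commit again; fips-user1 is a placeholder
security-administrator@host# delete system login user fips-user1 authentication
security-administrator@host# set system login user fips-user1 authentication plain-text-password
New password:
Retype new password:
security-administrator@host# commit and-quit
# steps 8-9: reboot; the self-tests run, and the prompt carries a :fips suffix once FIPS mode is active
security-administrator@host> request system reboot
```

The match line in step 4 must return nothing before the commit; if it lists a service, delete that statement first, because the commit would otherwise fail with a syntax error as described under Software Environment for Junos OS in FIPS Mode.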

Configuring Security Administrator and FIPS User Identification and Access

Security Administrators and FIPS users perform all configuration tasks for Junos OS in FIPS mode and issue all Junos OS in FIPS mode statements and commands. Security Administrator and FIPS user configurations must follow Junos OS in FIPS mode guidelines.

Configuring Security Administrator Access

Junos OS in FIPS mode offers a finer granularity of user permissions than those mandated by FIPS 140-2.

For FIPS 140-2 compliance, any FIPS user with the secret, security, maintenance, and control permission bits set is a Security Administrator. In most cases the super-user class suffices for the Security Administrator.

To configure login access for a Security Administrator:

  1. Log in to the device with the root password if you have not already done so, and enter configuration mode:
  2. Name the user security-administrator and assign the Security Administrator a user ID (for example, 6400, which must be a unique number associated with the login account in the range of 100 through 64000) and a class (for example, super-user). When you assign the class, you assign the permissions—for example, secret, security, maintenance, and control.

    For a list of permissions, see Understanding Junos OS Access Privilege Levels.

    For example:

  3. Following the guidelines in Understanding Password Specifications and Guidelines for Junos OS, assign the Security Administrator a plain-text password for login authentication. Set the password by typing a password after the prompts New password and Retype new password.

    For example:

  4. Optionally, display the configuration:
  5. If you are finished configuring the device, commit the configuration and exit:

Configuring FIPS User Login Access

A fips-user is defined as any FIPS user that does not have the secret, security, maintenance, and control permission bits set.

As the Security Administrator you set up FIPS users. FIPS users cannot be granted permissions normally reserved for the Security Administrator—for example, permission to zeroize the system.

To configure login access for a FIPS user:

  1. Log in to the device with your Security Administrator password if you have not already done so, and enter configuration mode:
  2. Give the user a username, and assign the user a user ID (for example, 6401, which must be a unique number in the range of 100 through 64000) and a class. When you assign the class, you assign the permissions, for example clear, network, reset, view, and view-configuration.

    For a list of permissions, see Understanding Junos OS Access Privilege Levels.

    For example:

  3. Following the guidelines in Understanding Password Specifications and Guidelines for Junos OS, assign the FIPS user a plain-text password for login authentication. Set the password by typing a password after the prompts New password and Retype new password.

    For example:

  4. Optionally, display the configuration:
  5. If you are finished configuring the device, commit the configuration and exit:
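The two procedures above (Configuring Security Administrator Access and Configuring FIPS User Login Access), together with the password rules from Understanding Password Specifications and Guidelines for Junos OS, as one configuration session. This is an added example, not configuration from the page or from Juniper. Assumptions: the password-policy and retry-options statement names (minimum-length, change-type character-sets, minimum-changes, tries-before-disconnect, lockout-period) are Junos statements chosen here to mirror the page's rules rather than taken from it; the class name security-admin follows the page, and the permission all is used because it includes the four bits (secret, security, maintenance, control) that define a Security Administrator; fips-user1 is a placeholder username. Lines beginning with # are annotations, not commands.

```junos
[edit]
# password policy mirroring the FIPS specification: SHA512 hashes, 10 characters minimum,
# at least three character sets (statement names assumed, see lead-in)
user@host# set system login password format sha512
user@host# set system login password minimum-length 10
user@host# set system login password change-type character-sets
user@host# set system login password minimum-changes 3
# authentication failure parameters the Security Administrator owns (statement names assumed)
user@host# set system login retry-options tries-before-disconnect 3
user@host# set system login retry-options lockout-period 10
# Security Administrator: a named class carrying secret, security, maintenance and control
# ("all" includes them); equivalent to super-user, which the page says suffices
user@host# set system login class security-admin permissions all
user@host# set system login user security-administrator uid 6400 class security-admin
user@host# set system login user security-administrator authentication plain-text-password
New password:
Retype new password:
# FIPS user: a class with none of the four bits, so no zeroize, reboot or configuration change
user@host# set system login class fips-user permissions [ clear network reset view view-configuration ]
user@host# set system login user fips-user1 uid 6401 class fips-user
user@host# set system login user fips-user1 authentication plain-text-password
New password:
Retype new password:
# review, validate, commit
user@host# show system login
user@host# commit check
user@host# commit and-quit
```

After logging in as each account, show cli authorization lists that session's class and permissions: the security-administrator entry must include secret, security, maintenance and control, and the fips-user1 entry must include none of them. An account locked by the retry-options policy is re-enabled by the Security Administrator (responsibility 3 in the roles list) with clear system login lockout user fips-user1.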