Understanding Roles and Services for Junos OS in FIPS Mode

The Security Administrator is associated with the defined login class “security-admin”, which has the necessary permission set to permit the administrator to perform all tasks necessary to manage Junos OS. Administrative users (Security Administrator) must provide unique identification and authentication data before any administrative access to the system is granted.

Security Administrator roles and responsibilities are as follows:

  1. Administer the system locally and remotely.

  2. Create, modify, and delete administrator accounts, including configuring the authentication failure parameters.

  3. Re-enable an Administrator account.

  4. Configure and maintain the cryptographic elements related to the establishment of secure connections to and from the evaluated product.

The Juniper Networks Junos operating system (Junos OS) running in non-FIPS mode allows a wide range of capabilities for users, and authentication is identity-based.

The Security Administrator performs all FIPS-mode-related configuration tasks and issues all statements and commands for Junos OS in FIPS mode.

Security Administrator Role and Responsibilities

The Security Administrator is the person responsible for enabling, configuring, monitoring, and maintaining Junos OS in FIPS mode on a router. The Security Administrator securely installs Junos OS on the router, enables FIPS mode, establishes keys and passwords for other users and software modules, and initializes the router before network connection.

Best Practice

We recommend that the Security Administrator administer the system in a secure manner by keeping passwords secure and checking audit files.

The permissions that distinguish the Security Administrator from other FIPS users are secret, security, maintenance, and control. For FIPS compliance, assign the Security Administrator to a login class that contains all of these permissions.

Note

Junos OS in FIPS mode does not support the FIPS 140-2 maintenance role, which is different from the Junos OS maintenance permission.

Among the tasks related to Junos OS in FIPS mode, the Security Administrator is expected to:

  • Set the initial root password. The password should be at least 10 characters long.

  • Reset user passwords with FIPS-approved algorithms.

  • Examine log and audit files for events of interest.

  • Erase user-generated files, keys, and data by zeroizing the router.
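The following Junos set statements are an added example, not taken from the Juniper documentation; they show one way to express the account rules above: a login class carrying the four permissions named earlier (secret, security, maintenance, control), a Security Administrator assigned to it, the authentication failure parameters from the responsibilities list, and the 10-character minimum password length. The user names, the predefined read-only class for the non-administrator account, and the retry and lockout values are assumptions.

```junos
## Login class for the Security Administrator: all four distinguishing permissions.
set system login class security-admin permissions [ secret security maintenance control ]

## Security Administrator account (name "secadmin" is assumed); the password is
## entered interactively when this statement is committed.
set system login user secadmin class security-admin
set system login user secadmin authentication plain-text-password

## Ordinary FIPS user (name and class assumed): can view status and configuration
## but has none of the four administrative permissions, so cannot reboot or zeroize.
set system login user fipsuser class read-only
set system login user fipsuser authentication plain-text-password

## Minimum password length recommended above.
set system login password minimum-length 10

## Authentication failure parameters (values assumed): three failed attempts
## end the session, and the account is locked for 10 minutes.
set system login retry-options tries-before-disconnect 3
set system login retry-options lockout-period 10

## Operational commands the Security Administrator uses to check for and clear a
## lockout (the "re-enable an Administrator account" task above).
##   show system login lockout
##   clear system login lockout user secadmin
```

After committing, `show configuration system login` lists the class and users so the permission set can be checked against the four required values before the device is placed in FIPS mode.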

FIPS User Role and Responsibilities

All FIPS users, including the Security Administrator, can view the configuration. Only the user assigned as the Security Administrator can modify the configuration.

A FIPS user can view status output but cannot reboot or zeroize the device.

What Is Expected of All FIPS Users

All FIPS users, including the Security Administrator, must observe security guidelines at all times.

All FIPS users must:

  • Keep all passwords confidential.

  • Store routers and documentation in a secure area.

  • Deploy routers in secure areas.

  • Check audit files periodically.

  • Conform to all other FIPS 140-2 security rules.

  • Follow these guidelines:

    • Users are trusted.

    • Users abide by all security guidelines.

    • Users do not deliberately compromise security.

    • Users behave responsibly at all times.
