Understanding the Common Criteria Evaluated Configuration
This document describes the steps required to duplicate the configuration of the device running Junos OS when the device is evaluated. This is referred to as the evaluated configuration. The following list describes the standards to which the device has been evaluated:
These documents are available at https://www.niap-ccevs.org/Profile/PP.cfm?archived=1.
Junos OS Release 19.1R2 is certified for Common Criteria with FIPS mode enabled on the MX104 device. For regulatory compliance information about Common Criteria and FIPS for Juniper Networks products, see the Juniper Networks Compliance Advisor.
A Target of Evaluation (TOE) is a device or system subjected to evaluation based on a Collaborative Protection Profile (cPP).
Understanding Common Criteria
Common Criteria for information technology is an international agreement signed by several countries that permits the evaluation of security products against a common set of standards. In the Common Criteria Recognition Arrangement (CCRA) at https://www.commoncriteriaportal.org/ccra/, the participants agree to mutually recognize evaluations of products performed in other countries. All evaluations are performed using a common methodology for information technology security evaluation.
For more information on Common Criteria, see https://www.commoncriteriaportal.org/.
Supported Platforms and Hardware
An MX104 device in FIPS mode with the following hardware components is used to qualify NDcPPv2 certification with VPN-EP:
Crypto line card: MS-MIC-16G (https://www.juniper.net/documentation/en_US/release-independent/junos/topics/reference/general/mic-mx-series-ms.html)
Identifying Secure Product Delivery
There are several mechanisms provided in the delivery process to ensure that a customer receives a product that has not been tampered with. The customer should perform the following checks upon receipt of a device to verify the integrity of the platform.
Shipping label—Ensure that the shipping label correctly identifies the customer name and address as well as the device.
Outside packaging—Inspect the outside shipping box and tape. Ensure that the shipping tape has not been cut or otherwise compromised. Ensure that the box has not been cut or damaged to allow access to the device.
Inside packaging—Inspect the plastic bag and seal. Ensure that the bag is not cut or removed. Ensure that the seal remains intact.
If the customer identifies a problem during the inspection, he or she should immediately contact the supplier. Provide the order number, tracking number, and a description of the identified problem to the supplier.
Additionally, there are several checks that can be performed to ensure that the customer has received a box sent by Juniper Networks and not a different company masquerading as Juniper Networks. The customer should perform the following checks upon receipt of a device to verify the authenticity of the device:
Verify that the device was ordered using a purchase order. Juniper Networks devices are never shipped without a purchase order.
When a device is shipped, a shipment notification is sent to the e-mail address provided by the customer when the order is taken. Verify that this e-mail notification was received. Verify that the e-mail contains the following information:
Purchase order number
Juniper Networks order number used to track the shipment
Carrier tracking number used to track the shipment
List of items shipped including serial numbers
Address and contacts of both the supplier and the customer
Verify that the shipment was initiated by Juniper Networks. To verify that a shipment was initiated by Juniper Networks, you should perform the following tasks:
Compare the carrier tracking number of the Juniper Networks order number listed in the Juniper Networks shipping notification with the tracking number on the package received.
Log on to the Juniper Networks online customer support portal at https://support.juniper.net/support/ to view the order status. Compare the carrier tracking number or the Juniper Networks order number listed in the Juniper Networks shipment notification with the tracking number on the package received.
Understanding Management Interfaces
The following management interfaces can be used in the evaluated configuration:
Local Management Interfaces—The RJ-45 console port on the front panel of a device is configured as RS-232 data terminal equipment (DTE). You can use the command-line interface (CLI) over this port to configure the device from a terminal.
Remote Management Protocols—The device can be remotely managed over any Ethernet interface. SSHv2 is the only permitted remote management protocol that can be used in the evaluated configuration. The remote management protocols J-Web and Telnet are not available for use on the device.
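The following check is an added example, not part of the Juniper documentation: it audits the output of "show configuration | display set" for remote management services outside the evaluated configuration described above. The function name and the sample configuration lines are constructed for illustration, and an SSH stanza that sets no protocol-version is not judged.

```python
# Services the page lists as not available in the evaluated configuration,
# keyed by their statement name under "system services".
FORBIDDEN = {"telnet": "Telnet", "web-management": "J-Web"}


def audit_mgmt_services(display_set):
    """Return findings for active remote-management statements that fall
    outside the evaluated configuration (SSHv2 only)."""
    stmts, inactive = [], []
    for line in display_set.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "deactivate":
            # A deactivated path disables every statement beneath it.
            inactive.append(tok[1:])
        elif tok[0] == "set" and tok[1:3] == ["system", "services"] and len(tok) >= 4:
            stmts.append(tok[1:])

    def is_active(path):
        return not any(path[:len(p)] == p for p in inactive)

    findings = []
    for path in filter(is_active, stmts):
        service = path[2]
        if service in FORBIDDEN:
            msg = f"{FORBIDDEN[service]} is enabled (system services {service})"
        elif service == "ssh" and "protocol-version" in path[:-1]:
            version = path[path.index("protocol-version") + 1]
            if version == "v2":
                continue
            msg = f"SSH protocol-version {version} is configured; only SSHv2 is permitted"
        else:
            continue
        if msg not in findings:  # report each problem once
            findings.append(msg)
    return findings


# Constructed sample: Telnet is present but deactivated, J-Web is active.
SAMPLE = """\
set system host-name mx104-lab
set system services ssh protocol-version v2
set system services telnet connection-limit 5
deactivate system services telnet
set system services web-management https system-generated-certificate
"""

if __name__ == "__main__":
    for finding in audit_mgmt_services(SAMPLE):
        print("FINDING:", finding)
```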