Applying Tamper-Evident Seals to the Cryptographic Module

 

The cryptographic module's physical embodiment is that of a multi-chip standalone device that meets Level 2 physical security requirements. The module is completely enclosed in a rectangular nickel or clear zinc coated, cold rolled steel, plated steel, and brushed aluminum enclosure. There are no ventilation holes, gaps, slits, cracks, slots, or crevices that would allow for any sort of observation of any component contained within the cryptographic boundary. Tamper-evident seals allow the operator to verify whether the enclosure has been breached. These seals are not factory-installed and must be applied by the Cryptographic Officer.

Note

Seals are available for order from Juniper Networks using part number JNPR-FIPS-TAMPER-LBLS.

As a Cryptographic Officer, you are responsible for:

  • Applying seals to secure the cryptographic module

  • Controlling any unused seals

  • Controlling and observing any changes to the cryptographic module, such as repairs or booting from an external USB drive, that require removing or replacing the seals, to maintain the security of the module

As per the security inspection guidelines, upon receipt of the cryptographic module, the Cryptographic Officer must check that the labels are free of any tamper evidence.

General Tamper-Evident Seal Instructions

All FIPS-certified switches require a tamper-evident seal on the USB ports. While applying seals, follow these general instructions:

  • Handle the seals with care. Do not touch the adhesive side. Do not cut or otherwise resize a seal to make it fit.

  • Make sure all surfaces to which the seals are applied are clean and dry and clear of any residue.

  • Apply the seals with firm pressure across the seal to ensure adhesion. Allow at least 1 hour for the adhesive to cure.

The following sections describe the tamper-evident seal application method for all the SRX Series devices.

SRX100 and SRX110 Device Tamper-Evident Seal Application

On SRX100 and SRX110 devices, apply one tamper-evident seal on top of the chassis, covering one of the chassis screws.

SRX210 Device Tamper-Evident Seal Application

On SRX210 devices, apply three tamper-evident seals at the following locations:

  • The top of the chassis, covering one of the chassis screws.

  • The I/O slot - Two seals, horizontally across the right and left edges of the interface card or cover plate.

SRX220 Device Tamper-Evident Seal Application

On SRX220 devices, apply five tamper-evident seals at the following locations:

  • Front pane:

  • Apply one seal horizontally across the left edge of the leftmost installed interface card or cover plate.

  • Apply one seal horizontally across the right edge of the leftmost installed interface card or cover plate, and extending on to the edge of the rightmost installed interface card or cover plate.

  • Apply one seal vertically across both the rightmost installed interface card or cover plate and the CompactFlash card slot below it, extending on to the top and bottom of the chassis.

  • Apply one seal on the left and right sides of the module. Apply the seals starting from the top of the device and extending to the bottom of the chassis.

SRX240 Device Tamper-Evident Seal Application

On SRX240 devices, apply eight tamper-evident seals at the following locations:

  • On the front of the module, apply one seal vertically across each of the installed interface cards, or slot cover plates, extending on to the top and bottom of the chassis of the module.

  • Apply one seal on the left and right sides of the module, extending from the top of the chassis to the bottom.

SRX550 Device Tamper-Evident Seal Application

On SRX550 devices, apply 19 tamper-evident seals at the following locations:

  • Front pane:

  • Apply four seals horizontally across the corner between the front plate and the right side. Three of the seals should be directly below the extending screws. The fourth seal should be near the top of the screws.

  • Apply one seal vertically, immediately to the left of the lower three seals previously mentioned. This seal should cover all three of the subplates and reach around to the bottom plate as well.

  • Apply one seal vertically, immediately to the left of RJ-45 jacks 16 and 17. Position the seal so that it sticks to the subplate containing the two RJ-45 jacks, to the subplate immediately below the jacks, and to the top plate as well.

  • Apply one seal vertically, to the right of and beneath (adjacent corner) RJ-45 jack 15. Position the seal so that it sticks to the subplate containing jack 15, to the two subplates below the jack, and to the bottom plate as well.

  • Apply one seal horizontally, attached to the two subplates directly below the subplate containing RJ-45 jacks 0-15.

  • Apply one seal vertically, attaching it below RJ-45 jacks 0 - 3. Position the seal between jacks 4 and 5. Make sure the seal sticks to the subplate for jacks 0 - 3, as well as to the two subplates below.

  • Apply one seal horizontally, touching corners with RJ-45 jack 1. Position the seal so that it sticks to the jack 1 subplate and to the subplate to the left. Be careful not to interfere with the jack below and to the left of the CONSOLE USB-MiniB receptacle.

  • Apply one seal horizontally, directly above the RJ-45 jack to the left of the CONSOLE USB-MiniB receptacle. Position the seal so that it sticks to the jack 1 subplate and to the subplate to the left.

  • On the right side of the module, apply four seals horizontally to the far-left side of the plate located on the right.

  • Apply one seal vertically on the far right side of the module. Position the seal so that it extends downward and sticks to the bottom plate.

  • Apply one seal vertically on the left side of the module. Position the seal in the middle, ensuring that it extends downward and sticks to the bottom plate.

  • Rear pane:

  • Apply two seals vertically, placing one on the subplate holding the power input and the other above the input. Each seal should extend to the vertically adjacent plate (so both seals touch both plates) and to the top (upper seal) and bottom (lower seal) plates.

  • Apply two seals vertically, placing one on the black subplate and the second on the small silver subplate. The second seal should extend to touch the black subplate as well. Both seals should touch either the black subplate or the silver subplate.

  • Apply two seals vertically, on the far-right subplate. Position the seals so that one sticks to the top subplate and the other sticks to the bottom subplate.

Note

The IOCs on the SRX550 device are considered non-security relevant and are excluded from the requirements of FIPS 140-2. They do not perform cryptography and a malfunction cannot cause other components to malfunction, disclose CSPs, or output plaintext data.

SRX650 Device Tamper-Evident Seal Application

The IOCs on the SRX650 device are considered non-security relevant and are excluded from the requirements of FIPS 140-2. They do not perform cryptography, and a malfunction cannot cause other components to malfunction, disclose CSPs, or output plaintext data.

On SRX650 devices, apply 19 tamper-evident seals at the following locations:

  • Front Pane:

  • Apply two seals vertically across the center part of each of the installed interface cards (or slot cover plates) numbered 1 through 4, extending to the top and bottom of the chassis of the module.

  • Apply two seals vertically across the center part of each of the installed interface cards (or slot cover plates) numbered 5 through 8, extending to the top and bottom of the chassis of the module.

  • Apply one seal vertically, across the left edge of the slot covers marked 3 and 4, extending from the bottom of the chassis to the bottom of the slot cover marked 2.

  • Apply four seals horizontally, across the right edge of the slot covers marked 5 - 8, extending on to the right side of the chassis.

  • Apply two seals horizontally, across the right edge of the slot covers marked 1 and 2, extending to the left front face of the chassis.

  • Apply two seals, one on the left side of the module and one on the right side. Position the seals so that they extend from the side of the chassis to the bottom.

  • Back Pane:

  • Apply two seals vertically across the central part of each of the installed interface cards (or slot cover plates), extending to the top and bottom of the chassis of the module.

  • Apply two seals vertically across each of the installed power supplies or cover plates, extending to the top and bottom of the chassis of the module.

  • Apply two seals vertically across the air filter cover plate, extending to the top and bottom of the chassis of the module.

SRX1400 Device Tamper-Evident Seal Application

On SRX1400 devices, apply 16 tamper-evident seals at the following locations:

  • Front Pane:

  • Apply four seals horizontally, connecting to the far left subpane and one of the three adjacent subpanes. The bottom two subpanes must have one seal each, while the top one should have two.

  • Apply one seal vertically, spanning the three subpanes adjacent to the far-left sub-pane. Position it about 1 cm to the left of the nearby RJ-45 jack (labelled “AUX”).

  • Apply one seal vertically, around 3-5 cm to the left of the power input. The seal should wrap around and stick to the bottom pane.

  • Apply one seal vertically on the top sub-pane. The seal should be in the vicinity of the “CONSOLE” RJ-45 jack, and extend to the middle-right sub-pane and the top pane.

  • Apply one seal horizontally, sticking to both middle panes (the ones with RJ-45 jacks).

  • Apply two seals vertically on the two bottom-right sub-panes. One should be immediately to the right of the power input, and the other laid across the blank far-right-bottom sub-pane. Both should stick to the bottom pane.

  • Apply three seals horizontally. Two stick to the top-right sub-pane, the other to the middle-right sub-pane. All three should wrap around and stick to the right of the module.

  • On the right side of the module, ensure there are three seals wrapping around from the front of the module.

  • Rear Pane:

  • Apply two seals vertically, above and below the screw-hole toward the right side of the module. The upper one should touch the top pane; the lower one should touch the bottom pane.

  • No seals needed on the left side of the module.

SRX3400 Device Tamper-Evident Seal Application

On SRX3400 devices, apply 16 tamper-evident seals at the following locations:

SRX3600 Device Tamper-Evident Seal Application

On SRX3600 devices, apply 13 tamper-evident seals at the following locations:

SRX5400 Device Tamper-Evident Seal Application

On SRX5400 devices, apply 13 tamper-evident seals at the following locations:

  • Front Pane:

  • Apply two seals vertically, connecting them to the topmost (non-honeycomb) subpane. Position the seals so that they extend to the thin pane below and the honeycomb panel above.

  • Apply one seal vertically across the thin pane, extending to the blank pane below and the subpane above.

  • Apply three seals vertically, one on each “long” horizontal subpane. Position each seal so that it attaches to the subpane above and the one below (or to the chassis, if it is the bottommost subpane). Ensure that one of the seals extends to the left subpane below the thin subpane.

  • Back Pane:

  • Apply four seals vertically, one on each of the top four subpanes, extending to the large chassis plate below.

  • Apply one seal vertically on the horizontal screwed-in plate that rests on the large central chassis. Position the seal so that it extends to the chassis in both directions.

  • Apply two seals horizontally on the low side of the subpanes. Position the seals so that they extend to the large central chassis area and wrap around to the neighboring side panes.

SRX5600 Device Tamper-Evident Seal Application

On SRX5600 devices, apply 17 tamper-evident seals at the following locations:

  • Front Pane:

  • Apply 11 seals vertically, one for each horizontal subpane (excluding the honeycomb plate on the top and the thin subpane below), one for the top (non-honeycomb) subpane, and one for the bottom. Position the seals so that they attach to vertically adjacent subpanes. Position the bottom seal so that it attaches to the lowermost subpane and wraps around, attaching to the bottom pane. Ensure that one of the seals spans across the thin plate with ample extra distance on each side.

  • Back Pane:

  • Apply four seals vertically, one on each of the top four subpanes, extending to the large chassis plate below.

  • Apply two seals horizontally, one on each of the vertical side subpanes, extending to both the large central plate and the side panes.

SRX5800 Device Tamper-Evident Seal Application

On SRX5800 devices, apply 24 tamper-evident seals at the following locations:

  • Front Pane:

  • Apply two seals vertically, connected to the topmost (non-honeycomb) subpane. Position the seals so that they extend to the thin pane below and the honeycomb panel above.

  • Apply one seal vertically, across the thin pane. Position the seal so that it extends to the blank pane below and the subpane above.

  • Apply three seals vertically, one on each long horizontal subpane. Position each seal so that it attaches to the subpane above and the one below (or to the chassis, if it is the bottommost subpane). Ensure that one of the seals extends to the left subpane below the thin subpane.

  • Back Pane:

  • Apply four seals vertically, one on each of the top four subpanes, extending to the large chassis plate below.

  • Apply one seal vertically on the horizontal screwed-in plate that rests on the large central chassis. Position the seal so that it extends to the chassis in both directions.

  • Apply two seals horizontally. Position them on the low side subpanes, extending to the large central chassis area and wrapping around to the neighboring side panes.