Understanding Junos OS in FIPS Mode
Federal Information Processing Standards (FIPS) 140-2 defines security levels for hardware and software that perform cryptographic functions. By meeting the applicable overall requirements within the FIPS standard, the Juniper Networks RE-1800 Routing Engine on Juniper Networks MX Series 3D Universal Edge Routers running the Juniper Networks Junos operating system (Junos OS) in FIPS mode complies with the FIPS 140-2 Level 1 standard.
For regulatory compliance information about FIPS for Juniper Networks products, see the Juniper Networks Compliance Advisor.
About the Cryptographic Boundary on Your Router
FIPS 140-2 compliance requires a defined cryptographic boundary around each cryptographic module on a router. Junos OS in FIPS mode prevents the cryptographic module from executing any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic boundary of the module in unencrypted format.
Virtual Chassis features are not supported in FIPS mode—they have not been tested by Juniper Networks. Do not configure a Virtual Chassis in FIPS mode.
How FIPS Mode Differs from Non-FIPS Mode
Unlike Junos OS in non-FIPS mode, Junos OS in FIPS mode is a nonmodifiable operational environment. In addition, Junos OS in FIPS mode differs in the following ways from Junos OS in non-FIPS mode:
Self-tests of all cryptographic algorithms are performed at startup.
Self-tests of random number and key generation are performed continuously.
Weak cryptographic algorithms such as Data Encryption Standard (DES) and MD5 are disabled.
Weak or unencrypted management connections must not be configured.
Passwords must be encrypted with strong one-way algorithms that do not permit decryption.
Administrator passwords must be at least 10 characters long.
For specific configuration limitations and restrictions, see Understanding Configuration Limitations and Restrictions on Junos OS in FIPS Mode.
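The restrictions listed above can be checked before a router is placed in FIPS mode. The following Python script is an added example, not Juniper Networks code: it scans configuration text in set format (as produced by show configuration | display set) for statements that conflict with the list, flagging only what this page names (unencrypted management services, DES, MD5, and a minimum password length below 10). The statement patterns chosen and the sample configuration are assumptions constructed for illustration.

```python
import re

# Added example. Patterns use standard Junos OS "set"-format statements; the
# exact statements a release rejects in FIPS mode are not listed on this page.
RULES = [
    ("unencrypted management service", re.compile(
        r"^set system services (telnet|ftp|finger|rlogin|web-management http)\b")),
    ("weak algorithm (DES or MD5)",
     re.compile(r"\b(authentication-algorithm md5|encryption-algorithm des-cbc"
                r"|authentication-md5|privacy-des)\b")),
    ("MD5-crypt password hash",
     re.compile(r'encrypted-password "\$1\$')),
]
MIN_LEN = re.compile(r"^set system login password minimum-length (\d+)$")
REQUIRED_MIN_LENGTH = 10  # from the page: administrator passwords, 10+ characters


def audit(config_text):
    """Return (line_number, finding, statement) for each conflicting statement."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("set "):
            continue  # ignore blanks, comments and non-"set" lines
        for label, pattern in RULES:
            if pattern.search(line):
                findings.append((number, label, line))
                break
        match = MIN_LEN.match(line)
        if match and int(match.group(1)) < REQUIRED_MIN_LENGTH:
            findings.append((number, "minimum password length below 10", line))
    return findings


# Constructed sample (not from a real device); hashes and keys are placeholders.
SAMPLE_CONFIG = """\
set system services ssh protocol-version v2
set system services telnet
set system services web-management https system-generated-certificate
set system login password minimum-length 8
set system login user admin authentication encrypted-password "$1$PLACEHOLDER"
set services ipsec-vpn ike proposal p1 authentication-algorithm md5
set services ipsec-vpn ike proposal p1 encryption-algorithm 3des-cbc
set snmp v3 usm local-engine user mon privacy-des privacy-key "PLACEHOLDER"
"""

if __name__ == "__main__":
    for number, label, line in audit(SAMPLE_CONFIG):
        print(f"line {number}: {label}: {line}")
```

A clean result from this script only means none of the listed patterns matched; the authoritative list of restricted statements is the configuration limitations topic referenced above.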
Validated Version of Junos OS in FIPS Mode
To determine whether a Junos OS release is NIST-validated, see the compliance page on the Juniper Networks Web site (https://apps.juniper.net/compliance).
Supported Platforms and Hardware
For the features described in this document, the following hardware components are used for FIPS certification.
Routing Engine: RE-S-1800X4 on MX240, MX480, and MX960 devices (RE-S-1800x4 Routing Engine Description)
Routing Engine: RE-MX2000-1800X4 on MX2010 and MX2020 devices (RE-MX2000-1800X4 Routing Engine Description; RE-MX2000-1800x4 CB-RE Description)
Crypto line card: MS-MPC on MX240, MX480, MX960, MX2010, and MX2020 devices (Multiservices MPC)
Non-crypto line card: MIC-3D-20GE-SFP on MX240, MX480, MX960, MX2010, and MX2020 devices (Gigabit Ethernet MIC with SFP)