Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Understanding Network Director in FIPS Mode

 

Federal Information Processing Standards (FIPS) 140-2 defines security levels for hardware and software that perform cryptographic functions. By meeting the applicable overall requirements within the FIPS standard, Network Director complies with the FIPS 140-2 Level 1 standard.

Operating Network Director in a FIPS 140-2 Level 1 environment requires enabling FIPS mode in Junos Space. If FIPS mode is enabled in Junos Space, then Network Director automatically supports FIPS mode.

For regulatory compliance information about FIPS for Juniper Networks products, see the Juniper Networks Compliance Advisor.

About the Cryptographic Boundary on Network Director

FIPS 140-2 compliance requires a defined cryptographic boundary around each cryptographic module on a device. Junos Space in FIPS mode prevents the cryptographic module from executing any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic boundary of the module by, for example, being displayed on a console or written to an external log file.

Cryptographic boundary is determined by different configurations. For example, you can configure Junos Space with Network Director or Junos Space with Security Director and Network Director.

How FIPS Mode Differs from Non-FIPS Mode

Unlike Junos Space Network Director in non-FIPS mode, Junos Space Network Director in FIPS mode is a non-modifiable operational environment. In addition, Junos Space Network Director in FIPS mode differs in the following ways from Junos Space in non-FIPS mode:

  • Self-tests of all cryptographic algorithms are performed at Junos Space startup.

  • Self-tests of random number and key generation are performed continuously.

  • Weak cryptographic algorithms such as Data Encryption Standard (DES) and Message Digest 5 (MD5) are disabled.

  • Weak or unencrypted management connections must not be configured.

  • Passwords must be encrypted with strong one-way algorithms that do not permit decryption.

  • Administrator passwords must be at least 10 characters.

Validated Version of Network Director in FIPS Mode

To determine whether a Junos OS release is FIPS 140-2 1 or FIPS 140-3 1 certified, see the compliance page on the Juniper Networks Web site (https://apps.juniper.net/compliance/fips.html).