Understanding Junos OS in FIPS Mode
Federal Information Processing Standards (FIPS) 140-2 defines security levels for hardware and software that perform cryptographic functions. By meeting the applicable overall requirements within the FIPS standard, the Juniper Networks NFX150 device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode comply with the FIPS 140-2 Level 1 standard.
Operating NFX Series in a FIPS 140-2 Level 1 environment requires enabling and configuring FIPS mode on the NFX150 device from the Junos OS command-line interface (CLI).
The Crypto Officer enables FIPS mode and sets up keys and passwords for the system and other FIPS users who can view the configuration.
About the Cryptographic Boundary on Your Device
FIPS 140-2 compliance requires a defined cryptographic boundary around each cryptographic module on NFX150 device. Junos OS in FIPS mode prevents the cryptographic module from executing any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic boundary of the module by, for example, being displayed on a console or written to an external log file.
How FIPS Mode Differs from Non-FIPS Mode
Unlike Junos OS in non-FIPS mode, Junos OS in FIPS mode is a non-modifiable operational environment. In addition, Junos OS in FIPS mode differs in the following ways from Junos OS in non-FIPS mode:
Self-tests of all cryptographic algorithms are performed at startup.
Self-tests of random number and key generation are performed continuously.
Weak cryptographic algorithms such as Data Encryption Standard (DES) and MD5 are disabled.
Weak or unencrypted management connections must not be configured.
Passwords must be encrypted with strong one-way algorithms that do not permit decryption.
Administrator passwords must be at least 10 characters long.
Validated Version of Junos OS in FIPS Mode
To determine whether a Junos OS release is NIST-validated, see the compliance advisor page on the Juniper Networks Web site (https://apps.juniper.net/compliance/).