Applying Tamper-Evident Seals to the Cryptographic Module
The cryptographic modules physical embodiment is that of a multi-chip standalone device that meets Level 2 physical security requirements. The module is completely enclosed in a rectangular nickel dor clear zinc coated, cold rolled steel, plated steel, and brushed aluminum enclosure. There are no ventilation holes, gaps, slits, cracks, slots, or crevices that would allow for any sort of observation of any component contained within the cryptographic boundary. Tamper-evident seals allow the operator to verify if the enclosure has been breached. These seals are not factory-installed and must be applied by the Cryptographic Officer.
Seals are available for order from Juniper Networks using part number JNPR-FIPS-TAMPER-LBLS.
As a Cryptographic Officer, you are responsible for:
Applying seals to secure the cryptographic module
Controlling any unused seals
Controlling and observing any changes, such as repairs or booting from an external USB drive to the cryptographic module, that require removing or replacing the seals to maintain the security of the module
As per the security inspection guidelines, upon receipt of the cryptographic module, the Cryptographic Officer must check that the labels are free of any tamper evidence.
General Tamper-Evident Seal Instructions
All FIPS-certified switches require a tamper-evident seal on the USB ports. While applying seals, follow these general instructions:
Handle the seals with care. Do not touch the adhesive side. Do not cut or otherwise resize a seal to make it fit.
Make sure all surfaces to which the seals are applied are clean and dry and clear of any residue.
Apply the seals with firm pressure across the seal to ensure adhesion. Allow at least 24 hours for the adhesive to cure.
Applying Tamper-Evident Seals on the SRX1500 Device
On SRX1500 devices, apply 10 tamper-evident seals at the following locations:
The front of the SRX1500 has two slot covers. The slot covers should be secured with two screws each and then two tamper-evident labels must applied to the slots. The tamper-evident labels go from the front of the SRX1500 to the top.
Apply two tamper labels to cover the USB port and two tamper labels to cover the High Availability port.
The rear of the SRX1500 has two tamper-evident seals, the tamper-evident seal at top of the rear-view wraps to the top of the device and covers the fourth screw from the side containing the power supply.
Apply one tamper label on the rear of the SRX1500, on the SSD slot cover, to the bottom of the SRX1500.
Apply two tamper labels to cover the indicated screw on the left and right side of the SRX1500 and wrap to the bottom of the SRX1500.
Applying Tamper-Evident Seals on the SRX4100 and SRX4200 Device
The placement of the tamper evident labels for the SRX4100, SRX4200, and SRX4600 devices is exactly the same.
Apply 11 tamper-evident seals at the following locations:
Apply two tamper-evident labels at the top of the chassis, covering one screw on the top-back left and one screw on the top-back right. The tamper evident labels cover the screws on the top of the chassis and wrap down each side of the chassis.
Apply three tamper-evident labels at the bottom of the chassis, covering three screws that secure the faceplates on the front of the chassis. The three screws are entirely on the bottom of the chassis, they do not wrap around to any other portion of the chassis.
Apply two tamper-evident labels covering the two USB ports on the front of the SRX4100, SRX4200, and SRX4600 devices.
Apply two tamper-evident labels covering the two HA ports and two tamper-evident labels covering the second HA port.
Applying Tamper-Evident Seals on SRX4600 Device
For the front and rear view:
The front of the device has four HA ports, one USB port and two SSD slots that require tamper-evident label application. Four tamper-evident labels are placed over the HA ports. Two tamper-evident labels are placed over the USB port so that the port and the screw are covered. The SSD will each have one tamper-evident label.
The module contains two PSUs that can be swapped. Apply two tamper-evident labels on the two swappable PSUs.
For the left and right view:
On the left side of the device, apply one tamper-evident label over the fourth screw from the front.
The right side of the device, apply one tamper-evident label over the fourth screw from the front.