Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Understanding Junos OS in FIPS Mode of Operation

 

Federal Information Processing Standards (FIPS) 140-2 defines security levels for hardware and software that perform cryptographic functions. Junos-FIPS is a version of the Junos operating system (Junos OS) that complies with Federal Information Processing Standard (FIPS) 140-2.

Operating vSRX 3.0 in a FIPS 140-2 Level 1 environment requires enabling and configuring FIPS mode of operation on the device from the Junos OS command-line interface (CLI).

The Cryptographic Officer enables FIPS mode of operation in Junos OS Release 19.2R1 and sets up keys and passwords for the system and other FIPS users who can view the configuration. Both user types can also perform normal configuration tasks on the device (such as modify interface types) as individual user configuration allows.

The cryptographic module is defined as multiple-chip standalone software module. The module executes Junos FIPS software on a VMware ESXi Hypervisor on the hardware platforms identified in Table 1.

Table 1: Cryptographic Module Tested Configurations

Model

Software Version

Processor

HypervisorESXi

Hardware Platform

vSRX 3.0

Junos OS 19.2R1

Intel Xeon E5

ESXi 6.5

HP ProLiant DL380 Gen9 Server

vSRX 3.0

Junos OS 19.2R1

Intel Xeon D

ESXi 6.5

PacStar 451 Server

vSRX 3.0

Junos OS 19.2R1

Intel Corei5

ESXi 6.5

PacStar 451 Server

About the Cryptographic Boundary on Your Device

FIPS 140-2 compliance requires a defined cryptographic boundary around each cryptographic module on a device. Junos OS in FIPS mode of operation prevents the cryptographic module from running any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic boundary of the module by, for example, being displayed on a console or written to an external log file.

How FIPS Mode of Operation Differs from Non-FIPS Mode of Operation

Unlike Junos OS in non-FIPS mode of operation, Junos OS in FIPS mode of operation is a nonmodifiable operational environment. In addition, Junos OS in FIPS mode of operation differs in the following ways from Junos OS in non-FIPS mode of operation:

  • Self-tests of all cryptographic algorithms are performed at startup.

  • Self-tests of random number and key generation are performed continuously.

  • Weak cryptographic algorithms such as Data Encryption Standard (DES) and MD5 are disabled.

  • Weak or unencrypted management connections must not be configured.

  • Passwords must be encrypted with strong one-way algorithms that do not permit decryption.

  • Junos-FIPS administrator passwords must be at least 10 characters long.

  • Cryptographic keys must be encrypted before transmission.

  • Note

    In all other ways, Junos-FIPS behaves identically to the standard Junos OS image.

The FIPS 140-2 standard is available for download from the National Institute of Standards and Technology (NIST) at http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf.

Validated Version of Junos OS in FIPS Mode of Operation

Juniper Networks submits one Junos OS release per year—Junos OS Release 19.2R1, for example—to the National Institute of Standards and Technology (NIST) for validation. To determine whether a Junos OS release is NIST-validated, see the software download page on the Juniper Networks Web site (https://www.juniper.net/) or the National Institute of Standards and Technology site.