Understanding Junos OS in FIPS Mode
Federal Information Processing Standards (FIPS) 140-2 defines security levels for hardware and software that perform cryptographic functions. By meeting the applicable overall requirements within the FIPS standard, Juniper Networks NFX250 Network Services Platform running the Juniper Networks Junos operating system (Junos OS) in FIPS mode comply with the FIPS 140-2 Level 1 standard.
Operating NFX250 Network Services Platform in a FIPS 140-2 Level 1 environment requires enabling and configuring FIPS mode on the NFX250 device from the Junos OS CLI.
The Crypto Officer enables FIPS mode in Junos OS and sets up keys and passwords for the system and other FIPS users who can view the configuration. Both user types can also perform normal configuration tasks on the NFX250 device (such as modify interface types) as individual user configuration allows.
About the Cryptographic Boundary on Your NFX250 Network Services Platform
FIPS 140-2 compliance requires a defined cryptographic boundary around each cryptographic module on an NFX250 device. Junos OS in FIPS mode prevents the cryptographic module from executing any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic boundary of the module by, for example, being displayed on a console or written to an external log file.
For the NFX250 Network Services Platform that are certified at FIPS-140-2 Level 1, the cryptographic boundary of the module is determined by the chassis type. For a list of FIPS-certified NFX250 Network Services Platform and the cryptographic boundary of each NFX250 device, see Table 1.
Table 1: Cryptographic Boundaries on FIPS-Certified NFX250 Network Services Platform
How FIPS Mode Differs from Non-FIPS Mode
Unlike Junos OS in non-FIPS mode, Junos OS in FIPS mode is a nonmodifiable operational environment. In addition, Junos OS in FIPS mode differs in the following ways from Junos OS in non-FIPS mode:
Self-tests of all cryptographic algorithms are performed at startup.
Self-tests of random number and key generation are performed continuously.
Weak cryptographic algorithms such as Data Encryption Standard (DES) and Message Digest 5 (MD5) are disabled.
Weak or unencrypted management connections must not be configured.
Passwords must be encrypted with strong one-way algorithms that do not permit decryption.
Administrator passwords must be at least 10 characters long.
Junos FIPS mode is a software package that must be installed in order to enable FIPS mode on NFX250 Network Services Platform. The Junos-FIPS image is a optional package included within Junos OS image available for NFX250 Network Services Platform.
Junos FIPS mode is available only on the NFX250 Network Services Platform listed in Table 1 that are running Junos OS Release 20.1R1.
Access to the NFX250 device is through FIPS approved Junos Control Plane (JCP) only. There is no external access to JDM or hypervisor.
VNFs configurations should not be configured.
For specific configuration limitations and restrictions, see Understanding Configuration Limitations and Restrictions on Junos OS in FIPS Mode.
Validated Version of Junos OS in FIPS Mode
Juniper Networks submits one Junos OS release per year—Junos OS Release 20.1R1, for example—to the National Institute of Standards and Technology (NIST) for validation. To determine whether a Junos OS release is NIST-validated, see the software download page on the Juniper Networks Web site (https://www.juniper.net/) or the National Institute of Standards and Technology site.