A Juniper Networks router running JUNOS-FIPS forms a special type of environment. JUNOS-FIPS establishes several cryptographic boundaries in the router, and no critical security parameters (CSPs) can cross these boundaries in plaintext. There are two types of hardware with cryptographic boundaries in JUNOS-FIPS: one for each Routing Engine and one for each AS II FIPS PIC. Each component forms a separate cryptographic module. Communications involving CSPs between these secure environments must take place using encryption.
The JUNOS-FIPS hardware environment has limitations that apply to cryptographic boundaries. The PCMCIA slot might have to be secured with a tamper-evident seal. For FIPS Level 2 operation, the Routing Engine must be sealed into the chassis using tamper-evident labels. On some models, tamper-evident labels must be applied to other components as well. See the FIPS Level 2 Label Installation Instructions for details. The label kit must be ordered separately and the labels applied according to the instructions included in the kit.
Hardware configurations with two Routing Engines use IP Security (IPSec) and a private routing instance for communications between them. Encryption is also used for communications between the Routing Engines and the AS II FIPS PICs. If the AS II FIPS PIC is used for IPSec connections to other systems, the AS II FIPS PIC must be enabled first. For more information about the AS II FIPS PIC, see the AS II FIPS PIC Hardware Guide.
Cryptographic methods are not a substitute for physical security. The hardware must be located in a secure physical environment and users of all types should not reveal keys or passwords, or allow written records or notes to be seen by unauthorized personnel.