
JUNOS-FIPS Software Environment

The JUNOS-FIPS software environment is established after the Crypto Officer has successfully installed the JUNOS-FIPS software module. JUNOS-FIPS software is only available from a specific location at the Juniper Networks Web site and can be installed as an upgrade to a functioning Juniper Networks router. Supported routing platforms are the M7i, M10i, M40e, M320, and T320 routers, and the T640 routing node.

You can upgrade to JUNOS-FIPS only from JUNOS Release 6.4 or higher. You should zeroize the system and all AS II FIPS PICs before downgrading to a non-JUNOS-FIPS software version.

Operating the router at FIPS Level 2 requires the use of tamper-evident labels to seal the Routing Engines into the chassis. Removal of either Routing Engine requires entering the FIPS maintenance role. For strict compliance, the module should be zeroized on entry to and exit from the FIPS maintenance role.

Installing JUNOS-FIPS disables many of the usual JUNOS protocols and services. In particular, you cannot configure the following services in JUNOS-FIPS:

Attempts to configure these services, or load configurations with these services configured, result in a configuration syntax error. For an example of these syntax errors, see Configuration Restrictions.

You can use only ssl or tls as a remote access service. Transport Layer Security (TLS) is equivalent to Secure Sockets Layer (SSL) version 3, and JUNOS-FIPS is further restricted to FIPS-approved algorithms.

All passwords established for users after upgrading to JUNOS-FIPS must conform to JUNOS-FIPS specifications. Passwords must be between 10 and 20 characters in length and must use at least three of the five defined character sets (uppercase letters, lowercase letters, digits, punctuation marks, and keyboard characters not included in the other four categories, such as % and &). Attempts to configure passwords that do not conform to these rules result in an error. All passwords and keys used to authenticate peers must be at least 10 characters in length, and in some cases the length must match the digest size (20 for SHA-1). For JUNOS-FIPS user configuration examples, see Crypto Officer and JUNOS-FIPS User Configurations.
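The password and peer-key rules above can be checked before a configuration is loaded. The following Python sketch is an added example, not Juniper code; the function names are hypothetical, and the exact membership of the punctuation set is an assumption, since the page says only that % and & belong to the fifth set.

```python
import string

# Assumption: the page names the five character sets but not their members.
# It places % and & in the fifth set, so "punctuation" here is limited to
# common sentence punctuation and every remaining character counts as "other".
PUNCTUATION = set(".,;:!?'\"-()")
MIN_LEN, MAX_LEN, MIN_SETS = 10, 20, 3


def char_set(ch):
    """Return the name of the character set that ch belongs to."""
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.digits:
        return "digit"
    if ch in PUNCTUATION:
        return "punct"
    return "other"


def check_password(pw):
    """Return a list of rule violations; an empty list means pw conforms."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length {len(pw)} is outside {MIN_LEN}-{MAX_LEN}")
    used = {char_set(c) for c in pw}
    if len(used) < MIN_SETS:
        problems.append(f"uses {len(used)} of 5 character sets, need {MIN_SETS}")
    return problems


def check_peer_key(key, digest_size=None):
    """Check a peer authentication key; pass digest_size (20 for SHA-1)
    for the cases where the key length must match the digest size."""
    problems = []
    if len(key) < MIN_LEN:
        problems.append(f"length {len(key)} is below {MIN_LEN}")
    if digest_size is not None and len(key) != digest_size:
        problems.append(f"length {len(key)} does not match digest size {digest_size}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    for pw in ("abcdefghij12", "abcdefgh%&12", "Ab1"):
        print(repr(pw), check_password(pw) or "conforms")
    print(check_peer_key("K" * 16, digest_size=20))
```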

Note: Do not attach the router to a network until the Crypto Officer completes configuration from the local console connection.

In dual Routing Engine configurations, the Routing Engines will not communicate until IPSec is properly configured on each Routing Engine. The Crypto Officer should use the console of each Routing Engine for this purpose.

For strict compliance, do not examine core and crash dump information on the local console in JUNOS-FIPS because some CSPs might be shown in plain text.

