How to Enable and Configure Junos OS in FIPS Mode of Operation
A security administrator can enable and configure Junos OS in FIPS mode of operation on the device. Before you begin enabling and configuring FIPS mode of operation on the device, do the following:
Verify the secure delivery of the device. See Identifying Secure Product Delivery.
Apply tamper-evident seals. See Applying Tamper-Evident Seals to the Cryptographic Module.
To enable Junos OS in FIPS mode of operation, follow these steps:
- Zeroize the device before enabling FIPS mode of operation:
user@host> request system zeroize hypervisor
- Enable FIPS mode on the device:
user@host# set system fips level 2
- Configure the root password:
user@host# set system root-authentication plain-text-password
Enter the password when prompted.
- Commit the configuration; critical security parameters (CSPs) are removed during the commit check:
user@host# commit
- After the device reboots, the module runs its integrity and self-tests as it comes up in FIPS mode.
- If you use AES-GCM for IKE or IPsec encryption, configure IKEv2:
user@host# set security ike proposal <ike_proposal_name> encryption-algorithm ?
Possible completions:
  aes-128-cbc          AES-CBC 128-bit encryption algorithm
  aes-128-gcm          AES-GCM 128-bit encryption algorithm
  aes-192-cbc          AES-CBC 192-bit encryption algorithm
  aes-256-cbc          AES-CBC 256-bit encryption algorithm
  aes-256-gcm          AES-GCM 256-bit encryption algorithm
user@host# set security ike proposal <ike_proposal_name> encryption-algorithm aes-256-gcm
user@host# set security ipsec proposal <ipsec_proposal_name> encryption-algorithm aes-128-gcm
user@host# set security ike gateway <gateway_name> version ?
Possible completions:
  v1-only              The connection must be initiated using IKE version 1
  v2-only              The connection must be initiated using IKE version 2
user@host# set security ike gateway <gateway_name> version v2-only
user@host# commit
commit complete
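The AES-GCM rule in the step above is easy to break later, for example when a new gateway is added that reuses an existing GCM proposal but leaves the IKE version at the default. The following script, an added example that is not Juniper's code, audits a configuration in the form produced by `show configuration | display set` and reports any gateway or VPN that reaches an AES-GCM proposal without `version v2-only`; it also confirms that `set system fips level` is present. It assumes the standard Junos proposal/policy/gateway/VPN statement hierarchy, the proposal, policy, gateway and VPN names in the sample are constructed, and a gateway with no explicit `version` is treated as not IKEv2.

```python
"""Added example, not Juniper's code: audit a Junos 'set'-style configuration
for the rule that AES-GCM in IKE or IPsec requires IKEv2 (version v2-only).

Assumptions: input is the text of 'show configuration | display set'; names in
the sample below are constructed; a gateway without an explicit 'version'
statement is treated as not IKEv2.
"""
import re
from collections import defaultdict

GCM_ALGORITHM = re.compile(r"^aes-(128|192|256)-gcm$")

# Constructed sample configuration (names invented; statement syntax is Junos).
SAMPLE_CONFIG = """
set system fips level 2
set security ike proposal ike-gcm encryption-algorithm aes-256-gcm
set security ike proposal ike-cbc encryption-algorithm aes-256-cbc
set security ike policy pol-gcm proposals ike-gcm
set security ike policy pol-cbc proposals ike-cbc
set security ike gateway gw-ok ike-policy pol-gcm
set security ike gateway gw-ok version v2-only
set security ike gateway gw-bad ike-policy pol-gcm
set security ike gateway gw-bad version v1-only
set security ike gateway gw-cbc ike-policy pol-cbc
set security ipsec proposal esp-gcm encryption-algorithm aes-128-gcm
set security ipsec policy ipol-gcm proposals esp-gcm
set security ipsec vpn vpn-ok ike gateway gw-ok
set security ipsec vpn vpn-ok ike ipsec-policy ipol-gcm
set security ipsec vpn vpn-bad ike gateway gw-cbc
set security ipsec vpn vpn-bad ike ipsec-policy ipol-gcm
"""


def parse_set_statements(text):
    """Split each 'set ...' line into its tokens (without 'set'), skipping blanks and comments."""
    statements = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] == "set":
            statements.append(tokens[1:])
    return statements


def audit_gcm_requires_ikev2(config_text):
    """Return a list of findings; an empty list means the configuration satisfies the rule."""
    ike_gcm, ipsec_gcm = set(), set()          # proposals that use AES-GCM
    ike_policy_props = defaultdict(set)        # ike policy  -> ike proposals
    ipsec_policy_props = defaultdict(set)      # ipsec policy -> ipsec proposals
    gw_policy, gw_version = {}, {}             # gateway -> ike policy / version
    vpn_gateway, vpn_policy = {}, {}           # vpn -> gateway / ipsec policy
    fips_level = None

    for s in parse_set_statements(config_text):
        if len(s) == 4 and s[:3] == ["system", "fips", "level"]:
            fips_level = s[3]
        elif len(s) == 6 and s[:3] == ["security", "ike", "proposal"] and s[4] == "encryption-algorithm":
            if GCM_ALGORITHM.match(s[5]):
                ike_gcm.add(s[3])
        elif len(s) == 6 and s[:3] == ["security", "ipsec", "proposal"] and s[4] == "encryption-algorithm":
            if GCM_ALGORITHM.match(s[5]):
                ipsec_gcm.add(s[3])
        elif len(s) >= 6 and s[:3] == ["security", "ike", "policy"] and s[4] == "proposals":
            ike_policy_props[s[3]].update(t for t in s[5:] if t not in ("[", "]"))
        elif len(s) >= 6 and s[:3] == ["security", "ipsec", "policy"] and s[4] == "proposals":
            ipsec_policy_props[s[3]].update(t for t in s[5:] if t not in ("[", "]"))
        elif len(s) == 6 and s[:3] == ["security", "ike", "gateway"]:
            if s[4] == "ike-policy":
                gw_policy[s[3]] = s[5]
            elif s[4] == "version":
                gw_version[s[3]] = s[5]
        elif len(s) == 7 and s[:3] == ["security", "ipsec", "vpn"] and s[4] == "ike":
            if s[5] == "gateway":
                vpn_gateway[s[3]] = s[6]
            elif s[5] == "ipsec-policy":
                vpn_policy[s[3]] = s[6]

    findings = []
    if fips_level is None:
        findings.append("system fips level is not configured")
    # IKE side: a gateway whose policy references a GCM proposal must be v2-only.
    for gw in sorted(gw_policy):
        gcm_used = ike_policy_props[gw_policy[gw]] & ike_gcm
        if gcm_used and gw_version.get(gw) != "v2-only":
            findings.append(f"ike gateway {gw}: AES-GCM proposal(s) {sorted(gcm_used)} "
                            f"but version is {gw_version.get(gw, 'unset')} (requires v2-only)")
    # IPsec side: a VPN whose policy references a GCM proposal must ride a v2-only gateway.
    for vpn in sorted(vpn_policy):
        gcm_used = ipsec_policy_props[vpn_policy[vpn]] & ipsec_gcm
        gw = vpn_gateway.get(vpn)
        if gcm_used and gw_version.get(gw) != "v2-only":
            findings.append(f"ipsec vpn {vpn}: AES-GCM proposal(s) {sorted(gcm_used)} "
                            f"via gateway {gw} with version {gw_version.get(gw, 'unset')} (requires v2-only)")
    return findings


if __name__ == "__main__":
    for finding in audit_gcm_requires_ikev2(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On the constructed sample the audit flags `gw-bad` (GCM proposal with `v1-only`) and `vpn-bad` (GCM ESP proposal through a gateway with no version statement), and passes `gw-ok`/`vpn-ok`. Run it against a saved `display set` export before each commit of IKE/IPsec changes.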
- Issue the request system snapshot command to ensure that the backup firmware image is also a JUNOS-FIPS image.
user@host-srx4200:fips> show version
Hostname: host-srx4200
Model: srx4200
Junos: 22.2R1.9
JUNOS OS Kernel 64-bit [20220607.2c547a1_builder_stable_12_222]
JUNOS OS libs [20220607.2c547a1_builder_stable_12_222]
JUNOS OS runtime [20220607.2c547a1_builder_stable_12_222]
JUNOS OS time zone information [20220607.2c547a1_builder_stable_12_222]
JUNOS network stack and utilities [20220617.153850_builder_junos_222_r1]
JUNOS libs [20220617.153850_builder_junos_222_r1]
JUNOS OS libs compat32 [20220607.2c547a1_builder_stable_12_222]
JUNOS OS 32-bit compatibility [20220607.2c547a1_builder_stable_12_222]
JUNOS libs compat32 [20220617.153850_builder_junos_222_r1]
JUNOS runtime [20220617.153850_builder_junos_222_r1]
Junos vmguest package [20220617.153850_builder_junos_222_r1]
JUNOS py extensions [20220617.153850_builder_junos_222_r1]
JUNOS py base [20220617.153850_builder_junos_222_r1]
JUNOS OS vmguest [20220607.2c547a1_builder_stable_12_222]
JUNOS OS crypto [20220607.2c547a1_builder_stable_12_222]
JUNOS OS boot-ve files [20220607.2c547a1_builder_stable_12_222]
JUNOS na telemetry [22.2R1.9]
JUNOS Web Management Platform Package [20220617.153850_builder_junos_222_r1]
JUNOS srx libs compat32 [20220617.153850_builder_junos_222_r1]
JUNOS srx runtime [20220617.153850_builder_junos_222_r1]
JUNOS Routing mpls-oam-basic [20220617.153850_builder_junos_222_r1]
JUNOS Routing lsys [20220617.153850_builder_junos_222_r1]
JUNOS Routing 32-bit Compatible Version [20220617.153850_builder_junos_222_r1]
JUNOS Routing aggregated [20220617.153850_builder_junos_222_r1]
Redis [20220617.153850_builder_junos_222_r1]
JUNOS probe utility [20220617.153850_builder_junos_222_r1]
JUNOS common platform support [20220617.153850_builder_junos_222_r1]
JUNOS srx platform support [20220617.153850_builder_junos_222_r1]
JUNOS Openconfig [22.2R1.9]
JUNOS mtx network modules [20220617.153850_builder_junos_222_r1]
JUNOS modules [20220617.153850_builder_junos_222_r1]
JUNOS srx modules [20220617.153850_builder_junos_222_r1]
JUNOS srx libs [20220617.153850_builder_junos_222_r1]
JUNOS L2 RSI Scripts [20220617.153850_builder_junos_222_r1]
JUNOS srx Data Plane Crypto Support [20220617.153850_builder_junos_222_r1]
JUNOS ike [20220617.153850_builder_junos_222_r1]
JUNOS daemons [20220617.153850_builder_junos_222_r1]
JUNOS srx daemons [20220617.153850_builder_junos_222_r1]
JUNOS High End AppQos Daemon [20220617.153850_builder_junos_222_r1]
JUNOS Services URL Filter package [20220617.153850_builder_junos_222_r1]
JUNOS Services TLB Service PIC package [20220617.153850_builder_junos_222_r1]
JUNOS Services Telemetry [20220617.153850_builder_junos_222_r1]
JUNOS Services TCP-LOG [20220617.153850_builder_junos_222_r1]
JUNOS Services SSL [20220617.153850_builder_junos_222_r1]
JUNOS Services SOFTWIRE [20220617.153850_builder_junos_222_r1]
JUNOS Services Stateful Firewall [20220617.153850_builder_junos_222_r1]
JUNOS Services RTCOM [20220617.153850_builder_junos_222_r1]
JUNOS Services RPM [20220617.153850_builder_junos_222_r1]
JUNOS Services PCEF package [20220617.153850_builder_junos_222_r1]
JUNOS Services NAT [20220617.153850_builder_junos_222_r1]
JUNOS Services Mobile Subscriber Service Container package [20220617.153850_builder_junos_222_r1]
JUNOS Services MobileNext Software package [20220617.153850_builder_junos_222_r1]
JUNOS Services Logging Report Framework package [20220617.153850_builder_junos_222_r1]
JUNOS Services LL-PDF Container package [20220617.153850_builder_junos_222_r1]
JUNOS Services Jflow Container package [20220617.153850_builder_junos_222_r1]
JUNOS Services Deep Packet Inspection package [20220617.153850_builder_junos_222_r1]
JUNOS Services IPSec [20220617.153850_builder_junos_222_r1]
JUNOS Services IDS [20220617.153850_builder_junos_222_r1]
JUNOS IDP Services [20220617.153850_builder_junos_222_r1]
JUNOS Services HTTP Content Management package [20220617.153850_builder_junos_222_r1]
JUNOS Services DNS Filter package (i386) [20220617.153850_builder_junos_222_r1]
JUNOS Services Crypto [20220617.153850_builder_junos_222_r1]
JUNOS Services Captive Portal and Content Delivery Container package [20220617.153850_builder_junos_222_r1]
JUNOS Services COS [20220617.153850_builder_junos_222_r1]
JUNOS AppId Services [20220617.153850_builder_junos_222_r1]
JUNOS Services Application Level Gateways [20220617.153850_builder_junos_222_r1]
JUNOS Services AACL Container package [20220617.153850_builder_junos_222_r1]
JUNOS Extension Toolkit [20220617.153850_builder_junos_222_r1]
JUNOS Packet Forwarding Engine Support (wrlinuxlts19) [20220617.153850_builder_junos_222_r1]
JUNOS Packet Forwarding Engine Support (spc3) [20220617.153850_builder_junos_222_r1]
JUNOS Packet Forwarding Engine Support (MX/EX92XX Common) [20220617.153850_builder_junos_222_r1]
JUNOS Packet Forwarding Engine Support (M/T Common) [20220617.153850_builder_junos_222_r1]
JUNOS Packet Forwarding Engine Support (MX Common) [20220617.153850_builder_junos_222_r1]
JUNOS Juniper Malware Removal Tool (JMRT) [1.0.0+20220617.153850_builder_junos_222_r1]
JUNOS J-Insight [20220617.153850_builder_junos_222_r1]
JUNOS jfirmware [20220608.110139_builder_junos_222_r1]
JUNOS Online Documentation [20220617.153850_builder_junos_222_r1]
JUNOS jail runtime [20220607.2c547a1_builder_stable_12_222]
JUNOS fips optest [22.2R1.9]
JUNOS FIPS mode utilities [20220617.153850_builder_junos_222_r1]
JUNOS dsa dsa [22.2R1.9]
The fips keyword next to the hostname in the output indicates that the module is operating in FIPS mode on the SRX1500, SRX4100, SRX4200, and SRX4600 with Junos Software Release 22.2R1.
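When this check is done for many devices, it helps to parse the captured `show version` transcript rather than eyeballing it. The script below is an added example, not Juniper's code: it reads a transcript that begins with the prompt line, extracts the header fields and the `NAME [BUILD]` package list, and reports which FIPS indicators visible in the output above are missing: the `:fips` tag in the prompt and the `JUNOS FIPS mode utilities` and `JUNOS fips optest` packages. The two transcripts embedded in it are constructed, shortened from the output above; the assumption that these two package names are the ones to look for comes only from that output.

```python
"""Added example, not Juniper's code: confirm FIPS mode from a captured
'show version' transcript using the indicators visible in the page's output:
the ':fips' tag in the CLI prompt and the FIPS packages in the package list.

Assumption: the transcript's first line is the prompt that issued the command.
Both transcripts below are constructed (shortened from the page's output).
"""
import re

PROMPT_FIPS = re.compile(r"^[^@\s]+@[^:\s]+:fips[>#]")
PACKAGE_LINE = re.compile(r"^(?P<name>.+?)\s+\[(?P<build>[^\]]+)\]$")
# Package names taken from the FIPS-mode output shown on the page (assumption).
REQUIRED_FIPS_PACKAGES = ("JUNOS FIPS mode utilities", "JUNOS fips optest")

FIPS_TRANSCRIPT = """user@host-srx4200:fips> show version
Hostname: host-srx4200
Model: srx4200
Junos: 22.2R1.9
JUNOS OS Kernel 64-bit [20220607.2c547a1_builder_stable_12_222]
JUNOS OS crypto [20220607.2c547a1_builder_stable_12_222]
JUNOS fips optest [22.2R1.9]
JUNOS FIPS mode utilities [20220617.153850_builder_junos_222_r1]
"""

NON_FIPS_TRANSCRIPT = """user@host> show version
Hostname: host
Model: srx4200
Junos: 22.2R1.9
JUNOS OS Kernel 64-bit [20220607.2c547a1_builder_stable_12_222]
JUNOS OS crypto [20220607.2c547a1_builder_stable_12_222]
"""


def parse_show_version(transcript):
    """Return (prompt_line, fields, packages).

    fields   maps 'Hostname'/'Model'/'Junos' style keys to their values;
    packages maps each 'NAME [BUILD]' line to its build string.
    """
    lines = transcript.splitlines()
    prompt = lines[0] if lines else ""
    fields, packages = {}, {}
    for raw in lines[1:]:
        line = raw.strip()
        if not line:
            continue
        m = PACKAGE_LINE.match(line)
        if m:
            packages[m.group("name")] = m.group("build")
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return prompt, fields, packages


def fips_mode_problems(transcript):
    """Return the indicators that are missing; an empty list means FIPS mode is confirmed."""
    prompt, _fields, packages = parse_show_version(transcript)
    problems = []
    if not PROMPT_FIPS.match(prompt):
        shown = prompt.split()[0] if prompt.split() else "<none>"
        problems.append(f"prompt lacks ':fips' tag: {shown}")
    for name in REQUIRED_FIPS_PACKAGES:
        if name not in packages:
            problems.append(f"package not installed: {name}")
    return problems


if __name__ == "__main__":
    for label, text in (("fips", FIPS_TRANSCRIPT), ("non-fips", NON_FIPS_TRANSCRIPT)):
        print(label, fips_mode_problems(text) or "FIPS mode confirmed")
```

The constructed FIPS transcript yields no problems; the non-FIPS one reports the missing prompt tag and both missing packages, so a fleet check can fail loudly on any device that rebooted into a non-FIPS image.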