How to Enable and Configure Junos OS in FIPS Mode of Operation
A Security Administrator can enable and configure Junos OS in FIPS mode of operation on the device. Before you begin enabling and configuring FIPS mode of operation on the device, do the following:
- Verify the secure delivery of the device. See Identifying Secure Product Delivery.
- Apply the tamper-evident seals. See Applying Tamper-Evident Seals to the Cryptographic Module.
To enable Junos OS in FIPS mode of operation, follow these steps:
- Zeroize the device before enabling FIPS mode of operation.
  user@host> request system zeroize hypervisor
- Enable FIPS mode on the device.
  user@host# set system fips level 2
- Configure the root password. Enter the password when prompted.
  user@host# set system root-authentication plain-text-password
- Remove the CSPs at commit check.
  user@host# commit
- After the device reboots, the module runs its integrity tests and self-tests while operating in FIPS mode.
- If you use AES-GCM for IKE or IPsec encryption, configure IKEv2. The gateway must be pinned to version v2-only; the completions shown below are the encryption algorithms and gateway versions the CLI offers.
  user@host# set security ike proposal <ike_proposal_name> encryption-algorithm ?
  Possible completions:
    aes-128-cbc   AES-CBC 128-bit encryption algorithm
    aes-128-gcm   AES-GCM 128-bit encryption algorithm
    aes-192-cbc   AES-CBC 192-bit encryption algorithm
    aes-256-cbc   AES-CBC 256-bit encryption algorithm
    aes-256-gcm   AES-GCM 256-bit encryption algorithm
  user@host# set security ike proposal <ike_proposal_name> encryption-algorithm aes-256-gcm
  user@host# set security ipsec proposal <ipsec_proposal_name> encryption-algorithm aes-128-gcm
  user@host# set security ike gateway <gateway_name> version ?
  Possible completions:
    v1-only   The connection must be initiated using IKE version 1
    v2-only   The connection must be initiated using IKE version 2
  user@host# set security ike gateway <gateway_name> version v2-only
  user@host# commit
  commit complete
Issue the request system snapshot command so that the backup image of the firmware is also the JUNOS-FIPS image. You can then confirm the running image with show version:
user@host-srx4200:fips> show version
Hostname: host-srx4200
Model: srx4200
Junos: 22.2R1.9
JUNOS OS Kernel 64-bit [20220607.2c547a1_builder_stable_12_222]
JUNOS OS libs [20220607.2c547a1_builder_stable_12_222]
JUNOS OS runtime [20220607.2c547a1_builder_stable_12_222]
JUNOS OS time zone information [20220607.2c547a1_builder_stable_12_222]
JUNOS network stack and utilities [20220617.153850_builder_junos_222_r1]
JUNOS libs [20220617.153850_builder_junos_222_r1]
JUNOS OS libs compat32 [20220607.2c547a1_builder_stable_12_222]
JUNOS OS 32-bit compatibility [20220607.2c547a1_builder_stable_12_222]
JUNOS libs compat32 [20220617.153850_builder_junos_222_r1]
JUNOS runtime [20220617.153850_builder_junos_222_r1]
Junos vmguest package [20220617.153850_builder_junos_222_r1]
JUNOS py extensions [20220617.153850_builder_junos_222_r1]
JUNOS py base [20220617.153850_builder_junos_222_r1]
JUNOS OS vmguest [20220607.2c547a1_builder_stable_12_222]
JUNOS OS crypto [20220607.2c547a1_builder_stable_12_222]
JUNOS OS boot-ve files [20220607.2c547a1_builder_stable_12_222]
JUNOS na telemetry [22.2R1.9]
JUNOS Web Management Platform Package [20220617.153850_builder_junos_222_r1]
JUNOS srx libs compat32 [20220617.153850_builder_junos_222_r1]
JUNOS srx runtime [20220617.153850_builder_junos_222_r1]
JUNOS Routing mpls-oam-basic [20220617.153850_builder_junos_222_r1]
JUNOS Routing lsys [20220617.153850_builder_junos_222_r1]
JUNOS Routing 32-bit Compatible Version [20220617.153850_builder_junos_222_r1]
JUNOS Routing aggregated [20220617.153850_builder_junos_222_r1]
Redis [20220617.153850_builder_junos_222_r1]
JUNOS probe utility [20220617.153850_builder_junos_222_r1]
JUNOS common platform support [20220617.153850_builder_junos_222_r1]
JUNOS srx platform support [20220617.153850_builder_junos_222_r1]
JUNOS Openconfig [22.2R1.9]
JUNOS mtx network modules [20220617.153850_builder_junos_222_r1]
JUNOS modules [20220617.153850_builder_junos_222_r1]
JUNOS srx modules [20220617.153850_builder_junos_222_r1]
JUNOS srx libs [20220617.153850_builder_junos_222_r1]
JUNOS L2 RSI Scripts [20220617.153850_builder_junos_222_r1]
JUNOS srx Data Plane Crypto Support [20220617.153850_builder_junos_222_r1]
JUNOS ike [20220617.153850_builder_junos_222_r1]
JUNOS daemons [20220617.153850_builder_junos_222_r1]
JUNOS srx daemons [20220617.153850_builder_junos_222_r1]
JUNOS High End AppQos Daemon [20220617.153850_builder_junos_222_r1]
JUNOS Services URL Filter package [20220617.153850_builder_junos_222_r1]
JUNOS Services TLB Service PIC package [20220617.153850_builder_junos_222_r1]
JUNOS Services Telemetry [20220617.153850_builder_junos_222_r1]
JUNOS Services TCP-LOG [20220617.153850_builder_junos_222_r1]
JUNOS Services SSL [20220617.153850_builder_junos_222_r1]
JUNOS Services SOFTWIRE [20220617.153850_builder_junos_222_r1]
JUNOS Services Stateful Firewall [20220617.153850_builder_junos_222_r1]
JUNOS Services RTCOM [20220617.153850_builder_junos_222_r1]
JUNOS Services RPM [20220617.153850_builder_junos_222_r1]
JUNOS Services PCEF package [20220617.153850_builder_junos_222_r1]
JUNOS Services NAT [20220617.153850_builder_junos_222_r1]
JUNOS Services Mobile Subscriber Service Container package [20220617.153850_builder_junos_222_r1]
JUNOS Services MobileNext Software package [20220617.153850_builder_junos_222_r1]
JUNOS Services Logging Report Framework package [20220617.153850_builder_junos_222_r1]
JUNOS Services LL-PDF Container package [20220617.153850_builder_junos_222_r1]
JUNOS Services Jflow Container package [20220617.153850_builder_junos_222_r1]
JUNOS Services Deep Packet Inspection package [20220617.153850_builder_junos_222_r1]
JUNOS Services IPSec [20220617.153850_builder_junos_222_r1]
JUNOS Services IDS [20220617.153850_builder_junos_222_r1]
JUNOS IDP Services [20220617.153850_builder_junos_222_r1]
JUNOS Services HTTP Content Management package [20220617.153850_builder_junos_222_r1]
JUNOS Services DNS Filter package (i386) [20220617.153850_builder_junos_222_r1]
JUNOS Services Crypto [20220617.153850_builder_junos_222_r1]
JUNOS Services Captive Portal and Content Delivery Container package [20220617.153850_builder_junos_222_r1]
JUNOS Services COS [20220617.153850_builder_junos_222_r1]
JUNOS AppId Services [20220617.153850_builder_junos_222_r1]
JUNOS Services Application Level Gateways [20220617.153850_builder_junos_222_r1]
JUNOS Services AACL Container package [20220617.153850_builder_junos_222_r1]
JUNOS Extension Toolkit [20220617.153850_builder_junos_222_r1]
JUNOS Packet Forwarding Engine Support (wrlinuxlts19) [20220617.153850_builder_junos_222_r1]
JUNOS Packet Forwarding Engine Support (spc3) [20220617.153850_builder_junos_222_r1]
JUNOS Packet Forwarding Engine Support (MX/EX92XX Common) [20220617.153850_builder_junos_222_r1]
JUNOS Packet Forwarding Engine Support (M/T Common) [20220617.153850_builder_junos_222_r1]
JUNOS Packet Forwarding Engine Support (MX Common) [20220617.153850_builder_junos_222_r1]
JUNOS Juniper Malware Removal Tool (JMRT) [1.0.0+20220617.153850_builder_junos_222_r1]
JUNOS J-Insight [20220617.153850_builder_junos_222_r1]
JUNOS jfirmware [20220608.110139_builder_junos_222_r1]
JUNOS Online Documentation [20220617.153850_builder_junos_222_r1]
JUNOS jail runtime [20220607.2c547a1_builder_stable_12_222]
JUNOS fips optest [22.2R1.9]
JUNOS FIPS mode utilities [20220617.153850_builder_junos_222_r1]
JUNOS dsa dsa [22.2R1.9]
The fips keyword next to the hostname in the output indicates that the module is operating in FIPS mode on SRX1500, SRX4100, SRX4200, and SRX4600 devices running Junos Software Release 22.2R1.
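The two checks above (the ":fips" prompt marker, and AES-GCM only behind an IKEv2 gateway) can be automated over captured CLI text. The following is an added example, not code from Juniper or from this document; it assumes the set-style configuration format that "show configuration | display set" prints, and the sample configuration and prompt line are constructed.

```python
import re

# Constructed sample (not from the original page): set-style configuration as
# "show configuration | display set" prints it. gw-ok is correct; gw-bad uses
# IKEv1 with a GCM proposal; gw-unset never pins a version; gw-cbc is not GCM.
SAMPLE_CONFIG = """\
set security ike proposal ike-gcm encryption-algorithm aes-256-gcm
set security ike proposal ike-cbc encryption-algorithm aes-256-cbc
set security ike policy pol-gcm proposals ike-gcm
set security ike policy pol-cbc proposals ike-cbc
set security ike gateway gw-ok ike-policy pol-gcm
set security ike gateway gw-ok version v2-only
set security ike gateway gw-bad ike-policy pol-gcm
set security ike gateway gw-bad version v1-only
set security ike gateway gw-unset ike-policy pol-gcm
set security ike gateway gw-cbc ike-policy pol-cbc
"""

# Constructed first line of a "show version" capture, in the prompt format the
# page shows for a module operating in FIPS mode.
SAMPLE_PROMPT = "user@host-srx4200:fips> show version"


def prompt_shows_fips(line: str) -> bool:
    """True when the CLI prompt carries the ':fips' marker next to the hostname."""
    return re.match(r"^\S+@[^\s:]+:fips[>#]", line) is not None


def gcm_gateways_without_ikev2(config: str) -> list[str]:
    """IKE gateways whose policy references an AES-GCM proposal but which are
    not pinned to IKEv2 ('version v2-only'); an unset version is a finding."""
    proposal_alg: dict[str, str] = {}
    policy_proposals: dict[str, list[str]] = {}
    gateway_policy: dict[str, str] = {}
    gateway_version: dict[str, str] = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] != ["set", "security", "ike"] or len(tok) < 7:
            continue
        if tok[3] == "proposal" and tok[5] == "encryption-algorithm":
            proposal_alg[tok[4]] = tok[6]
        elif tok[3] == "policy" and tok[5] == "proposals":
            policy_proposals.setdefault(tok[4], []).extend(tok[6:])
        elif tok[3] == "gateway" and tok[5] == "ike-policy":
            gateway_policy[tok[4]] = tok[6]
        elif tok[3] == "gateway" and tok[5] == "version":
            gateway_version[tok[4]] = tok[6]
    findings = []
    for gw, pol in gateway_policy.items():
        uses_gcm = any(proposal_alg.get(p, "").endswith("-gcm")
                       for p in policy_proposals.get(pol, []))
        if uses_gcm and gateway_version.get(gw) != "v2-only":
            findings.append(gw)
    return sorted(findings)
```

Running gcm_gateways_without_ikev2 on the sample reports gw-bad and gw-unset, the two gateways that would need "version v2-only" before commit.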