Understanding Services for Junos OS in FIPS Mode of Operation
All services implemented by the module are listed in the tables that follow.
Understanding Authenticated Services
Table 1 lists the authenticated services on the device running Junos OS.
| Authenticated Service | Description | Security Administrator | User (read-only) | User (network) |
|---|---|---|---|---|
| Configure security | Security relevant configuration | x | – | – |
| Configure | Non-security relevant configuration | x | – | – |
| Secure traffic | IPsec protected routing | – | – | x |
| Status | Display the status | x | x | – |
| Zeroize | Destroy all critical security parameters (CSPs) | x | – | – |
| SSH connect | Initiate SSH connection for SSH monitoring and control (CLI) | x | x | – |
| IPsec connect | Initiate IPsec connection (IKE) | x | – | x |
| Console access | Console monitoring and control (CLI) | x | x | – |
| Remote reset | Software-initiated reset | x | – | – |
Table 2 lists the services that require no authentication.

| Service | Description |
|---|---|
| Local reset | Hardware reset or power cycle |
| Traffic | Traffic requiring no cryptographic services |
Critical Security Parameters
Critical security parameters (CSPs) are security-related information such as cryptographic keys and passwords that can compromise the security of the cryptographic module or the security of the information protected by the module if they are disclosed or modified.
Zeroization of the system erases all traces of CSPs in preparation for operating the device as a cryptographic module.
Table 3 lists the CSP access rights within services.
| Service | DRBG_Seed | DRBG_State | SSH PHK | SSH DH | SSH-SEK | ESP-SEK | IKE-PSK | IKE-Priv | IKE-SKEYI | IKE-SKE | IKE-DH-PRI |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Configure security | – | E | G, W | – | – | – | W | G, W | – | – | – |
| Configure | – | – | – | – | – | – | – | – | – | – | – |
| Secure traffic | – | – | – | – | – | E | – | – | – | E | – |
| Status | – | – | – | – | – | – | – | – | – | – | – |
| Zeroize | Z | Z | Z | Z | Z | Z | Z | Z | – | – | – |
| SSH connect | – | E | E | G, E | G, E | – | – | – | – | – | – |
| IPsec connect | – | E | – | – | – | G | E | E | G | G | G |
| Console access | – | – | – | – | – | – | – | – | – | – | – |
| Remote reset | G, E | G | – | Z | Z | Z | – | – | Z | Z | Z |
| Local reset | G, E | G | – | Z | Z | Z | – | – | Z | Z | Z |
| Traffic | – | – | – | – | – | – | – | – | – | – | – |
The access rights are abbreviated as follows:

- G = Generate: The device generates the CSP.
- E = Execute: The device runs using the CSP.
- W = Write: The CSP is updated or written to the device.
- Z = Zeroize: The device zeroizes the CSP.