Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Understanding Roles and Services for Junos OS in FIPS Mode of Operation

The Juniper Networks Junos operating system (Junos OS) running in non-FIPS mode of operation allows a wide range of capabilities for users, and authentication is identity-based. In contrast, the FIPS 140-3 standard defines two user roles: Security Administrator and FIPS user. These roles are defined in terms of Junos OS user capabilities.

Administrative users (Security Administrator) must provide unique identification and authentication data before any administrative access to the system is granted.

All other user types defined for Junos OS in FIPS mode of operation (operator, administrative user, and so on) must fall into one of the two categories: Security Administrator or FIPS user. For this reason, user authentication in FIPS mode of operation is role-based rather than identity-based.

In addition to their FIPS roles, both user types can perform normal configuration tasks on the device as individual user configuration allows.

Security Administrators and FIPS users perform all FIPS-related configuration tasks and issue all statements and commands for Junos OS in FIPS mode of operation. Security Administrator and FIPS user configurations must follow the guidelines for Junos OS in FIPS mode of operation.

Security Administrator Role and Responsibilities

The Security Administrator is the person responsible for enabling, configuring, monitoring, and maintaining Junos OS in FIPS mode of operation on a device. The Security Administrator securely installs Junos OS on the device, enables FIPS mode of operation, establishes keys and passwords for other users and software modules, and initializes the device before network connection. The Security Administrator can configure and monitor the module through a console or SSH connection.

Best Practice:

We recommend that the Security Administrator administer the system in a secure manner by keeping passwords secure and checking audit files.

The permissions that distinguish the Security Administrator from other FIPS users are secret, security, maintenance, and control. For FIPS compliance, assign the Security Administrator to a login class that contains all of these permissions. A user with the Junos OS maintenance permission can read files containing critical security parameters (CSPs).

Note:

Junos OS in FIPS mode of operation does not support the FIPS 140-3 maintenance role, which is different from the Junos OS maintenance permission.

Among the tasks related to Junos OS in FIPS mode of operation, the Security Administrator is expected to:

  • Set the initial root password.

  • Reset user passwords for FIPS-approved algorithms during upgrades from Junos OS.

  • Set up manual IPsec SAs for configuration with dual Routing Engines.

  • Examine log and audit files for events of interest.

  • Erase user-generated files and data on (zeroize) the device.

FIPS User Role and Responsibilities

All FIPS users, including the Security Administrator, can view the configuration. Only the user assigned as the Security Administrator can modify the configuration.

The permissions that distinguish Security Administrators from other FIPS users are secret, security, maintenance, and control. For FIPS compliance, assign the FIPS user to a class that contains none of these permissions.

FIPS users configure networking features on the device and perform other tasks that are not specific to FIPS mode of operation. FIPS users who are not Security Administrators can perform reboots and view status output.

What Is Expected of All FIPS Users

All FIPS users, including the Security Administrator, must observe security guidelines at all times.

All FIPS users must:

  • Keep all passwords confidential.

  • Store devices and documentation in a secure area.

  • Deploy devices in secure areas.

  • Check audit files periodically.

  • Conform to all other FIPS 140-3 security rules.

  • Follow these guidelines:

    • Users are trusted.

    • Users abide by all security guidelines.

    • Users do not deliberately compromise security.

    • Users behave responsibly at all times.

Loading Firmware on the Device

The Junos OS 22.2R2 FIPS images only accept the firmware signed with ECDSA and rejects any firmware signed with RSA + SHA1. You cannot downgrade to images that are signed with RSA + SHA1 from ECDSA signed only images. In this scenario, the vSRX device does not load the firmware. The load also fails if the embedded certificates in the firmware image are not valid.