Understanding Junos OS in FIPS Mode

Federal Information Processing Standards (FIPS) 140-3 defines security levels for hardware and software that perform cryptographic functions. This Juniper Networks router running the Juniper Networks Junos operating system (Junos OS) in FIPS mode complies with the FIPS 140-3 Level 1 standard.

Operating this router in a FIPS 140-3 Level 1 environment requires enabling and configuring FIPS mode on the device from the Junos OS command-line interface (CLI).

The Crypto Officer enables FIPS mode in Junos OS and sets up keys and passwords for the system and other FIPS users.

Supported Platforms and Hardware

For the features described in this document, the following platform is used to qualify FIPS certification:

About the Cryptographic Boundary on Your Device

FIPS 140-3 compliance requires a defined cryptographic boundary around each cryptographic module on a device. Junos OS in FIPS mode prevents the cryptographic module from executing any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic boundary of the module in unencrypted format.

CAUTION:

Virtual Chassis features are not supported in FIPS mode. Do not configure a Virtual Chassis in FIPS mode.

How FIPS Mode Differs from Non-FIPS Mode

Table 1 summarizes how Junos OS in FIPS mode differs from Junos OS in non-FIPS mode:

Table 1: FIPS Mode and Non-FIPS Mode Comparison

| Feature | FIPS Mode | Non-FIPS Mode |
|---|---|---|
| Self-tests of all cryptographic algorithms at startup | Yes | No |
| Self-tests of random number and key generation performed continuously | Yes | No |
| Weak cryptographic algorithms such as Data Encryption Standard (DES) and MD5 | Not allowed | Allowed |
| Weak, remote, or unencrypted management connections | Not allowed | Allowed |
| Local and unencrypted console access across all modes of operation | Allowed | Allowed |
| One-way algorithm used for password hashing | Yes | Yes |
| Administrator passwords shorter than 10 characters | Not allowed | Allowed |
| Cryptographic keys must be encrypted before transmission | Yes | Not necessary |
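
Before enabling FIPS mode, an existing configuration can be screened for statements that conflict with the FIPS Mode column of Table 1. The following is an added example, not Juniper code: the sample configuration is constructed, and the mapping from table rows to "set" statements (cleartext services, DES/MD5 tokens, the login password minimum-length statement) is an assumption of this example.

```python
import re

# Constructed sample configuration in "set" format (not taken from a real device).
SAMPLE_CONFIG = """\
set system host-name r1
set system services ssh
set system services telnet
set system services web-management http interface fxp0
set system services web-management https system-generated-certificate
set snmp v3 usm local-engine user monitor authentication-md5 authentication-key "constructed"
set snmp v3 usm local-engine user monitor privacy-des privacy-key "constructed"
set system login password minimum-length 8
"""

# Assumed mapping from Table 1 rows to configuration statements.
CLEARTEXT_MGMT = re.compile(r"^set system services (telnet|ftp|web-management http)\b")
# "des" or "md5" as a hyphen- or space-delimited token; 3des and aes do not match.
WEAK_ALGORITHM = re.compile(r"(?:^|[\s-])(des|md5)(?:$|[\s-])")
MIN_LENGTH = re.compile(r"^set system login password minimum-length (\d+)$")
REQUIRED_MIN_LENGTH = 10  # Table 1: fewer than 10 characters is not allowed


def audit(config_text):
    """Return (line_number, reason) findings; line 0 means a statement is missing."""
    findings = []
    min_length_seen = False
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if CLEARTEXT_MGMT.search(line):
            findings.append((number, "unencrypted management service"))
        weak = WEAK_ALGORITHM.search(line)
        if weak:
            findings.append((number, "weak algorithm: " + weak.group(1)))
        length = MIN_LENGTH.match(line)
        if length:
            min_length_seen = True
            if int(length.group(1)) < REQUIRED_MIN_LENGTH:
                findings.append((number, "password minimum-length below 10"))
    if not min_length_seen:
        findings.append((0, "no password minimum-length statement"))
    return findings


if __name__ == "__main__":
    for number, reason in audit(SAMPLE_CONFIG):
        print(f"line {number}: {reason}")
```

A token match on "des" or "md5" can also hit a user or object name, so findings are candidates for review rather than confirmed violations.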

Validated Version of Junos OS in FIPS Mode

To determine whether a Junos OS release is NIST-validated, see the compliance page on the Juniper Networks Web site (https://apps.juniper.net/compliance/).