FIPS Mode Roles and Services for Junos OS
Learn about FIPS mode roles and services for Junos OS.
FIPS Mode Roles and Services
In FIPS mode, a role refers to the specific functions or responsibilities that users have when interacting with the cryptographic module. The primary roles in FIPS mode include:
- Security Administrator
- FIPS user
The Security Administrator and FIPS users perform all configuration tasks for Junos OS in FIPS mode and issue all statements and commands. Security Administrator and FIPS user configurations must meet the requirements for Junos OS in FIPS mode.
The Junos OS in non-FIPS mode provides a wide range of capabilities for users and supports identity-based authentication.
- Security Administrator Role and Responsibilities
- FIPS User Role and Responsibilities
- What Is Expected of all FIPS Users
Security Administrator Role and Responsibilities
The Security Administrator role is associated with the defined login class security-admin. A Security Administrator has the necessary permissions to perform all tasks to manage Junos OS. The system requires administrative users (Security Administrators) to provide unique identification and authentication data before granting any administrative access.
We recommend that the Security Administrator follows security measures such as keeping passwords secure and checking audit files.
The permissions that distinguish the Security Administrator from other FIPS users are secret, security, maintenance, and control. The Security Administrator has the login class that contains all these permissions.
The Security Administrator role is crucial for maintaining the integrity and security of the system, especially in environments that require adherence to stringent federal security standards.
The Security Administrator has the following responsibilities:
- Administer locally and remotely.
- Create, modify, and delete user accounts, including configuration of authentication failure parameters.
- Re-enable a user account.
- Configure and maintain cryptographic elements related to the establishment of secure connections to and from the evaluated product.
- Reset user passwords with FIPS-approved algorithms.
- Examine log and audit files for events of interest.
- Erase user-generated files, keys, and data by zeroizing the device.
FIPS User Role and Responsibilities
A FIPS user is defined as any user who does not have the secret, security, maintenance, and control permissions.
All FIPS users, including the Security Administrator, can view the configurations in the system. However, only the user assigned as the Security Administrator can modify the configurations. All FIPS users can view status output, but only the Security Administrator can reboot or zeroize the device.
What Is Expected of all FIPS Users
All FIPS users, including the Security Administrator, must always follow the security guidelines and ensure that they:
- Keep all passwords confidential.
- Store devices and documentation in a secure area.
- Deploy devices in secure areas.
- Check audit files periodically.
- Conform to all other FIPS 140-3 security rules.
- Ensure device security at all times.
Configure Security Administrator Login Access
Junos OS in FIPS mode offers a finer granularity of user permissions than those mandated by FIPS 140-3. For FIPS 140-3 compliance, any FIPS user with the secret, security, maintenance, and control permissions is a Security Administrator. In most cases, the super-user class suffices for the Security Administrator.
Junos OS login classes define the access privileges and permissions for using CLI commands and statements. For details, see Login Classes Overview.
To configure login access for a Security Administrator:
Configure FIPS User Login Access
As a Security Administrator, you can create FIPS users. The system does not permit FIPS users to have the permissions that are given to the Security Administrator only—for example, the permission to zeroize the system.
To configure login access for a FIPS user:
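As an added example (not from the Junos documentation or from Juniper), the following Python script applies the role rule stated above to a login configuration captured in `show configuration | display set` form and reports which users are Security Administrators by virtue of their login class, which are plain FIPS users, and which sit on a class that grants only some of the four administrator-only permissions. The sample configuration, class names, and user names are constructed for illustration.

```python
import re
from collections import defaultdict

# Per this page: a login class holding all four of these permissions makes
# its users Security Administrators; any other user is a FIPS user.
SECADMIN_PERMISSIONS = {"secret", "security", "maintenance", "control"}
# Predefined Junos class super-user carries the "all" permission flag.
PREDEFINED_CLASSES = {"super-user": {"all"}}

# Constructed sample in "show configuration | display set" form; not from a real device.
SAMPLE_CONFIG = """\
set system login class security-admin permissions secret
set system login class security-admin permissions security
set system login class security-admin permissions maintenance
set system login class security-admin permissions control
set system login class fips-audit permissions view
set system login class fips-audit permissions view-configuration
set system login class fips-audit permissions maintenance
set system login user fipsadmin class security-admin
set system login user auditor class fips-audit
set system login user ops class super-user
"""

CLASS_RE = re.compile(r"^set system login class (\S+) permissions (\S+)$")
USER_RE = re.compile(r"^set system login user (\S+) class (\S+)$")

def parse_login_config(text):
    """Return ({class: permissions}, {user: class}) from display-set lines."""
    classes = defaultdict(set, {k: set(v) for k, v in PREDEFINED_CLASSES.items()})
    users = {}
    for line in text.splitlines():
        if m := CLASS_RE.match(line.strip()):
            classes[m.group(1)].add(m.group(2))
        elif m := USER_RE.match(line.strip()):
            users[m.group(1)] = m.group(2)
    return classes, users

def role_for_permissions(perms):
    """'security-admin' if all four (or 'all'), 'partial' if only some, else 'fips-user'."""
    if "all" in perms or SECADMIN_PERMISSIONS <= perms:
        return "security-admin"
    if SECADMIN_PERMISSIONS & perms:
        return "partial"  # worth reviewing: class grants some admin-only permissions
    return "fips-user"

def classify_users(text):
    """Map each configured user to the FIPS role implied by its login class."""
    classes, users = parse_login_config(text)
    return {user: role_for_permissions(classes.get(cls, set())) for user, cls in users.items()}
```

Run it against a real `display set` capture to confirm that only the intended accounts resolve to `security-admin` and that no class lands in `partial`.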