Operational Environment for Junos OS in FIPS Mode
A Juniper Networks device with Junos OS in FIPS mode creates a hardware and software operational environment different from the environment of a device in non-FIPS mode.
Hardware Environment for Junos OS in FIPS Mode
Junos OS in FIPS mode establishes a cryptographic boundary in the device, preventing any CSP (critical security parameter) from crossing that boundary in plain text. Every hardware component that requires a cryptographic boundary for FIPS 140-3 compliance acts as a separate cryptographic module. Junos OS in FIPS mode defines two types of cryptographic boundary: one around each Routing Engine and another around the entire chassis.
Cryptographic methods are not a substitute for physical security. You must place the hardware in a secure physical environment. All users are responsible for keeping keys and passwords secret and for preventing unauthorized personnel from viewing any written record of them.
Software Environment for Junos OS in FIPS Mode
A Juniper Networks device with Junos OS in FIPS mode provides a non-modifiable operational environment. To achieve this environment, the system prevents the execution of any binary file that was not part of the certified Junos OS in FIPS mode distribution. A device in FIPS mode can run only the certified Junos OS image.
The Security Administrator establishes the software environment for Junos OS in FIPS mode after successfully enabling FIPS mode on the device. The Juniper Networks website hosts the Junos OS image that includes FIPS mode, and you can install that image on a functioning device.
For FIPS 140-3 compliance, we recommend you delete all user-created files and data by zeroizing the device before enabling FIPS mode.
Enabling FIPS mode disables many of the usual Junos OS protocols and services. You cannot configure the following services in Junos OS in FIPS mode:
finger
ftp
rlogin
telnet
tftp
xnm-clear-text
Attempts to configure these services, or to load a configuration that contains them, result in a configuration syntax error. SSH is the only remote access service you can use.
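Because a configuration that still contains any of these services fails to load with a syntax error, it is worth checking a candidate configuration before committing it on a FIPS-mode device. The following script is an added example, not part of the Juniper documentation or of Junos OS itself: it scans a set-format configuration for the six services listed above, reports each offending statement, returns a copy with those statements removed, and confirms that SSH (the only permitted remote access service) remains enabled. The sample configuration embedded in the script is constructed for the example.

```python
import re

# Services that Junos OS in FIPS mode rejects at configuration time
# (the list given in the documentation above).
FIPS_DISALLOWED_SERVICES = ("finger", "ftp", "rlogin", "telnet", "tftp", "xnm-clear-text")

# Matches a set-format statement under [edit system services] and captures the
# service name, e.g. "set system services telnet" or
# "set system services ftp connection-limit 10" (captures "telnet" / "ftp").
_SERVICE_RE = re.compile(r"^\s*set\s+system\s+services\s+(\S+)(?:\s|$)")

# Constructed sample candidate configuration (not a real device's config):
# SSH and NETCONF-over-SSH are fine, telnet/ftp/xnm-clear-text are not.
SAMPLE_CONFIG = """\
set system host-name fips-router
set system services ssh
set system services ssh root-login deny
set system services telnet
set system services ftp
set system services xnm-clear-text
set system services netconf ssh
""".splitlines()


def audit_config(config_lines):
    """Audit a set-format configuration for services disallowed in FIPS mode.

    Returns (violations, hardened):
      violations: list of (line_number, service, statement) for every
                  statement that would produce a syntax error in FIPS mode.
      hardened:   the configuration with those statements removed.
    """
    violations = []
    hardened = []
    for lineno, line in enumerate(config_lines, start=1):
        match = _SERVICE_RE.match(line)
        if match and match.group(1) in FIPS_DISALLOWED_SERVICES:
            violations.append((lineno, match.group(1), line.strip()))
            continue  # drop the statement from the hardened copy
        hardened.append(line)
    return violations, hardened


def has_ssh_access(config_lines):
    """True if SSH, the only remote access service allowed in FIPS mode, is enabled."""
    for line in config_lines:
        match = _SERVICE_RE.match(line)
        if match and match.group(1) == "ssh":
            return True
    return False


if __name__ == "__main__":
    violations, hardened = audit_config(SAMPLE_CONFIG)
    for lineno, service, statement in violations:
        print(f"line {lineno}: '{service}' is not allowed in FIPS mode -> {statement}")
    if not has_ssh_access(hardened):
        print("warning: no SSH service configured; no remote access will be available")
    print("--- hardened configuration ---")
    print("\n".join(hardened))
```

Run the script against the output of `show configuration | display set` saved to a file (replace `SAMPLE_CONFIG` with the file's lines) before loading that configuration on the device; the statements it reports are exactly the ones the device would reject.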
All passwords established for users after the upgrade to Junos OS in FIPS mode must conform to the specifications for Junos OS in FIPS mode. For more information, see Password Specifications and Guidelines for Junos OS in FIPS Mode.
Avoid attaching the device to a network until the Security Administrator completes configuring the device using the local console connection.
For strict compliance while using Junos OS in FIPS mode, avoid examining core and crash file information on the local console, because that information can include CSPs in plain text.