FIPS Mode Roles and Services for Junos OS

Learn about FIPS mode roles and services for Junos OS.

FIPS Mode Roles and Services

In FIPS mode, a role is the set of functions and responsibilities a user has when interacting with the cryptographic module. Junos OS in FIPS mode defines two roles:

  1. Security Administrator role
  2. FIPS user role

Between them, these two roles cover every configuration task, statement, and command issued on Junos OS in FIPS mode; there are no other roles. Both Security Administrator and FIPS user accounts must be configured according to the Junos OS in FIPS mode guidelines.

In non-FIPS mode, Junos OS allows a much wider range of user capabilities, and authentication is identity-based rather than role-based.

Security Administrator Role and Responsibilities

The Security Administrator role is associated with the defined login class security-admin. Security Administrator has the necessary permissions to perform all tasks necessary to manage Junos OS. The system requires administrative users (Security Administrator) to provide unique identification and authentication data before granting any administrative access.

Best Practice:

We recommend that the Security Administrator administer the system in a secure manner by keeping passwords secure and checking audit files.

The permissions that distinguish the Security Administrator from other FIPS users are secret, security, maintenance, and control permissions. The Security Administrator has the login class that contains all these permissions.

The Security Administrator role is crucial for maintaining the integrity and security of the system, especially in environments that require adherence to stringent federal security standards.

The Security Administrator roles and responsibilities are as follows:

  1. Administer locally and remotely.

  2. Create, modify, and delete user accounts, including configuration of authentication failure parameters.

  3. Re-enable a user account.

  4. Configure and maintain cryptographic elements related to the establishment of secure connections to and from the evaluated product.

  5. Reset user passwords with FIPS-approved algorithms.

  6. Examine log and audit files for events of interest.

  7. Erase user-generated files, keys, and data by zeroizing the device.

FIPS User Role and Responsibilities

A FIPS user is any user whose login class does not include the secret, security, maintenance, and control permissions.

All FIPS users, including the Security Administrator, can view the configuration. Only the Security Administrator can modify it. A FIPS user can view status output but cannot reboot or zeroize the device, because both operations require the maintenance permission that FIPS user classes lack.

What Is Expected of All FIPS Users

All FIPS users, including the Security Administrator, must always observe security guidelines and they must:

  • Keep all passwords confidential.

  • Store devices and documentation in a secure area.

  • Deploy devices in secure areas.

  • Check audit files periodically.

  • Conform to all other FIPS 140-3 security rules.

  • Remain responsible for the security of the device at all times.

Configure Security Administrator Login Access

Junos OS login classes offer a finer granularity of user permissions than FIPS 140-3 requires. For FIPS 140-3 compliance, any user whose class includes the secret, security, maintenance, and control permissions is a Security Administrator, regardless of the class name. In most cases the predefined super-user class, which carries all permissions, suffices for the Security Administrator.

Junos OS login classes define access privileges, that is, the permissions to use CLI commands and configuration statements. For details, see Login Classes Overview.

To configure login access for a Security Administrator:

  1. Log in to the device with the root password and enter configuration mode.
  2. Name the user security-administrator and assign a user ID (for example, 6400; the ID must be a number in the range 100 through 64000 that is unique to this login account) and a login class (for example, super-user). The class determines the permissions: super-user includes the secret, security, maintenance, and control permissions that define the Security Administrator.
  3. Assign the Security Administrator a plain-text password for login authentication that meets the rules in Password Specifications and Guidelines for Junos OS in FIPS Mode. You set the password by typing it at the New password and Retype new password prompts; only the hashed form is stored in the configuration.
  4. Optionally, display the configuration to verify the user ID, class, and that the password is stored hashed.
  5. When you have finished configuring the device, commit the changes and exit configuration mode.

Configure FIPS User Login Access

As a Security Administrator, you can create FIPS users. The system does not permit FIPS users to have the permissions usually given to the Security Administrator—for example, the permission to zeroize the system.

To configure login access for a FIPS user:

  1. Log in to the device with your Security Administrator password and enter configuration mode.
  2. Give the user a username and assign a user ID (for example, 6401; the ID must be a number in the range 100 through 64000 that is unique to this login account) and a login class. The class determines the permissions, for example clear, network, reset, view, and view-configuration. The class must not include any of the secret, security, maintenance, and control permissions; a user who holds all four is a Security Administrator, not a FIPS user.
  3. Following the guidelines in Password Specifications and Guidelines for Junos OS in FIPS Mode, assign the FIPS user a plain-text password for login authentication. You set the password by typing it at the New password and Retype new password prompts.
  4. Optionally, display the configuration to verify the user ID and class.
  5. When you have finished configuring the device, commit the changes and exit configuration mode.
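The two procedures above (Security Administrator and FIPS user), carried out in one configuration session, as an added example that is not part of the original page. The hostname, the user names security-administrator and fips-user1, the class name fips-user, and the UIDs 6400 and 6401 are assumed for illustration, the password hashes that show would print are replaced by the placeholder <hash>, and the command output is representative rather than copied from a device. super-user is a predefined Junos class that carries all permissions, including secret, security, maintenance, and control; the custom fips-user class lists only clear, network, reset, view, and view-configuration, so an account in it can read state and configuration but cannot change the configuration, reboot, or zeroize the device.

```junos
user@host> configure
Entering configuration mode

[edit]
user@host# set system login user security-administrator uid 6400 class super-user
user@host# set system login user security-administrator authentication plain-text-password
New password:
Retype new password:

[edit]
user@host# set system login class fips-user permissions [ clear network reset view view-configuration ]
user@host# set system login user fips-user1 uid 6401 class fips-user
user@host# set system login user fips-user1 authentication plain-text-password
New password:
Retype new password:

[edit]
user@host# show system login
class fips-user {
    permissions [ clear network reset view view-configuration ];
}
user fips-user1 {
    uid 6401;
    class fips-user;
    authentication {
        encrypted-password "<hash>"; ## SECRET-DATA
    }
}
user security-administrator {
    uid 6400;
    class super-user;
    authentication {
        encrypted-password "<hash>"; ## SECRET-DATA
    }
}

[edit]
user@host# commit and-quit
commit complete
Exiting configuration mode

user@host> exit

fips-user1@host> show cli authorization
Current user: 'fips-user1' login: 'fips-user1' class 'fips-user'
Permissions:
    clear       -- Can clear learned network information
    network     -- Can access the network
    reset       -- Can reset/restart interfaces and daemons
    view        -- Can view current values and statistics
    view-configuration-- Can view all configuration (not including secrets)
```

The final show cli authorization, run after logging in as the new account, lists the permissions the CLI actually granted and is the quickest check that a FIPS user did not inherit secret, security, maintenance, or control from its class. Run the same command as security-administrator to confirm that all four are present; a class that grants some but not all of them satisfies neither role definition on this page and should be corrected before the device is used in FIPS mode.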