Understanding Junos OS in FIPS Mode

Supported Platforms and Hardware

For the features described in this document, the following platform is used to qualify FIPS certification:

• PTX1000-72Q device

About the Cryptographic Boundary on Your Device

FIPS 140-3 compliance requires a defined cryptographic boundary around each cryptographic module on a device. Junos OS in FIPS mode prevents the cryptographic module from executing any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic boundary of the module in unencrypted format.

Table 1: Cryptographic Boundaries on FIPS-Certified PTX1000-72Q Router

Router	Chassis Type	Cryptographic Boundary
PTX1000-72Q	Fixed configuration	Router case

How FIPS Mode Differs from Non-FIPS Mode

Junos OS in FIPS mode differs in the following ways from Junos OS in non-FIPS mode:

• Self-tests of all cryptographic algorithms are performed at startup.

• Self-tests of random number and key generation are performed continuously.

• Weak cryptographic algorithms such as Data Encryption Standard (DES) and MD5 are disabled.

• Weak or unencrypted management connections must not be configured.

• Passwords must be encrypted with strong one-way algorithms that do not permit decryption.

• Administrator passwords must be at least 10 characters long.

Validated Version of Junos OS in FIPS Mode

To determine whether a Junos OS release is NIST-validated, see the compliance page on the Juniper Networks Web site (https://apps.juniper.net/compliance/).