Understanding the Operational Environment for Junos OS Evolved in FIPS Mode

A Juniper Networks router running the Juniper Networks Junos operating system (Junos OS) Evolved in FIPS mode provides an enhanced software operational environment that is different from the environment of a device in non-FIPS mode.

Software Environment for Junos OS Evolved in FIPS Mode

The Junos OS Evolved in FIPS mode software environment is established after the Crypto Officer successfully enables FIPS mode on a device. The Junos OS Evolved release that includes FIPS mode is available on the Juniper Networks website and can be configured on a functioning router.

Passwords must be at least 10 characters long and must use at least three of the five defined character sets (uppercase and lowercase letters, digits, punctuation marks, and keyboard characters, such as % and &, not included in the other four categories). All passwords and keys used to authenticate peers must be at least 10 characters in length, and in some cases the length must match the digest size.
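The password rule above, written as a pre-check that can be run on candidate passwords before they are configured. This is an added example, not Juniper code: the function names and the split between "punctuation marks" and "other keyboard characters" are assumptions, because the page does not enumerate the sets.

```python
import string

MIN_LENGTH = 10   # minimum password length stated on the page
MIN_CLASSES = 3   # at least three of the five character sets

# Assumption: the page does not list which symbols are "punctuation marks"
# and which are "other keyboard characters"; this split is illustrative.
PUNCTUATION = set(".,;:!?'\"-()[]{}")
OTHER = set(string.punctuation) - PUNCTUATION   # e.g. % & # $ @ ^ * + = ~


def char_class(ch):
    """Map one character to its character set, or None if it is not counted."""
    if ch in string.ascii_uppercase:
        return "uppercase"
    if ch in string.ascii_lowercase:
        return "lowercase"
    if ch in string.digits:
        return "digit"
    if ch in PUNCTUATION:
        return "punctuation"
    if ch in OTHER:
        return "other"
    return None   # whitespace, control and non-ASCII characters


def classes_used(password):
    """Return the set of character-set names that appear in the password."""
    return {c for c in map(char_class, password) if c is not None}


def check_password(password):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} is below {MIN_LENGTH}")
    used = classes_used(password)
    if len(used) < MIN_CLASSES:
        names = ", ".join(sorted(used)) or "none"
        problems.append(f"uses {len(used)} character sets ({names}), needs {MIN_CLASSES}")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ["Short1!", "alllowercaseletters", "route%reflector&9"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```
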

Note:

Do not attach the router to a network until the Crypto Officer completes configuration from the local console connection.

For strict compliance, do not examine core and crash dump information on the local console in Junos OS Evolved in FIPS mode because some CSPs might be shown in plain text.

Critical Security Parameters

Critical security parameters (CSPs) are security-related information such as cryptographic keys and passwords that can compromise the security of the cryptographic module or the security of the information protected by the module if they are disclosed or modified.

Zeroization of the system erases all traces of CSPs in preparation for operating the router or Routing Engine as a cryptographic module.

Best Practice:

For FIPS compliance, configure the device over SSH connections because they are encrypted connections.

Local passwords are hashed with the SHA256 or SHA512 algorithm. Junos OS Evolved in FIPS mode cannot boot into single-user mode without the correct root password.