Junos OS Evolved in FIPS Mode Overview

Federal Information Processing Standards (FIPS) 140-3 defines security levels for hardware, firmware, and software that perform cryptographic functions. The Juniper Networks PTX devices running the Junos Evolved operating system (Junos OS Evolved) in FIPS mode comply with the FIPS 140-3 Level 1 standard within a modifiable operational environment.

Operating PTX devices in a FIPS 140-3 Level 1 environment requires enabling and configuring FIPS mode on the devices from the Junos OS Evolved command-line interface (CLI).

Supported Modules

The following cryptographic modules are supported on PTX10003 devices:

  • Juniper Linux Kernel Cryptographic Module version 2.0

  • Juniper OpenSSL Cryptographic Module version 3.0

  • Juniper MACsec Cryptographic Module version 1.2

These modules enter FIPS mode only after the self-tests and the integrity check pass and the FIPS mode level is set.

About the Cryptographic Boundary on Your Device

FIPS 140-3 compliance requires a defined cryptographic boundary around each cryptographic module on a device. Junos OS Evolved in FIPS mode defines three cryptographic boundaries: Kernel, OpenSSL, and MACsec. When operating in an approved mode of operation, these programs, and any programs that access elements inside these cryptographic boundaries, should use only the approved configurations specified in this guide to maintain FIPS 140-3 compliance. No critical security parameters (CSPs) are allowed outside the cryptographic boundary, and any CSPs are zeroized when the software comprising the cryptographic boundary is terminated.

How FIPS Mode Differs from Non-FIPS Mode

Junos OS Evolved in FIPS mode differs in the following ways from Junos OS Evolved in non-FIPS mode:

  • Self-tests of all cryptographic algorithms are performed at program startup. If a self-test fails, the cryptographic module is terminated.

  • Self-tests of random number and key generation are performed continuously.

  • Weak or unencrypted management connections must not be configured.
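
The startup and continuous self-test behavior listed above can be sketched as follows. This is an added illustration, not Juniper code: `ToyCryptoModule`, its state names, and the repeated-block check are assumptions chosen to show the pattern, and the repeated-block check is a simplified stand-in for a real continuous health test.

```python
import hashlib
import os

# Known-answer vectors for SHA-256 (published standard test values).
SHA256_KATS = [
    (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    (b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]


class SelfTestError(Exception):
    """Raised when a self-test fails; the module stays terminated afterwards."""


class ToyCryptoModule:
    """Hypothetical module wrapper used only for this illustration."""

    def __init__(self, digest=lambda m: hashlib.sha256(m).hexdigest(), rng=os.urandom):
        self._digest, self._rng = digest, rng
        self.state = "uninitialized"
        self._last_block = None

    def _fail(self, reason):
        self.state = "terminated"   # no further crypto services after a failure
        self._last_block = None     # drop retained sensitive state
        raise SelfTestError(reason)

    def power_on_self_test(self):
        """Startup KAT: every vector must match before services are offered."""
        for message, expected in SHA256_KATS:
            if self._digest(message) != expected:
                self._fail("SHA-256 known-answer test failed")
        self.state = "operational"

    def random_block(self, size=16):
        """Continuous test: refuse output if the generator repeats a block."""
        if self.state != "operational":
            raise SelfTestError("module is not operational: " + self.state)
        block = self._rng(size)
        if block == self._last_block:
            self._fail("random generator produced a repeated block")
        self._last_block = block
        return block
```

Injecting a faulty `digest` or a stuck `rng` into the constructor shows the failure path: the module moves to `terminated` and rejects every later request.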

Validated Version of Junos OS Evolved in FIPS Mode

To determine whether a Junos OS Evolved release is FIPS 140-3 Level 1 certified, see the compliance page on the Juniper Networks Web site (https://apps.juniper.net/compliance/fips.html).