Understanding Roles and Services for Junos OS Evolved in FIPS
Junos OS Evolved allows a wide range of capabilities for identity-based users. In FIPS mode, these capabilities are typically grouped so that each identity-based user is assigned one of two user roles: Crypto Officer and FIPS user. These roles are defined in terms of Junos OS Evolved user capabilities. The Crypto Officer may also choose to create additional roles consistent with the operational guidelines of their organization. Such additional roles might grant specific permissions to various Junos OS Evolved commands, as is useful for roles such as Security Officer, Audit Officer, and any other administrative role that it may be prudent to delegate. The creation of other administrative roles is outside the scope of this guide.
Any role that is intended to interact with the FIPS modules should fall into the class of either the Crypto Officer role or the FIPS user role, or a subset of the Crypto Officer role as determined by the local policies of the organization using the device.
The Crypto Officer performs all FIPS-mode-related configuration tasks and issues all statements and commands for Junos OS Evolved in FIPS mode. Crypto Officer and FIPS user configurations must follow the guidelines for Junos OS Evolved in FIPS mode.
Crypto Officer Role and Responsibilities
The Crypto Officer is the person responsible for enabling, configuring, monitoring, and maintaining Junos OS Evolved in FIPS mode on a router. The Crypto Officer securely installs Junos OS Evolved on the device, enables FIPS mode, establishes keys and passwords for other users and software modules, and initializes the device before network connection.
The permissions that distinguish the Crypto Officer from other FIPS users are secret, security, maintenance, and control.
For FIPS compliance, assign the Crypto Officer to a login class that contains all of these permissions. A user with the Junos OS Evolved maintenance permission can read sensitive files containing private information on the configuration of the device.
There is no relationship between the FIPS 140-3 maintenance mode and the similarly named Junos OS Evolved maintenance permission.
Among the tasks related to Junos OS Evolved in FIPS mode, the Crypto Officer is expected to:
Set the initial root password. The password should be at least 10 characters long.
Examine log and audit files for events of interest.
Erase user-generated files, keys, and data by zeroizing the device.
FIPS User Role and Responsibilities
All FIPS users, including the Crypto Officer, can view the configuration. Only the user assigned as the Crypto Officer can modify the configuration.
A FIPS user can view status output but cannot reboot or zeroize the device.
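The following set-format configuration is an added illustration of the two roles described above and is not taken from the Juniper documentation: one login class carrying all four Crypto Officer permissions beside a view-only class for FIPS users. The class names, user names and the deny-commands pattern are assumptions; the permission flags are standard Junos login-class flags.

```junos
# Added example, not from the Juniper page. Class and user names are assumptions.

# Crypto Officer: the four permissions the guide names (secret, security,
# maintenance, control). The maintenance flag exposes sensitive files, so
# this class is reserved for the Crypto Officer alone.
set system login class fips-crypto-officer permissions [ secret security maintenance control ]
set system login user co-admin class fips-crypto-officer
# plain-text-password prompts interactively for the password at commit time.
set system login user co-admin authentication plain-text-password

# FIPS user: can view status output and the configuration, but holds none of
# the four Crypto Officer permissions and so cannot modify the configuration.
set system login class fips-user permissions [ view view-configuration ]
# Explicitly deny reboot and zeroize (assumption: belt-and-braces, since both
# commands already require the maintenance permission this class lacks).
set system login class fips-user deny-commands "(request system zeroize|request system reboot)"
set system login user fips-operator class fips-user
set system login user fips-operator authentication plain-text-password
```

After committing, verify the effective permissions of each account with `show cli authorization` while logged in as that user.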
What Is Expected of All FIPS Users
All FIPS users, including the Crypto Officer, must observe security guidelines at all times.
All FIPS users must:
Keep all passwords confidential.
Store routers and documentation in a secure area.
Deploy routers or switches in secure areas.
Check audit files periodically.
Conform to all other FIPS 140-3 security rules.
Follow these guidelines:
Users are trusted.
Users abide by all security guidelines.
Users do not deliberately compromise security.
Users behave responsibly at all times.