Understanding Junos OS in FIPS Mode

Supported Platforms

For the features described in this document, the following platforms are supported to qualify NDcPPv2.2e:

• EX4300-48MP (https://www.juniper.net/us/en/products/switches/ex-series/ex4300-multigigabit-enterprise-switch.html)

About the Cryptographic Boundary on Your Device

FIPS 140-3 compliance requires a defined cryptographic boundary around each cryptographic module on a device. Junos OS in FIPS mode prevents the cryptographic module from executing any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic boundary of the module in unencrypted format.

For the Juniper Networks switches that are certified at FIPS-140-3 Level 1, the cryptographic boundary of the module is determined by the chassis type. For a list of FIPS-certified switches and the cryptographic boundary of each switch, see Table 1.

Table 1: Cryptographic Boundaries on FIPS-Certified Switches

Switch	Chassis Type	Cryptographic Boundary
EX4300-48MP	Fixed configuration	Switch case

How FIPS Mode Differs from Non-FIPS Mode

Junos OS in FIPS mode differs in the following ways from Junos OS in non-FIPS mode:

• Self-tests of all cryptographic algorithms are performed at startup.

• Self-tests of random number and key generation are performed continuously.

• Weak cryptographic algorithms such as Data Encryption Standard (DES) and MD5 are disabled.

• Weak or unencrypted management connections must not be configured.

• Passwords must be encrypted with strong one-way algorithms that do not permit decryption.

• Administrator passwords must be at least 10 characters long.

Validated Version of Junos OS in FIPS Mode

To determine whether a Junos OS release is NIST-validated, see the compliance page on the Juniper Networks Web site (https://apps.juniper.net/compliance/).