Overview of Roles and Services for Junos OS Evolved in FIPS

Junos OS Evolved provides a wide range of capabilities for identity-based users. In FIPS mode, these capabilities are typically grouped so that each identity-based user is assigned one of two user roles: Security Administrator or FIPS user. Both roles are defined in terms of Junos OS Evolved user capabilities. The Security Administrator may also create additional roles consistent with the operational guidelines of their organization. Such additional roles might grant specific permissions to particular Junos OS Evolved commands, as is useful for roles such as Security Officer, Audit Officer, and any other administrative role it may be prudent to delegate. The creation of other administrative roles is outside the scope of this guide.

Any role that is intended to interact with the FIPS modules should fall into the class of either the Security Administrator role or the FIPS user role, or be a subset of the Security Administrator role as determined by the local policies of the organization using the device.

The Security Administrator performs all FIPS-mode-related configuration tasks and issues all statements and commands for Junos OS Evolved in FIPS mode. Both the Security Administrator and FIPS user configurations must follow the guidelines for Junos OS Evolved in FIPS mode.

Security Administrator Role and Responsibilities

The Security Administrator is the person responsible for enabling, configuring, monitoring, and maintaining Junos OS Evolved in FIPS mode on a router. The Security Administrator securely installs Junos OS Evolved on the device, enables FIPS mode, establishes keys and passwords for other users and software modules, and initializes the device before connecting it to the network.

The permissions that distinguish the Security Administrator from other FIPS users are secret, security, maintenance, and control. For FIPS compliance, assign the Security Administrator to a login class that contains all of these permissions. A user with the Junos OS Evolved maintenance permission can read sensitive files containing private information on the configuration of the device.

Note:

There is no relationship between the FIPS 140-3 maintenance mode and the similarly named Junos OS Evolved maintenance permission.
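As an added illustration (not configuration from the original page), the login-class assignment described above expressed as Junos set commands. The class names `security-admin` and `fips-user`, the user names `sec-admin` and `fips-operator`, and the `view`/`view-configuration` permissions chosen for the FIPS user class are assumptions for this example; only the four Security Administrator permissions come from the text. Lines beginning with `#` are explanatory annotations, not commands.

```junos
# Security Administrator: login class carrying all four permissions that
# distinguish this role from other FIPS users (secret, security,
# maintenance, control). Names are assumed for this example.
set system login class security-admin permissions [ secret security maintenance control ]
set system login user sec-admin class security-admin
set system login user sec-admin authentication plain-text-password

# Ordinary FIPS user: a read-only class that can view configuration and
# status output but carries none of the four Security Administrator
# permissions, so it cannot read the sensitive files that the maintenance
# permission exposes.
set system login class fips-user permissions [ view view-configuration ]
set system login user fips-operator class fips-user
set system login user fips-operator authentication plain-text-password
```

The `plain-text-password` statements prompt for a password when committed; before committing, confirm with `show system login class security-admin` that the class lists all four permissions and that no other class grants them.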

Among the tasks related to Junos OS Evolved in FIPS mode, the Security Administrator is expected to:

  • Set the initial root password. The password must be at least 10 characters long.

  • Examine log and audit files for events of interest.

FIPS User Role and Responsibilities

All FIPS users who belong to the operator, read-only, or super-user class, including the Security Administrator, can view the configuration. Only the user assigned as the Security Administrator can modify the configuration.

A FIPS user can view status output but cannot reboot or zeroize the device.

What Is Expected of All FIPS Users

All FIPS users, including the Security Administrator, must observe security guidelines at all times.

All FIPS users must:

  • Keep all passwords confidential.

  • Store routers and documentation in a secure area.

  • Deploy routers or switches in secure areas.

  • Check audit files periodically.

  • Conform to all other FIPS 140-3 security rules.

  • Follow these guidelines:

    • Users are trusted.

    • Users abide by all security guidelines.

    • Users do not deliberately compromise security.

    • Users behave responsibly at all times.