Applying Tamper-Evident Seals to the Cryptographic Module
The cryptographic modules physical embodiment is that of a multi-chip standalone device that meets Level 2 physical security requirements. The module is completely enclosed in a rectangular nickel or clear zinc coated, cold rolled steel, plated steel, and brushed aluminum enclosure. There are no ventilation holes, gaps, slits, cracks, slots, or crevices that would allow for any sort of observation of any component contained within the cryptographic boundary. Tamper-evident seals allow the operator to verify if the enclosure has been breached. These seals are not factory-installed and must be applied by the Cryptographic Officer.
Seals are available for order from Juniper Networks using part number JNPR-FIPS-TAMPER-LBLS.
As a Cryptographic Officer, you are responsible for:
Applying seals to secure the cryptographic module
Controlling any unused seals
Controlling and observing any changes, such as repairs or booting from an external USB drive to the cryptographic module, that require removing or replacing the seals to maintain the security of the module
As per the security inspection guidelines, upon receipt of the cryptographic module, the Cryptographic Officer must check that the labels are free of any tamper evidence.
General Tamper-Evident Seal Instructions
All FIPS-certified switches require a tamper-evident seal on the USB ports. While applying seals, follow these general instructions:
-
Handle the seals with care. Do not touch the adhesive side. Do not cut or otherwise resize a seal to make it fit.
-
Make sure all surfaces to which the seals are applied are clean and dry and clear of any residue.
-
Apply the seals with firm pressure across the seal to ensure adhesion. Allow at least 1 hour for the adhesive to cure.
Applying Tamper-Evident Seals on the SRX1600 Device
On SRX1600 devices, apply 14 tamper-evident seals at the following locations:
-
Front pane:
- Apply one seal on the left side of the power supply inlet vent holes (left of the front pane). Position the seal so that it extends from the top cover approximately one quarter overhang, the overhanging part is sealed onto the non hex vent hole part of the front pane.
- Apply one seal on the middle of the front pane. Position the seal so that it extends from the top cover to the top of the front faceplate above the center of the management ports without blocking the hex vent holes.
- Apply one seal on the right of the front pane. Position the seal so that it extends from the top cover to top of the front faceplate above the center of the cluster port and management port, without blocking the hex vent holes.
-
Access door on top cover:
- Apply two seals on top of the SSD access door on the top cover. Position the seal approximately at 45 degree angle so that two ends of the seal are applied on the top cover and the central portion of the seal is on the access door. Place the second seal in a parallel to cover the other diagonal of the access door.
-
Sides of chassis:
- Apply four seals on the sides of the system. Fold the seals twice so that the resulting three faces can be attached to the top cover, side of the chassis, and bottom of chassis. For each side, the two seals should cover the forth and seventh top cover side screws counting from the front faceplate. Repeat the same for the other side.
-
Rear pane:
- Apply a total of five seals on the rear faceplate.
- Fold the seals twice so that the seals so that the resulting three faces can be attached to the top cover, rear face of chassis, and bottom of chassis. Place the first seal along the centerline of the Power Supply Unit (PSU) 1 blank. Place the second seal on the left edge of PSU0 such that it does not block the airflow.
- Attach the seal onto Fan0’s screw on the rear face and bend it once so that the remaining face is attached to the top cover. Repeat the same step for Fan1 and Fan2.