Understanding Junos OS in FIPS Mode

Federal Information Processing Standards (FIPS) 140-3 defines four security levels for hardware and software that perform cryptographic functions. FIPS 140-3 compliance is a prerequisite for the evaluated configuration.

Operating SRX Series Firewalls in a FIPS 140-3 Level 2 compliant mode requires enabling and configuring FIPS mode on the device. The administrator enables and configures FIPS mode through the Junos OS command-line interface (CLI).

The Security Administrator enables FIPS mode in Junos OS Release 24.4R1 and sets up keys and passwords for the system and for other FIPS users, who can view the configuration. Both user types (the Security Administrator and FIPS users) can also perform normal configuration tasks on the device (such as modifying interface types) as the individual user configuration allows.

Best Practice:

Be sure to verify the secure delivery of your device and apply tamper-evident seals to its vulnerable ports.

About the Cryptographic Boundary on Your Device

FIPS 140-3 compliance requires a defined cryptographic boundary for each cryptographic module on a device. The cryptographic boundary is defined in the cryptographic documentation of the device. It is not configurable by the user. Junos OS in FIPS mode prevents the cryptographic module from running any software that is not part of the FIPS-certified distribution. Only FIPS-approved cryptographic algorithms can be used. Critical security parameters (CSPs), such as passwords and cryptographic keys, shall not cross the cryptographic boundary of the module by, for example, being displayed on a console or written to an external log file.

CAUTION:

Virtual Chassis features are not supported in FIPS mode. Do not configure a Virtual Chassis in the FIPS mode.

To physically secure the cryptographic module, all Juniper Networks devices require deployment of tamper-evident seals on the USB and mini-USB ports.

How FIPS Mode Differs from Non-FIPS Mode

Unlike Junos OS in non-FIPS mode, Junos OS in FIPS mode is a nonmodifiable operational environment. In addition, Junos OS in FIPS mode differs in the following ways from Junos OS in non-FIPS mode:

  • Self-tests of all cryptographic algorithms are performed at startup. The device shall not start if any of the self-tests fails.

  • Self-tests of random number and key generation are performed continuously.

  • Weak cryptographic algorithms such as Data Encryption Standard (DES) and MD5 are disabled.

  • Weak, remote, or unencrypted management connections must not be configured. However, the Target of Evaluation (TOE) allows local, unencrypted console access across all modes of operation.

  • Passwords are hashed with a cryptographically secure one-way function. It is not computationally feasible to recover the password from the hash value.

  • Junos-FIPS administrator passwords must be at least 10 characters long.

  • Cryptographic keys are encrypted before transmission.
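As an added illustration, and not Junos OS code or anything published by Juniper, the following Python models three of the behaviours just listed: power-on known-answer self-tests that must pass before the module comes up, a continuous test on the random number source, and the policy that disables weak algorithms (DES, MD5) and enforces a 10-character administrator password minimum. The known-answer values are the published SHA-256 test vector for "abc" and the RFC 4231 HMAC-SHA-256 test case 2; the PBKDF2-based storage format, salt size and iteration count are my own choices for the example and say nothing about how Junos stores passwords.

```python
"""Model of the FIPS-mode startup checks described above.

Added illustration, not Junos OS code. Uses only the standard library.
"""
import hashlib
import hmac
import os


class SelfTestFailure(RuntimeError):
    """A self-test failed: in FIPS mode the module must not start or continue."""


# Power-on known-answer tests (KATs): each algorithm must reproduce a
# published answer. Vectors: FIPS 180-4 SHA-256("abc") and RFC 4231 TC2.
KNOWN_ANSWERS = {
    "sha256": (
        lambda: hashlib.sha256(b"abc").hexdigest(),
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    ),
    "hmac-sha256": (
        lambda: hmac.new(b"Jefe", b"what do ya want for nothing?", "sha256").hexdigest(),
        "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843",
    ),
}


def run_power_on_self_tests(answers=KNOWN_ANSWERS):
    """Run every KAT in order; return the names that passed, or raise on the
    first failure so the caller refuses to bring the module up."""
    passed = []
    for name, (compute, expected) in answers.items():
        if not hmac.compare_digest(compute(), expected):
            raise SelfTestFailure(f"known-answer test failed: {name}")
        passed.append(name)
    return passed


class ContinuouslyTestedRng:
    """Wrap a random source with the classic continuous RNG test: every output
    block is compared with the previous one, and a repeat (a stuck generator)
    is treated as a failure. Simplified model of "tested continuously"."""

    def __init__(self, source=os.urandom, block_size=16):
        self._source = source
        self._block_size = block_size
        # The first block is only used for comparison and is never handed out.
        self._previous = source(block_size)

    def read(self):
        block = self._source(self._block_size)
        if block == self._previous:
            raise SelfTestFailure("continuous RNG test failed: repeated output block")
        self._previous = block
        return block


# Policy from the page: DES and MD5 disabled, passwords at least 10 characters.
APPROVED_HASHES = frozenset({"sha256", "sha384", "sha512"})
DISABLED_ALGORITHMS = frozenset({"md5", "des"})
MIN_PASSWORD_LENGTH = 10
PBKDF2_ITERATIONS = 100_000  # example choice, not a Junos value


def hash_password(password, algorithm="sha256", salt=None):
    """Store a password as PBKDF2 over an approved digest, one-way by design.
    Output format (my own): algorithm$salt_hex$digest_hex."""
    if algorithm in DISABLED_ALGORITHMS or algorithm not in APPROVED_HASHES:
        raise ValueError(f"algorithm not permitted in FIPS mode: {algorithm}")
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(algorithm, password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{algorithm}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash and compare in constant time; never decrypts anything."""
    algorithm, salt_hex, digest_hex = stored.split("$")
    if algorithm not in APPROVED_HASHES:
        return False
    candidate = hashlib.pbkdf2_hmac(
        algorithm, password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def module_startup(answers=KNOWN_ANSWERS):
    """Mimic power-on: the module is operational only if every KAT passes."""
    passed = run_power_on_self_tests(answers)
    return {"state": "operational", "self_tests": passed}


if __name__ == "__main__":
    print(module_startup())
    print(ContinuouslyTestedRng().read().hex())
    stored = hash_password("correct-horse-battery")
    print(verify_password("correct-horse-battery", stored))
```

The point of keeping the KAT table data-driven is that adding an algorithm to the module means adding a published vector for it; an algorithm with no vector cannot pass startup, which is the intended failure mode.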

The FIPS 140-3 standard is available for download from the National Institute of Standards and Technology (NIST) at https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf.

Validated Version of Junos OS in FIPS Mode

To determine whether a Junos OS release is FIPS-validated, see the compliance page on the Juniper Networks Web site (https://apps.juniper.net/compliance).