Juniper Networks SSG 320M and 350M Security Policy
On failure of any self-test, the module enters and stays in a permanent error state with the following
characteristics:
The console displays an error message of the format: “XXX test failed: error code N”.
The status LED flashes red.
All traffic processing halts.
The module must be power cycled to return to operation.
Bypass tests are performed as a conditional test. The bypass state occurs when the administrator
configures the module with a non-VPN policy and an incoming packet whose source address,
destination address and service match this policy arrives at the network port. The bypass-enabled
status can be found by retrieving the entire policy list. Two internal conditions must hold in order for
bypass to happen: (1) a non-VPN policy is matched for this traffic, and (2) a routing table entry exists
for the traffic that matches this non-VPN policy.
For every use of the module’s random number generator, a continuous RNG self-test is performed.
Note that this is performed on both the FIPS approved RNG and the non-FIPS approved RNG.
At any time the cryptographic module is in an idle state, the operator may command the device to
perform the self-tests.
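To illustrate the per-use continuous RNG test and the permanent error state described above, here is an added example (not Juniper code). It assumes a 16-byte comparison block and error code 1, and uses os.urandom as a stand-in for the module's ANSI X9.31 DRNG:

```python
# Added example (not Juniper code): a model of the FIPS 140-2 continuous RNG
# test that the policy says runs on every RNG use, plus the permanent error
# state it describes (console message, traffic halted, power cycle to recover).
# Assumed: a 16-byte comparison block and error code 1; os.urandom stands in
# for the module's ANSI X9.31 DRNG.
import os
from typing import Callable, Optional

BLOCK_LEN = 16  # assumed size of the blocks compared by the continuous test


class ModuleError(Exception):
    """Raised for any RNG use while the module is in its error state."""


class RngWithContinuousTest:
    def __init__(self, source: Callable[[int], bytes] = os.urandom):
        self._source = source
        self.power_cycle()

    def power_cycle(self) -> None:
        # Only a power cycle returns the module to operation, per the policy.
        self._last: Optional[bytes] = None
        self.error_state = False
        self.error_message: Optional[str] = None
        self.traffic_enabled = True

    def _fail(self, test: str, code: int) -> None:
        # Console format "XXX test failed: error code N"; all traffic halts.
        self.error_state = True
        self.error_message = f"{test} test failed: error code {code}"
        self.traffic_enabled = False
        raise ModuleError(self.error_message)

    def _next_block(self) -> bytes:
        if self._last is None:
            # The first block after power-up is only saved for comparison.
            self._last = self._source(BLOCK_LEN)
        block = self._source(BLOCK_LEN)
        if block == self._last:
            # Identical consecutive blocks indicate a stuck or failed generator.
            self._fail("Continuous RNG", 1)
        self._last = block
        return block

    def random_bytes(self, n: int) -> bytes:
        """Return n random bytes, testing every block the generator produces."""
        if self.error_state:
            raise ModuleError(self.error_message)
        out = b""
        while len(out) < n:
            out += self._next_block()
        return out[:n]
```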
FIPS Approved Algorithms
The following FIPS approved algorithms are supported by the security appliance:
DSA, ECDSA Sign/Verify
SHA-1, SHA-256
Triple-DES (CBC)
AES (CBC)
HMAC-SHA-1, HMAC-SHA-256
RSA Sign/Verify (PKCS #1)
ANSI X9.31 DRNG
The module supports the following communication protocols which are allowed in FIPS mode:
SSL v3.1
SSH v2
IPSec
Non-FIPS Approved Algorithms
The following non-approved algorithms are allowed in FIPS mode:
DH (key agreement, key establishment methodology provides 97 or 112 bits of strength)
Elliptic Curve Diffie-Hellman (key establishment methodology provides 128 bits of