Juniper SSG 320M User Manual

Juniper Networks SSG 320M and 350M Security Policy
The image download takes at least 23 seconds, so there can be no more than 3 download tries within
one minute. Therefore, the random success rate for multiple retries is
1/(2^80) + 1/(2^80) + 1/(2^80) = 3/(2^80), which is far less than 1/100,000.
Enabling FIPS mode
The module can be set to FIPS mode only through the CLI. To set the module to FIPS mode, execute
the set FIPS-mode enable command through the CLI. This command will zeroize and reset the
device. When prompted, confirm that the configuration should be saved and the device reset.
Determining the current mode
To check whether the device is in FIPS mode, enter the get system CLI command:
ns-> get system
Product Name: ns5200
Serial Number: 0099122004000991, Control Number: 00000000, Mode: FIPS
Hardware Version: 0110(0)-(12), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 6.3.0r6.0, Type: Firewall+VPN
Base Mac: 0010.db90.f770
File Name: ns5200.6.3.0r6.0, Checksum: 48e3d429
The current mode appears on the second line of the output.
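
The check described above, as an added example that is not part of the Juniper document: a Python parser for captured get system output that reports whether the Mode field reads FIPS and treats a missing field as unknown rather than compliant. The function names and the placeholder non-FIPS value are assumptions.

```python
import re

# The `get system` output shown above, embedded as captured text.
SAMPLE_FIPS = """\
ns-> get system
Product Name: ns5200
Serial Number: 0099122004000991, Control Number: 00000000, Mode: FIPS
Hardware Version: 0110(0)-(12), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 6.3.0r6.0, Type: Firewall+VPN
Base Mac: 0010.db90.f770
File Name: ns5200.6.3.0r6.0, Checksum: 48e3d429
"""
# Constructed samples. "PLACEHOLDER" is not real device output: the page does
# not show what the Mode field reads outside FIPS mode.
SAMPLE_OTHER = SAMPLE_FIPS.replace("Mode: FIPS", "Mode: PLACEHOLDER")
SAMPLE_TRUNCATED = "ns-> get system\nProduct Name: ns5200\n"

# One "Name: value" pair; names are letters, digits and spaces only.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$")

def parse_get_system(text):
    """Return {field name: value} for every 'Name: value' pair in the output."""
    fields = {}
    for line in text.splitlines():
        for part in line.split(","):      # a line can carry several pairs
            m = FIELD.match(part)
            if m:                         # skips the prompt and 'VLAN1 IP (...)'
                fields[m.group(1)] = m.group(2)
    return fields

def fips_status(text):
    """Classify one capture as 'FIPS', 'NOT-FIPS' or 'UNKNOWN' (fail closed)."""
    mode = parse_get_system(text).get("Mode")
    if mode is None:
        return "UNKNOWN"                  # truncated or wrong command output
    return "FIPS" if mode == "FIPS" else "NOT-FIPS"

def audit(captures):
    """Map serial number (or '?' if absent) to status for each capture."""
    report = {}
    for text in captures:
        serial = parse_get_system(text).get("Serial Number", "?")
        report[serial] = fips_status(text)
    return report

if __name__ == "__main__":
    for serial, status in audit([SAMPLE_FIPS, SAMPLE_TRUNCATED]).items():
        print(serial, status)
```
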
Operating restrictions in FIPS mode
The security appliance automatically imposes the following restrictions when operating in FIPS mode:
• Disables administration via SSL
• Disables the import or export of configuration files
• Disables the SNMP Read-Write community
• Disables the USB and Modem ports
• Forces management via Telnet, HTTP (WebUI) and NetScreen Security Manager (NSM) only through a VPN with 256-bit AES encryption
• Forces SSHv2 management traffic to use Triple-DES encryption. (SSHv1 is disabled.)
• Disables the MD5 and DES algorithms
• Requires HA encryption to use 256-bit AES.
• If a VPN is configured to use Triple-DES encryption, Diffie-Hellman Group 5 is required for key agreement. DH groups 1 and 2 are disabled.
• Prevents the operator from configuring a VPN whose strength is stronger than the security provided by the management connection:
  o For sessions via a directly connected serial cable, no strength restriction is applied.
  o For remote SSH connections (which are protected by Triple-DES encryption), the strength of the management connection is considered to be 112 bits. Therefore, the operator is prevented from configuring a VPN whose encryption algorithm has a strength greater than 112 bits, e.g. 128, 192 or 256 bit AES.
  o For remote telnet, WebUI or NSM connections, no strength restriction is applied, since these connections are already forced to pass through a 256-bit AES VPN.
Security rules
