Juniper Networks SSG 5 and SSG 20 Security Policy
enable SSH management through that interface), then disable the console connection using the set
console disable CLI command. If the console is re-enabled in FIPS mode, the device will
automatically zeroize itself and return to non-FIPS mode.
Loading and authenticating firmware
Prior to placing the device in FIPS mode, the administrator must load the Juniper firmware
authentication DSA public key, imagekey.cer, using the save image-key CLI command. When this
public key is present on the device, the integrity and authenticity of the firmware are checked at system
start and whenever firmware is loaded. Only if the DSA signature appended to the firmware verifies does the
device allow it to be loaded.
If the device is not already running a FIPS validated version of the firmware, the administrator should
load it using the save software CLI command. Loading a new version of firmware completely
replaces any existing firmware.
The firmware is signed by a well-protected DSA private key with a 1024-bit modulus, which provides 80 bits
of security. The generated signature is attached to the firmware. For the device to accept an image as
authorized, the image must carry a correct signature.
The image download takes at least 23 seconds, so there can be no more than 3 download tries within
one minute. Therefore, the random success rate for multiple retries is
1/(2^80) + 1/(2^80) + 1/(2^80) = 3/(2^80), which is far less than 1/100,000.
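The load-time check described above, as an added illustration that is not ScreenOS's own code: a Go program that signs an image with a DSA key of the size the policy describes (1024-bit modulus, 160-bit subgroup, SHA-1 digest), appends the signature to the image, and refuses any image whose signature does not verify against the loaded public key. The trailer layout (r and s each written as 20 big-endian bytes after the image body), the SHA-1 choice and the function names are assumptions; the policy states only that a DSA signature is appended to the firmware and checked at start-up and on load.

```go
package main

import (
	"crypto/dsa"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
	"math/big"
)

// sigIntLen is the byte length of r and s for a 160-bit subgroup order.
// The fixed 40-byte trailer is an assumed layout, not ScreenOS's format.
const sigIntLen = 20

// newFirmwareKey generates a DSA key with a 1024-bit modulus and 160-bit
// subgroup, the parameter size the policy equates with 80 bits of security.
func newFirmwareKey() (*dsa.PrivateKey, error) {
	priv := new(dsa.PrivateKey)
	if err := dsa.GenerateParameters(&priv.Parameters, rand.Reader, dsa.L1024N160); err != nil {
		return nil, err
	}
	if err := dsa.GenerateKey(priv, rand.Reader); err != nil {
		return nil, err
	}
	return priv, nil
}

// signImage hashes the image with SHA-1, signs the digest and returns the
// image with the (r, s) pair appended as two fixed-width big-endian integers.
func signImage(priv *dsa.PrivateKey, image []byte) ([]byte, error) {
	h := sha1.Sum(image)
	r, s, err := dsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return nil, err
	}
	sig := make([]byte, 2*sigIntLen)
	r.FillBytes(sig[:sigIntLen]) // r, s < q, so each fits in 20 bytes
	s.FillBytes(sig[sigIntLen:])
	out := append([]byte{}, image...)
	return append(out, sig...), nil
}

// verifyImage splits the trailer off, recomputes the digest over the body and
// checks it against the public key. It returns the bare image on success and
// an error when the signature is missing or does not verify.
func verifyImage(pub *dsa.PublicKey, signed []byte) ([]byte, error) {
	if len(signed) <= 2*sigIntLen {
		return nil, errors.New("image too short to carry a signature")
	}
	split := len(signed) - 2*sigIntLen
	body, sig := signed[:split], signed[split:]
	r := new(big.Int).SetBytes(sig[:sigIntLen])
	s := new(big.Int).SetBytes(sig[sigIntLen:])
	h := sha1.Sum(body)
	if !dsa.Verify(pub, h[:], r, s) {
		return nil, errors.New("firmware signature verification failed; image rejected")
	}
	return body, nil
}

func main() {
	priv, err := newFirmwareKey()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed sample image bytes") // constructed, not real firmware
	signed, err := signImage(priv, image)
	if err != nil {
		panic(err)
	}
	if _, err := verifyImage(&priv.PublicKey, signed); err != nil {
		fmt.Println("unexpected:", err)
	} else {
		fmt.Println("genuine image accepted")
	}
	tampered := append([]byte{}, signed...)
	tampered[0] ^= 0xff // a single-bit change anywhere in the body breaks the digest
	_, err = verifyImage(&priv.PublicKey, tampered)
	fmt.Println("tampered image:", err)
}
```

The loader never inspects the image before the signature check passes, which is the property the policy relies on: an image with a wrong or absent signature is rejected before it can replace the running firmware.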
Enabling FIPS mode
The module can be set to FIPS mode only through the CLI. To set the module to FIPS mode, execute
the set FIPS-mode enable command through the CLI. This command will zeroize and reset the
device. When prompted, confirm that the configuration should be saved and the device reset.
Determining the current mode
To check whether the device is in FIPS mode, enter the get system CLI command:
ns-> get system
Product Name: ns5200
Serial Number: 0099122004000991, Control Number: 00000000, Mode: FIPS
Hardware Version: 0110(0)-(12), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 6.3.0r6.0, Type: Firewall+VPN
Base Mac: 0010.db90.f770
File Name: ns5200.6.3.0r6.0, Checksum: 48e3d429
The current mode appears on the second line of the output.
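An added example, not part of the security policy, that parses the get system output shown above and flags a device that does not report Mode: FIPS or runs a firmware version other than the validated one an administrator expects. The line format (comma-separated Key: value pairs after the echoed command) is taken from the sample output; the function names and the expected-version check are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleGetSystem is the get system output reproduced from the policy text.
const sampleGetSystem = `ns-> get system
Product Name: ns5200
Serial Number: 0099122004000991, Control Number: 00000000, Mode: FIPS
Hardware Version: 0110(0)-(12), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 6.3.0r6.0, Type: Firewall+VPN
Base Mac: 0010.db90.f770
File Name: ns5200.6.3.0r6.0, Checksum: 48e3d429`

// parseGetSystem turns the "Key: value, Key: value" lines into a map.
// The echoed prompt line and any field without a colon are skipped.
func parseGetSystem(output string) map[string]string {
	fields := map[string]string{}
	for _, line := range strings.Split(output, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "ns->") {
			continue
		}
		for _, part := range strings.Split(line, ",") {
			kv := strings.SplitN(part, ":", 2)
			if len(kv) != 2 {
				continue
			}
			fields[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return fields
}

// checkFIPSState returns one finding per deviation from the expected state:
// the device not being in FIPS mode, or running a different firmware version
// than the validated one the operator expects (expectedVersion is supplied by
// the caller; the policy itself does not fix a version here).
func checkFIPSState(fields map[string]string, expectedVersion string) []string {
	var findings []string
	if fields["Mode"] != "FIPS" {
		findings = append(findings, fmt.Sprintf("device reports Mode: %q, not FIPS", fields["Mode"]))
	}
	if v := fields["Software Version"]; v != expectedVersion {
		findings = append(findings, fmt.Sprintf("software version %q differs from expected validated version %q", v, expectedVersion))
	}
	return findings
}

func main() {
	fields := parseGetSystem(sampleGetSystem)
	fmt.Printf("mode=%s version=%s checksum=%s\n",
		fields["Mode"], fields["Software Version"], fields["Checksum"])
	for _, f := range checkFIPSState(fields, "6.3.0r6.0") {
		fmt.Println("FINDING:", f)
	}
}
```

Collecting this output from every appliance on a schedule and diffing the Mode, Software Version and Checksum fields against the last known-good values gives a cheap detection for a device that has dropped out of FIPS mode or had its firmware replaced.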
Operating restrictions in FIPS mode
The security appliance automatically imposes the following restrictions when operating in FIPS mode:
• Disables administration via SSL
• Disables the import or export of configuration files
• Disables the SNMP Read-Write community
• Disables the USB and Modem ports
• Forces management via Telnet, HTTP (WebUI) and NetScreen Security Manager (NSM) only
through a VPN with 256-bit AES encryption