Security Rules; Self Tests - Juniper SSG 5 Manual

Forces SSHv2 management traffic to use Triple-DES encryption. (SSHv1 is disabled.)
Disables the MD5 and DES algorithms.
Requires HA encryption to use 256-bit AES.
If a VPN is configured to use Triple-DES encryption, Diffie-Hellman Group 5 is required for key agreement. DH groups 1 and 2 are disabled.
Prevents the operator from configuring a VPN whose strength is stronger than the security provided by the management connection:
  o For sessions via a directly connected serial cable, no strength restriction is applied.
  o For remote SSH connections (which are protected by Triple-DES encryption), the strength of the management connection is considered to be 112 bits. Therefore, the operator is prevented from configuring a VPN whose encryption algorithm has a strength greater than 112 bits, e.g. 128, 192 or 256 bit AES.
  o For remote telnet, WebUI or NSM connections, no strength restriction is applied, since these connections are already forced to pass through a 256-bit AES VPN.

Security rules

The cryptographic module's design corresponds to the cryptographic module's security rules. This
section documents the security rules enforced by the cryptographic module to implement the security
requirements of this FIPS 140-2 Level 2 module.
The cryptographic module provides identity-based authentication. Until the operator has been
authenticated to the module to assume a valid role, the operator does not have access to any
cryptographic services.
Data output is inhibited during key generation, self-tests, zeroization, and error states. Status
information does not contain CSPs or sensitive data that if misused could lead to a compromise of the
module. The module does not support a maintenance mode.
The module performs key agreement as per the guidelines in NIST SP 800-57.

Self tests

The security appliance implements the following power-up self-tests:
Device Specific Self-Tests:
  o Boot ROM firmware self-test via DSA signature (Firmware Integrity Test)
Critical Function Self-Tests:
  o SDRAM read/write check
  o FLASH test
Algorithm Self-Tests:
  o Triple-DES, CBC mode, encrypt/decrypt KAT
  o SHA-1 KAT
  o SHA-256 KAT
  o RSA (encrypt/decrypt and sign/verify) KAT
  o DSA Sign/Verify pairwise consistency test
  o ECDSA Sign/Verify pairwise consistency test
Juniper Networks SSG 5 and SSG 20 Security Policy
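The following is an added illustration, written for this page and not Juniper's firmware, of how the power-up known-answer tests and the "data output is inhibited during self-tests and error states" rule fit together: the module state machine, the vector table and the deliberately corrupted vector used to force the error state are all constructed here, while the SHA-1 and SHA-256 digests of "abc" are the standard published test vectors.

```python
"""Power-up KAT gating modelled on the FIPS 140-2 security rules above.

Added example (not Juniper's code). The module starts in the power-up
state, runs its hash KATs, and only then exposes an approved service.
A single KAT mismatch moves the module to the error state, where every
service call is refused, i.e. data output stays inhibited.
"""
import hashlib
from enum import Enum


class State(Enum):
    POWER_UP = "power-up"        # self-tests not yet run; output inhibited
    OPERATIONAL = "operational"  # all KATs passed; services available
    ERROR = "error"              # a KAT failed; output inhibited


# Known-answer vectors: (hashlib algorithm name, input, expected digest hex).
# These are the standard "abc" vectors for SHA-1 and SHA-256.
KAT_VECTORS = [
    ("sha1", b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("sha256", b"abc",
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
]


class Module:
    def __init__(self, vectors=KAT_VECTORS):
        self.state = State.POWER_UP
        self.vectors = vectors

    def power_up(self):
        """Run every KAT; a single mismatch is fatal and sets the error state."""
        for alg, msg, expected in self.vectors:
            if hashlib.new(alg, msg).hexdigest() != expected:
                self.state = State.ERROR
                return self.state
        self.state = State.OPERATIONAL
        return self.state

    def digest(self, alg, data):
        """Approved hash service: refused unless the self-tests have passed."""
        if self.state is not State.OPERATIONAL:
            raise RuntimeError(
                f"data output inhibited: module is in {self.state.value} state")
        return hashlib.new(alg, data).hexdigest()


# Constructed failing vector: a wrong expected SHA-1 digest simulates a
# corrupted algorithm implementation at power-up.
CORRUPT_VECTORS = [("sha1", b"abc", "00" * 20)]
```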