
FIPS 140-2 SECURITY POLICY
Juniper Networks, Inc.
SSG 520M and SSG 550M
HW P/N SSG-520M-SH, SSG-520M-SH-N, SSG-520M-SH-DC-N, SSG-520M-N-TAA, SSG-520M-SH-DC-N-TAA, SSG-550M-SH, SSG-550M-SH-N, SSG-550M-SH-DC-N, SSG-550M-N-TAA, SSG-550M-SH-DC-N-TAA
FW Version ScreenOS 6.3.0r6


Summary of Contents for Juniper SSG 500 Series

  • Page 1 FIPS 140-2 SECURITY POLICY Juniper Networks, Inc. SSG 520M and SSG 550M HW P/N SSG-520M-SH, SSG-520M-SH-N, SSG-520M-SH-DC-N, SSG-520M-N-TAA, SSG-520M-SH-DC-N-TAA, SSG-550M-SH, SSG-550M-SH-N, SSG-550M-SH-DC-N, SSG-550M-N-TAA, SSG-550M-SH-DC-N-TAA FW Version ScreenOS 6.3.0r6...
  • Page 2 NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
  • Page 3: Table Of Contents

    Public Key Definitions ........................18 Matrix Creation of Critical Security Parameter (CSP) versus the Services (Roles & Identity) ..18 Mitigation of Other Attacks Policy ......................21 Definitions List ............................22 Juniper Networks SSG 520M and SSG 550M Security Policy...
  • Page 4: Overview

    ASIC (Cavium Nitrox), 10/100 Mbps Ethernet interface, console interface, midplane and power supply. The entire case is defined as the cryptographic boundary of the module. The SSG 500 series physical configuration is defined as a multi-chip standalone module. The chips are production-grade quality and include standard passivation techniques.
  • Page 5: Validation Level

    Also occurs when placing the device into or removing it from FIPS mode. Manage: Create new users. Self-tests: Invoke cryptographic algorithm and system integrity self-tests.
  • Page 6: Authentication

    Since a user is locked out after three consecutive login failures, the random success rate per minute is 1/(62 ) + 1/(62 ) + 1/(62 ) = 3/(62 ), which is far less than 1/100,000.
  • Page 7: Interfaces

    Steady: Critical alarm: Failure of hardware component or software module; firewall attacks detected. HA (High Availability): Green, Steady: Unit is the primary (master) device.
  • Page 8: Operation In Fips Mode

    Loading and authenticating firmware: Prior to placing the device in FIPS mode, the administrator must load the Juniper firmware authentication DSA public key, imagekey.cer, using the save image-key CLI command. When this public key is present on the device, the integrity and authenticity of the firmware is checked at system start and when firmware is loaded.
  • Page 9: Enabling Fips Mode

    112 bits, e.g. 128, 192 or 256 bit AES. For remote telnet, WebUI or NSM connections, no strength restriction is applied, since these connections are already forced to pass through a 256-bit AES VPN. Security rules
  • Page 10: Self Tests

    ECDSA pairwise consistency test; RSA pairwise consistency test; Bypass test; Firmware download DSA signature test (Firmware Load Test); DH pairwise consistency test; Public key validation test
  • Page 11: Fips Approved Algorithms

    The following non-approved algorithms are allowed in FIPS mode: DH (key agreement; key establishment methodology provides 97 or 112 bits of strength); Elliptic Curve Diffie-Hellman (key establishment methodology provides 128 bits of strength)
  • Page 12: Zeroization

    Delete, and Reset commands. Pressing the hardware reset button or issuing the unset vendor-def CLI command will cause the zeroization of all CSPs by resetting the device configuration to the factory default values.
  • Page 13: Physical Security Policy

    Physical Security Policy Before carrying out any steps to deploy a Juniper Networks security appliance, the end-user must verify the security of the product with the following observations: Confirm that the product received matches the version that is validated as FIPS 140-2 compliant.
  • Page 14 Figure 3: Front of the SSG 520M and 550M devices. Figure 4: Rear detail of the SSG 520M. Figure 5: Rear detail of the SSG 550M device.
  • Page 15 • Label #13 applied vertically across the screw to the left of the power supply fan. • For the SSG 550M, as shown in figure 5:
  • Page 16 Figure 7 depicts the device with the tamper seals removed and the cover partially removed. Please note that there are no user serviceable components inside the device. Figure 7: SSG 350M with the cover slid back
  • Page 17: Cryptographic Algorithm Validation

    Cryptographic Algorithm Validation: Cryptographic algorithm validation certificate numbers are listed in the table below: Table 7: Algorithm Validation Certificates. Algorithm / Certificate Number: TDES 1063, 1622, 1431, HMAC, ECDSA
  • Page 18: Critical Security Parameter (Csp) Definitions

    They also correlate the User roles and the Crypto-Officer roles to the set of services to which they have privileges. The matrices use the following convention: G: Generate; D: Delete
  • Page 19 SSH Server/Host DSA Private Key; SSH Encryption Key; SSH HMAC SHA-1 Key; HA Key; IKE RSA/DSA/ECDSA Private Key; PRNG Seed and Seed Key; Diffie Hellman Private Key Components; RADIUS Secret Key
  • Page 20 1. The Crypto-Officer is authorized to change all authorized operators' user names and passwords, but the user is only allowed to change his/her own user name and password. 2. The Crypto-Officer is authorized to remove all authorized operators.
  • Page 21: Mitigation Of Other Attacks Policy

    RADIUS Secret Key: Entered directly at the CLI by the administrator. Mitigation of Other Attacks Policy: The module is not designed to mitigate attacks that are outside the scope of FIPS 140-2.
  • Page 22: Definitions List

    SDRAM – Synchronous Dynamic Random Access Memory; SSH – Secure Shell protocol; TCP – Transmission Control Protocol; TFTP – Trivial File Transfer Protocol; VPN – Virtual Private Networking; VSYS – Virtual System