FIPS 140-2 Security Policy
Juniper Networks, Inc. SSG 520M and SSG 550M
HW P/N SSG-520M-SH, SSG-520M-SH-N, SSG-520M-SH-DC-N, SSG-520M-N-TAA, SSG-520M-SH-DC-N-TAA, SSG-550M-SH, SSG-550M-SH-N, SSG-550M-SH-DC-N, SSG-550M-N-TAA, SSG-550M-SH-DC-N-TAA
FW Version ScreenOS 6.3.0r6...
NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
Public Key Definitions ........................ 18
Matrix Creation of Critical Security Parameter (CSP) versus the Services (Roles & Identity) .. 18
Mitigation of Other Attacks Policy ...................... 21
Definitions List ............................ 22
Juniper Networks SSG 520M and SSG 550M Security Policy...
ASIC (Cavium Nitrox), 10/100 Mbps Ethernet interface, console interface, midplane and power supply. The entire case is defined as the cryptographic boundary of the module. The SSG 500 series physical configuration is defined as a multi-chip standalone module. The chips are production-grade quality and include standard passivation techniques.
Also occurs when placing the device into or removing it from FIPS mode.
Manage: Create new users.
Self-tests: Invoke cryptographic algorithm and system integrity self-tests.
Since a user is locked out after three contiguous login failures, the random success rate per minute is 1/(62 ) + 1/(62 ) + 1/(62 ) = 3/(62 ), which is far less than 1/100,000.
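The authentication-strength argument above, worked through as an added example (not part of the Juniper policy): it uses the 62-character alphabet and the three-failure lockout stated on the page, takes the password length as a parameter because the exponent is missing from the extracted formula, and checks both FIPS 140-2 section 4.3 limits (1/1,000,000 per single attempt, 1/100,000 per minute) with exact fractions.

```python
from fractions import Fraction

# FIPS 140-2 section 4.3 limits for role-based/identity-based authentication.
SINGLE_ATTEMPT_LIMIT = Fraction(1, 1_000_000)
PER_MINUTE_LIMIT = Fraction(1, 100_000)

# Values taken from the policy text: 62 alphanumeric characters per position,
# and an account lockout after three contiguous failed logins.
ALPHABET_SIZE = 62
ATTEMPTS_BEFORE_LOCKOUT = 3


def single_attempt_rate(length, alphabet=ALPHABET_SIZE):
    """Probability that one random guess matches a `length`-character password."""
    return Fraction(1, alphabet ** length)


def per_minute_rate(length, alphabet=ALPHABET_SIZE, attempts=ATTEMPTS_BEFORE_LOCKOUT):
    """Best case for a guesser within one minute: the lockout caps it at
    `attempts` guesses, so the rate is the sum of that many single-attempt
    probabilities (the 1/(62^n) + 1/(62^n) + 1/(62^n) = 3/(62^n) sum above)."""
    return sum(single_attempt_rate(length, alphabet) for _ in range(attempts))


def meets_fips_140_2(length, alphabet=ALPHABET_SIZE, attempts=ATTEMPTS_BEFORE_LOCKOUT):
    """True when both the per-attempt and the per-minute limits are satisfied."""
    return (single_attempt_rate(length, alphabet) < SINGLE_ATTEMPT_LIMIT
            and per_minute_rate(length, alphabet, attempts) < PER_MINUTE_LIMIT)


def minimum_length(alphabet=ALPHABET_SIZE, attempts=ATTEMPTS_BEFORE_LOCKOUT):
    """Smallest password length for which meets_fips_140_2() holds."""
    length = 1
    while not meets_fips_140_2(length, alphabet, attempts):
        length += 1
    return length


if __name__ == "__main__":
    # Password length is an assumed parameter here; the policy's exponent was
    # lost in extraction, so the table shows several lengths.
    for n in range(1, 9):
        print(n, single_attempt_rate(n), per_minute_rate(n), meets_fips_140_2(n))
    print("minimum length meeting FIPS 140-2 limits:", minimum_length())
```

The lockout matters: without it, a guesser at hundreds of attempts per minute could satisfy the per-attempt limit while failing the per-minute one, which is why the policy argues both.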
Steady: Critical alarm. Failure of hardware component or software module; firewall attacks detected.
HA (High Availability), Green, Steady: Unit is the primary (master) device.
Loading and authenticating firmware
Prior to placing the device in FIPS mode, the administrator must load the Juniper firmware authentication DSA public key, imagekey.cer, using the save image-key CLI command. When this public key is present on the device, the integrity and authenticity of the firmware are checked at system start and whenever firmware is loaded.
112 bits, e.g. 128, 192 or 256 bit AES. For remote telnet, WebUI or NSM connections, no strength restriction is applied, since these connections are already forced to pass through a 256-bit AES VPN.
Security rules
ECDSA pairwise consistency test
RSA pairwise consistency test
Bypass test
Firmware download DSA signature test (Firmware Load Test)
DH pairwise consistency test
Public key validation test
The following non-approved algorithms are allowed in FIPS mode:
DH (key agreement; key establishment methodology provides 97 or 112 bits of strength)
Elliptic Curve Diffie-Hellman (key establishment methodology provides 128 bits of strength)
Delete, and Reset commands. Pressing the hardware reset button or issuing the unset vendor-def CLI command will cause the zeroization of all CSPs by resetting the device configuration to the factory default values.
Physical Security Policy Before carrying out any steps to deploy a Juniper Networks security appliance, the end-user must verify the security of the product with the following observations: Confirm that the product received matches the version that is validated as FIPS 140-2 compliant.
Figure 3: Front of the SSG 520M and 550M devices
Figure 4: Rear detail of the SSG 520M
Figure 5: Rear detail of the SSG 550M device
• Label #13 applied vertically across the screw to the left of the power supply fan.
• For the SSG 550M, as shown in Figure 5:
Figure 7 depicts the device with the tamper seals removed and the cover partially removed. Please note that there are no user-serviceable components inside the device.
Figure 7: SSG 350M with the cover slid back
They also correlate the User roles and the Crypto-Officer roles to the set of services to which they have privileges. The matrices use the following convention:
G: Generate
D: Delete
1. The Crypto-Officer is authorized to change all authorized operators' user names and passwords, but the user is only allowed to change his/her own user name and password.
2. The Crypto-Officer is authorized to remove all authorized operators.
RADIUS Secret Key: Entered directly at the CLI by administrator
Mitigation of Other Attacks Policy
The module is not designed to mitigate attacks that are outside the scope of FIPS 140-2.