
FIPS 140-2 SECURITY POLICY
Juniper Networks, Inc.
SSG 320M and SSG 350M
HW P/N SSG-320M-SB, SSG-320M-SH, SSG-320M-SB-TAA, SSG-320M-SH-TAA, SSG-320M-SB-DC-N-TAA,
SSG-320M-SH-DC-N-TAA, SSG-350M-SB, SSG-350M-SH, SSG-350M-SB-TAA, SSG-350M-SH-TAA,
SSG-350M-SB-DC-N-TAA, SSG-350M-SH-DC-N-TAA; FW Version ScreenOS 6.3.0r6



Summary of Contents for Juniper SSG 320M

  • Page 2 NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
  • Page 3: Table Of Contents

    Critical Security Parameter (CSP) Definitions ..................15 Public Key Definitions ........................15 Matrix Creation of Critical Security Parameter (CSP) versus the Services (Roles & Identity) ..15 Mitigation of Other Attacks Policy ......................18 Definitions List ............................19 Juniper Networks SSG 320M and 350M Security Policy...
  • Page 4: Overview

    The SSG 350M provides 500 Mbps of stateful firewall performance and 225 Mbps of IPSec VPN performance, while the SSG 320M provides 400 Mbps of stateful firewall performance and 175 Mbps of IPSec VPN performance.
  • Page 5: Roles And Services

    The module allows concurrent Admin users in either the User or Read-Only User role. It provides the following services for each role: Table 2: Roles and services summary, with the columns Service, Cryptographic Officer, User and Read-Only User, and the rows Configure, Status, Zeroize, Manage Self-Tests and Tamper Seals.
  • Page 6: Authentication

    Since a user is locked out after three consecutive login failures, the random success rate per minute is 1/(62^n) + 1/(62^n) + 1/(62^n) = 3/(62^n), where n is the minimum password length the policy requires, which is far less than 1/100,000.
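The bound above carried through in code, as an added example that is not part of Juniper's policy or firmware: it evaluates a password policy against the two FIPS 140-2 authentication-strength limits (below 1/1,000,000 for a single attempt and below 1/100,000 for all attempts possible in one minute), using the policy's 62-symbol alphanumeric alphabet and three-failure lockout. The minimum password length is a parameter because this excerpt does not show it; the six-character value in the usage line, the one-attempt-per-second submission rate and all function names are this example's assumptions. It goes beyond the page's single case by computing the shortest length that satisfies both bounds and by showing why the lockout, not the alphabet, is what keeps the per-minute bound.

```python
from fractions import Fraction
from typing import Dict

# FIPS 140-2 section 4.3 authentication-strength limits: one random attempt must
# succeed with probability below 1/1,000,000, and every attempt possible within
# one minute must succeed with probability below 1/100,000 (the bound the policy quotes).
MAX_SINGLE_ATTEMPT = Fraction(1, 1_000_000)
MAX_PER_MINUTE = Fraction(1, 100_000)


def single_attempt_probability(alphabet_size: int, min_length: int) -> Fraction:
    """Chance that one random guess hits the weakest password the policy allows:
    min_length symbols drawn from alphabet_size symbols (62 = [A-Za-z0-9])."""
    return Fraction(1, alphabet_size ** min_length)


def per_minute_probability(alphabet_size: int, min_length: int,
                           lockout_failures: int, attempts_per_minute: int) -> Fraction:
    """Union bound on success within one minute.

    A lockout caps the useful guesses at lockout_failures no matter how fast the
    attacker submits them; with a three-failure lockout this is the policy's
    1/(62^n) + 1/(62^n) + 1/(62^n) = 3/(62^n). lockout_failures <= 0 means no lockout.
    """
    if lockout_failures <= 0:
        guesses = attempts_per_minute
    else:
        guesses = min(lockout_failures, attempts_per_minute)
    return guesses * single_attempt_probability(alphabet_size, min_length)


def assess(alphabet_size: int, min_length: int, lockout_failures: int,
           attempts_per_minute: int = 60) -> Dict[str, object]:
    """Evaluate both FIPS 140-2 bounds for a password policy.

    attempts_per_minute is an assumed ceiling on how fast an attacker can submit
    logins to the management interface (hypothetical default: one per second);
    it only matters when there is no lockout.
    """
    p_one = single_attempt_probability(alphabet_size, min_length)
    p_min = per_minute_probability(alphabet_size, min_length,
                                   lockout_failures, attempts_per_minute)
    return {
        "single_attempt": p_one,
        "per_minute": p_min,
        "meets_single_attempt_bound": p_one < MAX_SINGLE_ATTEMPT,
        "meets_per_minute_bound": p_min < MAX_PER_MINUTE,
    }


def minimum_length(alphabet_size: int, lockout_failures: int,
                   attempts_per_minute: int = 60) -> int:
    """Smallest minimum password length that satisfies both bounds; useful when
    writing a policy rather than checking one."""
    n = 1
    while True:
        r = assess(alphabet_size, n, lockout_failures, attempts_per_minute)
        if r["meets_single_attempt_bound"] and r["meets_per_minute_bound"]:
            return n
        n += 1


if __name__ == "__main__":
    # Illustrative values: the policy's 62-symbol alphabet and three-failure lockout;
    # a six-character minimum length is assumed here, not taken from the page.
    for key, value in assess(alphabet_size=62, min_length=6, lockout_failures=3).items():
        print(f"{key}: {value}")
    print("shortest compliant length, 62 symbols, lockout after 3:", minimum_length(62, 3))
    print("same alphabet, 4 chars, no lockout, 1000 attempts/min:",
          assess(62, 4, 0, attempts_per_minute=1000)["meets_per_minute_bound"])
```

The exact `Fraction` arithmetic matters for the boundary: a 6-digit numeric PIN gives exactly 1/1,000,000 per attempt, which fails the strict "less than" test, so `minimum_length(10, 3)` returns 7, not 6.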
  • Page 7: Interfaces

    Interfaces The SSG 320M and 350M provide a number of interfaces: • Four Ethernet autosensing 10/100/1000 interfaces (RJ-45). (Data Input, Data Output, Control IN, Status OUT). These interfaces are network ports. Each port has two LEDs that indicate port status:...
  • Page 8: Operation In Fips Mode

    5 seconds, press again for 5 seconds, and release again for 5 seconds—the device erases all configurations and restores the default factory settings (Control Input). • The SSG 320M has three physical interface module (PIM) slots; the SSG 350M has five PIM slots. •...
  • Page 9: Enabling Fips Mode

    112 bits, e.g. 128, 192 or 256 bit AES. For remote telnet, WebUI or NSM connections, no strength restriction is applied, since these connections are already forced to pass through a 256-bit AES VPN. Security rules...
  • Page 10: Self Tests

    • ECDSA pairwise consistency test
    • RSA pairwise consistency test
    • Bypass test
    • Firmware download DSA signature test (Firmware Load Test)
    • DH pairwise consistency test
    • Public key validation test
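Two entries in that list, the DH pairwise consistency test and the public key validation test, worked through as an added example that is not Juniper's code and is independent of ScreenOS. The group is a constructed toy safe-prime group (p = 1019, q = 509) so that it runs offline; a module runs the same checks against an approved 2048-bit or larger group. The function names and the self-test result dictionary are this example's own.

```python
import secrets
from typing import Dict, Tuple

# Constructed toy finite-field DH group, for demonstration only: p = 2q + 1 with
# both p and q prime (a safe prime) and g a generator of the order-q subgroup.
# A real module runs exactly these checks on a FIPS-approved group.
P = 1019
Q = (P - 1) // 2            # 509, prime
G = pow(2, 2, P)            # squaring any h in [2, p-2] lands in the order-q subgroup


def validate_public_key(y: int, p: int = P, q: int = Q) -> bool:
    """Full public-key validation (SP 800-56A style) of a DH public value y:
    it must lie in [2, p-2] and in the order-q subgroup. This rejects 0, 1, p-1
    and every value an attacker could send for a small-subgroup attack."""
    if not 2 <= y <= p - 2:
        return False
    return pow(y, q, p) == 1


def generate_keypair(p: int = P, q: int = Q, g: int = G) -> Tuple[int, int]:
    """Private value x in [1, q-1] and public value y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def shared_secret(x_own: int, y_peer: int, p: int = P, q: int = Q) -> int:
    """Key agreement that refuses to use an unvalidated peer value."""
    if not validate_public_key(y_peer, p, q):
        raise ValueError("peer public key failed validation")
    return pow(y_peer, x_own, p)


def dh_pairwise_consistency_test(p: int = P, q: int = Q, g: int = G) -> bool:
    """Conditional self-test run on every freshly generated DH key pair: the pair
    must validate and must agree on a shared secret with a second pair. On failure
    the module must discard the key and enter an error state."""
    x_a, y_a = generate_keypair(p, q, g)
    x_b, y_b = generate_keypair(p, q, g)
    if not (validate_public_key(y_a, p, q) and validate_public_key(y_b, p, q)):
        return False
    return shared_secret(x_a, y_b, p, q) == shared_secret(x_b, y_a, p, q)


def run_conditional_self_tests() -> Dict[str, bool]:
    """The subset of the policy's self-test list this example can exercise. The
    public key validation entry is checked against known-good and known-bad values."""
    return {
        "DH pairwise consistency test": dh_pairwise_consistency_test(),
        "Public key validation test": all([
            validate_public_key(pow(G, 7, P)),       # genuine subgroup element
            not validate_public_key(1),              # below the allowed range
            not validate_public_key(P - 1),          # order 2, above the range
            not validate_public_key(2),              # order 2q, outside the subgroup
        ]),
    }


def module_may_operate(results: Dict[str, bool]) -> bool:
    """FIPS 140-2 rule: any failed self-test blocks all cryptographic operation."""
    return all(results.values())


if __name__ == "__main__":
    results = run_conditional_self_tests()
    for name, ok in results.items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
    print("module may operate:", module_may_operate(results))
```

The subgroup check `pow(y, q, p) == 1` is the part a range check alone misses: with p = 1019 the value 2 is in range but has order 2q, so an attacker who sent it could learn the low bit of the private value from the shared secret; the validation test rejects it before any secret is derived.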
  • Page 11: Fips Approved Algorithms

    The following non-approved algorithms are allowed in FIPS mode:
    • DH (key agreement; key establishment methodology provides 97 or 112 bits of strength)
    • Elliptic Curve Diffie-Hellman (key establishment methodology provides 128 bits of...
  • Page 12: Zeroization

    Delete, and Reset commands. Pressing the hardware reset button or issuing the “unset vendor-def” CLI command causes the zeroization of all CSPs by resetting the device configuration to the factory default values.
  • Page 13: Physical Security Policy

    Physical Security Policy Before carrying out any steps to deploy a Juniper Networks security appliance, the end-user must verify the security of the product with the following observations: Confirm that the product received matches the version that is validated as FIPS 140-2 compliant.
  • Page 14 Tamper Seal Placement – SSG320M (5 seals) Figure 2: Front of the SSG 320M device Figure 3: Rear of the SSG 320M device (inverted) Tamper-evident seals should be applied to front of the 320M, as shown in Figure 2 (4 seals): ...
  • Page 15 Label #6 vertically, overlapping the lower ¼ inch of label #5, extending across the left edge of the lower slot cover on to the bottom of the chassis. Juniper Networks SSG 320M and 350M Security Policy...
  • Page 16 5. Figure 7: SSG 320M with the cover slid back The removable cover on both the SSG320M and SSG350M is a single piece covering the top and sides of the unit and is fastened to the chassis by multiple retaining screws on the sides and back.
  • Page 17 Figure 8: SSG 350M with the cover slid back Juniper Networks SSG 320M and 350M Security Policy...
  • Page 18: Critical Security Parameter (Csp) Definitions

    • Diffie Hellman Private Key Components: Used during the DH key agreement protocol.
    • PRNG Seed and Seed Key: Used during the ANSI X9.31 generation of pseudo random numbers.
    • RADIUS Secret Key: Used to authenticate exchanges with the RADIUS server.
    Public Key Definitions...
  • Page 19: Matrix Creation Of Critical Security Parameter (Csp) Versus The Services (Roles & Identity)

    CSPs listed in the matrix: IKE HMAC SHA-1 Key; Password; SSH Server/Host DSA Private Key; SSH Encryption Key; SSH HMAC SHA-1 Key; HA Key; IKE RSA/DSA/ECDSA Private Key; PRNG Seed and Seed Key; Diffie Hellman Private Key Components; RADIUS Secret Key.
  • Page 20 1. The Crypto-Officer is authorized to change all authorized operators' user names and passwords, but the user is only allowed to change his/her own user name and password 2. The Crypto-Officer is authorized to remove all authorized operators. Juniper Networks SSG 320M and 350M Security Policy...
  • Page 21: Mitigation Of Other Attacks Policy

    RADIUS Secret Key: Entered directly at the CLI by the administrator. Mitigation of Other Attacks Policy: The module is not designed to mitigate attacks that are outside the scope of FIPS 140-2.
  • Page 22: Definitions List

    SDRAM – Synchronous Dynamic Random Access Memory
    SSH – Secure Shell protocol
    TCP – Transmission Control Protocol
    TFTP – Trivial File Transfer Protocol
    VPN – Virtual Private Networking
    VSYS – Virtual System
