G. FIPS Certificate Verification .......... 14
H. Critical Security Parameter (CSP) Definitions .......... 14
I. Public Key Definitions .......... 14
J. Matrix Creation of Critical Security Parameter (CSP) versus the Services (Roles & Identity) .......... 15
K. Definitions List .......... 17
Juniper NS-5400 Security Policy
A. Scope of Document The Juniper Networks NetScreen-5400 is an internet security device that integrates firewall, virtual private networking (VPN) and traffic shaping functionality. The model number is NetScreen-5400; its interface options are listed in Table 1. Part Number Model...
VSYS Read-Only User Role: This role has the same operations as the Read-Only User Role above, except that a VSYS read-only user operates only within a particular virtual system. See the NetScreen Concepts and Examples ScreenOS Reference Guide for more information about virtual systems.
1. 8GSPM: The 8GSPM provides eight Gigabit Ethernet mini-Gigabit Interface Converter (GBIC) ports (labeled 1-8) using hot-swappable transceivers. The 8GSPM delivers up to 4 Gigabits per second (Gbps) of firewall and up to 2 Gbps of Virtual Private Network (VPN) capacity.
• The fan tray has a status LED: solid green when the fan is operational, dark when it is not.
Telnet, NSM and HTTP (Web UI) are allowed only through a VPN with AES encryption.
• User names and passwords are case-sensitive. A password consists of at least six alphanumeric characters. Since there are 26 uppercase letters, 26 lowercase letters and 10 digits, the total
DSA-signed firmware image cryptographic strength analysis: the firmware is signed with a DSA private key that is in the sole possession of Juniper Networks. The resulting signature is attached to the firmware image. For the device to accept an image, the image must carry a correct 40-byte (320-bit) signature; that is the two 160-bit DSA values r and s, so a random forgery succeeds with probability about 2^-160 per attempt.
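The check described above, as an added example that is not Juniper or ScreenOS code: the last 40 bytes of a firmware blob are taken as the DSA signature (r || s, two 20-byte big-endian integers) and verified under the public key held by the device. DSA is written out in plain Python so the range and length checks are visible; the 512-bit p (FIPS 186-2 DSA uses a 1024-bit p with a 160-bit q), the image || signature layout, and the sample image bytes are assumptions made for the example.

```python
"""Toy model of the NetScreen firmware-image check: a 40-byte DSA signature
(r || s) appended to the image must verify under the embedded public key.
Added example, not Juniper code.  p is 512 bits so parameter generation is
quick (FIPS 186-2 DSA uses 1024-bit p); q is 160 bits, which is what fixes
r and s at 20 bytes each.  Requires Python 3.8+ for pow(x, -1, q)."""
import hashlib
import secrets

SIG_LEN = 40          # r and s are each 160 bits, the size of q


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; adequate for an illustration, not a validated primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(p_bits: int = 512, q_bits: int = 160):
    """Domain parameters (p, q, g): q prime, q divides p - 1, g has order q mod p."""
    while True:
        q = secrets.randbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q):
            break
    while True:
        p = 2 * q * secrets.randbits(p_bits - q_bits - 1) + 1
        if is_probable_prime(p):
            break
    while True:
        g = pow(secrets.randbelow(p - 3) + 2, (p - 1) // q, p)
        if g != 1:
            return p, q, g


def keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1            # private key: stays with the signer (the vendor)
    return x, pow(g, x, p)                      # (private, public)


def _hash(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def sign(params, x: int, image: bytes) -> bytes:
    """Vendor side: produce the 40-byte r || s signature over the image."""
    p, q, g = params
    h = _hash(image)
    while True:
        k = secrets.randbelow(q - 1) + 1        # per-signature nonce; must never repeat
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (h + x * r)) % q
        if r and s:
            return r.to_bytes(20, "big") + s.to_bytes(20, "big")


def verify(params, y: int, image: bytes, sig: bytes) -> bool:
    """Device side: length, range and the DSA equation must all pass."""
    p, q, g = params
    if len(sig) != SIG_LEN:
        return False
    r, s = int.from_bytes(sig[:20], "big"), int.from_bytes(sig[20:], "big")
    if not (0 < r < q and 0 < s < q):          # also rejects an all-zero signature
        return False
    w = pow(s, -1, q)
    u1, u2 = (_hash(image) * w) % q, (r * w) % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r


def accept_image(params, y: int, blob: bytes):
    """Split blob into image || signature (assumed layout); return the image only if it verifies."""
    if len(blob) <= SIG_LEN:
        return None
    image, sig = blob[:-SIG_LEN], blob[-SIG_LEN:]
    return image if verify(params, y, image, sig) else None


if __name__ == "__main__":
    params = generate_params()
    priv, pub = keygen(params)
    image = b"constructed ScreenOS image bytes"     # constructed sample input
    blob = image + sign(params, priv, image)
    print("genuine image accepted:", accept_image(params, pub, blob) == image)
    print("tampered image accepted:", accept_image(params, pub, b"X" + blob) is not None)
```

The length and range checks are the part that is easy to get wrong in a real loader: a 41-byte or 39-byte blob, or an r or s of zero or of at least q, must be rejected before any modular arithmetic, otherwise the verifier is not checking a well-formed DSA signature at all. Flipping a single byte of the image, or swapping in a public key other than the one the device holds, makes `verify` return False.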
RADIUS server. The RADIUS server provides an external database for administration of user roles. The NetScreen-5400 acts as a RADIUS proxy, forwarding the authentication request to the RADIUS server. The RADIUS server replies with either an accept or
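The exchange described above, as an added example that is not ScreenOS or Juniper code: the device builds an RFC 2865 Access-Request carrying the hidden User-Password, hands it to the RADIUS server, and trusts the Access-Accept or Access-Reject only after checking the Response Authenticator against the shared secret. The shared secret, the user database, the attribute set and the identifier value are constructed for the example; the in-process `radius_server` stands in for the external server.

```python
"""Model of the NetScreen-5400 forwarding a login to a RADIUS server (RFC 2865)
and validating the reply.  Added example, not Juniper or ScreenOS code; the
shared secret, user database and attributes are constructed for illustration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")        # Code, Identifier, Length; followed by a 16-byte Authenticator


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret || previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same operation; the chain uses the received ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value


def parse_attrs(body: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(body):
        kind, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs[kind] = body[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes):
    request_auth = os.urandom(16)            # fresh Request Authenticator per request
    body = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body, request_auth


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, body: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = HEADER.pack(code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def check_response(packet: bytes, ident: int, request_auth: bytes, secret: bytes):
    """Return the reply code, or None if the reply is malformed, mismatched or not authentic."""
    if len(packet) < 20:
        return None
    code, resp_ident, length = HEADER.unpack(packet[:4])
    if length != len(packet) or resp_ident != ident:
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return code if hmac.compare_digest(expected, packet[4:20]) else None


USERS = {b"cryptoofficer": b"S3cret-pw"}   # constructed user database on the RADIUS server


def radius_server(packet: bytes, secret: bytes, users=USERS) -> bytes:
    """The external RADIUS server: reveal the password, look the user up, answer."""
    _, ident, length = HEADER.unpack(packet[:4])
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME)
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(users[user], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def spoofed_server(packet: bytes, secret: bytes) -> bytes:
    """Someone on the path answering Access-Accept without knowing the shared secret."""
    _, ident, _ = HEADER.unpack(packet[:4])
    return build_response(ACCESS_ACCEPT, ident, packet[4:20], b"guessed-secret")


def authenticate(user: bytes, password: bytes, secret: bytes, server=radius_server) -> bool:
    """The NetScreen side: forward the request and trust the verdict only if it is authentic."""
    ident = 0x2A                               # constructed identifier; real clients increment it
    request, request_auth = build_access_request(ident, user, password, secret)
    return check_response(server(request, secret), ident, request_auth, secret) == ACCESS_ACCEPT
```

Two points a practitioner would check in a real proxy are visible here: the Identifier and the Request Authenticator tie the reply to the outstanding request, and the Response Authenticator is what stops an Access-Accept forged without the shared secret from granting a login. The User-Password hiding is only an MD5-keyed stream, so the shared secret has to be protected like any other authentication credential.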
Upon a Telnet or console login failure, the next prompt will not appear for an estimated 5 seconds.
• The NetScreen-5400's chips are production-grade quality and include standard passivation techniques.
• The NetScreen-5400 is contained within a metal production-grade enclosure.
CSPs.
• The NetScreen-5400 includes the following algorithms:
• FIPS Approved: SHA-1; TDES (CBC); DES (CBC) (transitional phase only, valid until May 19, 2007); AES (CBC); HMAC-SHA-1; RSA Sign/Verify (PKCS #1); ANSI X9.31 DRNG
Algorithm Error State or Device specific error state, depending on the self-test failure. The console displays error messages and the status LED flashes red. It is the responsibility of the Crypto-Officer to return the module to Juniper Networks for further analysis. •...
Below is a list of the public keys utilized by the module:
• Firmware Authentication Key: Used by the device to verify DSA signatures over firmware images.
• CA DSA/RSA Public Key: Used by IKE to authenticate a peer's certificate.
HA Key | N/A | U | N/A | N/A
IKE RSA/DSA Private Key | N/A | D | N/A | G,D,U | N/A | N/A | N/A
PRNG Algorithm Key | N/A | N/A | N/A | G,U | N/A | N/A
Diffie Hellman Private Key Components | G | N/A | N/A | N/A | N/A
2. The Crypto-Officer is authorized to remove all authorized operators.
3. The Crypto-Officer is authorized to change all authorized operators' user names and passwords, but a user is only allowed to change his or her own user name and password.