Juniper NS-5400-P00A-S00 Manual page 13

FIPS 140-2 Security Policy
Juniper NS-5400 Security Policy
• Non-FIPS Approved:
  MD5
  DH (key agreement; key establishment methodology provides 80 bits of encryption strength)
  RSA Encrypt/Decrypt (used for key wrapping only; key establishment methodology provides 80 bits of encryption strength)
The NetScreen-5400 conforms to FCC part 15, class A.
Upon the failure of any power-up self-test, the module enters and stays in either the Algorithm Error State or the Device-specific Error State, depending on which self-test failed. The console displays error messages and the status LED flashes red. It is the responsibility of the Crypto-Officer to return the module to Juniper Networks for further analysis.
Upon the failure of any conditional test, the module enters and stays in a permanent error state corresponding to the type of failure: Bypass test failure, DH key agreement test failure, DSA pair-wise test failure, or RSA pair-wise agreement test failure. The console displays error messages and the status LED flashes red. It is the responsibility of the Crypto-Officer to return the module to Juniper Networks for further analysis.
On power-down, previous authentications are erased from memory, and operators must re-authenticate on power-up.
Bypass tests are performed at power-up and as a conditional test. The bypass state occurs when the administrator configures the box with a non-VPN policy and traffic matching this policy arrives at the network port. The bypass-enabled status can be found by retrieving the entire policy list. Two internal conditions must both hold for bypass to happen: (1) a non-VPN policy is matched for this traffic, and (2) a routing table entry exists for the traffic that matches this non-VPN policy.
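The two bypass conditions above are simple enough to check mechanically when auditing a configuration. The following is an added example, not Juniper's code and not a ScreenOS command: it models a first-match policy list and a routing table in a constructed format (the `Policy` dataclass, its `action` values and the sample prefixes are assumptions for the example, not ScreenOS syntax) and classifies a flow as bypass only when a non-VPN permit policy matches and a route exists for the destination, which is exactly the pair of conditions the security policy names.

```python
"""Audit a policy list for bypass (plaintext-forwarding) paths.

Added example; not Juniper code. The policy and route formats are
constructed for this example and do not reflect ScreenOS syntax.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    pid: int
    src: str      # source prefix, e.g. "10.1.0.0/16" (assumed format)
    dst: str      # destination prefix
    action: str   # "permit" (non-VPN), "tunnel" (VPN), or "deny"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


def first_matching_policy(policies, src_ip, dst_ip):
    """Policies are evaluated in order; the first match wins."""
    for p in policies:
        if p.matches(src_ip, dst_ip):
            return p
    return None


def has_route(routes, dst_ip) -> bool:
    """Condition (2): some routing-table prefix covers the destination."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(r) for r in routes)


def classify_flow(policies, routes, src_ip, dst_ip) -> str:
    """Return "bypass", "vpn", "denied" or "no-route" for one flow.

    "bypass" means both conditions hold: condition (1), a non-VPN permit
    policy matched, and condition (2), a route exists, so the traffic
    would be forwarded without encryption.
    """
    p = first_matching_policy(policies, src_ip, dst_ip)
    if p is None or p.action == "deny":
        return "denied"
    if not has_route(routes, dst_ip):
        return "no-route"
    return "vpn" if p.action == "tunnel" else "bypass"


def bypass_capable_policies(policies):
    """IDs of non-VPN permit policies: the 'retrieve the entire policy
    list' check described in the security policy."""
    return [p.pid for p in policies if p.action == "permit"]


# Constructed sample data (not taken from any real device).
POLICIES = [
    Policy(1, "10.1.0.0/16", "10.2.0.0/16", "tunnel"),       # site-to-site VPN
    Policy(2, "10.1.0.0/16", "192.0.2.0/24", "permit"),      # non-VPN: candidate for bypass
    Policy(3, "10.1.0.0/16", "198.51.100.0/24", "permit"),   # non-VPN but no route below
    Policy(4, "0.0.0.0/0", "0.0.0.0/0", "deny"),
]
ROUTES = ["10.2.0.0/16", "192.0.2.0/24"]

if __name__ == "__main__":
    for src, dst in [("10.1.5.5", "10.2.7.7"), ("10.1.5.5", "192.0.2.10"),
                     ("10.1.5.5", "198.51.100.9"), ("10.1.5.5", "203.0.113.1")]:
        print(f"{src} -> {dst}: {classify_flow(POLICIES, ROUTES, src, dst)}")
    print("bypass-capable policies:", bypass_capable_policies(POLICIES))
```

Listing the non-VPN permit policies answers the "bypass-enabled?" question statically; `classify_flow` adds the routing condition, so a permit policy whose destination has no route is reported as `no-route` rather than `bypass`, matching the document's statement that both conditions are required.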
In FIPS mode, SSH can use only 3DES to encrypt and decrypt commands. Also, if a command received over SSH attempts to set or get the AES manual key, it will fail and a message will be logged.
A VPN using AES encryption may be configured with either manual keys or IKE.
HA traffic encryption is 256-bit AES.
If a VPN uses 3DES encryption, the IKE key exchange protocol is restricted to Diffie-Hellman group 5 only.
The SHA-1 implementation on the GigaScreen II ASIC has the limitation that it cannot hash more than 8K of data. Other ASIC chips have no such limitation.
The module is not designed to mitigate attacks that are outside the scope of FIPS 140-2.