Juniper SSG 5 Manual


FIPS 140-2 Security Policy

FIPS 140-2 Security Policy
Juniper Networks
SSG 5 and SSG 20
HW P/N SSG-5 and SSG-20
FW Version ScreenOS 5.4.0r4-5.4.0r19
Document # 530-021036-01
Juniper Networks SSG 5 and SSG 20 Security Policy

Summary of Contents for Juniper SSG 5

  • Page 1 FIPS 140-2 Security Policy. Juniper Networks SSG 5 and SSG 20, HW P/N SSG-5 and SSG-20, FW Version ScreenOS 5.4.0r4-5.4.0r19, Document # 530-021036-01...
  • Page 2 5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
  • Page 3: Table Of Contents

    I. Critical Security Parameter (CSP) Definitions ..................16 J. Public Key Definitions ..........................18 K. Matrix Creation of Critical Security Parameter (CSP) versus the Services (Roles & Identity) ..18 L. Definitions List ............................21
  • Page 4: Scope Of Document

    • Use of RSA and DSA certificates The SSG 5 and SSG 20 provide an interface for an operator to configure or set policies through the Console or Network ports. For initial configuration, the operator must directly connect a VT-100 terminal or a non-networked device that can emulate a VT-100 terminal to the Console port via a serial cable.
  • Page 5: Roles And Services

    This role cannot perform services to configure the box. The module allows concurrent Admin users, either User or Read-Only User roles. The SSG 5 and SSG 20 provide the following services for each role: Table 2: Roles and services summary...
  • Page 6 RADIUS server replies with either an accept or reject message. See the log for authenticated logins. The RADIUS shared secret must be at least six characters. • All logins through a TCP connection disconnect upon three consecutive login failures and an alarm is logged.
  • Page 7: Interfaces

    USB port. Disabled in FIPS mode. • Power interface: AC or DC. • The SSG 5 and 20 have four status LEDs. Two LEDs are common to both: Table 3: Common LEDs to SSG 5 and SSG 20 Name Color...
  • Page 8 TX/RX, Green: blinking indicates that traffic is passing through; not blinking indicates that no traffic is passing through. ISDN BRI CH B1, Green: steady indicates that B-Channel 1 is active.
  • Page 9 ...DSU/CSU in the mini PIM is communicating with another DSU/CSU; otherwise indicates that carrier detect is not active. TX/RX, Green: blinking indicates that traffic is passing through; not blinking indicates that no traffic is passing through.
  • Page 10: Setting Fips Mode

    E. Setting FIPS Mode By default, the module is in non-FIPS mode on the first power-up. Prior to placing the device in FIPS mode, the administrator must load the Juniper firmware authentication DSA public key, imagekey.cer, using the save image-key CLI command. When this public key is present on the device, the integrity and authenticity of the firmware is checked at system start and when firmware is loaded.
  • Page 11 The SSG 5 and 20 do not employ a maintenance interface or have a maintenance role. • When in FIPS mode, the WebUI of the SSG 5 and SSG 20 only displays options that comply with the requirements of FIPS 140-2. •...
  • Page 12 112 bits, e.g. 128, 192 or 256 bit AES. For remote telnet, WebUI or NSM connections, no strength restriction is applied, since these connections are already forced to pass through a 256-bit AES VPN.
  • Page 13: Other Parameters

    Upon a Telnet or console login failure, the next prompt will not come up for an estimated 5 seconds. • The SSG 5 and 20 chips are production-grade quality and include standard passivation techniques. • The SSG 5 and 20 are contained within a metal production-grade enclosure.
  • Page 14 Figure 3: Front of the SSG-20 device, with location of tamper evident seals. Figure 4: Rear of the SSG 20 device. Figure 5: Side of both SSG 5 and 20 devices, with location of tamper evident seal. • The enclosures are opaque to visible spectrum radiation.
  • Page 15 Software load test, DSA pair-wise test failure, or RSA pair-wise agreement test failure. The console displays error messages and the status LED flashes red. It is the responsibility of the Crypto-Officer to return the module to Juniper Networks for further analysis.
  • Page 16: Physical Security Policy

    H. FIPS Certificate Verification In FIPS mode, if the signing CA certificate cannot be found in the SSG 5 and SSG 20 during the loading of the X509 certificate, the following message appears (where x is one of 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F): Please contact your CA's administrator to verify the following fingerprint (in HEX) of the CA cert...
  • Page 17 IKE RSA/DSA Private Key: DSA/RSA key used in IKE identity authentication. • Diffie Hellman Private Key Components: Used during the DH key agreement protocol. • PRNG Algorithm Key: Used during the ANSI X9.31 generation of pseudo random numbers.
  • Page 18: Public Key Definitions

    Excerpt of the CSP versus services matrix (flattened table): rows SSH HMAC SHA-1 Key, HA Key, IKE RSA/DSA Private Key, PRNG Algorithm Key and Diffie Hellman Private Key Components, with cell entries N/A, G,D and G,U.
  • Page 19 2. The Crypto-Officer is authorized to remove all authorized operators. 3. The Crypto-Officer is authorized to change all authorized operators' user names and passwords, but the user is only allowed to change his/her own user name and password.
  • Page 20 ...Manually entered by administrator. IKE RSA/DSA Private Key: internally via ANSI X9.31 RNG. Diffie Hellman Private Key Components: internally via ANSI X9.31 RNG (ditto). PRNG Algorithm Key: initial generation via entropy gathered from a variety of internal sources.
  • Page 21: Definitions List

    RSA – Rivest Shamir Adleman Algorithm; SDRAM – Synchronous Dynamic Random Access Memory; SSH – Secure Shell protocol; TCP – Transmission Control Protocol; TFTP – Trivial File Transfer Protocol; VPN – Virtual Private Networking
