FIPS 140-2 SECURITY POLICY
Juniper Networks, Inc.
SSG 140
HW P/N SSG-140-SB, SSG-140-SH, FW Version ScreenOS 6.3.0r6

Summary of Contents for Juniper SSG-140-SB

  • Page 1 FIPS 140-2 SECURITY POLICY Juniper Networks, Inc. SSG 140 HW P/N SSG-140-SB, SSG-140-SH, FW Version ScreenOS 6.3.0r6...
  • Page 2 NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
  • Page 3: Table Of Contents

    Critical Security Parameter (CSP) Definitions ... 16; Public Key Definitions ... 16; Matrix Creation of Critical Security Parameter (CSP) versus the Services (Roles & Identity) ... 17; Mitigation of Other Attacks Policy ... 19; Definitions List ... 20. Juniper Networks SSG 140 Security Policy...
  • Page 4: Overview

    The entire case is defined as the cryptographic boundary of the module. The SSG 140 physical configuration is defined as a multi-chip standalone module. The chips are production-grade quality and include standard passivation techniques. The SSG 140 conforms to FCC part 15, class B. Fig. 1: SSG 140
  • Page 5: Validation Level

    Zeroize: Overwrite all CSP values with three alternating bit patterns, then reset the configuration to the factory default values. Also occurs when placing the device into or removing it from FIPS mode. Manage: Create new users. Self-tests: Invoke cryptographic algorithm and system integrity self-tests.
  • Page 6: Authentication

    Since a user is locked out after three contiguous login failures, the random success rate per minute is 1/(62 ) + 1/ (62 ) + 1/(62 3/(62 ), which is far less than 1/100,000.
  • Page 7: Interfaces

    HA status changed or redundant group member not found. Steady Critical alarm: Failure of hardware component or software module. Firewall attacks detected. HA (High Green Steady Unit is the primary (master)
  • Page 8: Operation In Fips Mode

    Loading and authenticating firmware Prior to placing the device in FIPS mode, the administrator must load the Juniper firmware authentication DSA public key, imagekey.cer, using the save image-key CLI command. When this public key is present on the device, the integrity and authenticity of the firmware is checked at system start and when firmware is loaded.
  • Page 9: Enabling Fips Mode

    112 bits. Therefore, the operator is prevented from configuring a VPN whose encryption algorithm has a strength greater than 112 bits, e.g. 128, 192 or 256 bit AES.
  • Page 10: Security Rules

    RNG statistical (monobit, poker, runs and long runs) tests; DH exponentiation test; IKE v1/v2 Key Derivation Function KAT. The security appliance implements the following conditional tests: DRNG continuous test (both approved and non-approved RNGs)
  • Page 11: Fips Approved Algorithms

    AES (CBC); HMAC-SHA-1, HMAC-SHA-256; RSA Sign/Verify (PKCS #1); ANSI X9.31 DRNG. The module supports the following communication protocols which are allowed in FIPS mode: SSL v3.1; SSH v2; IPSec
  • Page 12: Non-Fips Approved Algorithms

    All keys and unprotected security parameters can be individually zeroized through the Unset, Clear, Delete, and Reset commands. Pressing the hardware reset button or issuing the “unset vendor-def” CLI command will cause the zeroization of all CSPs by resetting the device configuration to the factory default values.
  • Page 13: Physical Security Policy

    Physical Security Policy Before carrying out any steps to deploy a Juniper Networks security appliance, the end-user must verify the security of the product with the following observations: Confirm that the product received matches the version that is validated as FIPS 140-2 compliant.
  • Page 14 Figure 2: Front of the SSG 140 device; Figure 3: Rear of the SSG 140 device; Figure 4: Right side of the SSG 140 device; Figure 5: Side of the SSG 140 device; Figure 6: SSG 140 with cover slid back
  • Page 15 The removable cover is a single piece covering the top and sides of the unit and is fastened to the chassis by the center retaining screws. Figure 6 depicts the device with the tamper seals removed and the cover partially removed. Please note that there are no user serviceable components inside the device.
  • Page 16: Critical Security Parameter (Csp) Definitions

    RADIUS Secret Key: Used to authenticate exchanges with the RADIUS server. Public Key Definitions: Below is a list of the public keys utilized by the module: Firmware Authentication Key: Used by the device to verify DSA signatures over firmware images.
  • Page 17: Matrix Creation Of Critical Security Parameter (Csp) Versus The Services (Roles & Identity)

    Password; SSH Server/Host DSA Private Key; SSH Encryption Key; SSH HMAC SHA-1 Key; HA Key; IKE RSA/DSA/ECDSA Private Key; PRNG Seed and Seed; Diffie Hellman Private Key Components; RADIUS Secret Key. Table B: User
  • Page 18 1. The Crypto-Officer is authorized to change all authorized operators' user names and passwords, but the user is only allowed to change his/her own user name and password. 2. The Crypto-Officer is authorized to remove all authorized operators.
  • Page 19: Mitigation Of Other Attacks Policy

    RADIUS Secret Key: Entered directly at the CLI by administrator. Mitigation of Other Attacks Policy: The module is not designed to mitigate against attacks which are outside of the scope of FIPS 140-2.
  • Page 20: Definitions List

    SA – Security Association; SDRAM – Synchronous Dynamic Random Access Memory; SSH – Secure Shell protocol; TCP – Transmission Control Protocol; TFTP – Trivial File Transfer Protocol; VPN – Virtual Private Networking; VSYS – Virtual System