- play_arrow Configure Roles and Authentication Methods
- Overview of Roles and Services for Junos OS
- Overview of the Operational Environment for Junos OS in FIPS Mode
- Overview of Password Specifications and Guidelines for Junos OS in FIPS Mode
- Download Software Packages from Juniper Networks
- Install Software on the Device with Single Routing Engine
- Overview of Zeroization to Clear System Data for FIPS Mode
- Zeroize the System
- Enable FIPS Mode
- Configure Security Administrator and FIPS User Identification and Access
- play_arrow Configure Administrative Credentials and Privileges
- play_arrow Configure SSH and Console Connection
- play_arrow Configure the Remote Syslog Server
- play_arrow Configure Audit Log Options
- play_arrow Configure Event Logging
- play_arrow Configure MACsec
- play_arrow Perform Self-Tests on a Device
- play_arrow Operational Commands
Overview of Junos OS in FIPS Mode
Federal Information Processing Standards (FIPS) 140-2 defines security levels for hardware and software that perform cryptographic functions. Operating the security devices in a FIPS 140-2 Level 1 environment requires enabling and configuring FIPS mode on the devices from the Junos OS command-line interface (CLI).
The Security Administrator enables FIPS mode in Junos OS and sets up keys and passwords for the system and other FIPS users.
Supported Platforms and Hardwares
For the features described in this document, the following platform is used to qualify FIPS certification:
About the Cryptographic Boundary on Your Device
FIPS 140-2 compliance requires a defined cryptographic boundary around each cryptographic module on a device. Junos OS in FIPS mode prevents the cryptographic module from executing any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic boundary of the module in unencrypted format.
Virtual Chassis features are not supported in FIPS mode. Do not configure a Virtual Chassis in FIPS mode.
How FIPS Mode Differs from Non-FIPS Mode
Junos OS in FIPS mode differs in the following ways from Junos OS in non-FIPS mode:
Self-tests of all cryptographic algorithms are performed at startup.
Self-tests of random number and key generation are performed continuously.
Weak cryptographic algorithms such as Data Encryption Standard (DES) and MD5 are disabled.
Weak or unencrypted management connections must not be configured.
Passwords must be encrypted with strong one-way algorithms that do not permit decryption.
Administrator passwords must be at least 10 characters long.
Validated Version of Junos OS in FIPS Mode
To determine whether a Junos OS release is NIST-validated, see the compliance page on the Juniper Networks Web site (https://apps.juniper.net/compliance/).