- play_arrow Overview
- Understanding the Common Criteria Evaluated Configuration
- Understanding Junos OS in FIPS Mode of Operation
- Understanding FIPS Mode of Operation Terminology and Supported Cryptographic Algorithms
- Identifying Secure Product Delivery
- Applying Tamper-Evident Seals to the Cryptographic Module
- Understanding Management Interfaces
- play_arrow Configuring Administrative Credentials and Privileges
- Network Time Protocol
- play_arrow Configuring SSH and Console Connection
- play_arrow Configuring the Remote Syslog Server
- play_arrow Configuring Audit Log Options
- play_arrow Configuring Event Logging
- play_arrow Configuring MACSec
- play_arrow Configuring a Secure Logging Channel
- play_arrow Configuring VPNs
- play_arrow Configuring Security Flow Policies
- play_arrow Configuring Traffic Filtering Rules
- Overview
- Understanding Protocol Support
- Configuring Traffic Filter Rules
- Configuring Default Deny-All and Reject Rules
- Logging the Dropped Packets Using Default Deny-all Option
- Configuring Mandatory Reject Rules for Invalid Fragments and Fragmented IP Packets
- Configuring Default Reject Rules for Source Address Spoofing
- Configuring Default Reject Rules with IP Options
- Configuring Default Reject Rules
- play_arrow Configuring Network Attacks
- Configuring IP Teardrop Attack Screen
- Configuring TCP Land Attack Screen
- Configuring ICMP Fragment Screen
- Configuring Ping-Of-Death Attack Screen
- Configuring tcp-no-flag Attack Screen
- Configuring TCP SYN-FIN Attack Screen
- Configuring TCP fin-no-ack Attack Screen
- Configuring UDP Bomb Attack Screen
- Configuring UDP CHARGEN DoS Attack Screen
- Configuring TCP SYN and RST Attack Screen
- Configuring ICMP Flood Attack Screen
- Configuring TCP SYN Flood Attack Screen
- Configuring TCP Port Scan Attack Screen
- Configuring UDP Port Scan Attack Screen
- Configuring IP Sweep Attack Screen
- play_arrow Configuring the IDP Extended Package
- play_arrow Configuring Cluster Mode
- play_arrow Performing Self-Tests on a Device
- play_arrow Configuration Statements
- checksum-validate
- code
- data-length
- destination-option
- extension-header
- header-type
- home-address
- identification
- icmpv6 (Security IDP Custom Attack)
- ihl (Security IDP Custom Attack)
- option-type
- reserved (Security IDP Custom Attack)
- routing-header
- sequence-number (Security IDP ICMPv6 Headers)
- type (Security IDP ICMPv6 Headers)
ON THIS PAGE
Understanding Zeroization to Clear System Data for FIPS Mode of Operation
Zeroization completely erases all configuration information on the device, including all plaintext passwords, secrets, and private keys for SSH, local encryption, local authentication, and IPsec. To exit the FIPS mode you need to zeroize the device.
The cryptographic module provides a non-approved mode of operation in which non-approved
cryptographic algorithms are supported. When moving from the non-approved mode of operation to
the approved mode of operation, the Cryptographic Officer must zeroize the non-approved mode
critical security parameters (CSPs). For SRX380 devices, the
Cryptographic Officer initiates the zeroization process by entering the request system
zeroize
from the CLI after enabling FIPS mode of operation. Use of this command is
restricted to the Cryptographic Officer.
Perform system zeroization with care. After the zeroization process is complete, no data is left on the device. This command erases all the CSPs, configurations, and the hard disk partitions containing the device image. Hence, the device does not boot up on zeroization and USB reimage is required to recover the device.
Zeroization can be time-consuming. Although all configurationsare removed in a few seconds, the zeroization process goes on to overwrite all media, which can take considerable time depending on the size of the media.
Why Zeroize?
Your device is not considered a valid FIPS cryptographic module until all CSPs have been entered—or reentered—while the device is in FIPS mode of operation. For FIPS 140-3 compliance, the only way to exit from FIPS mode is to zeroize the TOE.
For FIPS 140-3 compliance, we recommend that you zeroize the device to exit the FIPS mode.
When to Zeroize?
As a Cryptographic Officer, perform zeroization in the following situations:
Before FIPS operation—To prepare your device for operation as a FIPS cryptographic module, perform zeroization to remove the non-approved mode critical security parameters (CSPs) and enable FIPS mode on the device.
Before non-FIPS operation—To begin repurposing your device for non-FIPS operation, perform zeroization on the device.
Note:Juniper Networks does not support installing non-FIPS software in a FIPS mode of operation, but doing so might be necessary in certain test environments. Be sure to zeroize the system first.
When a tamper-evident seal is disturbed—If the seal on an insecure port has been tampered with, the system is considered to be compromised. After applying new tamper-evident seals to the appropriate locations, zeroize the system and set up new passwords and CSPs.