- play_arrow Configuring Administrative Credentials and Privileges
- play_arrow Configuring Network Time Protocol
- play_arrow Configuring Roles and Authentication Methods
- Understanding Roles and Services for Junos OS in FIPS Mode of Operation
- Understanding Services for Junos OS in FIPS Mode of Operation
- Downloading Software Packages from Juniper Networks (FIPS Mode)
- Installing Junos Software Packages
- Understanding Zeroization to Clear System Data for FIPS Mode of Operation
- How to Enable and Configure Junos OS in FIPS Mode of Operation
- play_arrow Configuring SSH and Console Connection
- play_arrow Configuring the Remote Syslog Server
- play_arrow Configuring Audit Log Options
- play_arrow Configuring Event Logging
- play_arrow Configuring VPNs
- play_arrow Configuring Security Flow Policies
- play_arrow Configuring Traffic Filtering Rules
- Overview
- Understanding Protocol Support
- Configuring Traffic Filter Rules
- Configuring Default Deny-All and Reject Rules
- Logging the Dropped Packets Using Default Deny-all Option
- Configuring Mandatory Reject Rules for Invalid Fragments and Fragmented IP Packets
- Configuring Default Reject Rules for Source Address Spoofing
- Configuring Default Reject Rules with IP Options
- Configuring Default Reject Rules
- play_arrow Configuring Network Attacks
- Configuring IP Teardrop Attack Screen
- Configuring TCP Land Attack Screen
- Configuring ICMP Fragment Screen
- Configuring Ping-Of-Death Attack Screen
- Configuring tcp-no-flag Attack Screen
- Configuring TCP SYN-FIN Attack Screen
- Configuring TCP fin-no-ack Attack Screen
- Configuring UDP Bomb Attack Screen
- Configuring UDP CHARGEN DoS Attack Screen
- Configuring TCP SYN and RST Attack Screen
- Configuring ICMP Flood Attack Screen
- Configuring TCP SYN Flood Attack Screen
- Configuring TCP Port Scan Attack Screen
- Configuring UDP Port Scan Attack Screen
- Configuring IP Sweep Attack Screen
- play_arrow Configuring the IDP Extended Package
- play_arrow Configuring Cluster Mode
- play_arrow Performing Self-Tests on a Device
- play_arrow Configuration Statements
- checksum-validate
- code
- data-length
- destination-option
- extension-header
- header-type
- home-address
- identification
- icmpv6 (Security IDP Custom Attack)
- ihl (Security IDP Custom Attack)
- option-type
- reserved (Security IDP Custom Attack)
- routing-header
- sequence-number (Security IDP ICMPv6 Headers)
- type (Security IDP ICMPv6 Headers)
- play_arrow Junos-FIPS Configuration Restrictions
Understanding the Common Criteria Evaluated Configuration
This document describes the steps required to duplicate the configuration of the device running Junos OS when the device is evaluated. This is referred to as the evaluated configuration. The following list describes the standards to which the device has been evaluated:
Collaborative Protection Profile for Network Devices, NDcPPv2.2e—https://www.commoncriteriaportal.org/files/ppfiles/CPP_ND_V2.2E.pdf.
PP modules for NDcPP are as follows:
- MOD_FW_CPP v1.4e –https://www.niap-ccevs.org/MMO/PP/MOD_CPP_FW_v1.4e.pdf
- MOD_IPS_V1.0 –https://www.niap-ccevs.org/MMO/PP/MOD_IPS_v1.0.pdf
- VPNGW_MOD v1.2 – https://www.niap-ccevs.org/MMO/PP/MOD_VPNGW_v1.2.pdf
- Network Device Collaborative Protection Profile (NDcPPv2.2)/Stateful Traffic Filter Firewall Collaborative Protection Profile (FWcPP) Extended Package VPN Gateway, Version 2.2, 22 March 2020 (VPNEP)
- Collaborative Protection Profile for Stateful Traffic Filter Firewalls, version 2.0, 14 March 2018 (FWcPP)https://www.commoncriteriaportal.org/files/ppfiles/CPP_FW_V2.0E.pdf
Collaborative Protection Profile for Network Devices or Collaborative Protection Profile for Stateful Traffic Filter Firewalls Extended Package (EP) for Intrusion Prevention Systems (IPS), (IPSEP)
FIPS—https://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
These documents are available at https://www.niap-ccevs.org/Profile/PP.cfm.
On vSRX3.0, Junos OS Release 22.2R2 is certified for Common Criteria with FIPS mode enabled on the devices.
Understanding Common Criteria
Common Criteria for information technology is an international agreement signed by several countries that permits the evaluation of security products against a common set of standards. In the Common Criteria Recognition Arrangement (CCRA) at http://www.commoncriteriaportal.org/ccra/, the participants agree to mutually recognize evaluations of products performed in other countries. All evaluations are performed using a common methodology for information technology security evaluation.
For more information on Common Criteria, see http://www.commoncriteriaportal.org/.
Supported Platforms for vSRX Virtual Firewall
For the features described in this document, the following platforms are supported: • vSRX3.0 instances
The evaluated configuration for Common Criteria certification includes the following components:
- HP ProLiant DL380p Gen9 with Intel Xeon E5 with 3 to 8 NICs (at least as many as the number of configured virtual NICs (vNIC) in vSRX3.0)
- VMWare ESXi 7.0 Hypervisor
- Junos OS Release 22.2R2 for vSRX3.0 software installed as an ESXi Virtual Machine (VM)
- Pacstar 451 Model with 4 CPUs x Intel(R) Xeon(R) E-2254ML CPU @ 1.70GHz
No other VMs may be installed on the ESXi instance. Each vNIC in vSRX3.0 must be mapped to a different physical NIC in the appliance or ESXi.
For more information on vSRX deployment over ESXi, see vSRX Virtual Firewall Deployment Guide for Private and Public Cloud Platforms.
