- play_arrow Overview
- Understanding the Common Criteria Evaluated Configuration
- Understanding Junos OS in FIPS Mode of Operation
- Understanding FIPS Mode of Operation Terminology and Supported Cryptographic Algorithms
- Identifying Secure Product Delivery
- Applying Tamper-Evident Seals to the Cryptographic Module
- Understanding Management Interfaces
- play_arrow Configuring Roles and Authentication Methods
- Understanding Roles and Services for Junos OS in FIPS Mode of Operation
- Understanding Services for Junos OS in FIPS Mode of Operation
- Downloading Software Packages from Juniper Networks
- Installing Junos Software Packages
- Understanding Zeroization to Clear System Data for FIPS Mode of Operation
- Loading Firmware on the Device
- How to Enable and Configure Junos OS in FIPS Mode of Operation
- play_arrow Network Time Protocol
- play_arrow Configuring SSH and Console Connection
- play_arrow Configuring the Remote Syslog Server
- play_arrow Configuring Audit Log Options
- play_arrow Configuring Event Logging
- play_arrow Configuring a Secure Logging Channel
- play_arrow Configuring VPNs
- play_arrow Configuring Security Flow Policies
- play_arrow Configuring Traffic Filtering Rules
- Overview
- Understanding Protocol Support
- Configuring Traffic Filter Rules
- Configuring Default Deny-All and Reject Rules
- Logging the Dropped Packets Using Default Deny-all Option
- Configuring Mandatory Reject Rules for Invalid Fragments and Fragmented IP Packets
- Configuring Default Reject Rules for Source Address Spoofing
- Configuring Default Reject Rules with IP Options
- Configuring Default Reject Rules
- play_arrow Configuring Network Attacks
- Configuring IP Teardrop Attack Screen
- Configuring TCP Land Attack Screen
- Configuring ICMP Fragment Screen
- Configuring Ping-Of-Death Attack Screen
- Configuring tcp-no-flag Attack Screen
- Configuring TCP SYN-FIN Attack Screen
- Configuring TCP fin-no-ack Attack Screen
- Configuring UDP Bomb Attack Screen
- Configuring UDP CHARGEN DoS Attack Screen
- Configuring TCP SYN and RST Attack Screen
- Configuring ICMP Flood Attack Screen
- Configuring TCP SYN Flood Attack Screen
- Configuring TCP Port Scan Attack Screen
- Configuring UDP Port Scan Attack Screen
- Configuring IP Sweep Attack Screen
- play_arrow Configuring the IDP Extended Package
- play_arrow Configuring Cluster Mode
- play_arrow Performing Self-Tests on a Device
- play_arrow Configuration Statements
- checksum-validate
- code
- data-length
- destination-option
- extension-header
- header-type
- home-address
- identification
- icmpv6 (Security IDP Custom Attack)
- ihl (Security IDP Custom Attack)
- option-type
- reserved (Security IDP Custom Attack)
- routing-header
- sequence-number (Security IDP ICMPv6 Headers)
- type (Security IDP ICMPv6 Headers)
Understanding the Associated Password Rules for an Authorized Administrator
The authorized administrator is associated with a defined login class, and the administrator is assigned with all permissions. Data is stored locally for fixed password authentication.
We recommend that you not use control characters in passwords.
Use the following guidelines and configuration options for passwords and when selecting passwords for authorized administrator accounts. Passwords should be:
Easy to remember so that users are not tempted to write it down.
Changed periodically.
Private and not shared with anyone.
Contain a minimum of 10 characters. The minimum password length is 10 characters.
content_copy zoom_out_map[ edit ] administrator@host# set system login password minimum-length 10
Include both alphanumeric and punctuation characters, composed of any combination of upper and lowercase letters, numbers, and special characters such as, “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, and “)”. There should be at least a change in one case, one or more digits, and one or more punctuation marks.
Contain character sets. Valid character sets include uppercase letters, lowercase letters, numbers, punctuation, and other special characters.
content_copy zoom_out_map[ edit ] administrator@host# set system login password change-type character-sets
Contain the minimum number of character sets or character set changes. The minimum number of character sets required in plain-text passwords in Junos FIPS is 2.
content_copy zoom_out_map[ edit ] administrator@host# set system login password minimum-changes 2
The authentication algorithm for plain-text passwords must be configured as sha256.
[ edit ] administrator@host# set system login password format sha256
Weak passwords are:
Words that might be found in or exist as a permuted form in a system file such as /etc/passwd.
The hostname of the system (always a first guess).
Any words appearing in a dictionary. This includes dictionaries other than English, and words found in works such as Shakespeare, Lewis Carroll, Roget's Thesaurus, and so on. This prohibition includes common words and phrases from sports, sayings, movies, and television shows.
Permutations on any of the above. For example, a dictionary word with vowels replaced with digits (for example f00t) or with digits added to the end.
Any machine-generated passwords. Algorithms reduce the search space of password-guessing programs and so should not be used.
Strong reusable passwords can be based on letters from a favorite phrase or word, and then concatenated with other, unrelated words, along with additional digits and punctuation. If the limit on the consecutive invalid password is reached, the user account is locked. The account automatically unlocks after the configured lockout time expires, or the account can be manually unlocked using the following command:
[ edit ] administrator@host# clear system login lockout user username
Passwords should be changed periodically.