Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Understanding Junos OS in FIPS Mode

Federal Information Processing Standards (FIPS) 140-3 defines security levels for hardware and software that perform cryptographic functions.

Operating your device in a FIPS 140-3 Level 1 environment requires enabling and configuring FIPS mode on the device from the Junos OS CLI.

The Security Administrator enables FIPS mode in Junos OS and sets up keys and passwords for the system and other FIPS users who can view the configuration. Both Security Administrator and user can perform normal configuration tasks on the device (such as modify interface types) as individual user configuration allows.

About the Cryptographic Boundary on Your Device

FIPS 140-3 compliance requires a defined cryptographic boundary around each cryptographic module on a device. Junos OS in FIPS mode prevents the cryptographic module from executing any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic boundary of the module in unencrypted format.

CAUTION:

Virtual Chassis features are not supported in FIPS mode. Do not configure a Virtual Chassis in FIPS mode.

How FIPS Mode Differs from Non-FIPS Mode

Unlike Junos OS in non-FIPS mode, Junos OS in FIPS mode is a non-modifiable operational environment. In addition, Junos OS in FIPS mode differs in the following ways from Junos OS in non-FIPS mode:

  • Self-tests of all cryptographic algorithms are performed at startup.

  • Self-tests of random number and key generation are performed continuously.

  • Weak cryptographic algorithms such as Data Encryption Standard (DES) and Message Digest 5 (MD5) are disabled.

  • Weak or unencrypted management connections must not be configured. However, TOE allows local and un-encrypted console access across all modes of operation.

  • Passwords must be encrypted with strong one-way algorithms that do not permit decryption.

  • Junos-FIPS administrator passwords must be at least 10 characters long.

  • Cryptographic keys must be encrypted before transmission.

Validated Version of Junos OS in FIPS Mode

To determine whether a Junos OS release is NIST-validated, see the compliance page on the Juniper Networks Web site (https://apps.juniper.net/compliance/).