Configuring IPsec for FIPS Mode
Configuring IPsec for Enabling Internal Communications Between Routing Engines for Junos OS in FIPS Mode
In a Junos OS in FIPS mode environment, routers with two Routing Engines must use IPsec for internal communication between the Routing Engines. You configure internal IPsec after you install the Junos OS in FIPS mode. You must be a Crypto Officer to configure internal IPsec.
You cannot configure DES-based IPsec SAs in Junos OS in FIPS mode. The internal IPsec SAs use HMAC-SHA1-96 authentication and 3DES-CBC encryption.
Manual SAs require no negotiation. All values, including the keys, are static and specified in the configuration. Manual SAs statically define the SPI values, algorithms, and keys to be used, and require matching configurations on both ends of the tunnel. Each peer must have the same configured options for communication to take place.
When the device is in FIPS mode, you cannot use the commit synchronize command until you have established an IPsec SA on each Routing Engine.
As Crypto Officer, you configure internal IPsec by creating an SA on each Routing Engine with the security-association statement at the [edit security ipsec internal] hierarchy level. For a manual SA you configure the direction in which it is applied, the SPI value that uniquely identifies the SA at the receiving Routing Engine, and the keys the SA uses for authentication and encryption. The full hierarchy is:
[edit security]
ipsec {
    internal {
        security-association {
            manual {
                direction (bidirectional | inbound | outbound) {
                    protocol esp;
                    spi spi-value;
                    authentication {
                        algorithm (hmac-sha1-96 | hmac-sha2-256);
                        key (ascii-text ascii-text-string | hexadecimal hexadecimal-number);
                    }
                    encryption {
                        algorithm 3des-cbc;
                        key (ascii-text ascii-text-string | hexadecimal hexadecimal-number);
                    }
                }
            }
        }
    }
}
Configuring internal IPsec for Junos-FIPS consists of three tasks, described in turn below: setting the direction in which the manual SA is applied, setting the SPI value that identifies the SA at the receiving Routing Engine, and setting the authentication and encryption keys.
Configuring the SA Direction
To configure the direction in which the manual SA is applied, include the direction statement at the [edit security ipsec internal security-association manual] hierarchy level:
direction (bidirectional | inbound | outbound);
The value can be one of the following:
- bidirectional: Apply the same SA values in both directions between Routing Engines.
- inbound: Apply these SA properties only to the inbound IPsec tunnel.
- outbound: Apply these SA properties only to the outbound IPsec tunnel.
If you do not configure the SA as bidirectional, you must configure SA parameters for both the inbound and the outbound direction, each with its own SPI. The following example configures an inbound and an outbound SA with hexadecimal keys; the 40-character key is the HMAC-SHA1-96 authentication key and the 48-character key is the 3DES-CBC encryption key. The same two key values are repeated in both directions here only to keep the example short; in practice, generate a separate key for each direction:
[edit security]
ipsec {
    internal {
        security-association {
            manual {
                direction inbound {
                    protocol esp;
                    spi 512;
                    authentication {
                        algorithm hmac-sha1-96;
                        key hexadecimal 309fc4be20f04e53e011b00744642d3fe66c2c7c;
                    }
                    encryption {
                        algorithm 3des-cbc;
                        key hexadecimal b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da7;
                    }
                }
                direction outbound {
                    protocol esp;
                    spi 513;
                    authentication {
                        algorithm hmac-sha1-96;
                        key hexadecimal 309fc4be20f04e53e011b00744642d3fe66c2c7c;
                    }
                    encryption {
                        algorithm 3des-cbc;
                        key hexadecimal b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da7;
                    }
                }
            }
        }
    }
}
Configuring the IPsec SPI
A security parameter index (SPI) is a 32-bit index that identifies a security context between a pair of Routing Engines. To configure the IPsec SPI value, include the spi statement at the [edit security ipsec internal security-association manual direction] hierarchy level:
spi value;
The value must be from 256 through 16,639.
Configuring the IPsec Key
We recommend that you do not enter IPsec keys as ASCII text for Junos OS in FIPS mode. Enter them as hexadecimal keys instead, for maximum key strength.
The distribution and management of keys are critical to using VPNs successfully.
You must configure key values for both authentication and encryption. To configure a key, include the key statement under the authentication and the encryption statements at the [edit security ipsec internal security-association manual direction] hierarchy level:
key (ascii-text ascii-text-string | hexadecimal hexadecimal-string);
When the keys are given as hexadecimal values (the recommended form), both are preshared, and each must have exactly the length that its algorithm requires:
- Authentication algorithm: HMAC-SHA1-96, 40 hexadecimal characters (20 bytes); HMAC-SHA2-256, 64 hexadecimal characters (32 bytes)
- Encryption algorithm: 3DES-CBC, 48 hexadecimal characters (24 bytes, that is, three 8-byte DES subkeys)
You must enter the hexadecimal key value twice, and the two strings must match or the key is not set. The hexadecimal key is never displayed in plain text.
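As an added, runnable illustration of the direction, SPI and key rules described above (this is editor-supplied example code, not Juniper software or a Juniper configuration): the script draws hexadecimal keys of the required length from the operating system's random source, rejects keys that break the rules on this page (wrong length, non-hexadecimal characters, an algorithm that is not permitted for internal SAs in FIPS mode, or an algorithm placed in the wrong stanza), checks the SPI range, and renders a bidirectional SA, or an inbound and an outbound SA with separate SPIs and keys, as Junos set commands. Two things go beyond what the page states and are assumptions: the set-command form is the hierarchy shown above flattened, and a 3DES key whose three 8-byte subkeys are not distinct is rejected because NIST SP 800-67 keying option 1 requires three independent subkeys. The two fixed key values are the ones quoted in the inbound/outbound example above.

```python
import os
import re

# Constraints stated on this page for manual internal SAs in Junos OS FIPS mode:
# permitted algorithms, their key sizes in hexadecimal characters, and the SPI range.
AUTH_ALGORITHMS = {"hmac-sha1-96": 40, "hmac-sha2-256": 64}  # 20-byte and 32-byte keys
ENC_ALGORITHMS = {"3des-cbc": 48}                            # 24 bytes: three 8-byte DES subkeys
KEY_LENGTHS = {**AUTH_ALGORITHMS, **ENC_ALGORITHMS}
SPI_MIN, SPI_MAX = 256, 16639

# The two key values quoted in this page's inbound/outbound example (40 and 48 hex characters).
PAGE_AUTH_KEY = "309fc4be20f04e53e011b00744642d3fe66c2c7c"
PAGE_ENC_KEY = "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da7"

HEX_RE = re.compile(r"^[0-9a-f]+$")


def generate_hex_key(algorithm):
    """Fresh random key of the size `algorithm` requires, drawn from the OS CSPRNG, as lowercase hex."""
    return os.urandom(KEY_LENGTHS[algorithm] // 2).hex()


def key_problems(algorithm, key_hex):
    """Reasons `key_hex` is unusable for `algorithm`; an empty list means the key is acceptable."""
    if algorithm not in KEY_LENGTHS:
        return [f"{algorithm}: not a permitted internal-SA algorithm in FIPS mode (DES is excluded)"]
    key_hex = key_hex.lower()
    if not HEX_RE.match(key_hex):
        return ["key is not hexadecimal"]
    want = KEY_LENGTHS[algorithm]
    if len(key_hex) != want:
        return [f"{algorithm} needs {want} hex characters, got {len(key_hex)}"]
    if algorithm == "3des-cbc":
        # Assumed extra check, beyond what the page states: NIST SP 800-67 keying option 1 needs
        # three independent subkeys; repeated subkeys collapse 3DES towards single DES.
        subkeys = {key_hex[i:i + 16] for i in (0, 16, 32)}
        if len(subkeys) != 3:
            return ["3des-cbc subkeys are not distinct"]
    return []


def spi_problems(spi):
    """The SPI must lie in the range this page gives for internal SAs."""
    return [] if SPI_MIN <= spi <= SPI_MAX else [f"spi {spi} is outside {SPI_MIN}..{SPI_MAX}"]


def direction_problems(spi, auth_alg, auth_key, enc_alg, enc_key):
    """All constraint violations for one direction block, including an algorithm in the wrong stanza."""
    problems = spi_problems(spi) + key_problems(auth_alg, auth_key) + key_problems(enc_alg, enc_key)
    if auth_alg not in AUTH_ALGORITHMS:
        problems.append(f"{auth_alg} is not an authentication algorithm")
    if enc_alg not in ENC_ALGORITHMS:
        problems.append(f"{enc_alg} is not an encryption algorithm")
    return problems


def render_direction(direction, spi, auth_alg, auth_key, enc_alg, enc_key):
    """Render one direction block as Junos set commands (assumed flattening of the page's hierarchy)."""
    problems = direction_problems(spi, auth_alg, auth_key, enc_alg, enc_key)
    if problems:
        raise ValueError("; ".join(problems))
    base = f"set security ipsec internal security-association manual direction {direction}"
    return [
        f"{base} protocol esp",
        f"{base} spi {spi}",
        f"{base} authentication algorithm {auth_alg}",
        f"{base} authentication key hexadecimal {auth_key}",
        f"{base} encryption algorithm {enc_alg}",
        f"{base} encryption key hexadecimal {enc_key}",
    ]


def render_internal_sa(bidirectional, auth_alg="hmac-sha2-256", enc_alg="3des-cbc", spi_in=512, spi_out=513):
    """Whole SA: one bidirectional block, or inbound and outbound blocks with their own SPIs and fresh keys."""
    plan = [("bidirectional", spi_in)] if bidirectional else [("inbound", spi_in), ("outbound", spi_out)]
    lines = []
    for direction, spi in plan:
        lines += render_direction(direction, spi, auth_alg, generate_hex_key(auth_alg),
                                  enc_alg, generate_hex_key(enc_alg))
    return lines


if __name__ == "__main__":
    print("\n".join(render_internal_sa(bidirectional=False)))
```

Run the script as is to get a fresh inbound/outbound pair; the generated keys are the values you would then enter twice on each Routing Engine. Feeding the page's 40-character key to the 3des-cbc check, or swapping the authentication and encryption algorithms, produces a ValueError from render_direction rather than a configuration that looks valid but cannot be committed.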
Example: Configuring Internal IPsec
Configure a bidirectional IPsec SA with an SPI value of 512 and key values conforming to the FIPS 140-2 rules. In the example, "$ABC123" is a placeholder for the key value, not a key you would enter; following the recommendation above, enter the keys as hexadecimal values of the lengths listed under Configuring the IPsec Key:
[edit security]
ipsec {
    internal {
        security-association {
            manual {
                direction bidirectional {
                    protocol esp;
                    spi 512;
                    authentication {
                        algorithm hmac-sha1-96;
                        key ascii-text "$ABC123";
                    }
                    encryption {
                        algorithm 3des-cbc;
                        key ascii-text "$ABC123";
                    }
                }
            }
        }
    }
}