JUNOS Cryptographic Security Policy Juniper Networks SRX5000 Series Services Gateways consist of models SRX5600 and SRX5800 running JUNOS-FIPS, a version of JUNOS created specifically

  • View
    213

  • Download
    1

Embed Size (px)

Text of JUNOS Cryptographic Security Policy Juniper Networks SRX5000 Series Services Gateways consist of...

  • Page 1 FIPS Policy

    Juniper Networks SRX5600 and SRX5800 Services Gateways Security Policy

    Document Version: 1.0

    Date: June 27, 2011

    Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408.745.2000 1.888 JUNIPER www.juniper.net

  • Page 2 FIPS Policy

    Table of Contents Table of Contents ....................................................................................................................................................................................... 2

    List of Tables ............................................................................................................................................................................................. 2

    1. Module Overview .................................................................................................................................................................................. 4

    2. Security Level ........................................................................................................................................................................................ 6

    3. Modes of Operation ............................................................................................................................................................................... 6

    Approved Mode of Operation ...................................................................................................................................................... 6

    Placing the Module in the Approved Mode of Operation ............................................................................................................ 7

    Non-FIPS Mode of Operation ..................................................................................................................................................... 7

    4. Ports and Interfaces ................................................................................................................................................................................ 7

    5. Identification and Authentication Policy ............................................................................................................................................... 7

    Assumption of Roles ................................................................................................................................................................... 7

    6. Access Control Policy .......................................................................................................................................................................... 10

    Roles and Services ..................................................................................................................................................................... 10

    Unauthenticated Services........................................................................................................................................................... 10

    Definition of Critical Security Parameters (CSPs) .................................................................................................................... 11

    Definition of Public Keys .......................................................................................................................................................... 12

    Definition of CSP Modes of Access .......................................................................................................................................... 13

    7. Operational Environment ..................................................................................................................................................................... 13

    8. Security Rules ..................................................................................................................................................................................... 13

    9. Physical Security Policy ...................................................................................................................................................................... 14

    Physical Security Mechanisms .................................................................................................................................................. 14

    Tamper Seal Placement ............................................................................................................................................................. 15

    10. Cryptographic Algorithm Validation ................................................................................................................................................. 18

    10. Mitigation of Other Attacks Policy .................................................................................................................................................... 18

    11. Acronyms ........................................................................................................................................................................................... 20

    About Juniper Networks .......................................................................................................................................................................... 20

    List of Tables SRX5000 Series Configurations ................................................................................................................................................................ 4 Security Level ............................................................................................................................................................................................ 6 Hardware Guides ....................................................................................................................................................................................... 7 Roles and Required Identification and Authentication .............................................................................................................................. 8 Strengths of Authentication Mechanisms .................................................................................................................................................. 9 Services Authorized for Roles ................................................................................................................................................................. 10 Table of CSPs .......................................................................................................................................................................................... 11 Table of Public Keys ................................................................................................................................................................................ 12 CSP Access Rights within Roles & Services ........................................................................................................................................... 13 Inspection/Testing of Physical Security Mechanisms .............................................................................................................................. 15

  • Page 3 FIPS Policy Cryptographic Algorithm Validation Certificates .................................................................................................................................... 18 Mitigation of Other Attacks ..................................................................................................................................................................... 18

  • Page 4 FIPS Policy

    1. Module Overview Juniper Networks SRX5000 line of services gateways is the next generation solution for securing the ever increasing network infrastructure and applications requirements for both enterprise and service provider environments. Designed from the ground up to provide flexible processing scalability, I/O scalability, and services integration, the SRX5000 line can meet the network and security requirements of data center hyper-consolidation, rapid managed services deployments, and aggregation of security solutions.

    Incorporating the routing heritage and service provider reliability of Junos OS with the rich security heritage of ScreenOS, service provider reliability, and ScreenOS security heritage, the SRX Series also offers the high feature/service integration necessary to secure modern network infrastructure and applications.

    The Juniper Networks SRX5000 Series Services Gateways consist of models SRX5600 and SRX5800 running JUNOS-FIPS, a version of JUNOS created specifically for FIPS compliance. The validated version of JUNOS-FIPS is 10.4R3; the image is junos-srx5000-10.4R3.4-fips.tgz.

    The cryptographic module is defined as a multiple-chip standalone module that executes JUNOS-FIPS firmware on any of the Juniper Networks SRX-Series gateways listed in the table below. The cryptographic boundary for the SRX5600 and SRX5800 is defined as the outer edge of the chassis, excluding the power distribution module on the rear of the device. The cryptographic modules operational environment is a limited operational environment.

    SRX5000 Series Configurations

    Series Model Hardware version

    SRX5000 Series SRX5600

    SRX5600BASE-AC, SRX5600BASE-DC

    SRX5800 SRX5800BASE-AC, SRX5800BASE-DC

  • Page 5 FIPS Policy

    Figure 1. Images of the Cryptographic Modules

    SRX5600

    SRX5800

    Figure 1 depicts the SRX series without tamper seals. For depictions of the units with tamper seals, see section 9.

  • Page 6 FIPS Policy

    2. Security Level The