Junos OS for EX Series Ethernet Switches, Release 12.1R6

Transcription

1 Junos OS for EX Series Ethernet Switches, Release 12.1R6 FIPS Published: Revision 1

2 Juniper Networks, Inc North Mathilda Avenue Sunnyvale, California USA This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright , Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain. This product includes memory allocation software developed by Mark Moraes, copyright 1988, 1989, 1993, University of Toronto. This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, The Regents of the University of California. All rights reserved. GateD software copyright 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton s EGP, UC Berkeley s routing daemon (routed), and DCN s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright 1991, D. L. S. Associates. This product includes software developed by Maker Communications, Inc., copyright 1996, 1997, Maker Communications, Inc. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785. Junos OS for EX Series Ethernet Switches, Release 12.1R6 FIPS Copyright 2011, 2012, 2013 Juniper Networks, Inc. All rights reserved. Revision History May 2013 Revision 1 The information in this document is current as of the date listed in the revision history. END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ( EULA ) posted at By downloading, installing or using such software, you agree to the terms and conditions of that EULA. ii

3 Table of Contents About This Topic Collection vii How to Use This Guide vii List of EX Series Guides for Junos OS Release vii Downloading Software ix Documentation Symbols Key x Documentation Feedback xi Requesting Technical Support xii Self-Help Online Tools and Resources xii Opening a Case with JTAC xii Part 1 Junos OS in FIPS Mode for EX Series Switches Chapter 1 Junos OS in FIPS Mode Overview Environment and Requirements Understanding Junos OS in FIPS Mode About the Cryptographic Boundary on Your EX Series Switch How FIPS Mode Differs from Non-FIPS Mode How Junos OS in FIPS Mode Differs from Junos-FIPS Validated Version of Junos OS in FIPS Mode How to Use FIPS Documentation Verifying Secure Delivery of the Product Verifying Product Integrity Verifying Product Authenticity Applying Tamper-Evident Seals to Switch Management Ports and VCP Ports for FIPS Mode and Resetting EX3300 VCP Ports as Network Ports General Tamper-Evident Seal Instructions EX3300 Switch Tamper-Evident Seal Application and Reconfiguration of VCP Ports as Network Ports EX4200 Switch Tamper-Evident Seal Application EX4500 Switch Tamper-Evident Seal Application EX6210 Switch Tamper-Evident Seal Application EX8208 Switch Tamper-Evident Seal Application EX8216 Switch Tamper-Evident Seal Application Understanding FIPS Mode Terminology and Supported Cryptographic Algorithms FIPS Terminology Supported Cryptographic Algorithms Understanding Zeroization to Clear System Data for FIPS Mode Why Zeroize? When to Zeroize? Understanding FIPS Self-Tests iii

4 Junos OS for EX Series Ethernet Switches, Release 12.1R6: FIPS Understanding FIPS Error States and System Panic FIPS System Panic Memory Allocation Error Error Recovery from Alternate Boot Media Understanding Roles and Services for Junos OS in FIPS Mode Crypto Officer Role and Responsibilities FIPS User Role and Responsibilities What Is Expected of All FIPS Users Understanding the Operational Environment for Junos OS in FIPS Mode Hardware Environment for Junos OS in FIPS Mode Software Environment for Junos OS in FIPS Mode Critical Security Parameters Understanding Requirements for Secure Communication Between Routing Engines in FIPS Mode SA Direction SPI IPsec Keys IPsec Limitations Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode Understanding Remote Access for Junos OS in FIPS Mode Understanding Event Logging for Junos OS in FIPS Mode Understanding Configuration Limitations and Restrictions on Junos OS in FIPS Mode How to Enable and Configure Junos OS in FIPS Mode Overview Chapter 2 Enabling and Configuring Junos OS in FIPS Mode Installing the Junos OS Image (FIPS Mode) Downloading Software Packages from Juniper Networks (FIPS Mode) Installing Software on an EX Series Switch with a Single Routing Engine (FIPS Mode) Installing Software on an EX Series Switch with Redundant Routing Engines (FIPS Mode) Preparing the Switch for the Software Installation Installing Software on the Backup Routing Engine Installing Software on the Default Master Routing Engine Returning Routing Control to the Default Master Routing Engine (Optional) Disabling Non-CLI User Interfaces (FIPS Mode) Zeroizing the System (FIPS Mode) Establishing Root Password Access (FIPS Mode) Setting a Switch to FIPS Mode Enabling Internal Communications Between Routing Engines (FIPS Mode) Configuring the IPsec SA on the Master Routing Engine Configuring the IPsec SA on the Backup Routing Engine Configuring Crypto Officer and FIPS User Identification and Access Configuring Crypto Officer Access Configuring FIPS User Login Access Configuring the Console Port for FIPS Mode iv

5 Table of Contents Configuring Event Logging for Junos OS in FIPS Mode Configuring Event Logging to a Local File Configuring Event Logging to a Remote Server Disabling FIPS Mode Chapter 3 Administering Junos OS in FIPS Mode on an EX Series Switch Verifying That FIPS Self-Tests Are Taking Place Chapter 4 Configuration Statements for Junos OS in FIPS Mode algorithm (FIPS) authentication (FIPS) direction (FIPS) encryption (FIPS) fips (FIPS) internal (FIPS) ipsec (FIPS) key (FIPS) level (FIPS) manual (FIPS) protocol esp (FIPS) security (FIPS) security-association (FIPS) spi (FIPS) Chapter 5 Operational Commands for Junos OS in FIPS Mode request system zeroize (FIPS) Part 2 Index Index v

6 Junos OS for EX Series Ethernet Switches, Release 12.1R6: FIPS vi

7 About This Topic Collection How to Use This Guide How to Use This Guide on page vii List of EX Series Guides for Junos OS Release 12.1 on page vii Downloading Software on page ix Documentation Symbols Key on page x Documentation Feedback on page xi Requesting Technical Support on page xii Complete documentation for the EX Series product family is provided on webpages at pathway-pages/ex-series/product/index.html. We have selected content from these webpages and created a number of EX Series guides that collect related topics into a book-like format so that the information is easy to print and easy to download to your local computer. Software features for EX Series switches are listed by platform and by Junos OS release in a standalone document. See EX Series Switch Software Features Overview. The release notes are at information-products/topic-collections/release-notes/12.1/junos-release-notes-12.1.pdf. List of EX Series Guides for Junos OS Release 12.1 Title Description Complete Hardware Guide for EX3300 Ethernet Switches Component descriptions, site preparation, installation, replacement, and safety and compliance information for EX3300 Ethernet switches Complete Hardware Guide for EX4200 Ethernet Switches Component descriptions, site preparation, installation, replacement, and safety and compliance information for EX4200 Ethernet switches Complete Hardware Guide for EX4500 Ethernet Switches Component descriptions, site preparation, installation, replacement, and safety and compliance information for EX4500 Ethernet switches vii

8 Junos OS for EX Series Ethernet Switches, Release 12.1R6: FIPS Title Description Complete Hardware Guide for EX6210 Ethernet Switches Component descriptions, site preparation, installation, replacement, and safety and compliance information for EX6210 Ethernet switches Complete Hardware Guide for EX8208 Ethernet Switches Component descriptions, site preparation, installation, replacement, and safety and compliance information for EX8208 Ethernet switches Complete Hardware Guide for EX8216 Ethernet Switches Component descriptions, site preparation, installation, replacement, and safety and compliance information for EX8216 Ethernet switches Complete Software Guide for Junos OS for EX Series Ethernet Switches, Release 12.1 Software feature descriptions, configuration examples, and tasks for Junos OS for EX Series switches Software Topic Collections Software feature descriptions, configuration examples and tasks, and reference pages for configuration statements and operational commands (This information also appears in the Complete Software Guide for Junos OS for EX Series Ethernet Switches, Release 12.1.) Junos OS for EX Series Ethernet Switches, Release 12.1: Access Control Junos OS for EX Series Ethernet Switches, Release 12.1: Configuration Management Junos OS for EX Series Ethernet Switches, Release 12.1: Class of Service Junos OS for EX Series Ethernet Switches, Release 12.1: Device Security Junos OS for EX Series Ethernet Switches, Release 12.1: Ethernet Switching Junos OS for EX Series Ethernet Switches, Release 12.1: Fibre Channel over Ethernet Junos OS for EX Series Ethernet Switches, Release 12.1: High Availability Junos OS for EX Series Ethernet Switches, Release 12.1: Interfaces Junos OS for EX Series Ethernet Switches, Release 12.1: Layer 3 Protocols Junos OS for EX Series Ethernet Switches, Release 12.1: MPLS Junos OS for EX Series Ethernet Switches, Release 12.1: Multicast Junos OS for EX Series Switches, Release 12.1: Network Management and Monitoring viii

9 About This Topic Collection Title Description Junos OS for EX Series Switches, Release 12.1: Port Security Junos OS for EX Series Switches, Release 12.1: Power over Ethernet Junos OS for EX Series Ethernet Switches, Release 12.1: Routing Policy and Packet Filtering Junos OS for EX Series Ethernet Switches, Release 12.1: Software Installation Junos OS for EX Series Ethernet Switches, Release 12.1: Spanning-Tree Protocols Junos OS for EX Series Ethernet Switches, Release 12.1: System Monitoring Junos OS for EX Series Ethernet Switches, Release 12.1: System Services Junos OS for EX Series Ethernet Switches, Release 12.1: System Setup Junos OS for EX Series Ethernet Switches, Release 12.1: User and Access Management Junos OS for EX Series Ethernet Switches, Release 12.1: User Interfaces Downloading Software You can download Junos OS for EX Series switches from the Download Software area at To download the software, you must have a Juniper Networks user account. For information about obtaining an account, see ix

10 Junos OS for EX Series Ethernet Switches, Release 12.1R6: FIPS Documentation Symbols Key Notice Icons Icon Meaning Description Informational note Indicates important features or instructions. Caution Indicates a situation that might result in loss of data or hardware damage. Warning Alerts you to the risk of personal injury or death. Laser warning Alerts you to the risk of personal injury from a laser. Text and Syntax Conventions Convention Description Examples Bold text like this Represents text that you type. To enter configuration mode, type the configure command: user@host> configure Fixed-width text like this Italic text like this Represents output that appears on the terminal screen. Introduces important new terms. Identifies book names. Identifies RFC and Internet draft titles. user@host> show chassis alarms No alarms currently active A policy term is a named structure that defines match conditions and actions. Junos OS System Basics Configuration Guide RFC 1997, BGP Communities Attribute Italic text like this Plain text like this Represents variables (options for which you substitute a value) in commands or configuration statements. Represents names of configuration statements, commands, files, and directories; IP addresses; configuration hierarchy levels; or labels on routing platform components. Configure the machine s domain name: root@# set system domain-name domain-name To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level. The console port is labeled CONSOLE. < > (angle brackets) Enclose optional keywords or variables. stub <default-metric metric>; x

11 About This Topic Collection Text and Syntax Conventions Convention Description Examples (pipe symbol) Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity. broadcast multicast (string1 string2 string3) # (pound sign) Indicates a comment specified on the same line as the configuration statement to which it applies. rsvp { # Required for dynamic MPLS only [ ] (square brackets) Enclose a variable for which you can substitute one or more values. community name members [ community-ids ] Indention and braces ( { ) Identify a level in the configuration hierarchy. routing-options { static { route default { nexthop address; retain; ; (semicolon) Identifies a leaf statement at a configuration hierarchy level. J-Web GUI Conventions Bold text like this Represents J-Web graphical user interface (GUI) items you click or select. In the Logical Interfaces box, select All Interfaces. To cancel the configuration, click Cancel. > (bold right angle bracket) Separates levels in a hierarchy of J-Web selections. In the configuration editor hierarchy, select Protocols>Ospf. Documentation Feedback We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. Send to techpubs-comments@juniper.net with the following: Document URL or title Page number if applicable Software version Your name and company xi

12 Junos OS for EX Series Ethernet Switches, Release 12.1R6: FIPS Requesting Technical Support Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC. JTAC policies For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at Product warranties For product warranty information, visit JTAC hours of operation The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: Search for known bugs: Find product documentation: Find solutions and answer questions using our Knowledge Base: Download the latest versions of software and review release notes: Search technical bulletins for relevant hardware and software notifications: Join and participate in the Juniper Networks Community Forum: Open a case online in the CSC Case Management tool: To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone. Use the Case Management tool in the CSC at Call JTAC ( toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, see xii

13 PART 1 Junos OS in FIPS Mode for EX Series Switches Junos OS in FIPS Mode Overview Environment and Requirements on page 3 Enabling and Configuring Junos OS in FIPS Mode on page 35 Administering Junos OS in FIPS Mode on an EX Series Switch on page 63 Configuration Statements for Junos OS in FIPS Mode on page 65 Operational Commands for Junos OS in FIPS Mode on page 77 1

14 Junos OS for EX Series Ethernet Switches, Release 12.1R6: FIPS 2

15 CHAPTER 1 Junos OS in FIPS Mode Overview Environment and Requirements Understanding Junos OS in FIPS Mode Understanding Junos OS in FIPS Mode on page 3 Verifying Secure Delivery of the Product on page 6 Applying Tamper-Evident Seals to Switch Management Ports and VCP Ports for FIPS Mode and Resetting EX3300 VCP Ports as Network Ports on page 7 Understanding FIPS Mode Terminology and Supported Cryptographic Algorithms on page 15 Understanding Zeroization to Clear System Data for FIPS Mode on page 19 Understanding FIPS Self-Tests on page 21 Understanding FIPS Error States and System Panic on page 21 Understanding Roles and Services for Junos OS in FIPS Mode on page 23 Understanding the Operational Environment for Junos OS in FIPS Mode on page 25 Understanding Requirements for Secure Communication Between Routing Engines in FIPS Mode on page 28 Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode on page 30 Understanding Remote Access for Junos OS in FIPS Mode on page 31 Understanding Event Logging for Junos OS in FIPS Mode on page 31 Understanding Configuration Limitations and Restrictions on Junos OS in FIPS Mode on page 32 How to Enable and Configure Junos OS in FIPS Mode Overview on page 34 Federal Information Processing Standards (FIPS) defines security levels for hardware and software that perform cryptographic functions. By meeting the applicable overall requirements within the FIPS standard, Juniper Networks EX Series Ethernet Switches running the Juniper Networks Junos operating system (Junos OS) in FIPS mode comply with the FIPS Level 1 standard. 3

16 Junos OS for EX Series Ethernet Switches, Release 12.1R6: FIPS Operating EX Series Ethernet switches in a FIPS Level 1 environment requires enabling and configuring FIPS mode on the switches from the Junos OS command-line interface (CLI). The Crypto Officer enables FIPS mode in Junos OS Release 12.1R6 and sets up keys and passwords for the system and other FIPS users who can view the configuration. Both user types can also perform normal configuration tasks on the switch (such as modify interface types) as individual user configuration allows. BEST PRACTICE: Be sure to verify the secure delivery of your switch and apply tamper-evident seals to its vulnerable ports. On EX3300 switches, be sure to reset the preconfigured Virtual Chassis ports (VCPs) as network ports. For instructions, see Verifying Secure Delivery of the Product on page 6 and Applying Tamper-Evident Seals to Switch Management Ports and VCP Ports for FIPS Mode and Resetting EX3300 VCP Ports as Network Ports on page 7. About the Cryptographic Boundary on Your EX Series Switch on page 4 How FIPS Mode Differs from Non-FIPS Mode on page 5 How Junos OS in FIPS Mode Differs from Junos-FIPS on page 5 Validated Version of Junos OS in FIPS Mode on page 6 How to Use FIPS Documentation on page 6 About the Cryptographic Boundary on Your EX Series Switch FIPS compliance requires a defined cryptographic boundary around each cryptographic module on a switch. Junos OS in FIPS mode prevents the cryptographic module from executing any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptograpic boundary of the module by, for example, being displayed on a console or written to an external log file. For the Juniper Networks EX Series switches that are certified at FIPS Level 1, the cryptographic boundary of the module is determined by the chassis type. For a list of FIPS-certified switches and the cryptographic boundary of each switch, see Table 1 on page 4. Table 1: Cryptographic Boundaries on FIPS-Certified EX Series Switches Switch Chassis Type Cryptographic Boundary EX3300 switch Fixed configuration Switch case EX4200 switch Fixed configuration Switch case EX4500 switch Fixed configuration Switch case 4

17 Chapter 1: Junos OS in FIPS Mode Overview Environment and Requirements Table 1: Cryptographic Boundaries on FIPS-Certified EX Series Switches (continued) Switch Chassis Type Cryptographic Boundary EX6210 switch with any line card configuration Modular configuration Routing Engine EX8208 switch with any line card configuration Modular configuration Routing Engine EX8216 switch with any line card configuration Modular configuration Routing Engine CAUTION: Virtual Chassis features are not supported in FIPS mode they have not been tested by Juniper Networks. Do not configure a Virtual Chassis in FIPS mode. To physically secure the cryptographic module, all EX Series switches require a tamper-evident seal on the USB port. In addition, EX4200 switches and EX4500 switches require seals on dedicated Virtual Chassis ports (VCPs). EX8208 and EX8216 switches require a seal on the auxiliary (AUX) port. Finally, you must reconfigure the EX3300 ports that are set by default as VCPs to be network ports. For details, see Applying Tamper-Evident Seals to Switch Management Ports and VCP Ports for FIPS Mode and Resetting EX3300 VCP Ports as Network Ports on page 7. How FIPS Mode Differs from Non-FIPS Mode Unlike Junos OS in non-fips mode, Junos OS in FIPS mode is a nonmodifiable operational environment. In addition, Junos OS in FIPS mode differs in the following ways from Junos OS in non-fips mode: Self-tests of all cryptographic algorithms are performed at startup. Self-tests of random number and key generation are performed continuously. Weak cryptographic algorithms such as Data Encryption Standard (DES) and Message Digest 5 (MD5) are disabled. Weak or unencrypted management connections must not be configured. Passwords must be encrypted with strong one-way algorithms that do not permit decryption. Administrator passwords must be at least 10 characters long. For specific configuration limitations and restrictions, see Understanding Configuration Limitations and Restrictions on Junos OS in FIPS Mode on page 32. How Junos OS in FIPS Mode Differs from Junos-FIPS Junos OS in FIPS mode is an operating mode of Junos OS that you enable from the Junos OS command-line interface (CLI). In contrast, the Junos-FIPS image is a separately downloadable Junos OS image available for Juniper Networks MX Series routers and SRX Series Services Gateways. 5

18 Junos OS for EX Series Ethernet Switches, Release 12.1R6: FIPS Junos OS in FIPS mode is available only on the EX Series switches listed in Table 1 on page 4 that are running Junos OS Release 12.1R6. Validated Version of Junos OS in FIPS Mode Juniper Networks submits one Junos OS release per year Junos OS Release 12.1R6, for example to the National Institute of Standards and Technology (NIST) for validation. To determine whether a Junos OS release is NIST-validated, see the software download page on the Juniper Networks Web site ( or the National Institute of Standards and Technology site at How to Use FIPS Documentation For configuration and operational tasks that are specific to FIPS mode on EX Series switches, be sure to use the documentation for Junos OS in FIPS mode. Do not use the documentation for Junos-FIPS statements and commands because the syntax and options might not apply to FIPS mode. For Junos OS configuration and operational tasks that are not specific to FIPS mode, see other EX Series hardware and software documentation at pathway-pages/ex-series/product/index.html. Related Documentation Verifying Secure Delivery of the Product on page 6 Applying Tamper-Evident Seals to Switch Management Ports and VCP Ports for FIPS Mode and Resetting EX3300 VCP Ports as Network Ports on page 7 Configuration Statements for Junos OS in FIPS Mode on page 65 Operational Commands for Junos OS in FIPS Mode on page 77 Verifying Secure Delivery of the Product Use the following checklists to verify the secure delivery of your Juniper Networks product: Verifying Product Integrity on page 6 Verifying Product Authenticity on page 7 Verifying Product Integrity To ensure that you received a product that was not tampered with, perform the following checks upon receipt of your Juniper Networks product to verify its integrity: Shipping label Ensure that the shipping label correctly identifies your correct customer name and address as well as the Juniper Networks product you ordered. Outside packaging Inspect the outside shipping box and tape. Ensure that the shipping tape has not been cut or otherwise compromised. Ensure that the box has not been cut or damaged to allow access to the product. Inside packaging Inspect the plastic bag and seal. Ensure that the bag is not cut or removed. Ensure that the seal is intact. 6

19 Chapter 1: Junos OS in FIPS Mode Overview Environment and Requirements If you identify a problem during the inspection, immediately contact the supplier and provide the order number, tracking number, and a description of the problem. Verifying Product Authenticity Perform the following checks upon receipt of your Juniper Networks product to verify its authenticity: Verify that the product was ordered using a purchase order. Juniper Networks products are never shipped without a purchase order. When a product is shipped, a shipment notification is sent to the address provided by the customer when the order is taken. Verify that this notification was received. Verify that the contains the following information: Purchase order number Juniper Networks order number used to track the shipment Carrier tracking number used to track the shipment List of items shipped, including serial numbers Address and contacts of both the supplier and the customer Perform the following additional checks to ensure that the box you received was sent by Juniper Networks and not a different company masquerading as Juniper Networks. To verify that a shipment was initiated by Juniper Networks: Compare the carrier tracking number of the Juniper Networks order number listed in the Juniper Networks shipping notification with the tracking number on the package you received. Log in to the Juniper Networks online customer support portal at to view the order status. Related Documentation Applying Tamper-Evident Seals to Switch Management Ports and VCP Ports for FIPS Mode and Resetting EX3300 VCP Ports as Network Ports on page 7 Applying Tamper-Evident Seals to Switch Management Ports and VCP Ports for FIPS Mode and Resetting EX3300 VCP Ports as Network Ports Adhesive seals applied to insecure management ports and VCP ports help secure an EX Series switch. Any damage to a seal provides evidence of physical tampering with the FIPS cryptographic module. Tamper-evident seals are shipped with your switch. As Crypto Officer, you are responsible for applying the seals to secure the cryptographic module, controlling any unused seals, and directly controlling and observing any changes 7

20 Junos OS for EX Series Ethernet Switches, Release 12.1R6: FIPS to the cryptographic module that require removing or replacing the seals such as repairs or booting from an external USB drive to maintain the security of the module. General Tamper-Evident Seal Instructions on page 8 EX3300 Switch Tamper-Evident Seal Application and Reconfiguration of VCP Ports as Network Ports on page 8 EX4200 Switch Tamper-Evident Seal Application on page 9 EX4500 Switch Tamper-Evident Seal Application on page 9 EX6210 Switch Tamper-Evident Seal Application on page 10 EX8208 Switch Tamper-Evident Seal Application on page 12 EX8216 Switch Tamper-Evident Seal Application on page 13 General Tamper-Evident Seal Instructions All FIPS-certified switches require a tamper-evident seal on the USB port. In addition, the auxiliary (AUX) port, if present on a switch, requires a seal. (For details, see the specific instructions for your switch.) For all seal applications, follow these general instructions: Handle the seals with care. Do not touch the adhesive side. Do not cut or otherwise resize a seal to make it fit. Make sure all surfaces to which the seals are applied are clean and dry and clear of any residue. Apply the seals with firm pressure across the seal to ensure adhesion. Allow at least 1 hour for the adhesive to cure. EX3300 Switch Tamper-Evident Seal Application and Reconfiguration of VCP Ports as Network Ports Apply one tamper-evident seal to the USB port to secure the EX3300 cryptographic module, as shown in Figure 1 on page 8. Figure 1: EX3300 Tamper-Evident Seal Location Chassis Front 8

21 Chapter 1: Junos OS in FIPS Mode Overview Environment and Requirements To reset the EX3300 uplink ports 2 and 3 from their default configuration as VCP ports to network ports: CAUTION: Ensure that you reconfigure the VCP ports as network ports before you put the switch into FIPS mode. 1. Delete the VCP setting on port 2: user@switch> request virtual-chassis vc-port delete pic-slot 1 port 2 2. Delete the VCP setting on port 3: user@switch> request virtual-chassis vc-port delete pic-slot 1 port 3 EX4200 Switch Tamper-Evident Seal Application Apply one tamper-evident seal to the USB port and one seal each to the VCP ports to secure the EX4200 cryptographic module, as shown in Figure 2 on page 9. Figure 2: EX4200 Tamper-Evident Seal Locations Chassis Rear EX4500 Switch Tamper-Evident Seal Application Apply one tamper-evident seal to the USB port to secure the EX4500 cryptographic module, as shown in Figure 3 on page 9. Figure 3: EX4500 Tamper-Evident Seal Location Chassis Front 9

22 Junos OS for EX Series Ethernet Switches, Release 12.1R6: FIPS If the switch has a Virtual Chassis module installed, apply one tamper-evident seal each to the VCP ports to secure the EX4500 cryptographic module, as shown in Figure 4 on page 10. Figure 4: EX4500 Tamper-Evident Seal Locations Chassis Rear EX6210 Switch Tamper-Evident Seal Application A USB port is located on each Switch Fabric and Routing Engine (SRE) module in the EX6210 chassis (Figure 5 on page 11). An EX6210 chassis can have a single SRE module or two (redundant) SRE modules. 10

23 Chapter 1: Junos OS in FIPS Mode Overview Environment and Requirements Figure 5: EX6210 SRE Module Locations Apply one tamper-evident seal to the USB port on each SRE module (Figure 6 on page 11) to secure the EX6210 cryptographic module. Figure 6: EX6210 Tamper-Evident Seal Location SRE Module NOTE: The management (MGMT) port on an EX6210 SRE module does not require a tamper-evident seal. The SRE module has a fiber MGMT port and a copper MGMT port for the same shared Ethernet management interface. Because only one MGMT port can be active at any given time, the other port is disabled. 11

24 Junos OS for EX Series Ethernet Switches, Release 12.1R6: FIPS EX8208 Switch Tamper-Evident Seal Application A USB port and an auxiliary (AUX) port are located on each SRE module in the EX8208 chassis (Figure 7 on page 12). An EX8208 chassis can have a single SRE module or two redundant SRE modules. Figure 7: EX8208 SRE Module Locations Apply two tamper-evident seals one to the USB port and one to the auxiliary (AUX) port on each SRE module to secure the EX8208 cryptographic module, as shown in Figure 8 on page

25 Chapter 1: Junos OS in FIPS Mode Overview Environment and Requirements Figure 8: EX8208 Tamper-Evident Seal Locations SRE Module EX8216 Switch Tamper-Evident Seal Application A USB port and an auxiliary (AUX) port are located on each Routing Engine (RE) module in the EX8216 chassis (Figure 9 on page 14). An EX8216 chassis can have a single RE module or two redundant RE modules. 13

26 Junos OS for EX Series Ethernet Switches, Release 12.1R6: FIPS Figure 9: EX8216 RE Module Locations Apply two tamper-evident seals one to the USB port and one to the auxiliary (AUX) port on each RE module to secure the EX8216 cryptographic module, as shown in Figure 10 on page

27 Chapter 1: Junos OS in FIPS Mode Overview Environment and Requirements Figure 10: EX8216 Tamper-Evident Seal Locations RE Module Related Documentation Understanding Junos OS in FIPS Mode on page 3 Understanding the Operational Environment for Junos OS in FIPS Mode on page 25 Understanding FIPS Mode Terminology and Supported Cryptographic Algorithms Use the definitions of FIPS terms and supported algorithms to help you understand Junos OS in FIPS mode. FIPS Terminology on page 15 Supported Cryptographic Algorithms on page 18 FIPS Terminology Critical security parameter (CSP) Security-related information for example, secret and private cryptographic keys and authentication data such as passwords and personal identification numbers (PINs) whose disclosure or modification can compromise the security of a cryptographic module or the information it protects. For details, see Understanding the Operational Environment for Junos OS in FIPS Mode on page 25. Cryptographic module The set of hardware, software, and firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary. EX Series switches are certified at FIPS Level 1. For fixed-configuration switches, the cryptographic module is the switch case. For modular switches, the cryptographic module is the Routing Engine. Crypto Officer Person with appropriate permissions who is responsible for securely enabling, configuring, monitoring, and maintaining Junos OS in FIPS mode on a switch. For details, see Understanding Roles and Services for Junos OS in FIPS Mode on page 23. ESP Encapsulating Security Payload (ESP) protocol. The part of the IPsec protocol that guarantees the confidentiality of packets through encryption. The protocol ensures that if an ESP packet is successfully decrypted, and no other party knows the secret key the peers share, the packet was not wiretapped in transit. 15

28 Junos OS for EX Series Ethernet Switches, Release 12.1R6: FIPS FIPS Federal Information Processing Standards. FIPS specifies requirements for security and cryptographic modules. Junos OS in FIPS mode complies with FIPS Level 1. FIPS maintenance role The role the Crypto Officer assumes to perform physical maintenance or logical maintenance services such as hardware or software diagnostics. For FIPS compliance, the Crypto Officer zeroizes the Routing Engine on entry to and exit from the FIPS maintenance role to erase all plain-text secret and private keys and unprotected CSPs. NOTE: The FIPS maintenance role is not supported on Junos OS in FIPS mode. Hashing A message authentication method that applies a cryptographic technique iteratively to a message of arbitrary length and produces a hash message digest or signature of fixed length that is appended to the message when sent. IKE The Internet Key Exchange (IKE) is part of IPsec and provides ways to securely negotiate the shared private keys that the AH and ESP portions of IPsec need to function properly. IKE employs Diffie-Hellman key-exchange methods and is optional in IPsec. (The shared keys can be entered manually at the endpoints.) IPsec The IP Security (IPsec) protocol. A standard way to add security to Internet communications. An IPsec security association (SA) establishes secure communication with another FIPS cryptographic module by means of mutual authentication and encryption. 16

29 Chapter 1: Junos OS in FIPS Mode Overview Environment and Requirements NOTE: An IPsec SA is required for switches running Junos OS in FIPS mode for the following reasons: Because the cryptographic boundary on modular switches is the Routing Engine, an EX6210, EX8208, or EX8216 switch with redundant Routing Engines running Junos OS in FIPS mode requires an internal, manual IPsec security association (SA) between the Routing Engines for secure communication. Because the Routing Engine on an EX3300, EX4200, or EX4500 fixed-configuration switch communicates with system processes through logical connections, the switch requires an internal, manual IPsec SA to protect those logical communications when the switch is running in FIPS mode. By default design, the switch has some innate characteristics of a master switch in a Virtual Chassis, and this use of logical communications is one such characteristic. In a multimember Virtual Chassis, the master switch s Routing Engine would send control messages to the Routing Engines of the other member switches by using those built-in logical communications. Do not configure a Virtual Chassis in FIPS mode (see the following Caution). Note, however, that the IPsec SA is required on your single switch to protect the built-in logical connections. NOTE: Virtual Chassis features are not supported in FIPS mode they have not been tested by Juniper Networks. Do not configure a Virtual Chassis in FIPS mode. For more information, see Understanding Requirements for Secure Communication Between Routing Engines in FIPS Mode on page 28. KATs Known answer tests. System self-tests that validate the output of cryptographic algorithms approved for FIPS and test the integrity of some Junos OS modules. For details, see Understanding FIPS Self-Tests on page 21. SA Security association (SA). A connection between hosts that allows them to communicate securely by defining, for example, how they exchange private keys. As Crypto Officer, you must manually configure an internal SA on switches running Junos OS in FIPS mode. All values, including the keys, must be statically specified in the configuration. On switches with more than one Routing Engine, the configuration must match on both ends of the connection between the Routing Engines. For communication to take place, each Routing Engine must have the same configured options, which need no negotiation and do not expire. For more information, see Understanding Requirements for Secure Communication Between Routing Engines in FIPS Mode on page 28. SPI Security parameter index (SPI). A numeric identifier used with the destination address and security protocol in IPsec to identify an SA. Because you manually 17

30 Junos OS for EX Series Ethernet Switches, Release 12.1R6: FIPS configure the SA for Junos OS in FIPS mode, the SPI must be entered as a parameter rather than derived randomly. SSH A protocol that uses strong authentication and encryption for remote access across a nonsecure network. SSH provides remote login, remote program execution, file copy, and other functions. It is intended as a secure replacement for rlogin, rsh, and rcp in a UNIX environment. To secure the information sent over administrative connections, use SSHv2 for CLI configuration. In Junos OS, SSHv2 is enabled by default, and SSHv1, which is not considered secure, is disabled. Zeroization Erasure of all CSPs and other user-created data on a switch before its operation as a FIPS cryptographic module or in preparation for repurposing the switch for non-fips operation. The Crypto Officer can zerioze the system with a CLI operational command. For details, see Understanding Zeroization to Clear System Data for FIPS Mode on page 19. Supported Cryptographic Algorithms Each implementation of an algorithm is checked by a series of known answer test (KAT) self-tests. Any self-test failure results in a FIPS error state. BEST PRACTICE: For FIPS compliance, use only FIPS-approved cryptographic algorithms In Junos OS in FIPS mode. The following cryptographic algorithms are supported in FIPS mode. Symmetric methods use the same key for encryption and decryption, while asymmetric methods (preferred) use different keys for encryption and decryption. AES The Advanced Encryption Standard (AES), defined in FIPS PUB 197. The AES algorithm uses keys of 128, 192, or 256 bits to encrypt and decrypt data in blocks of 128 bits. Diffie-Hellman A method of key exchange across a nonsecure environment (such as the Internet). The Diffie-Hellman algorithm negotiates a session key without sending the key itself across the network by allowing each party to pick a partial key independently and send part of that key to the other. Each side then calculates a common key value. This is a symmetrical method, and keys are typically used only for a short time, discarded, and regenerated. DSA Digital Signature Algorithm. A United States Federal Government standard for digital signatures that are used to authenticate electronic documents much as a written signature verifies the authenticity of a paper document. Each document signer has a public and private key. The signer uses the DSA with the private key to generate a digital signature on the document. The document verifier uses the DSA with the public key to verify the authenticity of the signature. DSA 1024-bit keys can be configured for use with the SSHv2 protocol. ECDH Elliptic Curve Diffie-Hellman. A variant of the Diffie-Hellman key exchange algorithm that uses cryptography based on the algebraic structure of elliptic curves over finite fields. ECDH allows two parties, each having an elliptic curve public-private 18

31 Chapter 1: Junos OS in FIPS Mode Overview Environment and Requirements key pair, to establish a shared secret over an insecure channel. The shared secret can be used either as a key or to derive another key for encrypting subsequent communications using a symmetric key cipher. ECDSA Elliptic Curve Digital Signature Algorithm. A variant of the Digital Signature Algorithm (DSA) that uses cryptography based on the algebraic structure of elliptic curves over finite fields. The bit size of the elliptic curve determines the difficulty of decrypting the key. The public key believed to be needed for ECDSA is about twice the size of the security level, in bits. ECDSA using the P-256 curve can be configured under OpenSSH. HMAC Defined as Keyed-Hashing for Message Authentication in RFC 2104, HMAC combines hashing algorithms with cryptographic keys for message authentication. For Junos OS in FIPS mode, HMAC uses the iterated cryptographic hash function SHA-1 (designated as HMAC-SHA1) along with a secret key. MAC Any general method of Message Authentication Code (MAC) that uses encryption to compute a digital fingerprint (signature) for the original message. The recipient recomputes the fingerprint and compares it to the sent fingerprint. RSA Algorithm for public key cryptography that is based on the presumed difficulty of factoring large integers of up to 2048 bits. The RSA algorithm involves three steps: key generation, encryption, and decryption. SSHv2 requires the asymmetric algorithm RSA-2048 with 2,048 bits (617 decimal digits), the largest of the RSA integers. The RSA algorithm is used in the validation of Juniper Networks signed binaries and is also available and used with the ssh command. SHA-1 A Secure Hash Algorithm (SHA) standard defined in FIPS PUB (SHA-1). Developed by NIST, SHA-1 produces a 160-bit hash for message authentication. 3DES (3des-cbc) Encryption standard based on the original Data Encryption Standard (DES) from the 1970s that used a 56-bit key and was cracked in The more secure 3DES is DES enhanced with three multiple stages and effective key lengths of about 112 bits. For Junos OS in FIPS mode, 3DES is implemented with cipher block chaining (CBC). Related Documentation Understanding FIPS Self-Tests on page 21 Understanding Zeroization to Clear System Data for FIPS Mode on page 19 Understanding Requirements for Secure Communication Between Routing Engines in FIPS Mode on page 28 Understanding Zeroization to Clear System Data for FIPS Mode Zeroization completely erases all configuration information on the Routing Engines, including all plain-text passwords, secrets, and private keys for SSH, local encryption, local authentication, and IPsec. The Crypto Officer initiates the zeroization process by entering the request system zeroize (FIPS) operational command from the CLI after enabling FIPS mode. Use of this command 19