Copyright Juniper, 2017. Version 1.10. Page 1 of 30. Juniper Networks Public Material – May be reproduced only in its original entirety (without revision).
Juniper Networks SRX5400, SRX5600, and SRX5800 Services Gateways
Non-Proprietary FIPS 140-2 Cryptographic Module Security Policy
Version: 1.10   Date: June 09, 2017
Juniper Networks, Inc., 1133 Innovation Way, Sunnyvale, California 94089 USA, 408.745.2000, 1.888.JUNIPER, www.juniper.net
Table of Contents
1 Introduction (p. 4)
1.1 Hardware and Physical Cryptographic Boundary (p. 6)
1.2 Mode of Operation (p. 11)
1.3 Zeroization (p. 12)
2 Cryptographic Functionality (p. 13)
2.1 Approved Algorithms (p. 13)
2.2 Allowed Algorithms (p. 14)
2.3 Allowed Protocols (p. 15)
2.4 Disallowed Algorithms (p. 16)
2.5 Critical Security Parameters (p. 16)
3 Roles, Authentication and Services (p. 18)
3.1 Roles and Authentication of Operators to Roles (p. 18)
3.2 Authentication Methods (p. 18)
3.3 Services (p. 18)
3.4 Non-Approved Services (p. 20)
4 Self-tests (p. 21)
5 Physical Security Policy (p. 23)
5.1 General Tamper Seal Placement and Application Instructions (p. 23)
5.2 SRX5400 (13 seals) (p. 23)
5.3 SRX5600 (18 seals) (p. 24)
5.4 SRX5800 (24 seals) (p. 26)
6 Security Rules and Guidance (p. 28)
7 References and Definitions (p. 29)

List of Tables
Table 1 – Cryptographic Module Hardware Configurations (p. 4)
Table 2 – Security Level of Security Requirements (p. 5)
Table 3 – Ports and Interfaces (p. 11)
Table 4 – Data Plane Approved Cryptographic Functions (p. 13)
Table 5 – Control Plane Authentec Approved Cryptographic Functions (p. 13)
Table 6 – OpenSSL Approved Cryptographic Functions (p. 14)
Table 7 – Allowed Cryptographic Functions (p. 14)
Table 8 – Protocols Allowed in FIPS Mode (p. 15)
Table 9 – Critical Security Parameters (CSPs) (p. 16)
Table 10 – Public Keys (p. 17)
Table 11 – Authenticated Services (p. 18)
Table 12 – Unauthenticated Traffic (p. 19)
Table 13 – CSP Access Rights within Services (p. 19)
Table 14 – Authenticated Services (p. 20)
Table 15 – Unauthenticated Traffic (p. 20)
Table 16 – Physical Security Inspection Guidelines (p. 23)
Table 17 – References (p. 29)
Table 18 – Acronyms and Definitions (p. 30)
Table 19 – Datasheets (p. 30)

List of Figures
Figure 1 – SRX5400 Front View (p. 6)
Figure 2 – SRX5400 Bottom View (p. 7)
Figure 3 – SRX5600 Profile View (p. 7)
Figure 4 – SRX5600 Rear View (p. 8)
Figure 5 – SRX5600 Left View (p. 8)
Figure 6 – SRX5800 Top View (p. 9)
Figure 7 – SRX5800 Rear View (p. 10)
Figure 8 – SRX5800 Left View (p. 10)
Figure 9 – SRX5400 – Tamper-Evident Seal Locations on Front – Six Seals (p. 24)
Figure 10 – SRX5400 – Tamper-Evident Seal Locations on Rear – Seven Seals (p. 24)
Figure 11 – SRX5600 – Tamper-Evident Seal Locations on Front – 11 Seals (p. 25)
Figure 12 – SRX5600 – Tamper-Evident Seal Locations on Rear – Seven Seals (p. 25)
Figure 13 – SRX5800 – Tamper-Evident Seal Locations on Front – 19 Seals (p. 26)
Figure 14 – SRX5800 – Tamper-Evident Seal Locations on Rear – Five Seals (p. 27)
1 Introduction

The Juniper Networks SRX Series Services Gateways are a series of secure routers that provide essential capabilities to connect, secure, and manage workforce locations sized from handfuls to hundreds of users. By consolidating fast, highly available switching, routing, security, and applications capabilities in a single device, enterprises can economically deliver new services, safe connectivity, and a satisfying end user experience. All models run Juniper’s JUNOS firmware – in this case, a specific FIPS-compliant version called JUNOS-FIPS, version 12.3X48-D30. The firmware image is junos-srx5000-12.3X48-D30.12-fips.tgz, and the firmware Status service identifies it as “Junos 12.3X48-D30.12 (FIPS edition)”.

This Security Policy covers the SRX5400, SRX5600, and SRX5800 models. They are meant for service providers, large enterprise networks, and public-sector networks.

The cryptographic modules are defined as multiple-chip standalone modules that execute JUNOS-FIPS firmware on any of the Juniper Networks SRX-Series gateways listed in the table below.
Table 1 – Cryptographic Module Hardware Configurations

Chassis | RE PN | SCB PN | SPC PN | IOC PN | Power PN | Tamper Seals PN
SRX5400 | SRX5K-RE-13-20 | SRX5K-SCB | SRX5K-SPC-4-15-320 | SRX5K-40GE-SFP | with AC HC or DC | JNPR-FIPS-TAMPER-LBLS
SRX5400 | SRX5K-RE-1800X4 | SRX5K-SCBE | SRX5K-SPC-4-15-320 | SRX-MIC-10XG-SFPP | with AC HC or DC | JNPR-FIPS-TAMPER-LBLS
SRX5600 | SRX5K-RE-13-20 | SRX5K-SCB | SRX5K-SPC-2-10-40 | SRX5K-40GE-SFP | with AC HC or DC | JNPR-FIPS-TAMPER-LBLS
SRX5600 | SRX5K-RE-1800X4 | SRX5K-SCBE | SRX5K-SPC-4-15-320 | SRX-MIC-10XG-SFPP | with AC HC or DC | JNPR-FIPS-TAMPER-LBLS
SRX5800 | SRX5K-RE-13-20 | SRX5K-SCB | SRX5K-SPC-2-10-40 | SRX-MIC-10XG-SFPP | with AC HC or DC | JNPR-FIPS-TAMPER-LBLS
SRX5800 | SRX5K-RE-1800X4 | SRX5K-SCBE | SRX5K-SPC-4-15-320 | SRX-MIC-10XG-SFPP | with AC HC or DC | JNPR-FIPS-TAMPER-LBLS
The modules are designed to meet FIPS 140-2 Level 2 overall:
Table 2 – Security Level of Security Requirements

Area | Description | Level
1 | Module Specification | 2
2 | Ports and Interfaces | 2
3 | Roles and Services | 3
4 | Finite State Model | 2
5 | Physical Security | 2
6 | Operational Environment | N/A
7 | Key Management | 2
8 | EMI/EMC | 2
9 | Self-test | 2
10 | Design Assurance | 3
11 | Mitigation of Other Attacks | N/A
Overall | | 2
The modules have a limited operational environment as per the FIPS 140-2 definitions. They include a firmware load service to support necessary updates. New firmware versions within the scope of this validation must be validated through the FIPS 140-2 CMVP. Any other firmware loaded into these modules is out of the scope of this validation and requires a separate FIPS 140-2 validation.

The modules do not implement any mitigation of other attacks as defined by FIPS 140-2.
1.1 Hardware and Physical Cryptographic Boundary

The physical forms of the module’s various models are depicted in Figures 1-11 below. For all models, the cryptographic boundary is defined as the outer edge of the chassis. The modules exclude the power supply and fan components from the requirements of FIPS 140-2. The power supplies and fans do not contain any security relevant components and cannot affect the security of the module. The excluded components are identified with red borders in the following figures. The module does not rely on external devices for input and output.
Figure 1 – SRX5400 Front View
Figure 2 – SRX5400 Bottom View
Figure 3 – SRX5600 Profile View
Figure 4 – SRX5600 Rear View
Figure 5 – SRX5600 Left View
Figure 6 – SRX5800 Top View
Figure 7 – SRX5800 Rear View
Figure 8 – SRX5800 Left View
Table 3 – Ports and Interfaces

Port | Description | Logical Interface Type
Ethernet | LAN Communications | Control in, Data in, Data out, Status out
Serial | Console serial port | Control in, Status out
Power | Power connector | Power in
Reset | Reset | Control in
LED | Status indicator lighting | Status out
USB | Firmware load port | Control in, Data in
WAN | SHDSL, VDSL, T1, E1 | Control in, Data in, Data out, Status out
1.2 Mode of Operation

Follow the instructions in Section 5 to apply the tamper seals to the module. Once the tamper seals have been applied as shown in this document, the JUNOS-FIPS firmware image is installed on the device, and integrity and self-tests have run successfully on initial power-on, the module is operating in the Approved mode. The Crypto-Officer must ensure that the backup image of the firmware is also a JUNOS-FIPS image by issuing the request system snapshot command.

If the module was previously in a non-Approved mode of operation, the Cryptographic Officer must zeroize the CSPs by following the instructions in Section 1.3.

Then, the CO must run the following commands to configure SSH to use FIPS Approved and FIPS allowed algorithms:

    co@fips-srx# set system services ssh hostkey-algorithm ssh-ecdsa
    co@fips-srx# set system services ssh hostkey-algorithm no-ssh-rsa
    co@fips-srx# set system services ssh hostkey-algorithm no-ssh-dss
    co@fips-srx# set system services ssh hostkey-algorithm no-ssh-ed25519
    co@fips-srx# commit

The CO can change the preference of SSH key exchange methods using the following command:

    co@fips-srx# set system services ssh key-exchange <algorithm>

    <algorithm> - dh-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, group-exchange-sha1, or group-exchange-sha2

The CO can change the preference of SSH cipher algorithms using the following command:

    co@fips-srx# set system services ssh ciphers <algorithm>

    <algorithm> - 3des-cbc, aes128-cbc, aes128-ctr, aes192-cbc, aes192-ctr, aes256-cbc, aes256-ctr

The CO can change the preference of SSH MAC algorithms or enable additional Approved algorithms using the following command:

    co@fips-srx# set system services ssh macs <algorithm>

    <algorithm> - hmac-sha1, hmac-sha1-96, hmac-sha2-256, hmac-sha2-512, [email protected], [email protected], [email protected], [email protected]

When AES GCM is configured as the encryption-algorithm for IKE or IPsec, the CO must run the following command to configure the algorithms:

    co@fips-srx# set security ike gateway <name> version v2-only

    <name> - the user configured name for the IKE gateway

    co@fips-srx# commit

The “show version” command will indicate whether the module is operating in FIPS mode (e.g. JUNOS Software Release [12.3X48-D30] (FIPS edition)). Run “show system services ssh” and “show security ipsec” to verify that only the FIPS Approved and FIPS allowed algorithms are configured for SSH and IPsec as specified above.
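As an added compliance check (not part of this Security Policy and not Juniper code), the following Python script reads SSH statements in the form produced by `show configuration | display set` and reports anything outside the hostkey, key-exchange, cipher and MAC selections given in this section. The configurations it runs on are constructed samples; the four MAC entries that this copy of the policy renders as “[email protected]” are not legible and are left out of the allowlist, so a device using them is reported for manual review.

```python
"""FIPS-mode SSH configuration check derived from Section 1.2 of the SRX5000
Security Policy.

Added example, not Juniper's code. Assumes the configuration is supplied as
'set ...' statements (the 'show configuration | display set' form). Sample
configurations below are constructed for illustration.
"""
import re

# hostkey-algorithm statements the policy requires the CO to commit.
HOSTKEY_REQUIRED = {"ssh-ecdsa", "no-ssh-rsa", "no-ssh-dss", "no-ssh-ed25519"}

# <algorithm> values the policy lists for each knob. Four MAC entries are not
# legible in this copy of the policy ("[email protected]") and are left out,
# so a device using them is reported here and must be checked by hand.
ALLOWED = {
    "key-exchange": {"dh-group14-sha1", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
                     "group-exchange-sha1", "group-exchange-sha2"},
    "ciphers": {"3des-cbc", "aes128-cbc", "aes128-ctr", "aes192-cbc", "aes192-ctr",
                "aes256-cbc", "aes256-ctr"},
    "macs": {"hmac-sha1", "hmac-sha1-96", "hmac-sha2-256", "hmac-sha2-512"},
}

SET_RE = re.compile(
    r"^set system services ssh (hostkey-algorithm|key-exchange|ciphers|macs) (\S+)$")


def parse_ssh_config(text):
    """Collect the values configured for each SSH knob the policy constrains.

    A knob with no statements keeps the Junos default, which this parser cannot
    see; the policy has the CO confirm those with 'show system services ssh'.
    """
    found = {"hostkey-algorithm": set(), "key-exchange": set(),
             "ciphers": set(), "macs": set()}
    for line in text.splitlines():
        match = SET_RE.match(line.strip())
        if match:
            found[match.group(1)].add(match.group(2))
    return found


def check_fips_ssh(text):
    """Return a list of findings; an empty list means the SSH statements comply."""
    cfg = parse_ssh_config(text)
    findings = []
    for statement in sorted(HOSTKEY_REQUIRED - cfg["hostkey-algorithm"]):
        findings.append(f"hostkey-algorithm: required statement '{statement}' is missing")
    for knob in ("key-exchange", "ciphers", "macs"):
        for value in sorted(cfg[knob] - ALLOWED[knob]):
            findings.append(f"{knob}: '{value}' is not in the policy's FIPS-mode list")
    return findings


# Constructed sample: the statements from Section 1.2 plus explicit preferences.
COMPLIANT_CONFIG = """\
set system services ssh hostkey-algorithm ssh-ecdsa
set system services ssh hostkey-algorithm no-ssh-rsa
set system services ssh hostkey-algorithm no-ssh-dss
set system services ssh hostkey-algorithm no-ssh-ed25519
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh ciphers aes256-ctr
set system services ssh macs hmac-sha2-256
"""

# Constructed sample: one hostkey statement missing, a legacy key-exchange
# value, and two algorithms (ARCFOUR, HMAC-MD5) that Section 2.4 disables.
NONCOMPLIANT_CONFIG = """\
set system services ssh hostkey-algorithm ssh-ecdsa
set system services ssh hostkey-algorithm no-ssh-dss
set system services ssh hostkey-algorithm no-ssh-ed25519
set system services ssh key-exchange dh-group1-sha1
set system services ssh ciphers arcfour
set system services ssh ciphers aes256-ctr
set system services ssh macs hmac-md5
"""

if __name__ == "__main__":
    for label, text in (("compliant", COMPLIANT_CONFIG),
                        ("non-compliant", NONCOMPLIANT_CONFIG)):
        print(label, check_fips_ssh(text) or "no findings")
```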
1.3 Zeroization

The cryptographic module provides a non-Approved mode of operation in which non-Approved cryptographic algorithms are supported. When transitioning between the non-Approved mode of operation and the Approved mode of operation, the Cryptographic Officer must run the following commands to zeroize the Approved mode CSPs:

    co@fips-srx> start shell
    co@fips-srx% rm -P <keyfile>

    <keyfile> - each persistent private or secret key other than the SSH host keys and the X.509 keys for IKE.

    co@fips-srx% rm -P /var/db/certs/common/certificate-request/*
    co@fips-srx% exit
    co@fips-srx> request system zeroize

Note: The Cryptographic Officer must retain control of the module while zeroization is in process.
2 Cryptographic Functionality

2.1 Approved Algorithms

The module implements the FIPS Approved and Non-Approved but Allowed cryptographic functions listed in Tables 4 to 6 below. Table 8 summarizes the high level protocol algorithm support. The module does not implement algorithms that require vendor affirmation.
Table 4 – Data Plane Approved Cryptographic Functions

CAVP Cert. | Algorithm | Mode | Description | Functions
4070, 4329 | AES [197] | CBC [38A] | Key Sizes: 128, 192, 256 | Encrypt, Decrypt
4070 | AES [197] | GCM [38D] (note 1) | Key Sizes: 128, 192, 256 | Encrypt, Decrypt, AEAD
2657, 2867 | HMAC [198] | SHA-1 | λ=96 | Message Authentication
2657, 2867 | HMAC [198] | SHA-256 | λ=128 | Message Authentication
3353, 3571 | SHS [180] | SHA-1, SHA-256 | | Message Digest Generation
2221, 2222 | Triple-DES [67] | TCBC [38A] | Key Size: 192 | Encrypt, Decrypt

Note 1: The SRX5K-SPC-2-10-40 does not support AES GCM.

Table 5 – Control Plane Authentec Approved Cryptographic Functions

Cert | Algorithm | Mode | Description | Functions
4054, 4055 | AES [197] | CBC [38A] | Key Sizes: 128, 192, 256 | Encrypt, Decrypt
4055 | AES [197] | GCM [38D] (note 1) | Key Sizes: 128, 256 | Encrypt, Decrypt, AEAD
926 | CVL | IKEv1 [135], IKEv2 [135] | SHA 1, 256, 384 | Key Derivation
1103, 1104 | DSA [186] | | (L=2048, N=224), (L=2048, N=256) | KeyGen
916, 917 | ECDSA [186] | | P-256 (SHA 256), P-384 (SHA {256}, 384) | KeyGen, SigGen, SigVer
2646, 2647 | HMAC [198] | SHA-1 | λ=96, 160 | Message Authentication, KDF Primitive
2646, 2647 | HMAC [198] | SHA-256 | λ=128, 256 | Message Authentication, KDF Primitive
2646, 2647 | HMAC [198] | SHA-384 | λ=192, 384 | Message Authentication, KDF Primitive
N/A | KTS [38F] | (AES Cert. #4054 and HMAC Cert. #2646), (AES Cert. #4055 and HMAC Cert. #2647), (Triple-DES Cert. #2224 and HMAC Cert. #2646) | | Key Wrapping / Unwrapping
2201, 2202 | RSA [186] | PKCS1_V1_5 | n=2048 (SHA 256), {n=3072 (SHA 256)} | SigGen, SigVer
3341, 3342 | SHS [180] | SHA-1, SHA-256, SHA-384 | | Message Digest Generation
2224 | Triple-DES [67] | TCBC [38A] | Key Size: 192 | Encrypt, Decrypt
Table 6 – OpenSSL Approved Cryptographic Functions

CAVP Cert. | Algorithm | Mode | Description | Functions
4056 | AES [197] | CBC [38A], CTR [38A] | Key Sizes: 128, 192, 256 | Encrypt, Decrypt
880 | CVL | SSH [135] | SHA 1, 256, 384 | Key Derivation
1216, 1399, 1401 | DRBG [90A] | HMAC | SHA-256 | Random Bit Generation
1096 | DSA [186] | | {(2048, 224)}, (2048, 256) | KeyGen
909 | ECDSA [186] | | {P-224 (SHA 256)}, P-256 (SHA 256), {P-384 (SHA 256)} | SigGen
909 | ECDSA [186] | | {P-224 (SHA 256)}, P-256 (SHA 256), P-384 (SHA {256}, 384) | KeyGen, SigVer
2648 | HMAC [198] | SHA-1 | λ=96, 160 | Message Authentication, DRBG Primitive
2648 | HMAC [198] | SHA-256 | λ=256 | Message Authentication, DRBG Primitive
2648 | HMAC [198] | SHA-512 | λ=512 | Message Authentication, DRBG Primitive
N/A | KTS [38F] | (AES Cert. #4056 and HMAC Cert. #2648), (Triple-DES Cert. #2223 and HMAC Cert. #2648) | | Key Wrapping / Unwrapping
2087 | RSA [186] | | n=2048 (SHA 256), {n=3072 (SHA 256)} | KeyGen, SigGen, SigVer
2087 | RSA [186-2] | | {n=4096 (SHA 256)} | {SigGen}
3343 | SHS [180] | SHA-1, SHA-256, SHA-384 | | Message Digest Generation, KDF Primitive
3343 | SHS [180] | SHA-512 | | Message Digest Generation
2223 | Triple-DES [67] | TCBC [38A] | Key Size: 192 | Encrypt, Decrypt
2.2 Allowed Algorithms

Table 7 – Allowed Cryptographic Functions

Algorithm | Caveat | Use
Diffie-Hellman [IG] D.8 | Provides between 112 and 192 bits of encryption strength. | key agreement; key establishment
Elliptic Curve Diffie-Hellman [IG] D.8 | Provides 128 or 192 bits of encryption strength. | key agreement; key establishment
NDRNG | | Seeding the DRBG
2.3 Allowed Protocols

Table 8 – Protocols Allowed in FIPS Mode

Protocol | Key Exchange | Auth | Cipher | Integrity
IKEv1 | Diffie-Hellman (L=2048, N=224, 256); EC Diffie-Hellman P-256, P-384 | RSA 2048; Pre-Shared Secret; ECDSA P-256; ECDSA P-384 | Triple-DES CBC; AES CBC 128/192/256 | HMAC-SHA-1-96; HMAC-SHA-256-128; HMAC-SHA-384-192
IKEv2 (note 2) | Diffie-Hellman (L=2048, N=224, 256); EC Diffie-Hellman P-256, P-384 | RSA 2048; Pre-Shared Secret; ECDSA P-256; ECDSA P-384 | Triple-DES CBC; AES CBC 128/192/256; AES GCM (note 3) 128/256 | HMAC-SHA-1-96; HMAC-SHA-256-128; HMAC-SHA-384-192
IPsec ESP | (a) IKEv1 with optional: Diffie-Hellman (L=2048, N=224, 256); EC Diffie-Hellman P-256, P-384. (b) IKEv2 with optional: Diffie-Hellman (L=2048, N=224), (2048, 256); EC Diffie-Hellman P-256, P-384 | (a) IKEv1. (b) IKEv2 | (a) 3-Key Triple-DES CBC; AES CBC 128/192/256. (b) 3-Key Triple-DES CBC; AES CBC 128/192/256; AES GCM (note 4) 128/192/256 | HMAC-SHA-1-96; HMAC-SHA-256-128
SSHv2 | Diffie-Hellman (L=2048, 3072, 4096, 6144, 7680, 8192; N=256, 320, 384, 512, 1024); EC Diffie-Hellman P-256, P-384 | ECDSA P-256 | Triple-DES CBC; AES CBC 128/192/256; AES CTR 128/192/256 | HMAC-SHA-1-96; HMAC-SHA-1; HMAC-SHA-256; HMAC-SHA-512

Note 2: IKEv2 generates the SKEYSEED according to RFC 7296.
Note 3: The GCM IV is generated according to RFC 5282.
Note 4: The GCM IV is generated according to RFC 4106.
These protocols have not been reviewed or tested by the CAVP or CMVP.

The IKE and SSH algorithms allow independent selection of key exchange, authentication, cipher and integrity. In Table 8 above, each column of options for a given protocol is independent, and may be used in any viable combination. These security functions are also available in the SSH connect (non-compliant) service.
2.4 Disallowed Algorithms

These algorithms are non-Approved algorithms that are disabled when the module is operated in an Approved mode of operation.

• ARCFOUR
• Blowfish
• CAST
• HMAC-MD5
• HMAC-RIPEMD160
• UMAC
2.5 Critical Security Parameters

All CSPs and public keys used by the module are described in this section.

Table 9 – Critical Security Parameters (CSPs)

Name | Description and usage
DRBG_Seed | Seed material used to seed or reseed the DRBG
DRBG_State | V and Key values for the HMAC_DRBG
SSH PHK | SSH Private host key. The first time SSH is configured, the keys are generated. ECDSA P-256. Used to identify the host.
SSH DH | SSH Diffie-Hellman private component. Ephemeral Diffie-Hellman private key used in SSH. Diffie-Hellman (N=256 bit, 320 bit, 384 bit, 512 bit, or 1024 bit (note 5)), EC Diffie-Hellman P-256, or EC Diffie-Hellman P-384
SSH-SEK | SSH Session Key; Session keys used with SSH. Triple-DES (3 key), AES, HMAC.
ESP-SEK | IPsec ESP Session Keys. Triple-DES (3 key), AES, HMAC.
IKE-PSK | Pre-Shared Key used to authenticate IKE connections.
IKE-Priv | IKE Private Key. RSA 2048, ECDSA P-256, or ECDSA P-384
IKE-SKEYID | IKE SKEYID. IKE secret used to derive IKE and IPsec ESP session keys.
IKE-SEK | IKE Session Keys. Triple-DES (3 key), AES, HMAC.
IKE-DH-PRI | IKE Diffie-Hellman private component. Ephemeral Diffie-Hellman private key used in IKE. Diffie-Hellman N=224 bit, EC Diffie-Hellman P-256, or EC Diffie-Hellman P-384
CO-PW | ASCII Text used to authenticate the CO.
User-PW | ASCII Text used to authenticate the User.

Note 5: SSH generates a Diffie-Hellman private key that is 2x the bit length of the longest symmetric or MAC key negotiated.

Table 10 – Public Keys

Name | Description and usage
SSH-PUB | SSH Public Host Key used to identify the host. ECDSA P-256.
SSH-DH-PUB | Diffie-Hellman public component. Ephemeral Diffie-Hellman public key used in SSH key establishment. Diffie-Hellman (L=2048 bit, 3072 bit, 4096 bit, 6144 bit, 7680 bit, or 8192 bit), EC Diffie-Hellman P-256, or EC Diffie-Hellman P-384
IKE-PUB | IKE Public Key. RSA 2048, ECDSA P-256, or ECDSA P-384
IKE-DH-PUB | Diffie-Hellman public component. Ephemeral Diffie-Hellman public key used in IKE key establishment. Diffie-Hellman L=2048 bit, EC Diffie-Hellman P-256, or EC Diffie-Hellman P-384
Auth-UPub | SSH User Authentication Public Keys. Used to authenticate users to the module. ECDSA P-256 or P-384
Auth-COPub | SSH CO Authentication Public Keys. Used to authenticate the CO to the module. ECDSA P-256 or P-384
Root CA | Juniper Root CA. ECDSA P-256 or P-384 X.509 Certificate; used to verify the validity of the Juniper Package CA at software load.
Package CA | Package CA. ECDSA P-256 X.509 Certificate; used to verify the validity of Juniper Images at software load and also at runtime integrity.
3 Roles, Authentication and Services

3.1 Roles and Authentication of Operators to Roles

The module supports two roles: Cryptographic Officer (CO) and User. The module supports concurrent operators, but does not support a maintenance role and/or bypass capability. The module enforces the separation of roles using identity-based operator authentication.

The Cryptographic Officer role configures and monitors the module via a console or SSH connection. As root or super-user, the Cryptographic Officer has permission to view and edit secrets within the module.

The User role monitors the router via the console or SSH. The User role may not change the configuration.
3.2 Authentication Methods

The module implements two forms of Identity-Based authentication: username and password over the Console and SSH, as well as username and public key over SSH.

Password authentication: The module enforces 10-character passwords (at minimum) chosen from the 96 human readable ASCII characters. The maximum password length is 20 characters.

The module enforces a timed access mechanism as follows: For the first two failed attempts (assuming 0 time to process), no timed access is enforced. Upon the third attempt, the module enforces a 5-second delay. Each failed attempt thereafter results in an additional 5-second delay above the previous (e.g. 4th failed attempt = 10-second delay, 5th failed attempt = 15-second delay, 6th failed attempt = 20-second delay, 7th failed attempt = 25-second delay).

This leads to a maximum of seven (7) possible attempts in a one-minute period for each getty. The best approach for the attacker would be to disconnect after 4 failed attempts, and wait for a new getty to be spawned. This would allow the attacker to perform roughly 9.6 attempts per minute (576 attempts per hour / 60 mins); this would be rounded down to 9 per minute, because there is no such thing as 0.6 attempts. Thus the probability of a successful random attempt is 1/96^10, which is less than 1/1 million. The probability of a success with multiple consecutive attempts in a one-minute period is 9/(96^10), which is less than 1/100,000.

ECDSA signature verification: SSH public-key authentication. Processing constraints allow for a maximum of 5.6e7 ECDSA attempts per minute. The module supports ECDSA (P-256 and P-384). The probability of a success with multiple consecutive attempts in a one-minute period is 5.6e7/(2^128).
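The timed-access schedule and the two FIPS 140-2 authentication-strength bounds above, carried through as an added Python model (not part of the Security Policy). It assumes, as the text does, that an attempt takes no time to process and that the delay is imposed after the n-th consecutive failure; it also generalizes the argument to other alphabet sizes and lengths so the margin of the 10-character minimum can be seen.

```python
"""Model of the timed-access mechanism in Section 3.2 and the FIPS 140-2
authentication strength bounds (single attempt below 1/1,000,000; one minute
of attempts below 1/100,000).

Added example, not from the Security Policy. It assumes, as the text does, that
an attempt takes no time to process and that the delay is imposed after the
n-th consecutive failure (none for n < 3, then 5 s more for each failure).
"""
from fractions import Fraction

ASCII_PRINTABLE = 96   # character set the policy counts for passwords
MIN_PASSWORD_LEN = 10  # minimum length the module enforces


def delay_after_failure(n):
    """Seconds the module waits after the n-th consecutive failed attempt."""
    return 0 if n < 3 else 5 * (n - 2)


def attempts_in_window(window_seconds=60, delay=delay_after_failure):
    """Attempts a single session (one getty) can submit inside the window.

    Attempt n is submitted at the sum of the delays imposed by attempts 1..n-1.
    """
    submitted, clock = 0, 0
    while clock < window_seconds:
        submitted += 1
        clock += delay(submitted)
    return submitted


def single_attempt_probability(alphabet=ASCII_PRINTABLE, length=MIN_PASSWORD_LEN):
    """Chance that one random guess matches a password of the minimum length."""
    return Fraction(1, alphabet ** length)


def per_minute_probability(attempts, alphabet=ASCII_PRINTABLE, length=MIN_PASSWORD_LEN):
    """Chance that 'attempts' random guesses in one minute include the password."""
    return attempts * single_attempt_probability(alphabet, length)


def meets_fips_bounds(attempts, alphabet=ASCII_PRINTABLE, length=MIN_PASSWORD_LEN):
    """True when both FIPS 140-2 authentication-strength limits hold."""
    return (single_attempt_probability(alphabet, length) < Fraction(1, 10**6)
            and per_minute_probability(attempts, alphabet, length) < Fraction(1, 10**5))


def minimum_length(attempts, alphabet=ASCII_PRINTABLE):
    """Shortest password length for which the bounds hold with this throttle."""
    length = 1
    while not meets_fips_bounds(attempts, alphabet, length):
        length += 1
    return length


if __name__ == "__main__":
    print("attempts per minute per getty:", attempts_in_window())
    # The policy argues with 9 attempts per minute for an attacker who reconnects.
    print("1/96^10 < 1e-6:", single_attempt_probability() < Fraction(1, 10**6))
    print("9/96^10 < 1e-5:", per_minute_probability(9) < Fraction(1, 10**5))
    print("shortest compliant length at 9 attempts/min:", minimum_length(9))
```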
3.3 Services

All services implemented by the module are listed in the tables below. Table 13 lists the access to CSPs by each service.

Table 11 – Authenticated Services

Service | Description | CO | User
Configure security | Security relevant configuration | x |
Configure | Non-security relevant configuration | x |
Secure Traffic | IPsec protected connection (ESP) | x |
Status | Show status | x | x
Zeroize | Destroy all CSPs | x |
SSH connect | Initiate SSH connection for SSH monitoring and control (CLI) | x | x
IPsec connect | Initiate IPsec connection (IKE) | x |
Console access | Console monitoring and control (CLI) | x | x
Remote reset | Software initiated reset | x |

Table 12 – Unauthenticated Traffic

Service | Description
Local reset | Hardware reset or power cycle
Traffic | Traffic requiring no cryptographic services
Table 13 – CSP Access Rights within Services

Service | DRBG_Seed | DRBG_State | SSH PHK | SSH DH | SSH-SEK | ESP-SEK | IKE-PSK | IKE-Priv | IKE-SKEYID | IKE-SEK | IKE-DH-PRI | CO-PW | User-PW
Configure security | -- | E | GW | -- | -- | -- | RW | RGW | -- | -- | -- | RW | RW
Configure | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | --
Secure traffic | -- | -- | -- | -- | -- | E | -- | -- | -- | E | -- | -- | --
Status | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | --
Zeroize | -- | Z | Z | -- | -- | -- | Z | Z | -- | -- | -- | Z | Z
SSH connect | -- | E | E | GE | GE | -- | -- | -- | -- | -- | -- | E | E
IPsec connect | -- | E | -- | -- | -- | G | E | E | G | G | G | -- | --
Console access | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | E | E
Remote reset | GEZ | G | -- | Z | Z | Z | -- | -- | Z | Z | Z | Z | Z
Local reset | GEZ | G | -- | Z | Z | Z | -- | -- | Z | Z | Z | Z | Z
Traffic | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | -- | --

G = Generate: The module generates the CSP.
R = Read: The CSP is read from the module (e.g. the CSP is output).
E = Execute: The module executes using the CSP.
W = Write: The CSP is updated or written to the module.
Z = Zeroize: The module zeroizes the CSP.
3.4 Non-Approved Services

The following services are available in the non-Approved mode of operation. The security functions provided by the non-Approved services are identical to the Approved counterparts with the exception of SSH Connect (non-compliant). SSH Connect (non-compliant) supports the security functions identified in Section 2.4 and the SSHv2 row of Table 8.

Table 14 – Authenticated Services

Service | Description | CO | User
Configure security (non-compliant) | Security relevant configuration | x |
Configure (non-compliant) | Non-security relevant configuration | x |
Secure Traffic (non-compliant) | IPsec protected connection (ESP) | x |
Status (non-compliant) | Show status | x | x
Zeroize (non-compliant) | Destroy all CSPs | x |
SSH connect (non-compliant) | Initiate SSH connection for SSH monitoring and control (CLI) | x | x
IPsec connect (non-compliant) | Initiate IPsec connection (IKE) | x |
Console access (non-compliant) | Console monitoring and control (CLI) | x | x
Remote reset (non-compliant) | Software initiated reset | x |

Table 15 – Unauthenticated Traffic

Service | Description
Local reset (non-compliant) | Hardware reset or power cycle
Traffic (non-compliant) | Traffic requiring no cryptographic services
4 Self-tests

Each time the module is powered up it tests that the cryptographic algorithms still operate correctly and that sensitive data have not been damaged. Power-up self-tests are available on demand by power cycling the module.

On power up or reset, the module performs the self-tests described below. All KATs must be completed successfully prior to any other use of cryptography by the module. If one of the KATs fails, the module enters the Critical Failure error state.

The module performs the following power-up self-tests:

• Firmware Integrity check using ECDSA P-256 with SHA-256
• Data Plane KATs
  o AES-CBC (128/192/256) Encrypt KAT
  o AES-CBC (128/192/256) Decrypt KAT
  o Triple-DES-CBC Encrypt KAT
  o Triple-DES-CBC Decrypt KAT
  o HMAC-SHA-1 KAT
  o HMAC-SHA-256 KAT
  o AES-GCM (128/192/256) Encrypt KAT (Note: Except on SRX5K-SPC-2-10-40, which does not support AES GCM)
  o AES-GCM (128/192/256) Decrypt KAT (Note: Except on SRX5K-SPC-2-10-40, which does not support AES GCM)
• Control Plane Authentec KATs
  o RSA 2048 w/ SHA-256 Sign KAT
  o RSA 2048 w/ SHA-256 Verify KAT
  o ECDSA P-256 w/ SHA-256 Sign/Verify PCT
  o Triple-DES-CBC Encrypt KAT
  o Triple-DES-CBC Decrypt KAT
  o HMAC-SHA-1 KAT
  o HMAC-SHA-256 KAT
  o HMAC-SHA-384 KAT
  o AES-CBC (128/192/256) Encrypt KAT
  o AES-CBC (128/192/256) Decrypt KAT
  o AES-GCM (128/256) Encrypt KAT
  o AES-GCM (128/256) Decrypt KAT
  o KDF-IKE-V1 KAT
  o KDF-IKE-V2 KAT
• OpenSSL KATs
  o SP 800-90A HMAC DRBG KAT
    § Health-tests initialize, re-seed, and generate.
  o ECDSA P-256 Sign/Verify PCT
  o EC Diffie-Hellman P-256 KAT
    § Derivation of the expected shared secret.
  o RSA 2048 w/ SHA-256 Sign KAT
  o RSA 2048 w/ SHA-256 Verify KAT
  o Triple-DES-CBC Encrypt KAT
  o Triple-DES-CBC Decrypt KAT
  o HMAC-SHA-1 KAT
  o HMAC-SHA-256 KAT
  o HMAC-SHA-512 KAT
  o SHA (256/384/512) KAT
  o AES-CBC (128/192/256) Encrypt KAT
  o AES-CBC (128/192/256) Decrypt KAT
  o KDF-SSH KAT
• Critical Function Test
  o The cryptographic module performs a verification of a limited operational environment and verification of optional non-critical packages.

The module also performs the following conditional self-tests:

• Continuous RNG Test on the SP 800-90A HMAC-DRBG
• Continuous RNG test on the NDRNG
• Pairwise consistency test when generating ECDSA and RSA key pairs.
• Firmware Load Test (ECDSA signature verification)
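The self-test discipline this section describes, as an added Python sketch that is not the module's firmware: every known-answer test must pass before any cryptographic service is offered, a single failure moves the module to the Critical Failure state, and a continuous RNG test runs as a conditional self-test on each output. Only the SHS and HMAC KATs are implemented (with published FIPS 180 and RFC 2202/4231 vectors); the AES, Triple-DES, RSA/ECDSA and KDF tests of the real module are not reproduced.

```python
"""Power-up and conditional self-test discipline from Section 4, as a small
state machine: every KAT must pass before any cryptographic service is
offered, and one failure moves the module to the Critical Failure state.

Added example, not the module's firmware. The SHS and HMAC KATs use Python's
hashlib/hmac with published test vectors; the AES, Triple-DES, RSA/ECDSA and
KDF tests that the real module runs are not reproduced here.
"""
import hashlib
import hmac
import os

# Known-answer vectors: SHA-256("abc") (FIPS 180-4 example), HMAC-SHA-1 and
# HMAC-SHA-256 test case 1 of RFC 2202 / RFC 4231 (key = 20 bytes of 0x0b).
KATS = [
    ("SHA-256", lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA-1", lambda: hmac.new(b"\x0b" * 20, b"Hi There", "sha1").hexdigest(),
     "b617318655057264e28bc0b6fb378c8ef146be00"),
    ("HMAC-SHA-256", lambda: hmac.new(b"\x0b" * 20, b"Hi There", "sha256").hexdigest(),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


class CryptoModule:
    POWER_UP = "power-up"
    OPERATIONAL = "operational"
    CRITICAL_FAILURE = "critical-failure"

    def __init__(self, kats=KATS, rng=os.urandom):
        self.state = self.POWER_UP
        self.kats = kats
        self._rng = rng             # entropy source under continuous RNG test
        self._last_block = None
        self.log = []               # (test name, result) for the operator

    def power_on(self):
        """Run every KAT; stop at the first failure, as Section 4 requires."""
        self.state = self.POWER_UP
        self._last_block = None
        for name, compute, expected in self.kats:
            passed = hmac.compare_digest(compute(), expected)
            self.log.append((name, "pass" if passed else "FAIL"))
            if not passed:
                self.state = self.CRITICAL_FAILURE
                return self.state
        self.state = self.OPERATIONAL
        return self.state

    def services_available(self):
        return self.state == self.OPERATIONAL

    def _require_operational(self):
        if self.state != self.OPERATIONAL:
            raise RuntimeError(f"cryptographic services refused: state is {self.state}")

    def random_bytes(self, n=32):
        """Conditional self-test: consecutive outputs of the RNG must differ."""
        self._require_operational()
        block = self._rng(n)
        if self._last_block is not None and block == self._last_block:
            self.state = self.CRITICAL_FAILURE
            raise RuntimeError("continuous RNG test failed")
        self._last_block = block
        return block

    def mac(self, key, data):
        """An approved service, reachable only once the self-tests have passed."""
        self._require_operational()
        return hmac.new(key, data, "sha256").digest()


if __name__ == "__main__":
    module = CryptoModule()
    print("power-on result:", module.power_on(), module.log)
    # Corrupt one expected value to show the Critical Failure path.
    broken = CryptoModule(kats=KATS + [("HMAC-SHA-256 (corrupted vector)", KATS[2][1], "00" * 32)])
    print("power-on with a failing KAT:", broken.power_on(),
          "services available:", broken.services_available())
```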
5 Physical Security Policy

The module’s physical embodiment is that of a multi-chip standalone device that meets Level 2 Physical Security requirements. The module is completely enclosed in a rectangular nickel or clear zinc coated, cold rolled steel, plated steel and brushed aluminum enclosure. There are no ventilation holes, gaps, slits, cracks, slots, or crevices that would allow for any sort of observation of any component contained within the cryptographic boundary. Tamper-evident seals allow the operator to tell if the enclosure has been breached. These seals are not factory-installed and must be applied by the Cryptographic Officer. (Seals are available for order from Juniper using part number JNPR-FIPS-TAMPER-LBLS.) The tamper-evident seals shall be installed for the module to operate in a FIPS mode of operation.

The Cryptographic Officer is responsible for securing and having control at all times of any unused seals and the direct control and observation of any changes to the module, such as reconfigurations where the tamper-evident seals or security appliances are removed or installed, to ensure the security of the module is maintained during such changes and the module is returned to a FIPS Approved state.
Table 16 – Physical Security Inspection Guidelines

Physical Security Mechanism | Recommended Frequency of Inspection/Test | Inspection/Test Guidance Details
Tamper seals, opaque metal enclosure. | Once per month by the Cryptographic Officer. | Seals should be free of any tamper evidence.

If the Cryptographic Officer observes tamper evidence, it shall be assumed that the device has been compromised. The Cryptographic Officer shall retain control of the module and perform Zeroization of the module's CSPs by following the steps in Section 1.3 of the Security Policy.
5.1 General Tamper Seal Placement and Application Instructions
For all seal applications, the Cryptographic Officer should observe the following instructions:
• Handle the seals with care. Do not touch the adhesive side.
• Before applying a seal, ensure the location of application is clean, dry, and clear of any residue.
• Place the seal on the module, applying firm pressure across it to ensure adhesion. Allow at least 1 hour for the adhesive to cure.
5.2 SRX5400 (13 seals)
Tamper-evident seals shall be applied to the following locations:
• Front Pane:
  o Two seals, vertical, connected to the topmost (non-honeycomb) sub-pane. They extend to the thin pane below and the honeycomb panel above.
  o One seal, vertical, across the thin pane. Extends to the blank pane below and the sub-pane above.
  o Three seals, vertical, one on each "long" horizontal sub-pane. Each attaches to the sub-pane above and the one below (or the chassis, if it's the bottommost sub-pane). Ensure one of the seals extends to the left sub-pane below the thin sub-pane.
• Back Pane:
  o Four seals, vertical: one on each of the top four sub-panes, extending to the large chassis plate below.
  o One seal, vertical: on the horizontal screwed-in plate resting on the large central chassis. Should extend to the chassis in both directions.
  o Two seals, horizontal: placed on the low side sub-panes, extending to the large central chassis area and wrapping around to the neighboring side panes.
Figure 9 - SRX5400 - Tamper-Evident Seal Locations on Front - Six Seals
Figure 10 - SRX5400 - Tamper-Evident Seal Locations on Rear - Seven Seals
5.3 SRX5600 (18 seals)
Tamper-evident seals must be applied to the following locations:
• Front Pane:
  o Eleven seals, vertical: one for each horizontal sub-pane (excluding the honeycomb plate on the top and the thin sub-pane a little below), a second for the top (non-honeycomb) sub-pane, and an extra for the bottom. The seals should attach to vertically adjacent sub-panes. The extra on the bottom attaches to the lowermost sub-pane and wraps around, attaching to the bottom pane. It should be ensured that one of the seals spans across the thin plate with ample extra distance on each side.
• Back Pane:
  o Five seals, vertical: one on each of the upper four sub-panes, attaching to the large plate below.
  o Two seals, horizontal: one on each of the vertical side sub-panes, extending to both the large central plate and the side panes.
Figure 11 - SRX5600 - Tamper-Evident Seal Locations on Front - 11 Seals
Figure 12 - SRX5600 - Tamper-Evident Seal Locations on Rear - Seven Seals
5.4 SRX5800 (24 seals)
Tamper-evident seals shall be applied to the following locations:
• Front Pane:
  o Fourteen seals, horizontal: one on each of the long vertical sub-panes, extending to the neighboring two. If on an end sub-pane, the seal should wrap around to the side.
  o Three seals, vertical: one over each of the thin panes – two near the bottom, one near the top of the lower half.
  o Two seals, vertical: both on the console area at the top of the module, one extending to the top and the other extending to the chassis area below.
• Back Pane:
  o Five seals, horizontal: three spanning the gaps between the vertical sub-panels, and then two more, one each on the far edges of the left and right panels. (These last two should wrap around to the sides.)
Figure 13 - SRX5800 - Tamper-Evident Seal Locations on Front - 19 Seals
Figure 14 - SRX5800 - Tamper-Evident Seal Locations on Rear - Five Seals
6 Security Rules and Guidance
The module design corresponds to the security rules below. The term must in this context specifically refers to a requirement for correct usage of the module in the Approved mode; all other statements indicate a security rule implemented by the module.
1. The module clears previous authentications on power cycle.
2. When the module has not been placed in a valid role, the operator does not have access to any cryptographic services.
3. Power up self-tests do not require any operator action.
4. Data output is inhibited during key generation, self-tests, zeroization, and error states.
5. Status information does not contain CSPs or sensitive data that if misused could lead to a compromise of the module.
6. There are no restrictions on which keys or CSPs are zeroized by the zeroization service.
7. The module does not support a maintenance interface or role.
8. The module does not support manual key entry.
9. The module does not output intermediate key values.
10. The module requires two independent internal actions to be performed prior to outputting plaintext CSPs.
11. The cryptographic officer must determine whether firmware being loaded is a legacy use of the firmware load service.
12. The cryptographic officer must retain control of the module while zeroization is in process.
7 References and Definitions
The following standards are referred to in this Security Policy.
Table 17 – References
Abbreviation | Full Specification Name
[FIPS 140-2] | Security Requirements for Cryptographic Modules, May 25, 2001.
[SP 800-131A] | Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, January 2011.
[IG] | Implementation Guidance for FIPS PUB 140-2 and the Cryptographic Module Validation Program.
[135] | National Institute of Standards and Technology, Recommendation for Existing Application-Specific Key Derivation Functions, Special Publication 800-135 rev1, December 2011.
[186] | National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-4, July 2013.
[186-2] | National Institute of Standards and Technology, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-2, January 2000.
[197] | National Institute of Standards and Technology, Advanced Encryption Standard (AES), Federal Information Processing Standards Publication 197, November 26, 2001.
[38A] | National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation, Methods and Techniques, Special Publication 800-38A, December 2001.
[38D] | National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, Special Publication 800-38D, November 2007.
[38F] | National Institute of Standards and Technology, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping, Special Publication 800-38F, December 2012.
[198] | National Institute of Standards and Technology, The Keyed-Hash Message Authentication Code (HMAC), Federal Information Processing Standards Publication 198-1, July 2008.
[180] | National Institute of Standards and Technology, Secure Hash Standard, Federal Information Processing Standards Publication 180-4, August 2015.
[67] | National Institute of Standards and Technology, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher, Special Publication 800-67, May 2004.
[90A] | National Institute of Standards and Technology, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, Special Publication 800-90A, June 2015.
Table 18 – Acronyms and Definitions
Acronym | Definition
AES | Advanced Encryption Standard
DH | Diffie-Hellman
DSA | Digital Signature Algorithm
ECDH | Elliptic Curve Diffie-Hellman
ECDSA | Elliptic Curve Digital Signature Algorithm
EMC | Electromagnetic Compatibility
ESP | Encapsulating Security Payload
FIPS | Federal Information Processing Standard
HMAC | Keyed-Hash Message Authentication Code
ICV | Integrity Check Value (i.e. Tag)
IKE | Internet Key Exchange Protocol
IOC | Input/Output Card
IPsec | Internet Protocol Security
MD5 | Message Digest 5
NPC | Network Processing Card
RE | Routing Engine
RSA | Public-key encryption technology developed by RSA Data Security, Inc.
SHA | Secure Hash Algorithms
SPC | Services Processing Card
SSH | Secure Shell
Triple-DES | Triple-Data Encryption Standard
Table 19 – Datasheets
Model | Title | URL
SRX5400, SRX5600, SRX5800 | SRX Series Service Gateways for service provider, large enterprise, and public sector networks. | http://www.juniper.net/assets/us/en/local/pdf/datasheets/1000254-en.pdf