Juniper MX240 Admin Guide

Junos® OS

Common Criteria Conguraon Guide for

MX240, MX480, and MX960 Devices

with MX-SPC3 Services Card

Published

2023-12-25

RELEASE

22.2R1

Juniper Networks, Inc.

1133 Innovaon Way

Sunnyvale, California 94089

USA

408-745-2000

www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc.

in the United States and other countries. All other trademarks, service marks, registered marks, or registered service

marks are the property of their respecve owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right

to change, modify, transfer, or otherwise revise this publicaon without noce.

Junos® OS Common Criteria Conguraon Guide for MX240, MX480, and MX960 Devices with MX-SPC3 Services

Card

22.2R1

The informaon in this document is current as of the date on the tle page.

YEAR 2000 NOTICE

Juniper Networks hardware and soware products are Year 2000 compliant. Junos OS has no known me-related

limitaons through the year 2038. However, the NTP applicaon is known to have some diculty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentaon consists of (or is intended for use

with) Juniper Networks soware. Use of such soware is subject to the terms and condions of the End User License

Agreement ("EULA") posted at hps://support.juniper.net/support/eula/. By downloading, installing or using such

soware, you agree to the terms and condions of that EULA.

ii

Table of Contents

About This Guide | vi

1

Overview

Common Criteria Evaluated Conguraon Overview | 2

Junos OS in FIPS Mode of Operaon Overview | 3

Overview of FIPS Terminology and Supported Cryptographic Algorithms | 5

Idenfy Secure Product Delivery | 8

Management Interfaces Overview | 9

2

Congure Roles and Authencaon Methods

Overview of Roles and Services for Junos OS | 12

Overview of the Operaonal Environment for Junos OS in FIPS Mode | 14

Overview of Password Specicaons and Guidelines for Junos OS in FIPS Mode | 18

Download Soware Packages from Juniper Networks | 19

Install Junos Soware Packages | 20

Overview of Zeroizaon to Clear System Data for FIPS Mode | 23

Zeroize the System | 24

Enable FIPS Mode | 26

Congure Security Administrator and FIPS User Idencaon and Access | 28

Congure Security Administrator Access | 28

Congure FIPS User Login Access | 30

3

Congure Administrave Credenals and Privileges

Understanding the Associated Password Rules for an Authorized Administrator | 34

Conguring a Network Device Collaborave Protecon Prole Authorized

Administrator | 36

iii

Customize Time | 37

Inacvity Timeout Period Conguraon, and Local and Remote Idle Session

Terminaon | 38

Congure Session Terminaon | 38

Sample Output for Local Administrave Session Terminaon | 40

Sample Output for Remote Administrave Session Terminaon | 40

Sample Output for User Iniated Terminaon | 41

4

Congure SSH and Console Connecon

Congure a System Login Message and Announcement | 43

Congure SSH on the Evaluated Conguraon for NDcPPv2.2e | 44

Limit the Number of User Login Aempts for SSH Sessions | 45

5

Congure the Remote Syslog Server

Sample Syslog Server Conguraon on a Linux System | 49

6

Congure Audit Log Opons

Congure Audit Log Opons in the Evaluated Conguraon | 57

Congure Audit Log Opons | 57

Sample Code Audits of Conguraon Changes | 58

7

Congure Event Logging

Event Logging Overview | 62

Interpret Event Messages | 79

Log Changes to Secret Data | 80

Login and Logout Events Using SSH | 81

Logging of Audit Startup | 82

8

Congure VPNs

MOD_VPN | 84

MOD_VPN Overview | 84

iv

Supported IPsec-IKE Algorithms | 85

Congure VPN on a Device Running Junos OS | 88

Conguring Firewall Rules | 111

9

Perform Self-Tests on a Device

FIPS Self-Tests Overview | 122

10

Operaonal Commands

request vmhost zeroize no-forwarding | 127

v

About This Guide

Use this guide to congure and evaluate MX240, MX480, and MX960 devices for Common Criteria (CC)

compliance. Common Criteria for informaon technology is an internaonal agreement signed by

several countries that permit the evaluaon of security products against a common set of standards.

RELATED DOCUMENTATION

Common Criteria and FIPS Cercaons

vi

1

CHAPTER

Overview

Common Criteria Evaluated Conguraon Overview | 2

Junos OS in FIPS Mode of Operaon Overview | 3

Overview of FIPS Terminology and Supported Cryptographic Algorithms | 5

Idenfy Secure Product Delivery | 8

Management Interfaces Overview | 9

Common Criteria Evaluated Conguraon Overview

IN THIS SECTION

Common Criteria Overview | 2

Supported Plaorms | 3

This document describes the steps required to duplicate the conguraon of the device running Junos

OS when the device is evaluated. This is referred to as the evaluated conguraon. The following list

describes the standards to which the device has been evaluated:

• NDcPPv2.2e—hps://www.niap-ccevs.org/MMO/PP/CPP_ND_V2.2E.pdf

• MOD_VPN—hps://www.niap-ccevs.org/Prole/Info.cfm?PPID=449

The Archived Protecon Proles documents are available at hps://www.niap-ccevs.org/Prole/PP.cfm?

archived=1.

NOTE: MX240, MX480, and MX960 devices with Junos OS Release 22.2R1 is cered for

Common Criteria with FIPS mode enabled on the devices.

Common Criteria Overview

Common Criteria for informaon technology is an internaonal agreement signed by several countries

that permits the evaluaon of security products against a common set of standards. In the Common

Criteria Recognion Arrangement (CCRA) at hps://www.commoncriteriaportal.org/ccra/, the

parcipants agree to mutually recognize evaluaons of products performed in other countries. All

evaluaons are performed using a common methodology for informaon technology security

evaluaon.

For more informaon on Common Criteria, see hps://www.commoncriteriaportal.org/.

2

Supported Plaorms

For the features described in this document, the following plaorms are supported with MX-SPC3

Services Card.

The NDcPPv2.2e and MOD_VPN apply to:

• MX240 (hps://www.juniper.net/us/en/products/routers/mx-series/mx240-universal-roung-

plaorm.html)

• MX480 (hps://www.juniper.net/us/en/products/routers/mx-series/mx480-universal-roung-

plaorm.html)

• MX960 (hps://www.juniper.net/us/en/products/routers/mx-series/mx960-universal-roung-

plaorm.html)

RELATED DOCUMENTATION

Idenfy Secure Product Delivery | 8

Junos OS in FIPS Mode of Operaon Overview

IN THIS SECTION

About the Cryptographic Boundary on Your Device | 4

How FIPS Mode of Operaon Diers from Non-FIPS Mode of Operaon | 4

Validated Version of Junos OS in FIPS Mode of Operaon | 5

Federal Informaon Processing Standards (FIPS) 140-3 denes security levels for hardware and soware

that perform cryptographic funcons. Junos-FIPS is a version of the Junos operang system (Junos OS)

that complies with Federal Informaon Processing Standard (FIPS) 140-3.

Operang your security devices in a FIPS 140-3 Level 2 environment requires enabling and conguring

FIPS mode of operaon on the device from the Junos OS command-line interface (CLI).

3

The

Security Administrator

enables FIPS mode of operaon in Junos OS Release 22.2R1 and sets up

keys and passwords for the system and other

FIPS users

who can view the conguraon. Both user

types can also perform normal conguraon tasks on the device (such as modify interface types) as

individual user conguraon allows.

BEST PRACTICE: Be sure to verify the secure delivery of your device and apply tamper-

evident seals to its vulnerable ports.

About the Cryptographic Boundary on Your Device

FIPS 140-3 compliance requires a dened

cryptographic boundary

around each

cryptographic module

on a device. Junos OS in FIPS mode of operaon prevents the cryptographic module from running any

soware that is not part of the FIPS-cered distribuon, and allows only FIPS-approved cryptographic

algorithms to be used. No crical security parameters (CSPs), such as passwords and keys, can cross the

cryptographic boundary of the module by, for example, being displayed on a console or wrien to an

external log le.

CAUTION: Virtual Chassis features are not supported in FIPS mode of operaon. Do

not congure a Virtual Chassis in FIPS mode of operaon.

To physically secure the cryptographic module, all Juniper Networks devices require a tamper-evident

seal on the USB and mini-USB ports.

How FIPS Mode of Operaon Diers from Non-FIPS Mode of Operaon

Unlike Junos OS in non-FIPS mode of operaon, Junos OS in FIPS mode of operaon is a

nonmodiable

operaonal environment

. In addion, Junos OS in FIPS mode of operaon diers in the following ways

from Junos OS in non-FIPS mode of operaon:

• Self-tests of all cryptographic algorithms are performed at startup.

• Self-tests of random number and key generaon are performed connuously.

• Weak cryptographic algorithms such as Data Encrypon Standard (DES) and MD5 are disabled.

• Weak, remote, or unencrypted management connecons must not be congured. However, TOE

allows local and un-encrypted console access across all modes of operaon.

4

• Passwords must be encrypted with strong one-way algorithms that do not permit decrypon.

• Junos-FIPS administrator passwords must be at least 10 characters long.

• Cryptographic keys must be encrypted before transmission.

The FIPS 140-3 standard is available for download from the Naonal Instute of Standards and

Technology (NIST) at hp://csrc.nist.gov/publicaons/ps/ps140-3/ps1402.pdf.

Validated Version of Junos OS in FIPS Mode of Operaon

To determine whether a Junos OS release is NIST-validated, see the compliance page on the Juniper

Networks Web site (hps://apps.juniper.net/compliance).

RELATED DOCUMENTATION

Idenfy Secure Product Delivery | 8

Overview of FIPS Terminology and Supported

Cryptographic Algorithms

IN THIS SECTION

FIPS Terminology | 6

Supported Cryptographic Algorithms | 7

Use the denions of FIPS terms, and supported algorithms to help you understand Junos OS in FIPS

mode.

5

FIPS Terminology

Crical security

parameter (CSP)

Security-related informaon—for example, secret and private cryptographic keys and

authencaon data such as passwords and personal idencaon numbers (PINs)—

whose disclosure or modicaon can compromise the security of a cryptographic

module or the informaon it protects.

Cryptographic

module

The set of hardware, soware, and rmware that implements approved security

funcons (including cryptographic algorithms and key generaon) and is contained

within the cryptographic boundary.

Security

Administrator

Person with appropriate permissions who is responsible for securely enabling,

conguring, monitoring, and maintaining Junos OS in FIPS mode of operaon on a

device. For details, see "Junos OS in FIPS Mode of Operaon Overview" on page 3.

ESP Encapsulang Security Payload (ESP) protocol. The part of the IPsec protocol that

guarantees the condenality of packets through encrypon. The protocol ensures

that if an ESP packet is successfully decrypted, and no other party knows the secret

key the peers share, the packet was not wiretapped in transit.

FIPS Federal Informaon Processing Standards. FIPS 140-3 species requirements for

security and cryptographic modules. Junos OS in FIPS mode of operaon complies

with FIPS 140-3 Level 2.

IKE The Internet Key Exchange (IKE) is part of IPsec and provides ways to securely

negoate the shared private keys that the authencaon header (AH) and ESP

porons of IPsec need to funcon properly. IKE employs Die-Hellman key-

exchange methods and is oponal in IPsec. (The shared keys can be entered manually

at the endpoints.)

IPsec The IP Security (IPsec) protocol. A standard way to add security to Internet

communicaons. An IPsec security associaon (SA) establishes secure

communicaon with another FIPS cryptographic module by means of mutual

authencaon and encrypon.

KATs Known answer tests. System self-tests that validate the output of cryptographic

algorithms approved for FIPS and test the integrity of some Junos OS modules. For

details, see "FIPS Self-Tests Overview" on page 122.

SA Security associaon (SA). A connecon between hosts that allows them to

communicate securely by dening, for example, how they exchange private keys. As

Security Administrator, you must manually congure an internal SA on devices

6

running Junos OS in FIPS mode of operaon. All values, including the keys, must be

stacally specied in the conguraon.

SPI Security parameter index (SPI). A numeric idener used with the desnaon address

and security protocol in IPsec to idenfy an SA. Because you manually congure the

SA for Junos OS in FIPS mode of operaon, the SPI must be entered as a parameter

rather than derived randomly.

SSH A protocol that uses strong authencaon and encrypon for remote access across a

nonsecure network. SSH provides remote login, remote program execuon, le copy,

and other funcons. It is intended as a secure replacement for rlogin, rsh, and rcp in a

UNIX environment. To secure the informaon sent over administrave connecons,

use SSHv2 for CLI conguraon. In Junos OS, SSHv2 is enabled by default, and

SSHv1, which is not considered secure, is disabled.

Zeroizaon Erasure of all CSPs and other user-created data on a device before its operaon as a

FIPS cryptographic module—or in preparaon for repurposing the device for non-

FIPS operaon. The Security Administrator can zeroize the system with a CLI

operaonal command. For details, see "Overview of Zeroizaon to Clear System Data

for FIPS Mode" on page 23.

Supported Cryptographic Algorithms

Each implementaon of an algorithm is checked by a series of known answer test (KAT) self-tests. Any

self-test failure results in a FIPS error state.

BEST PRACTICE: For FIPS 140-3 compliance, use only FIPS-approved cryptographic

algorithms in Junos OS in FIPS mode of operaon.

The following cryptographic algorithms are supported in FIPS mode of operaon. Symmetric methods

use the same key for encrypon and decrypon, while asymmetric methods (preferred) use dierent

keys for encrypon and decrypon.

AES The Advanced Encrypon Standard (AES), dened in FIPS PUB 197. The AES algorithm uses

keys of 128, 192, or 256 bits to encrypt and decrypt data in blocks of 128 bits.

Die-

Hellman

A method of key exchange across a nonsecure environment (such as the Internet). The

Die-Hellman algorithm negoates a session key without sending the key itself across the

network by allowing each party to pick a paral key independently and send part of that key

7

to the other. Each side then calculates a common key value. This is a symmetrical method,

and keys are typically used only for a short me, discarded, and regenerated.

ECDH Ellipc Curve Die-Hellman. A variant of the Die-Hellman key exchange algorithm that

uses cryptography based on the algebraic structure of ellipc curves over nite elds. ECDH

allows two pares, each having an ellipc curve public-private key pair, to establish a shared

secret over an insecure channel. The shared secret can be used either as a key or to derive

another key for encrypng subsequent communicaons using a symmetric key cipher.

ECDSA Ellipc Curve Digital Signature Algorithm. A variant of the Digital Signature Algorithm (DSA)

that uses cryptography based on the algebraic structure of ellipc curves over nite elds.

The bit size of the ellipc curve determines the diculty of decrypng the key. The public

key believed to be needed for ECDSA is about twice the size of the security level, in bits.

ECDSA using the P-256, P-384, or the P-521 curve can be congured under OpenSSH.

HMAC Dened as “Keyed-Hashing for Message Authencaon” in RFC 2104, HMAC combines

hashing algorithms with cryptographic keys for message authencaon. For Junos OS in

FIPS mode of operaon, HMAC uses the iterated cryptographic hash funcon SHA-1

(designated as HMAC-SHA1) along with a secret key.

RELATED DOCUMENTATION

FIPS Self-Tests Overview | 122

Overview of Zeroizaon to Clear System Data for FIPS Mode | 23

Idenfy Secure Product Delivery

There are several mechanisms provided in the delivery process to ensure that a customer receives a

product that has not been tampered with. The customer should perform the following checks upon

receipt of a device to verify the integrity of the plaorm.

• Shipping label—Ensure that the shipping label correctly idenes the correct customer name and

address as well as the device.

• Outside packaging—Inspect the outside shipping box and tape. Ensure that the shipping tape has not

been cut or otherwise compromised. Ensure that the box has not been cut or damaged to allow

access to the device.

8

• Inside packaging—Inspect the plasc bag and seal. Ensure that the bag is not cut or removed. Ensure

that the seal remains intact.

If the customer idenes a problem during the inspecon, he or she should immediately contact the

supplier. Provide the order number, tracking number, and a descripon of the idened problem to the

supplier.

Addionally, there are several checks that can be performed to ensure that the customer has received a

box sent by Juniper Networks and not a dierent company masquerading as Juniper Networks. The

customer should perform the following checks upon receipt of a device to verify the authencity of the

device:

• Verify that the device was ordered using a purchase order. Juniper Networks devices are never

shipped without a purchase order.

• When a device is shipped, a shipment nocaon is sent to the e-mail address provided by the

customer when the order is taken. Verify that this e-mail nocaon was received. Verify that the e-

mail contains the following informaon:

• Purchase order number

• Juniper Networks order number used to track the shipment

• Carrier tracking number used to track the shipment

• List of items shipped including serial numbers

• Address and contacts of both the supplier and the customer

• Verify that the shipment was iniated by Juniper Networks. To verify that a shipment was iniated

by Juniper Networks, you should perform the following tasks:

• Compare the carrier tracking number of the Juniper Networks order number listed in the Juniper

Networks shipping nocaon with the tracking number on the package received.

• Log on to the Juniper Networks online customer support portal at hps://support.juniper.net/

support/ to view the order status. Compare the carrier tracking number or the Juniper Networks

order number listed in the Juniper Networks shipment nocaon with the tracking number on

the package received.

Management Interfaces Overview

The following management interfaces can be used in the evaluated conguraon:

9

• Local Management Interfaces—The RJ-45 console port on the device is congured as RS-232 data

terminal equipment (DTE). You can use the command-line interface (CLI) over this port to congure

the device from a terminal.

• Remote Management Protocols—The device can be remotely managed over any Ethernet interface.

SSHv2 is the only permied remote management protocol that can be used in the evaluated

conguraon. The remote management protocols J-Web and Telnet are not available for use on the

device.

10

2

CHAPTER

Congure Roles and Authencaon

Methods

Overview of Roles and Services for Junos OS | 12

Overview of the Operaonal Environment for Junos OS in FIPS Mode | 14

Overview of Password Specicaons and Guidelines for Junos OS in FIPS Mode |

18

Download Soware Packages from Juniper Networks | 19

Install Junos Soware Packages | 20

Overview of Zeroizaon to Clear System Data for FIPS Mode | 23

Zeroize the System | 24

Enable FIPS Mode | 26

Congure Security Administrator and FIPS User Idencaon and Access | 28

Overview of Roles and Services for Junos OS

IN THIS SECTION

Security Administrator Role and Responsibilies | 12

FIPS User Role and Responsibilies | 13

What Is Expected of All FIPS Users | 13

The Security Administrator is associated with the dened login class security-admin, which has the

necessary permission set to permit the administrator to perform all tasks necessary to manage Junos

OS. Administrave users (Security Administrator) must provide unique idencaon and authencaon

data before any administrave access to the system is granted.

Security Administrator roles and responsibilies are as follows:

1. Security Administrator can administer locally and remotely.

2. Create, modify, delete administrator accounts, including conguraon of authencaon failure

parameters.

3. Re-enable an Administrator account.

4. Responsible for the conguraon and maintenance of cryptographic elements related to the

establishment of secure connecons to and from the evaluated product.

The Juniper Networks Junos operang system (Junos OS) running in non-FIPS mode allows a wide range

of capabilies for users, and authencaon is identy-based.

Security Administrator performs all FIPS-mode-related conguraon tasks and issue all statements and

commands for Junos OS in FIPS mode.

Security Administrator Role and Responsibilies

The Security Administrator is the person responsible for enabling, conguring, monitoring, and

maintaining Junos OS in FIPS mode on a device. The Security Administrator securely installs Junos OS

on the device, enables FIPS mode, establishes keys and passwords for other users and soware

modules, and inializes the device before network connecon.

12

BEST PRACTICE: We recommend that the Security Administrator administer the system in a

secure manner by keeping passwords secure and checking audit les.

The permissions that disnguish the Security Administrator from other FIPS users are secret, security,

maintenance, and control. Assign the Security Administrator to a login class that contains all of these

permissions.

Among the tasks related to Junos OS in FIPS mode, the Security Administrator is expected to:

• Set the inial root password. The length of the password should be at least 10 characters.

• Reset user passwords with FIPS-approved algorithms.

• Examine log and audit les for events of interest.

• Erase user-generated les, keys, and data by zeroizing the device.

FIPS User Role and Responsibilies

All FIPS users, including the Security Administrator, can view the conguraon. Only the user assigned

as the Security Administrator can modify the conguraon.

FIPS user can view status output but cannot reboot or zeroize the device.

What Is Expected of All FIPS Users

All FIPS users, including the Security Administrator, must observe security guidelines at all mes.

All FIPS users must:

• Keep all passwords condenal.

• Store devices and documentaon in a secure area.

• Deploy devices in secure areas.

• Check audit les periodically.

• Conform to all other FIPS 140-3 security rules.

• Follow these guidelines:

13

• Users are trusted.

• Users abide by all security guidelines.

• Users do not deliberately compromise security.

• Users behave responsibly at all mes.

RELATED DOCUMENTATION

Zeroize the System | 24

Overview of the Operaonal Environment for Junos

OS in FIPS Mode

IN THIS SECTION

Hardware Environment for Junos OS in FIPS Mode | 14

Soware Environment for Junos OS in FIPS Mode | 15

Crical Security Parameters | 16

A Juniper Networks device running the Juniper Networks Junos operang system (Junos OS) in FIPS

mode forms a special type of hardware and soware operaonal environment that is dierent from the

environment of a device in non-FIPS mode:

Hardware Environment for Junos OS in FIPS Mode

Junos OS in FIPS mode establishes a cryptographic boundary in the device that no crical security

parameters (CSPs) can cross using plain text. Each hardware component of the device that requires a

cryptographic boundary for FIPS 140-3 compliance is a separate cryptographic module. There are two

types of hardware with cryptographic boundaries in Junos OS in FIPS mode: one for each Roung

Engine and one for enre chassis.

14

Page is loading ...

Juniper MX240 Admin Guide

This manual is also suitable for

Juniper MX240 Admin Guide

Related papers

Other documents