Juniper MX480, MX240, MX960 Admin Guide

Junos® OS
Common Criteria Configuration Guide for
MX240, MX480, and MX960 Devices
with MX-SPC3 Services Card
Published
2023-12-25
RELEASE
22.2R1
Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Junos® OS Common Criteria Configuration Guide for MX240, MX480, and MX960 Devices with MX-SPC3 Services Card
22.2R1
Copyright © 2023 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
Table of Contents
About This Guide
1 Overview
  Common Criteria Evaluated Configuration Overview
  Junos OS in FIPS Mode of Operation Overview
  Overview of FIPS Terminology and Supported Cryptographic Algorithms
  Identify Secure Product Delivery
  Management Interfaces Overview
2 Configure Roles and Authentication Methods
  Overview of Roles and Services for Junos OS
  Overview of the Operational Environment for Junos OS in FIPS Mode
  Overview of Password Specifications and Guidelines for Junos OS in FIPS Mode
  Download Software Packages from Juniper Networks
  Install Junos Software Packages
  Overview of Zeroization to Clear System Data for FIPS Mode
  Zeroize the System
  Enable FIPS Mode
  Configure Security Administrator and FIPS User Identification and Access
  Configure Security Administrator Access
  Configure FIPS User Login Access
3 Configure Administrative Credentials and Privileges
  Understanding the Associated Password Rules for an Authorized Administrator
  Configuring a Network Device Collaborative Protection Profile Authorized Administrator
  Customize Time
  Inactivity Timeout Period Configuration, and Local and Remote Idle Session Termination
  Configure Session Termination
  Sample Output for Local Administrative Session Termination
  Sample Output for Remote Administrative Session Termination
  Sample Output for User Initiated Termination
4 Configure SSH and Console Connection
  Configure a System Login Message and Announcement
  Configure SSH on the Evaluated Configuration for NDcPPv2.2e
  Limit the Number of User Login Attempts for SSH Sessions
5 Configure the Remote Syslog Server
  Sample Syslog Server Configuration on a Linux System
6 Configure Audit Log Options
  Configure Audit Log Options in the Evaluated Configuration
  Configure Audit Log Options
  Sample Code Audits of Configuration Changes
7 Configure Event Logging
  Event Logging Overview
  Interpret Event Messages
  Log Changes to Secret Data
  Login and Logout Events Using SSH
  Logging of Audit Startup
8 Configure VPNs
  MOD_VPN
  MOD_VPN Overview
  Supported IPsec-IKE Algorithms
  Configure VPN on a Device Running Junos OS
  Configuring Firewall Rules
9 Perform Self-Tests on a Device
  FIPS Self-Tests Overview
10 Operational Commands
  request vmhost zeroize no-forwarding
About This Guide
Use this guide to configure and evaluate MX240, MX480, and MX960 devices for Common Criteria (CC) compliance. Common Criteria for information technology is an international agreement signed by several countries that permits the evaluation of security products against a common set of standards.
RELATED DOCUMENTATION
Common Criteria and FIPS Certifications
CHAPTER 1
Overview
  Common Criteria Evaluated Configuration Overview
  Junos OS in FIPS Mode of Operation Overview
  Overview of FIPS Terminology and Supported Cryptographic Algorithms
  Identify Secure Product Delivery
  Management Interfaces Overview
Common Criteria Evaluated Configuration Overview
IN THIS SECTION
  Common Criteria Overview
  Supported Platforms
This document describes the steps required to duplicate the configuration of the device running Junos OS when the device is evaluated. This is referred to as the evaluated configuration. The following list describes the standards to which the device has been evaluated:
• NDcPPv2.2e—https://www.niap-ccevs.org/MMO/PP/CPP_ND_V2.2E.pdf
• MOD_VPN—https://www.niap-ccevs.org/Profile/Info.cfm?PPID=449
The Archived Protection Profiles documents are available at https://www.niap-ccevs.org/Profile/PP.cfm?archived=1.
NOTE: MX240, MX480, and MX960 devices with Junos OS Release 22.2R1 are certified for Common Criteria with FIPS mode enabled on the devices.
Common Criteria Overview
Common Criteria for information technology is an international agreement signed by several countries that permits the evaluation of security products against a common set of standards. In the Common Criteria Recognition Arrangement (CCRA) at https://www.commoncriteriaportal.org/ccra/, the participants agree to mutually recognize evaluations of products performed in other countries. All evaluations are performed using a common methodology for information technology security evaluation.
For more information on Common Criteria, see https://www.commoncriteriaportal.org/.
Supported Platforms
For the features described in this document, the following platforms are supported with the MX-SPC3 Services Card.
The NDcPPv2.2e and MOD_VPN apply to:
• MX240 (https://www.juniper.net/us/en/products/routers/mx-series/mx240-universal-routing-platform.html)
• MX480 (https://www.juniper.net/us/en/products/routers/mx-series/mx480-universal-routing-platform.html)
• MX960 (https://www.juniper.net/us/en/products/routers/mx-series/mx960-universal-routing-platform.html)
RELATED DOCUMENTATION
Identify Secure Product Delivery
Junos OS in FIPS Mode of Operation Overview
IN THIS SECTION
  About the Cryptographic Boundary on Your Device
  How FIPS Mode of Operation Differs from Non-FIPS Mode of Operation
  Validated Version of Junos OS in FIPS Mode of Operation
Federal Information Processing Standards (FIPS) 140-3 defines security levels for hardware and software that perform cryptographic functions. Junos-FIPS is a version of the Junos operating system (Junos OS) that complies with Federal Information Processing Standard (FIPS) 140-3.
Operating your security devices in a FIPS 140-3 Level 2 environment requires enabling and configuring FIPS mode of operation on the device from the Junos OS command-line interface (CLI).
The Security Administrator enables FIPS mode of operation in Junos OS Release 22.2R1 and sets up keys and passwords for the system and other FIPS users who can view the configuration. Both user types can also perform normal configuration tasks on the device (such as modify interface types) as individual user configuration allows.
BEST PRACTICE: Be sure to verify the secure delivery of your device and apply tamper-evident seals to its vulnerable ports.
About the Cryptographic Boundary on Your Device
FIPS 140-3 compliance requires a defined cryptographic boundary around each cryptographic module on a device. Junos OS in FIPS mode of operation prevents the cryptographic module from running any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic boundary of the module by, for example, being displayed on a console or written to an external log file.
CAUTION: Virtual Chassis features are not supported in FIPS mode of operation. Do not configure a Virtual Chassis in FIPS mode of operation.
To physically secure the cryptographic module, all Juniper Networks devices require a tamper-evident seal on the USB and mini-USB ports.
How FIPS Mode of Operation Differs from Non-FIPS Mode of Operation
Unlike Junos OS in non-FIPS mode of operation, Junos OS in FIPS mode of operation is a nonmodifiable operational environment. In addition, Junos OS in FIPS mode of operation differs in the following ways from Junos OS in non-FIPS mode of operation:
• Self-tests of all cryptographic algorithms are performed at startup.
• Self-tests of random number and key generation are performed continuously.
• Weak cryptographic algorithms such as Data Encryption Standard (DES) and MD5 are disabled.
• Weak, remote, or unencrypted management connections must not be configured. However, TOE allows local and unencrypted console access across all modes of operation.
• Passwords must be encrypted with strong one-way algorithms that do not permit decryption.
• Junos-FIPS administrator passwords must be at least 10 characters long.
• Cryptographic keys must be encrypted before transmission.
The FIPS 140-3 standard is available for download from the National Institute of Standards and Technology (NIST) at http://csrc.nist.gov/publications/fips/fips140-3/fips1402.pdf.
Validated Version of Junos OS in FIPS Mode of Operation
To determine whether a Junos OS release is NIST-validated, see the compliance page on the Juniper Networks Web site (https://apps.juniper.net/compliance).
RELATED DOCUMENTATION
Identify Secure Product Delivery
Overview of FIPS Terminology and Supported Cryptographic Algorithms
IN THIS SECTION
  FIPS Terminology
  Supported Cryptographic Algorithms
Use the definitions of FIPS terms and supported algorithms to help you understand Junos OS in FIPS mode.
FIPS Terminology
Critical security parameter (CSP)
  Security-related information—for example, secret and private cryptographic keys and authentication data such as passwords and personal identification numbers (PINs)—whose disclosure or modification can compromise the security of a cryptographic module or the information it protects.
Cryptographic module
  The set of hardware, software, and firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary.
Security Administrator
  Person with appropriate permissions who is responsible for securely enabling, configuring, monitoring, and maintaining Junos OS in FIPS mode of operation on a device. For details, see "Junos OS in FIPS Mode of Operation Overview".
ESP
  Encapsulating Security Payload (ESP) protocol. The part of the IPsec protocol that guarantees the confidentiality of packets through encryption. The protocol ensures that if an ESP packet is successfully decrypted, and no other party knows the secret key the peers share, the packet was not wiretapped in transit.
FIPS
  Federal Information Processing Standards. FIPS 140-3 specifies requirements for security and cryptographic modules. Junos OS in FIPS mode of operation complies with FIPS 140-3 Level 2.
IKE
  The Internet Key Exchange (IKE) is part of IPsec and provides ways to securely negotiate the shared private keys that the authentication header (AH) and ESP portions of IPsec need to function properly. IKE employs Diffie-Hellman key-exchange methods and is optional in IPsec. (The shared keys can be entered manually at the endpoints.)
IPsec
  The IP Security (IPsec) protocol. A standard way to add security to Internet communications. An IPsec security association (SA) establishes secure communication with another FIPS cryptographic module by means of mutual authentication and encryption.
KATs
  Known answer tests. System self-tests that validate the output of cryptographic algorithms approved for FIPS and test the integrity of some Junos OS modules. For details, see "FIPS Self-Tests Overview".
SA
  Security association (SA). A connection between hosts that allows them to communicate securely by defining, for example, how they exchange private keys. As Security Administrator, you must manually configure an internal SA on devices running Junos OS in FIPS mode of operation. All values, including the keys, must be statically specified in the configuration.
SPI
  Security parameter index (SPI). A numeric identifier used with the destination address and security protocol in IPsec to identify an SA. Because you manually configure the SA for Junos OS in FIPS mode of operation, the SPI must be entered as a parameter rather than derived randomly.
SSH
  A protocol that uses strong authentication and encryption for remote access across a nonsecure network. SSH provides remote login, remote program execution, file copy, and other functions. It is intended as a secure replacement for rlogin, rsh, and rcp in a UNIX environment. To secure the information sent over administrative connections, use SSHv2 for CLI configuration. In Junos OS, SSHv2 is enabled by default, and SSHv1, which is not considered secure, is disabled.
Zeroization
  Erasure of all CSPs and other user-created data on a device before its operation as a FIPS cryptographic module—or in preparation for repurposing the device for non-FIPS operation. The Security Administrator can zeroize the system with a CLI operational command. For details, see "Overview of Zeroization to Clear System Data for FIPS Mode".
Supported Cryptographic Algorithms
Each implementation of an algorithm is checked by a series of known answer test (KAT) self-tests. Any self-test failure results in a FIPS error state.
BEST PRACTICE: For FIPS 140-3 compliance, use only FIPS-approved cryptographic algorithms in Junos OS in FIPS mode of operation.
The following cryptographic algorithms are supported in FIPS mode of operation. Symmetric methods use the same key for encryption and decryption, while asymmetric methods (preferred) use different keys for encryption and decryption.
AES
  The Advanced Encryption Standard (AES), defined in FIPS PUB 197. The AES algorithm uses keys of 128, 192, or 256 bits to encrypt and decrypt data in blocks of 128 bits.
Diffie-Hellman
  A method of key exchange across a nonsecure environment (such as the Internet). The Diffie-Hellman algorithm negotiates a session key without sending the key itself across the network by allowing each party to pick a partial key independently and send part of that key to the other. Each side then calculates a common key value. This is a symmetrical method, and keys are typically used only for a short time, discarded, and regenerated.
ECDH
  Elliptic Curve Diffie-Hellman. A variant of the Diffie-Hellman key exchange algorithm that uses cryptography based on the algebraic structure of elliptic curves over finite fields. ECDH allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret over an insecure channel. The shared secret can be used either as a key or to derive another key for encrypting subsequent communications using a symmetric key cipher.
ECDSA
  Elliptic Curve Digital Signature Algorithm. A variant of the Digital Signature Algorithm (DSA) that uses cryptography based on the algebraic structure of elliptic curves over finite fields. The bit size of the elliptic curve determines the difficulty of decrypting the key. The public key believed to be needed for ECDSA is about twice the size of the security level, in bits. ECDSA using the P-256, P-384, or the P-521 curve can be configured under OpenSSH.
HMAC
  Defined as “Keyed-Hashing for Message Authentication” in RFC 2104, HMAC combines hashing algorithms with cryptographic keys for message authentication. For Junos OS in FIPS mode of operation, HMAC uses the iterated cryptographic hash function SHA-1 (designated as HMAC-SHA1) along with a secret key.
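The KAT self-test behavior described at the start of this section, applied to the HMAC-SHA1 entry above, as an added example that is not Juniper's code: it checks an HMAC-SHA1 implementation against two RFC 2202 test vectors and refuses service after a failure. The CryptoModule class, its state names, and broken_hmac_sha1 are hypothetical and only model the behavior.

```python
import hashlib
import hmac

# HMAC-SHA1 known answers from RFC 2202, section 3 (test cases 1 and 2).
KAT_VECTORS = [
    (b"\x0b" * 20, b"Hi There",
     "b617318655057264e28bc0b6fb378c8ef146be00"),
    (b"Jefe", b"what do ya want for nothing?",
     "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"),
]


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """Reference implementation under test (Python standard library)."""
    return hmac.new(key, msg, hashlib.sha1).digest()


def broken_hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """Constructed faulty implementation: silently drops the last key byte."""
    return hmac.new(key[:-1], msg, hashlib.sha1).digest()


class CryptoModule:
    """Hypothetical model: MAC services are offered only after the KATs pass."""

    def __init__(self, mac_impl):
        self._mac = mac_impl
        self.state = "UNINITIALIZED"

    def run_self_tests(self) -> bool:
        """Run every known-answer vector; any mismatch is a hard failure."""
        for key, msg, expected_hex in KAT_VECTORS:
            actual = self._mac(key, msg)
            if not hmac.compare_digest(actual, bytes.fromhex(expected_hex)):
                self.state = "ERROR"  # stays in error until re-initialized
                return False
        self.state = "OPERATIONAL"
        return True

    def authenticate(self, key: bytes, msg: bytes) -> bytes:
        """Compute a tag; refused unless the self-tests have passed."""
        if self.state != "OPERATIONAL":
            raise RuntimeError("module state is %s; service refused" % self.state)
        return self._mac(key, msg)

    def verify(self, key: bytes, msg: bytes, tag: bytes) -> bool:
        """Constant-time comparison of a received tag against a fresh one."""
        return hmac.compare_digest(self.authenticate(key, msg), tag)


if __name__ == "__main__":
    for impl in (hmac_sha1, broken_hmac_sha1):
        module = CryptoModule(impl)
        passed = module.run_self_tests()
        print(impl.__name__, "KAT passed:", passed, "state:", module.state)
```
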
RELATED DOCUMENTATION
FIPS Self-Tests Overview
Overview of Zeroization to Clear System Data for FIPS Mode
Identify Secure Product Delivery
There are several mechanisms provided in the delivery process to ensure that a customer receives a product that has not been tampered with. The customer should perform the following checks upon receipt of a device to verify the integrity of the platform.
• Shipping label—Ensure that the shipping label correctly identifies the correct customer name and address as well as the device.
• Outside packaging—Inspect the outside shipping box and tape. Ensure that the shipping tape has not been cut or otherwise compromised. Ensure that the box has not been cut or damaged to allow access to the device.
• Inside packaging—Inspect the plastic bag and seal. Ensure that the bag is not cut or removed. Ensure that the seal remains intact.
If the customer identifies a problem during the inspection, he or she should immediately contact the supplier. Provide the order number, tracking number, and a description of the identified problem to the supplier.
Additionally, there are several checks that can be performed to ensure that the customer has received a box sent by Juniper Networks and not a different company masquerading as Juniper Networks. The customer should perform the following checks upon receipt of a device to verify the authenticity of the device:
• Verify that the device was ordered using a purchase order. Juniper Networks devices are never shipped without a purchase order.
• When a device is shipped, a shipment notification is sent to the e-mail address provided by the customer when the order is taken. Verify that this e-mail notification was received. Verify that the e-mail contains the following information:
  • Purchase order number
  • Juniper Networks order number used to track the shipment
  • Carrier tracking number used to track the shipment
  • List of items shipped including serial numbers
  • Address and contacts of both the supplier and the customer
• Verify that the shipment was initiated by Juniper Networks. To verify that a shipment was initiated by Juniper Networks, you should perform the following tasks:
  • Compare the carrier tracking number of the Juniper Networks order number listed in the Juniper Networks shipping notification with the tracking number on the package received.
  • Log on to the Juniper Networks online customer support portal at https://support.juniper.net/support/ to view the order status. Compare the carrier tracking number or the Juniper Networks order number listed in the Juniper Networks shipment notification with the tracking number on the package received.
Management Interfaces Overview
The following management interfaces can be used in the evaluated configuration:
• Local Management Interfaces—The RJ-45 console port on the device is configured as RS-232 data terminal equipment (DTE). You can use the command-line interface (CLI) over this port to configure the device from a terminal.
• Remote Management Protocols—The device can be remotely managed over any Ethernet interface. SSHv2 is the only permitted remote management protocol that can be used in the evaluated configuration. The remote management protocols J-Web and Telnet are not available for use on the device.
CHAPTER 2
Configure Roles and Authentication Methods
  Overview of Roles and Services for Junos OS
  Overview of the Operational Environment for Junos OS in FIPS Mode
  Overview of Password Specifications and Guidelines for Junos OS in FIPS Mode
  Download Software Packages from Juniper Networks
  Install Junos Software Packages
  Overview of Zeroization to Clear System Data for FIPS Mode
  Zeroize the System
  Enable FIPS Mode
  Configure Security Administrator and FIPS User Identification and Access
Overview of Roles and Services for Junos OS
IN THIS SECTION
  Security Administrator Role and Responsibilities
  FIPS User Role and Responsibilities
  What Is Expected of All FIPS Users
The Security Administrator is associated with the defined login class security-admin, which has the necessary permission set to permit the administrator to perform all tasks necessary to manage Junos OS. Administrative users (Security Administrator) must provide unique identification and authentication data before any administrative access to the system is granted.
Security Administrator roles and responsibilities are as follows:
1. Security Administrator can administer locally and remotely.
2. Create, modify, delete administrator accounts, including configuration of authentication failure parameters.
3. Re-enable an Administrator account.
4. Responsible for the configuration and maintenance of cryptographic elements related to the establishment of secure connections to and from the evaluated product.
The Juniper Networks Junos operating system (Junos OS) running in non-FIPS mode allows a wide range of capabilities for users, and authentication is identity-based.
The Security Administrator performs all FIPS-mode-related configuration tasks and issues all statements and commands for Junos OS in FIPS mode.
Security Administrator Role and Responsibilities
The Security Administrator is the person responsible for enabling, configuring, monitoring, and maintaining Junos OS in FIPS mode on a device. The Security Administrator securely installs Junos OS on the device, enables FIPS mode, establishes keys and passwords for other users and software modules, and initializes the device before network connection.
BEST PRACTICE: We recommend that the Security Administrator administer the system in a secure manner by keeping passwords secure and checking audit files.
The permissions that distinguish the Security Administrator from other FIPS users are secret, security, maintenance, and control. Assign the Security Administrator to a login class that contains all of these permissions.
Among the tasks related to Junos OS in FIPS mode, the Security Administrator is expected to:
• Set the initial root password. The length of the password should be at least 10 characters.
• Reset user passwords with FIPS-approved algorithms.
• Examine log and audit files for events of interest.
• Erase user-generated files, keys, and data by zeroizing the device.
FIPS User Role and Responsibilities
All FIPS users, including the Security Administrator, can view the configuration. Only the user assigned as the Security Administrator can modify the configuration.
FIPS users can view status output but cannot reboot or zeroize the device.
What Is Expected of All FIPS Users
All FIPS users, including the Security Administrator, must observe security guidelines at all times.
All FIPS users must:
• Keep all passwords confidential.
• Store devices and documentation in a secure area.
• Deploy devices in secure areas.
• Check audit files periodically.
• Conform to all other FIPS 140-3 security rules.
Follow these guidelines:
• Users are trusted.
• Users abide by all security guidelines.
• Users do not deliberately compromise security.
• Users behave responsibly at all times.
RELATED DOCUMENTATION
Zeroize the System
Overview of the Operational Environment for Junos OS in FIPS Mode
IN THIS SECTION
  Hardware Environment for Junos OS in FIPS Mode
  Software Environment for Junos OS in FIPS Mode
  Critical Security Parameters
A Juniper Networks device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode forms a special type of hardware and software operational environment that is different from the environment of a device in non-FIPS mode:
Hardware Environment for Junos OS in FIPS Mode
Junos OS in FIPS mode establishes a cryptographic boundary in the device that no critical security parameters (CSPs) can cross using plain text. Each hardware component of the device that requires a cryptographic boundary for FIPS 140-3 compliance is a separate cryptographic module. There are two types of hardware with cryptographic boundaries in Junos OS in FIPS mode: one for each Routing Engine and one for the entire chassis.