ScreenOS 5.0.0r9-FIPS With NSM Reference Note

Similar documents
ScreenOS 5.4.0r4 FIPS Reference Note

FIPS SECURITY POLICY

FIPS SECURITY POLICY

FIPS SECURITY POLICY

FIPS SECURITY POLICY

FIPS SECURITY POLICY

FIPS SECURITY POLICY

),36 6(&85,7< 32/,&< 1HW6FUHHQ ;7 9HUVLRQ U 3 1 5HY %

EXAM - JN ACX, Specialist (JNCIS-ACX) Buy Full Product.

This article explains how to configure NSRP-Lite for a NS50 firewall to a single WAN.

Vendor: Juniper. Exam Code: JN Exam Name: FWV, Specialist (JNCIS-FWV) Version: Demo

Upgrade Guide. ScreenOS 6.1.0, Rev. 03. Security Products. Juniper Networks, Inc.

1(76&5((1 &U\SWRJUDSKLF 0RGXOH 6HFXULW\ 3ROLF\ 9HUVLRQ 3 1 5HY $

Cisco VPN 3002 Hardware Client Security Policy

econet smart grid gateways: econet SL and econet MSA FIPS Security Policy

Cisco VPN 3000 Concentrator Series Security Policy

The Xirrus Wi Fi Array XS4, XS8 Security Policy Document Version 1.0. Xirrus, Inc.

Juniper Networks ScreenOS Release Notes

Dell SonicWALL. NSA 220, NSA 220W and NSA 240. FIPS Non-Proprietary Security Policy

Dell Software, Inc. Dell SonicWALL NSA Series SM 9600, SM 9400, SM 9200, NSA FIPS Non-Proprietary Security Policy

Juniper Networks ScreenOS Release Notes

Juniper Networks ScreenOS Release Notes

Juniper Networks ScreenOS Release Notes

VPN Configuration Guide. Juniper Networks NetScreen / SSG / ISG Series

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

ZyWALL 70. Internet Security Appliance. Quick Start Guide Version 3.62 December 2003

FIPS SECURITY POLICY FOR

FireEye CM Series: CM-4400, CM-7400, CM-9400

Juniper Networks ScreenOS Release Notes

Internet. SonicWALL IP Cisco IOS IP IP Network Mask

Juniper Networks ScreenOS Release Notes

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

Windows 2000 Pre-shared IKE Dialup VPN Setup Procedures

Management Access. Configure Management Remote Access. Configure ASA Access for ASDM, Telnet, or SSH

Network and Security Manager (NSM) Release Notes DMI Schema

This release of the product includes these new features that have been added since NGFW 5.5.

Network and Security Manager (NSM) Release Notes DMI Schema

FireEye HX Series: HX 4400, HX 4400D, HX 4402, HX 9402

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

Alcatel OmniAccess 200 Series

FAQ about Communication

QUICKSTART GUIDE FOR BRANCH SRX SERIES SERVICES GATEWAYS

Integrating WX WAN Optimization with Netscreen Firewall/VPN

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

FireEye NX Series: NX-900, NX1400, NX-2400, NX-4400, NX4420, NX-7400, NX-7420, NX7500, NX-10000, NX-9450, NX10450

FIPS Management. FIPS Management Overview. Configuration Changes in FIPS Mode

Juniper Networks ScreenOS Release Notes

SonicOS Release Notes

Meru Networks. Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2. Revision Date: June 24, 2009

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Configuring Role-Based Access Control

Netscreen of the Dead Developing a Trojaned Firmware for Juniper Netscreen Appliances

SonicOS Enhanced Release Notes

Configuration of an IPSec VPN Server on RV130 and RV130W

NAC Appliance (Cisco Clean Access) In Band Virtual Gateway for Remote Access VPN Configuration Example

Juniper Networks Access Control Release Notes

1. Version Summary. Refer to the following table to understand what ScreenOS versions map to which product. ns5gt.5.0.0r10.1

Version P/N Rev. A

Configuring VPN from Proventia M Series Appliance to NetScreen Systems

CheckPoint. Check Point Certified Security Administrator R71

Cradlepoint COR IBR350 Specifications

Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS

Configuring LAN-to-LAN IPsec VPNs

Stratusphere. Security Overview

Encrypted Phone Configuration File Setup

Network Encryption 3 4/20/17

NetScreen Systems. NetScreen Security Systems. Purpose-built, integrated security systems. Managed security domains.

LAN-to-LAN IPsec VPNs

C2000 and C4000 Hardware Quick Start Guide

Australasian Information Security Evaluation Program

ScreenOS CLI Reference Guide: IPv6 Command Descriptions

Integration Guide. Auvik

Cisco Storage Media Encryption for Tape

Application Notes for Configuring Avaya Mobile Communication System (VPNremote Phone Option) with Clear Channel Satellite XtremeSat Issue 1.

Stonesoft Next Generation Firewall

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

VNS3 Configuration. Quick Launch for first time VNS3 users in Azure

NGFW Security Management Center

Stonesoft VPN Client. for Windows Release Notes Revision A

Network and Security Manager (NSM) Release Notes DMI Schema

CUSTOMER RELEASE NOTES Access Points: AP-8000 and AP-800

Remote Access Clients for Windows 32/64-bit

Prepared by the Fortress Technologies, Inc., Government Technology Group 4023 Tampa Rd. Suite Oldsmar, FL 34677

Artisan Technology Group is your source for quality new and certified-used/pre-owned equipment

Defining IPsec Networks and Customers

Pulse Policy Secure. UAC Interoperability with the ScreenOS Enforcer. Product Release 5.1. Document Revision 1.0 Published:

Release Notes for DrayTek Vigor 2955 (UK/Ireland)

SonicOS Enhanced Release Notes

Management Access. Configure Management Remote Access. Configure SSH Access. Before You Begin

Platform Settings for Classic Devices

Implementing Cisco Network Security (IINS) 3.0

Non-Proprietary Security Policy Version 1.1

Cisco Exam Questions & Answers

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the SonicWall Firewall.

NCP Secure Client Juniper Edition (Win32/64) Release Notes

Google Cloud VPN Interop Guide

RSA NetWitness Logs. Juniper Networks NetScreen Firewall Last Modified: Monday, October 9, Event Source Log Configuration Guide

Cisco Integrated Services Router Security Policy

SonicOS Enhanced Release Notes

Stonesoft VPN Client. for Windows Release Notes Revision B

Transcription:

ScreenOS 5.0.0r9-FIPS With NSM Reference Note 12 August 2005 Part No. 093-1735-000 Revision A Before You Begin Before carrying out any step to secure a Juniper Networks security appliance, check that the product has not been tampered with. You should also confirm that the product received matches the version that is certified as FIPS 104-2 compliant. Verify the product security with these observations: The outside packaging does not show damage or evidence that is has been opened. If the cardboard shows damage that would allow the device to be removed or exchanged, this may be evidence of tampering. Each box is packaged with custom tape to indicate that the device was packaged by Juniper Networks or an authorized manufacturer. The tape is unique, with the word NetScreen printed repeatedly along the tape. If the tape is not present, your device may have been tampered with. The internal packaging does not show damage or evidence of tampering. The plastic bag should not have a large hole and the label that seals the plastic bag should not be detached or missing. If the bag or seal are damaged in any way, your device may have been tampered with. Before You Begin 1

About This Document This document describes the Federal Information Processing Standards (FIPS) certified release of ScreenOS 5.0.0.r9-FIPS. There are no new features in this release; however, certain behaviors and options vary from the 5.0 release. These variations were developed in order to comply with FIPS requirements. This document contains the following information: FIPS Supported Platforms Restrictions Changing the Device Mode Managing FIPS Mode Devices Deployment Tips For more information on FIPS, please refer to the National Institute of Standards and Technology FIPS page at http://csrc.nist.gov/publications/fips/index.html. FIPS Supported Platforms The 5.0.0r9-FIPS release supports the following platforms: NS-5XT NS-204/208 NS-500 NS-5200/5400 Following is a summary of FIPS 5.0.0r9 firmware images: Platform NS-5XT NS-200 NS-500 NS-5200/5400 NSM and SNMP support ns5xt.500-fips.r9.h ns200.500-fips.r9.h ns500.500-fips.r9.h ns5000.500-fips.r9.h 2 About This Document

Restrictions When ScreenOS 5.0.0r9-FIPS is not operating in FIPS mode, its behavior is identical to that of ScreenOS 5.0. ScreenOS images that run in FIPS mode must be authenticated before loading. To perform the authentication, the NetScreen DSA public key must be present. The public key can be downloaded from the Juniper Networks support site at http://www.juniper.net/support. To load the key on to the NetScreen device, use the save image-key CLI command. FIPS mode restricts the following on a NetScreen device: Management via Telnet, HTTP (WebUI), or NetScreen-Security Manager is available only through a VPN using 256-bit AES encryption. Management via SSH is available only with Triple-DES encryption. High Availability (HA) traffic must be 256-bit AES encrypted. If a VPN is configured using Triple-DES encryption, Internet Key Exchange (IKE) must be configured to use Diffie-Hellman Group 5. FIPS mode disables the following on a NetScreen device: The modem port is disabled. Administration via SNMP Read-Write community is disabled. Monitoring via the Read-Only community remains available. The debug service is disabled. The Global-Pro reporting agent is disabled. Loading and output configuration files to a TFTP server is disabled. Administration via SSL is disabled. Use of the MD5 algorithm is disabled. All hidden commands are disabled. NOTE: The Data Encryption Standard (DES) protocol is supported but not recommended for use. It will not be supported in future releases. Restrictions 3

Changing the Device Mode To place the device in FIPS mode, enter the following CLI command: ns-> set fips-mode enable At the following prompt, press Enter to reset the device: Fips_mode is set! Reset dev? [y]/n Verifying the Device Mode To check whether the device is in FIPS mode, enter the following CLI command: ns-> get system Product Name: NS208 Serial Number: 0099122004000991, Control Number: 00000000, Mode: FIPS Hardware Version: 0110(0)-(12), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0) Software Version: 5.0.0r9.h, Type: Firewall+VPN Feature: FIPS Base Mac: 0010.db90.f770 File Name: ns200.500-fips.r9.h, Checksum: 48e3d429 The current mode appears on the second line of the output. Disabling FIPS Mode To disable FIPS mode on a NetScreen device, enter the following CLI command: unset fips-mode enable At the following prompt press Enter to reset the device: Fips_mode is set! Reset dev? [y]/n Managing FIPS Mode Devices A NetScreen device that is operating in FIPS mode requires all NetScreen-Security Manager traffic to be protected by a VPN with 256-bit AES encryption. This requires a manually configured VPN tunnel between the remote device that is to be managed and a local VPN device. The local VPN device should be on the same local network as the NetScreen-Security Manager server. After the VPN has been successfully configured, the managed device can be imported into NetScreen-Security Manager. To ensure that NetScreen-Security Manager traffic is routed solely through the VPN, use the following CLI command: set nsmgmt server primary a.b.c.d src-interface tunnel_int Variable a.b.c.d tunnel_int meaning The IP address of the NetScreen-Security Manager server. The tunnel interface that is associated with the AES VPN. 4 Changing the Device Mode

The VPN endpoint that is local to NetScreen-Security Manager Device Server cannot be in FIPS mode if the device is managed with NetScreen-Security Manager. [ a graphic would be useful here to illustrate the network architecture] Configuring High Availability options in FIPS mode NSRP traffic between member devices in an NSRP cluster must be encrypted using a 256-bit key. The password option to the set nsrp encrypt command is not available in FIPS mode. Following is an example of how a 256-bit key is specified in four groups of 16 hexadecimal characters. set nsrp encrypt 0123456789abcdef,0123456789abcdef,01234567890abcdef,0123456789abc def Managing Virtual Security Device (VSD) clusters in FIPS mode We recommend that FIPS mode devices are placed in an Active-Active cluster, rather than an Active-Passive cluster if they are going to be managed using NSM. Deployment Tips Because the debug service is not available in FIPS mode, Juniper Networks recommends that you do not place the device in FIPS mode until after the configuration is debugged. In a multi-device deployment, you should enable FIPS mode on each device sequentially, confirming that each configuration is still functioning as expected before enabling the next device. If an error occurs when the configuration is loaded, refer to the Restrictions on page 3 and edit your configuration as necessary to use only the supported options. Deployment Tips 5

6 Deployment Tips

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback