ScreenOS 5.4.0r4 FIPS Reference Note


31 January 2008
Part No. 093-1649-000
Revision 02

Before You Begin

Before carrying out any step to secure a Juniper Networks security appliance, check that the product has not been tampered with. You should also confirm that the product received matches the version that is certified as FIPS 140-2 compliant. Verify the product security with these observations:

- The outside packaging does not show damage or evidence that it has been opened. If the cardboard shows damage that would allow the device to be removed or exchanged, this may be evidence of tampering.
- Each box is packaged with custom tape to indicate that the device was packaged by Juniper Networks or an authorized manufacturer. The tape is unique, with the word NetScreen printed repeatedly along the tape. If the tape is not present, your device may have been tampered with.
- The internal packaging does not show damage or evidence of tampering. The plastic bag should not have a large hole, and the label that seals the plastic bag should not be detached or missing. If the bag or seal are damaged in any way, your device may have been tampered with.

About This Document

This document describes the Federal Information Processing Standards (FIPS) certified release of ScreenOS 5.4.0r4 for FIPS. This document contains the following information:

- FIPS Certified Platforms
- Restrictions
- Changing the Device Mode
- Managing FIPS Mode Devices
- Upgrading the OS Loader

For more information on FIPS, please refer to the National Institute of Standards and Technology FIPS page at http://csrc.nist.gov/publications/fips/index.html.

FIPS Certified Platforms

ScreenOS 5.4.0r4 is FIPS certified on the following platforms:

- NS-5GT
- NS-204/208
- NS-500
- ISG-1000
- ISG-2000
- NS-5200/5400
- SSG 5/20
- SSG 520M/550M

Restrictions

ScreenOS images that run in FIPS mode must be authenticated before loading. To perform the authentication, the NetScreen DSA public key must be present. You must contact technical support to retrieve a key. To load the key on to the security device, use the save image-key CLI command.

FIPS mode restricts the following on a security device:

- Management via Telnet, HTTP (WebUI), or NetScreen-Security Manager is available only through a VPN using 256-bit AES encryption.
- Management via SSH is available only with SSHv2 and Triple-DES encryption.
- High Availability (HA) traffic must be 256-bit AES encrypted.
- If a VPN is configured using Triple-DES encryption, Internet Key Exchange (IKE) must be configured to use Diffie-Hellman Group 5.

FIPS mode disables the following on a security device:

- The modem port is disabled.
- Administration via the SNMP Read-Write community is disabled. Monitoring via the Read-Only community remains available.
- The Global-Pro reporting agent is disabled.
- Loading configuration files from, and saving configuration files to, a TFTP server is disabled.
- Administration via SSL is disabled.
- The DES and MD5 algorithms are disabled.

Changing the Device Mode

To place the device in FIPS mode, enter the following CLI command:

    ns-> set fips-mode enable

At the following prompt, press Enter to reset the device:

    CAUTION: Switching the device to FIPS mode causes the device configuration to revert back to factory defaults. The device automatically resets.
    Enable FIPS mode? [y]/n y

Verifying the Device Mode

To check whether the device is in FIPS mode, enter the following CLI command:

    ns-> get system
    Product Name: NS208
    Serial Number: 0099122004000991, Control Number: 00000000, Mode: FIPS
    Hardware Version: 0110(0)-(12), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
    Software Version: 5.4.0r4.0, Type: Firewall+VPN
    Base Mac: 0010.db90.f770
    File Name: ns200.5.4.0r4.0, Checksum: 48e3d429

The current mode appears on the second line of the output.

Disabling FIPS Mode

To disable FIPS mode on a security device, enter the following CLI command:

    unset fips-mode enable

At the following prompt, press Enter to reset the device:

    CAUTION: Switching the device to FIPS mode causes the device configuration to revert back to factory defaults. The device automatically resets.
    Disable FIPS mode? [y]/n y
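The mode check above is a manual, one-device procedure. The following added Python example (not from the reference note or from Juniper) parses the text that get system prints, as shown above, and reports whether a device is in FIPS mode and running the certified 5.4.0r4 release, so the same check can be run over captured output from many devices. The sample output is the one printed in the note; the non-FIPS variant, the function names and the SystemInfo fields are constructions of this example.

```python
"""Check ScreenOS ``get system`` output for FIPS mode.

Added example, not Juniper's code: the field and function names are
assumptions made here. Only the standard library is used.
"""
import re
from dataclasses import dataclass

# Sample output as printed in the reference note for an NS208.
SAMPLE_GET_SYSTEM = """\
Product Name: NS208
Serial Number: 0099122004000991, Control Number: 00000000, Mode: FIPS
Hardware Version: 0110(0)-(12), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.4.0r4.0, Type: Firewall+VPN
Base Mac: 0010.db90.f770
File Name: ns200.5.4.0r4.0, Checksum: 48e3d429
"""

# Constructed variant: the same device before FIPS mode was enabled.
SAMPLE_NOT_FIPS = SAMPLE_GET_SYSTEM.replace("Mode: FIPS", "Mode: Trust-Untrust")

# The release this note certifies; "5.4.0r4.0" is the build string as printed.
CERTIFIED_VERSION_RE = re.compile(r"^5\.4\.0r4(\.\d+)?$")


@dataclass
class SystemInfo:
    product: str
    serial: str
    mode: str
    software_version: str
    image_file: str


def parse_get_system(text: str) -> SystemInfo:
    """Pull the FIPS-relevant fields out of ``get system`` output.

    Each line holds one or more comma-separated ``Key: value`` pairs, so
    lines are split on commas before splitting on the first colon; that
    is how "Mode: FIPS" on the serial-number line is recovered.
    """
    fields: dict[str, str] = {}
    for line in text.splitlines():
        for part in line.split(","):
            key, sep, value = part.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
    missing = [k for k in ("Product Name", "Mode", "Software Version") if k not in fields]
    if missing:
        raise ValueError(f"get system output lacks fields: {missing}")
    return SystemInfo(
        product=fields["Product Name"],
        serial=fields.get("Serial Number", ""),
        mode=fields["Mode"],
        software_version=fields["Software Version"],
        image_file=fields.get("File Name", ""),
    )


def check_fips_compliance(text: str) -> list[str]:
    """Return human-readable findings; an empty list means the device passes."""
    info = parse_get_system(text)
    tag = f"{info.product} {info.serial}".strip()
    findings = []
    if info.mode.upper() != "FIPS":
        findings.append(f"{tag}: Mode is '{info.mode}', expected FIPS")
    if not CERTIFIED_VERSION_RE.match(info.software_version):
        findings.append(
            f"{tag}: Software Version {info.software_version} is not the certified 5.4.0r4 release"
        )
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_GET_SYSTEM, SAMPLE_NOT_FIPS):
        result = check_fips_compliance(sample)
        print("PASS" if not result else "FAIL: " + "; ".join(result))
```

The version check is deliberately strict: a device reporting any release other than 5.4.0r4 is flagged, because the FIPS certification is tied to that exact image even when the device itself reports Mode: FIPS.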

Managing FIPS Mode Devices

A security device that is operating in FIPS mode requires Telnet, WebUI, and all NetScreen-Security Manager traffic to be protected by a VPN with 256-bit AES encryption. This requires a manually configured VPN tunnel between the remote device that is to be managed and a local VPN device. The local VPN device should be on the same local network as the NetScreen-Security Manager server. After the VPN has been successfully configured, the managed device can be imported into NetScreen-Security Manager.

To ensure that NetScreen-Security Manager traffic is routed solely through the VPN, use the following CLI command:

    set nsmgmt server primary a.b.c.d src-interface tunnel_int

    Variable     Meaning
    a.b.c.d      The IP address of the NetScreen-Security Manager server.
    tunnel_int   The tunnel interface that is associated with the AES VPN.

The VPN endpoint that is local to the NetScreen-Security Manager Device Server cannot be in FIPS mode if the device is managed with NetScreen-Security Manager. All management traffic should be directed to the interface that terminates the VPN on the managed FIPS device.

Configuring High Availability Options in FIPS Mode

NSRP traffic between member devices in an NSRP cluster must be encrypted using a 256-bit key. The password option to the set nsrp encrypt command is not available in FIPS mode. Following is an example of how a 256-bit key is specified in four groups of 16 hexadecimal characters:

    set nsrp encrypt 0123456789abcdef,0123456789abcdef,0123456789abcdef,0123456789abcdef

Managing Virtual Security Device (VSD) Clusters in FIPS Mode

We recommend that FIPS mode devices are placed in an Active-Active cluster, rather than an Active-Passive cluster, if they are going to be managed using NSM.
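The set nsrp encrypt example above uses a repeated pattern only to show the layout; a cluster key should be 256 random bits, and a group that is one character short or long is easy to mistype. The following added Python example (not from the reference note or from Juniper) generates a key in the four-groups-of-16-hex-characters form the note describes and validates a key string before it is pasted into the CLI. The function names and the mistyped sample key are constructions of this example.

```python
"""Generate and validate a 256-bit NSRP encryption key in ScreenOS form.

Added example, not Juniper's code. The note states the key for
``set nsrp encrypt`` is four comma-separated groups of 16 hexadecimal
characters (4 x 64 bits = 256 bits); the function names are assumptions.
"""
import secrets

GROUPS = 4
HEX_PER_GROUP = 16                        # 16 hex digits = 64 bits
KEY_BYTES = GROUPS * HEX_PER_GROUP // 2   # 32 bytes = 256 bits
HEX_DIGITS = set("0123456789abcdefABCDEF")


def generate_nsrp_key() -> str:
    """Draw 256 random bits from the OS CSPRNG and format them as the CLI expects."""
    raw = secrets.token_hex(KEY_BYTES)    # 64 lowercase hex characters
    return ",".join(raw[i:i + HEX_PER_GROUP] for i in range(0, len(raw), HEX_PER_GROUP))


def validate_nsrp_key(key: str) -> list[str]:
    """Return a list of problems with the key string; empty means well-formed."""
    problems = []
    groups = key.split(",")
    if len(groups) != GROUPS:
        problems.append(f"expected {GROUPS} comma-separated groups, found {len(groups)}")
    for idx, group in enumerate(groups, start=1):
        if len(group) != HEX_PER_GROUP:
            problems.append(f"group {idx} has {len(group)} characters, expected {HEX_PER_GROUP}")
        if not set(group) <= HEX_DIGITS:
            problems.append(f"group {idx} contains non-hexadecimal characters")
    return problems


def nsrp_encrypt_command(key: str) -> str:
    """Build the CLI line, refusing a key that is not exactly 4 x 16 hex characters."""
    problems = validate_nsrp_key(key)
    if problems:
        raise ValueError("; ".join(problems))
    return f"set nsrp encrypt {key}"


# Constructed inputs: a freshly generated key, and a pattern-style key
# in which the third group was mistyped to 17 characters.
GOOD_KEY = generate_nsrp_key()
BAD_KEY = "0123456789abcdef,0123456789abcdef,01234567890abcdef,0123456789abcdef"

if __name__ == "__main__":
    print(nsrp_encrypt_command(GOOD_KEY))
    print(validate_nsrp_key(BAD_KEY))   # -> ['group 3 has 17 characters, expected 16']
```

Generate the key once, enter the same string on every cluster member, and store it with the same care as any other shared secret; the validator simply guarantees the string has the shape the command expects before a reset-inducing configuration change is made.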

Upgrading the OS Loader

FIPS mode requires both the firmware and the OS loader to be digitally signed. Before the ISG 1000, ISG 2000, NS-5200-M2 and NS-5400-M2 devices can support ScreenOS 5.4.0r4 in FIPS mode, you might need to upgrade the OS loader if it is not a signed version. You can see the OS loader version number scroll by during the boot process or by entering the get envar CLI command. If the OS loader on the device is not signed, the following error message appears when you enable FIPS mode on the device:

    ********Invalid DSA signature
    ********Bogus image - not authenticated

The following OS loaders are required for operation in FIPS mode:

Table 1: Required OS Loaders for FIPS

    Device          OS Loader Version   OS Loader File Name
    ISG 1000        1.0.1               load1000v101.d
    ISG 2000        1.1.5               load2000v115.d
    NS-5200/5400    1.0.0               load5000v100.d

To upgrade the OS loader on the device, you need to download the appropriate OS loader from the Juniper Networks support site to the root directory of a TFTP server.

1. Go to http://juniper.net/customers/support and log in using your user credentials.
2. In the Download Software section, download the software from the ScreenOS 5.4.0r4 folder.
3. Download the latest OS loader and save it to the root directory of your TFTP server.
4. If necessary, start the TFTP server.
5. Establish an Ethernet connection from the device hosting the TFTP server to the MGT port on the device, and a serial connection from your workstation to the console port on the device.
6. Restart the device by entering the reset CLI command. When prompted to confirm the command (System reset, are you sure? y/[n]), press the Y key.
7. When you see a prompt similar to the following, press the X key and then the A key in sequence:

        NetScreen NS-ISG 2000 BootROM V0.9.0 (Checksum: 8796E2F3)
        Copyright (c) 1997-2004 NetScreen Technologies, Inc.
        Total physical memory: 1024MB
        Test Pass
        Initialization... Done
        Hit key 'X' and 'A' sequentially to update OS Loader...

8. A set of prompts similar to those shown below will be displayed. Enter the filename for the OS loader software you want to load (for example, load2000v115.d), the IP address of the device, and the IP address of your TFTP server:

        Serial Number [0079112003000031]: READ ONLY
        BOM Version [C06]: READ ONLY
        Self MAC Address [0010-db58-c900]: READ ONLY
        OS Loader File Name [boot2000v090.ld.s]: load2000v115.d
        Self IP Address [10.150.65.152]:
        TFTP IP Address [10.150.65.151]:

9. After entering the name of the OS loader file and the IP addresses of the device and TFTP server, the device will attempt to download the OS loader from the TFTP server:

        Save loader config (112 bytes)... Done
        Loading file "load2000v115.d"... rtatatatatata... Loaded successfully! (size = 383,222 bytes)
        Image authenticated!
        Program OS Loader to on-board flash memory... ++++++++++++++++++++++++Done!
        Start loading... Done.

You have completed the upgrade of the OS loader.

Copyright Notice

Copyright 2006 Juniper Networks, Inc. All rights reserved.

Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Juniper Networks installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Consult the dealer or an experienced radio/TV technician for help.
- Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

CAUTION: Changes or modifications to this product could void the user's warranty and authority to operate this device.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.