Juniper Networks MX240 Junos OS Devices with Services Card User Guide

June 16, 2024
JUNIPER NETWORKS


Product Information

Product Name: Common Criteria Configuration Guide for MX240, MX480, and MX960 Devices with MX-SPC3 Services Card

Publication Date: 2023-12-25

Release Version: 22.2R1

Manufacturer: Juniper Networks, Inc.

Manufacturer Address: 1133 Innovation Way Sunnyvale, California 94089 USA

Manufacturer Contact: 408-745-2000

Manufacturer Website: https://www.juniper.net

Trademark: Juniper Networks, Junos

Product Usage Instructions

Overview

Common Criteria Evaluated Configuration Overview:
The Common Criteria evaluated configuration provides an overview of the security features and configurations required for the MX240, MX480, and MX960 devices with MX-SPC3 Services Card. This section explains the purpose and scope of the evaluated configuration.

Junos OS in FIPS Mode of Operation Overview:
The Junos OS in FIPS mode of operation ensures compliance with the Federal Information Processing Standards (FIPS) for cryptographic modules. This section provides an overview of the FIPS mode and its benefits.

Overview of FIPS Terminology and Supported Cryptographic Algorithms:
This section explains the terminology used in the FIPS mode and provides information about the supported cryptographic algorithms.

Identify Secure Product Delivery:
This section provides guidelines on how to ensure the secure delivery of the product, including verifying the integrity of the delivered software packages.

Management Interfaces Overview:
Learn about the different management interfaces available for the MX240, MX480, and MX960 devices with MX-SPC3 Services Card. This section explains the purpose and usage of each interface.

Configure Roles and Authentication Methods

Overview of Roles and Services for Junos OS:
This section provides an overview of the different roles and services available in Junos OS and explains how to configure them for the evaluated configuration.

Overview of the Operational Environment for Junos OS in FIPS Mode:
Understand the operational environment requirements for running Junos OS in FIPS mode. This section covers the necessary configurations and considerations.

Overview of Password Specifications and Guidelines for Junos OS in FIPS Mode:
Learn about the password specifications and guidelines for Junos OS in FIPS mode. This section provides recommendations for creating strong and secure passwords.

Download Software Packages from Juniper Networks:
Step-by-step instructions on how to download software packages from Juniper Networks’ website. This section ensures you have the latest firmware updates and security patches.

Install Junos Software Packages:
A detailed guide on how to install Junos software packages on your MX240, MX480, or MX960 device. This section covers both the initial installation and upgrade processes.

Overview of Zeroization to Clear System Data for FIPS Mode:
Understand the process of zeroizing the system to clear sensitive data when operating in FIPS mode. This section explains the steps and considerations involved.

Zeroize the System:
Step-by-step instructions on how to zeroize the system to remove all sensitive data. This section ensures the proper erasure of data before disposal or reconfiguration.

Enable FIPS Mode:
Learn how to enable FIPS mode on your MX240, MX480, or MX960 device. This section provides the necessary configurations and considerations.

Configure Security Administrator and FIPS User Identification and Access:
This section explains how to configure the security administrator and FIPS user identification and access. It covers the required steps for proper authentication and authorization.

Configure Security Administrator Access:
A detailed guide on configuring security administrator access for the evaluated configuration. This section covers the necessary configurations and best practices.

Configure FIPS User Login Access:
Step-by-step instructions on configuring FIPS user login access for the evaluated configuration. This section ensures secure user authentication and access control.

Configure Administrative Credentials and Privileges

Understanding the Associated Password Rules for an Authorized Administrator:
This section provides an understanding of the password rules associated with an authorized administrator. It covers password complexity, expiration, and other related considerations.

Configuring a Network Device Collaborative Protection Profile Authorized Administrator:
A detailed guide on configuring a network device collaborative protection profile authorized administrator. This section ensures proper administrative access control for the evaluated configuration.

Customize Time:
Learn how to customize time settings on your MX240, MX480, or MX960 device. This section covers the necessary configurations for accurate time synchronization.

Inactivity Timeout Period Configuration, and Local and Remote Idle Session Termination:
Configure the inactivity timeout period and local/remote idle session termination for the evaluated configuration. This section provides instructions on setting session timeouts.

Configure Session Termination:
Step-by-step instructions on how to configure session termination for the evaluated configuration. This section ensures proper session management and security.

Sample Output for Local Administrative Session Termination:
Sample output and examples of local administrative session termination for reference. This section helps you understand the expected behavior and output.

Sample Output for Remote Administrative Session Termination:
Sample output and examples of remote administrative session termination for reference. This section helps you understand the expected behavior and output.

Sample Output for User Initiated Termination:
Sample output and examples of user-initiated session termination for reference. This section helps you understand the expected behavior and output.

Configure SSH and Console Connection

Configure a System Login Message and Announcement:
This section explains how to configure a system login message and announcement for the evaluated configuration. It provides instructions on customizing the login experience.

Configure SSH on the Evaluated Configuration for NDcPPv2.2e:
Step-by-step instructions on how to configure SSH on the evaluated configuration for NDcPPv2.2e compliance. This section ensures secure remote access to the device.

Limit the Number of User Login Attempts for SSH Sessions:
Learn how to limit the number of user login attempts for SSH sessions on the evaluated configuration. This section provides instructions for enhancing security against brute-force attacks.

Specifications

Common Criteria Configuration Guide: MX240, MX480, and MX960 Devices with MX-SPC3 Services Card

Publication Date: 2023-12-25

Release Version: 22.2R1

Frequently Asked Questions (FAQ)

Q: Are Juniper Networks hardware and software products Year 2000 compliant?
A: Yes, Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038.

Q: Where can I find the End User License Agreement (EULA) for Juniper Networks software?
A: The End User License Agreement (EULA) for Juniper Networks software can be found at https://support.juniper.net/support/eula/. By downloading, installing, or using the software, you agree to the terms and conditions of the EULA.

Junos® OS
Common Criteria Configuration Guide for MX240, MX480, and MX960 Devices with MX-SPC3 Services Card

Published
2023-12-25

RELEASE
22.2R1

Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Junos® OS Common Criteria Configuration Guide for MX240, MX480, and MX960 Devices with MX-SPC3 Services Card 22.2R1 Copyright © 2023 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

About This Guide

Use this guide to configure and evaluate MX240, MX480, and MX960 devices for Common Criteria (CC) compliance. Common Criteria for information technology is an international agreement signed by several countries that permits the evaluation of security products against a common set of standards.
RELATED DOCUMENTATION Common Criteria and FIPS Certifications

1 CHAPTER
Overview
Common Criteria Evaluated Configuration Overview | 2
Junos OS in FIPS Mode of Operation Overview | 3
Overview of FIPS Terminology and Supported Cryptographic Algorithms | 5
Identify Secure Product Delivery | 8
Management Interfaces Overview | 9

Common Criteria Evaluated Configuration Overview
IN THIS SECTION
Common Criteria Overview | 2
Supported Platforms | 3
This document describes the steps required to duplicate the configuration of the device running Junos OS when the device is evaluated. This is referred to as the evaluated configuration. The device has been evaluated against the following standards:
· NDcPPv2.2e–https://www.niap-ccevs.org/MMO/PP/CPP_ND_V2.2E.pdf
· MOD_VPN–https://www.niap-ccevs.org/Profile/Info.cfm?PPID=449
The archived Protection Profile documents are available at https://www.niap-ccevs.org/Profile/PP.cfm?archived=1.
NOTE: MX240, MX480, and MX960 devices running Junos OS Release 22.2R1 are certified for Common Criteria with FIPS mode enabled on the devices.
Common Criteria Overview
Common Criteria for information technology is an international agreement signed by several countries that permits the evaluation of security products against a common set of standards. In the Common Criteria Recognition Arrangement (CCRA) at https://www.commoncriteriaportal.org/ccra/, the participants agree to mutually recognize evaluations of products performed in other countries. All evaluations are performed using a common methodology for information technology security evaluation. For more information on Common Criteria, see https://www.commoncriteriaportal.org/.

Supported Platforms
For the features described in this document, the following platforms are supported with the MX-SPC3 Services Card. The NDcPPv2.2e and MOD_VPN evaluations apply to:
· MX240 (https://www.juniper.net/us/en/products/routers/mx-series/mx240-universal-routing-platform.html)
· MX480 (https://www.juniper.net/us/en/products/routers/mx-series/mx480-universal-routing-platform.html)
· MX960 (https://www.juniper.net/us/en/products/routers/mx-series/mx960-universal-routing-platform.html)
RELATED DOCUMENTATION Identify Secure Product Delivery | 8
Junos OS in FIPS Mode of Operation Overview
IN THIS SECTION
About the Cryptographic Boundary on Your Device | 4
How FIPS Mode of Operation Differs from Non-FIPS Mode of Operation | 4
Validated Version of Junos OS in FIPS Mode of Operation | 5
Federal Information Processing Standards (FIPS) 140-3 defines security levels for hardware and software that perform cryptographic functions. Junos-FIPS is a version of the Junos operating system (Junos OS) that complies with Federal Information Processing Standard (FIPS) 140-3. Operating your security devices in a FIPS 140-3 Level 2 environment requires enabling and configuring FIPS mode of operation on the device from the Junos OS command-line interface (CLI).

The Security Administrator enables FIPS mode of operation in Junos OS Release 22.2R1 and sets up keys and passwords for the system and other FIPS users who can view the configuration. Both user types can also perform normal configuration tasks on the device (such as modify interface types) as individual user configuration allows.
BEST PRACTICE: Be sure to verify the secure delivery of your device and apply tamper-evident seals to its vulnerable ports.
About the Cryptographic Boundary on Your Device
FIPS 140-3 compliance requires a defined cryptographic boundary around each cryptographic module on a device. Junos OS in FIPS mode of operation prevents the cryptographic module from running any software that is not part of the FIPS-certified distribution, and allows only FIPS-approved cryptographic algorithms to be used. No critical security parameters (CSPs), such as passwords and keys, can cross the cryptographic boundary of the module by, for example, being displayed on a console or written to an external log file.
CAUTION: Virtual Chassis features are not supported in FIPS mode of operation. Do not configure a Virtual Chassis in FIPS mode of operation.
To physically secure the cryptographic module, all Juniper Networks devices require a tamper-evident seal on the USB and mini-USB ports.
How FIPS Mode of Operation Differs from Non-FIPS Mode of Operation
Unlike Junos OS in non-FIPS mode of operation, Junos OS in FIPS mode of operation is a nonmodifiable operational environment. In addition, Junos OS in FIPS mode of operation differs in the following ways from Junos OS in non-FIPS mode of operation:
· Self-tests of all cryptographic algorithms are performed at startup.
· Self-tests of random number and key generation are performed continuously.
· Weak cryptographic algorithms such as Data Encryption Standard (DES) and MD5 are disabled.
· Weak, remote, or unencrypted management connections must not be configured. However, the TOE allows local, unencrypted console access in all modes of operation.
· Passwords must be stored using strong one-way (hash) algorithms that do not permit recovery of the plaintext.
· Junos-FIPS administrator passwords must be at least 10 characters long.
· Cryptographic keys must be encrypted before transmission.
The FIPS 140-3 standard is available from the National Institute of Standards and Technology (NIST) at https://doi.org/10.6028/NIST.FIPS.140-3.
Validated Version of Junos OS in FIPS Mode of Operation
To determine whether a Junos OS release is NIST-validated, see the compliance page on the Juniper Networks Web site (https://apps.juniper.net/compliance).
RELATED DOCUMENTATION Identify Secure Product Delivery | 8
Overview of FIPS Terminology and Supported Cryptographic Algorithms
IN THIS SECTION
FIPS Terminology | 6
Supported Cryptographic Algorithms | 7
Use the definitions of FIPS terms and supported algorithms to help you understand Junos OS in FIPS mode.


FIPS Terminology

Critical security parameter (CSP)

Security-related information–for example, secret and private cryptographic keys and authentication data such as passwords and personal identification numbers (PINs)– whose disclosure or modification can compromise the security of a cryptographic module or the information it protects.

Cryptographic module

The set of hardware, software, and firmware that implements approved security functions (including cryptographic algorithms and key generation) and is contained within the cryptographic boundary.

Security Administrator

Person with appropriate permissions who is responsible for securely enabling, configuring, monitoring, and maintaining Junos OS in FIPS mode of operation on a device. For details, see “Junos OS in FIPS Mode of Operation Overview” on page 3.

ESP

Encapsulating Security Payload (ESP) protocol. The part of the IPsec protocol that provides confidentiality of packets through encryption. Provided no other party knows the secret key the peers share, the contents of an ESP packet cannot be read in transit; with ESP integrity protection enabled, a packet that decrypts and verifies successfully was also not altered in transit.

FIPS

Federal Information Processing Standards. FIPS 140-3 specifies requirements for security and cryptographic modules. Junos OS in FIPS mode of operation complies with FIPS 140-3 Level 2.

IKE

The Internet Key Exchange (IKE) is part of IPsec and provides ways to securely negotiate the shared secret keys that the authentication header (AH) and ESP portions of IPsec need to function properly. IKE employs Diffie-Hellman key-exchange methods and is optional in IPsec. (The shared keys can be entered manually at the endpoints.)

IPsec

The IP Security (IPsec) protocol. A standard way to add security to Internet communications. An IPsec security association (SA) establishes secure communication with another FIPS cryptographic module by means of mutual authentication and encryption.

KATs

Known answer tests. System self-tests that validate the output of cryptographic algorithms approved for FIPS and test the integrity of some Junos OS modules. For details, see “FIPS Self-Tests Overview” on page 122.

SA

Security association (SA). A connection between hosts that allows them to communicate securely by defining, for example, how they exchange private keys. As Security Administrator, you must manually configure an internal SA on devices running Junos OS in FIPS mode of operation. All values, including the keys, must be statically specified in the configuration.

SPI

Security parameter index (SPI). A numeric identifier used with the destination address and security protocol in IPsec to identify an SA. Because you manually configure the SA for Junos OS in FIPS mode of operation, the SPI must be entered as a parameter rather than derived randomly.

SSH

A protocol that uses strong authentication and encryption for remote access across a nonsecure network. SSH provides remote login, remote program execution, file copy, and other functions. It is intended as a secure replacement for rlogin, rsh, and rcp in a UNIX environment. To secure the information sent over administrative connections, use SSHv2 for CLI configuration. In Junos OS, SSHv2 is enabled by default, and SSHv1, which is not considered secure, is disabled.

Zeroization

Erasure of all CSPs and other user-created data on a device before its operation as a FIPS cryptographic module, or in preparation for repurposing the device for non-FIPS operation. The Security Administrator can zeroize the system with a CLI operational command. For details, see “Overview of Zeroization to Clear System Data for FIPS Mode” on page 23.

Supported Cryptographic Algorithms
Each implementation of an algorithm is checked by a series of known answer test (KAT) self-tests. Any self-test failure results in a FIPS error state.

BEST PRACTICE: For FIPS 140-3 compliance, use only FIPS-approved cryptographic algorithms in Junos OS in FIPS mode of operation.
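The power-up self-test described above, modelled as a short Python program. This is an added example, not Junos code and not from this guide: it runs known-answer tests for the SHA-1, SHA-2, and HMAC primitives the guide lists, using published test vectors (the FIPS 180-4 "abc" examples and RFC 4231 test case 1), and refuses all cryptographic service if any answer is wrong, which is the "FIPS error state" behaviour the paragraph describes. The FipsModule class and its state names are illustrative assumptions, not the real module's internals.

```python
"""Power-up known-answer tests (KATs) with fail-closed error-state handling.

Added example, not Junos code. Vectors are public (FIPS 180-4 examples,
RFC 4231 test case 1); the FipsModule class and its state names are an
illustrative model, not the real module's internals.
"""
import hashlib
import hmac


def _hmac_hex(hash_name, key, data):
    return hmac.new(key, data, getattr(hashlib, hash_name)).hexdigest()


# (test name, callable producing the actual value, expected known answer)
KAT_VECTORS = [
    ("SHA-1('abc')",
     lambda: hashlib.sha1(b"abc").hexdigest(),
     "a9993e364706816aba3e25717850c26c9cd0d89d"),
    ("SHA-256('abc')",
     lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("SHA-512('abc')",
     lambda: hashlib.sha512(b"abc").hexdigest(),
     "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
     "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"),
    ("HMAC-SHA-256 (RFC 4231 case 1)",
     lambda: _hmac_hex("sha256", b"\x0b" * 20, b"Hi There"),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
    ("HMAC-SHA-512 (RFC 4231 case 1)",
     lambda: _hmac_hex("sha512", b"\x0b" * 20, b"Hi There"),
     "87aa7cdea5ef619d4ff0b4241a1d6cb02379f4e2ce4ec2787ad0b30545e17cde"
     "daa833b7d6b8a702038b274eaea3f4e4be9d914eeb61f1702e696c203a126854"),
]


class FipsModule:
    """Model of a module that refuses cryptographic services until its
    power-up KATs pass, and permanently once any KAT has failed."""

    def __init__(self, vectors=KAT_VECTORS):
        self._vectors = vectors
        self.state = "uninitialized"   # uninitialized -> operational | error
        self.failures = []

    def power_up_self_test(self):
        """Run every KAT; a single mismatch moves the module to the error state."""
        self.failures = [name for name, actual, expected in self._vectors
                         if not hmac.compare_digest(actual(), expected)]
        self.state = "error" if self.failures else "operational"
        return self.state

    def services_available(self):
        return self.state == "operational"

    def hmac_sha256(self, key, data):
        """An approved service; only reachable once the self-tests have passed."""
        if not self.services_available():
            raise RuntimeError(f"module in {self.state} state: cryptographic services refused")
        return _hmac_hex("sha256", key, data)


def simulate_corrupted_module():
    """Same module, but with one tampered vector: exercises the fail-closed path."""
    tampered = KAT_VECTORS + [
        ("SHA-256('abc') with wrong expected value",
         lambda: hashlib.sha256(b"abc").hexdigest(), "00" * 32),
    ]
    module = FipsModule(tampered)
    module.power_up_self_test()
    return module


if __name__ == "__main__":
    good = FipsModule()
    print("healthy module:", good.power_up_self_test())
    bad = simulate_corrupted_module()
    print("tampered module:", bad.state, "failed KATs:", bad.failures)
```

The point of the model is the ordering: no service is offered before the tests run, and a single failing answer (here, a deliberately wrong expected digest) leaves the module refusing every request rather than skipping the one broken primitive.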

The following cryptographic algorithms are supported in FIPS mode of operation. Symmetric methods use the same key for encryption and decryption; asymmetric methods use a public/private key pair and are used for key exchange and digital signatures rather than for bulk encryption.

AES

The Advanced Encryption Standard (AES), defined in FIPS PUB 197. The AES algorithm uses keys of 128, 192, or 256 bits to encrypt and decrypt data in blocks of 128 bits.

Diffie-Hellman

A method of key exchange across a nonsecure environment (such as the Internet). The Diffie-Hellman algorithm negotiates a session key without sending the key itself across the network by allowing each party to pick a partial key independently and send part of that key to the other. Each side then calculates a common key value. The resulting key is a symmetric key, and such keys are typically used only for a short time, discarded, and regenerated.

ECDH

Elliptic Curve Diffie-Hellman. A variant of the Diffie-Hellman key exchange algorithm that uses cryptography based on the algebraic structure of elliptic curves over finite fields. ECDH allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret over an insecure channel. The shared secret can be used either as a key or to derive another key for encrypting subsequent communications using a symmetric key cipher.

ECDSA

Elliptic Curve Digital Signature Algorithm. A variant of the Digital Signature Algorithm (DSA) that uses cryptography based on the algebraic structure of elliptic curves over finite fields. The bit size of the elliptic curve determines the difficulty of recovering the private key: a curve of n bits provides a security level of roughly n/2 bits, so the key size is about twice the security level. ECDSA using the P-256, P-384, or P-521 curve can be configured under OpenSSH.

HMAC

Defined as “Keyed-Hashing for Message Authentication” in RFC 2104, HMAC combines hashing algorithms with cryptographic keys for message authentication. For Junos OS in FIPS mode of operation, HMAC uses an iterated cryptographic hash function from the SHA-1 or SHA-2 family (HMAC-SHA1, HMAC-SHA2-256, or HMAC-SHA2-512) along with a secret key.

RELATED DOCUMENTATION
FIPS Self-Tests Overview | 122
Overview of Zeroization to Clear System Data for FIPS Mode | 23
Identify Secure Product Delivery
There are several mechanisms provided in the delivery process to ensure that a customer receives a product that has not been tampered with. The customer should perform the following checks upon receipt of a device to verify the integrity of the platform.
· Shipping label–Ensure that the shipping label correctly identifies the customer name and address as well as the device.
· Outside packaging–Inspect the outside shipping box and tape. Ensure that the shipping tape has not been cut or otherwise compromised. Ensure that the box has not been cut or damaged to allow access to the device.
· Inside packaging–Inspect the plastic bag and seal. Ensure that the bag is not cut or removed. Ensure that the seal remains intact.
If the customer identifies a problem during the inspection, he or she should immediately contact the supplier. Provide the order number, tracking number, and a description of the identified problem to the supplier.
Additionally, there are several checks that can be performed to ensure that the customer has received a box sent by Juniper Networks and not a different company masquerading as Juniper Networks. The customer should perform the following checks upon receipt of a device to verify the authenticity of the device:
· Verify that the device was ordered using a purchase order. Juniper Networks devices are never shipped without a purchase order.
· When a device is shipped, a shipment notification is sent to the e-mail address provided by the customer when the order is taken. Verify that this e-mail notification was received. Verify that the e-mail contains the following information:
  · Purchase order number
  · Juniper Networks order number used to track the shipment
  · Carrier tracking number used to track the shipment
  · List of items shipped including serial numbers
  · Address and contacts of both the supplier and the customer
· Verify that the shipment was initiated by Juniper Networks. To verify that a shipment was initiated by Juniper Networks, you should perform the following tasks:
  · Compare the carrier tracking number or the Juniper Networks order number listed in the Juniper Networks shipping notification with the tracking number on the package received.
  · Log on to the Juniper Networks online customer support portal at https://support.juniper.net/support/ to view the order status. Compare the carrier tracking number or the Juniper Networks order number listed in the Juniper Networks shipment notification with the tracking number on the package received.
Management Interfaces Overview
The following management interfaces can be used in the evaluated configuration:

· Local Management Interfaces–The RJ-45 console port on the device is configured as RS-232 data terminal equipment (DTE). You can use the command-line interface (CLI) over this port to configure the device from a terminal.
· Remote Management Protocols–The device can be remotely managed over any Ethernet interface. SSHv2 is the only permitted remote management protocol that can be used in the evaluated configuration. The remote management protocols J-Web and Telnet are not available for use on the device.
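A client-side check of what a management session actually negotiated, added here as an example; it is not Junos code and not from this guide. It parses the "debug1: kex:" lines that OpenSSH prints with ssh -vv and compares each negotiated algorithm with the SSHv2 set this guide lists in Table 1 (AES-128/256, HMAC-SHA-1/SHA2-256/SHA2-512, diffie-hellman-group14-sha1 and the ECDH nistp256/384/521 exchanges, ECDSA or RSA host keys). The two transcripts are constructed, and the wire names assumed for the table's generic entries (the -ctr/-cbc cipher suffixes, the rsa-sha2-* host-key names) are assumptions.

```python
"""Check the algorithms negotiated in an `ssh -vv` transcript against the
SSHv2 algorithm set this guide lists in Table 1.

Added example, not Junos code. Sample transcripts are constructed; the
-ctr/-cbc and rsa-sha2-* wire names are assumptions about how Table 1's
generic entries (AES-128/256, RSA host key) appear in a negotiation.
"""
import re

FIPS_ALLOWED = {
    "kex": {"diffie-hellman-group14-sha1", "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "hostkey": {"ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
                "ecdsa-sha2-nistp521", "ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"},
    "cipher": {"aes128-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc"},
    "mac": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
}

# Line shapes OpenSSH prints at debug level 1 during key exchange.
_KEX_RE = re.compile(r"^debug1: kex: algorithm: (\S+)$")
_HOSTKEY_RE = re.compile(r"^debug1: kex: host key algorithm: (\S+)$")
_DIRECTION_RE = re.compile(
    r"^debug1: kex: (server->client|client->server) cipher: (\S+) MAC: (\S+) compression: (\S+)$")


def parse_ssh_debug(transcript):
    """Extract negotiated kex, host-key, and per-direction cipher/MAC names."""
    found = {"kex": None, "hostkey": None, "cipher": {}, "mac": {}}
    for raw in transcript.splitlines():
        line = raw.strip()
        m = _KEX_RE.match(line)
        if m:
            found["kex"] = m.group(1)
            continue
        m = _HOSTKEY_RE.match(line)
        if m:
            found["hostkey"] = m.group(1)
            continue
        m = _DIRECTION_RE.match(line)
        if m:
            direction, cipher, mac, _compression = m.groups()
            found["cipher"][direction] = cipher
            found["mac"][direction] = mac   # "<implicit>" for AEAD ciphers
    return found


def fips_findings(negotiated):
    """Return one finding per negotiated algorithm outside the evaluated set
    (an empty list means the session used only listed algorithms)."""
    findings = []
    for category in ("kex", "hostkey"):
        name = negotiated[category]
        if name is None:
            findings.append(f"{category}: not present in transcript")
        elif name not in FIPS_ALLOWED[category]:
            findings.append(f"{category}: {name} is not in the evaluated set")
    for category in ("cipher", "mac"):
        if not negotiated[category]:
            findings.append(f"{category}: not present in transcript")
        for direction, name in sorted(negotiated[category].items()):
            if name not in FIPS_ALLOWED[category]:
                findings.append(f"{category} {direction}: {name} is not in the evaluated set")
    return findings


# Constructed transcripts (not captured from a real device).
SAMPLE_EVALUATED = """\
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha2-256 compression: none
"""

SAMPLE_OUTSIDE_SET = """\
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
"""

if __name__ == "__main__":
    for label, text in (("evaluated", SAMPLE_EVALUATED), ("outside set", SAMPLE_OUTSIDE_SET)):
        print(label + ":", fips_findings(parse_ssh_debug(text)) or "OK")
```

Run it against the saved stderr of ssh -vv to the device's management address. The second transcript shows the typical failure: a modern client and an unconstrained server agree on curve25519, Ed25519, and an AEAD cipher, none of which appear in Table 1, so the MAC shows up as "<implicit>" and is flagged along with the cipher.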

2 CHAPTER
Configure Roles and Authentication Methods
Overview of Roles and Services for Junos OS | 12
Overview of the Operational Environment for Junos OS in FIPS Mode | 14
Overview of Password Specifications and Guidelines for Junos OS in FIPS Mode | 18
Download Software Packages from Juniper Networks | 19
Install Junos Software Packages | 20
Overview of Zeroization to Clear System Data for FIPS Mode | 23
Zeroize the System | 24
Enable FIPS Mode | 26
Configure Security Administrator and FIPS User Identification and Access | 28

Overview of Roles and Services for Junos OS
IN THIS SECTION
Security Administrator Role and Responsibilities | 12
FIPS User Role and Responsibilities | 13
What Is Expected of All FIPS Users | 13
The Security Administrator is associated with the defined login class security-admin, which has the necessary permission set to permit the administrator to perform all tasks necessary to manage Junos OS. Administrative users (Security Administrators) must provide unique identification and authentication data before any administrative access to the system is granted. Security Administrator roles and responsibilities are as follows:
1. The Security Administrator can administer the device locally and remotely.
2. Create, modify, and delete administrator accounts, including configuration of authentication failure parameters.
3. Re-enable an Administrator account.
4. Configure and maintain the cryptographic elements related to the establishment of secure connections to and from the evaluated product.
The Juniper Networks Junos operating system (Junos OS) running in non-FIPS mode allows a wide range of capabilities for users, and authentication is identity-based. The Security Administrator performs all FIPS-mode-related configuration tasks and issues all statements and commands for Junos OS in FIPS mode.
Security Administrator Role and Responsibilities
The Security Administrator is the person responsible for enabling, configuring, monitoring, and maintaining Junos OS in FIPS mode on a device. The Security Administrator securely installs Junos OS on the device, enables FIPS mode, establishes keys and passwords for other users and software modules, and initializes the device before network connection.

BEST PRACTICE: We recommend that the Security Administrator administer the system in a secure manner by keeping passwords secure and checking audit files.
The permissions that distinguish the Security Administrator from other FIPS users are secret, security, maintenance, and control. Assign the Security Administrator to a login class that contains all of these permissions. Among the tasks related to Junos OS in FIPS mode, the Security Administrator is expected to:
· Set the initial root password. The length of the password should be at least 10 characters.
· Reset user passwords with FIPS-approved algorithms.
· Examine log and audit files for events of interest.
· Erase user-generated files, keys, and data by zeroizing the device.
FIPS User Role and Responsibilities
All FIPS users, including the Security Administrator, can view the configuration. Only the user assigned as the Security Administrator can modify the configuration. A FIPS user can view status output but cannot reboot or zeroize the device.
What Is Expected of All FIPS Users
All FIPS users, including the Security Administrator, must observe security guidelines at all times. All FIPS users must:
· Keep all passwords confidential.
· Store devices and documentation in a secure area.
· Deploy devices in secure areas.
· Check audit files periodically.
· Conform to all other FIPS 140-3 security rules.
· Follow these guidelines:
  · Users are trusted.
  · Users abide by all security guidelines.
  · Users do not deliberately compromise security.
  · Users behave responsibly at all times.
RELATED DOCUMENTATION Zeroize the System | 24
Overview of the Operational Environment for Junos OS in FIPS Mode
IN THIS SECTION
Hardware Environment for Junos OS in FIPS Mode | 14
Software Environment for Junos OS in FIPS Mode | 15
Critical Security Parameters | 16
A Juniper Networks device running the Juniper Networks Junos operating system (Junos OS) in FIPS mode forms a special type of hardware and software operational environment that is different from the environment of a device in non-FIPS mode:
Hardware Environment for Junos OS in FIPS Mode
Junos OS in FIPS mode establishes a cryptographic boundary in the device that no critical security parameters (CSPs) can cross in plain text. Each hardware component of the device that requires a cryptographic boundary for FIPS 140-3 compliance is a separate cryptographic module. There are two types of hardware with cryptographic boundaries in Junos OS in FIPS mode: one for each Routing Engine and one for the entire chassis.

Cryptographic methods are not a substitute for physical security. The hardware must be located in a secure physical environment. Users of all types must not reveal keys or passwords, or allow written records or notes to be seen by unauthorized personnel.
Software Environment for Junos OS in FIPS Mode
A Juniper Networks device running Junos OS in FIPS mode forms a special type of nonmodifiable operational environment. To achieve this environment on the device, the system prevents the execution of any binary file that was not part of the certified Junos OS in FIPS mode distribution. When a device is in FIPS mode, it can run only Junos OS.
The Junos OS in FIPS mode software environment is established after the Security Administrator successfully enables FIPS mode on a device. The Junos OS image that includes FIPS mode is available on the Juniper Networks website and can be installed on a functioning device.
For FIPS 140-3 compliance, we recommend that you delete all user-created files and data by zeroizing the device before enabling FIPS mode.
Enabling FIPS mode disables many of the usual Junos OS protocols and services. In particular, you cannot configure the following services in Junos OS in FIPS mode:
· finger
· ftp
· rlogin
· telnet
· tftp
· xnm-clear-text
Attempts to configure these services, or to load configurations with these services configured, result in a configuration syntax error. You can use only SSH as a remote access service.
All passwords established for users after upgrading to Junos OS in FIPS mode must conform to Junos OS in FIPS mode specifications. Passwords must be between 10 and 20 characters in length and must use at least three of the five defined character sets (uppercase letters, lowercase letters, digits, punctuation marks, and other keyboard characters such as % and & that are not included in the other four categories). Attempts to configure passwords that do not conform to these rules result in an error. All passwords and keys used to authenticate peers must be at least 10 characters in length, and in some cases the length must match the digest size.
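A pre-flight validator for the password rules just stated, added here as an example; it is not Junos's own enforcement code and not from this guide. The guide does not say which characters count as "punctuation marks" as opposed to "other keyboard characters", so the split used below is an assumption, as is treating a character in neither list (a space, or a non-ASCII letter) as contributing to no set.

```python
"""Validator for the FIPS-mode password rules: 10 to 20 characters and at
least three of the five character sets.

Added example, not Junos's own enforcement. The split of symbols into
"punctuation marks" and "other keyboard characters" is an assumption; a
character in neither list counts toward no set.
"""
import string

# Assumed split of string.punctuation into the guide's two symbol classes.
PUNCTUATION = set(".,;:!?'\"-()[]{}")
OTHER_KEYBOARD = set(string.punctuation) - PUNCTUATION   # % & # $ ^ * _ + = / \ | ~ ` < > @
MIN_LENGTH, MAX_LENGTH, MIN_SETS = 10, 20, 3


def character_sets(password):
    """Return the names of the character sets present in `password`."""
    present = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            present.add("uppercase")
        elif ch in string.ascii_lowercase:
            present.add("lowercase")
        elif ch in string.digits:
            present.add("digits")
        elif ch in PUNCTUATION:
            present.add("punctuation")
        elif ch in OTHER_KEYBOARD:
            present.add("other keyboard")
    return present


def check_fips_password(password):
    """Return a list of rule violations; an empty list means the password conforms."""
    problems = []
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        problems.append(f"length {len(password)} is outside {MIN_LENGTH}-{MAX_LENGTH}")
    present = character_sets(password)
    if len(present) < MIN_SETS:
        used = ", ".join(sorted(present)) or "none"
        problems.append(
            f"uses {len(present)} of 5 character sets ({used}); at least {MIN_SETS} required")
    return problems


if __name__ == "__main__":
    for candidate in ("Abcdef1234", "abcdefghij", "Mx960&Admin", "Abc1!",
                      "abcdefghijklmnopqrstu"):
        print(repr(candidate), check_fips_password(candidate) or "conforms")
```

Every violation is reported rather than just the first, which is what you want when the check runs on a batch of credentials before they are pushed to the device; the device's own enforcement (the system login password hierarchy, whose statements are not shown in this section) remains the authority, and the validator only keeps the commit from failing.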


NOTE: Do not attach the device to a network until the Security Administrator completes configuration from the local console connection.
For strict compliance, do not examine core and crash dump information on the local console in Junos OS in FIPS mode because some CSPs might be shown in plain text.

Critical Security Parameters

Critical security parameters (CSPs) are security-related information such as cryptographic keys and passwords that can compromise the security of the cryptographic module or the security of the information protected by the module if they are disclosed or modified.
Zeroization of the system erases all traces of CSPs in preparation for operating the device or Routing Engine as a cryptographic module.
Table 1 on page 16 lists CSPs on devices running Junos OS.
Table 1: Critical Security Parameters

CSP: SSHv2 private host key
Description: ECDSA / RSA key used to identify the host, generated the first time SSH is configured.
Zeroize: Zeroize command.
Use: Used to identify the host.

CSP: SSHv2 session keys
Description: Session key used with SSHv2 and as a Diffie-Hellman private key. Encryption: AES-128, AES-256. MACs: HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-512. Key exchange: dh-group14-sha1, ECDH-sha2-nistp256, ECDH-sha2-nistp384, and ECDH-sha2-nistp521.
Zeroize: Power cycle and terminate session.
Use: Symmetric key used to encrypt data between host and client.

CSP: User authentication key
Description: Hash of the user’s password: SHA256, SHA512.
Zeroize: Zeroize command.
Use: Used to authenticate a user to the cryptographic module.

CSP: Crypto Officer authentication key
Description: Hash of the Crypto Officer’s password: SHA256, SHA512.
Zeroize: Zeroize command.
Use: Used to authenticate the Security Administrator to the cryptographic module.

CSP: HMAC DRBG seed
Description: Seed for deterministic random bit generator (DRBG).
Zeroize: Seed is not stored by the cryptographic module.
Use: Used for seeding DRBG.

CSP: HMAC DRBG V value
Description: The value (V) of output block length (outlen) in bits, which is updated each time another outlen bits of output are produced.
Zeroize: Power cycle.
Use: A critical value of the internal state of DRBG.

CSP: HMAC DRBG key value
Description: The current value of the outlen-bit key, which is updated at least once each time that the DRBG mechanism generates pseudorandom bits.
Zeroize: Power cycle.
Use: A critical value of the internal state of DRBG.

CSP: NDRNG entropy
Description: Used as entropy input string to the HMAC DRBG.
Zeroize: Power cycle.
Use: A critical value of the internal state of DRBG.

In Junos OS in FIPS mode, all CSPs must enter and leave the cryptographic module in encrypted form. Any CSP encrypted with a non-approved algorithm is considered plain text by FIPS.
Local passwords are hashed with the SHA256 or SHA512 algorithm. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the correct root password.

RELATED DOCUMENTATION Overview of Zeroization to Clear System Data for FIPS Mode | 23

Overview of Password Specifications and Guidelines for Junos OS in FIPS Mode
All passwords established for users by the Security Administrator must conform to the following Junos OS in FIPS mode requirements. Attempts to configure passwords that do not conform to the following specifications result in an error.
· Length: Passwords must contain between 10 and 20 characters.
· Character set requirements: Passwords must contain at least three of the following five defined character sets:
  · Uppercase letters
  · Lowercase letters
  · Digits
  · Punctuation marks
  · Keyboard characters not included in the other four sets–such as the percent sign (%) and the ampersand (&)
· Authentication requirements: All passwords and keys used to authenticate peers must contain at least 10 characters, and in some cases the number of characters must match the digest size.
· Password encryption: To change the default encryption method (SHA512), include the format statement at the [edit system login password] hierarchy level.
Guidelines for strong passwords: Strong, reusable passwords can be based on letters from a favorite phrase or word and then concatenated with other unrelated words, along with added digits and punctuation. In general, a strong password is:
· Easy to remember so that users are not tempted to write it down.
· Made up of mixed alphanumeric characters and punctuation. For FIPS compliance include at least one change of case, one or more digits, and one or more punctuation marks.
· Changed periodically.
· Not divulged to anyone.
Characteristics of weak passwords: Do not use the following weak passwords:
· Words that might be found in or exist as a permuted form in a system file such as /etc/passwd.
· The hostname of the system (always a first guess).
· Any word or phrase that appears in a dictionary or other well-known source, including dictionaries and thesauruses in languages other than English; works by classical or popular writers; or common words and phrases from sports, sayings, movies or television shows.
· Permutations on any of the above–for example, a dictionary word with letters replaced with digits (r00t) or with digits added to the end.
· Any machine-generated password. Algorithms reduce the search space of password-guessing programs and so must not be used.
RELATED DOCUMENTATION Overview of the Operational Environment for Junos OS in FIPS Mode | 14
Download Software Packages from Juniper Networks
You can download the Junos OS software package from the Juniper Networks website. Before you begin to download the software, ensure that you have a Juniper Networks Web account and a valid support contract. To obtain an account, complete the registration form at the Juniper Networks website: https://userregistration.juniper.net/.
To download software packages from Juniper Networks:
1. Using a Web browser, follow the links to the download URL on the Juniper Networks webpage: https://support.juniper.net/support/downloads/
2. Log in to the Juniper Networks authentication system using the username (generally your e-mail address) and password supplied by Juniper Networks representatives.
3. Download the software. See Downloading Software.
RELATED DOCUMENTATION Installation and Upgrade Guide

Install Junos Software Packages

You can use this procedure to upgrade Junos OS on a device with a single Routing Engine. To install software upgrades on a device with a single Routing Engine:

1. Download the software package as described in “Download Software Packages from Juniper Networks” on page 19.
2. If you have not already done so, connect to the console port on the device from your management device, and log in to the Junos OS CLI.
3. (Optional) Back up the current software configuration to a second storage option. See the Software Installation and Upgrade Guide for instructions on performing this task.
4. (Optional) Copy the software package to the device. We recommend that you use FTP to copy the file to the /var/tmp/ directory. This step is optional because Junos OS can also be upgraded when the software image is stored at a remote location. These instructions describe the software upgrade process for both scenarios.
5. Install the new package on the device:
user@host> request vmhost software add package
Replace package with one of the following paths:
· For a software package in a local directory on the device, use /var/tmp/package.tgz.
· For a software package on a remote server, use one of the following paths, replacing the variable package with the software package name.
  · ftp://hostname/pathname/package.tgz
  · http://hostname/pathname/package.tgz
6. Reboot the device to load the installation:
user@host> request vmhost reboot
7. After the reboot has completed, log in and use the show version command to verify that the new version of the software is successfully installed.
user@host> show version
Hostname: hostname
Model: mx240

Junos: 22.2R1.10 JUNOS OS Kernel 64-bit [20210529.2f59a40_builder_stable_12] JUNOS OS libs [20210529.2f59a40_builder_stable_12] JUNOS OS runtime [20210529.2f59a40_builder_stable_12] JUNOS OS time zone information [20210529.2f59a40_builder_stable_12] JUNOS network stack and utilities [20210622.124332_builder_junos_212_r1] JUNOS libs [20210622.124332_builder_junos_212_r1] JUNOS OS libs compat32 [20210529.2f59a40_builder_stable_12] JUNOS OS 32-bit compatibility [20210529.2f59a40_builder_stable_12] JUNOS libs compat32 [20210622.124332_builder_junos_212_r1] JUNOS runtime [20210622.124332_builder_junos_212_r1] Junos vmguest package [20210622.124332_builder_junos_212_r1] JUNOS sflow mx [20210622.124332_builder_junos_212_r1] JUNOS py extensions [20210622.124332_builder_junos_212_r1] JUNOS py base [20210622.124332_builder_junos_212_r1] JUNOS OS vmguest [20210529.2f59a40_builder_stable_12] JUNOS OS crypto [20210529.2f59a40_builder_stable_12] JUNOS OS boot-ve files [20210529.2f59a40_builder_stable_12] JUNOS na telemetry [22.2R1.10] JUNOS Security Intelligence [20210622.124332_builder_junos_212_r1] JUNOS mx libs compat32 [20210622.124332_builder_junos_212_r1] JUNOS mx runtime [20210621.124332_builder_junos_212_r1] JUNOS RPD Telemetry Application [22.2R1.10] JUNOS Routing mpls-oam-basic [20210621.124332_builder_junos_212_r1] JUNOS Routing mpls-oam-advanced [20210621.124332_builder_junos_212_r1] JUNOS Routing lsys [20210621.124332_builder_junos_212_r1] JUNOS Routing controller-internal [20210621.124332_builder_junos_212_r1] JUNOS Routing controller-external [20210621.124332_builder_junos_212_r1] JUNOS Routing 32-bit Compatible Version [20210621.124332_builder_junos_212_r1] JUNOS Routing aggregated [20210621.124332_builder_junos_212_r1] Redis [20210621.124332_builder_junos_212_r1] JUNOS probe utility [20210621.124332_builder_junos_212_r1] JUNOS common platform support [20210621.124332_builder_junos_212_r1] JUNOS Openconfig [22.2R1.10] JUNOS mtx network modules 
[20210621.124332_builder_junos_212_r1] JUNOS modules [20210621.124332_builder_junos_212_r1] JUNOS mx modules [20210621.124332_builder_junos_212_r1] JUNOS mx libs [20210621.124332_builder_junos_212_r1] JUNOS SQL Sync Daemon [20210621.124332_builder_junos_212_r1] JUNOS mtx Data Plane Crypto Support [20210621.124332_builder_junos_212_r1] JUNOS daemons [20210621.124332_builder_junos_212_r1] JUNOS mx daemons [20210621.124332_builder_junos_212_r1] JUNOS Broadband Egde User Plane Apps [22.2R1.10]

JUNOS appidd-mx application-identification daemon [20210621.124332_builder_junos_212_r1] JUNOS TPM2 [20210621.124332_builder_junos_212_r1] JUNOS Services URL Filter package [20210621.124332_builder_junos_212_r1] JUNOS Services TLB Service PIC package [20210621.124332_builder_junos_212_r1] JUNOS Services Telemetry [20210621.124332_builder_junos_212_r1] JUNOS Services TCP-LOG [20210621.124332_builder_junos_212_r1] JUNOS Services SSL [20210621.124332_builder_junos_212_r1] JUNOS Services SOFTWIRE [20210621.124332_builder_junos_212_r1] JUNOS Services Stateful Firewall [20210621.124332_builder_junos_212_r1] JUNOS Services RTCOM [20210621.124332_builder_junos_212_r1] JUNOS Services RPM [20210621.124332_builder_junos_212_r1] JUNOS Services PCEF package [20210621.124332_builder_junos_212_r1] JUNOS Services NAT [20210621.124332_builder_junos_212_r1] JUNOS Services Mobile Subscriber Service Container package [20210621.124332_builder_junos_212_r1] JUNOS Services MobileNext Software package [20210621.124332_builder_junos_212_r1] JUNOS Services Logging Report Framework package [20210621.124332_builder_junos_212_r1] JUNOS Services LL-PDF Container package [20210621.124332_builder_junos_212_r1] JUNOS Services Jflow Container package [20210621.124332_builder_junos_212_r1] JUNOS Services Deep Packet Inspection package [20210621.124332_builder_junos_212_r1] JUNOS Services IPSec [20210621.124332_builder_junos_212_r1] JUNOS Services IDS [20210621.124332_builder_junos_212_r1] JUNOS IDP Services [20210621.124332_builder_junos_212_r1] JUNOS Services HTTP Content Management package [20210621.124332_builder_junos_212_r1] JUNOS Services DNS Filter package (i386) [20210621.124332_builder_junos_212_r1] JUNOS Services Crypto [20210621.124332_builder_junos_212_r1] JUNOS Services Captive Portal and Content Delivery Container package [20210621.124332_builder_junos_212_r1] JUNOS Services COS [20210621.124332_builder_junos_212_r1] JUNOS AppId Services [20210621.124332_builder_junos_212_r1] JUNOS 
Services Application Level Gateways [20210621.124332_builder_junos_212_r1] JUNOS Services AACL Container package [20210621.124332_builder_junos_212_r1] JUNOS SDN Software Suite [20210621.124332_builder_junos_212_r1] JUNOS Extension Toolkit [20210621.124332_builder_junos_212_r1] JUNOS Packet Forwarding Engine Support (wrlinux9) [20210621.124332_builder_junos_212_r1] JUNOS Packet Forwarding Engine Support (MX/EX92XX Common) [20210621.124332_builder_junos_212_r1] JUNOS Packet Forwarding Engine Support (M/T Common) [20210621.124332_builder_junos_212_r1] JUNOS Packet Forwarding Engine Support (aft) [20210621.124332_builder_junos_212_r1] JUNOS Packet Forwarding Engine Support (MX Common) [20210621.124332_builder_junos_212_r1] JUNOS Juniper Malware Removal Tool (JMRT) [1.0.0+20210621.124332_builder_junos_212_r1] JUNOS J-Insight [20210621.124332_builder_junos_212_r1] JUNOS jfirmware [20210621.124332_builder_junos_212_r1]

JUNOS Online Documentation [20210621.124332_builder_junos_212_r1] JUNOS jail runtime [20210529.2f59a40_builder_stable_12]
RELATED DOCUMENTATION Installation and Upgrade Guide
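Step 7 of the upgrade procedure leaves the verification to the operator's eye. The following Python script is an added example, not Juniper code: it parses show version output of the form shown above and reports whether the expected release and a chosen set of packages are present. The sample text is a constructed excerpt of the output on this page, and the required-package list is an assumption.

```python
"""Verify an upgrade from 'show version' output (added example, not Juniper code).

Parses the 'Hostname:', 'Model:' and 'Junos:' fields plus every
'<package name> [<build id>]' line, then checks the release and the presence
of packages the operator expects to see after the image install.
"""
import re

# Constructed excerpt of the 'show version' output reproduced on this page.
SAMPLE_SHOW_VERSION = """\
Hostname: hostname
Model: mx240
Junos: 22.2R1.10
JUNOS OS Kernel 64-bit [20210529.2f59a40_builder_stable_12]
JUNOS OS libs [20210529.2f59a40_builder_stable_12]
JUNOS OS crypto [20210529.2f59a40_builder_stable_12]
JUNOS na telemetry [22.2R1.10]
JUNOS jail runtime [20210529.2f59a40_builder_stable_12]
"""

FIELD_RE = re.compile(r"^(?P<key>Hostname|Model|Junos): (?P<value>\S+)$")
PACKAGE_RE = re.compile(r"^(?P<name>\S.*?) \[(?P<build>[^\]]+)\]$")


def parse_show_version(text):
    """Return {'hostname': ..., 'model': ..., 'junos': ..., 'packages': {name: build}}."""
    info = {"packages": {}}
    for raw in text.splitlines():
        line = raw.strip()
        field = FIELD_RE.match(line)
        if field:
            info[field["key"].lower()] = field["value"]
            continue
        pkg = PACKAGE_RE.match(line)
        if pkg:
            info["packages"][pkg["name"]] = pkg["build"]
    return info


# Assumption: which packages must be present is the operator's choice; the
# guide only reproduces the full list, so this is a minimal illustrative set.
REQUIRED_PACKAGES = ("JUNOS OS Kernel 64-bit", "JUNOS OS crypto")


def verify_upgrade(text, expected_release, required=REQUIRED_PACKAGES):
    """Return a list of mismatches; an empty list means the device runs the
    expected release with every required package installed."""
    info = parse_show_version(text)
    problems = []
    running = info.get("junos")
    if running != expected_release:
        problems.append(f"running Junos {running}, expected {expected_release}")
    for name in required:
        if name not in info["packages"]:
            problems.append(f"required package not installed: {name}")
    return problems


if __name__ == "__main__":
    for line in verify_upgrade(SAMPLE_SHOW_VERSION, "22.2R1.10") or ["upgrade verified"]:
        print(line)
```

In practice the text would come from the device (for example, captured over the console session), not from the embedded sample.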
Overview of Zeroization to Clear System Data for FIPS Mode
IN THIS SECTION
Why Zeroize? | 24
When to Zeroize? | 24
Zeroization completely erases all configuration information on the device, including all plaintext passwords, secrets, and private keys for SSH, local encryption, local authentication, and IPsec. To exit FIPS mode you must zeroize the device. The Security Administrator initiates the zeroization process by entering the request vmhost zeroize no-forwarding operational command. With regard to cryptographic key destruction, the TOE does not support delayed key destruction.
CAUTION: Perform system zeroization with care. After the zeroization process is complete, no data is left on the device. Zeroization can be time-consuming. Although all configurations are removed in a few seconds, the zeroization process goes on to overwrite all media, which can take considerable time depending on the size of the media.

Why Zeroize?
Your device is not considered a valid FIPS cryptographic module until all critical security parameters (CSPs) have been entered–or reentered–while the device is in FIPS mode. For FIPS 140-3 compliance, you must zeroize the system to remove sensitive information before disabling FIPS mode on the device.
When to Zeroize?
As Security Administrator, perform zeroization in the following situations:
· Before enabling FIPS mode of operation: To prepare your device for operation as a FIPS cryptographic module, perform zeroization before enabling FIPS mode.
· Before disabling FIPS mode of operation: To begin repurposing your device for non-FIPS operation, perform zeroization before disabling FIPS mode on the device.
NOTE: Juniper Networks does not support installing non-FIPS software in a FIPS environment, but doing so might be necessary in certain test environments. Be sure to zeroize the system first.
RELATED DOCUMENTATION Zeroize the System | 24
Zeroize the System
To zeroize your device, follow this procedure:

1. Log in to the device as Crypto Officer and, from the CLI, enter:
crypto-officer@host> request vmhost zeroize no-forwarding
VMHost Zeroization : Erase all data, including configuration and log files ? [yes,no] (no) yes
2. To initiate the zeroization process, type yes at the prompt:
Erase all data, including configuration and log files? [yes, no] (no) yes
VMHost Zeroization : Erase all data, including configuration and log files ? [yes,no] (no) yes
warning: Vmhost will reboot and may not boot without configuration
warning: Proceeding with vmhost zeroize
Zeroise secondary internal disk …
Proceeding with zeroize on secondary disk
Mounting device in preparation for zeroize…
Cleaning up target disk for zeroize …
Zeroize done on target disk.
Zeroize of secondary disk completed
Zeroize primary internal disk …
Proceeding with zeroize on primary disk
/etc/ssh/ssh_host_ecdsa_key.pub
/etc/ssh/ssh_host_rsa_key.pub
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_rsa_key
Mounting device in preparation for zeroize…
Cleaning up target disk for zeroize …
Zeroize done on target disk.
Zeroize of primary disk completed
Zeroize done
warning: Proceeding with vmhost reboot
Initiating vmhost reboot…
The entire operation can take considerable time depending on the size of the media, but all critical security parameters (CSPs) are removed within a few seconds. The physical environment must remain secure until the zeroization process is complete.


Enable FIPS Mode

As Security Administrator, you must establish a root password conforming to the FIPS password requirements in “Overview of Password Specifications and Guidelines for Junos OS in FIPS Mode” on page 18. When you enable FIPS mode in Junos OS on the device, you cannot configure passwords unless they meet this standard.
Local passwords are encrypted with the secure hash algorithm SHA256 or SHA512. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the correct root password.
To enable FIPS mode in Junos OS on the device:
1. Zeroize the device to delete all CSPs before entering FIPS mode. Refer to “Zeroize the System” on page 24 for details.
2. After the device comes up in ‘Amnesiac mode’, log in using the username root and a blank password.

FreeBSD/amd64 (Amnesiac) (ttyu0)
login: root
— JUNOS 22.2R1.10 Kernel 64-bit JNPR-12.1-20210529.2f59a40_build
root@:~ # cli
root>

3. Configure root authentication with a password of at least 10 characters.

root> edit
Entering configuration mode
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
4. Load the configuration onto the device and commit the new configuration. Configure the Security Administrator and log in with the Security Administrator credentials.

5. The fips-mode and jpfe-fips packages are optional packages needed for enabling FIPS. These packages are part of the Junos OS software. To enable these packages, use the following commands:
security-administrator@hostname> request system software add optional://fips-mode.tgz
Verified fips-mode signed by PackageDevelopmentECP256_2020 method ECDSA256+SHA256
cryptoofficer@hostname> request system software add optional://jpfe-fips.tgz
/usr/sbin/pkg: package jpfe-fips-x86-32-20.3I-20200610_dev_common.0.0743 is already installed
6. Configure the chassis FIPS boundary with set system fips chassis level 1 and commit.
The device might display the warning Encrypted-password must be re-configured to use FIPS compliant hash, which means that older CSPs in the loaded configuration must be deleted and reconfigured.
7. After you delete and reconfigure the CSPs, the commit succeeds and the device must be rebooted to enter FIPS mode.
[edit]
security-administrator@hostname# commit
[edit]
system reboot is required to transition to FIPS level 1
commit complete
[edit]
security-administrator@hostname# run request vmhost reboot
8. After the device reboots, the FIPS self-tests run and the device enters FIPS mode.
security-administrator@hostname:fips>

Configure Security Administrator and FIPS User Identification and Access
IN THIS SECTION
Configure Security Administrator Access | 28
Configure FIPS User Login Access | 30
Security Administrator and FIPS users perform all configuration tasks for Junos OS in FIPS mode and issue all Junos OS in FIPS mode statements and commands. Security Administrator and FIPS user configurations must follow Junos OS in FIPS mode guidelines.
Configure Security Administrator Access
Junos OS in FIPS mode offers a finer granularity of user permissions than those mandated by FIPS 140-3. For FIPS 140-3 compliance, any FIPS user with the secret, security, maintenance, and control permission bits set is a Security Administrator. In most cases the super-user class suffices for the Security Administrator. To configure login access for a Security Administrator:
1. Log in to the device with the root password if you have not already done so, and enter configuration mode:
root@hostname# edit
Entering configuration mode
[edit]
root@hostname#
2. Name the user security-administrator and assign the Security Administrator a user ID (for example, 6400, which must be a unique number associated with the login account in the range of 100 through 64000) and a class (for example, super-user). When you assign the class, you assign the permissions–for example, secret, security, maintenance, and control.
[edit]
root@hostname# set system login user username uid value class class-name
For example:
[edit]
root@hostname# set system login user security-administrator uid 6400 class super-user
3. Following the guidelines in “Overview of Password Specifications and Guidelines for Junos OS in FIPS Mode” on page 18, assign the Security Administrator a plain-text password for login authentication. Set the password by typing a password after the prompts New password and Retype new password.
[edit]
root@hostname# set system login user username class class-name authentication (plain-text-password | encrypted-password)
For example:
[edit]
root@hostname# set system login user security-administrator class super-user authentication plain-text-password
4. Optionally, display the configuration:
[edit]
root@hostname# edit system
[edit system]
root@hostname# show
login {
    user security-administrator {
        uid 6400;
        authentication {
            encrypted-password ""; ## SECRET-DATA
        }
        class super-user;
    }
}
5. If you are finished configuring the device, commit the configuration and exit:
[edit]
root@hostname# commit
commit complete
root@hostname# exit
Configure FIPS User Login Access
A fips-user is defined as any FIPS user that does not have the secret, security, maintenance, and control permission bits set. As the Security Administrator you set up FIPS users. FIPS users cannot be granted permissions normally reserved for the Security Administrator–for example, permission to zeroize the system. To configure login access for a FIPS user:
1. Log in to the device with your Security Administrator password if you have not already done so, and enter configuration mode:
security-administrator@hostname:fips> edit
Entering configuration mode
[edit]
security-administrator@hostname:fips#
2. Give the user a username, and assign the user a user ID (for example, 6401, which must be a unique number in the range of 1 through 64000) and a class. When you assign the class, you assign the permissions–for example, clear, network, reset, view, and view-configuration.
[edit]
security-administrator@hostname:fips# set system login user username uid value class class-name
For example:
[edit]
security-administrator@hostname:fips# set system login user fips-user1 uid 6401 class read-only
3. Following the guidelines in “Overview of Password Specifications and Guidelines for Junos OS in FIPS Mode” on page 18, assign the FIPS user a plain-text password for login authentication. Set the password by typing a password after the prompts New password and Retype new password.
[edit]
security-administrator@hostname:fips# set system login user username class class-name authentication (plain-text-password | encrypted-password)
For example:
[edit]
security-administrator@hostname:fips# set system login user fips-user1 class read-only authentication plain-text-password
4. Optionally, display the configuration:
[edit]
security-administrator@hostname:fips# edit system
[edit system]
security-administrator@hostname:fips# show
login {
    user fips-user1 {
        uid 6401;
        authentication {
            encrypted-password "<cipher-text>"; ## SECRET-DATA
        }
        class read-only;
    }
}
5. If you are finished configuring the device, commit the configuration and exit:
[edit]
security-administrator@hostname:fips# commit
security-administrator@hostname:fips# exit
RELATED DOCUMENTATION Overview of Roles and Services for Junos OS | 12

3 CHAPTER
Configure Administrative Credentials and Privileges
Understanding the Associated Password Rules for an Authorized Administrator | 34
Configuring a Network Device Collaborative Protection Profile Authorized Administrator | 36
Customize Time | 37
Inactivity Timeout Period Configuration, and Local and Remote Idle Session Termination | 38

Understanding the Associated Password Rules for an Authorized Administrator
The authorized administrator is associated with a defined login class, and the administrator is assigned with all permissions. Data is stored locally for fixed password authentication.
NOTE: We recommend that you do not use control characters in passwords.
Use the following guidelines and configuration options for passwords and when selecting passwords for authorized administrator accounts. Passwords should:
· Be easy to remember so that users are not tempted to write them down.
· Be changed periodically.
· Be private and not shared with anyone.
· Contain a minimum of 10 characters. The minimum password length is 10 characters.
[edit]
security-administrator@host# set system login password minimum-length 10
· Include both alphanumeric and punctuation characters, composed of any combination of uppercase and lowercase letters, numbers, and special characters such as “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(”, and “)”. There should be at least one change of case, one or more digits, and one or more punctuation marks.
· Contain character sets. Valid character sets include uppercase letters, lowercase letters, numbers, punctuation, and other special characters.
[edit]
security-administrator@host# set system login password change-type character-sets
· Contain the minimum number of character sets or character set changes. The minimum number of character sets required in plain-text passwords in Junos FIPS is 3.
[edit]
security-administrator@host# set system login password minimum-changes 3
· Be hashed with either SHA256 or SHA512 (SHA512 is the default hashing algorithm).
[edit]
security-administrator@host# set system login password format sha512
NOTE: The device supports ECDSA (P-256, P-384, and P-521) and RSA (2048, 3072, and 4092 modulus bit length) key types.
NOTE: The new hash algorithm affects only those passwords that are generated after the commit.
Weak passwords are:
· Words that might be found in or exist as a permuted form in a system file such as /etc/passwd.
· The hostname of the system (always a first guess).
· Any words appearing in a dictionary. This includes dictionaries other than English, and words found in works such as Shakespeare, Lewis Carroll, Roget’s Thesaurus, and so on. This prohibition includes common words and phrases from sports, sayings, movies, and television shows.
· Permutations on any of the above. For example, a dictionary word with vowels replaced with digits (for example f00t) or with digits added to the end.
· Any machine-generated passwords. Algorithms reduce the search space of password-guessing programs and so should not be used.
Strong reusable passwords can be based on letters from a favorite phrase or word, and then concatenated with other, unrelated words, along with additional digits and punctuation.
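The rules in this topic and in “Overview of Password Specifications and Guidelines for Junos OS in FIPS Mode” (10 to 20 characters, at least three of the five character sets, no control characters, none of the listed weak forms) can be checked before a password is ever typed at the New password prompt. The following Python checker is an added example, not Juniper code; the split between punctuation marks and other keyboard characters, the digit-for-letter map used to undo permutations such as r00t, and the sample word list are assumptions.

```python
"""Checker for the Junos OS FIPS-mode password rules in this guide.

Added example, not Juniper code. The hard rules (10-20 characters, at least
three of five character sets, no control characters) come from the guide;
the weak-password checks approximate its list of passwords to avoid.
"""
import string

UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
# Assumption: the guide does not say exactly which symbols are "punctuation
# marks" and which are "other keyboard characters"; this split is ours.
PUNCTUATION = set(".,;:!?'\"-()")
OTHER_KEYBOARD = set(string.punctuation) - PUNCTUATION  # % & @ # $ ^ * + = ...

MIN_LEN, MAX_LEN, MIN_SETS = 10, 20, 3

# Assumption: reverse the usual digit/symbol-for-letter substitutions so that
# permutations such as r00t or f00t collapse back to the dictionary word.
LEET = str.maketrans("0134578@$!", "oleastbasi")

# Constructed stand-in for the words a guessing program tries first:
# dictionary words plus account names of the kind found in /etc/passwd.
SAMPLE_WORDLIST = ("root", "admin", "password", "juniper", "foot", "letmein")


def character_sets(password):
    """Return the names of the five defined character sets present."""
    found = set()
    for ch in password:
        if ch in UPPER:
            found.add("uppercase")
        elif ch in LOWER:
            found.add("lowercase")
        elif ch in DIGITS:
            found.add("digits")
        elif ch in PUNCTUATION:
            found.add("punctuation")
        elif ch in OTHER_KEYBOARD:
            found.add("other keyboard characters")
    return found


def base_word(password):
    """Strip trailing digits/punctuation and undo leet spelling to recover
    the word a permuted password was built from."""
    stripped = password.lower().rstrip(string.digits + string.punctuation)
    return stripped.translate(LEET)


def check_password(password, hostname="", wordlist=SAMPLE_WORDLIST):
    """Return a list of rule violations; an empty list means the password
    satisfies the guide's rules and none of its weak-password heuristics."""
    problems = []
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in password):
        problems.append("contains control characters")
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} is not between {MIN_LEN} and {MAX_LEN}")
    sets = character_sets(password)
    if len(sets) < MIN_SETS:
        problems.append(f"uses {len(sets)} of 5 character sets; at least {MIN_SETS} required")
    lowered = password.lower()
    if hostname and hostname.lower() in lowered:
        problems.append("contains the system hostname")
    base = base_word(password)
    for word in wordlist:
        if base == word.lower() or lowered == word.lower():
            problems.append(f"is a dictionary word or a permutation of one ({word})")
            break
    return problems


if __name__ == "__main__":
    for candidate in ("r00t", "Password123!", "mx240Rocks!", "Tr0ub4dor&3x"):
        verdict = check_password(candidate, hostname="mx240")
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```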

Configuring a Network Device Collaborative Protection Profile Authorized Administrator
An account for root is always present in a configuration and is not intended for use in normal operation. In the evaluated configuration, the root account is restricted to the initial installation and configuration of the evaluated device. An NDcPPv2.2e authorized administrator must have all permissions, including the ability to change the device configuration. To configure an authorized administrator:
1. Create a login class named security-admin with all permissions.
[edit]
root@host# set system login class security-admin permissions all
2. Configure the hash algorithm for plain-text passwords as sha512.
[edit]
root@host# set system login password format sha512
3. Commit the changes.
[edit]
root@host# commit
4. Define your NDcPPv2.2e authorized administrator user.
[edit]
root@host# set system login user NDcPPv2-user class security-admin authentication encrypted-password
OR
[edit]
root@host# set system login user NDcPPv2-user class security-admin authentication plain-text-password
5. Load an SSH key file that was previously generated using ssh-keygen. This command loads RSA (SSH version 2) or ECDSA (SSH version 2) keys.
[edit]
root@host# set system root-authentication load-key-file url:filename
6. Set the log-key-changes configuration statement to log when SSH authentication keys are added or removed.
[edit]
root@host# set system services ssh log-key-changes
NOTE: When the log-key-changes configuration statement is enabled and committed (with the commit command in configuration mode), Junos OS logs the changes to the set of authorized SSH keys for each user (including the keys that were added or removed). Junos OS logs the differences since the last time the log-key-changes configuration statement was enabled. If the log-key-changes configuration statement was never enabled, then Junos OS logs all the authorized SSH keys.
7. Commit the changes.
[edit]
root@host# commit
NOTE: The root password should be reset following the change to sha256 / sha512 for the password storage format. This ensures that the new password is protected using a sha256 / sha512 hash. To reset the root password, use the set system root-authentication plain-text-password command, and confirm the new password when prompted.
Customize Time
To customize time, disable NTP and set the date.

1. Disable NTP.
[edit]
security-administrator@hostname:fips# deactivate groups global system ntp
security-administrator@hostname:fips# deactivate system ntp
security-administrator@hostname:fips# commit
security-administrator@hostname:fips# exit
2. Set the date and time. The date and time format is YYYYMMDDHHMM.ss.
[edit]
security-administrator@hostname:fips# set date 201803202034.00
security-administrator@hostname:fips# set cli timestamp
Inactivity Timeout Period Configuration, and Local and Remote Idle Session Termination
IN THIS SECTION
Configure Session Termination | 38
Sample Output for Local Administrative Session Termination | 40
Sample Output for Remote Administrative Session Termination | 40
Sample Output for User Initiated Termination | 41
Configure Session Termination
The session is terminated after the inactivity timeout period that the Security Administrator specifies.
1. Set the idle timeout.
[edit]
security-administrator@host:fips# set system login class security-admin idle-timeout 2
2. Configure the login access privileges.
[edit]
security-administrator@host:fips# set system login class security-admin permissions all
3. Commit the configuration.
[edit]
security-administrator@host:fips# commit
commit complete
4. Set the password.
[edit]
security-administrator@host:fips# set system login user NDcPPv2-user authentication plain-text-password
New password:
Retype new password:
5. Define the login class.
[edit]
security-administrator@host:fips# set system login user NDcPPv2-user class security-admin
6. Commit the configuration.
[edit]
security-administrator@host:fips# commit
commit complete

Sample Output for Local Administrative Session Termination
con host Trying a.b.c.d… ‘autologin’: unknown argument (‘set ?’ for help). Connected to device.example.com Escape character is ‘^]’.
Type the hot key to suspend the connection: Z FreeBSD/amd64 (host) (ttyu0) login: NDcPPv2-user Password: Last login: Sun Jun 23 22:42:27 from 10.224.33.70
— JUNOS 22.2R1.4 Kernel 64-bit JNPR-11.0-20190316.df99236_buil NDcPPv2-user@host> Warning: session will be closed in 1 minute if there is no activity Warning: session will be closed in 10 seconds if there is no activity Idle timeout exceeded: closing session
FreeBSD/amd64 (host) (ttyu0)
Sample Output for Remote Administrative Session Termination
ssh NDcPPv2-user@host
Password:
Last login: Sun Jun 23 22:48:05 2019
--- JUNOS 22.2R1.4 Kernel 64-bit JNPR-11.0-20190316.df99236_buil
NDcPPv2-user@host> exit
Connection to host closed.
ssh NDcPPv2-user@host
Password:
Last login: Sun Jun 23 22:50:50 2019 from 10.224.33.70
--- JUNOS 22.2R1.6 Kernel 64-bit JNPR-11.0-20190316.df99236_buil
NDcPPv2-user@host>
Warning: session will be closed in 1 minute if there is no activity
Warning: session will be closed in 10 seconds if there is no activity
Idle timeout exceeded: closing session
Connection to host closed.
Sample Output for User Initiated Termination
ssh NDcPPv2-user@host
Password:
Last login: Sun Jun 23 22:48:05 2019
--- JUNOS 22.2R1.4 Kernel 64-bit JNPR-11.0-20190316.df99236_buil
NDcPPv2-user@host> exit
Connection to host closed.

CHAPTER 4
Configure SSH and Console Connection
· Configure a System Login Message and Announcement
· Configure SSH on the Evaluated Configuration for NDcPPv2.2e
· Limit the Number of User Login Attempts for SSH Sessions

Configure a System Login Message and Announcement
A system login message appears before the user logs in and a system login announcement appears after the user logs in. By default, no login message or announcement is displayed on the device. To configure a system login message through the console or management interface, use the following command:
[edit]
security-administrator@host:fips# set system login message login-message-banner-text
To configure a system announcement, use the following command:
[edit]
security-administrator@host:fips# set system login announcement system-announcement-text
NOTE:
· If the message text contains any spaces, enclose it in quotation marks.
· You can format the message using the following special characters:
  · \n: New line
  · \t: Horizontal tab
  · \': Single quotation mark
  · \": Double quotation mark
  · \\: Backslash

Configure SSH on the Evaluated Configuration for NDcPPv2.2e
SSH through the remote management interface is allowed in the evaluated configuration. This topic describes how to configure SSH for remote management of the TOE. The following algorithms need to be configured to validate SSH for NDcPPv2.2e.
To configure SSH on the TOE:
1. Specify the permissible SSH host-key algorithms for the system services.
   [edit]
   security-administrator@host:fips# set system services ssh hostkey-algorithm ssh-ecdsa
   security-administrator@host:fips# set system services ssh hostkey-algorithm no-ssh-dss
   security-administrator@host:fips# set system services ssh hostkey-algorithm ssh-rsa
   security-administrator@host:fips# set system services ssh hostkey-algorithm no-ssh-ed25519
2. Specify the SSH key-exchange for Diffie-Hellman keys for the system services.
   [edit]
   security-administrator@host:fips# set system services ssh key-exchange dh-group14-sha1
   security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp256
   security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp384
   security-administrator@host:fips# set system services ssh key-exchange ecdh-sha2-nistp521
3. Specify all the permissible message authentication code algorithms for SSHv2.
   [edit]
   security-administrator@host:fips# set system services ssh macs hmac-sha1
   security-administrator@host:fips# set system services ssh macs hmac-sha2-256
   security-administrator@host:fips# set system services ssh macs hmac-sha2-512
4. Specify the ciphers allowed for protocol version 2.
   [edit]
   security-administrator@host:fips# set system services ssh ciphers aes128-cbc
   security-administrator@host:fips# set system services ssh ciphers aes256-cbc
   security-administrator@host:fips# set system services ssh ciphers aes128-ctr
   security-administrator@host:fips# set system services ssh ciphers aes256-ctr
Supported SSH host-key algorithms:
  ssh-ecdsa            Allow generation of ECDSA host-key
  ssh-rsa              Allow generation of RSA host-key

Supported SSH key-exchange algorithms:
  dh-group14-sha1      The RFC 4253 mandated group14 with SHA1 hash
  ecdh-sha2-nistp256   The EC Diffie-Hellman on nistp256 with SHA2-256
  ecdh-sha2-nistp384   The EC Diffie-Hellman on nistp384 with SHA2-384
  ecdh-sha2-nistp521   The EC Diffie-Hellman on nistp521 with SHA2-512

Supported MAC algorithms:
  hmac-sha1            Hash-based MAC using Secure Hash Algorithm (SHA1)
  hmac-sha2-256        Hash-based MAC using Secure Hash Algorithm (SHA2)
  hmac-sha2-512        Hash-based MAC using Secure Hash Algorithm (SHA2)

Supported SSH ciphers:
  aes128-cbc           128-bit AES with Cipher Block Chaining
  aes128-ctr           128-bit AES with Counter Mode
  aes256-cbc           256-bit AES with Cipher Block Chaining
  aes256-ctr           256-bit AES with Counter Mode

Limit the Number of User Login Attempts for SSH Sessions
An administrator may log in remotely to the device through SSH. Administrator credentials are stored locally on the device. If the remote administrator presents a valid username and password, access to the TOE is granted. If the credentials are invalid, the TOE allows the authentication to be retried after an interval that starts at 1 second and increases exponentially. If the number of authentication attempts exceeds the configured maximum, no authentication attempts are accepted for a configured time interval. When the interval expires, authentication attempts are again accepted.
You configure the amount of time the device stays locked after failed attempts: the number of minutes before the user can attempt to log in to the device after being locked out because of the number of failed login attempts specified in the tries-before-disconnect statement. When a user fails to log in correctly after the number of allowed attempts specified by the tries-before-disconnect statement, the user must wait the configured number of minutes before attempting to log in to the device again.
The lockout-period must be greater than zero. The range at which you can configure the lockout-period is 1 through 43,200 minutes.
[edit system login]
security-administrator@host:fips# set retry-options lockout-period
You can configure the device to limit the number of attempts to enter a password while logging in through SSH. Use the following command; the connection closes once the limit is reached.
[edit system login]
security-administrator@host:fips# set retry-options tries-before-disconnect
Here, tries-before-disconnect is the number of times a user can attempt to enter a password when logging in. The connection closes if a user fails to log in after the specified number of attempts. The range is 1 through 10, and the default value is 10.
Local administrator access is maintained even if remote administration is made permanently or temporarily unavailable because of multiple failed login attempts. The console login for local administration remains available to users during the lockout period.
You can also configure a delay, in seconds, before a user can try to enter a password after a failed attempt.
[edit system login]
security-administrator@host:fips# set retry-options backoff-threshold
Here, backoff-threshold is the threshold for the number of failed login attempts before the user experiences a delay in being able to enter a password again. Use the backoff-factor option to specify the length of the delay in seconds. The range is 1 through 3, and the default value is 2 seconds.
In addition, the device can be configured to specify the threshold for the number of failed attempts before the user experiences a delay in entering the password again.
[edit system login]
security-administrator@host:fips# set retry-options backoff-factor
Here, backoff-factor is the length of time, in seconds, before a user can attempt to log in after a failed attempt. The delay increases by the value specified for each subsequent attempt after the threshold. The range is 5 through 10, and the default value is 5 seconds.
You can control user access through SSH. By configuring ssh root-login deny, you ensure that the root account remains active and continues to have local administrative privileges on the TOE even if other remote users are logged off.
[edit system]
security-administrator@host:fips# set services ssh root-login deny
The SSH2 protocol provides secure terminal sessions using secure encryption. The SSH2 protocol enforces running the key-exchange phase and changing the encryption and integrity keys for the session. Key exchange is done periodically, after a specified number of seconds or after a specified number of bytes of data have passed over the connection. You can configure thresholds for SSH rekeying, FCS_SSHS_EXT.1.8 and FCS_SSHC_EXT.1.8. The TSF ensures that within SSH connections the same session keys are used for no longer than one hour and for no more than one gigabyte of transmitted data. When either threshold is reached, a rekey must be performed.
[edit system]
security-administrator@host:fips# set services ssh rekey time-limit
The time limit before renegotiating session keys is 1 through 1440 minutes.
[edit system]
security-administrator@host:fips# set services ssh rekey data-limit
The data limit before renegotiating session keys is 51200 through 4294967295 bytes.
NOTE: Re-initiate the SSH connection if the connection is broken unintentionally.
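An added example, not Juniper's code, that checks a "| display set" excerpt of the system services ssh and system login stanzas against the algorithm lists, value ranges and rekey thresholds stated in this chapter; the configuration excerpts below are constructed for the demonstration.

```python
import re

# Algorithm values this chapter permits for each "set system services ssh" group.
ALLOWED = {
    "hostkey-algorithm": {"ssh-ecdsa", "ssh-rsa", "no-ssh-dss", "no-ssh-ed25519"},
    "key-exchange": {"dh-group14-sha1", "ecdh-sha2-nistp256",
                     "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"},
    "macs": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"},
    "ciphers": {"aes128-cbc", "aes256-cbc", "aes128-ctr", "aes256-ctr"},
}
# Configurable ranges (min, max) this chapter gives for the numeric knobs.
RANGES = {
    "retry-options lockout-period": (1, 43200),        # minutes
    "retry-options tries-before-disconnect": (1, 10),
    "retry-options backoff-threshold": (1, 3),
    "retry-options backoff-factor": (5, 10),           # seconds
    "rekey time-limit": (1, 1440),                     # minutes
    "rekey data-limit": (51200, 4294967295),           # bytes
}
# NDcPP rekey thresholds (FCS_SSHS_EXT.1.8): same keys for at most one hour / one gigabyte.
MAX_REKEY_MINUTES = 60
MAX_REKEY_BYTES = 1024 ** 3

ALG_RE = re.compile(r"set system services ssh "
                    r"(hostkey-algorithm|key-exchange|macs|ciphers) (\S+)$")
NUM_RE = re.compile(r"set system (?:services ssh (rekey \S+)|"
                    r"login (retry-options \S+)) (\d+)$")


def check_config(set_lines):
    """Return a list of findings for the excerpt; an empty list means it passes."""
    findings = []
    seen = {group: set() for group in ALLOWED}
    rekey = {}
    root_login_denied = False
    for raw in set_lines:
        line = raw.strip()
        m = ALG_RE.match(line)
        if m:
            group, alg = m.groups()
            seen[group].add(alg)
            if alg not in ALLOWED[group]:
                findings.append(f"{group}: {alg} is not permitted in the evaluated configuration")
            continue
        if line == "set system services ssh root-login deny":
            root_login_denied = True
            continue
        m = NUM_RE.match(line)
        if m and (m.group(1) or m.group(2)) in RANGES:
            knob, value = m.group(1) or m.group(2), int(m.group(3))
            lo, hi = RANGES[knob]
            if not lo <= value <= hi:
                findings.append(f"{knob}: {value} is outside the configurable range {lo}-{hi}")
            if knob.startswith("rekey"):
                rekey[knob] = value
    # Each group needs at least one permitted algorithm configured explicitly;
    # "no-..." entries only remove algorithms, so they do not count.
    for group, algs in seen.items():
        if not {a for a in algs if not a.startswith("no-")} & ALLOWED[group]:
            findings.append(f"{group}: no permitted algorithm is configured")
    if not root_login_denied:
        findings.append("root-login: not set to deny")
    # A missing limit leaves the device default, which is not the evaluated setting.
    if rekey.get("rekey time-limit", MAX_REKEY_MINUTES + 1) > MAX_REKEY_MINUTES:
        findings.append("rekey time-limit: missing or longer than one hour")
    if rekey.get("rekey data-limit", MAX_REKEY_BYTES + 1) > MAX_REKEY_BYTES:
        findings.append("rekey data-limit: missing or larger than one gigabyte")
    return findings


# Constructed excerpts: the first follows this chapter, the second deviates from it.
COMPLIANT = [
    "set system services ssh hostkey-algorithm ssh-ecdsa",
    "set system services ssh hostkey-algorithm no-ssh-dss",
    "set system services ssh key-exchange ecdh-sha2-nistp256",
    "set system services ssh macs hmac-sha2-256",
    "set system services ssh ciphers aes256-ctr",
    "set system services ssh root-login deny",
    "set system services ssh rekey time-limit 60",
    "set system services ssh rekey data-limit 1073741824",
    "set system login retry-options lockout-period 10",
    "set system login retry-options tries-before-disconnect 3",
]
NONCOMPLIANT = COMPLIANT[:5] + [
    "set system services ssh hostkey-algorithm ssh-dss",    # not in the evaluated set
    "set system services ssh rekey time-limit 120",         # in range, but beyond one hour
    "set system services ssh rekey data-limit 2000000000",  # in range, but beyond one gigabyte
    "set system login retry-options backoff-factor 3",      # below the 5 through 10 range
]

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("non-compliant", NONCOMPLIANT)):
        print(name, check_config(cfg) or ["no findings"])
```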

CHAPTER 5
Configure the Remote Syslog Server
· Sample Syslog Server Configuration on a Linux System

Sample Syslog Server Configuration on a Linux System
A secure Junos OS environment requires auditing of events and storing them in a local audit file. The recorded events are simultaneously sent to an external syslog server. A syslog server receives the syslog messages streamed from the device. The syslog server must have an SSH client with NETCONF support configured to receive the streamed syslog messages. Use the configuration details to establish a session between the target of evaluation (TOE) and the audit server. Examine the traffic that passes between the audit server and the TOE during several activities, and the generated audit data to be transferred to the audit server. Examine the TOE Summary Specification (TSS) to ensure that it specifies the means by which the audit data is transferred to the external audit server and how the trusted channel is provided.
The NDcPP logs capture the following events:
· Committed changes
· System startup
· Login and logout of users
· Failure to establish an SSH session
· Establishment or termination of an SSH session
· Changes to the system time
· Initiation of a system update
To configure event logging to a remote server when the SSH connection to the TOE is initiated from the remote system log server:
1. Generate an RSA public key on the remote syslog server.
   $ ssh-keygen -b 2048 -t rsa -C 'syslog-monitor key pair' -f ~/.ssh/syslog-monitor
   You will be prompted to enter the desired passphrase. The storage locations for the syslog-monitor key pair are displayed.
2. On the TOE, create a class named monitor that has permission to trace events.
   [edit system login]
   security-administrator@host:fips# set class monitor permissions trace
3. Create a user named syslog-mon with the class monitor, and with authentication that uses the syslog-monitor key pair from the key pair file located on the remote syslog server.
   [edit system login]
   security-administrator@host:fips# set user syslog-mon class monitor authentication ssh-rsa "<public key from syslog-monitor key pair>"
4. Set up NETCONF with SSH.
   [edit system services]
   security-administrator@host:fips# set netconf ssh
5. Configure syslog to log all the messages at /var/log/messages.
   [edit system]
   security-administrator@host:fips# set syslog file messages any any
   security-administrator@host:fips# commit
6. On the remote system log server, start the SSH agent (ssh-agent). Starting the agent simplifies the handling of the syslog-monitor key.
   $ eval `ssh-agent -s`
7. On the remote syslog server, add the syslog-monitor key pair to the ssh-agent.
   $ ssh-add ~/.ssh/syslog-monitor
   You will be prompted to enter the passphrase. Enter the same passphrase used in Step 1.
8. After logging in to the external_syslog_server session, establish a tunnel to the device and start NETCONF.
   $ ssh syslog-mon@NDcPP_TOE -s netconf > test.out
9. After NETCONF is established, configure a system log events message stream. This RPC causes the NETCONF service to start transmitting messages over the SSH connection that is established.
   <rpc><get-syslog-events><stream>messages</stream></get-syslog-events></rpc>
10. Examples of syslog messages are listed below. Monitor that the event log generated for admin actions on the TOE is received on the syslog server. Examine the traffic that passes between the audit server and the TOE, observing that these data are not viewable during this transfer and that they are successfully received by the audit server. Match the logs between local event logging and the remote events logged on the syslog server, and record the particular software (name, version) used on the audit server during testing. The following output shows test log results for the syslog server.

[host@nms5-vm-linux2 ~]$ ssh-keygen -b 2048 -t rsa -C 'syslog-monitor key pair' -f ~/.ssh/syslog-monitor
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/host/.ssh/syslog-monitor.
Your public key has been saved in /home/host/.ssh/syslog-monitor.pub.
The key fingerprint is:
ef:75:d7:68:c5:ad:8d:6f:5e:7a:7e:9b:3d:f1:4d:3f syslog-monitor key pair
The key's randomart image is:
(randomart image omitted)
[host@nms5-vm-linux2 ~]$ cat /home/host/.ssh/syslog-monitor.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrUREJUBpjwAoIgRrGy9zgt+D2pikk3Q/Wdf8I5vr+njeqJhCx2bUAkrRbYXNILQQAZbg7kLfi/8TqqLeon4HOP2e6oCSorKdx/GrOTzLONL4fh0EyuSAk8bs5JuwWNBUokV025gzpGFsBusGnlj6wqqJ/sjFsMmfxyCkbY+pUWb8m1/A9YjOFT+6esw+9StF6Gbg+VpbYYk/Oday4z+z7tQHRFSrxj2G92aoliVDBLJparEMBc8wLdSUDxmgBTM2oadOmm+kreBUQjrmr6775RJn9H9YwIxKOxGm4SFnX/Vl4R+lZ9RqmKH2wodIEM34K0wXEHzAzNZ01oLmaAVqT syslog-monitor key pair
[host@nms5-vm-linux2 ~]$ eval `ssh-agent -s`
Agent pid 1453
[host@nms5-vm-linux2 ~]$ ssh-add ~/.ssh/syslog-monitor
Enter passphrase for /home/host/.ssh/syslog-monitor:
Identity added: /home/host/.ssh/syslog-monitor (/home/host/.ssh/syslog-monitor)
Net configuration channel
[host@nms5-vm-linux2 ~]$ ssh syslog-mon@starfire -s netconf
this is NDcPP test device
<!-- No zombies were killed during the creation of this user interface -->
<!-- user syslog-mon, class j-monitor -->
<hello>
  <capabilities>
    <capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:candidate:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:confirmed-commit:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:validate:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:capability:url:1.0?protocol=http,ftp,file</capability>
    <capability>http://xml.juniper.net/netconf/junos/1.0</capability>
    <capability>http://xml.juniper.net/dmi/system/1.0</capability>
  </capabilities>
</hello>
]]>]]>
The following output shows event logs generated on the TOE that are received on the syslog server.
Jan 20 17:04:51 starfire sshd[4182]: error: Could not load host key: /etc/ssh/ssh_host_dsa_key
Jan 20 17:04:51 starfire sshd[4182]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Jan 20 17:04:53 starfire sshd[4182]: Accepted password for sec-admin from 10.209.11.24 port 55571 ssh2
Jan 20 17:04:53 starfire mgd[4186]: UI_AUTH_EVENT: Authenticated user 'sec-admin' at permission level 'j-administrator'
Jan 20 17:04:53 starfire mgd[4186]: UI_LOGIN_EVENT: User 'sec-admin' login, class 'j-administrator' [4186], ssh-connection '10.209.11.24 55571 10.209.14.92 22', client-mode 'cli'
The following output shows that the local syslogs and the remote syslogs received are the same.
Local:
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Redundancy interface management process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/rdd'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/rdd', PID 4317, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Dynamic flow capture service checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/dfcd'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/dfcd', PID 4318, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Connectivity fault management process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/cfmd'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/cfmd', PID 4319, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Layer 2 address flooding and learning process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/l2ald'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/l2ald', PID 4320, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Layer 2 Control Protocol process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/l2cpd'
Jan 20 17:09:30 starfire l2cp[4321]: Initializing PNAC state machines
Jan 20 17:09:30 starfire l2cp[4321]: Initializing PNAC state machines complete
Jan 20 17:09:30 starfire l2cp[4321]: Initialized 802.1X module and state machines
Jan 20 17:09:30 starfire l2cp[4321]: Read acess profile () config
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/l2cpd', PID 4321, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Multicast Snooping process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/mcsnoopd'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/mcsnoopd', PID 4325, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: commit wrapup...
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/ntp.conf'
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: start ffp activate
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/ffp'
Jan 20 17:09:30 starfire ffp[4326]: "dynamic-profiles": No change to profiles
...
Remote:
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Redundancy interface management process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/rdd'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/rdd', PID 4317, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Dynamic flow capture service checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/dfcd'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/dfcd', PID 4318, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Connectivity fault management process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/cfmd'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/cfmd', PID 4319, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Layer 2 address flooding and learning process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/l2ald'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/l2ald', PID 4320, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Layer 2 Control Protocol process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/l2cpd'
Jan 20 17:09:30 starfire l2cp[4321]: Initializing PNAC state machines
Jan 20 17:09:30 starfire l2cp[4321]: Initializing PNAC state machines complete
Jan 20 17:09:30 starfire l2cp[4321]: Initialized 802.1X module and state machines
Jan 20 17:09:30 starfire l2cp[4321]: Read acess profile () config
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/l2cpd', PID 4321, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: Multicast Snooping process checking new configuration
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/mcsnoopd'
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/mcsnoopd', PID 4325, status 0
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: commit wrapup...
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/ntp.conf'
Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: start ffp activate
Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/ffp'
Jan 20 17:09:30 starfire ffp[4326]: "dynamic-profiles": No change to profiles
...
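An added example, not Juniper's code, of the check in step 10 above: it splits a NETCONF 1.0 transcript on the ]]>]]> delimiter, keeps the syslog lines streamed after the hello, and reports which local entries never reached the server. The transcript and the local log are constructed, and the assumption that event lines arrive as plain text between delimiters is mine, not the page's.

```python
import re
from collections import Counter

NETCONF_EOM = "]]>]]>"  # NETCONF 1.0 end-of-message delimiter seen in the transcript above
# A syslog line as written by the TOE: "Jan 20 17:09:30 starfire mgd[4186]: ..."
SYSLOG_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ ")


def split_netconf_messages(stream):
    """Return (complete messages, trailing fragment). Text after the last delimiter
    has not been terminated yet, so it is returned separately rather than parsed."""
    *complete, trailing = stream.split(NETCONF_EOM)
    messages = [part.strip() for part in complete if part.strip()]
    return messages, trailing.strip()


def remote_syslog_lines(stream):
    """Syslog event lines received over the channel; the hello and any XML
    framing are skipped, and a partial line in the trailing fragment is not counted."""
    messages, _ = split_netconf_messages(stream)
    lines = []
    for message in messages:
        for line in message.splitlines():
            line = line.strip()
            if SYSLOG_RE.match(line):
                lines.append(line)
    return lines


def compare_logs(local_lines, remote_lines):
    """Return (missing, unexpected): local entries the server never received and
    received entries with no local counterpart. Repeated identical entries are
    normal in an audit trail, so this compares multisets, not sets."""
    local, remote = Counter(local_lines), Counter(remote_lines)
    return list((local - remote).elements()), list((remote - local).elements())


# Constructed transcript (assumed layout): banner comment, a hello like the one
# above, two event lines, and a third line still arriving when the capture stopped.
STREAM = (
    "<!-- user syslog-mon, class j-monitor -->\n"
    '<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">\n'
    "  <capabilities>\n"
    "    <capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>\n"
    "  </capabilities>\n"
    "</hello>\n"
    "]]>]]>\n"
    "Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: commit wrapup...\n"
    "Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/ffp'\n"
    "]]>]]>\n"
    'Jan 20 17:09:30 starfire ffp[4326]: "dynamic-profiles": No change to pro'
)
# Constructed local log for the same commit; the l2cp line never reached the server.
LOCAL_LOG = [
    "Jan 20 17:09:30 starfire mgd[4186]: UI_COMMIT_PROGRESS: Commit operation in progress: commit wrapup...",
    "Jan 20 17:09:30 starfire l2cp[4321]: Initializing PNAC state machines",
    "Jan 20 17:09:30 starfire mgd[4186]: UI_CHILD_START: Starting child '/usr/sbin/ffp'",
]

if __name__ == "__main__":
    missing, unexpected = compare_logs(LOCAL_LOG, remote_syslog_lines(STREAM))
    print("missing on server:", missing)
    print("unexpected on server:", unexpected)
```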

CHAPTER 6
Configure Audit Log Options
· Configure Audit Log Options in the Evaluated Configuration
· Sample Code Audits of Configuration Changes

Configure Audit Log Options in the Evaluated Configuration
IN THIS SECTION
· Configure Audit Log Options
The following section describes how to configure audit log options in the evaluated configuration.
Configure Audit Log Options
To configure audit log options:
1. Specify the number of files to be archived in the system logging facility.
   [edit system syslog]
   security-administrator@host:fips# set archive files 2
2. Specify the file in which to log data.
   [edit system syslog]
   security-administrator@host:fips# set file syslog any any
3. Specify the size of files to be archived.
   [edit system syslog]
   security-administrator@host:fips# set file syslog archive size 10000000
4. Specify the priority and facility in messages for the system logging facility.
   [edit system syslog]
   security-administrator@host:fips# set file syslog explicit-priority
5. Log system messages in a structured format.
   [edit system syslog]
   security-administrator@host:fips# set file syslog structured-data
Sample Code Audits of Configuration Changes
This sample code audits all changes to the configuration secret data and sends the logs to a file named Audit-File:
[edit system]
syslog {
    file Audit-File {
        authorization info;
        change-log info;
        interactive-commands info;
    }
}
This sample code expands the scope of the minimum audit to audit all changes to the configuration, not just secret data, and sends the logs to a file named Audit-File:
[edit system]
syslog {
    file Audit-File {
        any any;
        authorization info;
        change-log any;
        interactive-commands info;
        kernel info;
        pfe info;
    }
}
Example: System Logging of Configuration Changes
This example shows a sample configuration and makes changes to users and secret data. It then shows the information sent to the audit server when the secret data is added to the original configuration and committed with the load command.
[edit system]
location {
    country-code US;
    building B1;
}
...
login {
    message "UNAUTHORIZED USE OF THIS ROUTER\n\tIS STRICTLY PROHIBITED!";
    user admin {
        uid 2000;
        class super-user;
        authentication {
            encrypted-password "$ABC123"; # SECRET-DATA
        }
    }
}
radius-server 192.0.2.15 {
    secret "$ABC123"; # SECRET-DATA
}
services {
    ssh;
}
syslog {
    user * {
        any emergency;
    }
    file messages {
        any notice;
        authorization info;
    }
    file interactive-commands {
        interactive-commands any;
    }
}
...
The new configuration changes the secret data configuration statements and adds a new user.

security-administrator@host:fips# show | compare
[edit system login user admin authentication]
-   encrypted-password "$ABC123"; # SECRET-DATA
+   encrypted-password "$ABC123"; # SECRET-DATA
[edit system login]
+   user admin2 {
+       uid 2001;
+       class operator;
+       authentication {
+           encrypted-password "$ABC123"; # SECRET-DATA
+       }
+   }
[edit system radius-server 192.0.2.15]
-   secret "$ABC123"; # SECRET-DATA
+   secret "$ABC123"; # SECRET-DATA

CHAPTER 7
Configure Event Logging
· Event Logging Overview
· Interpret Event Messages
· Log Changes to Secret Data
· Login and Logout Events Using SSH
· Logging of Audit Startup


Event Logging Overview

The evaluated configuration requires the auditing of configuration changes through the system log. In addition, Junos OS can:
· Send automated responses to audit events (syslog entry creation).
· Allow authorized managers to examine audit logs.
· Send audit files to external servers.
· Allow authorized managers to return the system to a known state.
The logging for the evaluated configuration must capture the events listed below. Table 2 on page 62 shows the syslog audit events for NDcPPv2.2e.
Table 2: Auditable Events

Requirement

Auditable Events

Additional Audit Record Contents

How Event is Generated

FAU_GEN.1

None

None

FAU_GEN.2

None

None

FAU_STG_EXT.1

None

None

FAU_STG.1

None

None

FCS_CKM.1

None

None

FCS_CKM.2

None

None

FCS_CKM.4

None

None

63

Table 2: Auditable Events (Continued)

Requirement

Auditable Events

Additional Audit Record Contents

How Event is Generated

FCS_COP.1/ DataEncryption

None

None

FCS_COP.1/SigGen None

None

FCS_COP.1/Hash

None

None

FCS_COP.1/ KeyedHash

None

None

FCS_RBG_EXT.1

None

None

FDP_RIP.2

None

None

FIA_AFL.1

Unsuccessful login attempts limit is met or exceeded.

Origin of the attempt (e.g., IP address).

sshd SSHD_LOGIN_ATTEMPTS_THRESHOLD [junos@2636.1.1.1.2.164 limit=”3″ username=”root”] Threshold for unsuccessful authentication attempts (3) reached by user ‘root’

FIA_PMG_EXT.1

None

None

64

Table 2: Auditable Events (Continued)

Requirement

Auditable Events

Additional Audit Record Contents

How Event is Generated

FIA_UIA_EXT.1

All use of identification and authentication mechanism.

Provided user identity, origin of the attempt (e.g., IP address).

Successful Remote Login
mgd 70652 UI_AUTH_EVENT [junos@2636.1.1.1.2.164 username=”root” authentication-level=”super-user”] Authenticated user ‘root’ assigned to class ‘super-user’
mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username=”root” class-name =”super-user” local-peer=”” pid=”70652″ ssh-connection=”10.223.5.251 53476 10.204.134.54 22″ client-mode=”cli”] User ‘root’ login, class ‘super-user’ [70652], ssh-connection ‘10.223.5.251 53476 10.204.134.54 22’, client-mode ‘cli’
Unsuccessful Remote Login
sshd – SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username=”root” source- address=”10.223.5.251″] Login failed for user ‘root’ from host ‘10.223.5.251’
Successful Local Login
login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username=”root” hostname=”[unknown]” tty-name=”ttyu0″] User root logged in from host [unknown] on device ttyu0
login 2671 LOGIN_ROOT [junos@2636.1.1.1.2.164 username=”root” hostname=”[unknown]” tty-name=”ttyu0″] User root logged in as root from host [unknown] on device ttyu0
Unsuccessful Local Login
login 70818 LOGIN_PAM_ERROR [junos@2636.1.1.1.2.164 username=”root” error- message=”error in service module”]

65

Table 2: Auditable Events (Continued)

Requirement

Auditable Events

Additional Audit Record Contents

How Event is Generated

Failure while authenticating user root: error in service module
login 70818 LOGIN_FAILED [junos@2636.1.1.1.2.164 username=”root” source- address=”ttyu0″] Login failed for user root from host ttyu0

66

Table 2: Auditable Events (Continued)

Requirement

Auditable Events

Additional Audit Record Contents

How Event is Generated

FIA_UAU_EXT.2

All use of identification and authentication mechanism.

Origin of the attempt (e.g., IP address).

Successful Remote Login
mgd 70652 UI_AUTH_EVENT [junos@2636.1.1.1.2.164 username=”root” authentication-level=”super-user”] Authenticated user ‘root’ assigned to class ‘super-user’
mgd 70652 UI_LOGIN_EVENT [junos@2636.1.1.1.2.164 username=”root” class-name =”super-user” local-peer=”” pid=”70652″ ssh-connection=”10.223.5.251 53476 10.204.134.54 22″ client-mode=”cli”] User ‘root’ login, class ‘super-user’ [70652], ssh-connection ‘10.223.5.251 53476 10.204.134.54 22’, client-mode ‘cli’
Unsuccessful Remote Login
sshd – SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username=”root” source- address=”10.223.5.251″] Login failed for user ‘root’ from host ‘10.223.5.251’
Successful Local Login
login 2671 LOGIN_INFORMATION [junos@2636.1.1.1.2.164 username=”root” hostname=”[unknown]” tty-name=”ttyu0″] User root logged in from host [unknown] on device ttyu0
login 2671 LOGIN_ROOT [junos@2636.1.1.1.2.164 username=”root” hostname=”[unknown]” tty-name=”ttyu0″] User root logged in as root from host [unknown] on device ttyu0
Unsuccessful Local Login
login 70818 LOGIN_PAM_ERROR [junos@2636.1.1.1.2.164 username=”root” error- message=”error in service module”]

67

Table 2: Auditable Events (Continued)

Requirement

Auditable Events

Additional Audit Record Contents

How Event is Generated

Failure while authenticating user root: error in service module
login 70818 LOGIN_FAILED [junos@2636.1.1.1.2.164 username=”root” source- address=”ttyu0″] Login failed for user root from host ttyu0

FIA_UAU.7

None

None

FMT_MOF.1/ ManualUpdate

Any attempt to initiate a manual update.

None

UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username=”secofficer” command=”request system software add /var/tmp/junos-mx240-22.2R1.1.tgz novalidate “] User ‘sec-officer’, command ‘request system software add /var/tmp/ junos-mx240-22.2R1.1.tgz no-validate ‘

FMT_MTD.1/ CoreData

All management activities of TSF data

None

Refer to the audit events listed in this table.

FMT_SMF.1/IPS

None

None

None

FMT_SMF.1/ND

None

None

None

FMT_SMR.2

None

None

FPT_SKP_EXT.1

None

None

FPT_APW_EXT.1

None

None

FPT_TST_EXT.1

None

None

68

Table 2: Auditable Events (Continued)

Requirement

Auditable Events

Additional Audit Record Contents

How Event is Generated

FPT_TUD_EXT.1
  Auditable events: Initiation of update; result of the update attempt (success or failure)
  Additional audit record contents: None
  How event is generated:
    UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="sec-officer" command="request system software add /var/tmp/junos-mx240-22.2R1.1.tgz no-validate "] User 'sec-officer', command 'request system software add /var/tmp/junos-mx240-22.2R1.1.tgz no-validate '

FPT_STM_EXT.1
  Auditable events: Discontinuous changes to time, either administrator actuated or changed through an automated process.
  Additional audit record contents: For discontinuous changes to time: the old and new values for the time. Origin of the attempt to change time for success and failure (such as an IP address).
  How event is generated:
    mgd 71079 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="root" command="set date 202005201815.00 "] User 'root', command 'set date 202005201815.00 '
    mgd 71079 UI_COMMIT_PROGRESS [junos@2636.1.1.1.2.164 message="signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled"] Commit operation in progress: signaling 'Network security daemon', pid 2641, signal 31, status 0 with notification errors enabled
    nsd 2641 NSD_SYS_TIME_CHANGE - System time has changed

FTA_SSL_EXT.1 (if "terminate the session" is selected)
  Auditable events: The termination of a local interactive session by the session locking mechanism.
  Additional audit record contents: None
  How event is generated:
    cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated

FTA_SSL.3
  Auditable events: The termination of a remote session by the session locking mechanism.
  Additional audit record contents: None
  How event is generated:
    cli - UI_CLI_IDLE_TIMEOUT [junos@2636.1.1.1.2.164 username="root"] Idle timeout for user 'root' exceeded and session terminated


FTA_SSL.4
  Auditable events: The termination of an interactive session.
  Additional audit record contents: None
  How event is generated:
    mgd 71668 UI_LOGOUT_EVENT [junos@2636.1.1.1.2.164 username="root"] User 'root' logout

FTA_TAB.1
  Auditable events: None
  Additional audit record contents: None

FCS_SSHS_EXT.1
  Auditable events: Failure to establish an SSH session
  Additional audit record contents: Reason for failure
  How event is generated:
    sshd 72404 - - Unable to negotiate with 1.1.1.2 port 42168: no matching cipher found. Their offer: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc

FTP_ITC.1
  Auditable events: Initiation of the trusted channel. Termination of the trusted channel. Failure of the trusted channel functions.
  Additional audit record contents: Identification of the initiator and target of failed trusted channel establishment attempts
  How event is generated:
    Initiation of the trusted channel:
    sshd 72418 - - Accepted keyboard-interactive/pam for root from 10.223.5.251 port 42482 ssh2
    Termination of the trusted channel:
    sshd 72418 - - Disconnected from user root 10.223.5.251 port 42482
    Failure of the trusted channel:
    sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'


FTP_TRP.1/Admin
  Auditable events: Initiation of the trusted path. Termination of the trusted path. Failure of the trusted path functions.
  Additional audit record contents: None
  How event is generated:
    Initiation of the trusted path:
    sshd 72418 - - Accepted keyboard-interactive/pam for root from 10.223.5.251 port 42482 ssh2
    Termination of the trusted path:
    sshd 72418 - - Disconnected from user root 10.223.5.251 port 42482
    Failure of the trusted path:
    sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'

FIA_X509_EXT.1/Rev
  Auditable events: Unsuccessful attempt to validate a certificate
  Additional audit record contents: Reason for failure
  How event is generated:
    verify-sig 72830 - - cannot validate ecerts.pem: subject issuer mismatch: /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks/OU=Juniper CA/CN=PackageProductionTestEc_2017_NO_DEFECTS/emailAddress=ca@juniper.net

FIA_X509_EXT.2
  Auditable events: None
  Additional audit record contents: None

FIA_X509_EXT.3
  Auditable events: None
  Additional audit record contents: None


FMT_MOF.1/Functions
  Auditable events: Modification of the behaviour of the transmission of audit data to an external IT entity, the handling of audit data, the audit functionality when Local Audit Storage Space is full.
  Additional audit record contents: None
  How event is generated:
    mgd 71891 UI_RESTART_EVENT [junos@2636.1.1.1.2.164 username="root" process-name="Network security daemon" description=" immediately"] User 'root' restarting daemon 'Network security daemon' immediately
    init - - - network-security (PID 72907) terminated by signal number 9!
    init - - - network-security (PID 72929) started

FMT_MOF.1/Services
  Auditable events: Starting and stopping of services.
  Additional audit record contents: None

FMT_MTD.1/CryptoKeys
  Auditable events: Management of cryptographic keys.
  Additional audit record contents: None
  How event is generated:
    SSH keys:
    ssh-keygen 2706 - - Generated SSH key file /root/.ssh/id_rsa.pub with fingerprint SHA256:EQotXjlahhlVplg+YBLbFR3TdmJMpm6D1FSjRo6lVE4
    ssh-keygen 2714 - - Generated SSH key file /root/.ssh/id_ecdsa.pub with fingerprint SHA256:ubQWoesME9bpOT1e/sYv871hwWUzSG8hNqyMUe1cNc0
    IPsec keys:
    pkid 2458 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.2.164 argument1="384" argument2="ECDSA" argument3="cert1"] A 384 bit ECDSA key-Pair has been generated for cert1
    pkid 2458 PKID_PV_KEYPAIR_GEN [junos@2636.1.1.1.2.164 argument1="4096" argument2="RSA" argument3="cert2"] A 4096 bit RSA key-Pair has been generated for cert2


FCS_IPSEC_EXT.1
  Auditable events: Session establishment with peer
  Additional audit record contents: Entire packet contents of packets transmitted/received during session establishment
  How event is generated:
    user@host:fips# run show log iked | no-more | grep vpn
    Jun 14 10:40:49.291712 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ipsec-sa selection successful for spi (0x8a45e874) local-ip (20.1.1.1) remote-ip (20.1.1.2) vpn (IPSEC_VPN)

    user@host:fips# run show log iked | no-more | grep success
    Jun 14 10:40:49.278061 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-generate successful response received for ipc-index=45109,local-ip=none,remote-ip=none
    Jun 14 10:40:49.290742 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] atec-validate-migrate for ed (0x2c09028) success in remote id validation
    Jun 14 10:40:49.291392 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] TSi: traffic-selector-match for ts-match Successful,C:ipv4(0.0.0.0-255.255.255.255) R:ipv4(10.1.1.0-10.1.1.255) N:ipv4(10.1.1.0-10.1.1.255)
    Jun 14 10:40:49.291656 [EXT] [TUNL] [20.1.1.1 <-> 20.1.1.2] ike_tunnel_anchor_node_tunnel_add: Anchor tunnel add for tunnel 500009: success total tunnel adds:9
    Jun 14 10:40:49.291682 [DET] [TUNL] [20.1.1.1 <-> 20.1.1.2] tunnel-sadb-add success with local-spi (0x8a45e874)
    Jun 14 10:40:49.291712 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ipsec-sa selection successful for spi (0x8a45e874) local-ip (20.1.1.1) remote-ip (20.1.1.2) vpn (IPSEC_VPN)
    Jun 14 10:40:49.292404 [TER] [PEER] [20.1.1.1 <-> 20.1.1.2] IKE: Gateway N:IKE_GW L:20.1.1.1:500 R:20.1.1.2:500 Successful ike-id:20.1.1.2 U:N/A IKE:IKEv2 Role:R
    Jun 14 10:40:49.294256 [DET] [DIST] [20.1.1.1 <-> 20.1.1.2] ike_dist_ipsec_tunnel_info_add: IPsec distribution tunnel info add to db successful Tunnel Id:500009 Client Id:20 Instance:0
    Jun 14 10:40:49.295072 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC msg tag 4 from iked to SPU.0.20
    Jun 14 10:40:49.295292 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC msg tag 4 from iked to SPU.0.21
    Jun 14 10:40:49.296004 [DET] [STER] [20.1.1.1 <-> 20.1.1.2] Successfully modified st0 next hop meta data for tunnel 500009
    Jun 14 10:40:49.297336 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC msg tag 4 from iked to SPU.0.20
    Jun 14 10:42:24.328902 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-generate successful response received for ipc-index=45111,local-ip=none,remote-ip=none
    Jun 14 10:42:24.332381 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-compute successful response received for ipc-index=0
    Jun 14 10:42:24.333295 [DET] [PUBL] [20.1.1.1 <-> 20.1.1.2] publish-ike-sa successful for ike-sa-index 11282 ike-sa 0x21dec24
    Jun 14 10:42:29.316880 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] TSi: traffic-selector-match for ts-match Successful,C:ipv4(0.0.0.0-255.255.255.255) R:ipv4(10.1.1.0-10.1.1.255) N:ipv4(10.1.1.0-10.1.1.255)
    Jun 14 10:42:29.316889 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] TSr: traffic-selector-match for ts-match Successful,C:ipv4(0.0.0.0-255.255.255.255) R:ipv4(30.1.1.0-30.1.1.255) N:ipv4(30.1.1.0-30.1.1.255)
    Jun 14 10:42:29.317147 [DET] [TUNL] [20.1.1.1 <-> 20.1.1.2] tunnel-sadb-add success with local-spi (0x80eeab18)
    Jun 14 10:42:29.317178 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ipsec-sa selection successful for spi (0x80eeab18) local-ip (20.1.1.1) remote-ip (20.1.1.2) vpn (IPSEC_VPN)
    Jun 14 10:42:29.320369 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-generate successful response received for ipc-index=45113,local-ip=none,remote-ip=none
    Jun 14 10:42:29.323800 [DET] [ATEC] [20.1.1.1 <-> 20.1.1.2] ike-atec-dh-compute successful response received for ipc-index=0
    Jun 14 10:42:29.325513 [EXT] [IPSC] [20.1.1.1 <-> 20.1.1.2] ipsec_common_msg_send: Successfully sent IPC msg tag 4 from iked to SPU.0.20


FIA_X509_EXT.1
  Auditable events: Session establishment with CA
  Additional audit record contents: Entire packet contents of packets transmitted/received during session establishment
  How event is generated:
    kmd 7200 KMD_VPN_UP_ALARM_USER [junos@2636.1.1.1.2.164 vpn-name="vpn1" remote-address="5.5.5.1" local-address="11.11.11.1" gateway-name="gw1" group-name="vpn1" tunnel-id="131073" interface-name="st0.0" internal-ip="Not-Available" name="11.11.11.1" peer-name="5.5.5.1" client-name="Not-Applicable" vrrp-group-id="0" traffic-selector-name="" traffic-selector-cfg-local-id="ipv4_subnet(any:0,[0..7]=0.0.0.0/0)" traffic-selector-cfg-remote-id="ipv4_subnet(any:0,[0..7]=0.0.0.0/0)" argument1="Static"] VPN vpn1 from 5.5.5.1 is up. Local-ip: 11.11.11.1, gateway name: gw1, vpn name: vpn1, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: Not-Available, Local IKE-ID: 11.11.11.1, Remote IKE-ID: 5.5.5.1, AAA username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static


FPF_RUL_EXT.1
  Auditable events: Application of rules configured with the 'log' operation
  Additional audit record contents: Source and destination addresses. Source and destination ports. Transport layer protocol. TOE interface.
  How event is generated (in the Action column of show firewall log, A means accept and R means reject):

    [edit]
    root@host:fips# run show firewall

    Filter: default_bpdu_filter

    Filter: fw_filter1
    Counters:
    Name                 Bytes    Packets
    inc1                     0          0
    inc2                   840         10

    [edit]
    root@host:fips# run show firewall log
    Log :
    Time      Filter    Action Interface     Protocol  Src Addr   Dest Addr
    11:05:31  pfe       R      st0.1         ICMP      30.1.1.1   10.1.1.1
    11:05:30  pfe       R      st0.1         ICMP      30.1.1.1   10.1.1.1
    11:05:29  pfe       R      st0.1         ICMP      30.1.1.1   10.1.1.1
    11:05:28  pfe       R      st0.1         ICMP      30.1.1.1   10.1.1.1

    root@host:fips# run show firewall log
    Log :
    Time      Filter    Action Interface     Protocol  Src Addr   Dest Addr
    11:19:59  pfe       R      st0.1         TCP       30.1.1.1   10.1.1.1

    root@host:fips# run show firewall log
    Log :
    Time      Filter    Action Interface     Protocol  Src Addr   Dest Addr
    13:00:18  pfe       A      ge-0/0/4.0    ICMP      30.1.1.5   10.1.1.1
    13:00:17  pfe       A      ge-0/0/4.0    ICMP      30.1.1.5   10.1.1.1
    13:00:16  pfe       A      ge-0/0/4.0    ICMP      30.1.1.5   10.1.1.1
    13:00:15  pfe       A      ge-0/0/4.0    ICMP      30.1.1.5   10.1.1.1

    root@host:fips# run show firewall log
    Log :
    Time      Filter    Action Interface     Protocol  Src Addr   Dest Addr
    13:00:45  pfe       A      ge-0/0/4.0    TCP       30.1.1.5   10.1.1.1


FPF_RUL_EXT.1 (continued)
  Auditable events: Indication of packets dropped due to too much network traffic
  Additional audit record contents: TOE interface that is unable to process packets
  How event is generated:
    RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.164 source-address="1.1.1.2" source-port="10001" destination-address="2.2.2.2" destination-port="21" connection-tag="0" service-name="junos-ftp" protocol-id="6" icmp-type="0" policy-name="p2" source-zone-name="ZO_A" destination-zone-name="ZO_B" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="No" reason="Denied by policy" session-id-32="3" application-category="N/A" application-sub-category="N/A" application-risk="1" application-characteristics="N/A" src-vrf-grp="N/A" dst-vrf-grp="N/A"] session denied 1.1.1.2/10001->2.2.2.2/21 0x0 junos-ftp 6(0) p2 ZO_A ZO_B UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 No Denied by policy 3 N/A N/A -1 N/A N/A N/A

In addition, Juniper Networks recommends:
· Capturing all changes to the configuration.
· Storing logging information remotely.
For more information on log details, see Specifying Log File Size, Number, and Archiving Properties.


Interpret Event Messages

The following output shows sample event messages.

Feb 27 02:33:04 bm-a mgd[6520]: UI_LOGIN_EVENT: User 'security-officer' login, class 'j-superuser' [6520], ssh-connection '', client-mode 'cli'
Feb 27 02:33:49 bm-a mgd[6520]: UI_DBASE_LOGIN_EVENT: User 'security-officer' entering configuration mode
Feb 27 02:38:29 bm-a mgd[6520]: UI_CMDLINE_READ_LINE: User 'security-officer', command 'run show log Audit_log | grep LOGIN

Table 3 describes the fields of an event message. If the system logging utility cannot determine the value in a particular field, a hyphen (-) appears instead.

Table 3: Fields in Event Messages

timestamp
  Description: Time when the message was generated, in one of two representations:
    · MMM-DD HH:MM:SS.MS+/-HH:MM is the month, day, hour, minute, second and millisecond in local time. The hour and minute that follow the plus sign (+) or minus sign (-) are the offset of the local time zone from Coordinated Universal Time (UTC).
    · YYYY-MM-DDTHH:MM:SS.MSZ is the year, month, day, hour, minute, second and millisecond in UTC.
  Examples: Feb 27 02:33:04 is a timestamp expressed as local time in the United States. 2012-02-27T09:17:15.719Z is 9:17 AM UTC on 27 Feb 2012.

hostname
  Description: Name of the host that originally generated the message.
  Example: router1

process
  Description: Name of the Junos OS process that generated the message.
  Example: mgd

processID
  Description: UNIX process ID (PID) of the Junos OS process that generated the message.
  Example: 4153

TAG
  Description: Junos OS system log message tag, which uniquely identifies the message.
  Example: UI_DBASE_LOGOUT_EVENT

username
  Description: Username of the user initiating the event.
  Example: "admin"

message-text
  Description: English-language description of the event.
  Example: set: [system radius-server 1.2.3.4 secret]
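The field layout in Table 3 and the structured-data form quoted throughout Table 2 (process, PID, TAG, a [junos@... key="value"] element, then the message text) can be parsed mechanically, which is what a collector or SIEM rule has to do before it can match on TAG or username. The parser below is an added example, not code from the Juniper guide. The sample lines are constructed from the guide's own messages; the default year and time zone used when normalising the MMM DD HH:MM:SS form are assumptions, since that representation carries neither.

```python
"""Parse Junos OS syslog event messages into the Table 3 fields.

Added example, not code from the Juniper guide. Accepts both the
"MMM DD HH:MM:SS host process[pid]: TAG: text" form and the
"process pid TAG [junos@... key="value" ...] text" form quoted in Table 2.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

_TS = (r"[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:[+-]\d{2}:\d{2})?"
       r"|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})?")

LINE_RE = re.compile(
    r"^(?:(?P<ts>" + _TS + r")\s+(?P<host>\S+)\s+)?"   # timestamp and hostname, if present
    r"(?P<proc>[A-Za-z_][\w-]*)"                        # process name (mgd, sshd, RT_FLOW, ...)
    r"(?:\[(?P<pid1>\d+)\]:|\s+(?P<pid2>\d+|-))"        # process[pid]:  or  process pid / process -
    r"(?:\s+-)*"                                        # RFC 5424 placeholder fields ("- -")
    r"(?:\s+(?P<tag>[A-Z][A-Z0-9_]+):?)?"               # TAG; absent on raw sshd lines
    r"\s*(?P<rest>.*)$")
SD_RE = re.compile(r'^\[(?P<sdid>[^\s\]]+)(?P<params>(?:\s+[\w-]+="[^"]*")*)\s*\]\s*')
PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')
USER_RE = re.compile(r"[Uu]ser '([^']+)'")


@dataclass
class Event:
    timestamp: Optional[str]
    hostname: Optional[str]
    process: str
    pid: Optional[int]
    tag: Optional[str]
    username: Optional[str]
    message_text: str
    sd_params: Dict[str, str] = field(default_factory=dict)


def parse_event(line: str) -> Optional[Event]:
    """Return an Event for one log line, or None if the line is not a Junos message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    params: Dict[str, str] = {}
    sd = SD_RE.match(rest)
    if sd:                                   # structured-data element, e.g. [junos@2636... username="root"]
        params = dict(PARAM_RE.findall(sd.group("params")))
        rest = rest[sd.end():]
    pid_str = m.group("pid1") or m.group("pid2")
    user = params.get("username")
    if user is None:                         # fall back to the "User 'name'" phrase in the text
        u = USER_RE.search(rest)
        user =  u.group(1) if u else None
    return Event(timestamp=m.group("ts"), hostname=m.group("host"), process=m.group("proc"),
                 pid=int(pid_str) if pid_str and pid_str.isdigit() else None,
                 tag=m.group("tag"), username=user, message_text=rest.strip(), sd_params=params)


def parse_timestamp(ts: str, default_year: int = 2012, default_tz: timezone = timezone.utc) -> datetime:
    """Normalise either Table 3 timestamp representation to an aware UTC datetime.

    The MMM DD HH:MM:SS form carries no year, so default_year is assumed; if it also
    carries no +/-HH:MM offset, default_tz is assumed (the guide says it is local time).
    """
    if ts[:4].isdigit():                     # YYYY-MM-DDTHH:MM:SS.MSZ: already carries its zone
        return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    m = re.match(r"([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})(\.\d+)?([+-]\d{2}:\d{2})?$", ts)
    if not m:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    mon, day, hms, frac, off = m.groups()
    dt = datetime.strptime(f"{default_year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    if frac:
        dt = dt.replace(microsecond=int((frac[1:] + "000000")[:6]))
    if off:                                  # +/-HH:MM is the local zone's offset from UTC
        sign = 1 if off[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(off[1:3]), minutes=int(off[4:6])))
    else:
        tz = default_tz
    return dt.replace(tzinfo=tz).astimezone(timezone.utc)


# Constructed from the guide's own example messages.
SAMPLE_LINES = '''\
Feb 27 02:33:04 bm-a mgd[6520]: UI_LOGIN_EVENT: User 'security-officer' login, class 'j-superuser' [6520], ssh-connection '', client-mode 'cli'
mgd 71079 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.164 username="root" command="set date 202005201815.00 "] User 'root', command 'set date 202005201815.00 '
sshd - SSHD_LOGIN_FAILED [junos@2636.1.1.1.2.164 username="root" source-address="10.223.5.251"] Login failed for user 'root' from host '10.223.5.251'
sshd 72404 - - Unable to negotiate with 1.1.1.2 port 42168: no matching cipher found.
2012-02-27T09:17:15.719Z router1 mgd[4153]: UI_DBASE_LOGOUT_EVENT: User 'admin' exiting configuration mode
'''.splitlines()

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_event(line)
        if ev:
            print(f"{ev.tag or '-':24} user={ev.username} pid={ev.pid} text={ev.message_text[:50]!r}")
```

parse_event returns None for lines that are not Junos messages, so it can be run over a whole messages file; the username comes from the structured-data element when one is present and from the User '...' phrase otherwise, so both the UI_* and the SSHD_LOGIN_FAILED records above yield the same field.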

RELATED DOCUMENTATION Event Logging Overview
Log Changes to Secret Data
The following are examples of audit logs for events that change secret data. The record identifies the user and the configuration path but never the secret value itself. When a secret is first set in the configuration, syslog captures events such as:

Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system radius-server 1.2.3.4 secret]
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user admin authentication encrypted-password]
Jul 24 17:43:28 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' set: [system login user admin2 authentication encrypted-password]

When an existing secret is updated or replaced, syslog captures events such as:

Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system radius-server 1.2.3.4 secret]
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system login user admin authentication encrypted-password]
Jul 24 18:29:09 router1 mgd[4163]: UI_CFG_AUDIT_SET_SECRET: User 'admin' replace: [system login user admin authentication encrypted-password]

RELATED DOCUMENTATION Interpreting Event Messages

Login and Logout Events Using SSH

System log messages are generated whenever a user successfully or unsuccessfully attempts SSH access. Logout events are also recorded. For example, the following logs are the result of two failed authentication attempts, then a successful one, and finally a logout:

Dec 20 23:17:35 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:42 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:53 bilbo sshd[16645]: Accepted password for op from 172.17.58.45 port 1673 ssh2
Dec 20 23:17:53 bilbo mgd[16648]: UI_AUTH_EVENT: Authenticated user 'op' at permission level 'j-operator'
Dec 20 23:17:53 bilbo mgd[16648]: UI_LOGIN_EVENT: User 'op' login, class 'j-operator' [16648]
Dec 20 23:17:56 bilbo mgd[16648]: UI_CMDLINE_READ_LINE: User 'op', command 'quit '
Dec 20 23:17:56 bilbo mgd[16648]: UI_LOGOUT_EVENT: User 'op' logout
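A detection a practitioner would run over exactly these sshd lines, as an added example that is not part of the Juniper guide: it counts Failed password records per source inside a sliding window and flags an Accepted password that follows recent failures from the same source, which is the pattern above (two failures, then success). The threshold, the window and the extra lines from 10.0.0.9 are constructed for the example.

```python
"""Flag SSH credential guessing from Junos sshd log lines.

Added example, not code from the Juniper guide. The first lines are the guide's
own sample session; the 10.0.0.9 lines, the threshold and the window are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\S+)\s+for\s+(?:invalid user\s+)?(?P<user>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+port\s+(?P<port>\d+)")

SAMPLE_LINES = [
    "Dec 20 23:17:35 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2",
    "Dec 20 23:17:42 bilbo sshd[16645]: Failed password for op from 172.17.58.45 port 1673 ssh2",
    "Dec 20 23:17:53 bilbo sshd[16645]: Accepted password for op from 172.17.58.45 port 1673 ssh2",
    "Dec 20 23:17:53 bilbo mgd[16648]: UI_LOGIN_EVENT: User 'op' login, class 'j-operator' [16648]",
    # constructed: three failures from one source inside a minute
    "Dec 20 23:20:01 bilbo sshd[16700]: Failed password for root from 10.0.0.9 port 50011 ssh2",
    "Dec 20 23:20:07 bilbo sshd[16701]: Failed password for invalid user admin from 10.0.0.9 port 50012 ssh2",
    "Dec 20 23:20:13 bilbo sshd[16702]: Failed password for root from 10.0.0.9 port 50013 ssh2",
]

Alert = Tuple[str, str, str, str]   # (kind, source, user, timestamp)


def _seconds(ts: str, year: int = 2012) -> float:
    """Seconds since the start of `year`; the BSD stamp has no year, so one is assumed."""
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return (dt - datetime(year, 1, 1)).total_seconds()


def analyse(lines, threshold: int = 3, window: int = 60) -> Tuple[List[Alert], Dict[str, int]]:
    """Return alerts and a failed/accepted count.

    brute_force: `threshold` failures from one source within `window` seconds.
    success_after_failures: an Accepted login from a source that failed within `window` seconds.
    """
    recent_failures: Dict[str, List[float]] = defaultdict(list)
    alerts: List[Alert] = []
    summary = {"failed": 0, "accepted": 0}
    for raw in lines:
        m = SSHD_RE.match(raw.strip())
        if not m:                            # mgd lines and anything else are ignored here
            continue
        t, src, user = _seconds(m["ts"]), m["src"], m["user"]
        recent = [x for x in recent_failures[src] if t - x <= window]
        if m["result"] == "Failed":
            summary["failed"] += 1
            recent.append(t)
            if len(recent) >= threshold:
                alerts.append(("brute_force", src, user, m["ts"]))
        else:
            summary["accepted"] += 1
            if recent:
                alerts.append(("success_after_failures", src, user, m["ts"]))
        recent_failures[src] = recent
    return alerts, summary


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LINES)[0]:
        print(*alert)
```

The second alert kind is the one worth paging on: a success preceded by failures from the same source is either an operator mistyping a password or a guessed credential, and the UI_AUTH_EVENT permission level on the following mgd line tells you which class the session obtained.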

RELATED DOCUMENTATION Interpreting Event Messages


Logging of Audit Startup

The audit information logged includes startups of Junos OS. This in turn identifies the startup events of the audit system, which cannot be independently disabled or enabled. For example, if Junos OS is restarted, the audit log contains the following information:

Dec 20 23:17:35 bilbo syslogd: exiting on signal 14
Dec 20 23:17:35 bilbo syslogd: restart
Dec 20 23:17:35 bilbo syslogd /kernel: Dec 20 23:17:35 init: syslogd (PID 19128) exited with status=1
Dec 20 23:17:42 bilbo /kernel: init: syslogd (PID 19200) started

RELATED DOCUMENTATION Login and Logout Events Using SSH

CHAPTER 8
Configure VPNs

MOD_VPN

SUMMARY: This section describes how the MOD_VPN works.

IN THIS SECTION: MOD_VPN Overview | Supported IPsec-IKE Algorithms | Configure VPN on a Device Running Junos OS | Configuring Firewall Rules

MOD_VPN Overview
The MOD_VPN describes the security requirements for a VPN Gateway. This is defined to be a device at the edge of a private network that terminates an IPsec tunnel (IPsec in tunnel mode) and provides device authentication, confidentiality, and integrity of information traversing a public or untrusted network. The module is intended to provide a minimal, baseline set of requirements targeted at mitigating well-defined and described threats to VPN Gateway technology. This introduction describes the features of a compliant Target of Evaluation (TOE), and also discusses how to use the MOD_VPN in conjunction with the NDcPPv2.

NOTE: If an IPsec connection is unintentionally broken, clear its security associations with the following commands. The IPsec session is then re-initiated and re-established:

user@host# run clear security ipsec security-associations
user@host# run clear security ike security-associations

Supported IPsec-IKE Algorithms

IN THIS SECTION: Supported encryption algorithms for IPsec | Supported encryption algorithms for IKE | Supported IKE DH groups | Supported IPsec authentication algorithm | Supported IKE authentication algorithms | Supported authentication methods

Your device supports the following IPsec-IKE algorithms. A proposal takes exactly one value for each statement, so the command lists below show the alternatives for that statement, not a sequence to apply together: each set replaces the value set before it.

Supported encryption algorithms for IPsec

aes-128-cbc    AES-CBC 128-bit encryption algorithm
aes-128-gcm    AES-GCM 128-bit encryption algorithm
aes-192-cbc    AES-CBC 192-bit encryption algorithm
aes-192-gcm    AES-GCM 192-bit encryption algorithm
aes-256-cbc    AES-CBC 256-bit encryption algorithm
aes-256-gcm    AES-GCM 256-bit encryption algorithm

[edit]
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-128-cbc
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-128-gcm
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-192-cbc
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-192-gcm
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-256-cbc
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-256-gcm

Supported encryption algorithms for IKE

aes-128-cbc    AES-CBC 128-bit encryption algorithm
aes-128-gcm    AES-GCM 128-bit encryption algorithm
aes-192-cbc    AES-CBC 192-bit encryption algorithm
aes-256-cbc    AES-CBC 256-bit encryption algorithm
aes-256-gcm    AES-GCM 256-bit encryption algorithm

[edit]
user@host# set security ike proposal ipsec-proposal1 encryption-algorithm aes-128-cbc
user@host# set security ike proposal ipsec-proposal1 encryption-algorithm aes-128-gcm
user@host# set security ike proposal ipsec-proposal1 encryption-algorithm aes-192-cbc
user@host# set security ike proposal ipsec-proposal1 encryption-algorithm aes-256-cbc
user@host# set security ike proposal ipsec-proposal1 encryption-algorithm aes-256-gcm

Supported IKE DH groups

group14    Diffie-Hellman Group 14
group15    Diffie-Hellman Group 15
group16    Diffie-Hellman Group 16
group19    Diffie-Hellman Group 19
group20    Diffie-Hellman Group 20
group21    Diffie-Hellman Group 21
group24    Diffie-Hellman Group 24

[edit]
user@host# set security ike proposal ipsec-proposal1 dh-group group14
user@host# set security ike proposal ipsec-proposal1 dh-group group15
user@host# set security ike proposal ipsec-proposal1 dh-group group16
user@host# set security ike proposal ipsec-proposal1 dh-group group19
user@host# set security ike proposal ipsec-proposal1 dh-group group20
user@host# set security ike proposal ipsec-proposal1 dh-group group21
user@host# set security ike proposal ipsec-proposal1 dh-group group24

Supported IPsec authentication algorithm

hmac-sha-256-128    HMAC-SHA-256-128 authentication algorithm
hmac-sha-384        HMAC-SHA-384 authentication algorithm
hmac-sha-512        HMAC-SHA-512 authentication algorithm

[edit]
user@host# set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
user@host# set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-384
user@host# set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-512

Supported IKE authentication algorithms

sha-256    SHA 256-bit authentication algorithm
sha-384    SHA 384-bit authentication algorithm
sha-512    SHA 512-bit authentication algorithm

[edit]
user@host# set security ike proposal ipsec-proposal1 authentication-algorithm sha-256
user@host# set security ike proposal ipsec-proposal1 authentication-algorithm sha-384
user@host# set security ike proposal ipsec-proposal1 authentication-algorithm sha-512

Supported authentication methods

certificates              Allows ECDSA, RSA and DSA certificates; requires IKEv2
ecdsa-signatures-256      ECDSA signatures with the P-256 curve
ecdsa-signatures-384      ECDSA signatures with the P-384 curve
ecdsa-signatures-521      ECDSA signatures with the P-521 curve
pre-shared-keys           Preshared keys
rsa-signatures            RSA signatures

[edit]
user@host# set security ike proposal ipsec-proposal1 authentication-method certificates
user@host# set security ike proposal ipsec-proposal1 authentication-method ecdsa-signatures-256
user@host# set security ike proposal ipsec-proposal1 authentication-method ecdsa-signatures-384
user@host# set security ike proposal ipsec-proposal1 authentication-method ecdsa-signatures-521
user@host# set security ike proposal ipsec-proposal1 authentication-method pre-shared-keys
user@host# set security ike proposal ipsec-proposal1 authentication-method rsa-signatures
Configure VPN on a Device Running Junos OS

IN THIS SECTION: Configuring an IPsec VPN with a Preshared Key for IKE Authentication | Configuring an IPsec VPN with an RSA Signature for IKE Authentication | Configuring an IPsec VPN with an ECDSA Signature for IKE Authentication

This section describes sample configurations of an IPsec VPN on a Junos OS device using the following IKE authentication methods:
· "Configuring an IPsec VPN with a Preshared Key for IKE Authentication"
· "Configuring an IPsec VPN with an RSA Signature for IKE Authentication"
· "Configuring an IPsec VPN with an ECDSA Signature for IKE Authentication"

Figure 1 illustrates the VPN topology used in all the examples described in this section. Here, H0 and H1 are the hosts, and R0 and R1 are the two endpoints of the IPsec VPN tunnel.

Figure 1: VPN Topology

Table 4 provides a complete list of the supported IKE protocols, tunnel modes, Phase 1 negotiation mode, authentication methods and algorithms, encryption algorithms, and DH groups supported for IKE authentication and encryption (Phase 1, IKE proposal) and for IPsec authentication and encryption (Phase 2, IPsec proposal). The listed protocols, modes, and algorithms are supported and required for 21.2R2 Common Criteria.

Table 4: VPN Combination Matrix

Phase 1 proposal (P1, IKE):
  IKE protocol: IKEv1, IKEv2
  Tunnel mode: Route
  Phase 1 negotiation mode: Main
  Authentication method: pre-shared-keys, rsa-signatures-2048, ecdsa-signatures-256, ecdsa-signatures-384, ecdsa-signatures-521
  Authentication algorithm: sha-256, sha-384, sha-512
  DH group: group14, group15, group16, group19, group20, group21, group24
  Encryption algorithm: aes-128-cbc, aes-128-gcm, aes-192-cbc, aes-256-cbc, aes-256-gcm

Phase 2 proposal (P2, IPsec):
  IKE protocol: IKEv1, IKEv2
  Tunnel mode: Route
  Phase 1 negotiation mode: Main
  Authentication algorithm: hmac-sha-256-128, hmac-sha-384, hmac-sha-512
  DH group (PFS): group14, group15, group16, group19, group20, group21, group24
  Encryption method: ESP
  Encryption algorithm: aes-128-cbc, aes-128-gcm, aes-192-cbc, aes-192-gcm, aes-256-cbc, aes-256-gcm

NOTE: The following sections provide sample IKEv1 IPsec VPN configurations for selected algorithms. The authentication and encryption algorithms can be replaced in the configurations to produce the desired combination. For an IKEv2 IPsec VPN, add the set security ike gateway gw-name version v2-only statement.

Configuring an IPsec VPN with a Preshared Key for IKE Authentication

In this section, you configure devices running Junos OS for an IPsec VPN using a preshared key as the IKE authentication method. The algorithms used for IKE and IPsec authentication and encryption are shown in Table 5.

Table 5: IKE or IPsec Authentication Example

Phase 1 proposal (P1, IKE):
  IKE protocol: IKEv1
  Tunnel mode: Route
  Phase 1 negotiation mode: Main
  Authentication method: pre-shared-keys
  Authentication algorithm: sha-256
  DH group: group14
  Encryption algorithm: aes-256-cbc

Phase 2 proposal (P2, IPsec):
  IKE protocol: IKEv1
  Tunnel mode: Route
  Phase 1 negotiation mode: Main
  Authentication algorithm: hmac-sha-256-128
  DH group (PFS): group14
  Encryption method: ESP
  Encryption algorithm: aes-256-cbc

NOTE: A device running Junos OS uses certificate-based authentication or preshared keys for IPsec. The TOE accepts ASCII or bit-based preshared keys up to 255 characters (and their binary equivalents) that contain uppercase and lowercase letters, numbers, and special characters such as !, @, #, $, %, ^, &, *, (, and ). The device accepts the preshared text key and converts the text string into an authentication value as per RFC 2409 for IKEv1 or RFC 4306 (superseded by RFC 7296) for IKEv2, using the PRF that is configured as the hash algorithm for the IKE exchanges. Junos OS does not impose minimum complexity requirements on preshared keys, so administrators are advised to choose long preshared keys of sufficient complexity; the key is the only secret protecting the IKE authentication, and a short or guessable value can be attacked offline by anyone who captures the exchange.

Configuring IPsec VPN with Preshared Key as IKE Authentication on the Initiator

1. Configure the IKE proposal:

[edit]
user@host# set security ike proposal ike-proposal1 authentication-method pre-shared-keys
user@host# set security ike proposal ike-proposal1 dh-group group14
user@host# set security ike proposal ike-proposal1 authentication-algorithm sha-256
user@host# set security ike proposal ike-proposal1 encryption-algorithm aes-256-cbc

NOTE: Here, ike-proposal1 is the IKE proposal name given by the authorized administrator.

2. Configure the IKE policy:

[edit]
user@host# set security ike policy ike-policy1 mode main
user@host# set security ike policy ike-policy1 proposals ike-proposal1

NOTE: Here, ike-policy1 is the IKE policy name and ike-proposal1 is the IKE proposal name given by the authorized administrator.

user@host# prompt security ike policy ike-policy1 pre-shared-key ascii-text
New ascii-text (secret):
Retype new ascii-text (secret):

NOTE: You must enter and reenter the preshared key when prompted. For example, the preshared key can be Modvpn@jnpr1234.

NOTE: The preshared key can alternatively be entered in hexadecimal format. For example:
[edit]
root@host# prompt security ike policy ike-policy1 pre-shared-key hexadecimal
New hexadecimal (secret):
Retype new hexadecimal (secret):
Enter the hexadecimal preshared key value.

3. Configure the IPsec proposal:

[edit]
user@host# set security ipsec proposal ipsec-proposal1 protocol esp
user@host# set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-256-cbc

NOTE: Here, ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.

4. Configure the IPsec policy:

[edit]
user@host# set security ipsec policy ipsec-policy1 perfect-forward-secrecy keys group14
user@host# set security ipsec policy ipsec-policy1 proposals ipsec-proposal1

NOTE: Here, ipsec-policy1 is the IPsec policy name and ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.

5. Configure the IKE gateway:

[edit]
user@host# set security ike gateway gw1 ike-policy ike-policy1
user@host# set security ike gateway gw1 address 20.1.1.2
user@host# set security ike gateway gw1 local-identity inet 20.1.1.1
user@host# set security ike gateway gw1 external-interface xe-0/0/2
user@host# set security ike gateway gw1 version v2-only

NOTE: Here, gw1 is the IKE gateway name, 20.1.1.2 is the peer VPN endpoint IP, 20.1.1.1 is the local VPN endpoint IP, and xe-0/0/2 is the local outbound interface used as the VPN endpoint. The version v2-only statement is the additional configuration needed for IKEv2.

6. Configure the VPN:

[edit]
user@host# set security ipsec vpn vpn1 ike gateway gw1
user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
user@host# set security ipsec vpn vpn1 bind-interface st0.0
user@host# set security ipsec vpn vpn1 establish-tunnels immediately

NOTE: Here, vpn1 is the VPN tunnel name given by the authorized administrator.

7. Configure the service set:

[edit]
user@host# set services service-set IPSEC_SS_SPC3 next-hop-service inside-service-interface vms-5/0/0.1
user@host# set services service-set IPSEC_SS_SPC3 next-hop-service outside-service-interface vms-5/0/0.2
user@host# set services service-set IPSEC_SS_SPC3 ipsec-vpn vpn1

8. Configure the interfaces and routing options:

[edit]
user@host# set interfaces xe-0/0/2 unit 0 family inet address 20.1.1.1/24
user@host# set interfaces vms-5/0/0 unit 0 family inet
user@host# set interfaces vms-5/0/0 unit 1 family inet
user@host# set interfaces vms-5/0/0 unit 1 family inet6
user@host# set interfaces vms-5/0/0 unit 1 service-domain inside
user@host# set interfaces vms-5/0/0 unit 2 family inet
user@host# set interfaces vms-5/0/0 unit 2 family inet6
user@host# set interfaces vms-5/0/0 unit 2 service-domain outside
user@host# set interfaces st0 unit 1 family inet
user@host# set interfaces st0 unit 1 family inet6
user@host# set interfaces st0 unit 2 family inet
user@host# set interfaces st0 unit 2 family inet6
user@host# set routing-options static route 30.1.1.0/24 next-hop st0.0
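The algorithm lists in "Supported IPsec-IKE Algorithms", the Table 4 matrix, the preshared-key note (Junos imposes no minimum complexity) and the initiator procedure above can all be enforced before commit by checking the set-format configuration. The script below is an added example, not code from the Juniper guide, and applies to the responder procedure that follows as well: it reads set commands, verifies every IKE and IPsec proposal and every PFS group against the evaluated algorithm set, and scores a preshared key. The allowed sets are transcribed from Table 4 and the algorithm lists; the sample configuration is constructed from the initiator steps; the key-length and character-class thresholds are this example's own assumptions.

```python
"""Check Junos set-format IKE/IPsec configuration against the evaluated algorithm matrix.

Added example, not code from the Juniper guide. ALLOWED is transcribed from
Table 4 and the "Supported IPsec-IKE Algorithms" lists; the sample configuration
is constructed from the initiator steps; PSK thresholds are assumptions (Junos
imposes no minimum complexity on preshared keys).
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

ALLOWED = {
    "ike": {
        "authentication-method": {"pre-shared-keys", "rsa-signatures", "certificates",
                                  "ecdsa-signatures-256", "ecdsa-signatures-384", "ecdsa-signatures-521"},
        "authentication-algorithm": {"sha-256", "sha-384", "sha-512"},
        "dh-group": {"group14", "group15", "group16", "group19", "group20", "group21", "group24"},
        "encryption-algorithm": {"aes-128-cbc", "aes-128-gcm", "aes-192-cbc", "aes-256-cbc", "aes-256-gcm"},
    },
    "ipsec": {
        "protocol": {"esp"},
        "authentication-algorithm": {"hmac-sha-256-128", "hmac-sha-384", "hmac-sha-512"},
        "encryption-algorithm": {"aes-128-cbc", "aes-128-gcm", "aes-192-cbc", "aes-192-gcm",
                                 "aes-256-cbc", "aes-256-gcm"},
    },
}
REQUIRED = {"ike": ("authentication-method", "authentication-algorithm", "dh-group", "encryption-algorithm"),
            "ipsec": ("protocol", "encryption-algorithm")}
PROPOSAL_RE = re.compile(r"^set security (ike|ipsec) proposal (\S+) (\S+) (\S+)$")
PFS_RE = re.compile(r"^set security ipsec policy (\S+) perfect-forward-secrecy keys (\S+)$")


def check_config(config_text: str) -> List[str]:
    """Return one finding per deviation from the evaluated set; an empty list means it conforms."""
    proposals: Dict[Tuple[str, str], Dict[str, str]] = defaultdict(dict)
    findings: List[str] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = PROPOSAL_RE.match(line)
        if m:
            kind, name, key, value = m.groups()
            proposals[(kind, name)][key] = value
            allowed = ALLOWED[kind].get(key)      # statements not in the matrix (description, ...) pass
            if allowed is not None and value not in allowed:
                findings.append(f"{kind} proposal {name}: {key} {value} is not in the evaluated set")
            continue
        m = PFS_RE.match(line)
        if m and m.group(2) not in ALLOWED["ike"]["dh-group"]:
            findings.append(f"ipsec policy {m.group(1)}: PFS group {m.group(2)} is not in the evaluated set")
    for (kind, name), kv in proposals.items():
        missing = [k for k in REQUIRED[kind] if k not in kv]
        # AES-GCM is an AEAD cipher: an IPsec proposal using it carries no separate authentication-algorithm.
        if (kind == "ipsec" and "authentication-algorithm" not in kv
                and not kv.get("encryption-algorithm", "").endswith("-gcm")):
            missing.append("authentication-algorithm")
        findings.extend(f"{kind} proposal {name}: missing {k}" for k in missing)
    return findings


def psk_findings(psk: str, min_len: int = 16, min_classes: int = 3) -> List[str]:
    """Flag a weak preshared key. The thresholds are this example's assumptions, not Junos rules."""
    classes = sum(bool(re.search(p, psk)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    out: List[str] = []
    if len(psk) < min_len:
        out.append(f"preshared key is {len(psk)} characters; at least {min_len} recommended")
    if classes < min_classes:
        out.append(f"preshared key uses {classes} character classes; at least {min_classes} recommended")
    return out


# Constructed from the initiator steps above (proposal and policy statements only).
SAMPLE_CONFIG = """
set security ike proposal ike-proposal1 authentication-method pre-shared-keys
set security ike proposal ike-proposal1 dh-group group14
set security ike proposal ike-proposal1 authentication-algorithm sha-256
set security ike proposal ike-proposal1 encryption-algorithm aes-256-cbc
set security ike policy ike-policy1 mode main
set security ike policy ike-policy1 proposals ike-proposal1
set security ipsec proposal ipsec-proposal1 protocol esp
set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-policy1 perfect-forward-secrecy keys group14
set security ipsec policy ipsec-policy1 proposals ipsec-proposal1
"""
# Constructed: a legacy proposal with values outside the evaluated set.
WEAK_CONFIG = SAMPLE_CONFIG + """
set security ike proposal legacy authentication-method pre-shared-keys
set security ike proposal legacy dh-group group2
set security ike proposal legacy authentication-algorithm sha1
set security ike proposal legacy encryption-algorithm 3des-cbc
"""

if __name__ == "__main__":
    for finding in check_config(WEAK_CONFIG) + psk_findings("Modvpn@jnpr1234"):
        print(finding)
```

Run it against show configuration | display set output before committing; the guide's own example key Modvpn@jnpr1234 is reported as short under the assumed 16-character threshold, which is exactly the point of the note that Junos enforces no minimum.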
Configuring IPsec VPN with Preshared Key as IKE Authentication on the Responder 1. Configure the IKE proposal:
[edit] user@host# set security ike proposal ike-proposal1 authentication- method pre-shared-keys user@host# set security ike proposal ike-proposal1 dh- group group14 user@host# set security ike proposal ike-proposal1 authentication-algorithm sha256 user@host# set security ike proposal ike- proposal1 encryption-algorithm aes-128-cbc
NOTE: Here, ike-proposal1 is the IKE proposal name given by the authorized administrator.
2. Configure the IKE policy:
[edit] user@host# set security ike policy ike-policy1 mode main user@host# set security ike policy ike-policy1 proposals ike-proposal1
NOTE: Here, ike-policy1 is the IKE policy name and ike-proposal1 is the IKE proposal name given by the authorized administrator.
user@host# prompt security ike policy ike-policy1 pre-shared-key ascii-text
New ascii-text (secret):
Retype new ascii-text (secret):
NOTE: You must enter and reenter the preshared key when prompted. For example, the preshared key can be Modvpn@jnpr1234. Use a key of your own on a real device: this example value is published and must not be deployed.

NOTE: The preshared key can alternatively be entered in hexadecimal format. For example:
user@host# prompt security ike policy ike-policy1 pre-shared-key hexadecimal
New hexadecimal (secret):
Retype new hexadecimal (secret):
Here, the hexadecimal preshared key can be cc2014bae9876543.
3. Configure the IPsec proposal:
[edit]
user@host# set security ipsec proposal ipsec-proposal1 protocol esp
user@host# set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-128-cbc
NOTE: Here, ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.
4. Configure the IPsec policy:
[edit]
user@host# set security ipsec policy ipsec-policy1 perfect-forward-secrecy keys group14
user@host# set security ipsec policy ipsec-policy1 proposals ipsec-proposal1
NOTE: Here, ipsec-policy1 is the IPsec policy name and ipsec-proposal1 is the IPsec proposal name given by the authorized administrator.
5. Configure the IKE gateway:
[edit]
user@host# set security ike gateway gw1 ike-policy ike-policy1
user@host# set security ike gateway gw1 address 20.1.1.1
user@host# set security ike gateway gw1 local-identity inet 20.1.1.2
user@host# set security ike gateway gw1 external-interface xe-0/0/3
user@host# set security ike gateway gw1 version v2-only
NOTE: Here, gw1 is the IKE gateway name, 20.1.1.1 is the peer VPN endpoint IP, 20.1.1.2 is the local VPN endpoint IP, and xe-0/0/3 is the local outbound interface used as the VPN endpoint. The version v2-only statement is the additional configuration needed when the tunnel uses IKEv2; the peer must then be configured for IKEv2 as well.
6. Configure the VPN:
[edit]
user@host# set security ipsec vpn vpn1 ike gateway gw1
user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
user@host# set security ipsec vpn vpn1 bind-interface st0.0
user@host# set security ipsec vpn vpn1 establish-tunnels immediately
NOTE: Here, vpn1 is the VPN tunnel name given by the authorized administrator. The st0 unit bound here must also be configured under [edit interfaces st0] with the address families the tunnel carries, and the static route in step 8 must point at that same unit.
7. Configure service-set:
[edit]
user@host# set services service-set IPSEC_SS_SPC3 next-hop-service inside-service-interface vms-4/0/0.1
user@host# set services service-set IPSEC_SS_SPC3 next-hop-service outside-service-interface vms-4/0/0.2
user@host# set services service-set IPSEC_SS_SPC3 ipsec-vpn vpn1
8. Configure interfaces and routing-option:
[edit]
user@host# set interfaces xe-0/0/3 unit 0 family inet address 20.1.1.2/24
user@host# set interfaces vms-4/0/0 unit 0 family inet
user@host# set interfaces vms-4/0/0 unit 1 family inet
user@host# set interfaces vms-4/0/0 unit 1 family inet6
user@host# set interfaces vms-4/0/0 unit 1 service-domain inside
user@host# set interfaces vms-4/0/0 unit 2 family inet
user@host# set interfaces vms-4/0/0 unit 2 family inet6
user@host# set interfaces vms-4/0/0 unit 2 service-domain outside
user@host# set interfaces st0 unit 1 family inet
user@host# set interfaces st0 unit 1 family inet6
user@host# set interfaces st0 unit 2 family inet
user@host# set interfaces st0 unit 2 family inet6
user@host# set routing-options static route 10.1.1.0/24 next-hop st0.0

Configuring an IPsec VPN with an RSA Signature for IKE Authentication

In this section, you configure devices running Junos OS for IPsec VPN using an RSA signature as the IKE authentication method. The algorithms used for IKE and IPsec authentication and encryption are shown in Table 6 on page 98.
Table 6: IKE/IPsec Authentication and Encryption Example

Phase 1 Proposal (P1, IKE)

  IKE Protocol               IKEv1
  Tunnel Mode                Route
  Phase 1 Negotiation Mode   Main
  Authentication Method      rsa-signatures-2048
  Authentication Algorithm   sha-256
  DH Group                   group19
  Encryption Algorithm       aes-128-cbc

Phase 2 Proposal (P2, IPsec)

  IKE Protocol               IKEv1
  Tunnel Mode                Route
  Phase 1 Negotiation Mode   Main
  Authentication Algorithm   hmac-sha-256-128
  DH Group (PFS)             group19
  Encryption Method          ESP
  Encryption Algorithm       aes-128-cbc

Configuring IPsec VPN with RSA Signature as IKE Authentication on the Initiator

1. Configure the PKI. See Example: Configuring PKI.
2. Generate the RSA key pair. See Example: Generating a Public-Private Key Pair.
3. Generate and load the CA certificate. See Example: Loading CA and Local Certificates Manually.
4. Load the CRL. See Example: Manually Loading a CRL onto the Device.
5. Generate and load a local certificate. See Example: Loading CA and Local Certificates Manually.
6. Configure the IKE proposal:
[edit]
user@host# set security ike proposal ike-proposal1 authentication-method rsa-signatures
user@host# set security ike proposal ike-proposal1 dh-group group19
user@host# set security ike proposal ike-proposal1 authentication-algorithm sha-256
user@host# set security ike proposal ike-proposal1 encryption-algorithm aes-128-cbc
NOTE: Here, ike-proposal1 is the name given by the authorized administrator.
7. Configure the IKE policy:
[edit]
user@host# set security ike policy ike-policy1 mode main
user@host# set security ike policy ike-policy1 proposals ike-proposal1
user@host# set security ike policy ike-policy1 certificate local-certificate cert1
NOTE: Here, ike-policy1 is the IKE policy name and cert1 is the local certificate identifier given by the authorized administrator.
8. Configure the IPsec proposal:
[edit]
user@host# set security ipsec proposal ipsec-proposal1 protocol esp
user@host# set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
user@host# set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-128-cbc
NOTE: Here, ipsec-proposal1 is the name given by the authorized administrator.

9. Configure the IPsec policy:
[edit]
user@host# set security ipsec policy ipsec-policy1 perfect-forward-secrecy keys group19
user@host# set security ipsec policy ipsec-policy1 proposals ipsec-proposal1
NOTE: Here, ipsec-policy1 is the name given by the authorized administrator.
10. Configure the IKE:
[edit]
user@host# set security ike gateway gw1 ike-policy ike-policy1
user@host# set security ike gateway gw1 address 20.1.1.2
user@host# set security ike gateway gw1 local-identity inet 20.1.1.1
user@host# set security ike gateway gw1 external-interface xe-0/0/3
user@host# set security ike gateway gw1 version v2-only
NOTE: Here, gw1 is the IKE gateway name, 20.1.1.2 is the peer VPN endpoint IP, 20.1.1.1 is the local VPN endpoint IP, and xe-0/0/3 is the local outbound interface used as the VPN endpoint. The version v2-only statement is the additional configuration needed when the tunnel uses IKEv2.
11. Configure VPN:
[edit]
user@host# set security ipsec vpn vpn1 ike gateway gw1
user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
user@host# set security i
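Both procedures on this page (the preshared-key responder and the RSA-signature initiator) configure one end of a tunnel whose proposals, PFS group, IKE version and endpoint addresses must agree with the peer; a mismatch on any of them is a silent negotiation failure rather than a commit error. The following Python script is an added example, not Juniper code and not part of this guide. It assumes the configuration is available as Junos-style "set ..." statements (the form `show configuration | display set` produces), and its ALLOWED table is an assumption modelled on the algorithms used in these examples. The responder text is constructed from the responder steps above; the initiator is built as its mirror image.

```python
"""Cross-check an IKE/IPsec initiator against its responder (added example, not Juniper code).

Junos-style 'set ...' lines become a path -> value map; both peers must agree on every
phase-1/phase-2 parameter, gateway addresses must cross-match and sit on the named external
interface, and every algorithm must be on ALLOWED (an assumption modelled on this page).
"""
ALLOWED = {
    "ike authentication-method": {"pre-shared-keys", "rsa-signatures"},
    "ike authentication-algorithm": {"sha-256", "sha-384"},
    "ike encryption-algorithm": {"aes-128-cbc", "aes-256-cbc"},
    "ike dh-group": {"group14", "group19", "group20"},
    "ipsec protocol": {"esp"},
    "ipsec authentication-algorithm": {"hmac-sha-256-128"},
    "ipsec encryption-algorithm": {"aes-128-cbc", "aes-256-cbc"},
    "ipsec pfs": {"group14", "group19", "group20"},
}

def parse_set_config(text):
    """Map 'set a b c value' to {'a b c': 'value'}; a bare flag keeps its last token."""
    cfg = {}
    for line in text.splitlines():
        words = line.split()
        if len(words) > 2 and words[0] == "set":
            cfg[" ".join(words[1:-1])] = words[-1]
    return cfg

def ike_params(cfg, gw):
    """Walk gateway -> policy -> proposal and collect the phase-1 parameters."""
    policy = cfg[f"security ike gateway {gw} ike-policy"]
    prop = "security ike proposal " + cfg[f"security ike policy {policy} proposals"]
    keys = ("authentication-method", "authentication-algorithm", "encryption-algorithm", "dh-group")
    out = {f"ike {k}": cfg.get(f"{prop} {k}") for k in keys}
    out["ike version"] = cfg.get(f"security ike gateway {gw} version")  # v2-only must match too
    return out

def ipsec_params(cfg, vpn):
    """Walk vpn -> policy -> proposal and collect the phase-2 parameters."""
    policy = cfg[f"security ipsec vpn {vpn} ike ipsec-policy"]
    prop = "security ipsec proposal " + cfg[f"security ipsec policy {policy} proposals"]
    out = {f"ipsec {k}": cfg.get(f"{prop} {k}")
           for k in ("protocol", "authentication-algorithm", "encryption-algorithm")}
    out["ipsec pfs"] = cfg.get(f"security ipsec policy {policy} perfect-forward-secrecy keys")
    return out

def endpoint(cfg, gw):
    """Return (peer address, local-identity, address configured on the external interface)."""
    name, _, unit = cfg[f"security ike gateway {gw} external-interface"].partition(".")
    addr = cfg.get(f"interfaces {name} unit {unit or '0'} family inet address", "")
    return (cfg[f"security ike gateway {gw} address"],
            cfg[f"security ike gateway {gw} local-identity inet"], addr.split("/")[0])

def check_pair(initiator, responder, gw="gw1", vpn="vpn1"):
    """Return a list of findings; an empty list means the two sides are consistent."""
    findings, params = [], {}
    sides = {"initiator": parse_set_config(initiator), "responder": parse_set_config(responder)}
    for side, cfg in sides.items():
        params[side] = {**ike_params(cfg, gw), **ipsec_params(cfg, vpn)}
        for key, value in params[side].items():
            if value is None and key != "ike version":
                findings.append(f"{side}: {key} is not configured")
            elif key in ALLOWED and value not in ALLOWED[key]:
                findings.append(f"{side}: {key} {value!r} is not on the allow-list")
    for key, a in params["initiator"].items():  # both sides must offer the same parameters
        b = params["responder"][key]
        if a != b:
            findings.append(f"{key} differs: initiator {a!r}, responder {b!r}")
    i_peer, i_local, i_addr = endpoint(sides["initiator"], gw)
    r_peer, r_local, r_addr = endpoint(sides["responder"], gw)
    if (i_peer, r_peer) != (r_local, i_local):
        findings.append("gateway address and peer local-identity do not cross-match")
    for side, local, addr in (("initiator", i_local, i_addr), ("responder", r_local, r_addr)):
        if local != addr:
            findings.append(f"{side}: local-identity {local} is not the external-interface address")
    return findings

# Constructed from the responder configuration in this section; the initiator is its
# mirror image with the two endpoint addresses and the external interfaces swapped.
RESPONDER = """
set security ike proposal ike-proposal1 authentication-method pre-shared-keys
set security ike proposal ike-proposal1 dh-group group14
set security ike proposal ike-proposal1 authentication-algorithm sha-256
set security ike proposal ike-proposal1 encryption-algorithm aes-128-cbc
set security ike policy ike-policy1 proposals ike-proposal1
set security ipsec proposal ipsec-proposal1 protocol esp
set security ipsec proposal ipsec-proposal1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-proposal1 encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-policy1 perfect-forward-secrecy keys group14
set security ipsec policy ipsec-policy1 proposals ipsec-proposal1
set security ike gateway gw1 ike-policy ike-policy1
set security ike gateway gw1 address 20.1.1.1
set security ike gateway gw1 local-identity inet 20.1.1.2
set security ike gateway gw1 external-interface xe-0/0/3
set security ike gateway gw1 version v2-only
set security ipsec vpn vpn1 ike gateway gw1
set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
set interfaces xe-0/0/3 unit 0 family inet address 20.1.1.2/24
"""
def mirror(config):
    """Build the peer's configuration by swapping the endpoint addresses and interfaces."""
    return (config.replace("20.1.1.1", "@").replace("20.1.1.2", "20.1.1.1")
            .replace("@", "20.1.1.2").replace("xe-0/0/3", "xe-0/0/2"))
INITIATOR = mirror(RESPONDER)
```

Run `check_pair(INITIATOR, RESPONDER)` against the two exports before committing; an empty list is the expected result for the pair on this page. Changing one side's dh-group, dropping its perfect-forward-secrecy statement, or substituting an algorithm outside the allow-list (for example 3des-cbc in the IPsec proposal) each produces a named finding, which is the point of the check: the CLI accepts all of those and the tunnel simply never comes up.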
