
Juniper NS-5400 Security Policy 

• TDES, CBC mode, encrypt/decrypt KAT
• SHA-1 KAT
• RSA (encryption and signature) KAT
• ANSI X9.31 DRNG KAT
• DSA Sign/Verify KAT
• AES, CBC mode, encrypt/decrypt KAT
• HMAC-SHA-1 KAT
• DH key agreement test
• The NetScreen-5400 implements the following conditional tests:
  • DRNG continuous test
  • Hardware RNG continuous test
  • DSA pairwise consistency test
  • RSA pairwise consistency test
  • Bypass test
  • Firmware download DSA signature test (Software Load Test)
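The power-up KATs and the conditional continuous RNG test listed above (and referred to again under Other Parameters) follow a fixed pattern: compare a computation against a known answer, and compare each fresh random block against the one before it. The following is an added illustration written for this page in Python's standard library, not ScreenOS code; the test vectors are the public SHA-1 "abc" digest and RFC 2202 HMAC-SHA-1 test case 1, and `ContinuousTestedRNG` is a hypothetical wrapper name.

```python
"""Power-up KATs and a FIPS 140-2 style continuous RNG test, modelled on the
NetScreen-5400 self-test list. Added illustration; not the module's own code."""
import hashlib
import hmac
import os

# Known-answer vectors: SHA-1("abc") from FIPS 180 and HMAC-SHA-1 test case 1
# from RFC 2202 (key = 20 x 0x0b, data = "Hi There").
SHA1_KAT = (b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d")
HMAC_SHA1_KAT = (b"\x0b" * 20, b"Hi There",
                 "b617318655057264e28bc0b6fb378c8ef146be00")


class SelfTestError(Exception):
    """Raised when a KAT or conditional test fails; a FIPS module stops here."""


def sha1_kat() -> bool:
    msg, expected = SHA1_KAT
    return hmac.compare_digest(hashlib.sha1(msg).hexdigest(), expected)


def hmac_sha1_kat() -> bool:
    key, msg, expected = HMAC_SHA1_KAT
    digest = hmac.new(key, msg, hashlib.sha1).hexdigest()
    return hmac.compare_digest(digest, expected)


def power_up_self_tests() -> bool:
    """Run every KAT in order; the first failure is fatal."""
    for name, test in (("SHA-1 KAT", sha1_kat), ("HMAC-SHA-1 KAT", hmac_sha1_kat)):
        if not test():
            raise SelfTestError(name)
    return True


class ContinuousTestedRNG:
    """Wrap an RNG so that every output block is compared with the previous one.
    Per FIPS 140-2 section 4.9.2 the first block after start-up is retained only
    for comparison and never returned; a repeated block signals a stalled source."""

    def __init__(self, source=os.urandom, block_len: int = 16):
        self._source = source
        self._block_len = block_len
        self._last = source(block_len)  # comparison value only, never output

    def read(self) -> bytes:
        block = self._source(self._block_len)
        if block == self._last:
            raise SelfTestError("continuous RNG test: repeated block")
        self._last = block
        return block
```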

• The internal packaging cannot show damage or evidence of tampering. The plastic bag should not have a large hole, and the label that seals the plastic bag should not be detached or missing. If the bag or the seal is damaged in any way, this may be evidence of tampering.

 

F.  Other Parameters 

Also note that:

• The firmware can be loaded through the Trivial File Transfer Protocol (TFTP), where a firmware load test is performed via a DSA signature.
• Keys are generated using the FIPS-approved ANSI X9.31 pseudo random number generator.
• For every usage of the module's random number generator, a continuous RNG self-test is performed. Note that this is performed on both the FIPS approved RNG and non-FIPS approved RNG.
• The NetScreen-5400 enforces both identity based and role based authentication. Based on their identity, the operator assumes the correct role.
• Operators must be authenticated using user names and passwords. Alternatively, the CO may also be authenticated via digital signature verification during the download of a new firmware image. Authentication will occur locally. As an option, the user can be authenticated via a RADIUS server. The RADIUS server provides an external database for user role administrators. The NetScreen-5400 acts as a RADIUS proxy, forwarding the authentication request to the RADIUS server. The RADIUS server replies with either an accept or
