FIPS 140-2 Security Policy, Juniper Networks, Inc. SSG 5 and SSG 20, HW P/N SSG-5 and SSG-20, FW Version ScreenOS 6.3.0r6...
NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
Public Key Definitions ........................16
Matrix Creation of Critical Security Parameter (CSP) versus the Services (Roles & Identity) ..16
Mitigation of Other Attacks Policy ......................19
Definitions List ............................20
Juniper Networks SSG 5 and SSG 20 Security Policy...
The SSG 5 and SSG 20 are high-performance security platforms for small branch and standalone businesses that want to stop internal and external attacks, prevent unauthorized access and achieve regulatory compliance. Both the SSG 5 and SSG 20 deliver 160 Mbps of stateful firewall traffic and 40 Mbps of IPSec VPN traffic.
The module allows concurrent Admin users in either the User or the Read-Only User role. It provides the following services for each role:
Table 2: Roles and services summary (columns: Service, Cryptographic Officer, User, Read-only User; services: Configure, Status, Zeroize, Manage...)
Since a user is locked out after three consecutive login failures, the random success rate per minute is 1/(62 ) + 1/(62 ) + 1/(62 ) = 3/(62 ), which is far less than 1/100,000.
Indicates that the device is operating normally. Blinking: indicates that an error was detected.
The SSG 5 has two LEDs that indicate the status of the optional integrated WAN link:
Table 5: SSG 5 WAN link status LEDs (columns: Type, Name, Color...)
“netscreen”. This user is assigned the Crypto-Officer role. Once the device is operating in FIPS mode, the operator should perform the minimum configuration necessary to establish a management connection via SSH (i.e. configure a network interface and
Loading and authenticating firmware
Prior to placing the device in FIPS mode, the administrator must load the Juniper firmware authentication DSA public key, imagekey.cer, using the save image-key CLI command. When this public key is present on the device, the integrity and authenticity of the firmware are checked at system start and whenever firmware is loaded.
SDRAM read/write check
FLASH test
• Algorithm Self-Tests:
Triple-DES, CBC mode, encrypt/decrypt KAT
SHA-1 KAT
SHA-256 KAT
RSA (encrypt/decrypt and sign/verify) KAT
DSA sign/verify pairwise consistency test
ECDSA sign/verify pairwise consistency test
FIPS Approved Algorithms
The following FIPS approved algorithms are supported by the security appliance:
• DSA, ECDSA sign/verify
• SHA-1, SHA-256
• Triple-DES (CBC)
• AES (CBC)
Delete, and Reset commands. Pressing the hardware reset button or issuing the “unset vendor-def” CLI command zeroizes all CSPs by resetting the device configuration to the factory default values.
Physical Security Policy
Before carrying out any steps to deploy a Juniper Networks security appliance, the end-user must verify the security of the product with the following observations: Confirm that the product received matches the version that is validated as FIPS 140-2 compliant.
Figure 3: Front of the SSG 5 device
Figure 4: Rear of the SSG 5 device
Figure 5: Front of the SSG 20 device
Figure 6: Rear of the SSG 20 device
The front of the SSG 20, across both edges of each of the installed interface cards or slot covers, as shown in figure 5. (4 seals)
• The sides of the SSG 5 and SSG 20, covering both edges of the removable cover, as shown in figure 7. (2 seals)
•...
Cryptographic Algorithm Validation
Cryptographic algorithm validation certificate numbers are listed in the table below:
Table 7: Algorithm Validation Certificates (columns: Algorithm, Certificate Number): TDES 1061 1620 1429 HMAC ECDSA
They also correlate the User roles and the Crypto-Officer roles to the set of services to which they have privileges. The matrices use the following convention:
• G: Generate
• D: Delete
1. The Crypto-Officer is authorized to change all authorized operators' user names and passwords, but a user is only allowed to change his/her own user name and password.
2. The Crypto-Officer is authorized to remove all authorized operators.
RADIUS Secret Key: entered directly at the CLI by the administrator.
Mitigation of Other Attacks Policy
The module is not designed to mitigate attacks that are outside the scope of FIPS 140-2.