
Juniper NS-5400 Security Policy 


• Non-FIPS Approved:
  MD5
  DH (key agreement, key establishment methodology provides 80 bits of encryption strength)
  RSA Encrypt/Decrypt (used for key wrapping only, key establishment methodology provides 80 bits of encryption strength)

• The NetScreen-5400 conforms to FCC part 15, class A.

• Upon the failure of any power-up self-test, the module enters and stays in either the Algorithm Error State or a device-specific error state, depending on the self-test failure. The console displays error messages and the status LED flashes red. It is the responsibility of the Crypto-Officer to return the module to Juniper Networks for further analysis.

• Upon the failure of any conditional test, the module enters and stays in a permanent error state, depending on the type of failure: Bypass test failure, DH key agreement test failure, DSA pair-wise test failure, or RSA pair-wise agreement test failure. The console displays error messages and the status LED flashes red. It is the responsibility of the Crypto-Officer to return the module to Juniper Networks for further analysis.

• On power down, previous authentications are erased from memory and must be re-established on power-up.

• Bypass tests are performed at power-up and as a conditional test. The bypass state occurs when the administrator configures the box with a non-VPN policy and traffic matching this policy arrives at the network port. The bypass-enabled status can be found by retrieving the entire policy list. Two internal conditions must hold for bypass to happen: (1) a non-VPN policy matches the traffic, and (2) a routing table entry exists for the traffic that matches this non-VPN policy.

• In FIPS mode, SSH can use only 3DES to encrypt/decrypt commands. Also, if a command received over SSH attempts to set or get the AES manual key, it will fail and a message will be logged.

• A VPN with AES encryption can use either a manual key or IKE.

• HA traffic encryption is 256-bit AES.

• If a VPN uses 3DES encryption, the key exchange protocol IKE is enforced to use group 5 only.

• The SHA-1 algorithm on GigaScreen II has the limitation that it cannot hash more than 8K of data. Other ASIC chips have no such limitation.

• The module is not designed to mitigate attacks that are outside the scope of FIPS 140-2.
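The two bypass conditions listed above, as an added example (not Juniper code; the policy and route records are a constructed, simplified form, not real ScreenOS `get policy` output): an audit that walks the entire policy list to report bypass-capable policies, then checks a given flow against both conditions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    src: str            # source address range (CIDR)
    dst: str            # destination address range (CIDR)
    action: str         # "permit" or "deny"
    vpn: Optional[str]  # VPN name for a tunnel policy, None for a non-VPN policy

@dataclass(frozen=True)
class Route:
    prefix: str         # destination prefix (CIDR) present in the routing table

def is_non_vpn(policy: Policy) -> bool:
    """Condition (1): a permit policy with no VPN forwards matching traffic in the clear."""
    return policy.action == "permit" and policy.vpn is None

def bypass_enabled(policies: List[Policy]) -> List[int]:
    """Retrieve the whole policy list and report every policy that can put the module in bypass state."""
    return [p.pid for p in policies if is_non_vpn(p)]

def has_route(routes: List[Route], dst_ip: str) -> bool:
    """Condition (2): a routing table entry exists for the destination."""
    return any(ip_address(dst_ip) in ip_network(r.prefix) for r in routes)

def first_match(policies: List[Policy], src_zone: str, dst_zone: str,
                src_ip: str, dst_ip: str) -> Optional[Policy]:
    """Ordered lookup: the first policy whose zones and address ranges match wins."""
    for p in policies:
        if ((p.src_zone, p.dst_zone) == (src_zone, dst_zone)
                and ip_address(src_ip) in ip_network(p.src)
                and ip_address(dst_ip) in ip_network(p.dst)):
            return p
    return None

def would_bypass(policies, routes, src_zone, dst_zone, src_ip, dst_ip) -> bool:
    """True only when both conditions hold for this flow: a non-VPN match AND a route."""
    p = first_match(policies, src_zone, dst_zone, src_ip, dst_ip)
    return p is not None and is_non_vpn(p) and has_route(routes, dst_ip)

# Constructed sample configuration (not real device output)
POLICIES = [
    Policy(1, "trust", "untrust", "10.1.0.0/16", "192.168.50.0/24", "permit", "vpn_branch"),
    Policy(2, "trust", "untrust", "10.1.0.0/16", "0.0.0.0/0", "permit", None),  # bypass-capable
    Policy(3, "untrust", "trust", "0.0.0.0/0", "10.1.0.0/16", "deny", None),
]
ROUTES = [Route("192.168.50.0/24"), Route("0.0.0.0/0")]
```

Without the default route in ROUTES, a flow matching policy 2 satisfies condition (1) but not (2), so it is not forwarded in bypass state.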
