Juniper Networks SSG 520M and SSG 550M Security Policy
Enabling FIPS mode
The module can be set to FIPS mode only through the CLI. To set the module to FIPS mode, execute
the set FIPS-mode enable command through the CLI. This command will zeroize and reset the
device. When prompted, confirm that the configuration should be saved and the device reset.
Determining the current mode
To check whether the device is in FIPS mode, enter the get system CLI command:
ns-> get system
Product Name: ns5200
Serial Number: 0099122004000991, Control Number: 00000000, Mode: FIPS
Hardware Version: 0110(0)-(12), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 6.3.0r6.0, Type: Firewall+VPN
Base Mac: 0010.db90.f770
File Name: ns5200.6.3.0r6.0, Checksum: 48e3d429
The current mode appears on the second line of the output.
Operating restrictions in FIPS mode
The security appliance automatically imposes the following restrictions when operating in FIPS mode:
- Disables administration via SSL
- Disables the import or export of configuration files
- Disables the SNMP Read-Write community
- Disables the USB and Modem ports
- Forces management via Telnet, HTTP (WebUI) and NetScreen Security Manager (NSM) only through a VPN with 256-bit AES encryption
- Forces SSHv2 management traffic to use Triple-DES encryption. (SSHv1 is disabled.)
- Disables the MD5 and DES algorithms
- Requires HA encryption to use 256-bit AES.
- If a VPN is configured to use Triple-DES encryption, Diffie-Hellman Group 5 is required for key agreement. DH groups 1 and 2 are disabled.
- Prevents the operator from configuring a VPN whose strength is stronger than the security provided by the management connection:
  o For sessions via a directly connected serial cable, no strength restriction is applied.
  o For remote SSH connections (which are protected by Triple-DES encryption), the strength of the management connection is considered to be 112 bits. Therefore, the operator is prevented from configuring a VPN whose encryption algorithm has a strength greater than 112 bits, e.g. 128, 192 or 256 bit AES.
  o For remote telnet, WebUI or NSM connections, no strength restriction is applied, since these connections are already forced to pass through a 256-bit AES VPN.
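As an added example (not part of the Juniper security policy or ScreenOS itself), the following Python script checks "get system" output for the Mode field and encodes the FIPS-mode VPN-strength and DH-group rules listed above, so an operator can pre-check a planned VPN configuration against them; the cipher and management-channel names used as dictionary keys are assumed labels, not ScreenOS keywords.

```python
import re
from typing import Optional

# Constructed sample: the "get system" output shown in the policy above
SAMPLE_GET_SYSTEM = """\
Product Name: ns5200
Serial Number: 0099122004000991, Control Number: 00000000, Mode: FIPS
Hardware Version: 0110(0)-(12), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 6.3.0r6.0, Type: Firewall+VPN
Base Mac: 0010.db90.f770
File Name: ns5200.6.3.0r6.0, Checksum: 48e3d429
"""


def parse_mode(output: str) -> Optional[str]:
    """Return the value of the 'Mode:' field in 'get system' output, or None if absent."""
    m = re.search(r"\bMode:\s*(\S+)", output)
    return m.group(1) if m else None


def is_fips_mode(output: str) -> bool:
    """True only when the device reports Mode: FIPS."""
    return parse_mode(output) == "FIPS"


# Effective strength in bits of the VPN ciphers named in the policy (keys are assumed labels)
VPN_STRENGTH = {"3des": 112, "aes128": 128, "aes192": 192, "aes256": 256}

# Strength the policy assigns to each management channel in FIPS mode;
# None means no strength restriction is applied on that channel.
MGMT_STRENGTH = {"serial": None, "ssh": 112, "telnet": None, "webui": None, "nsm": None}


def vpn_allowed(mgmt_channel: str, vpn_cipher: str) -> bool:
    """FIPS-mode rule: a VPN may not be stronger than the management connection used to configure it."""
    limit = MGMT_STRENGTH[mgmt_channel]
    if limit is None:
        return True
    return VPN_STRENGTH[vpn_cipher] <= limit


def dh_group_allowed(vpn_cipher: str, dh_group: int) -> bool:
    """DH groups 1 and 2 are disabled in FIPS mode; a Triple-DES VPN must use group 5."""
    if dh_group in (1, 2):
        return False
    if vpn_cipher == "3des":
        return dh_group == 5
    return True
```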
Security rules