Juniper Networks NetScreen-5GT Security Policy
E. Setting FIPS Mode
By default, the module is in non-FIPS mode on the first power-up.
Prior to placing the device in FIPS mode, the administrator must load the Juniper firmware authentication DSA public key, imagekey.cer, using the save image-key CLI command. When this public key is present on the device, the integrity and authenticity of the firmware are checked at system start and whenever firmware is loaded. If the DSA signature appended to the firmware verifies, the device allows it to be loaded.
If the device is not already running a FIPS validated version of the firmware, the administrator
should load it using the save software CLI command. Loading a new version of firmware
completely replaces any existing firmware.
To upgrade a device running a previous version of ScreenOS in FIPS mode to version 5.4, the administrator must disable FIPS mode using the command unset FIPS-mode enable. The module is automatically zeroized when toggling between FIPS and non-FIPS modes of operation, which resets the configuration back to factory default values and restarts the module. After placing the device in non-FIPS mode, the administrator may then load the version 5.4 firmware using the save software CLI command, and re-enable FIPS mode using the set FIPS-mode enable command. It is suggested that the module's configuration be saved prior to switching modes.
To check whether the device is in FIPS mode, enter the get system CLI command:
ns-> get system
Product Name: NS5GT
Serial Number: 0099122004000991, Control Number: 00000000, Mode: FIPS
Hardware Version: 0110(0)-(12), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.4.0r4.0, Type: Firewall+VPN
Base Mac: 0010.db90.f770
File Name: ns5gt.5.4.0r4.0, Checksum: 48e3d429
The current mode appears on the second line of the output.
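The mode check above is something an operator will want to repeat across a fleet from captured console output rather than by eye. The following is an added example, not part of the security policy or of ScreenOS: it parses the `get system` output quoted above (embedded as a constructed sample) into its comma-separated fields and reports any deviation from FIPS mode or from an expected firmware version. The expected version is a parameter the operator supplies from the validation record; its default here is simply the version shown in the sample output, which is an assumption of this example.

```python
"""Audit ScreenOS `get system` output for FIPS mode and firmware version."""

# Constructed sample: the `get system` output quoted in the security policy
# (the serial and control numbers are as printed there, not from a live device).
SAMPLE_OUTPUT = """\
Product Name: NS5GT
Serial Number: 0099122004000991, Control Number: 00000000, Mode: FIPS
Hardware Version: 0110(0)-(12), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.4.0r4.0, Type: Firewall+VPN
Base Mac: 0010.db90.f770
File Name: ns5gt.5.4.0r4.0, Checksum: 48e3d429
"""

# Constructed variant with the Mode field altered; "UNKNOWN" is a placeholder,
# not what a ScreenOS device actually prints in non-FIPS mode.
NON_FIPS_SAMPLE = SAMPLE_OUTPUT.replace("Mode: FIPS", "Mode: UNKNOWN")


def parse_get_system(text):
    """Return a dict of the 'Key: value' fields in `get system` output.

    Each line carries one or more comma-separated fields. Fragments without
    a colon (such as 'VLAN1 IP (0.0.0.0)') carry no key and are skipped.
    """
    fields = {}
    for line in text.splitlines():
        for part in line.split(","):
            part = part.strip()
            if ":" not in part:
                continue
            key, _, value = part.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def check_fips_state(text, expected_version="5.4.0r4.0"):
    """Compare parsed `get system` output with the expected FIPS state.

    Returns a list of findings; an empty list means the device reports
    Mode: FIPS and the expected Software Version. The default
    `expected_version` is an assumption taken from the sample output; the
    operator should pass the version named in the validation record.
    """
    fields = parse_get_system(text)
    findings = []
    mode = fields.get("Mode")
    if mode != "FIPS":
        findings.append(f"Mode is {mode!r}, expected 'FIPS'")
    version = fields.get("Software Version")
    if version != expected_version:
        findings.append(
            f"Software Version is {version!r}, expected {expected_version!r}"
        )
    return findings


if __name__ == "__main__":
    for label, output in (("sample", SAMPLE_OUTPUT), ("altered", NON_FIPS_SAMPLE)):
        problems = check_fips_state(output)
        print(label, "OK" if not problems else "; ".join(problems))
```

Because the parser keys on field names rather than line positions, it still works if a firmware build reorders or adds fields, and the Checksum and File Name fields it captures can be compared against the values recorded when the validated image was loaded.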
1. The module can be set to FIPS mode only through the CLI. To set the module to FIPS mode, execute the set FIPS-mode enable command through the CLI.
The set FIPS-mode enable command performs the following:
· Disables administration via SSL
· Disables loading and output of configuration files from the TFTP server
· Disables the NetScreen-Global PRO reporting agent
· Disables the SNMP Read-Write community
· Disables debug service
· Disables the Modem port
· Enforces management via Telnet, HTTP (WebUI) and NetScreen Security Manager (NSM) only through a VPN with 256-bit AES encryption
· Enforces SSHv2 management traffic to use only Triple-DES. (SSHv1 is disabled.)
· Disables the MD5 and DES algorithms
2. Confirm the save command.
3. Confirm the reset command.
Note the following:
· Configure the HA encryption key before using the HA link.
· Management via Telnet, HTTP (WebUI) and NSM is only allowed through a VPN