Juniper Networks SRX1500, SRX4100, SRX4200 And SRX4600 .


Juniper Networks SRX1500, SRX4100, SRX4200 and SRX4600 Services Gateways

Non-Proprietary FIPS 140-2 Cryptographic Module Security Policy

Version: 1.1
Date: July 30, 2020

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408.745.2000
1.888 JUNIPER
www.juniper.net

Copyright Juniper, 2020. Version 1.1. Juniper Networks Public Material – May be reproduced only in its original entirety (without revision).

Table of Contents

1 Introduction
  1.1 Hardware and Physical Cryptographic Boundary
  1.2 Mode of Operation
  1.3 Zeroization
2 Cryptographic Functionality
  2.1 Approved Algorithms
  2.2 Allowed Algorithms
  2.3 Allowed Protocols
  2.4 Disallowed Algorithms
  2.5 Critical Security Parameters
3 Roles, Authentication and Services
  3.1 Roles and Authentication of Operators to Roles
  3.2 Authentication Methods
  3.3 Services
  3.4 Non-Approved Services
4 Self-tests
5 Physical Security Policy
  5.1 General Tamper Evident Label Placement and Application Instructions
  5.2 SRX1500 (10 seals)
  5.3 SRX4100 & SRX4200 (13 seals)
  5.4 SRX4600 (15 seals)
6 Security Rules and Guidance
7 References and Definitions

List of Tables

Table 1 – Cryptographic Module Configurations
Table 2 – Security Level of Security Requirements
Table 3 – Ports and Interfaces
Table 4 – Data Plane Approved Cryptographic Functions
Table 5 – Control Plane QuickSec Approved Cryptographic Functions
Table 6 – OpenSSL Approved Cryptographic Functions
Table 7 – OpenSSH Approved Cryptographic Functions
Table 8 – LibMD Approved Cryptographic Functions
Table 9 – Kernel Approved Cryptographic Functions
Table 10 – Allowed Cryptographic Functions
Table 11 – Protocols Allowed in FIPS Mode
Table 12 – Critical Security Parameters (CSPs)
Table 13 – Public Keys
Table 14 – Authenticated Services
Table 15 – Unauthenticated traffic
Table 16 – CSP Access Rights within Services
Table 17 – Authenticated Services
Table 18 – Unauthenticated traffic
Table 19 – Physical Security Inspection Guidelines
Table 20 – References
Table 21 – Acronyms and Definitions
Table 22 – Datasheets

List of Figures

Figure 1 - SRX1500
Figure 2 - SRX4100
Figure 3 - SRX4200
Figure 4 - SRX4600
Figure 5 - SRX1500 Front View: TEL 1 - 6
Figure 6 - SRX1500 Top-Front View: TEL 1 & 2
Figure 7 - SRX1500 Rear View: TEL 7 & 8
Figure 8 - SRX1500 Top - Rear View: TEL 7
Figure 9 - SRX1500 Bottom View: TEL 8, 9 & 10
Figure 10 - SRX1500 Right Side View: TEL 9
Figure 11 - SRX1500 Left Side View: TEL 10
Figure 12 - SRX4100 & SRX4200 Top View: TEL 1, 2, 6, 8 & 10
Figure 13 - SRX4100 & SRX4200 Left-Side View: TEL 1
Figure 14 - SRX4100 & SRX4200 Right-Side View: TEL 2
Figure 15 - SRX4100 & SRX4200 Bottom View: TEL 3, 4, 5
Figure 16 - SRX4100 & SRX4200 Front View: TEL 6-11
Figure 17 - SRX4100 & SRX4200 Rear View: TEL 12-13
Figure 18 - SRX4600 Front View: TEL 1 – 8
Figure 19 - SRX4600 Top Front View: TEL 1, 3, 5, 7, 8
Figure 20 - SRX4600 Rear View: TEL 9-15
Figure 21 - SRX4600 Top Rear View: TEL 9 – 10
Figure 22 - SRX4600 Right Side View: TEL 12
Figure 23 - SRX4600 Left Side View: TEL 11
Figure 24 - SRX4600 Bottom View: TEL 2, 4, 11, 12

1 Introduction

The Juniper Networks SRX Series Services Gateways are a series of secure routers that provide essential capabilities to connect, secure, and manage work force locations sized from handfuls to hundreds of users. By consolidating fast, highly available switching, routing, security, and applications capabilities in a single device, enterprises can economically deliver new services, safe connectivity, and a satisfying end user experience. All models run Juniper's JUNOS firmware. The JUNOS firmware is FIPS-compliant when configured in FIPS-MODE, called JUNOS-FIPS-MODE, version 19.2R1. The firmware image is junos-srxentedge-x86-64-19.2R1.8.tgz for the SRX1500, junos-srxmr-x86-64-19.2R1.8.tgz for the SRX4100/4200 and junos-srxhe-x86-64-19.2R1.8.tgz for the SRX4600. The firmware status service identifies itself as "Junos 19.2R1.8".

This Security Policy covers the following models: the SRX1500, SRX4100, SRX4200 and SRX4600. They are meant for mid-size enterprise and data center environments.

The cryptographic modules are defined as multiple-chip standalone modules that execute the JUNOS-FIPS firmware on the Juniper Networks SRX-series models listed in the table below.

Table 1 – Cryptographic Module Configurations

Model | Hardware Versions | Firmware | Distinguishing Features
SRX1500 | SRX1500 SYS-JB-AC, SRX1500 SYS-JB-DC | JUNOS OS 19.2R1 | 12x1GbE ports; 4x1GbE SFP ports; 4x10GbE SFP ports; 2 PIM slots (not used in validation)
SRX4100 | SRX4100 SYS-JB-AC, SRX4100 SYS-JB-DC | JUNOS OS 19.2R1 | 8 x 1GbE/10GbE ports
SRX4200 | SRX4200 SYS-JB-AC, SRX4200 SYS-JB-DC | JUNOS OS 19.2R1 | 8 x 1GbE/10GbE ports
SRX4600 | SRX4600 (AC), SRX4600 (DC) | Junos OS 19.2R1 | 8 x 1GbE/10Gb Ethernet SFP ports, 4 x 40/100Gb Ethernet QSFP21 ports
All | JNPR-FIPS-TAMPER-LBLS | N/A | Tamper-Evident Seals

Each Hardware Version for a model is identical in physical form factor, materials, and assembly methods. The Hardware Version differences for a model are considered non-security relevant. The differences denoted by the various suffixes are described below:

- AC – Alternating current power
- DC – Direct current power
- JB – Junos Base licensing

The module is designed to meet FIPS 140-2 Level 2 overall:

Table 2 – Security Level of Security Requirements

Area | Description | Level
1 | Module Specification | 2
2 | Ports and Interfaces | 2
3 | Roles and Services | 3
4 | Finite State Model | 2
5 | Physical Security | 2
6 | Operational Environment | N/A
7 | Key Management | 2
8 | EMI/EMC | 2
9 | Self-test | 2
10 | Design Assurance | 3
11 | Mitigation of Other Attacks | N/A
  | Overall | 2

The modules have a non-modifiable operational environment as per the FIPS 140-2 definitions. They include a firmware load service to support necessary updates. New firmware versions within the scope of this validation must be validated through the FIPS 140-2 CMVP. Any other firmware loaded into the module is out of the scope of this validation and requires a separate FIPS 140-2 validation.

The modules do not implement any mitigations of other attacks as defined by FIPS 140-2.

1.1 Hardware and Physical Cryptographic Boundary

The physical forms of the modules are depicted in Figures 1-4 below. The cryptographic boundary is defined as the outer edge of the chassis. The modules do not rely on external devices for input and output of critical security parameters (CSPs).

Figure 1 - SRX1500
Figure 2 - SRX4100
Figure 3 - SRX4200
Figure 4 - SRX4600

Table 3 – Ports and Interfaces

Port | Device (# of ports) | Description | Logical Interface Type
Ethernet | SRX1500 (21: 1 Management, 12 10/100/1000 Base-T, 4 SFP, 4 SFP), SRX4100 (9: 1 Management, 8 SFP), SRX4200 (9: 1 Management, 8 SFP), SRX4600 (13: 4 QSFP28, 8 SFP, 1 Management) | LAN Communications | Control in, Data in, Data out, Status out
Serial | SRX1500 (1), SRX4100 (1), SRX4200 (1), SRX4600 (1) | Console serial port | Control in, Status out
Power | SRX1500 (1), SRX4100 (1), SRX4200 (1), SRX4600 (2) | Power connector | Power
Reset | SRX1500 (1), SRX4100 (1), SRX4200 (1), SRX4600 (1) | Reset | Control in
LED | SRX1500 (6), SRX4100 (3), SRX4200 (3), SRX4600 (6) | Status indicator lighting | Status out
ToD | SRX4600 (1) | RJ-45 Time of Day Port | Control in, Status out
BITS | SRX4600 (1) | BITS RJ-45 port | Control in, Status out
GPS | SRX4600 (2: 1 input, 1 output) | 10 MHz clock synchronization | Control in, Status out
PPS | SRX4600 (2: 1 input, 1 output) | 1 pulse per second | Control in, Status out
Offline | SRX4600 (1) | Offline button | Control in
HA | SRX1500 (1), SRX4100 (2), SRX4200 (2), SRX4600 (4) | Cluster Control Ports | Tamper Evident Label – Inaccessible
SSD | SRX4600 (2) | Solid state storage | Tamper Evident Label – Inaccessible
USB | SRX1500 (1), SRX4100 (2), SRX4200 (2), SRX4600 (1) | Firmware load port/Storage device | Tamper Evident Label – Inaccessible

1.2 Mode of Operation

The JUNOS firmware image must be installed on the device. Once the image is installed, the Crypto-Officer (CO) shall follow the instructions in Section 5 to apply the tamper seals to the module. Next, the module is configured in FIPS-MODE, as described below, and rebooted. Once the module is rebooted and the integrity and self-tests have run successfully on initial power-on in FIPS-MODE, the module is operating in the FIPS-Approved mode. The Crypto-Officer (CO) must create a backup image of the firmware to ensure it is also a JUNOS-FIPS-MODE image by issuing the request system snapshot command.

If the module was previously in a non-Approved mode of operation, the Cryptographic Officer must zeroize the CSPs by following the instructions in Section 1.3.

The CO shall enable the module for FIPS mode of operation by performing the following steps.

1. Enable the FIPS mode on the device.

    user@host# set system fips level 2

2. Commit and reboot the device.

    user@host# commit

When AES GCM is configured as the encryption-algorithm for IKE or IPsec, the CO must configure the module to use IKEv2 by running the following commands:

IKE:

    root@host# set security ike proposal <ike-proposal-name> encryption-algorithm aes-256-gcm

IPsec:

    root@host# set security ipsec proposal <ipsec-proposal-name> encryption-algorithm aes-128-gcm
    root@host# set security ike gateway <gateway-name> version v2-only
    root@host# commit

In order to ensure compliance with [IG A.13], the module must be configured to limit the number of blocks encrypted by a specific key bundle with the Triple-DES algorithm to a value less than 2^20. Both IPsec and IKEv2 may utilize Triple-DES encryption. In IPsec, Triple-DES may be used for transfer of data packets, and in IKEv2 Triple-DES may be utilized for re-keying operations that occur when the IPsec protocol reaches a configured limit for the number of packets transmitted.

When Triple-DES is configured as the encryption-algorithm for IPsec, the CO must configure the IPsec proposal lifetime-kilobytes to comply with [IG A.13] using the following command, setting <kilobytes> to a value less than or equal to 8192, which is the maximum amount of kilobytes permitted to be encrypted by a key:

    co@fips-srx:fips# set security ipsec proposal <ipsec-proposal-name> lifetime-kilobytes <kilobytes>
    co@fips-srx:fips# commit

Whenever <kilobytes> of data has been transmitted by the IPsec protocol, a re-key operation is triggered to establish a new key bundle for IPsec. This rekey operation is negotiated by the IKE protocol. If the IKE protocol is configured to use Triple-DES, it must also be configured to limit the number of blocks to a value less than 2^20. Because the maximum lifetime of an IKE key is 24 hours, the IPsec limit needs to be set to ensure that the number of rekey operations in a 24-hour period won't cause the IKE protocol to encrypt more than 2^20 blocks. To reduce the number of rekey operations requested by the IPsec protocol, it is necessary to increase the number of blocks transmitted by the IPsec protocol. Therefore, when Triple-DES is the encryption-algorithm for IKE, the lifetime-kilobytes for the associated IPsec proposal in the above command must be greater than or equal to 6913080.

Because the lifetime-kilobytes cannot be set to a value that is less than 8192 and greater than 6913080, Triple-DES encryption may not be used for IKE and IPsec simultaneously. For example, if IKE is configured to use Triple-DES, IPsec would be configured to use AES.
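An added example, not part of Juniper's policy: a small Python audit that reads Junos set lines and checks the three rules above (AES-GCM requires v2-only IKE gateways, the 8192 KB Triple-DES ceiling for IPsec, and the 6913080 KB floor when IKE uses Triple-DES). The 3des-cbc keyword, the sample configurations and the device-wide (rather than per-VPN) matching of proposals are assumptions of the example.

```python
import re

TDES = "3des-cbc"  # Junos keyword for Triple-DES CBC (assumed; not shown in the policy)
# IG A.13 limit of 2^20 Triple-DES blocks per key bundle; one block is 8 bytes.
TDES_IPSEC_MAX_KB = (2**20 * 8) // 1024  # 8192, the policy's ceiling for IPsec
TDES_IKE_MIN_IPSEC_KB = 6913080          # the policy's floor when IKE uses Triple-DES

# Matches e.g. "co@fips-srx:fips# set security ipsec proposal p1 lifetime-kilobytes 8192"
SET_RE = re.compile(
    r"\bset security (ike|ipsec) (proposal|gateway) (\S+) (\S+)(?: (\S.*))?$"
)

def parse(config_text):
    """Collect {(family, kind, name): {attribute: value}} from 'set' lines."""
    objects = {}
    for line in config_text.splitlines():
        m = SET_RE.search(line.strip())
        if m:
            family, kind, name, attr, value = m.groups()
            objects.setdefault((family, kind, name), {})[attr] = value
    return objects

def _pick(objects, family, kind):
    return {n: a for (f, k, n), a in sorted(objects.items()) if (f, k) == (family, kind)}

def audit(config_text):
    """Return a list of findings; an empty list means the checked rules hold."""
    objs = parse(config_text)
    ike, ipsec = _pick(objs, "ike", "proposal"), _pick(objs, "ipsec", "proposal")
    gateways = _pick(objs, "ike", "gateway")
    enc = lambda attrs: attrs.get("encryption-algorithm") or ""
    findings = []

    ike_tdes = any(enc(a) == TDES for a in ike.values())
    for name, attrs in ipsec.items():
        raw = attrs.get("lifetime-kilobytes") or ""
        kb = int(raw) if raw.isdigit() else None  # None: not explicitly configured
        if enc(attrs) == TDES:
            if ike_tdes:
                findings.append(f"ipsec proposal {name}: Triple-DES used for IKE and IPsec together")
            if kb is None or kb > TDES_IPSEC_MAX_KB:
                findings.append(f"ipsec proposal {name}: lifetime-kilobytes {kb} exceeds {TDES_IPSEC_MAX_KB}")
        elif ike_tdes and (kb is None or kb < TDES_IKE_MIN_IPSEC_KB):
            findings.append(f"ipsec proposal {name}: lifetime-kilobytes {kb} below {TDES_IKE_MIN_IPSEC_KB}")

    uses_gcm = any(enc(a).endswith("-gcm") for a in [*ike.values(), *ipsec.values()])
    if uses_gcm:
        for name, attrs in gateways.items():
            if attrs.get("version") != "v2-only":
                findings.append(f"ike gateway {name}: AES-GCM configured but version is not v2-only")
    return findings

# Constructed sample configurations (not taken from a real device).
BAD_CONFIG = """\
set security ike proposal ike-p1 encryption-algorithm 3des-cbc
set security ike gateway gw1 ike-policy pol1
set security ipsec proposal esp-p1 encryption-algorithm 3des-cbc
set security ipsec proposal esp-p1 lifetime-kilobytes 102400
set security ipsec proposal esp-p2 encryption-algorithm aes-128-gcm
set security ipsec proposal esp-p2 lifetime-kilobytes 8192
"""
GOOD_CONFIG = """\
set security ike proposal ike-p1 encryption-algorithm aes-256-gcm
set security ike gateway gw1 version v2-only
set security ipsec proposal esp-p1 encryption-algorithm 3des-cbc
set security ipsec proposal esp-p1 lifetime-kilobytes 8192
"""

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

A missing lifetime-kilobytes is reported as a finding because the audit only trusts values that are set explicitly.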

The show version command will display the version of the Junos OS on the device so that the CO can confirm it is the FIPS validated version. The CO should also verify the presence of the suffix string ":fips" in the CLI prompt, indicating the module is operating in FIPS mode.

The show configuration security ike and show configuration security ipsec commands display the approved and configured IKE/IPsec configuration for the device operating in FIPS-approved mode.

1.3 Zeroization

The cryptographic module provides a non-Approved mode of operation in which non-approved cryptographic algorithms are supported. When transitioning between the non-Approved mode of operation and the Approved mode of operation, the Cryptographic Officer must run the following command to zeroize the Approved mode CSPs:

    user@host> request system zeroize hypervisor

This command wipes clean all the CSPs/configs as well as the disk. After zeroization, the device will have to be reimaged to bring it back into FIPS mode, as all the disk partitions are securely erased. The CO must follow the instructions in Section 1.2, including installing the FIPS validated image on the device and new tamper evident labels after reimaging.

Use of the zeroize command is restricted to the Cryptographic Officer. The Cryptographic Officer shall perform zeroization in the following situations:

1. Before FIPS Operation: To prepare the device for operation as a FIPS cryptographic module by erasing all CSPs and other user-created data on a device before its operation as a FIPS cryptographic module.
2. Before non-FIPS Operation: To conduct erasure of all CSPs and other user-created data on a device in preparation for repurposing the device for non-FIPS operation.

Note: The Cryptographic Officer must retain control of the module while zeroization is in process.

2 Cryptographic Functionality

The module implements the FIPS Approved and Non-Approved but Allowed cryptographic functions listed in Tables 4, 5, 6, 7, 8 and 9 below. Although the module may have been tested for additional algorithms or modes, only those listed below are actually utilized by the module. Table 11 summarizes the allowed high-level protocol and algorithm support.

2.1 Approved Algorithms

Table 4 – Data Plane Approved Cryptographic Functions

CAVP Cert. | Algorithm | Standard | Mode | Key Lengths, Curves, or Moduli | Functions
C1046 | AES | PUB 197-38A | CBC | Key Sizes: 128, 192, 256 | Encrypt, Decrypt
C1046 | AES | SP800-38D | GCM | Key Sizes: 128, 192, 256 | Encrypt, Decrypt, AEAD
C1046 | HMAC | PUB 198 | SHA-1 | Key size: 160 bits, λ = 96 | Message Authentication
C1046 | HMAC | PUB 198 | SHA-256 | Key size: 256 bits, λ = 128 | Message Authentication
C1046 | SHS | PUB 180-4 | SHA-1, SHA-256 | | Message Digest Generation
C1046 | Triple-DES [1] | SP 800-67 | TCBC | Key Size: 192 | Encrypt, Decrypt

[1] Use of Triple-DES in this module is only allowed until December 31st, 2023, as per SP 800-131A.

Table 5 – Control Plane QuickSec Approved Cryptographic Functions

CAVP Cert. | Algorithm | Standard | Mode | Key Lengths, Curves, or Moduli | Functions
C1045 | AES | PUB 197-38A | CBC | Key Sizes: 128, 192, 256 | Encrypt, Decrypt
C1045 | AES | SP800-38D | GCM | Key Sizes: 128, 256 | Encrypt, Decrypt, AEAD
 | CKG | SP800-133 Rev2 (IKE) | Section 4 | | Asymmetric key generation using unmodified DRBG output
C1045 | CVL | SP 800-135 | IKEv1 | SHA 256, 384 | Key Derivation
C1045 | CVL | SP 800-135 | IKEv2 | SHA 256, 384 | Key Derivation
C1045 | DRBG | SP 800-90A | HMAC | SHA-256 | Random Bit Generation
C1045 | ECDSA | PUB 186-4 | | P-256 (SHA 256), P-384 (SHA 384) | KeyGen, SigGen, SigVer
C1045 | HMAC | PUB 198 | SHA-256 | Key size: 256 bits, λ = 256 | Message Authentication, KDF Primitive
C1045 | HMAC | PUB 198 | SHA-384 | Key size: 384 bits, λ = 384 | Message Authentication, KDF Primitive
N/A | KTS | AES Cert. #C1045 and HMAC Cert. #C1045 | | key establishment methodology provides between 128 and 256 bits of encryption strength |
N/A | KTS | Triple-DES Certs. #C1045 and HMAC Certs. #C1045 | | key establishment methodology provides 112 bits of encryption strength |
C1045 | RSA | PUB 186-4 | PKCS1 V1 5 | n = 2048 (SHA 256), n = 4096 (SHA 256) | SigGen, SigVer [3]
C1045 | SHS | PUB 180-4 | SHA-256, SHA-384 | | Message Digest Generation
C1045 | Triple-DES [4] | SP 800-67 | TCBC | Key Size: 192 | Encrypt, Decrypt

[2] Vendor Affirmed.
[3] RSA 4096 SigVer was not tested by the CAVP; however, it is Approved for use per CMVP guidance, because RSA 2048 SigVer was tested and testing for RSA 4096 SigVer is not available.
[4] Use of Triple-DES in this module is only allowed until December 31st, 2023, as per SP 800-131A.

Table 6 – OpenSSL Approved Cryptographic Functions

CAVP Cert. | Algorithm | Standard | Mode | Key Lengths, Curves, or Moduli | Functions
C1049 | AES | PUB 197-38A | CBC, CTR | Key Sizes: 128, 192, 256 | Encrypt, Decrypt
C1049 | DRBG | SP 800-90A | HMAC | SHA-256 | Random Bit Generation
C1049 | CVL (KAS) | SP800-56A [5] | ECC DH | P-256, P-384, P-521 | Key Agreement Scheme (SSH)
C1049 | CVL (KAS) | SP800-56A [5] | FFC DH | MODP-2048 (ID 14) | Key Agreement (IKE/SSH)
C1049 | CVL (KAS) | SP800-56A [5] | FFC DH | MODP-2048 (ID 24) | Key Agreement (IKE)
N/A [6] | KAS-SSC | SP800-56A Rev3 | ECC DH | P-256, P-384 | Key Agreement (IKE)
N/A [7] | CKG | SP800-133 Rev2 (SSH) | Section 4 | | Asymmetric key generation using unmodified DRBG output
C1049 | ECDSA | PUB 186-4 | | P-256 (SHA 256), P-384 (SHA 384), P-521 (SHA 512) | SigGen, KeyGen, SigVer
C1049 | HMAC | PUB 198 | SHA-1 | Key size: 160 bits, λ = 160 | Message Authentication
C1049 | HMAC | PUB 198 | SHA256 | Key size: 256 bits, λ = 256 | Message Authentication, DRBG Primitive
C1049 | HMAC | PUB 198 | SHA512 | Key size: 512 bits, λ = 512 | Message Authentication
N/A | KTS | AES Cert. #C1049 and HMAC Cert. #C1049 | | key establishment methodology provides between 128 and 256 bits of encryption strength |
N/A | KTS | Triple-DES Cert. #C1049 and HMAC Cert. #C1049 | | key establishment methodology provides 112 bits of encryption strength |
C1049 | RSA | PUB 186-4 | | n = 2048 (SHA 256), n = 4096 (SHA 256) | KeyGen [8]
C1049 | RSA | PUB 186-4 | | n = 2048 (SHA 256), n = 4096 (SHA 256) | SigGen
C1049 | RSA | PUB 186-4 | | n = 2048 (SHA 256), n = 4096 (SHA 256) | SigVer [9]
C1049 | SHS | PUB 180-4 | SHA-1, SHA256, SHA384, SHA512 | | Message Digest Generation, KDF Primitive
C1049 | Triple-DES [10] | SP 800-67 | TCBC | Key Size: 192 | Encrypt, Decrypt

[5] Use of ECDH with SSH in this module is only allowed until December 31st, 2020.
[6] Vendor affirmed as per IG D.1-rev3.
[7] Vendor Affirmed.
[8] RSA 4096 KeyGen was not tested by the CAVP; however, it is Approved for use per CMVP guidance, because RSA 2048 KeyGen was tested and testing for RSA 4096 KeyGen is not available.
[9] RSA 4096 SigVer was not tested by the CAVP; however, it is Approved for use per CMVP guidance, because RSA 2048 SigVer was tested and testing for RSA 4096 SigVer is not available.
[10] Use of Triple-DES in this module is only allowed until December 31st, 2023, as per SP 800-131A.

Table 7 – OpenSSH Approved Cryptographic Functions

CAVP Cert. | Algorithm | Standard | Mode | Key Lengths, Curves, or Moduli | Functions
C1050 | CVL | SP 800-135 | SSH | SHA 1, 256, 384 | Key Derivation

Table 8 – LibMD Approved Cryptographic Functions

CAVP Cert. | Algorithm | Standard | Mode | Key Lengths, Curves, or Moduli | Functions
C1043 | HMAC | PUB 198 | SHA-1 | Key size: 160 bits, λ = 160 | Password Hashing
C1043 | HMAC | PUB 198 | SHA-256 | Key size: 256 bits, λ = 256 | Password Hashing
C1043 | SHS | PUB 180-4 | SHA-1, SHA-256, SHA-512 | | Message Digest Generation

Table 9 – Kernel Approved Cryptographic Functions

CAVP Cert. | Algorithm | Standard | Mode | Key Lengths, Curves, or Moduli | Functions
C1044 | DRBG | SP 800-90A | HMAC | SHA-256 | Random Bit Generation
C1044 | HMAC | PUB 198 | SHA-256 | Key size: 256 bits, λ = 256 | DRBG Primitive
C1044 | SHS | PUB 180-4 | SHA-1, SHA-256 | | Message Authentication, DRBG Primitive

2.2 Allowed Algorithms

Table 10 – Allowed Cryptographic Functions

Algorithm | Caveat | Use
Elliptic Curve Diffie Hellman [IG] D.8 [11] | Provides between 128 and 256 bits of encryption strength. | key agreement; key establishment
NDRNG [IG] 7.14 Scenario 1a | The module generates a minimum of 256 bits of entropy for key generation. | Seeding the DRBG

[11] Use of ECDH with SSH in this module is only allowed until December 31st, 2020.

2.3 Allowed Protocols

Table 11 – Protocols Allowed in FIPS Mode

Protocol | Key Exchange | Auth | Cipher | Integrity
IKEv1 [12] | Diffie-Hellman (L = 2048, N = 256); Diffie-Hellman (L = 2048, N = 2047); EC Diffie-Hellman P-256; EC Diffie-Hellman P-384 | RSA 2048; RSA 4096; Pre-Shared Secret | Triple-DES CBC [13]; AES CBC 128/192/256 | HMAC-SHA-256; HMAC-SHA-384
IKEv2 [14] | Diffie-Hellman (L = 2048, N = 256); Diffie-Hellman (L = 2048, N = 2047); EC Diffie-Hellman P-256; EC Diffie-Hellman P-384 | ECDSA P-256; ECDSA P-384; RSA 2048; RSA 4096; Pre-Shared Secret; ECDSA P-256; ECDSA P-384 | Triple-DES CBC [15]; AES CBC 128/192/256; AES GCM [16] 128/256 | HMAC-SHA-256; HMAC-SHA-384
IPsec ESP | IKEv1 with optional: Diffie-Hellman (L = 2048, N = 256); EC Diffie-Hellman P-256; EC Diffie-Hellman P-384 | IKEv1 | Triple-DES CBC [17]; AES CBC 128/192/256; AES GCM [18] 128/192/256 | HMAC-SHA1-96; HMAC-SHA-256-128
IPsec ESP | IKEv2 with optional: Diffie-Hellman (L = 2048, N = 256); EC Diffie-Hellman P-256; EC Diffie-Hellman P-384 | IKEv2 | Triple-DES CBC [19]; AES CBC 128/192/256; AES GCM [20] 128/192/256 | HMAC-SHA1-96; HMAC-SHA-256-128
SSHv2 [21] | Diffie-Hellman (L = 2048, N = 2047); EC Diffie-Hellman P-256 [22]; EC Diffie-Hellman P-384 [23]; EC Diffie-Hellman P-521 [24] | RSA 2048; ECDSA P-256 | Triple-DES CBC [25]; AES CBC 128/192/256; AES CTR 128/192/256 | HMAC-SHA-1-96; HMAC-SHA-1; HMAC-SHA-256; HMAC-SHA-512

No part of these protocols, other than the KDF, have been tested by the CAVP and CMVP. The IKE and SSH algorithms allow independent selection of key exchange, authentication, cipher and integrity. In reference to the Allowed Protocols in Table 10 above: each column of options for a given protocol is independent

[12] RFC 2409 governs the generation of the Triple-DES encryption key for use with the IKEv1 protocol
[13] Use of Triple-DES in this module is only allowed until December 31st, 2023, as per SP 800-131A.
[14] IKEv2 generates the SKEYSEED according to RFC7296, from which all keys are derived, including Triple-DES keys.
[15] Use of Triple-DES in this module is only allowed until December 31st, 2023, as per SP 800-131A.
[16] The AES GCM IV is generated according to RFC5282 and is used only in the context of the IPSec protocol as allowed in IG A.5. Rekeying is triggered after 2^32 AES GCM transformations.
[17] Use of Triple-DES in this module is only allowed until December 31st, 2023, as per SP 800-131A.
[18] The AES GCM IV is generated according to RFC4106 and is used only in the context of the IPSec protocol as allowed in IG A.5. Rekeying is triggered after 2^32 AES GCM transformations.
[19] Use of Triple-DES in this module is only allowed until December 31st, 2023, as per SP 800-131A.
[20] The AES GCM IV is generated according to RFC4106 and is used only in the context of the IPSec protocol as allowed in IG A.5. Rekeying is triggered after 2^32 AES GCM transformations.
[21] RFC 4253 governs the generation of the Triple-DES encryption key for use with the SSHv2 protocol
[22] Use of ECDH with SSH in this module
