
The FIPS 140-2 Random Number Generator Crisis Impact on Juniper Networks Products

By Erdem posted 01-09-2015 08:08


A few weeks ago, I wrote about the NIST Random Number Transition and the crisis it will cause at the end of 2015. I am not alone in trying to raise visibility of this issue. There is a very good blog post by Marc Ireland of InfoGard Laboratories, titled The RNG Transition is Coming!, on the same subject.

In that blog, I recommended that customers who require FIPS 140-2 encryption, such as the US Federal Government, check the FIPS 140-2 certifications of the products they use to confirm that those products use the mandated NIST SP 800-90A deterministic random bit generator (DRBG) rather than the legacy random number generators that will soon be disallowed.

I didn’t have space in the earlier blog to share the DRBG status of Juniper products that have been FIPS certified, but I thought it might be helpful to provide a summary overview in a new blog.

 

FIPS 140-2 solutions that use NIST SP 800-90A DRBG

  • Junos devices using Junos 12.1 or later software.
    • Note that the SRX is currently in evaluation for FIPS 140-2. This evaluation uses the new DRBG. NIST has already validated the SRX DRBG.
    • The MX is also currently in evaluation for FIPS 140-2. This evaluation uses the new DRBG as well.
  • Juniper Networks/Pulse Secure MAG and Virtual Appliances which use SA 7.4 or UAC 5.0 and later software.
  • Juniper Networks/Pulse Secure Pulse Desktop Clients which use 5.0 and later software.
  • Juniper Networks/Pulse Secure Pulse Mobile Clients which use 4.0 and later software.

FIPS 140-2 solutions that do not use NIST SP 800-90A DRBG

  • Junos devices using Junos versions prior to 12.1.
  • ScreenOS devices regardless of software version.
  • SA4500FIPS, SA6500FIPS, and IC6500FIPS Appliances regardless of software version.
  • Network and Security Manager (NSM) regardless of software version.
  • Odyssey Clients regardless of software version.
  • Network Connect Client regardless of software version.

My recommendation is that if you have devices which do not use the NIST SP 800-90A DRBG, you begin taking steps now to transition to products which do support NIST SP 800-90A DRBG before the end of 2015.
