A few weeks ago, I wrote about the NIST Random Number Transition and the crisis this will cause at the end of 2015. I am not alone in attempting to raise visibility of this issue. There is a very good blog written by Marc Ireland, from InfoGard Laboratories, titled “The RNG Transition is Coming!” on the same subject.
I recommended, in my blog, that customers who require FIPS 140-2 encryption, like the US Federal Government, should check the FIPS 140-2 certifications of the products that they use to make sure they use the mandated NIST SP 800-90A deterministic random bit generator (DRBG) rather than the soon-to-be-disallowed legacy random number generators.
I didn’t have space in the earlier blog to share the DRBG status of Juniper products that have been FIPS certified, but I thought it might be helpful to provide a summary overview in a new blog.
FIPS 140-2 solutions that use NIST SP 800-90A DRBG
- Junos devices using Junos 12.1 or later software.
- Note that the SRX is currently in evaluation for FIPS 140-2. This evaluation uses the new DRBG. NIST has already validated the SRX DRBG.
- The MX is also currently in evaluation for FIPS 140-2. This evaluation uses the new DRBG as well.
- Juniper Networks/Pulse Secure MAG and Virtual Appliances which use SA 7.4 or UAC 5.0 and later software.
- Juniper Networks/Pulse Secure Pulse Desktop Clients which use 5.0 and later software.
- Juniper Networks/Pulse Secure Pulse Mobile Clients which use 4.0 and later software.
FIPS 140-2 solutions that do not use NIST SP 800-90A DRBG
- Junos devices using Junos versions prior to 12.1.
- ScreenOS devices regardless of software version.
- SA4500FIPS, SA6500FIPS, and IC6500FIPS Appliances regardless of software version.
- Network and Security Manager (NSM) regardless of software version.
- Odyssey Clients regardless of software version.
- Network Connect Client regardless of software version.
My recommendation is that if you have devices which do not use the NIST SP 800-90A DRBG, you begin taking steps now to transition to products which do support NIST SP 800-90A DRBG before the end of 2015.