Security
Security is top-of-mind, especially right here where Juniper experts share their insights on the latest security trends and breakthroughs
Juniper Employee
The Most Comprehensive Common Criteria/ National Information Assurance Partnership (NIAP) Certification Ever
Oct 25, 2018

 


 

The following Juniper Networks devices with Junos 13.3 and 13.2X software are both Common Criteria Certified and listed on the NIAP Product Compliant List (PCL):

 

M7i, M10i, M120, M320

MX5, MX10, MX40, MX80, MX104, MX240, MX480, MX960, MX2010, MX2020

T640, T1600, T4000

PTX3000, PTX5000

QFX5100

EX9200, EX8200, EX6200, EX4550, EX4500, EX4300, EX4200, EX3300, EX3200, EX2200.

 

This is the first time the MX104, MX2010, MX2020, T4000, PTX3000, PTX5000, QFX5100, EX9200, EX4550, EX4300, and EX2200 have been listed on the NIAP PCL.

The Security Target is available here and the Certification Report can be found here.

 

These devices have been Common Criteria Certified against the NIAP Network Device Protection Profile (NDPP) for several months.  Because the Common Criteria Certification was done in Canada, NIAP reviews the results before posting on the NIAP PCL.

Listing on the NIAP PCL is required by Federal policy in many different cases. First, as the NIAP PCL webpage states: “U.S. Customers (designated approving authorities, authorizing officials, integrators, etc.) may treat these mutually-recognized evaluation results as complying with the Committee on National Security Systems Policy (CNSSP) 11 National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products - dated June 2013 (https://www.cnss.gov/policies.html)”. CNSSP 11 applies to any US Government system carrying classified data at any level and to systems carrying certain command and control traffic regardless of the classification.

NIAP PCL listing is required by the DISA Security Technical Implementation Guides (STIGs) for many product categories. NIAP PCL listing is also required for DoD Cloud providers who are handling Impact Level 5 and 6 information, and in other Federal Government acquisitions that require the NIST 800-53, rev 4, SA-4 (7) control.

Oct 20, 2018
bxrose

Hi Bill,

 

It's great to see Juniper making these efforts to be at the forefront of security and information assurance. I was also impressed that Juniper has a published document on their secure SDLC coding practices as well.

 

In doing some research, I found that Juniper seems to work with NIST to keep the CPE dictionary up to date, which is another good effort IMO. I see that the 2.3 CPE dictionary has JUNOS up to 17.1 R1, which was released in March 2017. How well would you say the process works to update new products and software releases with the NIST CPE dictionary? Do you think delays in this process could be improved in any way? When looking for a comprehensive way to scan network devices for vulnerabilities, SCAP comes to mind, but even with a vendor or custom solution, if CPE data is to be relied upon to make remediation or mitigation decisions, there seem to be gaps in that data.

 

Look forward to your input...

Oct 25, 2018
Juniper Employee

Juniper regularly works with Mitre and others in the security community on efforts to improve and standardize reporting.  Currently the CPE dictionary is able to gather information on Juniper products because we publish advisories in JSON and we plan to continue to do so.  We look forward to continuing to work with the community on improvements in the process.
