Juniper Networks continues to demonstrate its commitment to US federal government certifications. Juniper Networks SRX devices have completed their fourth successive National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) 140-2 certifications. These certifications were with Junos OS 12.3X48 software.
Branch SRX (SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650) Services Gateways
SRX1400, 3400, 3600 Services Gateways
SRX5400, SRX5600, SRX5800 Services Gateways
As I have mentioned in the past, US Defense Department policy requires that products used in DoD networks must be selected from a DoD Approved Products List. In the past, this list was called the Unified Capabilities (UC) APL. It has been renamed the DoD Information Network (DoDIN) APL.
Products on the DoDIN APL have demonstrated that they meet a demanding set of DoD Cybersecurity and Interoperability requirements. These requirements are contained in the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) and in the Unified Capabilities Requirements (UCR). In addition to security requirements, the UCR emphasizes dual stack IPv4/IPv6, open standards based interoperability, high availability, and quality of service for mission critical applications.
The EX3400 and EX2300 are the next evolution of Juniper Networks entry level and mid-range campus access switches. These devices provide many enhancements over the older EX3300 and EX2200. The first advantage is that the EX3400 and EX2300 use the Enhanced Layer 2 Software (ELS) CLI like the EX4300, EX4600 and the EX9200. This provides a consistent switching interface.
The EX2300 provides users with the option of 10G uplinks and 10G Virtual Chassis connections, increasing bandwidth.
The EX3400 provides many advantages compared to the EX3300, most of which can be found on the back of the switch.
These include: A) two 40G interfaces that can be used for either network connectivity or Virtual Chassis connections, B) an option for redundant power, eliminating the need for a remote power shelf, and C) field-replaceable cooling fans and power supplies.
For more on the EX2300 and EX3400, please see Tarek's post from the Industry Solutions and Trends blog.
The DoDIN APL certification memos can be found at the Defense Information Systems Agency (DISA) Approved Products List Integrated Tracking System (APLITS) website at these links-
Former US President Ronald Reagan frequently used the Russian proverb “Trust, but verify”. This adage is also frequently used in the blockchain community. The idea is that some things are important enough that they must be verified.
The Cryptographic Module Validation Program (CMVP) is a joint effort between the US National Institute of Standards and Technology (NIST) and the Canadian Communications Security Establishment (CSE). CMVP validates cryptographic modules to the Federal Information Processing Standards (FIPS) 140-2 and other standards. FIPS 140-2 is a mandatory standard for the protection of US Government sensitive data.
I am happy to report that the SRX1500, SRX4100, SRX4200, and vSRX security gateways recently completed NIST FIPS 140-2 certification with Junos OS 15.1X49. These products join the already certified SRX300-345, SRX550-M and SRX5400, SRX5600, and SRX5800.
The NIST Certifications are as follows:
- vSRX: Certificate #3137
- SRX1500, SRX4100 and SRX4200: Certificate #3136
- SRX300, SRX320, SRX340, SRX345 and SRX550-M: Certificate #3100
- SRX5400, SRX5600, and SRX5800: Certificate #2948
As part of our ongoing commitment to government certifications, these devices are already in process for a recertification using Junos 17.4 and are listed on the CMVP Implementation Under Test (IUT) List.
Products on the UC APL have demonstrated that they meet a demanding set of DoD Information Assurance and Interoperability requirements. These requirements are contained in the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) and in the Unified Capabilities Requirements (UCR). In addition to security requirements, the UCR emphasizes dual stack IPv4/IPv6, open standards based interoperability, high availability, and quality of service for mission critical applications.
The QFX10002 has been certified as an Assured Services Local Area Network (ASLAN) device approved for use in the ASLAN Core, Distribution, and/or Access roles.
The QFX10002 is the first member of the Juniper Networks QFX10000 switch family. The QFX10000 family are highly scalable, high-density devices designed to support the most demanding data center and cloud environments, including mid-sized to large data centers, private clouds and public clouds. The QFX10000 products use Juniper-built Q5 ASICs for unparalleled forwarding performance and the deep packet buffers needed to pass the demanding DoD QoS tests at 100G.
The QFX10002 is certified for use with Junos 15.1X53 software and is certified for 10G, 40G, and 100G use. A single 2U high QFX10002-72Q will support up to 24 100G, 72 40G, or 288 10G interfaces and allows operators to conveniently mix and match these interfaces simply by replacing optics. Unlike some data center optimized switches on the UC APL, which are restricted to use in access applications, the QFX10002 is approved for use anywhere in DoD Local Area Networks.
The Unified Capabilities Approved Product List (UC APL) certification memos can be found at the Defense Information Systems Agency (DISA) Approved Products List Integrated Tracking System (APLITS) website at this link.
We have more good news. The Defense Information Systems Agency has expanded the QFX10K certification to include the QFX10008 and 10016. Like the QFX10002, these devices are certified for use as core, distribution, or access, and have certified 10G, 40G, and 100G interfaces.
The QFX10K family of products provides the highest 100G port density on the APL at 30x100G per slot, and is the only solution that allows 10G, 40G, and 100G connectivity on the same interface card.
I am happy to report that the National Institute of Standards and Technology (NIST) Cryptographic Module Validation Program (CMVP) has issued five Federal Information Processing Standards (FIPS) 140-2 Certifications for the following Juniper Networks devices:
FIPS Certification #2690-
FIPS Certification #2696-
FIPS Certification #2719-
FIPS Certification #2730-
FIPS Certification #2734-
LN1000 Mobile Secure Router
FIPS 140-2 is a mandatory standard for the protection of sensitive data and is applicable to all Federal Agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunications systems.
FIPS certification continues to be challenging as NIST requirements evolve, including the deprecation of cryptographic algorithms that were once approved and an increased focus on important cryptography elements like maintaining sufficient entropy and using strong deterministic random bit generators (DRBG).
Welcome to the first edition of Juniper Channel Minutes! This week Andrea Jaramillo sits down with James Kelly, Cloud Architect to talk about Juniper's new VMware certification, and how Juniper Partners can take advantage of the joint solutions Juniper and VMware are taking to market.
I am pleased to report that the National Institute of Standards and Technology (NIST) has issued a Federal Information Processing Standard (FIPS) 140-2 Certification of the following Juniper Networks devices with Junos 14.1R4 software.
The FIPS certification is #2451.
This is a first-time FIPS certification for the EX9200 and the PTX devices and a recertification for the M, MX, and T-series devices. This is Juniper Networks' 56th FIPS certification and the most comprehensive single FIPS certification completed to date.
FIPS certification continues to be challenging as NIST requirements evolve, including the deprecation of cryptographic algorithms that were once approved and an increased focus on important cryptography elements like maintaining sufficient entropy and using strong deterministic random bit generators (DRBG).
We are pleased to report that the SRX family devices with Junos 12.3X48 recently completed certification against relevant NIAP protection profiles.
This certification is the first Common Criteria Certification against the NIAP Intrusion Protection System Extended Package.
The Security Target for these devices is located here.
The Certification Report can be found here.
These certifications join other Juniper Networks certifications that can be found on the NIAP Product Compliant List at this link.
Listing on the NIAP PCL is required by Federal policy for many different cases. First, as the NIAP PCL webpage states: “U.S. Customers (designated approving authorities, authorizing officials, integrators, etc.) may treat these mutually-recognized evaluation results as complying with the Committee on National Security Systems Policy (CNSSP) 11 National Policy Governing the Acquisition of Information Assurance (IA) and IA-Enabled Information Technology (IT) Products - dated June 2013 (https://www.cnss.gov/policies.html)”.
CNSSP 11 applies to any US Government system carrying classified data at any level and to systems carrying certain command and control traffic regardless of the classification.
NIAP PCL listing is required by the DISA Security Technical Implementation Guides (STIGs) for many product categories. NIAP PCL listing is required for DoD Cloud providers who are handling Impact Level 5 and 6 information, and in other Federal Government acquisitions that require the NIST 800-53, rev 4, SA-4 (7) control.
I work for one of the largest Network Service Providers on the globe. Frequently, I will be confronted by multiple-vendor networks, technologies, and architectures. Typically the first time I am encountering a network, the network is usually in a severely degraded state and impacting critical services.
I began my journey down the Juniper certification path with the encouragement of a close friend and colleague. They had recently acquired their JNCIA-M, now replaced by JNCIA-Junos. At this point in my career, I had obtained numerous certifications from other vendors at various technical levels. “Just go take it. What’s the harm?” I had not studied or otherwise prepared. However, I have worked on Juniper M-series routers in an MPLS network. I found the exam to be exactly what my work experience had taught me; this was a stark contrast to other vendor certification programs. I now have full confidence in recommending the Juniper Networks Certification Program (JNCP) for individuals looking for real work experience that employers are desperately seeking.
After passing the JNCIA-M, I decided to proceed further into the JNCP. I have since acquired JNCIS-SP, and I am about to take the JNCIP-SP examination. As the network grows, I find more M, MX, and T series routers being deployed. Even on other vendors, the knowledge I learned studying for Juniper examinations directly applies to other vendors. Sure, the syntax, configuration, and command structure are different but the fundamentals are identical. I am comfortable working in any environment, any equipment, with any vendor and client because of the skill set acquired via the Juniper Networks Certification Program.
Preparation for the JNCIP-SP is no easy task, as the certification is the highest written examination available in the Service Provider track. The first place anyone seeking a Juniper certification should visit is the Exam Objectives (http://www.juniper.net/us/en/training/certification/resources_jncipsp.html). I began to go through each daunting objective one at a time. I needed to reorganize and categorize the objectives to suit my learning style, placing them onto flash cards, and began researching each topic through the use of standards documents, Juniper white papers, and the Juniper Community forums. I drew network diagrams and used spare equipment to simulate production networks. To keep up with the basics of Juniper equipment, the Junos software, and essential network principles, I downloaded the Android applications provided by Juniper for the certifications for the previous examinations in the track. I found this to be extremely helpful; I was able to study while on the go, waiting in lines, or other casual activities.
JNCP has not only provided me with the confidence to work on Juniper equipment, but it has inspired confidence for my employer to acquire Juniper equipment and provide our clients with Juniper routers, switches, and firewalls as well.
JNCP office NOTE: Nick recently passed his JNCIP-SP! Congratulations Nick.
More than 20 years ago, the National Institute of Standards and Technology (NIST) established the Cryptographic Module Validation Program (CMVP) to validate cryptographic modules to Federal Information Processing Standards (FIPS) 140-1 and then later 140-2 standards. The CMVP is a collaborative effort between NIST and the Canadian Communications Security Establishment (CSE). Modules validated as conforming to FIPS 140-2 are accepted by the federal government agencies of both the US and Canada for the protection of sensitive information.
This certification was #3100.
Earlier in 2017, Juniper Networks SRX5400, SRX5600, and SRX5800 devices completed their fifth successive National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) 140-2 certification. These most recent certifications were with Junos OS 15.1X49 software.
This certification was #2948.
SRX platforms with Junos 15.1X49 introduce FIPS mode, which simplifies FIPS compliance. Instead of a special software image, FIPS mode is a simple configuration setting to the standard Junos OS image.
SRX devices provide a foundation for implementing a wide array of high-performance security protection, including UTM services, next-generation firewall, and dynamic threat defense and intelligence. The application and content awareness of SRX series platforms, combined with the advanced routing capabilities in Junos OS, enables enterprises to implement SD-WAN functionality and security.