The Juniper EX switch must be configured to use FIPS 140-2/140-3 validated algorithms for authentication to a cryptographic module.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-253911	SRG-APP-000179-NDM-000265	JUEX-NM-000340	SV-253911r1082959_rule	2025-03-07	2

Description
Unapproved mechanisms used for authentication to the cryptographic module are not validated and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Network devices utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. However, authentication algorithms must configure security processes to use only FIPS-validated and NIST-recommended authentication algorithms.

Description

Unapproved mechanisms used for authentication to the cryptographic module are not validated and therefore, cannot be relied upon to provide confidentiality or integrity, and DOD data may be compromised. Network devices utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules. FIPS 140-2/140-3 is the current standard for validating that mechanisms used to access cryptographic modules utilize authentication that meets DOD requirements. However, authentication algorithms must configure security processes to use only FIPS-validated and NIST-recommended authentication algorithms.

ℹ️ Check
Verify the password format, and that SSH uses FIPS validated algorithms and random number generator (RNG) as shown in the following example configuration. user@host> show configuration system login { password { : format <sha-256\|sha-512>; } } services { ssh { : ciphers [ aes256-ctr aes256-cbc]; macs [ hmac-sha2-512 hmac-sha2-256 ]; key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 ]; : } } rng { hmac-drbg; } If the network device is not configured to use FIPS 140-2/140-3 validated authentication algorithms, this is a finding.

ℹ️ Check

Verify the password format, and that SSH uses FIPS validated algorithms and random number generator (RNG) as shown in the following example configuration. user@host> show configuration system login { password { : format <sha-256|sha-512>; } } services { ssh { : ciphers [ aes256-ctr aes256-cbc]; macs [ hmac-sha2-512 hmac-sha2-256 ]; key-exchange [ ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 ]; : } } rng { hmac-drbg; } If the network device is not configured to use FIPS 140-2/140-3 validated authentication algorithms, this is a finding.

✔️ Fix
Configure the password format, SSH algorithms, and the RNG to use only FIPS validated algorithms. 1. Enter configuration mode. 2. Configure the password format. 3. Configure the SSH algorithms. 4. Configure the RNG. 5. Commit the configuration. user@host> configure user@host# set system login password format <sha-256\|sha-512> user@host# set system services ssh ciphers aes256-ctr user@host# set system services ssh ciphers aes256-cbc user@host# set system services ssh macs hmac-sha2-512 user@host# set system services ssh macs hmac-sha2-256 user@host# set system services ssh key-exchange ecdh-sha2-nistp521 user@host# set system services ssh key-exchange ecdh-sha2-nistp384 user@host# set system services ssh key-exchange ecdh-sha2-nistp256 user@host# set system rng hmac-drbg user@host# commit

✔️ Fix

Configure the password format, SSH algorithms, and the RNG to use only FIPS validated algorithms. 1. Enter configuration mode. 2. Configure the password format. 3. Configure the SSH algorithms. 4. Configure the RNG. 5. Commit the configuration. user@host> configure user@host# set system login password format <sha-256|sha-512> user@host# set system services ssh ciphers aes256-ctr user@host# set system services ssh ciphers aes256-cbc user@host# set system services ssh macs hmac-sha2-512 user@host# set system services ssh macs hmac-sha2-256 user@host# set system services ssh key-exchange ecdh-sha2-nistp521 user@host# set system services ssh key-exchange ecdh-sha2-nistp384 user@host# set system services ssh key-exchange ecdh-sha2-nistp256 user@host# set system rng hmac-drbg user@host# commit