[a Australian
ACSC Es

 

Australasian Information Security ERHEBEN

      

 

 

    

              

 

 

         
      

 

      

       

    

er.
zu...
sn»
4
rem» 4rde
RC EC rants summer:
Didi iii iii ceci rues
NC CN ohare roma ce
ne MOOD
. De °0 eer
< 4a eradmedrn
a .. ne kedaacnae
= Ba ae eee ee erecmenae-
e .> nr PRET +rapparesirenc
> DEEE tr mire... Le kh ome
< amen nas ee MEET CET .ım>»
< 12002 aa or errant mse secora «mue
> > HA a B>>>» ve . ae > me 4444
= “ann. Pıbaor. RE Ga meena eun<a
> 0... drain ersuchen + «ema
< ieee ara deeds sees 7 rs «moses ...««
A 4m. 1r>A+>A<% ET eens hema ae -u>.«
e FEIERTE RER ET PET SDR pes»
= Ars ar aPpdd Se emma Qu
A «eee cam DP RE TETE merase
= es. eo. ad di ee «va ans
< = >more ns AAA te hee cep ere madcae
= « <<< 020993 H<e MOINE M NES CS >mou«
> a pemss oasaac dODDAd ri rn 00m» A pada
= a mate moine AGA PAA ei er sonora «anon
< > eo<m><. pemana A Ak tr eee cor came maade
> < Ame nn. oon Mr es scorn <o>rm«a< ss
« A dns amon . > a Par EBEAOD db « «mo» «<> «nr
= = -a<ımıa nus. AAA <eAAA4AOD 40410 +1 « >>4n«<
« Ariane r avan « «mar eae aD Drama “Add
a A@onccanard wean > en. .“:«>o>® dasrausareurae
= ıırmnunım aan Avannera> 44 Médine rame
OP dp rrr r+ romero yee . »Ea<<0 0414494 ADOun>««<>rao«> om
<hr ar arccre rene err aces mmeea DHpanimaaamaaar
> nresesraice maar . > <hr re era math ema ara
Odessa cme nen ares» > meer +eomna<amma
corseimmaaaa EE ... oumna<sund«
parenaanamse rare eas maarmasee
Aro iinrae is nine Anm<e < eooams<m<an
emer meme rer. mampa< 800 648 44m roc
Brinrooaen EE no en EN ne ELA EEE
@eonmromnae sacar +» 4>-0>-HAHA AAb<«
ee ss Aaper aaah apaee@n cyber.gov.au :::>
mae peus. : AAA “>E>BHa> AA rs
“>> aa . a<m> PrPe@AAA «<<.
adsd<00@ rare ons > 0011180480 1+>4>0< AAA

     
/- C CO C Australian
Cyber Security
7 Sd Centre

Table of contents

Executive summary 1
Introduction 2
Overview 2
Purpose 2
Identification 2
Target of Evaluation 4
Overview 4
Description of the TOE 4
TOE Functionality 4
TOE physical boundary 4
Architecture 5
Clarification of scope 6

Evaluated functionality 6

Non-TOE hardware/software/firmware 6

Non-evaluated functionality and services 6
Security 6
Usage 6

Evaluated configuration 6
Secure delivery 7

Installation of the TOE 7
Version verification 7
Documentation and guidance 8
Secure usage 8

 

@avre

 
/- C CO C Australian
Cyber Security
7 Sd Centre

Evaluation 9
Overview 9
Evaluation procedures 9
Functional testing 9
Entropy testing 9
Penetration testing 9
Certification 10
Overview 10
Assurance 10
Certification result 10
Recommendations 10
Annex A - References and abbreviations 11
References 11
Abbreviations 11

@avre

  
/- C CO C Australian
Cyber Security
7 Sd Centre

Executive summary

This report describes the findings of the IT security evaluation of Junos OS 19.2R1 executing on the MX204 and EX9251
appliances against a Common Criteria approved Protection Profile.

The Target of Evaluation (TOE) is Juniper Networks, Inc. Junos OS 19.2R1 executing on the MX204 and EX9251
appliances. Each appliance is a secure network device that protects itself largely by offering only a minimal logical
interface to the network and attached nodes. Both the MX204 and EX9251 platforms are powered by the Junos OS
software, Junos OS 19.2R1, which is a special purpose operating system that provides no general purpose computing
capability. Junos OS provides both management and control functions as well as all IP routing.

This report concludes that the TOE has complied with the Collaborative Protection Profile for Network Devices (NDcPP),
version 2.1, 24 September 2018 [4].

The evaluation was conducted in accordance with the Common Criteria and the requirements of the Australasian
Information Security Evaluation Program. The evaluation was performed by Teron Labs and was completed on 9
September 2019.

With regard to the secure operation of the TOE, the Australasian Certification Authority recommends that
administrators:

= ensure that the TOE is operated in the evaluated configuration and that assumptions concerning the TOE security
environment are understood

= configure and operate the TOE according to the vendor’s product administrator guidance
= verify the hash of any downloaded software, as present on the Juniper website.

Potential purchasers of the TOE should review the intended operational environment and ensure that they are
comfortable that the stated security objectives for the operational environment can be suitably addressed.

This report includes information about the underlying security policies and architecture of the TOE, and information
regarding the conduct of the evaluation.

It is the responsibility of the user to ensure that the TOE meets their requirements. For this reason, it is recommended
that a prospective user of the TOE refer to the Security Target and read this Certification Report prior to deciding
whether to purchase the product.

Bae er sss Beet teehee ta ee we
Se ee ee ee eee
cyber.gov.au Fe eke
Doreen rer 604
seas Denen DAAD

 
/- C CO C Australian
Cyber Security
7 Sd Centre

Introduction

Overview

This chapter contains information about the purpose of this document and how to identify the Target of Evaluation
(TOE).

Purpose

The purpose of this Certification Report is to:

= report the certification of results of the IT security evaluation of the TOE against the requirements of the Common
Criteria and NDcPP v2.1 [4]

= provide a source of detailed security information about the TOE for any interested parties.

This report should be read in conjunction with the TOE’s Security Target [8] which provides a full description of the
security requirements and specifications that were used as the basis of the evaluation.

Identification

The TOE is Junos OS 19.2R1 for MX204 and EX9251.

 

Description Version

Evaluation scheme Australasian Information Security Evaluation Program

TOE Juniper Junos OS 19.2R1 for MX204 and EX9251

Software version 19.2R1

Hardware platforms MX204 and EX9251 appliances

Security Target Security Target Junos OS 19.2R1 for MX204 and EX9251, v1.0, dated

September 9, 2019

Evaluation Technical Report Evaluation Technical Report v1.0, dated 09 September 2019
Document reference EFT-T002-ETR 1.0

Criteria Common Criteria for Information Technology Security Evaluation Part 2
Extended and Part 3 Conformant, April 2017, Version 3.1 Rev5

Methodology Common Methodology for Information Technology Security, April 2017
Version 3.1 Rev5

Conformance NDcPPv2.1, 24 September 2018

cyber.gov.au Donner need
Dre

rn Dornen DAAD ©

 
/- C CO C Australian
Cyber Security
7 Sd Centre

Developer Juniper Networks, Inc. 1133 Innovation Way, Sunnyvale California
94089 United States of America

Evaluation facility Teron Labs, Level 7, 221 London Circuit, Canberra, ACT 2601, Australia

cyber.gov.au Donner need
Dre

rn Denen DAAD ©

 
/- C CO C Australian
Cyber Security
7 Sd Centre

Target of Evaluation

Overview

This chapter contains information about the Target of Evaluation (TOE), including a description of functionality
provided, its architectural components, the scope of evaluation, its security policies and its secure usage.

Description of the TOE

The TOE is Juniper Networks, Inc. Junos OS 19.2R1 for MX204 and EX9251.

The Juniper Networks MX204 5G Universal Routing Platform is an Ethernet-optimized edge router with 400-Gbps
capacity that provides both switching and carrier-class Ethernet routing. The MX204 routing appliance delivers an end-
to-end infrastructure security solution for enterprises looking to move business-critical applications to public clouds. It
is a complete routing system that delivers features, functionality, and secure services at scale in the 5G era, which
shares common Junos firmware, features, and technology for compatibility across platforms.

 

The Juniper Networks EX9251 Ethernet Switch is an Ethernet-optimized switch that provides carrier-class Ethernet
switching, ideal for aggregating access switches such as Juniper EX2300, EX3400, EX4300 and EX4600 Ethernet switches
(not included in this evaluation) deployed in campus wiring closes and in on-premises data centres. It is a fixed
configuration switch with a built-in Routing Engine. It has a throughput of up to 400 gigabits per second (Gbps).

The appliances are physically self-contained housing the software, firmware and hardware necessary to perform all
switching functions. The appliances are fixed chassis configuration switches.

TOE Functionality

The TOE functionality that was evaluated is described in section 1.6.3 of the Security Target [8].

TOE physical boundary

The TOE is the Junos OS 19.2R1 firmware running on the appliance chassis listed in the table below. The TOE is
contained within the physical boundary of the specified appliance chassis.

 

 

Chassis Model Routing Engine Processor Firmware (Operating System)

MX204 RE-S-1600x8 Intel Xeon E5 Junos OS 19.2R1

EX9251 EX9251-RE Intel Xeon E5 Junos OS 19.2R1

| Deere nern AAO AO AH AO A>O> OH «> <<
ne Lettre: AO HE «AP HH>>O>A > n>o

cyber.gov.au Dreier "Ad DoA>>A> «A>O ««OH> Q era
er es "OO OH «> «AP AT<AOAH «OA «O >on

ss. ner er ED AAD OO AAP AO OH HA «PO AH A «EA GA A|
/- C CO Australian
Cyber Security
N Sd Centre

The physical TOE boundary of the MX204 and EX9251 appliances is the entire chassis on which the Junos OS firmware

executes. This physical boundary is shown in the figure below.

 

Management
Platform

Syslog Server

 

 

 

 

 

À internal Interface ER] TOE Component

 

} External Interface|_] IT Environment Component

 

The TOE interfaces comprise the following:

= network interfaces which pass traffic

= management interface through which handle administrative actions.

The firmware version reflects the detail reported for the components of the Junos OS when the ‘show version local’

command is executed on the appliance.

Architecture

Each instance of the TOE consists of the following major architectural components:

= Routing Engine (RE) (Control Board) — the RE runs the Junos firmware and provides Layer 3 routing services and
Layer 2 switching services. The RE also provides network management for all operations necessary for the
configuration and operation of the TOE and controls the flow of information through the TOE, including support
for appliance interface control and control plane functions such as chassis component, system management and

user access to the appliance.

= The Packet Forwarding Engine (PFE) — provides all operations necessary for transit packet forwarding:

e The MX204 router has four rate-selectable ports that can be configured as 100-Gigabit Ethernet ports or 40-
Gigabit Ethernet ports, or each port can be configured as four 10-Gigabit Ethernet ports (by using a breakout
cable). The MX204 also has eight 10-Gigabit Ethernet ports. The four rate-selectable ports support QSFP28
and QSFP+ transceivers, whereas the eight 10-Gigabit Ethernet ports support SFP+ transceivers.

®e The EX9251 switch has eight 10-Gigabit Ethernet ports and four rate-selectable ports that can be configured
as 100-Gigabit Ethernet ports or 40-Gigabit Ethernet ports (by using a breakout cable). The 10-Gigabit
Ethernet ports support SFP+ transceivers and rate-selectable ports support QSFP28 and QSFP+ transceivers.

= The Routing Engine and Packet Forwarding Engine perform their primary tasks independently while constantly
communicating through a high-speed internal link. This arrangement provides streamlined forwarding and routing
control and the capability to run internet-scale networks at high speeds.

cybergovau | ee eee as

ns... 444>r0401H<4e
u <A0OHO «<> HH>>O>

*A4-eA--AE-AAEE «A
ee oe eee ee ee)
peared ardeommadre

 
/- C CO C Australian
Cyber Security
7 Sd Centre

Clarification of scope

The evaluation was conducted in accordance with the Common Criteria and associated methodologies.

The scope of the evaluation was limited to those claims made in the Security Target [8].

Evaluated functionality
All tests performed during the evaluation were taken from NDcPP v2.1 [4] and sufficiently demonstrate the security

functionality of the TOE. Some of the tests were combined for ease of execution.

Non-TOE hardware/software/firmware

The TOE relies on the provision of the following items in the network environment:
= Syslog server supporting SSHv2 connections to send audit logs
= SSHv2 client for remote administration

= serial connection client for local administration.

Non-evaluated functionality and services

Potential users of the TOE are advised that some functions and services have not been evaluated as part of the
evaluation. Potential users of the TOE should carefully consider their requirements for using functions and services
outside of the evaluated configuration.

Australian Government users should refer to the Australian Government Information Security Manual [5] for policy
relating to using an evaluated product in an unevaluated configuration. New Zealand Government users should consult
the New Zealand Information Security Manual [6].

The following components are considered outside of the scope of the TOE:
= use of telnet, since it violates the Trusted Path requirement set
= use of File Transfer Protocol, since it violates the Trusted Path requirement set
= use of Simple Network Management Protocol, since it violates the Trusted Path requirement set

= use of Secure Sockets Layer, including management via J-Web, JUNOScript and JUNOScope, since it violates the
Trusted Path requirement set

= use of Command Line Interface account super-user and Linux root account.
Security

The TOE Security Policy is a set of rules that defines how information within the TOE is managed and protected. The
Security Target [8] contains a summary of the functionality that are evaluated.

Usage
Evaluated configuration
The evaluated configuration is based on the default installation of the TOE with additional configuration implemented

as per guidance documentation Junos OS Common Criteria Configuration Guide for MX204 and EX9251 Series Devices,
13 June 2019 [7].

cyber.gov.au ee eee as

pers.
Vmware
@avre

en we sees ss

 
/- C CO C Australian
Cyber Security
N Sd Centre

Secure delivery

There are several mechanisms provided in the delivery process to ensure that a customer receives a product that has
not been tampered with. The customer should perform the following checks upon receipt of a device to verify the
integrity of the platform.

= Shipping label - Ensure that the shipping label correctly identifies the correct customer name and address as well
as the device.

= Outside packaging - Inspect the outside shipping box and tape. Ensure that the shipping tape has not been cut or
otherwise compromised. Ensure that the box has not been cut or damaged to allow access to the device.

= Inside packaging - Inspect the plastic bag and seal. Ensure that the bag is not cut or removed. Ensure that the seal
remains intact.

If the customer identifies a problem during the inspection, they should immediately contact the supplier providing the
order number, tracking number and a description of the identified problem to the supplier.

Additionally, there are several checks that can be performed to ensure that the customer has received a box sent by
Juniper Networks and not a different company masquerading as Juniper Networks. The customer should perform the
following checks upon receipt of a device to verify the authenticity of the device:

= Verify that the device was ordered using a purchase order. Juniper Networks devices are never shipped without a
purchase order.

= When a device is shipped, a shipment notification is sent to the e-mail address provided by the customer when
the order is taken. Verify that this e-mail notification was received and contains the following information:

e purchase order number

e Juniper Networks order number used to track the shipment
e carrier tracking number used to track the shipment

e — list of items shipped including serial numbers

e address and contacts of both the supplier and the customer.

= Verify that the shipment was initiated by Juniper Networks. To verify that a shipment was initiated by Juniper
Networks, you should perform the following tasks:

e Compare the carrier tracking number of the Juniper Networks order number listed in the Juniper Networks
shipping notification with the tracking number on the package received.

« Log on to the Juniper Networks online customer support portal at
https://www.juniper.net/customers/csc/management to view the order status.

e Compare the carrier tracking number or the Juniper Networks order number listed in the Juniper Networks
shipment notification with the tracking number on the package received.

Installation of the TOE

The Configuration Guide [7] contains all relevant information for the secure configuration of the TOE.

Version verification

The verification of the TOE is largely automatic, including the verification using hashes. The TOE cannot load a modified
image. Valid software images can be downloaded from https://www.juniper.net. In addition to the automated

EEE 0. «
eurer ern a
cyber.gov.au Fe eke
Doreen rer 604
seas Denen DAAD

 
/- C CO C Australian
Cyber Security
7 Sd Centre

verification, the site includes individual hashes for each image. The administrator should verify the hash of the software
before installing it into the hardware platform.

Documentation and guidance

It is important that the TOE is used in accordance with guidance documentation in order to ensure secure usage. The
following documentation is available to the consumer when the TOE is purchased. All guidance material is available for

download at https://www.juniper.net:
= Junos® OS Common Criteria Configuration Guide for MX204 and EX9251 Series Devices, 13-06-2019
= Junos® OS CLI User Guide, 5 August 2019
= Junos® OS Installation and Upgrade Guide, 5 August 2019

= Junos® OS User Access and Authentication Feature Guide, 9 July 2019

All Common Criteria guidance material is available at https://www.commoncriteriaportal.org.

The Australian Government Information Security Manual is available at https://www.cyber.gov.au/ism [5]. The New
Zealand Information Security Manual is available at https://www.gcsb.govt.nz/ [6].

Secure usage

The evaluation of the TOE took into account certain assumptions about its operational environment. These
assumptions must hold in order to ensure the security objectives of the TOE are met:

= The network device is assumed to be physically protected in its operational environment and not subject to
physical attacks that compromise the security and/or interfere with the device’s physical interconnections and
correct operation. This protection is assumed to be sufficient to protect the device and the data it contains.

= The device is assumed to provide networking functionality as its core function and not provide
functionality/services that could be deemed as general purpose computing. For example, the device should not
provide a computing platform for general purpose applications (unrelated to networking functionality).

= The administrator(s) for the network device are assumed to be trusted and to act in the best interest of security
for the organisation. This includes being appropriately trained, following policy and adhering to guidance
documentation. Administrators are trusted to ensure passwords/credentials have sufficient strength and entropy.
The network device is not expected to be capable of defending against a malicious administrator that actively
works to bypass or compromise the security of the device.

= The network device firmware and software is assumed to be updated by an administrator on a regular basis in
response to the release of product updates due to known security vulnerabilities.

= The administrator’s credentials (private key) used to access the network device are protected by the platform on
which they reside.

= It is assumed that the TOE is connected to distinct networks in a manner that ensures that the TOE security
policies will be enforced on all applicable network traffic flowing among the attached networks.

Bae er sss Beet teehee ta ee we
Se ee ee ee eee
cyber.gov.au Fe eke
Doreen rer 604
seas Denen DAAD

 
/- C CO C Australian
Cyber Security
7 Sd Centre

Evaluation

Overview

This chapter contains information about the procedures used in conducting the evaluation, the testing conducted as
part of the evaluation and the certification result.

Evaluation procedures
The criteria against which the Target of Evaluation (TOE) has been evaluated are contained in the NDcPP [4] and

Common Criteria for Information Technology Security Evaluation Version 3.1 Revision 5, Parts 2 and 3 (1, 2].

Testing methodology was drawn from Common Methodology for Information Technology Security, April 2017 Version
3.1 Revision 5 [3].

The evaluation was carried out in accordance with the operational procedures of the Australasian Information Security
Evaluation Program [11].

In addition, the conditions outlined in the Arrangement on the Recognition of Common Criteria Certificates in the field
of Information Technology Security were also upheld [10].

Functional testing

All tests performed by the evaluators were taken from the NDcPP [4]. These tests are designed in such a way as to
provide a full coverage of testing for all security functions claimed by the TOE. All Security Functional Requirements
listed in the Security Target and the Protection Profiles were exercised during testing.

Entropy testing

The entropy design description, justification, operation and health tests are assessed and documented in a separate
report [12].

Penetration testing

Vulnerability assessments made against the NDcPP [4] are performed using a set of modified evaluation activities
drawn from the Common Criteria Evaluation Methodology [5] to provide standardised vulnerability testing for TOE-
types evaluated against this cPP. More details can be found in the NDcPP [4] and its supporting document.

The developer performed a vulnerability analysis of the TOE in order to identify any obvious security vulnerability in the
product, and if identified, to show that the security vulnerabilities were not exploitable in the intended environment of
the TOE. This analysis included a search for possible security vulnerabilities in publicly-available information.

The following factors have been taken into consideration during the penetration tests:
= time taken to identify and exploit (elapsed time)
= specialist technical expertise required (specialist expertise)
= knowledge of the TOE design and operation (knowledge of the TOE)
= window of opportunity

= IT hardware/software or other equipment required for the exploitation.

cyber.gov.au ee eee as

pers.
Vmware
@avre

en we sees ss

 
/- C CO C Australian
Cyber Security
7 Sd Centre

Certification

Overview

This chapter contains information about the result of the certification, an overview of the assurance provided and
recommendations made by the certifiers.

Assurance

This certification is focused on the evaluation of product compliance with Protection Profiles that covers the technology
area of network devices. Organisations can have confidence that the scope of an evaluation against an ASD-approved
Protection Profile covers the necessary security functionality expected of the evaluated product and known threats will
have been addressed.

The analysis is supported by testing as outlined in the assurance activities, and a vulnerability survey demonstrating
resistance to penetration attackers with a basic attack potential. Compliance also provides assurance through evidence
of secure delivery procedures. Certification is not a guarantee of freedom from security vulnerabilities.

The effectiveness and integrity of cryptographic functions are also within the scope of product evaluations performed
in line with the Protection Profile (PP). PPs provide assurance by providing a full Security Target, and an analysis of the
Security Functional Requirements in that Security Target, guidance documentation, and a basic description of the
architecture of the TOE.

Certification result

Teron Labs has determined that the TOE upholds the claims made in the Security Target [8] and has met the
requirements of the NDcPP.

After due consideration of the conduct of the evaluation as reported to the certifiers, and of the Evaluation Technical
Report [9], the Australasian Certification Authority certifies the evaluation of the Juniper Junos OS 19.2R1 for MX204
and EX9251 appliances performed by the Australasian Information Security Evaluation Facility, Teron Labs.

Recommendations

Not all of the evaluated functionality present in the TOE may be suitable for Australian and New Zealand Government
users. For further guidance, Australian Government users should refer to the Australian Government Information
Security Manual [5] and New Zealand Government users should consult the New Zealand Information Security Manual

[6].

In addition to ensuring that the assumptions concerning the operational environment are fulfilled, and the guidance
document is followed, the Australasian Certification Authority also recommends that users and administrators:

= ensure that the TOE is operated in the evaluated configuration and that assumptions concerning the TOE security
environment are fulfilled

= configure and operate the TOE according to the vendor’s product administrator guidance

= maintain the underlying environment in a secure manner so that the integrity of the TOE Security Function is
preserved

= verify the hash of any downloaded software, as present on the https://www.juniper.net website.

Bae er sss Beet teehee ta ee we
Se ee ee ee eee
cyber.gov.au Fe eke
Doreen rer 604
seas Denen DAAD

 
/- C CO C Australian
Cyber Security
7 Sd Centre

Annex À — References and abbreviations

References

1. Common Criteria for Information Technology Security Evaluation Part 2: Security functional components April
2017, Version 3.1 Revision 5

2. Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components April
2017, Version 3.1 Revision 5

3. Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, April 2017,
Version 3.1 Revision 5

 

4. collaborative Protection Profile for Network Devices (NDcPP), Version 2.1, 24 September 2018
5. Australian Government Information Security Manual: https://www.cyber.gov.au/ism
6. New Zealand Information Security Manual: https://www.nzism.gcsb.govt.nz/ism-document/
7. Guidance documentation:
Junos® OS Common Criteria Configuration Guide for MX204 and EX9251 Series Devices, 13 June 2019
Junos® OS CLI User Guide, 5 August 2019
Junos® OS Installation and Upgrade Guide, 5 August 2019
Junos® OS User Access and Authentication Feature Guide, 9 July 2019
8. Security Target Junos OS 19.2 R1 for MX204 and EX9251, v1.0, 9 September 2019
9. Evaluation Technical Report - Junos OS 19.2R1 for MX204 and EX9251, v1.0, 9 September 2019
10. ‚Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology
Security, 2 July 2014
11. AISEP Policy Manual (APM): https://www.cyber.gov.au/publications/aisep-policy-manual
12. Seeding of the Kernel RBG in MX204 and EX9251 Appliances running Junos 19.2R1, Version 1.0, 1 July 2019
Abbreviations
AISEP Australasian Information Security Evaluation Program
ASD Australian Signals Directorate
CCRA Common Criteria Recognition Arrangement
NDcPP CCRA-approved collaborative Protection Profile for Network Devices
TOE Target of Evaluation
cyber.gov.au Donner need
Dre
rn Dornen DAAD ©