NIAP: Compliant Product
Compliant Product - Junos OS 18.3R1-S1 for MX240, MX480, MX960, MX2010, MX2020, EX9204, EX9208 and EX9214 with MPC7E-10G/Ex9200-40XS

Certificate Date:  2019.10.01

Validation Report Number:  CCEVS-VR-VID10988-2019

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.1
  Extended Package for MACsec Ethernet Encryption Version 1.2

CC Testing Lab:  Acumen Security

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The Target of Evaluation (TOE) is Juniper Networks, Inc. Junos OS 18.3R1-S1 executing on MX-Series 3D Universal Edge Routers and EX9200-Series Ethernet Switch with MACsec Line Cards.  The supported chassis are:

· MX240
· MX480
· MX960
· MX2010
· MX2020
· EX9204
· EX9208
· EX9214

The supported next generation Routing Engines employed by the MX-Series Router and EX9200-Series Ethernet Switch are:

· RE-S-X6-64G and RE-S-X6-128G for MX240, MX480 and MX960
· EX9200-RE2 for EX9204, EX9208 and EX9214
· REMX2K-X8-64G and REMX2K-X8-128G for MX2010 and MX2020

The line cards containing the MACsec module, which are required for deployment in the TOE, are:

· MPC7E-10G in the MX-Series Router
· EX9200-40XS in the EX-Series Router

Evaluated Configuration

Each of the MX-Series/EX9200-Series appliances is a secure network device that protects itself largely by offering only a minimal logical interface to the network and attached nodes. All MX-Series/EX9200-Series platforms are powered by the Junos OS firmware, Junos OS 18.3R1-S1, which is a special purpose OS that provides no general purpose computing capability. Junos OS provides both management and control functions as well as all IP routing.

The MX-Series/EX9200-Series appliances primarily support the definition of, and enforce, information flow policies among network nodes.  All information flow from one network node to another passes through an instance of the TOE. Information flow is controlled on the basis of network node addresses and protocol. In support of the information flow security functions, the TOE ensures that security-relevant activity is audited, and provides the security tools to manage all of the security functions.

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Junos OS 18.3R1-S1 for MX240, MX480, MX960, MX2010, MX2020, EX9204, EX9208 and EX9214 with MPC7E-10G/Ex9200-40XS was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. Acumen Security determined that the product is conformant to the collaborative Protection Profile for Network Devices (NDcPP) Version 2.1 and the Network Device collaborative Protection Profile (NDcPP) Extended Package MACsec Ethernet Encryption (MACSECEP) Version 1.2. The product, when delivered and configured as identified in the Operational User Guidance and Preparative Procedures, satisfies all of the security functional requirements stated in the Security Target. The project underwent CCEVS Validator review. The evaluation was completed in September 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

The logical boundary of the TOE includes those security functions implemented exclusively by the TOE.


Security Functionality


Security Audit

Junos auditable events are stored in the syslog files on the appliance, and can be sent to an external log server.

Export of audit information to a secure, remote server is achieved by setting up an event trace monitor that sends event log messages by using NETCONF over SSH to the remote system event logging server.


Auditable events include start-up and shutdown of the audit functions, authentication events, as well as the events listed in 10. Audit records include the date and time, event category, event type, username, and the outcome of the event (success or failure). Local syslog storage limits are configurable and are monitored. In the event of storage limits being reached the oldest logs will be overwritten.

Cryptographic Support

The TOE provides an SSH server to support protected communications for administrators to establish secure sessions and to connect to external syslog servers.

The TOE requires that applications exchanging information with it are successfully authenticated prior to any exchange (i.e. applications connecting over SSH).

Communication over point-to-point links between Juniper appliances can be secured using MACsec.

The TOE includes cryptographic modules that provide the underlying cryptographic services, including key management and protection of stored keys, algorithms, random bit generation and crypto-administration.  The cryptographic modules provide confidentiality and integrity services for authentication and for protecting communications with connecting applications.

Identification and Authentication

The TOE supports Role Based Access Control. All users must be authenticated to the TOE prior to carrying out any management actions. The TOE supports password based authentication and public key based authentication. Based on the assigned role, a user is granted a set of privileges to access the system.

Administrative users must provide unique identification and authentication data before any administrative access to the system is granted. Authentication data entered and stored on the TOE is protected.

Security Management

The TOE provides a Security Administrator role that is responsible for:

• the configuration and maintenance of cryptographic elements related to the establishment of secure connections to and from the evaluated product;

• the regular review of all audit data;

• initiation of trusted update function;

• administration of MACsec functionality;

• all administrative tasks (e.g., creating the security policy).

The devices are managed through a Command Line Interface (CLI). The CLI is accessible through local (serial) console connection or remote administrative (SSH) session.

Protection of the TSF

The TOE protects all passwords, pre-shared keys, symmetric keys and private keys from unauthorized disclosure. Passwords are stored in encrypted format. Passwords are stored using sha256 or sha512. The TOE executes self-tests during initial start-up to ensure correct operation and enforcement of its security functions. An administrator can install software updates to the TOE. The TOE internally maintains the date and time.

TOE Access

Prior to establishing an administration session with the TOE, a banner is displayed to the user. The banner messaging is customizable. The TOE will terminate an interactive session after a period of inactivity.  A user can terminate their local CLI session and remote CLI session by entering exit at the prompt.

Trusted Path/Trusted Channel

The TOE supports SSH v2 for secure communication to the syslog server. The TOE supports SSH v2 (remote CLI) for secure remote administration.

Vendor Information

Juniper Networks, Inc.
Geetha Naik