Compliant Product - Junos OS 19.1R2 for MX series with MultiServices MPC
Certificate Date: 2020.02.19
Validation Report Number: CCEVS-VR-VID11012-2020
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314
Extended Package for VPN Gateways Version 2.1
CC Testing Lab: Acumen Security
The Target of Evaluation (TOE) is Juniper Networks, Inc. Junos OS 19.1R2 executing on MX-Series 3D Universal Edge Routers Multiservices MPC Line Card. The supported MX-Series chassis are:
The supported Routing Engines employed by the MX-Series Router are:
- RE1800 generation Routing Engines:
  - RE-S-1800x4-YYG for MX240, MX480 and MX960 (Intel Xeon LC5518 processor (Jasper Forest family, Nehalem microarchitecture))
  - RE-MX2000-1800X4 and REMX2K-1800-32G-S for MX2010 and MX2020 (Intel Xeon LC5518 processor (Jasper Forest family, Nehalem microarchitecture))
- Next Generation Routing Engines (RE-NG):
  - RE-S-X6-64G for MX240, MX480 and MX960 (Xeon E5-2608L processor (Haswell))
  - REMX2K-X8-64G for MX2010 and MX2020 (Xeon E5-2618L processor (Haswell))
The Multiservices MPC Line Card (MS-MPC) provides IPsec services for the MX-Series Router. A chassis supports one or more MS-MPC cards in order to provide the required connection and throughput capabilities. The MS-MPC interoperates with any of the Routing Engines listed above. The processor on the MS-MPC is the Broadcom XLP832 (EC4400 core). Software for the MS-MPC is included in the software distribution for the Routing Engine and is dynamically loaded to the MS-MPC from the RE on start-up.
A crypto library (XLP) executes on the MS-MPC and provides cryptographic services for IPsec:
- Key agreement and signature services for IKE
- Encryption and message authentication services for ESP
Each of the Routing appliances is a secure network device that protects itself largely by offering only a minimal logical interface to the network and attached nodes. All router platforms are powered by the Junos OS software, Junos OS 19.1R2, which is a special purpose OS that provides no general purpose computing capability. Junos OS provides both management and control functions as well as all IP routing.
The Routing appliances primarily support the definition of, and enforce, information flow policies among network nodes. All information flow between network nodes passes through an instance of the TOE. Information flow is controlled on the basis of network node addresses and protocol. In support of the information flow security functions, the TOE ensures that security-relevant activity is audited, and provides the security tools to manage the security functions and multi-site virtual private network (VPN) gateway functionality.
Note: in the Routing Engine model RE-S-1800x4-YYG, YY = 8, 16 or 32 GB memory.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Junos OS 19.1R2 for MX240, MX480, MX960, MX2010 and MX2020 with Multiservices MPC was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4. Acumen Security determined that the product conforms to the collaborative Protection Profile for Network Devices (NDcPP) Version 2.0e and the [VPN_EP] Network Device Collaborative Protection Profile (NDcPP)/Stateful Traffic Filter Firewall Collaborative Protection Profile (FWcPP) Extended Package VPN Gateway, Version 2.1. The product, when delivered and configured as identified in the Operational User Guidance and Preparative Procedures, satisfies all of the security functional requirements stated in the Security Target. The project underwent CCEVS Validator review. The evaluation was completed in February 2020. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The logical boundary of the TOE includes those security functions implemented exclusively by the TOE.
Juniper Networks, Inc.