The Target of Evaluation (TOE) is Juniper Networks® ACX7024 and ACX7024X routers with Junos® OS Evolved version 24.4R2. The TOE is a network switch composed of hardware and firmware. The firmware is named Junos® OS Evolved which is the single purpose operating system that operates the management functions of all the Juniper Networks® routers.
\r\nThe TOE is the entire network appliance. The TOE is connected to management workstations, to one or more NTP servers, and to a syslog server. The management workstations can be local or remote. The TOE is also connected to the networks which it interconnects.
\r\nThe TOE software is Junos® OS Evolved, which is the Juniper Linux-based operating system for network devices. It implements a flexible Software Defined Networking (SDN) allowing the tailoring of the software to several applications. Junos® OS Evolved is a horizontal software layer that decouples the application processes from the hardware on which the processes run. Effectively, this decoupling creates a general-purpose software infrastructure spanning all different computing resources on the system. Application processes (protocols, services, and so on) run on top of this infrastructure and communicate with each other by publishing and consuming (that is, subscribing to) the state. Junos® OS Evolved implements the routing, filtering, management, and platform functions.
","evaluation_configuration":"The TOE software is provided as an ISO image, as well as necessary TOE updates, running on the following hardware platforms:
\r\nThe evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process. The criteria against which the ACX7024 and ACX7024X routers with Junos® OS Evolved Version 24.4R2 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 R5. The evaluation methodology used by the evaluation team to conduct the evaluation was the Common Methodology for Information Technology Security Evaluation, Version 3.1, R5 supplemented by that found in the Protection Profiles cited below. The evaluation was completed in January 2026. The product, when delivered and configured as identified in the Common Criteria Evaluated Configuration Guide for ACX7024 and ACX7024X Devices, meets the requirements of the following:
\r\nThe TOE implements an audit function. A rich set of audit data is collected and stored as audit records. Each audit record includes a time stamp stating the exact time at which the audit record was generated. Each audit record also includes sufficient information to allow administrators of the TOE to examine the events and investigate possible security violations and attempts thereof.
\r\nAudit records are stored in log files within the TOE. The administrator also configures the TOE to forward the audit records to an external syslog server. The syslog server is not part of the TOE. Forwarding the audit records to a syslog server takes place over a trusted channel protected with the SSHv2 protocol.
\r\nThe TOE implements cryptographic functionality for the following purposes:
\r\nThe TOE includes several cryptographic libraries for providing this functionality:
\r\nThe TOE also includes a physical, SP800-90B compliant Entropy Source implemented in the TOE hardware for seeding the DRBG with full entropy. In the evaluated configuration, the DRBG is only seeded by the entropy source claimed in FCS_RBG_EXT.1.
\r\nAll cryptographic algorithms implemented in the Junos® OS Evolved OpenSSL Cryptographic Module and the Junos® OS Evolved Kernel Cryptographic Module are validated by the Cryptographic Algorithm Validation Program (CAVP). This fulfills the requirements of NIAP Policy Letter #5. In addition, the SP800-90B compliant Entropy Source is validated by the Entropy Source Validation (ESV).
\r\nIdentification and Authentication
\r\nThe TOE ensures that access to administrative functions is only granted to successfully identified and authenticated users. Illegitimate users are deterred and prevented from gaining access.
\r\nThe TOE implements password-based authentication to local and remote users. Remote authentication, which is implemented over a trusted path using SSHv2, can be also performed using public-key authentication.
\r\nThe external syslog server establishes an SSHv2 session under NETCONF with the TOE so the TOE can send audit records. The TOE identifies and authenticates the external server using SSHv2 public-key authentication.
\r\nSecurity Management
\r\nAuthorized administrators may use a Command Line Interface (CLI) for performing a wide range of security management tasks on the TOE. The CLI may be accessed locally from the console or remotely over a SSH connection. There are no alternative methods of administering the TOE.
\r\nThe TOE implements a set of security measures for protecting its TSF and the corresponding configuration parameters. The TOE implements integrity tests of the TOE and cryptographic algorithm self-tests at start-up and takes protective measures if the tests indicate that the TOE software has been tampered or there is a failure in the self-tests.
\r\nThe TOE protects passwords by hashing their values and not allowing direct access to where they are stored. The TOE also protects cryptographic keys by enforcing access control to the key containers.
\r\nTOE access is restricted to authorized administrators and all administrator access goes through a CLI. Administrators have no root access to the underlying Linux operating system.
\r\nThe TOE also allows upgrading the software in case of vulnerabilities being discovered in the implementation. The integrity of the TOE software is ensured by using a digital signature that is verified before the TOE update.
\r\nThe TOE maintains a system clock that is used for generating time stamps used in the enforcement of security functions.
\r\nTOE Access
\r\nThe TOE allows the display of a banner before and after a user logs in. The TOE also controls idle remote sessions and terminates the session after a period of time.
\r\nThe TOE implements a secure channel for administrators to manage the TOE remotely. Administrators can connect to the TOE from a remote management station using the SSHv2 protocol. Once successfully identified and authenticated, the administrator has access to the Command Line Interface (CLI).
\r\nThe TOE also establishes a secure channel using SSHv2 for sending audit records to an external syslog server.
\r\nThe TOE includes the OpenSSH library version 9.8p1 to implement the SSHv2 protocol. The TOE allows both password-based and public-key-based authentication. The underlying cryptographic algorithms needed for the protocol are provided by the Junos® OS Evolved OpenSSL Cryptographic Module.
","features":[{"id":990,"feature_name":"Asymmetric Key Generation"},{"id":982,"feature_name":"Auditing"},{"id":986,"feature_name":"Cryptographic Hashing"},{"id":985,"feature_name":"Cryptographic Key Establishment"},{"id":988,"feature_name":"Cryptographic Signature Generation"},{"id":991,"feature_name":"Cryptographic Signature Verification"},{"id":989,"feature_name":"DRBG"},{"id":981,"feature_name":"Flaw Remediation"},{"id":992,"feature_name":"IPsec"},{"id":983,"feature_name":"Key Destruction"},{"id":987,"feature_name":"Keyed-hash message authentication"},{"id":12,"feature_name":"Network Router"},{"id":984,"feature_name":"SSH Server"}]}