CC FIPS Documentation #651
@@ -0,0 +1,288 @@
---
This document is the same one that is already published, correct? Rather than duplicating it, please make it a module that is imported instead.
One of the requirements for the CC FIPS docs is that they are versioned, which would lock it. If we use the existing docs as links, then we cannot guarantee that the documentation won't change. So the individual files, specifically for this version of software are copied into the doc and not updated with the rest of the documentation.
If we could have a separate location just for this doc, that would be better, and solve the issue of someone coming across it.
Please keep in mind that CC and FIPS are completely independent of each other. The only reason FIPS is a part of this is because we require that FIPS mode is enabled on the SSR. I would suggest renaming the PR to not include FIPS.
One of the requirements for the CC FIPS docs is that they are versioned
An alternative proposed by Teron is that we publish a PDF of the CC-specific doc, which is a snapshot in time of the common web-based doc content for FIPS.
That PDF can then be given a specific version number and posted as a standalone doc, along with the CC ST and guidance documents, which also must be similarly version controlled.
docs/cc_fips_titlepage.md
sidebar_label: SSR Common Criteria and FIPS Installation and User Guide
---

This guide provides installation and configuration information for using SSR Conductors and Routers in a certified Common Criteria and FIPS environment.
While this introduction might be sufficient for those well versed in CC, it may not be sufficient for those navigating here without prior knowledge. A better introduction as to why a customer would choose to deploy in this fashion would be helpful.
@@ -0,0 +1,217 @@
---
This document is the same one that is already published, correct? Rather than duplicating it, please make it a module that is imported instead.
@@ -0,0 +1,39 @@
---
title: Username and Password Policies
This document is the same one that is already published, correct? Rather than duplicating it, please make it a module that is imported instead.
@MichaelBaj one of the requirements for this documentation is that it must be versioned, meaning that once we get SSR CC certified with a particular version and with this specific Guidance doc, it must not be changeable. I am all for reusing this as a module, but it also must be frozen in time.
@@ -0,0 +1,316 @@
---
This document is the same one that is already published, correct? Rather than duplicating it, please make it a module that is imported instead.
All CC documents must be immutable, i.e. snapshot or standalone versioned documents, and cannot be updated after publishing without invalidating the CC compliance. I.e. the exact docs used during CC verification must remain available indefinitely and unmodified; it's not permitted to reference CI/CD docs such as our online web pages.
…nd breaking intro into two topics
docs/cc_fips_router_install.md
:::note
A system reboot is required.
:::---->
<!------->
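Review bot: the `:::---->` and `<!------->` lines are stray comment syntax: within this hunk `---->` has no matching `<!--` opening before it, and `<!------->` opens and immediately closes a comment whose body is only dashes, so the admonition's closing `:::` ends up fused with markup that renders as literal text. If the note is meant to be hidden, wrap the whole block as `<!-- :::note ... ::: -->`; if it is meant to show, drop both fragments and leave `:::` on its own line.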
Why is this here?
For compliance, the following configuration considerations must be made:

- FIPS mode must be enabled **during installation**.
- All configuration procedures must be performed from the PCLI; use of the GUI is not part of the approved use case.
The distinction is that the GUI is allowed during the initial setup process.
- When installing a router, the [ICMP Session Match](cc_fips_sec_firewall_filtering.md#from-the-command-line) must be set to `identifier-and-type`.
- Configure the [TCP Half-Open Connections Limit](cc_fips_sec_firewall_filtering.md#tcp-half-open-connection-limit) for firewall.
- The `password-policy` must define the minimum password length and maximum number of permitted login attempts per user. Please refer to [`configure authority password-policy`](config_command_guide.md#configure-authority-password-policy) for pcli commands and context for assigning these values.
- Traffic logging must be enabled by setting the following command to `true`:
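Review bot: the `password-policy` bullet writes `pcli commands` in lowercase while the bullet above uses `PCLI`; use one spelling throughout the guide. Two smaller points in the same hunk: "for firewall" in the half-open-connections bullet should read "for the firewall", and the last bullet ends with "setting the following command to `true`:", so the command it introduces must immediately follow it in the file rather than being separated by other text.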
This is a very performance-affecting setting. Users should not expect to run more than a handful of sessions while traffic ICSA events are being collected.

- Non-Juniper branded hardware platforms and Juniper branded hardware platforms not explicitly included.
- Juniper SSR Software for virtual platforms.
- HTTPS/TLS, IPSec, SNMP, RADIUS.
No LDAP either. Basically nothing that uses TLS or IPSec.
@@ -0,0 +1,39 @@
---
title: Username and Password Policies
@MichaelBaj one of the requirements for this documentation is that it must be versioned, meaning that once we get SSR CC certified with a particular version and with this specific Guidance doc, it must not be changeable. I am all for reusing this as a module, but it also must be frozen in time.
docs/cc_fips_titlepage.md
@@ -0,0 +1,20 @@
---
title: SSR Common Criteria and FIPS Installation and User Guide
Is this replacing our standard FIPS docs?
No. I was under the assumption that CC and FIPS were tied together as part of a certification, hence the doc reflects that. I am changing it all in the next push.
docs/cc_fips_conductor_install.md

For serial console issues please refer to [Serial Console Troubleshooting](ts_serial_console_tsing.md).

#### Install via VGA Console
None of the CC certified platforms has a VGA, does it?
I think we use the serial console on all the qualified SSR platforms, so this can be omitted for CC.
docs/cc_fips_conductor_install.md

3. Press **Enter** to start the install.

## Conductor Installation
@migolnikov, are we including conductor in CC?
Is conductor running on one of the CC qualified SSR platforms?
Yes, conductor is included as a separate device. This is the distributed platform decision we made. There is no reason conductor cannot run on Juniper branded hardware.
This is the UEFI VGA, not the BIOS Serial.
Please replace with the 'blue' screenshot for fips serial.

## Out of Scope Features

The following functionality and platforms are not supported under Common Criteria.
"not supported" -> "not permitted" ?
Or "not approved for Common Criteria" or "not certified"
Mixed up titles for these images?
This one is install VGA interactive, not install serial interactive.
screenshots and cc-specific details need fixing as noted inline
docs/cc_fips_conductor_install.md

Upon boot, the following screen is displayed. The default selection is booting to the serial console (115200 baud). You must manually choose the installation process suited for your environment.

![Select Serial Install](/img/cc_fips_serial_install1.png)
I think we should remove 27..34 here, and move 35 down to after 44
…t is and is not a plugin.Merge branch 'kagrawal/refactor-monitoring-plugin-docs' into cc-fips-documentation
docs/cc_fips_titlepage.md
- Release Date: December 15, 2023

Supported Hardware (must have Software Version 6.2.3-14-R2 installed):
- SSR 120, SSR 130
This is a stylistic question: why break these systems up onto two bulleted lines? This was done to separate the low-end from the high-end, but I don't think that matters in this context. I would recommend just listing each device on its own bulleted line.
docs/cc_fips_titlepage.md

| Document Revision | Modification | Date |
| --- | --- | --- |
| 0.1 | Initial version for 6.2.3-R2 Common Criteria | December 31, 2023 |
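Review bot: the revision row names the release as `6.2.3-R2`, but the same title page states `Software Version 6.2.3-14-R2` and the intro file writes `v6.2.3-14R2`; since the guidance document is tied to the exact certified build, settle on one canonical version string and use it everywhere, including this table.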
Do these pre-release drafts each need to be documented, even following receipt of CC certification?
No, once finalized it will read only: | 1.0 | Initial version for 6.2.3-R2-14 Common Criteria | March 22, 2023 |

Common Criteria for information technology is an international agreement signed by several countries that permits the evaluation of security products against a common set of standards. In the Common Criteria Recognition Arrangement (CCRA) at http://www.commoncriteriaportal.org/, the participants agree to mutually recognize evaluations of products performed in other countries. All evaluations are performed using a common methodology for information technology security evaluation.

For more information on Common Criteria, see http://www.commoncriteriaportal.org/.
This URL is listed twice within two sentences. I would remove the first instance.
docs/cc_fips_intro.md

The family of Juniper SSR appliances consists of the Session Smart Networking software executing on Juniper branded platforms. The compliant appliances include the following:

- SSR 120, SSR 130
Each SSR device should be on its own line.
docs/cc_fips_intro.md
- SSR 120, SSR 130
- SSR 1200, SSR 1300, SSR 1400, SSR 1500

The software is Juniper SSR software v6.2.3-14R2. The software is deployed in an ISO package file, which includes Enterprise Linux 7.9 with kernel version 4.18.0.
missing hyphen after 14 and R2

1. Create an event collector input to capture the traffic events. An example input configuration is shown below.

```toml
This is not part of the 128T config. Specify the file that contains this contents.

2. Define an output for where the events are to be sent. In this example, the events are sent to a syslog server.

```toml
This is not part of the 128T config. Specify the file that contains this contents.
1. Create an event collector input to capture the traffic events. An example input configuration is shown below.

```toml
[[inputs.t128_events]]
This is not part of the 128T config. Specify the file that contains this contents.
docs/cc_fips_config_audit_event.md
2024-03-14 21:35:10,274: INFO - Using Manifest package 128T-deprecated-packages-0:6.4.0.1.develop.el7-1.x86_64
```

### All Management Activities of TSF data
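Review bot: the sample log line cites `128T-deprecated-packages-0:6.4.0.1.develop.el7-1.x86_64`, a 6.4.0.1 development build, which does not match the 6.2.3-14-R2 release this guide is versioned against; regenerate the example output from the certified build so the audit-event record shown here is the one evaluators will actually see.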
TSF?
Target of Evaluation (TOE) Security Functionality. Took me a long time to find that one... It now reads "All Management Activities of Security Functionality Data"
docs/cc_fips_software_upgrades.md
Please refer to [Upgrade Considerations](https://www.juniper.net/documentation/us/en/software/session-smart-router/docs/intro_upgrade_considerations) before upgrading.

:::important
**The SSH Root login is not permitted and is not compliant with Common Criteria guidelines.** If the existing version allows SSH Root login, it will be disabled during the upgrade.
Logging in as root is not permitted and is not compliant with Common Criteria guidelines.
…e one current change locally that is conflicting. Merge branch 'cc-fips-documentation' of github.com:128technology/docs into cc-fips-documentation
docs/cc_fips_config_audit_event.md
- Types of events available on the router
- Enabling the Audit events

## Event Types
The events generated by the router are classified into the following categories:

### Traffic Events
Traffic events are generated as sessions as created on the router. These include details such as the protocol, source address, source port, destination address and destination port. In addition, the success or failure status along with a reason code for failure cases are included in the event.
Traffic events are generated as sessions created on the router. These include details such as the protocol, source address, source port, destination address and destination port. In addition, the success or failure status along with a reason code for failure cases are included in the event.
oops, I gave incorrect advice.
Traffic events are generated as sessions are created
Very old comments, all have been addressed. Need to push live, Max is out on vacation.