JuniperNetworks NetScreen-500 Security Policy
Trace-route: Trace route                 Y    Y    N
Unset: Unconfigure system parameters     Y    Y    N
· Clear/Delete: Clear dynamic system info
· Exec: Exec system commands
· Exit: Exit command console
· Get (Show Status): Get system information
· Ping: Ping other host
· Reset (Self-Tests): Reset system
· Save: Save command
· Set: Configure system parameters
· Trace-route: Trace route
· Unset: Unconfigure system parameters
The NetScreen-500 supports both role-based and identity-based authentication.
· All roles can be authenticated locally (within the NetScreen device); optionally, the
module supports authentication via a RADIUS server, but only for the User role.
Authentication by use of the RADIUS server is viewed as role-based authentication; all
other methods of authentication are identity-based.
· All other forms of authentication (local database) are classified as identity-based.
· The module supports identity-based authentication for the Cryptographic Officer Role
(local database), the User Role (local database), and the Read-Only Role (local
database).
· User names and passwords are case-sensitive. The password consists of at least six
alphanumeric characters. Since there are 26 uppercase letters, 26 lowercase letters, and
10 digits, the total number of available characters is 62. The probability of someone
guessing a password is 1/(62^6) = 1/56,800,235,584, which is far less than a 1/1,000,000
random success rate. If three login attempts from the console fail consecutively, the
console will be disabled for one minute. If three login attempts from Telnet or the WebUI
(through VPN with AES encryption) fail consecutively, any login attempts from that
source will be dropped for one minute.
· Because the user is locked out after three consecutive login failures, at most three
guesses can be made within one minute, so the random success rate for multiple retries is
1/(62^6) + 1/(62^6) + 1/(62^6) = 3/(62^6), which is far less than
1/100,000.
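The two bullets above reduce to a small amount of arithmetic plus the lockout rule. The following Python is an added example for this page, not Juniper's code and not part of the security policy: it computes the 1/62^6 and 3/62^6 bounds with exact fractions, checks them against the 1/1,000,000 and 1/100,000 limits the policy cites, and models the three-failures-then-one-minute lockout as an assumed per-source state machine. The constant names, `LockoutTracker`, and the per-source bookkeeping are the example's own assumptions; the policy states only the rule, not how the module tracks it.

```python
from fractions import Fraction

# Parameters stated in the NetScreen-500 policy text above.
ALPHABET_SIZE = 62            # 26 uppercase + 26 lowercase + 10 digits
MIN_PASSWORD_LENGTH = 6       # minimum password length enforced by the module
MAX_CONSECUTIVE_FAILURES = 3  # failures before the source is locked out
LOCKOUT_SECONDS = 60          # duration of the lockout

# Limits the policy compares against (assumed names; values are from the text).
SINGLE_ATTEMPT_LIMIT = Fraction(1, 1_000_000)
PER_MINUTE_LIMIT = Fraction(1, 100_000)


def single_guess_probability(alphabet_size: int = ALPHABET_SIZE,
                             length: int = MIN_PASSWORD_LENGTH) -> Fraction:
    """Probability that one random guess matches a uniformly chosen password
    of the minimum length: 1 / alphabet_size**length (1/62^6 here)."""
    return Fraction(1, alphabet_size ** length)


def per_minute_success_probability(alphabet_size: int = ALPHABET_SIZE,
                                   length: int = MIN_PASSWORD_LENGTH,
                                   attempts_per_minute: int = MAX_CONSECUTIVE_FAILURES) -> Fraction:
    """Upper bound on success within one minute: the lockout caps a source at
    `attempts_per_minute` guesses, so the bound is the sum of the per-guess
    probabilities (3/62^6 for the policy's parameters)."""
    return attempts_per_minute * single_guess_probability(alphabet_size, length)


def meets_thresholds(alphabet_size: int = ALPHABET_SIZE,
                     length: int = MIN_PASSWORD_LENGTH,
                     attempts_per_minute: int = MAX_CONSECUTIVE_FAILURES) -> bool:
    """True when both the single-attempt and the per-minute bounds fall below the limits."""
    single = single_guess_probability(alphabet_size, length)
    per_minute = per_minute_success_probability(alphabet_size, length, attempts_per_minute)
    return single < SINGLE_ATTEMPT_LIMIT and per_minute < PER_MINUTE_LIMIT


class LockoutTracker:
    """Assumed model of the policy's lockout rule: three consecutive failures from
    one source lock that source out for 60 s; a success resets the counter.
    The current time is passed in explicitly so the behaviour is testable."""

    def __init__(self, max_failures: int = MAX_CONSECUTIVE_FAILURES,
                 lockout_seconds: int = LOCKOUT_SECONDS) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures: dict[str, int] = {}        # consecutive failures per source
        self._locked_until: dict[str, float] = {}  # lockout expiry per source

    def attempt(self, source: str, credentials_ok: bool, now: float) -> str:
        """Return 'dropped' (source is locked out), 'accepted', 'rejected',
        or 'locked' (this failure triggered the lockout)."""
        if now < self._locked_until.get(source, float("-inf")):
            return "dropped"
        if credentials_ok:
            self._failures[source] = 0
            return "accepted"
        failures = self._failures.get(source, 0) + 1
        if failures >= self.max_failures:
            self._failures[source] = 0
            self._locked_until[source] = now + self.lockout_seconds
            return "locked"
        self._failures[source] = failures
        return "rejected"


if __name__ == "__main__":
    print("single guess:", single_guess_probability())
    print("per minute  :", per_minute_success_probability())
    print("meets limits:", meets_thresholds())
    tracker = LockoutTracker()
    for t, ok in [(0, False), (1, False), (2, False), (30, True), (62, True)]:
        print(t, tracker.attempt("console", ok, t))  # constructed attempt sequence
```

`Fraction` is used deliberately so the comparison against the limits is exact rather than subject to floating-point rounding; calling `meets_thresholds(length=3)` shows the same check failing for a shorter minimum length, which is the kind of variation a reviewer of such a policy would want to verify.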
· In order for authentication data to be protected against disclosure, substitution and
modification, passwords are not echoed during entry.
· The NetScreen-500 enforces both identity-based and role-based authentication. Based
on their identity, the operator assumes the correct role.
· Operators must be authenticated using user names and passwords. Authentication will
occur locally. As an option, the user can be authenticated via a RADIUS server. The