WHITEPAPER:
imageRUNNER ADVANCE AND imageRUNNER ADVANCE DX SECURITY
INTENT OF THIS DOCUMENT
Canon recognizes the importance of information security and the challenges that your organization faces. This white paper provides information security facts for Canon Multi Function Devices (MFD) imageRUNNER ADVANCE / imageRUNNER ADVANCE DX / imagePRESS C165 systems (hereafter called imageRUNNER ADVANCE). It provides details on imageRUNNER ADVANCE security technology for networked and stand-alone environments, as well as an overview of Canon’s device architecture, framework and product technologies as related to document and information security.
This White Paper is primarily intended for the administrative personnel of a customer charged with responsibility for the configuration and maintenance of imageRUNNER ADVANCE systems. The information in this document may be used to more clearly understand the many imageRUNNER ADVANCE securityrelated configuration capabilities offered by Canon. The imageRUNNER ADVANCE system offers a number of standard and optional capabilities that, when used by a customer, can help facilitate effective management and security of data processed and stored by the system. Ultimately, it is the customer’s responsibility to select the method(s) most appropriate for securing their information.
Canon does not warrant that use of the information contained within this document will prevent malicious attacks or prevent misuse of your imageRUNNER ADVANCE systems.
Products shown with optional accessories/equipment. The features reviewed in this white paper include both standard and optional solutions for imageRUNNER ADVANCE systems. Specifications and availability subject to change without notice.
4 | DEVICE SECURITY WHITEPAPER
00
Contents
Introduction............................................................................................ |
2 |
Device Security..................................................................................... |
5 |
Data Security........................................................................................ |
17 |
Network Security............................................................................... |
32 |
Security Monitoring & Management........................................... |
47 |
Logging & Auditing.......................................................................... |
49 |
Canon Solutions & Regulatory Requirements........................ |
52 |
Conclusion........................................................................................... |
54 |
Appendix............................................................................................... |
55 |
Disclaimer.............................................................................................. |
61 |
1 | DEVICE SECURITY WHITEPAPER
01
Introduction
Security Market Overview
In today’s digital world, risks to networks and devices come in more forms and from more directions than ever before. From identity theft and intellectual property loss to infection by viruses and Trojan horses, IT administrators today find themselves playing an additional role of security officer to adequately protect information and assets from threats from the outside as well as within.
Nearly every day destructive threats emerge, and undiscovered vulnerabilities are exposed, proving that you can never be too secure. IT administrators need a holistic security strategy that can be applied at every level of the organization
— from servers, desktops and devices such as MFDs, to the networks that connect them all.
As if the risks to computers, networks and devices weren’t difficult enough to address, increased governmental regulations add an additional layer of strict compliance standards that must be met. Legislation such as the General Data Protection Regulation and Sarbanes-Oxley Act (SOX), Financial Conduct Authority (FCA) all require that IT administrators ensure the confidentiality, integrity and availability information receives the utmost attention.
Imaging & Printing Security Overview
Any networked Multifunction Device is potentially at risk of being attacked through the network. For this reason, MFDs require security measures just like PCs. Techniques of malicious adversaries evolve every day, and it is required not only to take actions against existing attack methods but also to provide a multilayered defence with multiple proactive protection methods. Furthermore, because an MFD is also a document handling device, in addition to IT device security measures, document-specific security measures such as preventing printout leakage is also required.
The Canon imageRUNNER ADVANCE Security White Paper has been designed to provide detailed information on how imageRUNNER ADVANCE systems can address a wide variety of security concerns. Canon imageRUNNER ADVANCE systems offer many standard security capabilities, as well as a number of advanced security options that may be added for a higher level of confidentiality, integrity and availability of your mission critical information.
Canon continues to take information security measures to gain customer’s trust and to be proactive in acquiring and maintaining third-party accreditation.
2 | DEVICE SECURITY WHITEPAPER
01
Introduction
Key Security Concentration Areas
Canon recognizes the vital need to help prevent data loss, protect against unwanted device use, and mitigate the risk of information being compromised. As a result, all imageRUNNER ADVANCE systems include many standard security features to help safeguard information. Canon imageRUNNER ADVANCE security capabilities fall into five key areas:
•Device Security
•Data Security
•Network Security
•Security Monitoring / Management Tools
•Logging & Auditing
NOTE: Please refer to Table 9.2 in Appendix for the Security Features Table illustrating Device compatibility, and where a feature is standard or optional on the device.
Canon dedicates a significant amount of time and resources to continually improve the security capabilities of its imageRUNNER ADVANCE devices. Numerous robust capabilities are available for administrators to restrict access to the device’s features and functions at a granular level, while maintaining high availability and productivity.
3 | DEVICE SECURITY WHITEPAPER
01
Introduction
Note:
Depending on the model, some features are within the standard feature set of the device, while others require additional accessories. Document Scan Lock and Tracking***, Encrypted Secure Print, Secure Watermark Encrypted PDF**, Fax, Control Card System, Removable HDD***, HDD Data Erase Scheduler, and IEEE2600 Common Criteria Certification are available as options. IEEE2600 Common Criteria Certification may not be available at time of launch. Check the price list for availability.
*Only available with 3rd edition models and imageRUNNER ADVANCE DX models. McAfee Embedded Control requires Unified Firmware Platform v3.9 or later
**Standard with DX models, 3rd edition and 2nd edition models. Optional with 1st edition models.
***Not available on imageRUNNER ADVANCE DX models.
****Standard with DX models. Available on 3rd edition, 2nd edition and 1st edition models with Unified Firmware Platform V3.10.
†There is no Removable HDD Kit option for DX models, but DX models (excluding C3700 Series) can have their HDD removed. When the connector reaches its service life, it must be purchased and replaced by a service technician.
4 | DEVICE SECURITY WHITEPAPER
02
Device Security
imageRUNNER ADVANCE Controller Security
The imageRUNNER ADVANCE series is built upon a platform that provides powerful enhancements to security and productivity. The architecture centres on an operating system powered by an embedded version of Linux, which is quickly becoming the most widely adopted platform for sophisticated devices. The source version used by imageRUNNER ADVANCE devices has been hardened by removing all unnecessary drivers and services so that only the ones essential to its operation are included.
The nature of embedded Linux and the hardening of the operating system drastically reduce the exposure to exploits as compared to a desktop or server version of a Linux or Windows operating system. Canon strives to develop products that meet or exceed our customer’s security requirements. Some of the security related activities include independent testing by security consulting companies of Canon imageRUNNER ADVANCE devices during various phases of the development process to flush out any potential vulnerability prior to production. Also, Canon has collaborated with industry initiatives, such as the development of the IEEE 2600 CC Certification standards for hardcopy device and system security.
Authentication
Canon imageRUNNER ADVANCE systems include a number of authentication options which administrators can use to ensure that only approved walk-up and network-based users can access the device and its functions, such as print, copy and Scan and Send features. Beyond limiting access to only authorized users, authentication also provides the ability to control usage of colour output, and total print counts by department or user.
Device-Based Authentication
uniFLOW Online Express
uniFLOW Online Express is a server-less and Cloud-based login application for imageRUNNER ADVANCE devices (standard on third generation imageRUNNER ADVANCE), which provides an easy and convenient solution for user authentication. Ideal for small to medium size businesses, uniFLOW Online Express’ simple user authentication includes card log-in (requires an additional option), PIN code, or user name and password, using local or Active Directory (AD), with minimal IT requirements. Utilising AMS (Access Management System), found on all imageRUNNER ADVANCE devices, uniFLOW Online Express allows comprehensive control of access on a per-user basis. In addition, uniFLOW Online Express delivers simplified tracking, allowing organizations to obtain a simple overview of user or device usage activity.
5 | DEVICE SECURITY WHITEPAPER
02
Device Security
User Authentication (UA)
The User Authentication (UA) is a new Multifunctional Embedded Application Platform, known asMEAP, ogin service which is available on the imageRUNNER ADVANCE C3300 Series, third generation imageRUNNER ADVANCE, imageRUNNER ADVANCE DX and imagePRESS C165 model. User Authentication combines the SSO-H and Department ID functions available on other imageRUNNER ADVANCE Models. UA can manage up to 5,000 user accounts within 1,000 department codes.
Department ID Mode
An embedded feature within imageRUNNER ADVANCE systems, the Department ID Management mode permits administrators to control device access. If Department ID authentication is enabled, end users are required to enter a fourdigit password before they are able to access the device. Up to 1,000 Department IDs can be configured and each can be configured with device function limitations, such as limiting, printing, copying and access to Advance Boxes, Mail Boxes and facsimile.
Access to Advanced Boxes, Mail Boxes, and Scan and Send (if applicable) can each be turned “On” or “Off” from the Limit Functions screen located under Department ID Management.
The settings can be made under Settings / Registration >Management Settings > User Management > Department ID Management
Single Sign-On Hybrid (SSO-H) Login
Single Sign-On Hybrid (SSO-H) is a Multifunctional Embedded Application Platform (MEAP) login service that can be used stand-alone with user data registered locally on the device or in conjunction with an Active Directory (AD) network environment. SSO-H supports the following modes:
•Local Device Authentication – with credentials stored in the device
•Domain Authentication – in this mode, user authentication can be linked to an Active Directory environment on the network
•Domain Authentication + Local Device Authentication
When used in Domain Authentication mode, a user must successfully authenticate using valid credentials on the system’s control panel, Remote UI utility, or web browser when accessed via a network prior to gaining access to any of the device functions.
6 | DEVICE SECURITY WHITEPAPER
02
Device Security
SSO-H ships as standard with MEAP capable imageRUNNER ADVANCE systems* and can support up to 200 trusted domains plus the users that belong to the same domain as the device. Canon imageRUNNER ADVANCE systems also ship with SSO-H, which supports direct authentication against an Active Directory domain using Kerberos or NTLMv2 as the authentication protocol. SSO-H does not require any additional software to perform the user authentication as it is able to directly communicate with the Active Directory domain controllers. In Local Device Authentication mode, SSO-H can support up to 5,000 users. For a combined use of Domain Authentication and Local Device Authentication, an LDAP server can be configured instead of Domain Authentication.
*This feature is not pre-packaged on third generation imageRUNNER ADVANCE models, imageRUNNER ADVANCE DX and imagePRESS C165.
Card-Based Authentication
uniFLOW Card Authentication
When combined with the optional uniFLOW, imageRUNNER ADVANCE systems are able to securely authenticate users through contactless cards, chip cards, magnetic cards and PIN codes. uniFLOW supports HID Prox, MIFARE, Legic, Hitag and Magnetic cards natively using its own reader, as well as others through custom integrations. Certain models of RF Ideas Card Readers can also be integrated to support authentication using radio-frequency identification
(RFID) cards.
Access Control
Canon imageRUNNER ADVANCE systems support a number of access control options to help you manage the use of device settings and functions in addition to specific capabilities of certain functions. Canon offers solutions that can lock down the entire device, or simply lock down specific functions (e.g. Send-to- Email), while leaving other applications available for general use. With the power and flexibility of MEAP, some solutions can be customized to meet your
specific requirements.
Access Management System
The Access Management System, which is standard on imageRUNNER ADVANCE systems, can be used to tightly control access to device functionality. Restrictions can be assigned to users and groups, to restrict entire functions or restrict specific features within a function. Access restrictions are managed in units called “roles”.
Roles contain information that determines which of the various functions of the device may be used or not.
7 | DEVICE SECURITY WHITEPAPER
02
Device Security
Roles can be set up based on individual user’s job title or responsibilities or by group, enabling the administrator to create roles specific to certain departments or workgroups. Since the administrator is not limited to restricting all or none of a particular function, the roles can be as specific as is required for a number of business needs. Beyond the Base roles which contain default access restrictions, up to 100 new Custom roles can be registered for up to 5,000 users (when user is used). The administrator can also define whether to allow unregistered users to log in as guests and then specify settings for guest user’s roles. The following describes the various Base access levels (roles) that are available:
|
Privileges by Access Level |
|
|
Predefined Role |
Access Privileges |
|
|
Administrator |
Given privileges to operate all device functions. |
|
|
Network Manager/Admin |
Network manager mainly manages the settings related to the network under |
|
Settings/Registration. |
|
|
Device Manager/Admin |
Device Manager can specify settings related to management settings for |
|
paper type and function settings for Send/Receive. |
Power User |
Given privileges to operate all device functions, except managing the |
|
device itself. |
General User |
Given privileges to operate all device functions, except managing the device |
|
itself and specifying/registering address book. |
|
|
Limited User |
Restricted from device management, all send functions and only allowed |
|
2-sided printing and copying. |
Guest |
Restricted from device management, all send functions and only allowed |
|
2-sided printing and copying. |
|
|
The following functions and features can be restricted:
Gen 2 |
Gen 3 / DX |
||
|
|
|
|
Dep ID w/o AMS (with |
Auth (SSO-H or ULM) |
Auth (UA) w/o AMS Max 32 |
Auth (UA or ULM) w/ |
any Auth (DA, SSO-H or |
|
functions |
AMS |
ULM) |
|
|
|
MAX 3 functions |
MAX 32 functions |
MAX 32 functions |
MAX 32 functions |
|
|
|
|
Store/Access Files, Fax/i-Fax |
Copy |
Copy |
Copy |
inbox |
|
|
|
Send/Fax |
Scan and Sent |
Scan and Sent |
Scan and Sent |
|
|
|
|
Other |
Fax |
Fax |
Fax |
|
|
|
|
|
Secured Print |
Secured Print |
Secured Print |
|
|
|
|
|
Access Store Files |
Access Store Files |
Access Store Files |
|
|
|
|
|
Scan and Store |
Scan and Store |
Scan and Store |
|
|
|
|
|
Fax/i-Fax Inbox |
Fax/i-Fax Inbox |
Fax/i-Fax Inbox |
|
|
|
|
|
Hold |
Hold |
Hold |
|
|
|
|
|
Scanner |
Scanner |
Scanner |
|
|
|
|
|
Printer |
Printer |
Printer |
|
|
|
|
|
Tutorial |
Tutorial |
Tutorial |
|
|
|
|
|
Web Access |
Web Access |
Web Access |
|
|
|
|
|
MEAP Applications |
Dest./Fwd. Setting |
Dest./Fwd. Setting |
|
|
|
|
|
|
Web Access favorite |
Web Access favorite |
|
|
|
|
|
|
MEAP Applications |
MEAP Applications |
|
|
|
|
8 | DEVICE SECURITY WHITEPAPER
02
Device Security
When the Access Management System has been enabled, users must log in to the device using ULM, UA or SSO-H user authentication. Access Management System supports authentication through local device authentication as well as Active Directory using SSO-H, which includes support for Kerberos Authentication. Once a user logs into the device with their user name and password, the device can determine which roles are assigned to that particular user. Restrictions are applied based on the assigned roles. If an entire function is restricted, it will appear greyed out to the user after authentication.
Function Level Authentication
Canon imageRUNNER ADVANCE systems offer the ability to limit the use of specific functions by authorized users by requiring authentication to use sensitive functions with Function Level Authentication. Function Level Authentication is a part of Access Management System and works with ULM, UA, or SSO-H for authentication. It enables administrators to choose precisely which functions are permitted by walk-up and network users without entering credentials versus the ones that require a user to login. For example, administrators may choose to allow all users to make black-and-white copies while prompting users to login if they choose to output colour or use the Scan and Send function.
9 | DEVICE SECURITY WHITEPAPER
02
Device Security
Password-Protected System Settings
As a standard feature, imageRUNNER ADVANCE systems setup screens support password protection to restrict device setting changes from the control panel and Remote UI tool. System Administrators can set network information, system configuration, enable, and disable network and printing protocols among many other options. Canon highly recommends setting an administrator password at time of installation since it controls critical device settings.
Remote UI Default Password Change
To ensure good security practice, unique passwords should be used for each device or require the user to change the default password to a unique password before use. This prevents trivial remote access to the device until the default password/PIN for the Administrator/System Manager account is changed. This changes the ability to access the Remote UI through your web browser when the default password/PIN of “7654321” is currently set on the device. Depending on the series of device, access to the RUI will be prevented or the RUI will be disabled until the default password is changed.
10 | DEVICE SECURITY WHITEPAPER
02
Device Security
Scan and Send Security
On devices that have Scan and Send enabled, certain information such as fax numbers and e-mail addresses may be considered confidential and sensitive. For these devices, there are additional security features to prevent confidential information from being accessed.
Address Book Password
Administrative and individual passwords can be set for Address Book Management functions. A system administrator can define the specific Address Book data that can be viewed by users, effectively masking private details. This password may be set separately so individuals other than the System Manager can administer the Address Book.
By setting a password for an Address Book, the ability to Store, Edit, or Erase individual and group e-mail addresses in the Address Book is restricted. Therefore, only individuals with the correct password for an Address Book will be able to make modifications.
This is not the same functionality when password protecting an Address Book. Administrators who are looking to Import/Export an Address Book, can elect to set a password when exporting the File. That password is then required to Import the Address Book. The Address Book Import/Export function is available through the Remote UI utility.
Access Code for Address Book
End-users will also have the capacity to place an access number code on addresses in the Address Book. When registering an address, users can then enter an Access Number to restrict the display of that entry in the Address Book. This function limits the display and use of an address in the Address Book to those users who have the correct code. The Access Number can be turned on or off, depending on the level of security the end-user finds necessary.
Settings/Registration > Set Destination > Register Destinations > Register New Destinations, from here the user can register a new e-mail address, fax number, I-Fax, file or group address and set an access code for that specific address entry in the address book.
Destination Restriction Function
Data transmission to a new destination through the Scan and Send and Fax function can be restricted, prohibiting transmissions to locations other than the destinations registered or permitted by the System Manager.
By restricting sending of faxes, e-mails, I-faxes, and files to new destinations using the procedure below, data can only be sent to previously registered destinations. As you can no longer enter or send to new destinations, setting this mode with an Address Book PIN increases security when sending. Sending is only allowed in the following cases when this mode is set:
•If you specify a destination stored in the Address Book
•If you specify a destination obtained via an LDAP server
•If you specify a destination by pressing a one-touch button
•If you recall stored [Favourite Settings] including destinations
•If you select [Send to Myself]
11 | DEVICE SECURITY WHITEPAPER
02
Device Security
SMB Protocol Support Chart (Send to SMB)
Series |
SMB 1.0 |
SMB 2.0 |
SMB 3.0 |
Special FW |
|
For |
|||||
supported |
supported |
supported |
|||
|
SMB2.0/3.0 |
||||
|
|
|
|
||
|
|
|
|
|
|
iR 1435 / 1435+ series |
YES |
YES |
- |
- |
|
|
|
|
|
|
|
iR 1643 series |
YES |
YES |
YES |
- |
|
|
|
|
|
|
|
iR 2500 series |
YES |
- |
- |
YES |
|
|
|
|
|
|
|
iR 1700 series |
YES |
- |
- |
YES |
|
|
|
|
|
|
|
iR ADV 400iF/500iF |
YES |
- |
- |
YES |
|
|
|
|
|
|
|
iR ADV 3200 series |
YES |
- |
- |
YES |
|
|
|
|
|
|
|
iR ADV 4000 series |
YES |
- |
- |
YES |
|
|
|
|
|
|
|
iR ADV 4200 series |
YES |
- |
- |
YES |
|
|
|
|
|
|
|
iR ADV 715iF II/III series |
YES |
YES |
YES |
- |
|
|
|
|
|
|
|
iR ADV 4500/II/III series |
YES |
YES* |
YES* |
- |
|
|
|
|
|
|
|
iR ADV DX 4700 series |
YES |
YES |
YES |
- |
|
|
|
|
|
|
|
iR ADV 6000 series |
YES |
- |
- |
YES |
|
|
|
|
|
|
|
iR ADV 6200 series |
YES |
- |
- |
YES |
|
|
|
|
|
|
|
iR ADV 6500/II/III series |
YES |
YES* |
YES* |
- |
|
|
|
|
|
|
|
iR ADV DX 6700 series |
YES |
YES |
YES |
- |
|
|
|
|
|
|
|
iR ADV 8000 series |
YES |
- |
- |
YES |
|
|
|
|
|
|
|
iR ADV 8200 series |
YES |
- |
- |
YES |
|
|
|
|
|
|
|
iR ADV 8500/II/III series |
YES |
YES* |
YES* |
- |
|
|
|
|
|
|
|
iR ADV DX 8700 series |
YES |
YES |
YES |
- |
|
|
|
|
|
|
|
iR ADV C250iF/C350iF |
YES |
- |
- |
YES |
|
|
|
|
|
|
|
iR ADV C255iF/C355iF |
YES |
YES* |
YES* |
- |
|
|
|
|
|
|
|
iR ADV C256iF/II/III C356iF/II/III |
YES |
YES* |
YES* |
- |
|
|
|
|
|
|
|
iR ADV C3300 series |
YES |
YES |
- |
YES |
|
|
|
|
|
|
|
iR ADV C3500/II/III series |
YES |
YES* |
YES* |
- |
|
|
|
|
|
|
|
iR ADV DX C3700 series |
YES |
YES |
YES |
- |
|
|
|
|
|
|
|
iR ADV C5000 series |
YES |
- |
- |
YES |
|
|
|
|
|
|
|
iR ADV C5200 series |
YES |
- |
- |
YES |
|
|
|
|
|
|
|
iR ADV C5500/II/III series |
YES |
YES* |
YES* |
- |
|
|
|
|
|
|
|
iR ADV C5700 series |
YES |
YES |
YES |
- |
|
|
|
|
|
|
|
iR ADV C7000 series |
YES |
- |
- |
YES |
|
|
|
|
|
|
|
iR ADV C7200 series |
YES |
- |
- |
YES |
|
|
|
|
|
|
|
iR ADV C7500/II/III series |
YES |
YES* |
YES* |
- |
|
|
|
|
|
|
|
iR ADV DX C7700 series |
YES |
YES |
YES |
- |
|
|
|
|
|
|
|
iR ADV C475iF III series |
YES |
YES |
YES |
- |
|
|
|
|
|
|
|
imagePRESS C165 |
YES |
YES |
YES |
- |
|
|
|
|
|
|
12 | DEVICE SECURITY WHITEPAPER
02
Device Security
Print Driver Security Features
Print Job Accounting
A standard feature in Canon’s printer drivers, print job accounting requires users to enter an administrator-defined password prior to printing, thereby restricting device access to those who are authorized to print. Printing restrictions can be set using Department ID credentials, User Account Credentials, or through the Access Management System.
Custom Driver Configuration Tool
Administrators can create custom driver profiles for users to limit access to print features and specify default settings, thereby protecting the device against unauthorized use, enforcing internal policies and better controlling output costs. Security conscious settings that can be defined and enforced include duplex output, secure print, B&W only on colour devices, watermarks and custom print profiles, as well as hiding any desired functions.
USB Block
USB Block allows the System Administrator to help protect the imageRUNNER ADVANCE systems against unauthorized access through the built-in USB interface. Access to the device’s USB interface for desktop access and the device’s host mode for other USB devices can each be permitted or disabled.
Go to Settings / Registration > Preferences > External Interface > USB Settings.
All imageRUNNER ADVANCE models and select imageRUNNER models have the ability to restrict USB usage for memory, but allow USB usage for peripherals such as keyboards and card readers. Canon’s USB feature provides the capability to view and print from the devices only for non-executable files, such as .pdf, .jpg, . tiff, and .png. Executable files cannot be performed on the device, and this prevents viruses from spreading if being accessed.
Third Party MEAP Application and Development
Canon actively collaborates with leading third-party software companies to develop custom solutions for imageRUNNER ADVANCE systems, known as MEAP applications. Each MEAP enabled device includes a number of safeguards to help ensure the security and integrity of information stored on the device.
Access to the Software Development Kit for MEAP is tightly restricted and controlled through licensing. Once an application has been developed, it is thoroughly reviewed by Canon to ensure that it meets strict guidelines for operability and security. Following the review, the application is digitally signed with a special encrypted signature to protect the integrity of the application. If the application is modified in any way, the signature code will not match, and the application will not be permitted to run on the device. These safety measures make it virtually impossible for an altered or rogue MEAP application to be executed on an imageRUNNER ADVANCE system.
13 | DEVICE SECURITY WHITEPAPER
02
Device Security
Security Measures to Protect Against Malware and
Tampering of Firmware/Applications
Since its inception, the imageRUNNER ADVANCE series has been designed with security in mind. Security measures to protect against malware/firmware tampering have been implemented that do not allow for installation or execution of programs without a digital signature applied by Canon when updating firmware, executing processes or installing MEAP applications. In order to further assist in the prevention of data disclosure due to unknown or springboard attacks, additional security enhancements have been made for the third generation imageRUNNER ADVANCE 3rd edition, imageRUNNER ADVANCE DX and imagePRESS C165.
The following program tampering detection function is introduced to counter unknown attacks:
•Verify System at Startup
•McAfee Embedded Control
Note: These features are only available on third generation imageRUNNER ADVANCE 3rd edition models, imageRUNNER ADVANCE DX and imagePRESS C165, and must be enabled. McAfee Embedded Control requires Unified Firmware Platform (UFP) v3.9 or later
Verify System at Startup
Once enabled, the Verify System at Startup function runs a process during startup to verify that tampering of boot code, OS, firmware and MEAP applications has not occurred. If tampering of one of these areas is detected, the system will not start. By using the hardware as the ‘Root of Trust’, enhanced security against software tampering is provided. Furthermore, standard cryptographic technologies (hash, digital signature) are used for verification.
In order to use this function, the administrator should set “Verify System at
Startup” to ON (Default: OFF).
•Settings/Registration > Management Settings > Security Settings > Verify System at Startup
When this function is turned ON, warmup time is increased because the verification process is performed when the device is started. However, it does not affect the time to wake up from sleep mode or the restore time for quick startup, because the verification process is only performed at device startup.
If tampering of boot code, OS, firmware or MEAP applications is detected, the device boot process is halted and an error code is displayed on the control panel. In order to recover from that state, it may be necessary to reinstall the firmware and/or MEAP application.
14 | DEVICE SECURITY WHITEPAPER
02
Device Security
McAfee Embedded Control
Once enabled, McAfee Embedded Control allows only known programs contained in the dynamic whitelist to be executed on the MFD. Other programs not listed in the whitelist are considered unauthorized and will not be permitted to execute. This helps prevent worms, viruses, spyware, and other malware from compromising the device. A log of all prevented executions is available in the Audit Log when Runtime Intrusion Detection is enabled. McAfee Embedded Control delivers the following:
•Provides file integrity of Canon authorized firmware/applications against the whitelist to help prevent tampering.
•Helps prevent the execution of unknown software code (malware) not on the whitelist.
•Helps prevent unauthorized rewriting of registered software modules.
•Detects tampering of the whitelist itself.
•Permits only authorized system processes to implement changes on device.
To turn on McAfee Embedded Control, it is necessary to turn on Verify System at Startup (Default OFF).
•Settings/Registration > Management Settings > Security Settings > Verify System at Startup
The administrator will also need to set “McAfee Embedded Control” to ON (Default OFF).
•Settings/Registration > Management Settings > Security Settings > McAfee Embedded Control
15 | DEVICE SECURITY WHITEPAPER
02
Device Security
Whitelists are created in each storage partition in which native device software modules are installed. McAfee Embedded Control checks the value held in the whitelist in advance of the module executing, and verifies the value generated by the execution of the module during operation. If the two values match, the verification is successful. If the two values do not match, the verification is unsuccessful, and execution of the module fails. The following outlines what will occur if the verification is unsuccessful:
(a)The firmware verification process begins when the execution module registered in whitelist is started. If verification fails, the execution is blocked and an error code (E614-xxxx) is displayed.
(b)When attempted execution of a non-registered software module is detected, the execution stops and the event is reported in the audit log.
(c)When attempts to rewrite or delete a registered software module located on the whitelist is detected, the attempt is blocked and a record of the error code is saved in the audit log.
(d)Validation of the whitelist itself is performed at startup of any software module. If tampering of the whitelist is detected, the execution is blocked and an error code is displayed. The error code is displayed according to the location of the software module where tampering was detected.
•Error code example: (E614-xxxx for firmware, E602-xxxx for MEAP application)
(e)The whitelist is updated as required when the system firmware is updated or when authorized MEAP applications are installed. In order to maintain consistency, when the software module is updated, the whitelist itself and the transaction log recording the change history of the whitelist are also updated.
Audit Log Related to Runtime System Protection Function
All recordable activities related to the Verify System at Startup and Runtime Intrusion Detection with McAfee Embedded Control processes are listed in the Device Management Log and can be notified in real time to a Security Admin through integration with a SIEM system.
16 | DEVICE SECURITY WHITEPAPER
03
Data Security
Protecting your organization’s confidential information is a mission that Canon takes seriously. From your documents, faxes and e-mails to the underlying data on the internal hard disk drive and in memory, Canon has built in many controls to help ensure that your information does not become compromised.
Secure Printing
Secured Print / Encrypted Secured Print
Encrypted Secured Print and Secured Print are print functions that hold a job in queue until the user enters the appropriate password at the device. This ensures that the user is in close proximity before the document is printed and minimises unattended documents left at the device. The imageRUNNER ADVANCE system requires the user to set a password in the print driver window when sending a print job from a connected PC. The same password is also required for releasing the job at the device. When using the Encrypted Secured Print software*, security is further enhanced by using AES 256-Bit Encryption to protect the print job data while in transit across the network. On systems equipped with the optional Encrypted Secured Print, administrators can use the print job restriction feature to permit only encrypted print jobs at the designated device.
*the third Generation imageRUNNER ADVANCE, imageRUNNER ADVANCE DX and imagePRESS C165 has this feature as standard.
Secured Print Screen from the Printer Driver |
Print Jobb Status Screen |
uniFLOW Secure Print
Exclusive to Canon is uniFLOW, which is optional modular software designed to reduce costs, improve productivity and enhance security. From a security perspective, uniFLOW provides secure printing capabilities by holding jobs at the server until released by the user at any desired imageRUNNER ADVANCE system. From their desktop, users print documents by choosing the uniFLOW server as the printer. At the chosen device, users can be authenticated using a wide variety of supported methods. If successful, access to the uniFLOW MEAP client application from the device’s control panel is granted and the required job(s) can be selected and released from their queue of pending documents.
17 | DEVICE SECURITY WHITEPAPER
Loading...