Administration guide
PlotWave - ColorWave Systems
Security information
Copyright
© 2014, Océ
All rights reserved. No part of this work may be reproduced, copied, adapted, or transmitted in any form or by any means without written permission from Océ.
Océ makes no representation or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.
Further, Océ reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation to notify any person of such revision or changes.
Edition 2014-06 |
GB |
Trademarks
Océ, and its wide-format printing systems are registered trademarks of Océ.
Microsoft®, Windows®, Windows XP®, Windows XP® embedded, Windows Server® 2003, Windows® Vista™, Windows Server® 2008, Windows ® 7, Windows 8, Windows Server 2012, Windows Embedded Standard® 2009 are either registered trademarks or trademarks of Microsoft® Corporation in the United States and/or other countries.
Linux® is a registered trademark of Linus Torvalds.
McAfee is a registered trademark or trademark of McAfee, Inc. or its subsidiaries in the United States and other countries.
Symantec and Norton are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
Products in this publication are referred to by their general trade names. In most, if not all cases, these designations are claimed as trademarks or registered trademarks of their respective companies.
Contents
Chapter 1 |
|
Océ Security policy............................................................................................................. |
9 |
The Océ Security policy ................................................................................................................................ |
10 |
Downloads and support for your product.................................................................................................... |
12 |
Overview of the security features available per Océ System .................................................................... |
13 |
Chapter 2
Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300
............................................................................................................................................ |
17 |
Security on Océ PlotWave 300/350, PlotWave 900 R1.x and ColorWave 300........................................... |
18 |
Overview................................................................................................................................................... |
18 |
Security overview for the Océ PlotWave 300, the Océ PlotWave 350, the Océ PlotWave 900 |
|
R1.x and the Océ ColorWave 300 systems ..................................................................................... |
18 |
System and Network security................................................................................................................. |
19 |
Ports - Protocols................................................................................................................................. |
19 |
Security Patches................................................................................................................................ |
24 |
Security levels.................................................................................................................................... |
26 |
Prevent any outgoing connection to the Internet .......................................................................... |
29 |
Security of the USB connection (Océ PlotWave 300/350, Océ ColorWave 300)........................... |
30 |
Antivirus ............................................................................................................................................ |
31 |
Roles and Passwords........................................................................................................................ |
32 |
Data Security ........................................................................................................................................... |
35 |
E-Shredding....................................................................................................................................... |
35 |
IPsec (on Océ PlotWave 300/350, Océ PlotWave 900 1.2 and higher 1.x, Océ ColorWave 300).... |
|
38 |
|
Prevent USB Direct Print and Scan to USB (Océ PlotWave 300/350, Océ ColorWave 300)......... |
54 |
HTTPS with Océ PlotWave 900 R1.x................................................................................................ |
56 |
Smart Inbox management................................................................................................................ |
60 |
Security on Océ PlotWave 750 and Océ PlotWave 900 R2.x ...................................................................... |
61 |
Overview................................................................................................................................................... |
61 |
Security overview for the Océ PlotWave 750 and the Océ PlotWave 900 R2.x systems............. |
61 |
System and Network security................................................................................................................. |
62 |
Ports - Protocols................................................................................................................................. |
62 |
Security Patches................................................................................................................................ |
67 |
Security levels.................................................................................................................................... |
70 |
Prevent any outgoing connection to the Internet .......................................................................... |
72 |
Antivirus ............................................................................................................................................ |
73 |
Roles and Passwords........................................................................................................................ |
74 |
Audit log............................................................................................................................................. |
76 |
Data Security ........................................................................................................................................... |
77 |
E-Shredding....................................................................................................................................... |
77 |
IPsec ................................................................................................................................................... |
80 |
HTTPS (on Océ PlotWave 750 and PlotWave 900 R2.x)................................................................. |
86 |
Smart Inbox management and job management........................................................................... |
93 |
Chapter 3 |
|
Security on Océ PlotWave 500 and PlotWave 340/360................................................. |
95 |
Overview......................................................................................................................................................... |
96 |
Security overview for the Océ PlotWave 500 and PlotWave 340/360 systems................................... |
96 |
5
Contents |
|
System and Network security....................................................................................................................... |
97 |
Ports - Protocols....................................................................................................................................... |
97 |
Applications, protocols and ports used in the Océ PlotWave 500 and PlotWave 340/360 |
|
systems............................................................................................................................................... |
97 |
Security Patches..................................................................................................................................... |
101 |
Install the Océ Remote patch.......................................................................................................... |
101 |
Protocol protection................................................................................................................................ |
103 |
Network protocols protection ........................................................................................................ |
103 |
Prevent any outgoing connection to the Internet ............................................................................... |
105 |
Security of the USB connection ........................................................................................................... |
106 |
The USB connection on the printer user interface ...................................................................... |
106 |
Antivirus ................................................................................................................................................. |
107 |
Roles and Passwords............................................................................................................................. |
108 |
Roles and profiles............................................................................................................................ |
108 |
Passwords policy and behaviour in the Océ PlotWave 500 and PlotWave 340/360 systems... |
109 |
Access control........................................................................................................................................ |
111 |
Audit log................................................................................................................................................. |
112 |
Data security................................................................................................................................................. |
113 |
E-Shredding in Océ PlotWave 500 and PlotWave 340/360 systems.................................................. |
113 |
E-shredding presentation................................................................................................................ |
113 |
Enable the e-shredding in Océ Express WebTools....................................................................... |
114 |
E-shredding process and system behaviour................................................................................. |
116 |
IPsec ....................................................................................................................................................... |
117 |
IPsec presentation .......................................................................................................................... |
117 |
Configure the IPsec settings in the Océ controller ....................................................................... |
119 |
Configure the IPsec settings on a workstation or a print server.................................................. |
121 |
Troubleshooting: Disable 'Access control' and IPsec (Océ PlotWave 500 and PlotWave 340/360 |
|
systems)........................................................................................................................................... |
130 |
HTTPS (for Océ PlotWave 500 and PlotWave 340/360)....................................................................... |
132 |
Encrypt print data and manage the system configuration using HTTPS.................................... |
132 |
Request and import a CA-signed certificate.................................................................................. |
137 |
Prevent 'Print from USB' and/or 'Scan to USB' on Océ PlotWave 500 and PlotWave 340/360....... |
143 |
How to prevent 'Print from USB' and/or 'Scan to USB'............................................................... |
143 |
Smart Inbox management and job management............................................................................... |
144 |
Chapter 4 |
|
Security on Océ ColorWave 550/600/650 (and Poster Printer).................................. |
145 |
Security on Océ ColorWave 550, ColorWave 600 (Poster Printer), ColorWave 650 R2.x (Poster Printer) |
|
....................................................................................................................................................................... |
146 |
Overview................................................................................................................................................. |
146 |
Security overview for the Océ ColorWave 600/650 (Poster Printer) and the Océ ColorWave 550 |
|
systems............................................................................................................................................. |
146 |
System and Network security............................................................................................................... |
148 |
Ports - Protocols............................................................................................................................... |
148 |
Security Patches.............................................................................................................................. |
151 |
Protocol protection.......................................................................................................................... |
153 |
Prevent any outgoing connection to the Internet ........................................................................ |
154 |
Security of the USB connection .................................................................................................... |
155 |
Operating System and software protection.................................................................................. |
156 |
Roles and Passwords...................................................................................................................... |
157 |
Access control.................................................................................................................................. |
159 |
Data Security.......................................................................................................................................... |
160 |
E-Shredding on Océ ColorWave 600 and Océ ColorWave 650 (PP) and Océ ColorWave 550.. 160 |
|
IPsec on Océ ColorWave 550 v2.3.1 and higher and Océ ColorWave 650 (PP) v2.3.1 and higher |
|
........................................................................................................................................................... |
163 |
How to prevent 'Print from USB' on Océ ColorWave 550/650 (and PP) ..................................... |
176 |
Smart Inbox management and job management......................................................................... |
177 |
Security on Océ ColorWave 650 R3.x......................................................................................................... |
178 |
Overview................................................................................................................................................. |
178 |
6
|
Contents |
Security overview for the Océ ColorWave 650 R3.x system........................................................ |
178 |
System and Network security............................................................................................................... |
179 |
Ports - Protocols............................................................................................................................... |
179 |
Security Patches.............................................................................................................................. |
182 |
Protocol protection.......................................................................................................................... |
184 |
Prevent any outgoing connection to the Internet ........................................................................ |
186 |
Security of the USB connection .................................................................................................... |
187 |
Antivirus .......................................................................................................................................... |
188 |
Roles and Passwords...................................................................................................................... |
189 |
Access control.................................................................................................................................. |
191 |
Audit log........................................................................................................................................... |
192 |
Data security........................................................................................................................................... |
193 |
E-Shredding..................................................................................................................................... |
193 |
IPsec ................................................................................................................................................. |
194 |
HTTPS (on Océ ColoWave 650 R3.x).............................................................................................. |
199 |
How to prevent 'Print from USB' on Océ ColorWave 550/650 (and PP) ..................................... |
206 |
Smart Inbox management and job management......................................................................... |
207 |
Index................................................................................................................................. |
209 |
7
Contents
8
Chapter 1
Océ Security policy
The Océ Security policy
Definition
At Océ, security is an integral part of system development, and the company is taking a proactive approach to the improvement of security-related issues. Océ is working to address security requirements across all of its digital document systems.
For its printing systems connected to the network, Océ strives to ensure the:
-Security of the system on the network
-Security of the data sent to the printers, with a focus on protecting sensitive documents from being captured by un-authorised persons
-Security of the configuration and data on the controller
NOTE
See the Table of the security features on page 13 to get an overview of the security features available per Océ system.
System security and security on the network
Faced with system vulnerabilities, viruses, worms and in order to maximise the protection of the Océ print systems from hackers and networking attacks, Océ has reinforced the security of the Océ systems by:
•Introducing the Océ Security levels to offer network security protection against virus / worm attacks or system vulnerabilities (on Windows Operating Systems).
Once the Security Interface is activated, you can define the level of security according to your system needs. Notice that the higher level of security you set, the fewer printing and scanning functionalities you get.
•Implementing network protocols protection features (by use of the Océ Security levels filtering or by configuring each network protocol for firewall filtering)
•Protecting the system roles and passwords. The main network and system settings are protected against change. Only authorised users can configure or change these settings
•Regularly checking the relevance of Microsoft flaws and delivering security patches whenever it is necessary.
•Providing OS and software protection mechanism. The internal system software is protected against alteration
•Make the USB connection secure (on systems with USB slot)
•Restricting the access to the printer to allowed stations only
•Allowing the installation of an Antivirus software on the Océ system controller
•Being compliant with IPv6 and then benefiting from IPv6 secured assets
NOTE
The availability of the security features depends on the products. See the Overview of the security features available per Océ System on page 13.
Data security on the network
To ensure the security of the print data sent on the network, Océ has implemented:
•The HTTPS (HTTP over SSL) protocol to encrypt the configuration management data, submitted print data and saved scan data:
Find all information about Use the Océ self-signed certificate with Internet Explorer on page 56.
10 Chapter 1 - Océ Security policy
The Océ Security policy
•The e-shredding feature to overwrite any user data (print/copy/scan) when it is deleted from the system.
This feature prevents the recovery of any deleted user data.
•The IPsec configuration, that provides authentication, data confidentiality and integrity in the network communication between devices.
A strong mechanism of encryption guarantees the confidentiality of the user print and scan data on the network.
•The Smart Inbox and Job protection by:
-Limiting and restricting the access to the print and scan job data with the Smart Inbox management capability
-Managing the visibility of jobs and their availability through job submission tools with the job management settings
Chapter 1 - Océ Security policy |
11 |
Downloads and support for your product
Downloads
User guides, printer drivers and other resources can change without prior notice. To stay up-to- date, you are advised to download the latest resources from:
"http://downloads.oce.com"
Before you use your product, you must always download the latest safety information for your product: make sure that you read and understand all safety information in the manual entitled 'Safety Guide' .
Support
For support information please contact your Canon local representative.
Find your local contact for support from:
"http://www.canon.com/support/"
12 Chapter 1 - Océ Security policy
Overview of the security features available per Océ System
Security features in the Océ PlotWave and Océ ColorWave 300 systems
|
Océ PlotWave 300 |
Océ PlotWave 340 |
Océ PlotWave 750 |
|
|
Océ PlotWave 350 |
Océ PlotWave 360 |
Océ PlotWave 900 |
|
|
Océ PlotWave 900 |
Océ PlotWave 500 |
R2.x |
|
|
R1.x |
|
|
|
|
Océ ColorWave 300 |
|
|
|
|
|
|
|
|
Operating System |
Windows Embedded |
Windows Embedded |
Windows Embedded |
|
|
Standard 2009 |
Standard 7 SP1 |
Standard 7 SP1 |
|
|
or |
|
|
|
|
Windows XP embed- |
|
|
|
|
ded SP3 |
|
|
|
|
See Security overview |
|
|
|
|
on page 18 |
|
|
|
|
|
|
|
|
Firewall |
Yes |
Yes |
Yes |
|
|
|
|
|
|
MS Security flaws / |
Yes |
Yes |
Yes |
|
Security patches |
|
|
|
|
|
|
|
|
|
Network protocols |
Océ Security levels - 3 |
Yes. Protection config- |
Océ Security levels - 4 |
|
protection |
levels |
urable per protocol |
levels |
|
|
|
|
|
|
OS and software in |
- |
- |
- |
|
tegrity mechanism |
|
|
|
|
|
|
|
|
|
Antivirus |
Compatible with 2 an- |
Compatible with 2 an- |
Compatible with 2 an- |
|
|
tivirus brands |
tivirus brands |
tivirus brands |
|
|
|
|
|
|
IPv6 |
Yes (IPV6 and IPV4 |
Yes (IPv6 only or IPv6 |
Yes (IPv6 only or IPv6 |
|
|
combination) |
and IPv4 combination) |
and IPv4 combination) |
|
|
|
|
|
|
SMB authentication |
NTLMV1 |
NTLMV2 |
NTLMV2 |
|
|
|
|
|
|
Feature to encrypt da |
IPsec for: |
- IPsec |
- IPsec |
|
ta on the network |
Océ PlotWave 300 |
- HTTPS |
- HTTPS |
|
|
Océ PlotWave 350 |
|
|
|
|
Océ PlotWave 900 1.2 |
|
|
|
|
and higher |
|
|
|
|
Océ ColorWave 300 |
|
|
|
|
HTTPS for: |
|
|
|
|
Océ PlotWave 900 |
|
|
|
|
|
|
|
|
Password protection |
Yes for: |
Yes for: |
Yes for: |
|
|
- User settings |
- User settings |
- User settings |
|
|
- Administration set- |
- Administration set- |
- Administration set- |
|
|
tings |
tings |
tings |
|
|
- Settings on the print- |
- Settings on the print- |
- Settings on the print- |
|
|
er user panel |
er user panel |
er user panel |
|
|
|
|
|
|
Data overwrite |
E-shredding |
E-shredding |
E-shredding |
|
|
|
|
|
4 |
Access control |
- |
IP filtering |
- |
|
|
|
|
|
|
Chapter 1 - Océ Security policy |
13 |
Overview of the security features available per Océ System
Smart Inbox manage |
- Smart Inbox restric- |
- Smart Inbox capabili- |
- Smart Inbox capabili- |
ment |
tion |
ty can be disabled |
ty can be disabled |
|
- Remote view restric- |
- Remote view restric- |
- Remote view restric- |
|
tion (except Océ Plot- |
tion |
tion |
|
Wave 900) |
|
|
|
|
|
|
Océ Publisher Express |
- |
Access restriction |
Access restriction |
access |
|
|
|
|
|
|
|
Actions on jobs |
- |
Remote action restric- |
Remote action restric- |
|
|
tion |
tion |
|
|
|
|
Security features in the Océ ColorWave systems (except Océ ColorWave 300)
|
Océ ColorWave 600 (PP) |
Océ ColorWave 650 R3.x |
|
|
Océ ColorWave 650 R2.x |
|
|
|
Océ ColorWave 650 PP |
|
|
|
Océ ColorWave 550 |
|
|
|
|
|
|
Operating System |
Linux and WES 2009 for: |
Windows Embedded Standard 7 |
|
|
- Océ ColorWave 650 (multifunc- |
SP1 |
|
|
tional) |
|
|
|
- Océ ColorWave 550 (multifunc- |
|
|
|
tional) |
|
|
|
Linux for: |
|
|
|
- Océ ColorWave 650 (printer only) |
|
|
|
- Océ ColorWave 550 (printer only) |
|
|
|
- Océ ColorWave 600 (PP) |
|
|
|
- Océ ColorWave 650 PP |
|
|
|
|
|
|
Firewall |
Yes |
Yes |
|
|
|
|
|
MS Security flaws / |
Yes for Océ ColorWave 650 / 550 |
Yes |
|
Security patches |
(multifunctional) |
|
|
|
N/A for Océ ColorWave 600 (PP), |
|
|
|
ColorWave 650 PP, Océ Color- |
|
|
|
Wave 650 (printer only) and Océ |
|
|
|
ColorWave 550 (printer only) |
|
|
|
|
|
|
Network protocols |
Yes. Protection configurable per |
Yes. Protection configurable per |
|
protection |
protocol |
protocol |
|
|
|
|
|
OS and software in |
Yes |
- |
|
tegrity mechanism |
|
|
|
|
|
|
|
Antivirus |
- |
Compatible with 2 antivirus |
|
|
|
brands |
|
|
|
|
|
IPv6 |
Yes (IPv6 only or IPv6 and IPv4 |
Yes (IPv6 only or IPv6 and IPv4 |
|
|
combination) |
combination) |
|
|
|
|
|
SMB authentication |
NTLMV1 |
NTLMV2 or NTLMV1 (can be set in |
|
|
|
Océ Express WebTools) |
4 |
|
|
|
|
14 Chapter 1 - Océ Security policy
Overview of the security features available per Océ System
Feature to encrypt da |
IPsec for: |
- IPsec |
ta on the network |
Océ ColorWave 550 v2.3.1 and |
- HTTPS |
|
higher |
|
|
Océ ColorWave 650 v2.3.1 and |
|
|
higher |
|
|
Océ ColorWave 650 PP v2.3.1 and |
|
|
higher |
|
|
|
|
Password protection |
Yes for: |
Yes for: |
|
- User settings |
- User settings |
|
- Administration settings |
- Administration settings |
|
- Settings on the printer user panel |
- Settings on the printer user panel |
|
|
|
Data overwrite |
E-shredding for: |
E-shredding |
|
Océ ColorWave 650 2.0.1 and |
|
|
higher |
|
|
Océ ColorWave 650 PP 2.1 and |
|
|
higher |
|
|
Océ ColorWave 600 1.5 and higher |
|
|
Océ ColorWave 600 PP 1.6.1 and |
|
|
higher |
|
|
Océ ColorWave 550 2.2 and higher |
|
|
|
|
Access control |
Access restriction to the printer |
IP filtering |
|
for: |
|
|
Océ ColorWave 550 v2.3.1 and |
|
|
higher |
|
|
Océ ColorWave 650 v2.3.1 and |
|
|
higher |
|
|
Océ ColorWave 650 PP v2.3.1 and |
|
|
higher |
|
|
|
|
Smart Inbox manage |
- |
- Smart Inbox capability can be |
ment |
|
disabled |
|
|
- Remote view restriction |
|
|
|
Océ Publisher Express |
- |
Access restriction |
access |
|
|
|
|
|
Actions on jobs |
Remote action restriction |
Remote action restriction |
|
|
|
Chapter 1 - Océ Security policy |
15 |
Overview of the security features available per Océ System
16 Chapter 1 - Océ Security policy
Chapter 2
Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300
Security on Océ PlotWave 300/350, PlotWave 900 R1.x and ColorWave 300
Introduction
The Océ PlotWave 300, the Océ PlotWave 350, the Océ PlotWave 900 R1.x and Océ ColorWave 300 are equipped with the following security features:
Security overview
Operating System |
- Windows XP Service Pack 3 for all versions of |
|
Océ PlotWave 300, Océ PlotWave 350, and Océ |
|
ColorWave 300 prior to R1.5 and Océ PlotWave |
|
900 R1.x |
|
- Windows Embedded Standard 2009 for Océ |
|
PlotWave 300 R1.5, Océ PlotWave 350 R1.5, |
|
Océ ColorWave 300 R1.5 and higher versions |
|
|
Firewall |
Yes |
|
|
Network protocols protection |
3 Océ Security Levels |
|
|
MS Security patches |
Océ released patches |
|
|
Antivirus |
Compatible with 2 Antivirus brands |
|
|
IPV6 |
Yes |
|
|
Data encryption on the network |
- IPsec for Océ PlotWave 300, Océ PlotWave |
|
350, Océ PlotWave 900 from R1.2, and Océ Col- |
|
orWave 300 |
|
- HTTPS for Océ PlotWave 900 |
|
|
Data overwrite |
E-shredding |
|
|
Password protection |
Yes for: |
|
- User settings |
|
- Administration settings |
|
- Settings on the printer user panel* |
|
|
* Except on Océ PlotWave 900 R1.2.
18 Chapter 2 - Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300
System and Network security
Printing applications: security levels, ports and protocols used by the Océ systems
Application /Function |
System |
Supported security lev |
Port used on the |
|
||
ality |
|
els (x) and open port |
controller: protocol |
|
||
|
|
|
|
|
|
|
|
|
N* |
M* |
H* |
|
|
|
|
|
|
|
|
|
Océ Wide-format |
Océ PlotWave 300/ |
x |
x(1) |
x(2) |
TCP 515: LPR |
|
Printer Driver for Mi- |
PlotWave 350/ Plot- |
TCP 515 |
TCP |
TCP |
TCP 65200: Océ |
|
crosoft Windows |
Wave 900 R1.x |
TCP |
515 |
515 |
back-channel(**) |
|
(WPD or WPD2) |
Océ ColorWave 300 |
65200 |
TCP |
|
TCP 80: HTTP (for |
|
|
|
TCP 80 |
65200 |
|
advanced account- |
|
|
|
UDP |
TCP 80 |
|
ing) |
|
|
|
515 |
|
|
UDP 515: Océ proto- |
|
|
|
|
|
|
col (for printer dis- |
|
|
|
|
|
|
covery) |
|
|
|
|
|
|
|
|
Océ Adobe® Post- |
Océ PlotWave 300/ |
x |
x |
x |
TCP 515: LPR |
|
Script® 3™ driver |
PlotWave 350/ Plot- |
TCP 515 |
TCP |
TCP |
|
|
|
Wave 900 R1.x |
|
515 |
515 |
|
|
|
Océ ColorWave 300 |
|
|
|
|
|
|
|
|
|
|
|
|
Océ Publisher Express |
Océ PlotWave 300/ |
x |
x |
|
TCP 80: HTTP |
|
|
PlotWave 350/ Plot- |
TCP 80 |
TCP 80 |
|
|
|
|
Wave 900 R1.x |
|
|
|
|
|
|
Océ ColorWave 300 |
|
|
|
|
|
|
|
|
|
|
|
|
Océ Publisher Express |
Océ PlotWave 900 |
x |
x |
x |
TCP 443: HTTPS |
|
over SSL |
|
TCP 443 |
TCP |
TCP |
|
|
|
|
|
443 |
443 |
|
|
|
|
|
|
|
|
|
Océ Publisher Select |
Océ PlotWave 300/ |
x |
x |
|
TCP 80: HTTP |
|
|
PlotWave 350/ Plot- |
TCP 515 |
TCP |
|
TCP 65200: Océ |
|
|
Wave 900 R1.x |
TCP |
515 |
|
back-channel(**) |
|
|
Océ ColorWave 300 |
65200 |
TCP |
|
TCP 515: LPR |
|
|
|
TCP 80 |
65200 |
|
UDP 515: Océ proto- |
|
|
|
UDP |
TCP 80 |
|
col (for printer dis- |
|
|
|
515 |
|
|
covery) |
4 |
|
|
|
|
|
|
|
Chapter 2 - Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300 |
19 |
Applications, protocols and ports used in the Océ PlotWave 300, the Océ PlotWave 350, the Océ PlotWave 900 R1.x and Océ ColorWave 300 systems
Application /Function |
System |
Supported security lev |
Port used on the |
||
ality |
|
els (x) and open port |
controller: protocol |
||
|
|
|
|
|
|
|
|
N* |
M* |
H* |
|
|
|
|
|
|
|
Océ Publisher Mobile |
Océ PlotWave 300/ |
x |
|
|
TCP 515: LPR (3) |
|
PlotWave 350/ Plot- |
TCP 515 |
|
|
TCP 21: FTP (4) |
|
Wave 900 R1.x |
TCP |
|
|
TCP 4242: FTP pas- |
|
Océ ColorWave 300 |
4242 |
|
|
sive mode(6) |
|
|
ICMP |
|
|
ICMP: ping |
|
|
UDP |
|
|
|
|
|
|
|
UDP 515: Océ proto- |
|
|
|
515 |
|
|
|
|
|
|
|
col (for printer dis- |
|
|
|
TCP 21 |
|
|
|
|
|
|
|
covery) |
|
|
|
(4) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Océ Mobile WebTools |
Océ PlotWave 350 |
x |
x |
|
TCP 80: HTTP |
|
Océ PlotWave 900 |
TCP 80 |
TCP 80 |
|
|
|
R1.2 and higher |
|
|
|
|
|
|
|
|
|
|
Océ ReproDesk Studio |
Océ PlotWave 300/ |
x |
x |
|
TCP 515: LPR |
|
PlotWave 350/ Plot- |
TCP 515 |
TCP |
|
TCP 65200: Océ |
|
Wave 900 R1.x |
TCP |
515 |
|
back-channel(**) |
|
Océ ColorWave 300 |
65200 |
TCP |
|
|
|
|
|
65200 |
|
|
|
|
|
|
|
|
Novell NDPS printing |
Océ PlotWave 300/ |
x |
x |
x |
TCP 515: LPR |
|
PlotWave 350/ Plot- |
TCP 515 |
TCP |
TCP |
|
|
Wave 900 R1.x |
|
515 |
515 |
|
|
Océ ColorWave 300 |
|
|
|
|
|
|
|
|
|
|
LPR printing (com- |
Océ PlotWave 300/ |
x |
x |
x |
TCP 515: LPR |
mand line) |
PlotWave 350/ Plot- |
TCP 515 |
TCP |
TCP |
|
|
Wave 900 R1.x |
|
515 |
515 |
|
|
Océ ColorWave 300 |
|
|
|
|
|
|
|
|
|
|
FTP printing |
Océ PlotWave 300/ |
x |
x(5) |
|
TCP 21: FTP |
|
PlotWave 350/ Plot- |
TCP 21 |
TCP 21 |
|
TCP 4242: FTP (6) |
|
Wave 900R1.x |
TCP |
|
|
|
|
Océ ColorWave 300 |
4242 |
|
|
|
|
|
|
|
|
|
Notes:
•* Levels: N: Normal - M: Medium - H: High
•(**) Océ back-channel is an Océ proprietary protocol used to retrieve information from the printer (status, media loaded...) and to display it in the application or driver.
•(1) LPR printing with back-channel and advanced accounting
•(2) LPR printing. No back-channel. No advanced accounting
•(3) Océ Publisher Mobile v 2.2 and later for Android, and for Océ Publisher Mobile v 2.3 and later for iOS
•(4) Only for Océ Publisher Mobile v 2.0 to v 2.2 for iOS
•(5) FTP active mode only
•(6) Data channel for FTP passive mode
20 Chapter 2 - Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300
Applications, protocols and ports used in the Océ PlotWave 300, the Océ PlotWave 350, the Océ PlotWave 900 R1.x and Océ ColorWave 300 systems
Scanning / copying applications: security levels, ports and protocols used by the Océ systems
Application /Function |
System |
Supported security lev |
Port used on the |
|||
ality |
|
els (x) and open port |
controller: protocol |
|||
|
|
|
|
|
|
|
|
|
N* |
M* |
H* |
|
|
|
|
|
|
|
|
|
Scan to File Remote |
Océ PlotWave 300/ |
x |
|
|
- |
|
SMB |
PlotWave 350 |
|
|
|
|
|
|
Océ ColorWave 300 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Océ PlotWave 900 |
x |
x |
x |
- |
|
|
R1.x |
|
|
|
|
|
|
|
|
|
|
|
|
Scan to File Remote |
Océ PlotWave 300/ |
x |
x(1) |
x(1) |
- |
|
FTP |
PlotWave 350/ Plot- |
|
|
|
|
|
|
Wave 900 R1.x |
|
|
|
|
|
|
Océ ColorWave 300 |
|
|
|
|
|
|
|
|
|
|
|
|
Scan data retrieval by |
Océ PlotWave 300/ |
x |
x(2) |
|
TCP 21: FTP |
|
FTP |
PlotWave 350/ Plot- |
TCP 21 |
TCP 21 |
|
TCP 4242: FTP (3) |
|
|
Wave 900 R1.x |
TCP |
|
|
|
|
|
Océ ColorWave 300 |
4242 |
|
|
|
|
|
|
|
|
|
|
|
Scan data retrieval |
Océ PlotWave 300/ |
x |
x |
|
TCP 80: HTTP |
|
from Smart Inbox |
PlotWave 350/ Plot- |
TCP 80 |
TCP 80 |
|
|
|
(Scans) |
Wave 900 R1.x |
|
|
|
|
|
|
Océ ColorWave 300 |
|
|
|
|
|
|
|
|
|
|
|
|
Scan data retrieval |
Océ PlotWave 900 |
x |
x |
x |
TCP 443: HTTPS |
|
from Smart Inbox |
R1.x |
TCP 443 |
TCP |
TCP |
|
|
(Scans) over SSL |
|
|
443 |
443 |
|
|
|
|
|
|
|
|
|
Océ Matrix Logic |
Océ PlotWave 900 |
x |
x |
x |
TCP 80: HTTP |
|
|
R1.x |
TCP 80 |
TCP 80 |
TCP |
TCP 443: HTTPS |
|
|
|
TCP 443 |
TCP |
443 |
|
|
|
|
|
443 |
|
|
|
|
|
|
|
|
|
Notes:
•* Levels: N: Normal - M: Medium - H: High
•(1) FTP passive mode only: the FTP server on the remote workstation must support FTP passive mode
•(2) FTP active mode only
•(3) Data channel for FTP passive mode
Control management: security levels, ports and protocols used by the Océ systems
Application /Function |
System |
Supported security lev |
Port used on the |
|
||
ality |
|
els (x) and open port |
controller: protocol |
|
||
|
|
|
|
|
|
|
|
|
N* |
M* |
H* |
|
|
|
|
|
|
|
|
|
PING |
Océ PlotWave 300/ |
x |
x |
x |
ICMP |
|
|
PlotWave 350/ Plot- |
|
|
|
|
|
|
Wave 900 R1.x |
|
|
|
|
|
|
Océ ColorWave 300 |
|
|
|
|
4 |
|
|
|
|
|
|
|
Chapter 2 - Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300 |
21 |
Applications, protocols and ports used in the Océ PlotWave 300, the Océ PlotWave 350, the Océ PlotWave 900 R1.x and Océ ColorWave 300 systems
Application /Function |
System |
Supported security lev |
Port used on the |
|
||
ality |
|
els (x) and open port |
controller: protocol |
|
||
|
|
|
|
|
|
|
|
|
N* |
M* |
H* |
|
|
|
|
|
|
|
|
|
SNMP based applica- |
Océ PlotWave 300/ |
x |
|
|
UDP 161: SNMP |
|
tions |
PlotWave 350/ Plot- |
UDP |
|
|
|
|
|
Wave 900 R1.x |
161 |
|
|
|
|
|
Océ ColorWave 300 |
|
|
|
|
|
|
|
|
|
|
|
|
WSD |
Océ PlotWave 350 |
x |
x |
x |
TCP 80: HTTP |
|
|
|
TCP 80 |
TCP 80 |
TCP |
UDP 3702: WSD dis- |
|
|
|
UDP |
UDP |
80 |
covery |
|
|
|
3702 |
3702 |
UDP |
|
|
|
|
|
|
3702 |
|
|
|
|
|
|
|
|
|
Océ Express WebT- |
Océ PlotWave 300/ |
x |
x |
|
TCP 80: HTTP |
|
ools |
PlotWave 350/ Plot- |
TCP 80 |
TCP 80 |
|
|
|
|
Wave 900 R1.x |
|
|
|
|
|
|
Océ ColorWave 300 |
|
|
|
|
|
|
|
|
|
|
|
|
Océ Express WebT- |
Océ PlotWave 900 |
x |
x |
x |
TCP 443: HTTPS |
|
ools over SSL |
R1.x |
TCP 443 |
TCP |
TCP |
|
|
|
|
|
443 |
443 |
|
|
|
|
|
|
|
|
|
Name resolution(**) |
Océ PlotWave 300/ |
x |
|
|
Outgoing connec- |
|
|
PlotWave 350 |
|
|
|
tion: |
|
|
Océ ColorWave 300 |
|
|
|
- local port (on con- |
|
|
|
|
|
|
troller): UDP(/TCP) |
|
|
Océ PlotWave 900 |
x |
x |
x |
||
|
<dynamic value> |
|
||||
|
R1.x |
|
|
|
|
|
|
|
|
|
- remote port (on |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
DNS server): UDP(/ |
|
|
|
|
|
|
TCP) 53 |
|
|
|
|
|
|
|
|
DHCP |
Océ PlotWave 300/ |
x |
x |
x |
Outgoing connec- |
|
|
PlotWave 350/ Plot- |
|
|
|
tion: |
|
|
Wave 900 R1.x |
|
|
|
- local port (on con- |
|
|
Océ ColorWave 300 |
|
|
|
troller) : UDP 68 |
|
|
|
|
|
|
- remote port (on |
|
|
|
|
|
|
DNS server): UDP 67 |
|
|
|
|
|
|
|
|
Océ Account Center |
Océ PlotWave 300/ |
x |
x |
|
TCP 80: HTTP |
|
Advanced accounting |
PlotWave 350/ Plot- |
TCP 80 |
TCP 80 |
|
|
|
(WPD) |
Wave 900 R1.x |
|
|
|
|
|
|
Océ ColorWave 300 |
|
|
|
|
|
|
|
|
|
|
|
|
Accounting informa- |
Océ PlotWave 300/ |
x |
x(1) |
|
TCP 21: FTP |
|
tion retrieval by FTP |
PlotWave 350/ Plot- |
TCP 21 |
TCP 21 |
|
TCP 4242: FTP (2) |
|
|
Wave 900 R1.x |
TCP |
|
|
|
|
|
Océ ColorWave 300 |
4242 |
|
|
|
|
|
|
|
|
|
|
|
Browse Océ systems |
Océ PlotWave 300/ |
x |
|
|
UDP 137: NetBios |
|
on the network with |
PlotWave 350/ Plot- |
UDP |
|
|
over TCP/IP |
|
Windows network |
Wave 900 R1.x |
137 |
|
|
|
|
neighbourhood |
Océ ColorWave 300 |
|
|
|
|
4 |
|
|
|
|
|
|
|
22 Chapter 2 - Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300
Applications, protocols and ports used in the Océ PlotWave 300, the Océ PlotWave 350, the Océ PlotWave 900 R1.x and Océ ColorWave 300 systems
Application /Function |
System |
Supported security lev |
Port used on the |
||
ality |
|
els (x) and open port |
controller: protocol |
||
|
|
|
|
|
|
|
|
N* |
M* |
H* |
|
|
|
|
|
|
|
Océ Service Logic |
Océ PlotWave 300/ |
x |
x(1) |
|
TCP 21: FTP |
|
PlotWave 350/ Plot- |
TCP 21 |
TCP 21 |
|
TCP 4242: FTP (2) |
|
Wave 900 R1.x |
TCP |
|
|
|
|
Océ ColorWave 300 |
4242 |
|
|
|
|
|
|
|
|
|
IPsec |
Océ PlotWave 300/ |
x |
|
|
UDP 500 |
|
PlotWave 350 |
UDP |
|
|
UDP 4500 |
|
Océ ColorWave 300 |
500 |
|
|
|
|
Océ PlotWave 900 |
UDP |
|
|
|
|
R1.2 and higher |
4500 |
|
|
|
|
|
|
|
|
|
Océ Remote Meter |
Océ PlotWave 300/ |
x |
|
|
UDP 161: SNMP |
Reading Manager |
PlotWave 350/ Plot- |
UDP |
|
|
|
|
Wave 900 R1.x |
161 |
|
|
|
|
Océ ColorWave 300 |
|
|
|
|
|
|
|
|
|
|
Océ Remote Service |
Océ PlotWave 300 |
x |
x |
x |
HTTPS outgoing |
|
R1.5 and higher |
|
|
|
connection required: |
|
PlotWave 350 R1.5 |
|
|
|
TCP/IP port 443 (3) |
|
and higher |
|
|
|
|
|
Océ PlotWave 900 |
|
|
|
|
|
R1.x |
|
|
|
|
|
Océ ColorWave 300 |
|
|
|
|
|
R1.5 and higher |
|
|
|
|
|
|
|
|
|
|
Notes:
•* Levels: N: Normal - M: Medium - H: High
•(**) The name resolution is mainly used to determine the IP address of the scan destination during Scan fo File operation
•(1) FTP active mode only
•(2) Data channel for FTP passive mode
•(3) TCP/IP port 443 must be opened and must allow response back on the IT infrastructure firewall.
Chapter 2 - Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300 |
23 |
Security Patches
Introduction
You can install the Océ Remote patches (Security patches) in the following versions of the systems:
•Océ PlotWave 300 1.2.1 and higher
•Océ PlotWave 350 1.0 and higher
•Océ PlotWave 900 1.x
•Océ ColorWave 300 1.2.1 and higher
Before you begin
Find the Océ Security patch from the Océ Downloads website on http://downloads.oce.com:
Open the product page and go to the Security tab to download the available security patches.
Install the Océ Remote patch
Procedure
1.Open the Océ Express Webtools
2.Open the 'Support' tab
3.Select 'Update'
The Authentication window opens.
24 Chapter 2 - Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300
Install the Océ Remote patch (on Océ PlotWave 300/350, PlotWave 900 R1.x and Océ ColorWave 300)
4.Log in as the System administrator or Power user
All the patches successfully applied (when any) are displayed
5.Click on the 'Update' icon (top right corner) to open the wizard
6.Click OK
7. Browse to the Océ Remote patch and click OK to install it
8.Click OK to confirm the update
The system restarts to apply the patch.
Chapter 2 - Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300 |
25 |
Security levels
Introduction
Océ defined 3 levels of security according to the customer needs. The presentation below can help you to select the most suitable level.
High security level
The High level is the most secure mode for printing and scanning.
The compliant applications are based on:
•the LPR protocol for printing
•the HTTPS protocol (Océ PlotWave 900 only) for printing
•the FTP protocol for scanning.
Target:
•This level provides you the most secure mode while using the basic feature for printing and scanning. Only some Océ applications are available. See the security levels supported per application/functionality on page 19.
•This security level may also be used when you want to be protected whenever a vulnerability has been discovered and the corresponding patch cannot be yet installed. As soon as the patch can be installed, you can go back to the original security level.
Medium security level
The Medium level is compliant with all the Océ applications available for printing and scanning which do not present a high risk (as reported by most popular network scanners).
Target:
This level is recommended if you need to be secured while you want to use the Océ applications for printing and/or scanning (you can use the system including more functions than with the High security level).
Normal security level
This mode offers all the functionalities.
Target:
•You can select this level if you want to use some features not covered by MEDIUM security level.
•This level is more dedicated for small network infrastructure where security is less required versus features.
Introduction
The [Security] wizard on the printer user panel gives the option to check or change the security level of the system.
26 Chapter 2 - Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300
Before you begin
The System Administrator or a Power User can protect the security settings with a password.
When the protection is activated, you must type the password in the printer user panel before you can change the security level.
Procedure
1.From the [HOME] screen select the [System] tab.
2.Select the [Setup] tab.
3.Use the scroll wheel to go to the [Security]([Configure settings]) wizard.
4.Open this section with the confirmation button.
5.The screen displays the security level and the active network access options:
6.Two options are possible:
•Press the [Back] key in case you only want to check the security settings.
•Press the [Next >] key in case you want to adapt the security level.
Enter the password if requested and follow the wizard to adapt the security level.
Protect the security level by a password
Procedure
1.Open the Océ Express Webtools in a web browser (http://Printer IP address or hostname)
2.In the 'Preferences' tab, select 'System settings'
3.In the 'Printer Properties', goes to 'Password to change security level'
4.Click on the value to edit it
5.Log in as the System Administrator or as a Power User
6.Select 'New'
7.Type and re-type a numeric password
8.Confirm to activate the password.
Chapter 2 - Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300 |
27 |
Result
You must type the password in the printer user panel when you want change the security level.
Set the security level in Océ PlotWave 900 R1.1 and higher R1.x versions
Introduction
The security user interface is available through the Océ Express WebTools application.
NOTE
You need to be logged on as the System Administrator to access the security level interface and change the security levels.
Procedure
1.Open the Océ Express Webtools in a web browser (http://Printer IP address or hostname)
2.On the [Configuration] tab, select [Connectivity]
3.Go to the Security section
4.Click on 'Edit' or double click on the value to open the [Security level] window
5.Set the security level and click 'OK'
6.Restart the printer when prompted
Result
After you set the Security level to 'High', you must open Océ Express Web Tools by means of the HTTPS protocol: type https://Printer IP address or hostname in the web browser.
28 Chapter 2 - Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300
Prevent any outgoing connection to the Internet
Introduction
Some features of the following systems allow or request a connection over the Internet to work properly:
•Océ PlotWave 300 R1.5 and higher
•Océ PlotWave 350 R1.5 and higher
•Océ ColorWave 300 R1.5 and higher
When the Security Policy in a company prevents any outgoing network traffic over the Internet, perform all the following actions in Express WebTools:
St |
In the Express WebT |
Action |
Detail |
|
ep |
ools section |
|
|
|
|
|
|
|
|
1 |
Support - Remote Serv- |
Stop the Remote assistance if is ac- |
Click 'Stop remote assis- |
|
|
ice - Remote assistance |
tivated |
tance' until it changes into |
|
|
|
|
'Allow remote assistance' . |
|
|
|
|
The two blinking arrows |
|
|
|
|
on the right side disap- |
|
|
|
|
pear. |
|
|
|
|
|
|
2 |
Preferences - System |
Disable Online Services |
Set 'Océ Online Services |
|
|
Defaults - Service rela- |
|
connection enabled' to |
|
|
ted information |
|
'Disabled' |
|
|
|
|
|
|
3 |
Configuration - Scan |
Delete any scan destination going to |
Uncheck 'Scan destination |
|
|
destination [X] |
the Internet: |
[X]: enabled' |
|
|
|
FTP sites reachable through the In- |
|
|
|
|
ternet |
|
|
|
|
|
|
|
4 |
Support - About - Shut- |
Restart the system |
|
|
|
down - Restart |
|
|
|
|
|
|
|
Chapter 2 - Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300 |
29 |
Security of the USB connection (Océ PlotWave 300/350, Océ ColorWave 300)
Introduction
A USB connection is available on the Océ PlotWave 300, Océ PlotWave 350 and Océ ColorWave 300 Local user interface.
This USB connection is used to:
•Install and upgrade the controller software
•Backup and restore the controller configuration
•Scan to the USB storage device
•Print from the USB storage device
Security on the USB port
General USB port protection:
•Booting from the USB device is not possible.
•Executing any programme present on the USB device is not possible
The Autorun is disabled and no operation on the controller can execute a programme on the USB device.
•Propagating on network any infected file present on the USB device plugged on the USB port is not possible
Read from / write to USB device protection
•Protection of the USB READ operation:
- when restoring a controller configuration from the Local User Interface.
In that case, any file infected by a virus appears as an invalid backup file. The controller software detects it and rejects the restore operation.
- when printing from the USB device.
Any print file infected by a virus will never compromise controller's software integrity.
•Protection of the USB WRITE operation:
- during the backup of the controller configuration, from the Local User Interface.
The backup is performed by the internal controller software. It cannot contaminate the USB device by any threat.
- when making a Scan To File to the USB device:
The Scan To File operation to USB device is performed by the internal controller software. It cannot contaminate the USB device by any threat.
Disable the USB features
You can disable:
•The direct printing operation from USB. See How to prevent 'Print from USB' on page 54
•The scanning operation to USB. See 1- Disable any 'USB stick' scan destination on page 54
30 Chapter 2 - Security on Océ PlotWave 300/350, PlotWave 750, PlotWave 900 and ColorWave 300