Xerox C500 User Manual

Xerox®
AltaLink® Multi­Function Products
VersaLink® Multi­Function Products
VersaLink® Printers
B8045, B8055, B8065, B8075, B8090
B405, B605, B615, B7025, B7030, B7035
B400, B600, B610
C8030, C8035, C8045, C8055, C8070
C405, C505, C605, C7020, C7025, C7030
C400, C500, C600, C7000, C8000, C9000
Security Guide
Office Class Multi-Function Products &
Single-Function Printers
February 2018 update
Xerox® Product Security Guide and Information Assurance Disclosure
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
© 2018 Xerox Corporation. All rights reserved. Xerox and Xerox and Design® are trademarks of Xerox Corporation in the United States and/or other countries. BR25497
Other company trademarks are also acknowledged. Copyright protection claimed includes all forms and matters of copyrightable material and information now
allowed by statutory or judicial law or hereinafter granted including without limitation, material generated from the software programs which are displayed on the screen, such as icons, screen displays, looks, etc.
Changes are periodically made to this document. Changes, technical inaccuracies, and typographic errors will be corrected in subsequent editions.
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
Table of Contents
1 Introduction ....................................................................................................................................... 5
Purpose ......................................................................................................................................................... 5
Target Audience ............................................................................................................................................ 5
Disclaimer...................................................................................................................................................... 5
2 Product Description .......................................................................................................................... 6
Physical Components ................................................................................................................................... 6
Architecture ................................................................................................................................................... 6
User Interface ................................................................................................................................................ 7
Scanner ......................................................................................................................................................... 7
Marking Engine ............................................................................................................................................. 7
Controller ....................................................................................................................................................... 7
Controller External Interfaces .......................................................................................................... 7
Front Panel USB (Type A) port(s) ...................................................................................................... 7
10/100/1000 MB Ethernet RJ-45 Network Connector ........................................................................ 8
Rear USB (Type B) Target port .......................................................................................................... 8
Optional Equipment ....................................................................................................................................... 8
RJ-11 Analog Fax and Telephone .................................................................................................. 8
Wireless Network Connector ........................................................................................................... 8
Near Field Communications (NFC) Reader .................................................................................... 8
SMART CARD – CAC/PIV .............................................................................................................. 8
Foreign Product Interface ................................................................................................................ 8
3 User Data Protection ......................................................................................................................... 9
User Data protection while within product ..................................................................................................... 9
Encryption ....................................................................................................................................... 9
TPM Chip ........................................................................................................................................... 9
Media Sanitization (Image Overwrite) ............................................................................................. 9
Immediate Image Overwrite ............................................................................................................... 9
On-Demand Image Overwrite ............................................................................................................ 9
User Data in transit ..................................................................................................................................... 10
Inbound User Data ........................................................................................................................10
Print Job Submission........................................................................................................................ 10
Encrypted Transport ......................................................................................................................... 10
Description ....................................................................................................................................... 10
November 2018 Page 1
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
Outbound User Data .....................................................................................................................10
Scanning to Network Repository, Email, Fax Server ....................................................................... 10
Protocol ............................................................................................................................................ 10
Encryption ........................................................................................................................................ 10
Description ....................................................................................................................................... 10
Scanning to User Local USB Storage Product ................................................................................ 11
Add on Apps- Cloud, Google, DropBox, and others .....................................................................11
4 Network Security .............................................................................................................................12
TCP/IP Ports & Services ............................................................................................................................. 12
Listening services (inbound ports) ................................................................................................12
Network Encryption ..................................................................................................................................... 13
IPSec 13
Wireless 802.11 Wi-Fi Protected Access (WPA) ..........................................................................14
TLS 14
Public Key Encryption (PKI) ..........................................................................................................15
Device Certificates ........................................................................................................................... 15
Trusted Certificates .......................................................................................................................... 16
Certificate Validation ........................................................................................................................ 17
Email Signing and Encryption using S/MIME ................................................................................17
SNMPv3 17
Network Access Control .............................................................................................................................. 18
802.1x 18
Cisco Identity Services Engine (ISE) ............................................................................................18
Cisco ISE allows you to deploy the following controls and monitoring of Xerox products: .............. 18
Contextual Endpoint Connection Management .......................................................................................... 19
FIPS140-2 Compliance Validation .............................................................................................................. 19
Additional Network Security Controls .......................................................................................................... 19
Endpoint Firewall Options .............................................................................................................19
IP Whitelisting (IP Address Filtering) ................................................................................................ 20
Stateful Firewall (Advanced IP Filtering) .......................................................................................... 20
5 Device Security: BIOS, Firmware, OS, Runtime, and Operational security controls ...............21
Fail Secure Vs Fail Safe .............................................................................................................................. 22
Pre-Boot Security ........................................................................................................................................ 22
BIOS 22
Embedded Encryption ...................................................................................................................22
Boot Process Security ................................................................................................................................. 22
Firmware Integrity..........................................................................................................................22
November 2018 Page 2
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
Runtime Security ......................................................................................................................................... 23
Event Monitoring & Logging ........................................................................................................................ 23
Audit Log 23
Operational Security .................................................................................................................................... 23
Firmware Restrictions ...................................................................................................................23
Service Technician (CSE) Access Restriction ..............................................................................24
Additional Service Details .............................................................................................................24
Backup & Restore (Cloning)........................................................................................................................ 24
EIP Applications .......................................................................................................................................... 24
XCP (eXtensible Customizable Platform) ................................................................................................... 24
6 Configuration & Security Policy Management Solutions ...........................................................25
7 Identification, Authentication, and Authorization ........................................................................26
Authentication ............................................................................................................................................. 26
AltaLink® and VersaLink® devices support the following authentication mode: ..........................26
Local Authentication ......................................................................................................................26
Password Policy ............................................................................................................................... 26
Network Authentication .................................................................................................................27
Smart Card Authentication ............................................................................................................27
Convenience Authentication .........................................................................................................27
Simple Authentication (non-secure) ..............................................................................................28
Authorization (Role Based Access Controls) .............................................................................................. 28
Remote Access .............................................................................................................................28
Local Access .................................................................................................................................28
8 Additional Information & Resources .............................................................................................29
Security @ Xerox®...................................................................................................................................... 29
Responses to Known Vulnerabilities ........................................................................................................... 29
Additional Resources .................................................................................................................................. 29
Appendix A: Product Security Profiles ..............................................................................................30
AltaLink® B8045/B8055/B8065/B8075/B8090 ........................................................................................... 31
AltaLink® C8030 / C8035 / C8045 / C8055 / C8070 ................................................................................. 33
VersaLink® B7025, B7030 B7035 .............................................................................................................. 35
VersaLink® C7000, C7020, C7025, C7030 ................................................................................................ 37
VersaLink® C400, C405 ............................................................................................................................. 39
VersaLink® B400, B405 .............................................................................................................................. 39
VersaLink® C500, C600, C505, C605 ........................................................................................................ 43
VersaLink® B600, B605, B610, B615 ......................................................................................................... 45
VersaLink® C8000, C9000 ......................................................................................................................... 47
November 2018 Page 3
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
Appendix B: Security Events ..............................................................................................................49
Xerox AltaLink® Security Events ............................................................................................................... 49
VersaLink® Security Events ....................................................................................................................... 65
November 2018 Page 4
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
1 Introduction
Purpose
The purpose of this document is to disclose information for the Xerox ® Office Class printers and multi­function products (hereinafter called as “the product” or “the system”) with respect to product security. Product Security, for this paper, is defined as how image data is stored and transmitted, how the product behaves in a network environment, and how the product may be accessed both locally and remotely. The purpose of this document is to inform Xerox customers of the design, functions, and features of the product with respect to Information Assurance. This document does not provide tutorial level information
about security, connectivity, or the product’s features and functions. This information is readily available
elsewhere. We assume that the reader has a working knowledge of these types of topics.
Target Audience
The target audience for this document is Xerox field personnel and customers concerned with IT security.
Disclaimer
The information in this document is accurate to the best knowledge of the authors and is provided without warranty of any kind. In no event shall Xerox be liable for any damages whatsoever resulting from user's use or disregard of the information provided in this document including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Xerox has been advised of the possibility of such damages.
November 2018 Page 5
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
1. Stabilizer.
2. Bypass paper feed tray.
3. Front USB Port(s)*
4. Touch screen user interface.
5. Upper paper tray.
6. Lower paper tray.
7. Paper feed trays.
8. Caster wheels.
9. Rear USB Port(s)*
10. Optional Wi-Fi dongle port*
11. RJ45 Ethernet connection*
12. Service port
(May require disassembly to access).
13. AC Power.
*Denotes a security related component
User
Interface
Marking
Engine
External
Interfaces
Device
Storage
Optional
Interfaces
2 Product Description
Physical Components
AltaLink® and VersaLink® products consist of an input document handler and scanner, marking engine, controller, and user interface. A typical configuration is depicted below. Please note that options including finishers, paper trays, document handers, etc. may vary configuration, however, they are not relevant to security and are not discussed.
Architecture
AltaLink® and VersaLink® products share a common architecture which is depicted below. The following sections describe components in detail.
November 2018 Page 6
Scanner
Controller
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
User Interface
The user interface detects soft and hard button actuations and provides text and graphical prompts to the user. The user interface is sometimes referred to as the Graphical User Interface (GUI) or Local UI (LUI) to distinguish it from the remote web server interface (WebUI).
The user interface allows users to access product services and functions. Users with administrative privileges can manage the product configuration settings. User permissions are configurable through Role Based Access Control (RBAC) policies, described in section 7 Identification, Authentication, and Authorization
Scanner
The scanner converts documents from hardcopy to electronic data. A document handler moves originals into a position to be scanned. The scanner provides enough image processing for signal conditioning and formatting. The scanner does not store scanned images.
Marking Engine
The Marking Engine performs copy/print paper feeding and transport, image marking, fusing, and document finishing. The marking engine is comprised of paper supply trays and feeders, paper transport, LED scanner, xerographics, and paper output and finishing. The marking engine is only accessible to the Controller via inter-chip communication with no other access and does not store user data.
Controller
The controller manages document processing using proprietary hardware and algorithms to process documents into high-quality electronic and/or printed reproductions. Documents may be temporarily buffered in RAM during processing. Some models may be equipped with additional storage options such as magnetic Hard Disk Drive (HDD), Solid State Disk (SSD), SD Card, or Flash media. For model specific details please see Appendix A: Product Security Profiles. AltaLink® and VersaLink® products encrypt user data and include media sanitization (overwrite) options that ensure that erased data cannot be recovered, described further in section 3 User Data Protection.
In addition to managing document processing the controller manages all network functions and services. Details can be found in section Network Security.
The controller handles all I/O communications with connected products. The following section provides a description of each interface. Please note that not all interfaces are supported on all models; details about each model can be found in Appendix A: Product Security Profiles.
Controller External Interfaces Front Panel USB (Type A) port(s)
One or more USB ports may be located on the front of the product, near the user interface. Front USB ports may be enabled or disabled by a system administrator. The front USB port supports the following:
Walk-up users may insert a USB thumb drive to store or retrieve documents for scanning and/or
printing from a FAT formatted USB device. The controller will only allow reading/writing of a limited set of known document types (such as DOC, PDF, PNG, JPEG, TIFF, etc.). Other file types including binary executables are not supported.
Note that features that use the front USB ports (such as Scan To USB) can be disabled independently or restricted using role-based access controls.
Connection of optional equipment such as NFC or CAC readers.  Firmware updates may be submitted through the front USB ports. (Note that the product must be
configured to allow local firmware updates, or the update will not be processed.
November 2018 Page 7
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
10/100/1000 MB Ethernet RJ-45 Network Connector
This is a standard RJ45 Ethernet network connector and confirms to IEEE Ethernet 802.3 standards.
Rear USB (Type B) Target port
A USB type B port located on the controller board at the rear of the product. This port supports the following:
USB target connector used for printing
Note: This port can be disabled completely by a system administrator.
Optional Equipment
RJ-11 Analog Fax and Telephone
The analog fax module connects to the controller. The fax connection supports the Fax Modem T.30 protocol only and will not accept data or voice communication attempts. An external (EXT) is available to connect an external handset. In this configuration, the FAX card acts as a passive relay.
Wireless Network Connector
VersaLink® products accept an optional wireless module via a proprietary port. AltaLink® products accept an optional wireless kit that can be installed in the rear USB port.
Near Field Communications (NFC) Reader
The system supports an installable RFID reader for authentication and convenience in certain configurations. VersaLink® products accept the RFID reader via USB on the front of the product. AltaLink® products come standard with an RFID reader built into the front panel. This communication cannot write or change any settings on the system. The data exchanged is not encrypted and may include information including system network status, IP address and product location. NFC functionality can be disabled using the embedded web server of the product. NFC functionality requires a software plugin that can be obtained from Xerox sales and support. NFC functionality is supported via optional touch screen user interface or optional dedicated NFC USB dongle.
Information shared over NFC includes: IPv4 Address, IPv6 Address, MAC Address, UUID (a unique identifier on the NFC client), and Fully qualified domain name
SMART CARD – CAC/PIV
All VersaLink® products support CAC/PIV login by enabling the VersaLink® Plug-in feature and then enabling the appropriate plug-in. Additional plug-ins can be downloaded from Xerox.com in the product Support area online.
All VersaLink® products support SIPR network access through a plug-in. The SIPR network plug-in is restricted only to users who have purchased the SIPR kit from Xerox. Contact your Xerox sales representative for details.
Foreign Product Interface
This port is used to connect optional equipment to control access to the machine. A typical application is a coin-operated product where a user must deposit money to enable the machine to print. The information available via the Foreign Product Interface is limited to optically-isolated pulses that can be used to count impressions marked on hardcopy sheets. No user data is transmitted to or from this interface.
November 2018 Page 8
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
Note: Solid State storage media such as Solid-State Disk, eMMC, SD-Card, and Flash media cannot be completely sanitized by multi-pass overwriting methods due to the memory wear mapping that occurs. (Additionally, attempts to do so would also greatly erode the operational lifetime of solid state media). Solid State media is therefore not recommended for use in highly secure environments. Please refer to NIST-800-88 “Table A-8: Flash Memory-Based
Storage Product Sanitization” for technical details.
3 User Data Protection
Xerox printers and multifunction products receive, process, and may optionally store user data from several sources including as local print, scan, fax, or copy jobs or mobile and cloud applications, etc. Xerox products protect user data being processed by employing strong encryption. When the data is no longer needed, the Image Overwrite (IIO) feature automatically erases and overwrites the data on magnetic media, rendering it unrecoverable. As an additional layer of protection, an extension of IIO called On-Demand Image Overwrite (ODIO) can be invoked to securely wipe all user data from magnetic media.
User Data protection while within product
This section describes security controls that protect user data while it is resident within the product. For a description of security controls that protect data in transit please refer to the following section that discusses data in transit; also the Network Security section of this document.
Encryption
All user data being processed or stored to the product is encrypted by default. Note that encryption may be disabled to enhance performance on AltaLink® products (though this is not recommended in secure environments). Xerox VersLink products do not have such an option.
The algorithm used in the product is AES-256. The encryption key is automatically created at start up and stored in the RAM. The key is deleted by a power-off, due to the physical characteristics of the RAM.
TPM Chip
Some models include a Trusted Platform Module (TPM). The TPM is compliant with ISO/IEC 11889, the international standard for a secure cryptoprocessor, dedicated to secure cryptographic keys. The TPM is used to securely hold the product storage encryption key. Please refer to Appendix A: Product Security
Profiles for model specific information.
Media Sanitization (Image Overwrite)
AltaLink® and VersaLink® products equipped with magnetic hard disk drives are compliant with NIST Special Publication 800-88 Rev1: Guidelines for Media Sanitization. User data is securely erased using a three-pass algorithm as described in the following link:
https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-88r1.pdf
Immediate Image Overwrite
When enabled, Immediate Image Overwrite (IIO) will overwrites any temporary files that were created on the magnetic hard disk that may contain user data. The feature provides continuous automatic overwriting of sensitive data with minimal impact to performance, robust error reporting, and logging via the Audit Log.
On-Demand Image Overwrite
Complementing the Immediate Image Overwrite is On-Demand Overwrite (ODIO). While IIO overwrites individual files, ODIO overwrites entire partitions. The ODIO feature can be invoked at any time and optionally may be scheduled to run automatically.
November 2018 Page 9
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
Encrypted Transport
Description
IPPS (TLS)
Submit print jobs via Secure Internet Printing Protocol. This protocol is based on HTTP and utilizes the TLS suite to encrypt data.
HTTPS (TLS)
Securely submit a print job directly to product via the built-in web server.
Xerox Print Stream Encryption
The Xerox Global Print Driver® supports document encryption when submitting Secure Print jobs to enabled products. Simply check the box to Enable Encryption when adding the Passcode to the print job.
Protocol
Encryption
Description
HTTP
N/A
Unencrypted HTTP protocol.
HTTPS (TLS)
TLS
HTTP encrypted by TLS
FTP
N/A
Unencrypted FTP.
SFTP (SSH)
SSH
FTP encrypted by SSH
SMBv3
Optional
Encryption may be enabled on a Windows share. AltaLink® products currently support SMB encryption. VersaLink® products do not currently support SMB encryption.
SMBv2
N/A
Unencrypted SMB
SMBv1
N/A
(Not used as a transport protocol. Used for network discovery only)
SMTP (email)
S/MIME
The product uses SMTP to transmit data to the email server. Email authentication, encryption, and signing are supported. Please refer to the Network Security section of this document for details.
User Data in transit
This section focuses on the protection of user data (print/scan/other jobs) in transit as they are submitted to the product for processing and/or are sent from the product to other systems. Additional protections are also discussed in the Network Security section of this document.
Inbound User Data Print Job Submission
In addition to supporting network level encryption including IPSec and WPA Xerox products also support encryption of print job data at the time of submission. This can be used to securely transmit print jobs over unencrypted connections or to enhance existing network level security controls.
Outbound User Data Scanning to Network Repository, Email, Fax Server
AltaLink® and VersaLink® multifunction products support scanning of hardcopy documents to external network locations including file repositories and email and facsimile services. In addition to supporting network level encryption including IPSec and WPA Xerox products support the following.
November 2018 Page 10
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
AltaLink® Multifunction
VersaLink® Multifunction
VersaLink® Printers
B8045, B8055, B8065, B8075, B8090, C8030, C8035, C8045, C8055, C8070
B405, B605, B615, B7025, B7030, B7035, C405, C505, C605, C7020, C7025, C7030
B400, B600, B610, C400, C500, C600, C7000, C8000, C9000
Local Data Encryption (HDD, SDD, IC, SD Card)
AES-256
AES-256
AES-256
Federal Information Protection Standard 140-2
Yes
Yes
Yes
Media Sanitization NIST 800-171 (Image Overwrite)
All models use magnetic HDD
Models with magnetic HDD. See Appendix A: Product
Security Profiles
Models with magnetic HDD. See Appendix A:
Product Security Profiles
Print Submission
IPPS (TLS)
Supported
Supported
Supported
HTTPS (TLS)
Supported
Supported
Supported
Xerox Print Stream Encryption
Supported
(Not currently supported)
(Not currently supported)
Scan to Repository Server
HTTPS (TLS)
1.2
(Not currently supported)
(Not Applicable)
SFTP (SSH)
SSH-2
(Not currently supported)
(Not Applicable)
SMB (unencrypted)
v1, v2, v3
v3
(Not Applicable)
SMB (with share encryption enabled)
V3
(Not currently supported)
(Not Applicable)
HTTP (unencrypted)
Supported
(Not currently supported)
(Not Applicable)
FTP (unencrypted)
Supported
(Not currently supported)
(Not Applicable)
Scan to Fax Server
HTTPS (TLS)
1.2
(Not currently supported)
(Not Applicable)
SFTP (SSH)
SSH-2
(Not currently supported)
(Not Applicable)
SMB (unencrypted)
v1, v2, v3
v3
(Not Applicable)
SMB (with share encryption enabled)
V3
(Not currently supported)
(Not Applicable)
S/MIME
Supported
Supported
(Not Applicable)
HTTP (unencrypted)
Supported
(Not currently supported)
(Not Applicable)
FTP (unencrypted)
Supported
(Not currently supported)
(Not Applicable)
SMTP (unencrypted)
Supported
Supported
(Not Applicable)
Scan to Email
S/MIME
Supported
Supported
(Not Applicable)
SMTP (unencrypted)
Supported
Supported
(Not Applicable)
Scanning to User Local USB Storage Product
Scan data is transferred directly to the user’s USB product. Filesystem encryption of user products are not supported.
Add on Apps- Cloud, Google, DropBox, and others
The Xerox App Gallery® contains several additional applications that extend the capabilities of Xerox products. Discussion of App security is beyond the scope of this document. Xerox Apps utilize the security framework provided by the 3rd party vendor. (For example, Microsoft O365 or Google apps would utilize Microsoft & Google’s security mechanisms respectively). Please consult documentation for individual Apps and 3rd party security for details.
November 2018 Page 11
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
Inbound (Listening Services)
Out Bound (Network Client)
Print Services LPR, IPP, Raw IP, etc.
Management Services SNMP, Web interface, WebServices, etc.
Infrastructure & Discovery Services IPSEC, SSDP, WSD, mDNS, NetBIOS, etc.
Built-in Scan Services FTP, HTTP & HTTPS (TLS), SFTP (SSH), SMB, CIFS, SMTP & SMTPS, POP3 & POPS, etc.
Authentication Services LDAP & LDAPS, SMB, Kerberos.
Infrastructure ISAKMP (IPSec), DHCP & DHCPv6, etc.
Cloud Services Dropbox, Google Drive, OneDrive, and several others.
Port
Type
Service Name
80 or 443
TCP
HTTP including: Web User Interface UPnP Discovery Web Services for Products (WSD) WebDAV
631 or 443
TCP
HTTP (IPP)
137
UDP
NETBIOS (Name Service)
138
UDP
NETBIOS (Datagram Service)
161
UDP
SNMP
427
TCP/UDP
SLP
4 Network Security
Xerox products are designed to offer a high degree of security and flexibility in almost any network environment. This section describes several aspects of the product related to network security.
TCP/IP Ports & Services
Xerox devices are robust, offering support for a wide array of services and protocols. The devices are capable of hosting services as well as acting as a client for others. The diagram below presents a high­level overview of inbound communications (from other hosts on the network into listening services on the device) and outbound connections initiated by the device (acting as a client to external network services).
Listening services (inbound ports)
The following table summarizes all potentially open ports on the product. These ports can be enabled/disabled within the product configuration.
November 2018 Page 12
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
445
TCP
CIFS
500 & 4500
UDP
IPSec
515
TCP
LPR
631
TCP
IPP
1900
UDP
SSDP
3702
TCP
WSD (Discovery)
5353
UDP
mDNS
9100
TCP
Raw IP (also known as JetDirect, AppSocket or PDL-datastream)
5909-5999
TCP
Remote Access to local display panel. Port is randomly selected and communications encrypted with TLS 1.2.
53202
TCP
WSD Transfer
53303
TCP
WSD Print
53404
TCP
WSD Scan
AltaLink® Multifunction
VersaLink® Multifunction
VersaLink® Printers
B8045, B8055, B8065, B8075, B8090, C8030, C8035, C8045, C8055, C8070
B405, B605, B615, B7025, B7030, B7035, C405, C505, C605, C7020, C7025, C7030
B400, B600, B610, C400, C500, C600, C7000, C8000, C9000
IPSec Supported IP Versions
IPv4, IPv6
IPv4, IPv6
IPv4, IPv6
Key exchange authentication method
Preshared Key & digital signature, device authentication certificate, server validation certificate
Preshared Key & digital signature
Preshared Key & digital signature
Transport Mode
Transport & Tunnel mode
Transport mode only
Transport mode only
Security Protocol
ESP & AH
ESP only
ESP only
ESP Encryption Method
AES, 3DES, Null
AES, 3DES, DES
AES, 3DES, DES
ESP Authentication Methods
SHA1, SHA256, None
SHA1, SHA256, None
SHA1, SHA256, None
Network Encryption
IPSec
Internet Protocol Security (IPsec) is a network security protocol capable of providing encryption and authentication at the packet level. AltaLink® and VersaLink® products support IPSec for both IPv4 and IPv6 protocols.
November 2018 Page 13
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
AltaLink® Multifunction
VersaLink® Multifunction
VersaLink® Printers
B8045, B8055, B8065, B8075, B8090, C8030, C8035, C8045, C8055, C8070
B405, B605, B615, B7025, B7030, B7035, C405, C505, C605, C7020, C7025, C7030
B400, B600, B610, C400, C500, C600, C7000, C8000, C9000
Wi-Fi (802.11)
No Encryption
Supported
Supported
Supported
WEP
RC4
RC4
RC4
WPA2 Personal (PSK)
CCMP (AES), TKIP, TKIP+CCMP (AES)
CCMP (AES)
CCMP (AES)
WPA2 Enterprise
CCMP (AES), TKIP, TKIP+CCMP (AES)
-­PEAPv0 MS-CHAPv2 EAP-TLS EAP-TTLS/PAP
EAP-TTLS/MS-CHAPv2 EAP-TTLS/EAP-TLS
CCMP (AES) + TKIP
-­PEAPv0 MS-CHAPv2 EAP-TLS EAP-TTLS/PAP EAP-TTLS/CHAP EAP-TTLS/MS-CHAPv2
CCMP (AES) + TKIP
-­PEAPv0 MS-CHAPv2 EAP-TLS EAP-TTLS/PAP EAP-TTLS/CHAP EAP-TTLS/MS-CHAPv2
BSSID Roaming Restriction
Supported
(Not Currently Supported)
(Not Currently Supported)
AltaLink® Multifunction
VersaLink® Multifunction
VersaLink® Printers
B8045, B8055, B8065, B8075, B8090, C8030, C8035, C8045, C8055, C8070
B405, B605, B615, B7025, B7030, B7035, C405, C505, C605, C7020, C7025, C7030
B400, B600, B610, C400, C500, C600, C7000, C8000, C9000
TLS Versions Supported
Product Web Interface
1.2, 1.1, 1.0
1.2, 1.1, 1.0
1.2, 1.1, 1.0
Product Web Services
1.2, 1.1, 1.0
1.2, 1.1, 1.0
1.2, 1.1, 1.0
Product IPPS printing
1.2, 1.1, 1.0
1.2, 1.1, 1.0
1.2, 1.1, 1.0
Remote control
1.2
1.2
1.2
Wireless 802.11 Wi-Fi Protected Access (WPA)
Products equipped with WiFi support WPA2 Personal, WPA2 Enterprise, and Mixed Mode compliant with IEEE 802.11i. The wireless network adapters used in Xerox products are certified by the Wi-Fi Alliance.
TLS
AltaLink® and VersaLink® products support the latest version, TLS 1.2.
November 2018 Page 14
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
AltaLink® Multifunction
VersaLink® Multifunction
VersaLink® Printers
B8045, B8055, B8065, B8075, B8090, C8030, C8035, C8045, C8055, C8070
B405, B605, B615, B7025, B7030, B7035, C405, C505, C605, C7020, C7025, C7030
B400, B600, B610, C400, C500, C600, C7000, C8000, C9000
Device Certificates
Certificate Length
1024, 2048
1024, 2048
1024, 2048
Supported Hashes
SHA1, SHA256
SHA256, SHA384, SHA512
SHA256, SHA384, SHA512
Product Web Server
Supported
Supported
Supported
IPPS (TLS) Printing
Supported
Supported
Supported
802.1X Client
Supported
Supported
Supported
Email Signing
Supported
Supported
(Not Applicable)
Email Encryption
Supported
Supported
(Not Applicable)
OCSP Signing
Supported
Supported
Supported
IPSec
Supported
(Not currently supported)
(Not currently supported)
Public Key Encryption (PKI)
A digital certificate is a file that contains data used to verify the identity of the client or server in a network transaction. A certificate also contains a public key used to create and verify digital signatures. To prove identity to another product, a product presents a certificate trusted by the other product. The product can also present a certificate signed by a trusted third party and a digital signature proving that it owns the certificate.
A digital certificate includes the following data:
• Information about the owner of the certificate
• The certificate serial number and expiration date
• The name and digital signature of the certificate authority (CA) that issued the certificate
• A public key
• A purpose defining how the certificate and public key can be used
There are four types of certificates:
• A Product Certificate is a certificate for which the printer has a private key. The purpose specified in the certificate allows it to be used to prove identity.
• A CA Certificate is a certificate with authority to sign other certificates.
• A Trusted Certificate is a self-signed certificate from another product that you want to trust.
• A domain controller certificate is a self-signed certificate for a domain controller in your network.
Domain controller certificates are used to verify the identity of a user when the user logs in to the product using a Smart Card.
For protocols such as HTTPS, the printer is the server, and must prove its identity to the client Web browser. For protocols such as 802.1X, the printer is the client, and must prove its identity to the authentication server, typically a RADIUS server.
Device Certificates
AltaLink® and VersaLink® products support both CA signed and self-signed certificates. Product certificates support a bit length of up to 2048 bits.
A CA signed certificate can be created by generating a Certificate Signing Request (CSR), and sending it to a CA or a local server functioning as a CA to sign the CSR. An example of a server functioning as a certificate authority is Windows Server 2008 running Certificate Services. When the CA returns the signed certificate, install it on the printer.
Alternatively, a self-signed certificate may be created. When you create a Product Certificate, the product generates a certificate, signs it, and creates a public key used in SSL/TLS encryption.
November 2018 Page 15
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
SFTP
Supported
(Not currently supported)
(Not Applicable)
AltaLink® Multifunction
VersaLink® Multifunction
VersaLink® Printers
B8045, B8055, B8065, B8075, B8090, C8030, C8035, C8045, C8055, C8070
B405, B605, B615, B7025, B7030, B7035, C405, C505, C605, C7020, C7025, C7030
B400, B600, B610, C400, C500, C600, C7000, C8000, C9000
Trusted Certificates
Minimum Length Restriction Options
None, 1024, 2048
1024, 2048
1024, 2048
Maximum Length
4096
4096
4096
Supported Hashes
SHA1/224/256/384/512
SHA1/224/256/384/512
SHA1/224/256/384/512
Supported Formats
.cer, .crt, .der, .pem, PKCS#7 (.p7b), PKCS#12 (.pfx, .p12)
.cer, .der, PKCS#7, PKCS#12 (.pfx, .p12)
.cer, .der, PKCS#7, PKCS#12 (.pfx, .p12)
IPSec
Supported
Supported
Supported
LDAP
Supported
Supported
Supported
Scanning (HTTPS/TLS)
Supported
(Not currently supported)
(Not Applicable)
Scanning (SFTP/SSH)
Used for audit log transfer
(Not currently supported)
(Not Applicable)
802.1X Client
Supported
Supported
Supported
Email Signing
Supported
Supported
(Not Applicable)
Email Encryption
Supported
Supported
(Not Applicable)
OCSP Signing
Supported
Supported
Supported
Trusted Certificates
Public certificates may be imported to the product’s certificate store for validation of trusted external products. The following categories are supported:
• A Trusted Root CA Certificate is a certificate with authority to sign other certificates. These certificates usually are self-signed certificates that come from another product or service that you want to trust.
• An Intermediate CA Certificate is a certificate that links a certificate to a Trusted Root CA Certificate in certain network environments.
• Other Certificates are certificates that are installed on the printer for solution-specific uses. An administrator can specify the minimum encryption key length required for certificates. If a user
attempts to upload a certificate that contains a key that does not meet this requirement, a message appears. The message alerts the user that the certificate they are attempting to upload does not meet the key length requirement.
November 2018 Page 16
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
AltaLink® Multifunction
VersaLink® Multifunction
VersaLink® Printers
B8045, B8055, B8065, B8075, B8090, C8030, C8035, C8045, C8055, C8070
B405, B605, B615, B7025, B7030, B7035, C405, C505, C605, C7020, C7025, C7030
B400, B600, B610, C400, C500, C600, C7000, C8000, C9000
Email S/MIME
Versions
v3
v2, v3, v3.2
(Not Applicable)
Digest
SHA1, SHA256, SHA384, SHA512
MD5, SHA1, SHA256
(Not Applicable)
Encryption
3DES, AES128, AES192, AES256
3DES, RC2, AES128, AES192, AES256
(Not Applicable)
AltaLink® Multifunction
VersaLink® Multifunction
VersaLink® Printers
B8045, B8055, B8065, B8075, B8090, C8030, C8035, C8045, C8055, C8070
B405, B605, B615, B7025, B7030, B7035, C405, C505, C605, C7020, C7025, C7030
B400, B600, B610, C400, C500, C600, C7000, C8000, C9000
SNMPv3
Digest
SHA1, MD5
SHA1, MD5
SHA1, MD5
Encryption
DES, AES128
DES, AES128
DES, AES128
Certificate Validation
AltaLink® and VersaLink® devices support certificate validation with configurable checks for OSCP and CRL. Validation checks include:
Validation of certificate path  Certificate expiration  Validation of trusted CA  Signature validation
Email Signing and Encryption using S/MIME
S/MIME (Secure/Multipurpose Internet Mail Extensions) provides Authentication, Message integrity, Non­repudiation, and encryption of email.
SNMPv3
SNMPv3 is the current standard version of SNMP defined by the Internet Engineering Task Force (IETF). It provides three important security features:
• Message integrity to ensure that a packet has not been tampered with in transit
• Authentication to verify that the message is from a valid source
• Encryption of packets to prevent unauthorized access
November 2018 Page 17
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
AltaLink® Multifunction
VersaLink® Multifunction
VersaLink® Printers
B8045, B8055, B8065, B8075, B8090, C8030, C8035, C8045, C8055, C8070
B405, B605, B615, B7025, B7030, B7035, C405, C505, C605, C7020, C7025, C7030
B400, B600, B610, C400, C500, C600, C7000, C8000, C9000
Network Access Control
802.1x
Supported
Supported
Supported
Authentication Methods
PSK, AES (CCMP)/TKIP, PEAPv0/MS-CHAPv2, EAP­TLS, EAP-TTLS/PAP, EAP­TTLS/MS-CHAPv2, EAP­TTLS/EAP-TLS
MD5, MS-CHAPv2, PEAP/MS-CHAPv2, EAP-TLS
MD5, MS-CHAPv2, PEAP/MS-CHAPv2, EAP-TLS
Authentication
Authenticator
Product
EAPOL
Network Access Control
802.1x
In 802.1X authentication, when the product is connected to the LAN port of Authenticator such as the switch as shown below, the Authentication Server authenticates the product, and the Authenticator controls access of the LAN port according to the authentication result. The product starts authentication processing at startup when the startup settings for 802.1X authentication are enabled.
(Supplicant)
(e.g. Switch)
Server
Cisco Identity Services Engine (ISE)
Cisco ISE is an intelligent security policy enforcement platform that mitigates security risks by providing a complete view of which users and what products are being connected across the entire network infrastructure. It also provides control over what users can access your network and where they can go. Cisco's ISE includes over 200 Xerox product profiles that are ready for security policy enablement. This allows ISE to automatically detect Xerox products in your network. Xerox products are organized in Cisco ISE under product families, such as AltaLink® and VersaLink®, enabling Cisco ISE to automatically detect and profile new Xerox products from the day they are released. Customers who use Cisco ISE find that including Xerox products in their security policies is simpler and requires minimal effort.
Cisco ISE Profiling Services provides dynamic detection and classification of endpoints connected to the network. ISE collects various attributes for each network endpoint to build an endpoint database. The classification process matches the collected attributes to prebuilt or user-defined conditions, which are then correlated to an extensive library of product profiles. These profiles include a wide range of product types, including tablets, smartphones, cameras, desktop operating systems (for example, Windows®, Mac OS® X, Linux® and others), and workgroup systems such as Xerox printers and MFPs.
Once classified, endpoints can be authorized to the network and granted access based on their profile signature. For example, guests to your network will have different level of access to printers and other end points in your network. As an example, you and your employees can get full printer access when accessing the network from a corporate workstation but be granted limited printer access when accessing the network from your personal Apple® iPhone®.
Cisco ISE allows you to deploy the following controls and monitoring of Xerox products:
November 2018 Page 18
Automatically provision and grant network access rights to printers and MFPs to prevent
inappropriate access (including automatically tracking new printing products connecting to the network):
o Block non-printers from connecting on ports assigned to printers
Xerox® Security Guide for Office Class Products: AltaLink® VersaLink®
AltaLink® Multifunction
VersaLink® Multifunction
VersaLink® Printers
B8045, B8055, B8065, B8075, B8090, C8030, C8035, C8045, C8055, C8070
B405, B605, B615, B7025, B7030, B7035, C405, C505, C605, C7020, C7025, C7030
B400, B600, B610, C400, C500, C600, C7000, C8000, C9000
Network Access Control
Cisco ISE
Supported
Supported
Supported
AltaLink® Multifunction
VersaLink® Multifunction
VersaLink® Printers
B8045, B8055, B8065, B8075, B8090, C8030, C8035, C8045, C8055, C8070
B405, B605, B615, B7025, B7030, B7035, C405, C505, C605, C7020, C7025, C7030
B400, B600, B610, C400, C500, C600, C7000, C8000, C9000
Firewall
Stateful Packet Filter
IP Whitelisting
IP Whitelisting
o Prevent impersonation (aka spoofing) of a printer/MFP o Automatically prevent connection of non-approved print products o Smart rules-based policies to govern user interaction with network printing products
Provide simplified implementation of security policies for printers and MFPs by:
o Providing real time policy violation alerts and logging o Enforcing network segmentation policy o Isolating the printing products to prevent general access to printers and MFPs in
restricted areas
Automated access to policy enforcement  Provide extensive reporting of printing product network activity
Contextual Endpoint Connection Management
Traditionally network connection management has been limited to managing endpoints by IP address and use of VLANs and firewalls. This is effective, but highly complex to manage for every endpoint on a network. Managing, maintaining, and reviewing the ACLs (and the necessary change management and audit processes to support them) quickly become prohibitively expensive. It also lacks the ability to manage endpoints contextually.
Connectivity of AltaLink® and VersaLink® devices can be fully managed contextually by Cisco TrustSec. TrustSec uses Security Group Tags (SGT) that are associated with an endpoint’s user, device, and location attributes. SG-ACLs can also block unwanted traffic so that malicious reconnaissance activities and even remote exploitation from malware can be effectively prevented.
FIPS140-2 Compliance Validation
When enabled, the product will validate its current configuration to identify cryptographic modules in use. Modules which are not FIPS 140-2 (Level 1) compliant will be reported.
AltaLink® products include FIPS compliant algorithms of SNMPv3 and Kerberos, however an exception can be approved to run these in non-FIPS compliant mode when configured for non-FIPS algorithms.
VersaLink® products use encryption algorithms for Kerberos, SMB, SNMPv3, and PDF Direct Print Service that are not approved by FIPS140-2. They can however operate in FIPS140-2 approved Mode in order to maintain compatibility with conventional products after an exception is approved by a system administrator. They do not use FIPS compliant algorithms when in this configuration.
Additional Network Security Controls
Additional network security controls are discussed in the following sections.
Endpoint Firewall Options
November 2018 Page 19
Loading...
+ 49 hidden pages