Xerox 3030 All in One Printer User Manual
Contents
1. Cryptographic Operations Controller User Data Protection SSL Controller User Data Protection IP Filtering Controller User Data Protection IPSec Controller Network Management Security Controller Fax Flow Security Fax Module Controller Graphical User Interface Security Management Controller Graphical User Interface Table 1 Security Functions allocated to Subsystems Ver 1 3 March 2011 Page 8 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper Xerox 2 2 Controller 2 2 1 Purpose The controller provides both network and direct connect external interfaces and enables copy print email network scan and LanFAX functionality Network scanning and LanFAX are standard features The controller also incorporates a proprietary web server that exports a Web User Interface WebUI through which users can submit jobs and check job and machine status and through which system administrators can remotely administer the machine The controller contains the image path which uses proprietary hardware and algorithms to process the scanned images into high quality reproductions Scanned images may be temporarily buffered in DRAM to enable electronic pre collation sometimes referred to as scan once print many When producing multiple copies of a document the scanned image is processed and buffered in the DRAM in a proprietary format The buffered bitmaps are then read from DRAM and sent to th2. 1 Foreign Device Interface FDI Allows connection of optional access control hardware 2 PEK Product Enablement Key Reader Slot Used for initial product configuration 3 USB 2 0 Target Port Direct connect printing 4 Ethernet 10 100 1000 Network connectivity 5 FAX line 1 RJ 11 Supports FAX Modem T 30 protocol only 6 Extension Telephone Socket EXT RJ11 Allows connection of telephone 7 USB 2 0 Host Port Not Pictured see Figure 2 1 Printing from USB scanning to USB upload of software upgrade files LINE EXT Figure 2 3 Back panel connections 2 2 4 USB Ports Table 3 Controller External Connections The WorkCentre 3550 contains a host connector for a USB flash drive enabling printing from USB scanning to USB and upload of software upgrade files Autorun is disabled on this port No executable files will be accepted by the port Modifying the software upgrade or saved machine settings files will make the files unusable on a WorkCentre 3550 The machine settings that can be saved and restored by a service technician are limited to controller parameters that are needed for normal operation Both ports can be disabled by an Admin via the WebUI USB USB port and location Purpose USB 2 0 Host port Printing from USB scanning to USB upload of software upgrade files USB 2 0 Target port Direct connect printing
3. Table 4 USB Ports 10 Ver 1 3 March 2011 Page 10 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper 2 3 Fax Module 2 3 1 Purpose xerox The embedded FAX service uses the installed embedded fax card to send and receive images over the telephone interface 2 3 2 Hardware The fax card connects directly to the Main Controller processor card The fax card does not have its own processor and local memory but uses the Main processor and reserved Flash memory The card contains a fax only modem that supports the T 30 protocol If anything other than the T 30 protocol is detected the modem will disconnect Internal logical interfaces maintain separation between Fax and network Volatile Memory Description Type SRAM DRAM etc Size User Modifiable Function or Use Process to Clear Y N None n a n a n a n a Additional Information Non Volatile Memory Description Type Flash EEPROM etc Size User Modifiable Function or Use Process to Clear Y N Flash 7MB N FAX Backup None Additional Information 2 4 Scanner 2 4 1 Purpose Table 5 Fax Module memory components The purpose of the scanner is to provide mechanical transport of hardcopy originals and to convert hardcopy originals to electronic data 2 4 2 Hardware The scanner converts the image from hardcopy to electronic data An optional document handler moves originals
4. When the device is configured with an IP address it is as secure as any device inside the firewall The web pages are accessible only to authorized users of the network inside the firewall This service and port may be disabled in User Tools via the Local User Interface or via the TCP IP page in the Properties tab on the Web UI Please note that when this is disabled IPP Port 631 is also disabled HTTP may be secured by enabling Secure Sockets Layer 2 8 2 4 1 Proxy Server The device can be configured to communicate through a proxy server Features that can make use of a proxy server include the Automatic Meter Read feature scanning to a remote repository or retrieving scan templates from a remote template pool 17 Ver 1 3 March 2011 Page 17 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper Xerox 2 8 2 5 Port 88 Kerberos This port is only open when the device is communicating with the Kerberos server to authenticate a user and is only used only to authenticate users in conjunction with the Network Scanning feature To disable this port authentication must be disabled and this is accomplished via the Local User Interface This version of software has Kerberos 5 1 1 with DES Data Encryption Standard and 64 bit encryption The Kerberos code is limited to user authentication and is used to authenticate a user with a given Kerberos server as a valid user on the network Please note that the Kerberos
5. The device may be set up to connect to a print queue maintained on a remote print server The login name and password are sent to the print server in clear text IPSec should be used to secure this channel 3 3 2 Network Scanning Multifunction models only Network Scanning may require the device to log into a server The instances where the device logs into a server are detailed in the following table Users may also need to authenticate for scanning This authentication is detailed in subsequent sections 3 3 2 1 Device log on Scanning feature Device behavior Scan to Network The device logs in to the scan repository as set up by the SA via CWIS Scan to E mail The device logs into an SMTP Server as set up by the SA via CWIS It will only log into the Server when a user attempts to use the scan to email feature At the time the LDAP server must be accessed the device will log into the LDAP server The device uses simple authentication on the SMTP server A network username and password must be assigned to the device The device logs in as a normal user with read only privileges User credentials are not used for this authentication step and are never transmitted over the network Table 8 Device Log On for Scanning Features Please note that when the device logs into any server the device username and password are sent over the network in clear text unless SSL has been enabled or IPSec has been configured to enc
6. Circuit This is a custom integrated circuit that is unique to a specific product Customer Administration Tool Customer Service Engineer Duplex Automatic Document Feeder Handler Dynamic Host Configuration Protocol Domain Name Server A centralized database that maps host names to static IP addresses Dynamic Domain Name Server Maps host names to dynamic static IP addresses Dynamic Random Access Memory Electrically erasable programmable read only memory Exterior Gateway Protocol Gigabyte Hewlett Packard Hypertext transfer protocol International Business Machines Internet Control Message Protocol Internet Engineering Task Force Internet Fax Image Input Terminal the scanner Information Technology Image Output Terminal the marking engine Internet Protocol Internet Protocol Security Internet Protocol Exchange Local Area Network Lightweight Directory Access Protocol Lightweight Directory Access Protocol Server Typically the same server that is used for email It contains information about users such as name phone number and email address It can also include a user s login alias Light Emitting Diode Line Printer Request Local User Interface Media Access Control Management Information Base not applicable Novell Distributed Print Services NETBIOS Extended User Interface Network Basic Input Output System Network Operating System Non Volatile Random Access Memory 27 Xerox D Page 27
7. Input and Output groups and all machines assessed support RO access Therefore RO access to these MIB objects is considered IETF compliant 3 Itis assumed that mandatory IETF string related MIB objects shall contain meaningful data not blank strings 4 The C notation indicates that the previously stated item is a true caveat condition The I notation indicates that the previous stated item should be regarded as information only 5 MIB objects that CANNOT be populated with meaningful data e g a machine may not have paper level sensors hence can only support 0 or 3 for more than 1 sheet for prtInputCurrentLevel will be considered a caveat denoted as C 6 The Printer MIB requires a few groups from RFC 1213 and RFC 1514 to be supported Therefore this assessment will indicate that these groups are supported as long as the basic MIB structures have been implemented SNMP version Network Transport support WorkCentre SNMPv1 RFC 1157 SNMPv2P RFCs 1 40x SNMPv2C RFCs 190x SNMPv3 RFCs 1902 2572 2574 SNMP over UDP IP SNMP over IPX Netware SNMP over NETBEUI Microsoft Networking RFC 1759 Printer MIB Group WorkCentre RFC 1213 System group RFC 1213 Interface group RFC 1514 Storage group RFC 1514 Device group General group 7 objects Covers group 3 objects Localization group 4 objects Responsible Party group 2 objects OPTIONAL System Resources group 4 objects Input gr
8. channel can be secured by establishing an IPSec association between a client and the device A shared secret is used to encrypt the traffic flowing through this tunnel SSL must be enabled in order to set up the shared secret When an IPSec tunnel is established between a client and the machine the tunnel will also be active for administration with SNMPv2 tools HP Open View etc providing security for SNMP SETs and GETS with an otherwise insecure protocol SNMP Traps may not be secure if either the client or the device has just been rebooted IP Filtering can be useful to prevent SNMP calls from non IPSec clients Once an IPSec channel is established between two points it stays open until one end reboots or goes into power saver Only network clients and servers will have the ability to establish an IPSec tunnel with the machine Thus 15 Ver 1 3 March 2011 Page 15 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper Xerox device initiated operations like scanning cannot assume the existence of the tunnel unless a print job or other client initiated action has been previously run since the last boot at either end of the connection 2 8 2 Ports The following table summarizes all potential open ports and subsequent sections discuss each port in more detail Default Type Service name Port 25 TCP SMTP 53 UDP DNS 68 UDP BOOTP DHCP 80 TCP HTTP 88 UDP TCP Kerberos 137 UDP NETBIOS Name Service
9. group 6 objects EGP group 20 objects Transmission group 0 objects SNMP group 28 objects System Object Resources Table objects per RFC 1907 8 objects Additional Capabilities Application Support ability to change GET SET TRAP PDU community names Printer MIB traps SNMP Generic Traps Vendor specific Traps set trap destination address es for any 3rd party Net Mgmt apps polling for IETF status objects using any 3rd party Net Mgmt apps walking IETF MIB tree structure using any 3rd party Net Mgmt app e g HP OpenView etc shareware program New type 2 enumerations from next generation Host Resources MIB supported New type 2 enumerations from next generation Printer MIB supported New Printer MIBv2 objects implemented IETF AppleTalk MIB RFC 1243 implemented Job monitoring via MIBs Vendor specific client application s provided required Windows2000 MIB objects supported Embedded Web Server support Xerox PrinterMap application support Xerox PrintXchange support Novell Distributed Print Services support Dazel Output Management Environment HP OpenView snap in module CA Unicenter snap in module IBM Tivoli NetView snap in module Xerox WorkCentre supported supported supported supported supported supported supported supported supported WorkCentre supported supported supported but this group has been DEPRECATED by the IETF supported support
10. of 32 NVM PCL PDL PIN PWBA RFC SA SLP SNMP SRAM SSDP SSL TCP TIFF UI URL UDP WebUI XCMI XSA Ver 1 3 March 2011 XEROX WorkCentre 3550 Information Assurance Disclosure Paper Non Volatile Memory Printer Control Language Page Description Language Personal Identification Number Printed Wire Board Assembly Required Functional Capability System Administrator Service Location Protocol Simple Network Management Protocol Static Random Access Memory Simple Service Discovery Protocol Secure Sockets Layer Transmission Control Protocol Tagged Image File Format User Interface Uniform Resource Locator User Datagram Protocol Web User Interface the web pages resident in the WorkCentre Pro These are accessible through any browser using the machine s IP address as the URL Xerox Common Management Interface Xerox Standard Accounting 28 Xerox Page 28 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper Xerox 6 2 Appendix B Supported MIB Objects NOTES 1 The number of objects shown per MIB group represents the number of objects defined by the IETF standard for that MIB group It does not represent the instantiation of the MIB group which may contain many more objects 2 Some MIB objects defined within Input and Output groups of the Printer MIB RFC 1759 have a MAX ACCESS of RW However the Printer MIBv2 defines a MIB ACCESS of RO for these MIB objects within the
11. performing DHCP and is not open all of the time To permanently close this port DHCP must be explicitly disabled This is done in User Tools via the Local User Interface or via the TCP IP page in the Properties tab on the WebUI 2 8 2 4 Port 80 HTTP The embedded web pages communicate to the machine through a set of unique APIs and do not have direct access to machine information Network Controller 2S eg vi 7 l n t request gt htt request p f machine server response a information I lt response i XN pad Network Figure 2 6 HTTP The HTTP port can only access the HTTP server residing in the controller The embedded HTTP server is Apache The purpose of the HTTP server is to e Give users information of the status of the device e View the job queue within the device and delete jobs e Allow users to download print ready files and program Scan to File Job Templates e Allow remote administration of the device Many settings that are on the Local UI are replicated in the device s web pages Users may view the properties of the device but not change them without logging into the machine with administrator privileges The HTTP server can only host the web pages resident on the device It does not and cannot act as a proxy server to get outside of the network the device resides on Hence the server cannot access any networks or web servers outside of the customer firewall
12. port numbers http www iana org assignments port numbers 32 Ver 1 3 March 2011 Xerox Page 32 of 32
13. 138 UDP NETBIOS Datagram Service SMB filing and Scan template retrieval 139 TCP NETBIOS SMB filing and Scan template retrieval 161 UDP SNMP 162 UDP SNMP trap 389 UDP LDAP 396 TCP Netware 427 TCP UDP SLP 443 TCP SSL 515 TCP LPR 546 UDP DHCPv6 631 TCP IPP 636 TCP sLDAP 1124 TCP UDP Network Scan Utility 1900 UDP SSDP 3003 TCP HTTP SNMP reply 5200 TCP UPnP 5353 UDP Multicast DNS 6000 UDP SetIP Utility 7000 UDP LTP Utility 9100 TCP Raw IP 9400 TCP TWAIN for Network Utility 9401 TCP TWAIN for Network Utility Table 76 Network Ports Please note that there is no FTP port in this list FTP is only used to export scanned images and to retrieve Scan Job Templates and will open port 21 on the remote device An FTP port is never open on the controller itself 2 8 2 1 Port 25 SMTP This unidirectional port is open only when Scan to E mail or Internet Fax I Fax is exporting images to an SMTP server or when email alerts are being transmitted SMTP messages amp images are transmitted to the SMTP server from the device 2 8 2 2 Port 53 DNS Designating a DNS server will allow the device to resolve domain names This can be configured via the Local UI or WebUI 16 Ver 1 3 March 2011 Page 16 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper Xerox 2 8 2 3 Port 68 DHCP This port is used only when
14. S Layer in the Controller The OS layer includes the operating system network and physical I O drivers The controller operating system is pSOS v2 5 The crypto library for IPSec is provided by the OpenSSL Toolkit IP Filtering is also provided as a loadable kernel module 13 Ver 1 3 March 2011 Page 13 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper xerox e 2 7 3 Network Protocols Figure 2 is an interface diagram depicting the protocol stacks supported by the device annotated according to the DARPA model s s I snmp ot snmp v3 i smtp i LDAP i pops DHCP A j ipp j DNS j lpr j Kerberos j ftp i SMB l NDS j AFP a N NY N 7 ri oe 1 1 1 Sy Ss SS N N CA ssl tls r p j S S N R F Ge Pa se i z N a ae N 4 dr ie NETBIOS O0 M NCP o W ZIP ASP PAP Se g N 7 Lr a Sat Slee 7 oe Laer SOOS VOE ad ff ye weer SAP oY i oe PS Ne Ne A a N Pog l SA Port9100 RRNA ee i i N RON i Me up L Wo top SPX Y V RTMP NBP ATP AEP ed i LE I Se 1 see 1 ee 1 EES 1 Transport Layer sa i ieee i os 1 ee 1 Sai i vies 1 y IPSec Ed j EN i SA 1 eae 1 y an dl ee 1 7K e pv IPX gt ___ gt 4 DDP AARP Internet Layer RE N EE Ee oo 1 BEE EF ar j ss ET T Sloe Zee 1 seseen see 1 sponas ek 1 er a Network Layer lede ed 802 3 Figure 2 4 IPv4 Network Protocol Stack 14 Ver 1 3 Marc
15. Xerox Xerox WorkCentre 3550 Information Assurance Disclosure Paper Version 1 2 Prepared by Mark Bixler Xerox Corporation 800 Phillips Road Webster New York 14580 XEROX WorkCentre 3550 Information Assurance Disclosure Paper xerox e 2011 Xerox Corporation All rights reserved Xerox and the sphere of connectivity design are trademarks of Xerox Corporation in the United States and or other counties Other company trademarks are also acknowledged Document Version 1 3 March 2011 Ver 1 3 March 2011 Page 2 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper Xerox 1 AINGROR HE TOM EE GR ee Ge 5 ER TE 5 1 2 TEE 5 1 3 EE ssaeacs vcr gbsetersacitegechctegecineittnipcectann ited eesescinventdtead 5 2 DEVICE DESCRIPTION iese esse ee ese ie Gee Deed ees ee Deed ee ee ee ee bee ee eed 6 2 1 Security relevant Subsystems uur ee AA AA AA AA 7 2 1 1 Physical Partitioning 2 1 2 Security Functions allocated to Subsystems 2 2 MG OPEN EE EE OE EE EE EE 9 2 2 1 Purpose ae aa 2 2 2 Memory So rele N OE 9 2 2 3 External CONMMOCUHOMS EE EE N Ea 10 2 24 USB EE OE OE EE EE ER 10 2 3 Fax Module 2 3 1 Purpose 2 32 Hairdwalie NE RE ED ee Ge N DE De A E RE N ER Gieeatee 2 4 SCOUT EE N EE EE N 11 2 4 1 Purpose P aa 2A HaidwWale se A A E E A 11 2 5 Local User Interface AU OE EE EE RREA 12 2 5 1 Purpose a 29 2 PG EE EE EE NANN Sa 12 2 6 Marking Engine also know
16. at can be downloaded and forwarded to the well known CA for signing The signed device certificate is then uploaded to the device Alternatively the device will generate a self signed certificate In this case the generic Xerox root CA certificate must be downloaded from the device and installed in the certificate store of the user s browser The device supports only server authentication 2 8 2 12 Port 515 LPR This is the standard LPR printing port which only supports IP printing It is a configurable port and may be explicitly enabled or disabled in the Properties tab of the device s web pages 2 8 2 13 Port 546 DHCPv6 This port is used only when performing DHCPv6 and is not open all of the time To permanently close this port DHCPv6 must be explicitly disabled This is done via the TCP IP page in the Properties tab on the WebUI 2 8 2 14 Port 631 IPP This port supports the Internet Printing Protocol It is not configurable This is disabled when the http server is disabled 19 Ver 1 3 March 2011 Page 19 of 32 D XEROX WorkCentre 3550 Information Assurance Disclosure Paper Xerox 2 8 2 15 Port 636 sLDAP This is the standard LDAP port when using SSL for address book queries in the Scan to Email feature 2 8 2 16 Port 1124 Network Scan Utility This port supports the Xerox Network Scan utility It is not configurable and cannot be disabled 2 8 2 17 Port 1900 SSDP This port behaves s
17. e Image Output Terminal IOT for marking on hardcopy output For long documents the production of hardcopy may begin before the entire original is scanned achieving a level of concurrency between the scan and mark operations The controller operating system is pSOS v2 5 The controller works with the User Interface UI assembly to provide system configuration functions A System Administrator PIN must be entered at the UI in order to access these functions 2 2 2 Memory Components Volatile Memory Type SRAM DRAM Size User Function or Use Process to Sanitize etc Modifiable Y N SDRAM 256 512 Expandable Main Memory Remove power MB to 512 MB Additional Information Non Volatile Memory Type Flash EEPROM Size User Function or Use Process to Sanitize etc Modifiable Y N Flash 32 MB No Operating System PDL None Interpreters Fonts MIB Fax Journal List Fax Dialing Code used for scheduling the marking of jobs Flash ROM 1 MB No Backup None Flash 8 MB No Fax Font Backup None Additional Information At memory listed above contains code for execution and configuration information No user or job data is permanently stored in this location Table 2 Controller memory components Ver 1 3 March 2011 Page 9 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper 2 2 3 External Connections Xerox Interface Description Usage
18. ease see the User Manual for details Each addition is a separate session to the LDAP server 3 2 2 2 SMB Authentication Windows NT 4 or Windows 2000 Windows 2003 This is also an option that may be enabled on the device and is used in conjunction with scan to network and scan to email features The authentication steps vary somewhat depending on the network configuration Listed below are 3 network configurations and the authentication steps Basic Network Configuration Device and Domain Controller are on the same Subnet Authentication Steps 1 The device broadcasts an authentication request that is answered by the Domain Controller 2 The Domain Controller responds back to the device whether or not the user was successfully authenticated If 2 is successful steps 3 5 proceed as described in steps 4 6 of the Kerberos section Device and Domain Controller are on different Subnets SA defines IP Address of Domain Controller Authentication Steps 1 The device sends an authentication request directly to the Domain Controller through the router using the IP address of the Domain Controller 2 The Domain Controller responds back to the device through the router whether or not the user was successfully authenticated If 2 is successful steps 3 5 proceed as described in 4 6 of Kerberos section we Router EER x Subnet 1 S Subnet 2 3 gt F WorkCentre or 4 Domain Con
19. ed supported supported not applicable because Exterior Gateway Protocol not supported by machine not applicable because the group has not yet been defined by the IETF supported supported WorkCentre supported supported printerV1Alert printerV2Alert supported coldStart warmStart authenticationFailure supported xcmJobV1AlertNew xcmJobV2AlertNew for job monitoring alerts supported via Web UI supported supported optional not supported because Host Resources MIBv2 has NOT entered the standards track supported optional not support because Printer MIBv2 has NOT entered the standards track supported via Xerox MIBs CentreWare Services supported supported supported supported supported w Xerox NDPS Gateway solution w improved device status supported supported supported supported Table 9 Supported MIB Objects Ver 1 3 March 2011 30 Page 30 of 32 D XEROX WorkCentre 3550 Information Assurance Disclosure Paper 6 3 Appendix C Standards Controller Software Xerox Function RFC Standard Internet Protocol 950 Internet standard subnetting procedure 919 Broadcasting internet datagrams 922 Transmission Control Protocol TCP 793 User Datagram Protocol 768 Standard for the transmission of IP datagrams over Ethernet 894 networks Standard for the transmission of IP datagra
20. ent Feeder amp Scanner IIT The Network Controller is located on the left rear side of the machine in WorkCentre USB Host Port 3550 products Marking Engine IOT Paper Trays Output Bin Figure 2 1 WorkCentre Multifunction System Ver 1 3 March 2011 Page 6 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper Xerox 2 1 Security relevant Subsystems 2 1 1 Physical Partitioning The security relevant subsystems of the product are partitioned as shown in Figure 2 2 Human Interface Original Documents Power Button 1 i eai Scanner Document Handler Button and TOE intemd wirng proprietary tema Wri Ethemet Port USB Target Image Output TOE Inema Had Port USB Host Ports Terina also Herdcopy Scanner Interface PEK Physical extemal htertace na FPaper output interface Finisher Reader Slot Foreign Device Interface ow of 2 Physical extemal Power Cord Power Suppl Iter foe i Fax hlodule E is TOE Physical Boundary ga gE PSTN RJ 11 Port Figure 2 2 System functional block diagram 7 Ver 1 3 March 2011 Page 7 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper 2 1 2 Security Functions allocated to Subsystems Security Function Subsystem System Authentication Controller Graphical User Interface Network Authentication Controller Graphical User Interface
21. h 2011 Page 14 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper Xerox D S s a i snmp oy snmp v3 i smtp i LDAP i pops f DHCP http j ipp j DNS j Ipr j Kerberos j ftp i NDS i AFP N 1 7 7 Pd 1 1 os N N yN d ra I l s by 1 7 7 7 i i Ne PR Mtl 7 i 1 ssl tls 7 N SS W VN 7 7 gt 1 1 N x N VON s 7 7 7 1 1 XY x i N VON T P pad 1 1 RK a N 7 N ON ar N oa NCP O Y V O ZIPIASPIPAP is OR T T ae FE I 1 N 7 p 1 SSN ON Vf f f yf a H 1 N ae Ne W w if we i Mar es A ot P 1 I oor ve oy SO N NM ne Par Z SAP 1 SN bo dd ee a a f 4 Sn TCO UR TTC INNS 7 i Sc Port9100 SSS EE 7e j NA SO ae i N SAUL GET i Me up L tep 1 SPX Y V RTMP NBP ATP AEP 1 1 1 1 1 1 as 1 1 1 1 1 1 Be 4 eee ee Ged IPSec S i soo o lL EE oe EE id e Pw IPX WV Me DDP AARP Internet Layer 7 2 Network Layer f IEEE 802 1X I IEEE 802 3 Figure 2 5 IPv6 Network Protocol Stack 2 8 Logical Access 2 8 1 Network Protocols The supported network protocols are listed in Appendix C and are implemented to industry standard specifications i e they are compliant to the appropriate RFC and are well behaved protocols There are no Xerox unique additions to these protocols 2 8 1 1 IPSec The device supports IPSec tunnel mode The print
22. ill allow the device to resolve domain names over a multicast protocol This can be configured via the Local UI or WebUI 2 8 2 21 Port 6000 SetIP Utility This port supports the Xerox Set IP utility It is not configurable and cannot be disabled 2 8 2 22 Port 9100 raw IP This allows downloading a PDL file directly to the interpreter This port has limited bi directionality via PJL back channel and allows printing only This is a configurable port and may be disabled in the Properties tab of the device s web pages 2 8 2 23 9400 TWAIN for Network Utility This port supports the Xerox TWAIN for Network utility It is not configurable and cannot be disabled 2 8 2 24 9401 TWAIN for Network Utility This port supports the Xerox TWAIN for Network utility It is not configurable and cannot be disabled 2 8 3 IP Filtering The devices contain a static host based firewall that provides the ability to prevent unauthorized network access based on an IP address or IP address range Filtering rules can be set by the SA using the WebUI 20 Ver 1 3 March 2011 Page 20 of 32 3 3 1 3 2 3 2 1 XEROX WorkCentre 3550 Information Assurance Disclosure Paper Xerox System Access Authentication Model The authentication model allows for the following e Local Authentication Provides access to the scan to network and scan to email services User account information is kept in a local accounts database and the authenticatio
23. imilarly to the SLP port When activated this port is used for service discovery and advertisement The device will advertise itself as a printer and also listen for SSDP queries using this port It is not configurable This port is explicitly enabled disabled in the Properties tab of the device s web pages 2 8 2 18 Port 3003 http SNMP reply This port is used when the http server requests device information The user displays the Web User Interface WebUI and goes to a page where the http server must query the device for settings e g Novell network settings The http server queries the machine via an internal SNMP request hence this port can only open when the http server is active The machine replies back to the http server via this port It sends the reply to the loopback address 127 0 0 0 which is internally routed to the http server This reply is never transmitted on the network Only SNMP replies are accepted by this port and this port is active when the http server is active i e if the http server is disabled this port will be closed If someone attempted to send an SNMP reply to this port via the network the reply would have to contain the correct sequence number which is highly unlikely since the sequence numbers are internal to the machine 2 8 2 19 Port 5200 UPnP This port is used by UPnP This is disabled when SSDP is disabled see 3 2 2 16 2 8 2 20 Port 5353 Multicast DNS Designating a Multicast DNS server w
24. ing stored to the server or templates are being retrieved from the Template Pool For these features SMB protocol is used 18 Ver 1 3 March 2011 Page 18 of 32 D XEROX WorkCentre 3550 Information Assurance Disclosure Paper Xerox 2 8 2 7 Ports 161 162 SNMP These ports support the SNMPv1 SNMPv2c and SNMPv3 protocols Please note that SNMP v1 does not have any password or community string control SNMPv2 relies on a community string to keep unwanted people from changing values or browsing parts of the MIB This community string is transmitted on the network in clear text so anyone sniffing the network can see the password Xerox strongly recommends that the customer change the community string upon product installation SNMP is configurable and may be explicitly enabled or disabled in the Properties tab of the device s web pages SNMP traffic may be secured if an IPSec tunnel has been established between the agent the device and the manager i e the user s PC The device supports SNMPv3 which is an encrypted version of the SNMP protocol that uses a shared secret Secure Sockets Layer must be enabled before configuring the shared secret needed for SNMPv3 2 8 2 8 Port 389 LDAP This is the standard LDAP port used for address book queries in the Scan to Email feature 2 8 2 9 Port 396 Netware This configurable port is used when Novell Netware is enabled to run over IP 2 8 2 10 Port 427 SLP When act
25. into a position to be scanned The scanner provides enough image processing for signal conditioning and formatting The scanner does not store scanned images All other image processing functions are in the main controller Ver 1 3 March 2011 11 Page 11 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper 2 5 2 5 1 Purpose Local User Interface LUI Xerox The LUI detects hard button actuations and provides text and graphical prompts to the user Images are not transmitted to or stored in the LUI The Start hard button is located on the LUI panel 2 5 2 Hardware Volatile Memory Description user image data stored Type SRAM DRAM etc Size User Modifiable Function or Use Process to Clear Y N RAM 2KB N User Interface volatile memory no Power Off System Additional Information All memory listed above contains code for execution and configuration information No user or job data is permanently stored in this location Non Volatile Memory Description Type Flash EEPROM etc Size User Modifiable Function or Use Process to Clear Y N PROM 64KB N No user image data stored None Additional Information All memory listed above contains code for execution and configuration information No user or job data is stored in this location Table 6 User Interface memory components 2 6 Marking Engine also known as the Image Outp
26. is authenticated to the device the user may proceed to use the scan to network and scan to email features The WebUI allows an SA to set up a default authentication domain and as many as 6 additional alternate authentication domains The device will attempt to authenticate the user at each domain server in turn until authentication is successful or the list is exhausted 3 2 2 1 Kerberos Authentication Solaris or Windows 2000 Windows 2003 This is an option that must be enabled on the device and is used in conjunction with scan to network and scan to email features The authentication steps are 1 A User enters a user name and password at the device in the Local UI The device sends an authentication request to the Kerberos Server 2 The Kerberos Server responds with the encrypted credentials of the user attempting to sign on 3 The device attempts to decrypt the credentials using the entered password The user is authenticated if the credentials can be decrypted 4 The device then logs onto and queries the LDAP server trying to match an email address against the user s Login Name 21 Ver 1 3 March 2011 Page 21 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper Xerox F If the LDAP Query is successful the user s email address is placed in the From field Otherwise the default From is used 5 6 The user may then add recipient addresses by accessing the Address Book on the LDAP server Pl
27. ivated this port is used for service discovery and advertisement The device will advertise itself as a printer and also listen for SLP queries using this port It is not configurable This port is explicitly enabled disabled in the Properties tab of the device s web pages 2 8 2 11 Port 443 SSL This is the default port for Secure Sockets Layer communication This port can be configured via the device s web pages SSL must be enabled before setting up either SNMPv3 or IPSec SSL must also be enabled in order to use any of the Web Services Automatic Meter Reads or Network Scanning Validation Service SSL should be enabled so that the device can be securely administered from the web UI When scanning SSL can be used to secure the filing channel to a remote repository SSL uses X 509 certificates to establish trust between two ends of a communication channel When storing scanned images to a remote repository using an https connection the device must verify the certificate provided by the remote repository A Trusted Certificate Authority certificate should be uploaded to the device in this case To securely administer the device the user s browser must be able to verify the certificate supplied by the device A certificate signed by a well known Certificate Authority CA can be downloaded to the device or the device can generate a self signed certificate In the first instance the device creates a Certificate Signing Request CSR th
28. ms over IEEE802 1042 networks ICMP ICMP Echo ICMP Time ICMP Echo Reply and ICMP Destination Unreachable message 732 Reverse Address Resolution Protocol RARP 903 Bootstrap Protocol BOOTP 951 Clarifications and Extensions for the Bootstrap Protocol BOOTP 1542 X 500 Distinguished Name RFC references 1779 2253 2297 2293 SLP 2608 Dynamic Host Configuration Protocol DHCP 2131 DHCP Options and BOOTP Vendor Extensions 2132 X 509 Certificate RFC references 2247 2293 2459 2510 2511 3280 Hyper Text Transfer Protocol version 1 1 HTTP 2616 Line Printer Daemon LPR LPD 1179 File Transfer Protocol FTP 959 SNMPv1 1157 SNMPv2 1901 1905 1906 1908 1909 Structure of Management Information SMI for SNMPv1 1155 1212 Structure of Management Information SMI for SNMPv2 1902 1903 1904 IETF MIBs MIB II 1213 Host Resources 1514 RFC 1759 Printer Printer MIB V2 1759 SNMP Traps 1215 Document Printing Application DPA 10175 AppleTalk Inside AppleTalk Second Edition Table 10 Controller Software Printing Description Languages Postscript Language Reference Third Edition PCL6 PCLSE 5SI emulation PCL6 PCLXL 5M emulation TIFF 6 0 JPEG 31 Ver 1 3 March 2011 Page 31 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper Portable Document Format Reference Manual Version 1 3 6 4 Appendix E References Kerberos FAQ http www nrl navy mil CCS people kenh kerberos fag html IP
29. n as the Image Output Terminal or TOT sees ee ee ee 12 2 6 1 AE oe EE ER EE OR EE EE E ENTRER PAEPAE alo ie el OE ER AE EE OE EE 2 6 3 Control and Data Interfaces 2 7 System Software Structure 2 7 1 Open source components 2 7 2 OS Layer in the Controller 2 7 3 Network Protocols 2 8 Lodical Access RE E E E ee Ge eo GE ee ee se ee 2 8 1 Network Protocols PA PAE oi EE N EE EE NE NE N N EE EN NE oi ie 2 8 3 IP dl ele EE i i oeira a E a ES EPE E R a AE aa EEE a E TE Rii 3 SYSTEM ACCESS wissssccccissccssccssssssstesdesvosessssscdestsossactsonssaesseavesnsesesdsonssasoostserscandaassosesssebsaonsssscsedsatoardbee 21 3 1 Authentication MO d E OR EE N EE Aeae E E NERES ENER SEA GASEN iS ESEE ER Sa 21 Ver 1 3 March 2011 Page 3 of 32 D XEROX WorkCentre 3550 Information Assurance Disclosure Paper 3 2 Login and Authentication Methods sesse seen ee ee ER ee ee ee ee ee ee ee ee ee en ee ee ee ee ee gee 3 2 1 System Administrator Login All product configurations ssssssscsssescecsseesecesssesseennsesescsnsesescnnseeccennseesenneesesenneeeess B22 WSOP CULMS ECA OMT ER EE EE OE Ee 3 3 System ACCOUNTS eer ge es GEN eek VG De N eg Ne GN eg ee 3 3 1 Printing Multifunction models only 3 3 2 Network Scanning Multifunction models only 3 4 DVI OSE NCS SR EE N EE EE 24 4 SECURITY ASPECTS OF SELECTED FEATURES ies seek eie seed ers seek sesse ne bee sedes 25 4 1 SMarteSolutiofis Ee ee c
30. n for this is that given enough time someone could reverse engineer the authentication and gain access to the network With the 5 minute timeout the person has just 5 minutes to reverse engineer the authentication and the key before it becomes invalid It was determined during the implementation of Kerberos for our device that it would be too difficult for the user SA to keep the device clock in sync with the Kerberos server so the Xerox instantiation of Kerberos has the clock skew check removed The disadvantage is that this gives malicious users unlimited time to reverse engineer the user s key However since this key is only valid to access the Network Scanning features on a device possession of this key is of little use for nefarious purposes 3 The device ignores much of the information provided by Kerberos for authenticating For the most part the device only pays attention to information that indicates whether authentication has passed Other information that the server may return e g what services the user is authenticated for is ignored or disabled in the Xerox implementation This is not an issue since the only service a user is being authenticated for is access to an e mail directory No other network services are accessible from the Local UI Xerox has received an opinion from its legal counsel that the device software including the implementation of a Kerberos encryption protocol in its network authentication feature is not
31. n process will take place locally e Network Authentication Provides access to the scan to network and scan to email services User network credentials are used to authenticate the user at the network domain controller e Authorization Provides three levels of access to the CentreWare Internet Services and to the Local User Interface system administrator key user and all users Login and Authentication Methods There are a number of methods for different types of users to be authenticated In addition the connected versions of the product also log into remote servers A description of these behaviors follows System Administrator Login All product configurations Users must authenticate themselves to the device To access the User Tools via the Local UI a PIN is required The customer can set the PIN to anywhere from 4 to 32 alphanumeric characters in length This PIN is stored in the controller NVM and is inaccessible to the user Xerox strongly recommends that this PIN be changed from its default value immediately upon product installation The PIN should be set to a minimum of 8 characters in length and changed at least once per month Longer PINs can be changed less frequently a 9 character PIN would be good for a year The same PIN is used to access the Administration screens in the Web UI 3 2 2 User authentication Users may authenticate to the device using Kerberos LDAP or SMB Domain authentication protocols Once the user
32. oup 72 objects Extended Input group 7 objects OPTIONAL Input Media group 4 objects OPTIONAL Output group 6 objects Extended Output group 7 objects OPTIONAL Output Dimensions group 5 objects OPTIONAL Output Features group 6 objects OPTIONAL Marker group 15 objects Marker Supplies group 9 objects OPTIONAL Marker Colorant group 5 objects OPTIONAL Media Path group 17 objects Channels group 8 objects Interpreter group 12 objects Console group 4 objects Console Display Buffer group 2 objects Console Display Light group 5 objects Alert Table group 8 objects Alert Time group 7 object OPTIONAL 29 Ver 1 3 March 2011 Page 29 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper RFC 1514 Host Resources MIB group System group 7 objects Storage group 8 objects Devices group 6 objects Processor Table 2 objects Network Interface Table 1 object Printer Table 2 objects Disk Storage Table 4 objects Partition Table 5 objects File System Table 9 objects Software Running group 7 objects OPTIONAL Software Running Performance group 2 objects OPTIONAL Software Installed group 7 objects OPTIONAL RFC 1213 MIB II for TCP IP group System group 7 objects Interfaces group 23 objects Address Translation group 3 objects IP group 42 objects ICMP group 26 objects TCP group 19 objects UDP
33. roducts do not establish security for any network environment The purpose of this document is to inform Xerox customers of the design functions and features of the WorkCentre products relative to Information Assurance IA This document does NOT provide tutorial level information about security connectivity PDLs or WorkCentre products features and functions This information is readily available elsewhere We assume that the reader has a working knowledge of these types of topics However a number of references are included in the Appendix 1 2 Target Audience The target audience for this document is Xerox field personnel and customers concerned with IT security 1 3 Disclaimer The information in this document is accurate to the best knowledge of the authors and is provided without warranty of any kind In no event shall Xerox Corporation be liable for any damages whatsoever resulting from user s use or disregard of the information provided in this document including direct indirect incidental consequential loss of business profits or special damages even if Xerox Corporation has been advised of the possibility of such damages Ver 1 3 March 2011 Page 5 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper Xerox 2 Device Description This product consists of an input document handler and scanner marking engine including paper path controller and user interface User Interface UI Docum
34. rypt the traffic 3 4 Diagnostics To access onboard diagnostics from the local user interface Xerox service representatives must enter a unique 4 digit password This PIN is the same for all product configurations and cannot be changed 24 Ver 1 3 March 2011 Page 24 of 32 4 1 XEROX WorkCentre 3550 Information Assurance Disclosure Paper Xerox 4 Security Aspects of Selected Features SMart eSolutions SMart eSolutions provides the ability to automatically send data to Xerox to be used for billing Meter Assistant and toner replenishment Supplies Assistant The Systems Administrator sets up the attributes for the service via the web UI including enable disable participation in SMart eSolutions and time of day for the daily polling to the Xerox Communication Server The device can be set to communicate via a proxy server on the customer s network The proxy server is set to auto detect proxy settings or to manually set proxy address using the WebUI 4 2 1 Meter Assistant Once the connection with the Xerox Communication Server has been established the Meter Assistant service will poll the Xerox Communication server daily over the network The server will check whether it is time in the billing cycle to update the meter readings If so the server will request reads from the device and the device will then respond by sending the meter reads back to the server 4 2 2 Supplies Assistant Once the connection with the Xero
35. server a 3rd party device needs to be set up for each user Once the user is authenticated the Kerberos software has completed its task This code will not and cannot be used to encrypt or decrypt documents or other information This feature is based on the Kerberos program from the Massachusetts Institute of Technology MIT The Kerberos network authentication protocol is publicly available on the Internet as freeware at http web mit edu kerberos www Xerox has determined that there are no export restrictions on this version of the software However there are a few deviations our version of Kerberos takes from the standard Kerberos implementation from MIT These deviations are 1 The device does not keep a user s initial authentication and key after the user has been authenticated Ina standard Kerberos implementation once a user is authenticated the device holds onto the authentication for a programmed timeout the usual default is 12 hours or until the user removes it prior to the timeout period In the Xerox implementation all traces of authentication of the user are removed once they have been authenticated to the device The user can send any number of jobs until the user logs off the system either manually or through system timeout 2 The device ignores clock skew errors In a standard implementation of Kerberos authentication tests will fail if a device clock is 5 minutes or more different from the Kerberos server The reaso
36. subject to encryption restrictions based on Export Administration Regulations of the United States Bureau of Export Administration BXA This means that it can be exported from the United States to most destinations and purchasers without the need for previous approval from or notification to BXA At the time of the opinion restricted destinations and entities included terrorist supporting states Cuba Iran Libya North Korea Sudan and Syria their nationals and other sanctioned entities such as persons listed on the Denied Parties List Xerox provides this information for the convenience of its customers and not as legal advice Customers are encouraged to consult with legal counsel to assure their own compliance with applicable export laws 2 8 2 6 Ports 137 138 139 NETBIOS For print jobs these ports support the submission of files for printing as well as support Network Authentication through SMB Port 137 is the standard NetBIOS Name Service port which is used primarily for WINS Port 138 supports the CIFS browsing protocol Port 139 is the standard NetBIOS Session port which is used for printing Ports 137 138 and 139 may be configured in the Properties tab of the device s web page For Network Scanning features ports 138 and 139 are used for both outbound i e exporting scanned images and associated data and inbound functionality i e retrieving Scan Templates In both instances these ports are only open when the files are be
37. troller i LDAP Server i WorkCentre Pro amp S N Figure 3 1 SMB Authentication with IP Address Device and Domain Controller are on different Subnets SA defines Hostname of Domain Controller Authentication Steps 22 Ver 1 3 March 2011 Page 22 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper Xerox 1 The device sends the Domain Controller hostname to the DNS Server Router 6 EEEEE yo Fo Subnet 2 Subnet 1 4 E S cs WorkCentre or j i a WorkCentre Pro amp 7 gt LDAP Server Domain Controller T A i 1 2 Y DNS Server Figure 3 2 SMB Authentication with Hostname 2 The DNS Server returns the IP Address of the Domain Controller 3 The device sends an authentication request directly to the Domain Controller through the router using the IP address of the Domain Controller 4 The Domain Controller responds back to the device through the router whether or not the user was successfully authenticated If 4 is successful steps 5 7 proceed as described in steps 4 6 of the Kerberos section 3 2 2 3 DDNS The implementation in the device does not support any security extensions 23 Ver 1 3 March 2011 Page 23 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper xerox e 3 3 System Accounts 3 3 1 Printing Multifunction models only
38. usses ske castes sk ee AAAA A De Ee 25 4 2 1 Meter Assistant 4 2 2 Supplies Assistant 4 2 3 SUMMOFY sesse 5 RESPONSES TO KNOWN VULNERABILITIES oe sense ee se ee se ee se ee se ee se ee se ee se ee se ee ee 26 5 1 Security Xerox www xerox com securitY sscssscsscsecssccescsscsscceccneceecssscuscescssccusccsssuccnscssccuscescsuscnccsecsuseneeseesaes 26 6 APPENDICES cinnin NR Ge n IR Gede Ge GR RR Re Res AE RE E Gee ee E 27 6 1 Appendix A Abbreviations se Ge ee ee ee SE ee ee Ge Ee ee ee ani 27 6 2 Appendix B Supported MIB Objects sesse sees ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee eg 29 6 3 Appendix C Standards EE EE EE EE EE 31 6 4 Appendix E Reference es tees es esse ge ee ee ie Re Gee Ge ee ee ge oe 32 Ver 1 3 March 2011 Page 4 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper Xerox 1 Introduction The WorkCentre 3550 multifunction systems are among the latest versions of Xerox copier and multifunction devices for the general office 1 1 Purpose The purpose of this document is to disclose information for the WorkCentre products with respect to device security Device Security for this paper is defined as how image data is stored and transmitted how the product behaves in a networked environment and how the product may be accessed both locally and remotely Please note that the customer is responsible for the security of their network and the WorkCentre p
39. ut Terminal or IOT 2 6 1 Purpose The Marking Engine performs copy print paper feeding and transport image marking and fusing and document finishing Images are not stored at any point in these subsystems 2 6 2 Hardware The marking engine is comprised of paper supply trays and feeders paper transport laser scanner xerographics and paper output The marking engine contains a CPU BIOS RAM and Non Volatile Memory 2 6 3 Control and Data Interfaces Images and control signals are transmitted from the main controller to the marking engine across a proprietary interface Ver 1 3 March 2011 12 Page 12 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper xerox 2 7 System Software Structure 2 7 1 Open source components Open source components in the connectivity layer implement high level protocol services The security relevant connectivity layer components are e Apache 2 2 11 with mod ssl integrated e Expat XML Parser http and https e Unicode e Apache Xerces2 Java e Kerberos 5 e Open1x e sorttable e OpenSLP e Little CMS v1 15 e NetBSD Project e libstdc e ibupnp e CUPS related stuff e UUID library e part of linux kernel e wpa_supplicant e SpiderMonkey Engine e idns e OpenSSL v0 9 8e e Info zip e Open LDAP v2 1 17 e TWAIN sample Data Source and e libpng Application e zlibv2 4 e WTLv8 0 e libtiff e CUPS library e tinyxml e libjpeg v6b e l ibxml2 2 7 2 0
40. x Communication Server has been established the Supplies Assistant service will be automatically enabled by request from the Xerox Communication Server The device will then automatically send supplies data over the network to the Xerox Communication server at a regular interval 4 2 3 Summary The SMart eSolutions communication process means that the device initiates all communication between it and Xerox Only device ID device configuration current firmware versions meter read and supplies information is transferred The information is sent encrypted using https SSL 25 Ver 1 3 March 2011 Page 25 of 32 XEROX WorkCentre 3550 Information Assurance Disclosure Paper Xerox 5 Responses to Known Vulnerabilities 5 1 Security Xerox www xerox com security Xerox maintains an evergreen public web page that contains the latest security information pertaining to its products Please see www xerox com security 26 Ver 1 3 March 2011 Page 26 of 32 6 6 1 PI AMR ASIC CAT CSE DADF DADH DHCP DNS DDNS DRAM EEPROM EGP GB HP HTTP IBM ICMP IETF IFAX IIT IT IOT IP IPSec IPX LAN LDAP LDAP Server LED LPR LUI MAC MIB n a NDPS NETBEUI NETBIOS NOS NVRAM Ver 1 3 March 2011 XEROX WorkCentre 3550 Information Assurance Disclosure Paper APPENDICES Appendix A Abbreviations Application Programming Interface Automatic Meter Reads Application Specific Integrated
Download Pdf Manuals
Related Search