
Xerox® Security Guide for Light Production Mono Class Products 

 

Network Access Control 

802.1x 

In 802.1X authentication, when the product is connected to a LAN port of an Authenticator such as a switch, as shown below, the Authentication Server authenticates the product and the Authenticator controls access to the LAN port according to the authentication result. The product starts authentication processing at startup when the startup setting for 802.1X authentication is enabled. 
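An added illustration of the port-access flow just described (not code from the guide or from the Xerox products): a small Python model in which the product acts as supplicant, a switch port as authenticator and a stand-in RADIUS server as authentication server. The identities, proofs and frame names are constructed; the allowed-method set is the D-Series column of the table in this section.

```python
from dataclasses import dataclass, field

# EAP methods the guide lists for the D-Series products; the server policy below
# is constructed around that set.
D_SERIES_METHODS = {"MD5", "MS-CHAPv2", "PEAP/MS-CHAPv2", "EAP-TLS"}


class AuthenticationServer:
    """Stand-in for the RADIUS server: knows which identities may use which
    EAP method and what proof (certificate / password hash) to expect."""

    def __init__(self, allowed_methods, identities):
        self.allowed_methods = allowed_methods
        self.identities = identities  # identity -> {"method": ..., "proof": ...}

    def access_request(self, identity, method, proof):
        entry = self.identities.get(identity)
        if method not in self.allowed_methods or entry is None:
            return "Access-Reject"
        if entry["method"] != method or entry["proof"] != proof:
            return "Access-Reject"
        return "Access-Accept"


@dataclass
class AuthenticatorPort:
    """One switch LAN port. Until the server accepts, only EAPOL frames are
    processed; anything else the product sends is dropped."""

    server: AuthenticationServer
    authorized: bool = False
    log: list = field(default_factory=list)

    def receive(self, frame):
        kind = frame["type"]
        if kind == "EAPOL-Start":
            self.log.append("EAP-Request/Identity")
            return "EAP-Request/Identity"
        if kind == "EAPOL-EAP":
            result = self.server.access_request(
                frame["identity"], frame["method"], frame["proof"])
            self.authorized = result == "Access-Accept"
            self.log.append(result)
            return "EAP-Success" if self.authorized else "EAP-Failure"
        if not self.authorized:
            self.log.append(f"dropped {kind}")
            return None
        return "forwarded"


def supplicant_startup(port, identity, method, proof, startup_8021x=True):
    """The product's power-up sequence: with the 802.1X startup setting
    enabled it sends EAPOL-Start, answers with identity and proof, then
    tries to reach the network (here an LPR print connection)."""
    if startup_8021x:
        port.receive({"type": "EAPOL-Start"})
        port.receive({"type": "EAPOL-EAP", "identity": identity,
                      "method": method, "proof": proof})
    return port.receive({"type": "LPR"})  # "forwarded" only once authorized
```

With the startup setting disabled, or with a failed or unsupported EAP exchange, the port stays unauthorized and the print connection never leaves the port.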


Network Access Control

Legacy Printers (4110, 4112/4127, 4590 EPS)
  802.1x: Supported
  Authentication Methods: PSK, AES (CCMP)/TKIP, PEAPv0/MS-CHAPv2, EAP-TLS, EAP-TTLS/PAP, EAP-TTLS/MS-CHAPv2, EAP-TTLS/EAP-TLS

Legacy Copier/Printers (4110, 4112/4127, 4590)
  802.1x: Supported
  Authentication Methods: MD5, MS-CHAPv2, PEAP/MS-CHAPv2, EAP-TLS

D-Series® Copier/Printers (D95/D110/D125/D136)
  802.1x: Supported
  Authentication Methods: MD5, MS-CHAPv2, PEAP/MS-CHAPv2, EAP-TLS

 

Cisco Identity Services Engine (ISE) 

Cisco ISE is an intelligent security policy enforcement platform that mitigates security risks by providing a complete view of which users and which products are connected across the entire network infrastructure. It also provides control over which users can access your network and where they can go. Cisco's ISE includes over 200 Xerox product profiles that are ready for security policy enablement. This allows ISE to automatically detect Xerox products in your network. Xerox products are organized in Cisco ISE under product families, such as D-Series® Copier/Printer products, enabling Cisco ISE to automatically detect and profile new Xerox products from the day they are released. Customers who use Cisco ISE find that including Xerox products in their security policies is simpler and requires minimal effort. 

Cisco ISE Profiling Services provides dynamic detection and classification of endpoints connected to the 
network.  ISE collects various attributes for each network endpoint to build an endpoint database. The 
classification process matches the collected attributes to prebuilt or user-defined conditions, which are 
then correlated to an extensive library of product profiles.  These profiles include a wide range of product 
types, including tablets, smartphones, cameras, desktop operating systems (for example, Windows®, 
Mac OS® X, Linux® and others), and workgroup systems such as Xerox printers and MFPs. 

Once classified, endpoints can be authorized to the network and granted access based on their profile signature. For example, guests to your network will have a different level of access to printers and other endpoints in your network. As an example, you and your employees can get full printer access when accessing the network from a corporate workstation but be granted limited printer access when accessing the network from your personal Apple® iPhone®. 

Cisco ISE allows you to deploy the following controls and monitoring of Xerox products: 

• Automatically provision and grant network access rights to printers and MFPs to prevent inappropriate access (including automatically tracking new printing products connecting to the network): 
  o Block non-printers from connecting on ports assigned to printers 
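An added Python sketch (not Cisco's or Xerox's code) of the profile-then-authorize pipeline described above: attributes collected per endpoint are matched against ordered conditions, the first full match selects a profile, and the port policy is decided by profile, including the printer-port rule in the list above. The attribute names, profile names, MAC addresses and policy outcomes are constructed placeholders, not ISE's rule syntax or its Xerox profile library.

```python
from __future__ import annotations
from typing import Callable

# A profiling condition is a predicate over the attributes collected for an
# endpoint (SNMP sysDescr, DHCP options, ...). All values here are constructed.
Condition = Callable[[dict], bool]

# Profile library, most specific first: the first profile whose conditions all
# hold classifies the endpoint (constructed profiles, not Cisco's library).
PROFILES: list[tuple[str, list[Condition]]] = [
    ("Xerox-D-Series-Printer", [
        lambda a: "Xerox" in a.get("snmp_sysDescr", ""),
        lambda a: any(m in a.get("snmp_sysDescr", "")
                      for m in ("D95", "D110", "D125", "D136")),
    ]),
    ("Xerox-Printer", [lambda a: "Xerox" in a.get("snmp_sysDescr", "")]),
    ("Corporate-Workstation",
     [lambda a: a.get("dhcp_class_id", "").startswith("MSFT")]),
    ("Smartphone", [lambda a: "iPhone" in a.get("dhcp_hostname", "")]),
]
PRINTER_PROFILES = {"Xerox-D-Series-Printer", "Xerox-Printer"}


def classify(attributes: dict) -> str:
    """Classification step: match collected attributes to the profile library."""
    for name, conditions in PROFILES:
        if all(cond(attributes) for cond in conditions):
            return name
    return "Unknown"


def authorize(port_role: str, profile: str) -> str:
    """Authorization step: access is granted by profile signature. Ports
    assigned to printers admit only printer profiles; on other ports a
    workstation gets full and a phone limited printer access."""
    if port_role == "printer-port":
        return "permit-printer-vlan" if profile in PRINTER_PROFILES else "deny"
    if profile in PRINTER_PROFILES:
        return "permit-printer-vlan"
    return {"Corporate-Workstation": "full-printer-access",
            "Smartphone": "limited-printer-access"}.get(profile, "quarantine")


class EndpointDatabase:
    """Endpoint database built from collected attributes; flags newly seen
    printers so new products are tracked as soon as they connect."""

    def __init__(self):
        self.endpoints: dict[str, str] = {}  # mac -> profile

    def observe(self, mac: str, port_role: str, attributes: dict):
        profile = classify(attributes)
        new_printer = profile in PRINTER_PROFILES and mac not in self.endpoints
        self.endpoints[mac] = profile
        return profile, authorize(port_role, profile), new_printer
```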

[Figure: 802.1X components. Product (Supplicant) <-- EAPOL --> Authenticator (e.g. Switch) <--> Authentication Server]
