background image

2

2

2-3

2-3

Functions > Basic Function > Target Function

Functions > Basic Function > Target Function

Purpose of iR-ADV Security Kit-B1 for IEEE 2600.1 Common Criteria Certification: 
iR-ADV Security Kit-B1 for IEEE 2600.1 Common Criteria Certification is assumed to 
be used in a large-scale and high-level environment and the aim is to provide functions 
which comply with such environment.

Target Function

In IEEE 2600.1 PP (Protection Profile), functions which are targeted for CC certification can 
be selected. 
PP defines the section where a security requirement common to print, scan, copy and 
fax is described as the common section (hereinafter called "Common"), andthe security 
requirements specific to each of 7 independent functions of print, scan, copy, fax, document 
management, removable HDD function and network asthe Packages.

1 PRINT:2600.1-PRT

SFR Package for Hardcopy Device 

Print Functions

Print function

2 SCAN:2600.1-SCN

SFR Package for Hardcopy Device 

Scan Functions

Scan function

3 COPY:2600.1-CPY

SFR Package for Hardcopy Device 

Copy Functions

Copy function

4 FAX:2600.1-FAXSFR Package for 

Hardcopy Device FAX Functions

Fax function Including scan function for fax or printing of a 

document received via telephone line.

5 Document storage: 2600.1-DSR 

SFR Package for Hardcopy Device 

Docum ent Storage andRetrieval 

Functions

Document management function. Management of 

documents kept among jobs. A function which enables 

temporary storage after a job or retrieval upon execution of 

a succeeding job.

6 Removable HDD function: 

2600.1-NVS SFR Package for 

Hardcopy Device Nonvolatile 

StorageFunctions

Removable HDD function. It counteracts against exposure 

of documents stored in nonvolatile storage due to the 

analysis or restoration of stored data.   The target is 

described as a removable storage, and is limited to one 

which can be removed by an end user instead of a service 

technician.  MFP function (option) corresponds to this 

function. 

7 Network: 2600.1-SMI 

SFR Package for Hardcopy Device 

Shared-medium 

Network communication function. This function is intended 

for LAN/WAN and wired/wireless network since the network 

mentioned here is targeted for media which performs 

communication with external devices and to which multiple 

users can access simultaneously. Communication functions 

such as USB, serial and parallel with short distance 

connection and low risk of data being stolen are excluded.

SFR stands for Security Functional Requirement.

T-2-2

The iR-ADV Security Kit-B1 for IEEE 2600.1 Common Criteria includes the security function 
that it functions and met entirely of seven kinds of above.

Reference: 
Item No.6, Removable HDD function, specifies the following harms to be prevented that are 
inflicted by a malicious third person who takes away the HDD whena removable HDD kit is 
installed in the host machine.  
- Stealing and seeing the information 
- Putting invalid files such as virus in HDD and placing it back to the host machine 
In the IEEE2600 certification configuration, HDD Data Encryption & Mirroring Kit (the target 
of CC certification is the encrypted IC on the Encryption Board)which is already separately 
CC certified is a prerequisite, and all data in the HDD is encrypted.  As the data in the HDD is 
encrypted, the data which does notroute through the HDD Data Encryption Board cannot be 
retrieved. 

The data in the HDD removed from the host machine cannot be read since it is encrypted. 
Even if invalid data has been added to HDD, the Main Controller cannot recognize it since it 
does not route through the HDD Data Encryption Board.   
Therefore, whether there is a removable HDD kit does not matter to the IEEE2600 
certification configuration.

Содержание iR-ADV Security Kit-B1

Страница 1: ...4 3 2 1 iR ADV Security Kit B1 for IEEE 2600 1 Service Manual February 27 2012 Revision 0 Specifications Functions Installation Maintenance ...

Страница 2: ...rmation as the need arises In the event of major changes in the contents of this manual over a long or short period Canon will issue a new edition of this manual The following paragraph does not apply to any countries where such provisions are inconsistent with local law Trademarks The product names and company names used in this manual are the registered trademarks of the individual companies Cop...

Страница 3: ...lation Points to Note About Installation 3 2 Before Installation 3 2 Handling the Options with VOID Seal 3 2 Installation Overview 3 The following shows installation overview of Installation Procedure for iR ADV Security Kit B1 for IEEE 2600 1 Common Criteria Certification 3 Checking the Operation After Making the Settings 3 5 Checking the Ping When IPSec is in Operation 3 5 Setting by the Device ...

Страница 4: ...switch closing the front door and closing the delivery unit door which results in supplying the machine with power 2 In the digital circuits 1 is used to indicate that the voltage level of a given signal is High while 0 is used to indicate Low The voltage value however differs from circuit to circuit In addition the asterisk as in DRMD indicates that the DRMD signal goes on when 0 In practically a...

Страница 5: ...1 1 Specifications Specifications Product compositions ...

Страница 6: ...with Function matter of the security and Guarantee requirements as a result of the evaluation based on the specifiedevaluation standards and evaluation methods 1 IEEE Std 2600 1TM 2009 is a protection profile of the evaluation assurance level EAL3 ALC_FLR 2 2 Products combining the following are target products for certification in addition to iR ADV Security Kit B1 for IEEE 2600 1 Common Criteria...

Страница 7: ... options is the same as that when IEEE 2600 1 CC certification was obtained on the touch paneldisplay There are following mentions in iR ADV Security Kit B1 for IEEE 2600 1 Common Criteria Certification of Administrator Guide After the operations are completed the administrator must confirm that the machine is operating normally as a 2600 1 model 1 Press Counter Check of the Control Panel 2 Press ...

Страница 8: ...Press Version Information MEAP Contents version F 1 7 F 1 8 10 14 6 Press OK after checking that the versions are the same as the following on the version information screen MEAP Contents 10 14 Note Since versions are not given to any options other than HDD Data Encryption Mirroring Kit they are aggregated in the Controller Version ACCESS MANAGEMENT SYSTEM and iR ADV Security Kit B1 for IEEE 2600 ...

Страница 9: ...2 2 Functions Functions Basic Function New Function ...

Страница 10: ...e which satisfies consumers needs In IEEE 2600 series PPs are classified into 4 categories as shown below depending on the operation environment of the usage type Protection Profile 2600 1 Protection Profile 2600 2 Protection Profile 2600 3 Protection Profile 2600 4 Security Target Specifications of Company A Security Target Security Target ST Each Benda defines it every product CC Common Criteria...

Страница 11: ...ration of stored data The target is described as a removable storage and is limited to one which can be removed by an end user instead of a service technician MFP function option corresponds to this function 7 Network 2600 1 SMI SFR Package for Hardcopy Device Shared medium Network communication function This function is intended for LAN WAN and wired wireless network since the network mentioned h...

Страница 12: ... as image data generated by a job from being reused HDD complete deletion function 4 Protection function for user data in the nonvolatile memory such as HDD To prevent leakage of information due to the HDD unit taken away HDD encryption function 5 Protection function for network data To prevent LAN data from being stolen IPSec 6 Protection function for user data transfer To counter the attacks by ...

Страница 13: ...tion Settings Setting items Displayed Screen Setting value IEEE 2600 1 certification machine Setting value at the time of shipment Report with TX Image Send Common Settings TX Report OFF ON Send Fax Settings Fax TX Report Use Remote Fax Send Fax Settings Remote Fax Settings Use Remote Fax OFF OFF Restrict Printer Jobs 3 Printer Restrict Printer Jobs ON OFF Use Fax Memory Lock 4 Receive Forward Com...

Страница 14: ...in Preferences Settings Registration 7 Indicates an item displayed when the Remote Operator s Software Kit is enabled Setting value IEEE 2600 1 1 The Advanced Box is disabled since it is not targeted for audit log 2 Memory media is disabled since the information may be carried away Setting value IEEE 2600 1 Setting value at the time of shipment 3 A general user cannot change the setting to 0 min o...

Страница 15: ...the MIB access restriction setting since the use of MIB allows the user to change the devicesetting without the user authentication from Remote UI SNMPv1 SNMPv3 Setting value IEEE 2600 1 Setting value at the time of shipment 6 OFF is set for the image display of TX report since images printed in the TX report may result in the leakage of information T 2 10 F 2 2 T 2 11 Setting value IEEE 2600 1 Se...

Страница 16: ...Setting value IEEE 2600 1 Setting value at the time of shipment T 2 14 T 2 15 T 2 16 11 ON is selected for Use I Fax Memory Lock to prevent the received I Fax job from being printed without limit Setting value IEEE 2600 1 Setting value at the time of shipment 12 The number of digits for Mail Box PIN is fixed to 7 however since the PIN less than 7 digits created before the execution of Unified Secu...

Страница 17: ...e at the time of shipment 14 ON restricted is set for Device Information Delivery Settings Restrict Receiving for Each Function Settings Registration Value so that the setting will not be changed by the device information delivery from other devices Setting value IEEE 2600 1 Setting value at the time of shipment T 2 19 T 2 20 15 Audit Log Retrieval Setting value IEEE 2600 1 Setting value at the ti...

Страница 18: ... registering editing deleting importing and exporting users in the authentication application SSO H Logs generated when registering editing deleting importing and exporting roles in the authentication application SSO H Job log 1001 Operation of PRINT COPY SCAN Transmission reception log 8193 Transmission of SEND Mail Box document operation log 8197 and Mail Box authentication log 8199 Target box M...

Страница 19: ...t guaranteed to be stored in chronological order since those of different storage destinations or typesare collected 2 The number of managed logs is 20 000 Delete logs from device after export can also be selected at the time of log export When the log collection function is stopped after it once started logs which have been collected up to that point continue to be kept instead of being deleted 3...

Страница 20: ...3 3 Installation Installation Points to Note About Installation Installation Overview Checking the Operation After Making the Settings ...

Страница 21: ... by the field remedy the machine is excluded from IEEE2600 1 CC certification To maintain the status of IEEE2600 1CC certification install the firmware for the host machine from the CD included in the package of iR ADV Security Kit B1 for IEEE 2600 1 Common Criteria Certification Handling the Options with VOID Seal LMS options are sealed by the VOID seal seal to prevent falsification Check that th...

Страница 22: ...4035 4025 Series Service Manual Installation Installing the Encryption Mirroring Board Refer to imageRUNNER ADVANCE 4051 4045 4035 4025 Series Service Manual Installation Combination of HDD Options 2 Installing the System 1 Remove the VOID seal from the IEEE2600 certification kit take out the CD ROM and register the firmware to SST 2 Install the registered firmware after formatting according to th...

Страница 23: ...atches with the version described in the User s Guide Controller version 9100 0 408 Scanner version 201 101 Canon MFP Security Chip 2 01 Refers to the encryption board included in the HDD Data Encryption Mirroring Kit 2 Counter check screen Device configuration check Check that the following 4 options are displayed ACCESS MANAGEMENT SYSTEM Data erase Security Kit B1 for IEEE2600 1 3 Counter check ...

Страница 24: ...nection work performed by the user Under this environment the response of ping can be confirmed which has been sent to the PC with which the encryption communication has been established The procedure introduces the setting by which the communication only between a device connected to the local network and a PC on which Windows7 operates isenabled Setting by the Device Complete the device setting ...

Страница 25: ...hentication Method Shared Key Enter canon here This character string is used in the PC setting of the next section F 3 5 F 3 6 IPSec Network Settings Leave everything as they are by default Validity 480 mins Size 0 MB PFS OFF Auth Encryption Auto Reference You can compare it when You output a list of IPSec policy when a change entered later Settings Registration Preferences Network TCP IP Settings...

Страница 26: ... Advanced Security IPsec Settings Windows Firewall with Advanced Security on Local Computer IPsec defaults Customize Key exchage Main Mode Advanced Customize Edit Security Method Add Integrity algorithm SHA 1 Encryption algorithm AES CBC 128 Key exchange algorithm Diffie Hellman Group 2 Do not choose Use Deffie Hellman for enhanced security in Key exchange options Data protection Quick Mode Select...

Страница 27: ...tallation Checking the Operation After Making the Settings IPSec defaults Customize IPsec Setting Create a new IP Security Policy Select Start Control Panel System and Security Administrative Tools Local Security Policy Select the Windows Firewall Properties F 3 10 F 3 11 IPSec defaults Customize F 3 12 ...

Страница 28: ...orithm AES CBC 128 Key exchange algorithm Diffie Hellman Group 2 Do not choose Use Deffie Hellman for enhanced security in Key exchange options F 3 13 Note Delete the security method that is set by default Data protection Quick Mode Select Require encryption for all connection security rules that use these settings Add Intergrity and Encryption Algorithms Protocol ESP recommended Algorithms AES CB...

Страница 29: ...tication Add First Authentication Method Preshared key not recommended Ex canon Note This character string is used in the Device setting of the befor section F 3 15 F 3 16 Connection Security Rules The setting can be done in the wizard format The following shows each setting screen to be checked after the setting Control Panel All Control Panel Items Administrative Tools Windows Firewall with Adva...

Страница 30: ...ection Security Rules Installation Checking the Operation After Making the Settings Connection Security Rules Rule Type Custom Endpoints Any IP address F 3 19 F 3 20 Requirements Require authentication for inbound and outbound connetions Authentication Method Default F 3 21 F 3 22 ...

Страница 31: ...Security Policy Protocol and Ports Protocol type Any Profile Select Domain Private Public F 3 23 F 3 24 Name Any Ex test Assigning the Security Policy IPsec communication starts when a policy is assigned Control Panel All Control Panel Items Administrative Tools Windows Firewall with Advanced Security Select the created policy and assign it by right clicking the mouse F 3 25 F 3 26 ...

Страница 32: ...Settings PING Command Enter the IP address of the PC whose policy has been set Press the Start button Connection is successful when Response from the host is displayed F 3 27 F 3 28 Reference When the IP address of a PC is determined by the DHCP server the IP address cannot be located even by referring to the network setting Select Start All Programs Accessories Command Prompt and check the IP add...

Страница 33: ...4 4 Maintenance Maintenance Notes when service Reference matter in market service ...

Страница 34: ... when applying problem correction firmware be sure to notify the user Firmware update via CDS is handled as special upgrading which is differentiated from the normal firmware delivery since its version is that of IEEE2600certification Obtain the ID and password information in advance for the CDS special upgrading Recovery after Servicing Work When the setting of iR ADV Security Kit B1 for IEEE 260...

Страница 35: ...ions Which Operates Normally Reference matter in market service Functions Which Operates Normally Version upgrade by SST Installation of IPSec Board encrypts communication In the case of communication between SST and the host machine system can be installed by SST vianetwork in the same way as the normal service since IPSec function is not used ...

Отзывы: