
Xerox® Security Guide for Light Production Mono Class Products 

 

 

Ports 546, 547: DHCPv6 

These ports are used for DHCPv6. When querying the IPv6 DNS server address, the product 
sends the request to port 547 on the DHCPv6 server and receives the reply from the DHCPv6 
server on port 546. The product queries the IPv6 DNS server address only when automatic 
acquisition of the IPv6 DNS server address is enabled; a system administrator can disable it 
from CentreWare Internet Services. 

 

Ports 80, 631: IPP (FreeFlow) 

These ports support the Internet Printing Protocol (IPP). Port 631 is the standard IPP port and 
port 80 is an added port; the added port number is configurable. A system administrator can 
disable this service and port 80 (turn the IPP port OFF/ON) via the Local User Interface or from 
CentreWare Internet Services. IPP is also used by FreeFlow print, which uses only port 631. A 
system administrator can disable this port and service (turn the FreeFlow port OFF/ON) from 
CentreWare Internet Services. 

 

Port 636: LDAPS 

This is the secure channel port used to access the LDAP server over LDAPS (LDAP over TLS) for 
LDAP authentication and for Address Book queries in the Scan to Email feature. 

  

Port 1824: HTTPS (OffBox Validation) 

This port is used to communicate with the OffBox Validation server. The protocol and port number 
can be changed by a system administrator on the OffBox Validation server side; they cannot be 
changed via the local UI or from CentreWare Internet Services. 
 

Port 1900: SSDP 

This port provides the discovery feature that complies with SSDP (Simple Service Discovery 
Protocol). The port number cannot be changed. Whether this port is open depends on whether the 
UPnP discovery feature is enabled or disabled. 

 

Port 3702: WSD Discovery 

This port provides the WSD (Web Services on Devices) discovery feature. The port number 
cannot be changed. Whether this port is open depends on whether the WSD print feature is 
enabled or disabled. 

 

Port 5353: mDNS 

This port provides the discovery feature using Multicast DNS (mDNS). The port number is fixed at 
5353. A system administrator can disable this service via the local UI or from CentreWare Internet 
Services. 

Port 9100: Raw IP 

This port is bidirectional (via the PJL back channel) and only allows printing. The port number is 
configurable, and a system administrator can disable this service (and the port) via the Local User 
Interface or from CentreWare Internet Services. 
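An added check, not part of the Xerox guide: a small Python audit that takes the inbound listeners documented in this section (the outbound-only ports 547, 636 and 1824 are left out), compares them with a port scan of the product and with the settings an administrator intends, and flags ports that are still open although their service was disabled, as well as open ports the guide does not document. The setting names, the policy and the scan lines are constructed for illustration and are not Xerox configuration keys.

```python
# Added example (not from the Xerox guide): reconcile a port scan of the
# product against the listener table in the section above and the admin's
# intended settings. Setting names are invented here for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Listener:
    service: str
    settings: tuple          # port stays open if ANY of these settings is enabled
    port_fixed: bool         # True where the guide says the number cannot change

# Inbound listeners transcribed from the section above. Outbound-only ports
# (547 DHCPv6 server, 636 LDAPS, 1824 OffBox Validation) are destinations the
# product connects to, not listeners on it, so they are left out.
DOCUMENTED = {
    (546, "udp"):  Listener("DHCPv6 reply", ("ipv6_dns_auto",), True),
    (80, "tcp"):   Listener("IPP added port", ("ipp",), False),
    (631, "tcp"):  Listener("IPP / FreeFlow", ("ipp", "freeflow"), True),
    (1900, "udp"): Listener("SSDP", ("upnp_discovery",), True),
    (3702, "udp"): Listener("WSD Discovery", ("wsd_print",), True),
    (5353, "udp"): Listener("mDNS", ("mdns",), True),
    (9100, "tcp"): Listener("Raw IP (PJL)", ("raw_ip",), False),
}

def parse_scan(lines):
    """Turn 'port/proto state ...' lines into a set of open (port, proto) pairs."""
    open_ports = set()
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "open":
            port, proto = parts[0].split("/")
            open_ports.add((int(port), proto))
    return open_ports

def audit(open_ports, settings):
    """Classify each documented listener and every undocumented open port."""
    out = {"expected": [], "should_be_closed": [], "missing": [], "undocumented": []}
    for (port, proto), lst in DOCUMENTED.items():
        enabled = any(settings.get(s, True) for s in lst.settings)  # unknown = on
        label = f"{port}/{proto} {lst.service}"
        if (port, proto) in open_ports:
            out["expected" if enabled else "should_be_closed"].append(label)
        elif enabled:  # 80 and 9100 are configurable, so a miss may be a moved port
            out["missing"].append(label + ("" if lst.port_fixed else " (port configurable)"))
    for port, proto in sorted(open_ports - set(DOCUMENTED)):
        out["undocumented"].append(f"{port}/{proto}")
    return out

# Constructed sample: a hardened policy and a scan that contradicts it.
HARDENED = {"ipp": True, "freeflow": False, "raw_ip": True, "ipv6_dns_auto": True,
            "upnp_discovery": False, "wsd_print": False, "mdns": False}
SAMPLE_SCAN = ["80/tcp open http", "631/tcp open ipp", "1900/udp open upnp",
               "5353/udp open mdns", "9100/tcp open jetdirect", "23/tcp open telnet"]
```

Running `audit(parse_scan(SAMPLE_SCAN), HARDENED)` on the constructed sample reports SSDP and mDNS as open despite being disabled, and 23/tcp as an undocumented listener worth investigating.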

 
