
Xerox® Security Guide for Entry Production Color Class Products 

March 2019 

  Page  2-7 

 

 

  User Data Protection 

Xerox Entry Production Color Presses receive, process, and may optionally store user data from several 
sources, including local print, scan, fax (no fax on Versant or CP1000), or copy jobs, and mobile and 
cloud applications.  Xerox products protect user data being processed by employing strong 
encryption.  When the data is no longer needed, the Immediate Image Overwrite (IIO) feature automatically 
erases and overwrites the data on magnetic media, rendering it unrecoverable.  As an additional layer of 
protection, an extension of IIO called On-Demand Image Overwrite (ODIO) can be invoked to securely 
wipe all user data from magnetic media. 

User Data protection while within product 

This section describes security controls that protect user data while it is resident within the product.  For a 
description of security controls that protect data in transit, please refer to the following section that 
discusses data in transit; also, the Network Security section of this document.  

Encryption 

All user data being processed or stored on the product is encrypted by default.  Note that encryption 
may be disabled to enhance performance on both Versant® and ColorPress® products (though this is not 
recommended in secure environments).  

The algorithm used in the product is AES-256.  The encryption key is automatically created at startup 
and stored in RAM.  The key is deleted at power-off, due to the physical characteristics of the RAM. 

TPM Chip 

Some models include a Trusted Platform Module (TPM).  The TPM is compliant with ISO/IEC 11889, the 
international standard for a secure cryptoprocessor, dedicated to secure cryptographic keys.  The TPM is 
used to securely hold the product storage encryption key.  Please refer to Appendix A:  Product Security 
Profiles for model specific information. 

Media Sanitization (Image Overwrite) 

ColorPress® and Versant® products equipped with magnetic hard disk drives are compliant with NIST 
Special Publication 800-88 Rev1: Guidelines for Media Sanitization.  User data is securely erased using a 
three-pass algorithm as described in the following link: 

https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-88r1.pdf

 

 

Immediate Image Overwrite 

When enabled, Immediate Image Overwrite (IIO) will overwrite any temporary files that were created on 
the magnetic hard disk that may contain user data.  The feature provides continuous automatic 
overwriting of sensitive data with minimal impact to performance, robust error reporting, and logging via 
the Audit Log. 
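A per-file overwrite of the kind IIO performs, sketched as an added example (not Xerox code). The guide only states that the algorithm has three passes, so the patterns used here (zeros, ones, random), the function names and the record fields are assumptions; the sketch also assumes a magnetic disk and a filesystem that rewrites blocks in place.

```python
import os

# Assumed pass patterns (the guide does not list them): zeros, ones, random.
PASSES = (b"\x00", b"\xff", None)   # None means random bytes
CHUNK = 64 * 1024


def _fill(f, size, pattern):
    """Write `size` bytes of `pattern` (or random data) from offset 0."""
    f.seek(0)
    left = size
    while left:
        n = min(CHUNK, left)
        f.write(os.urandom(n) if pattern is None else pattern * n)
        left -= n
    f.flush()
    os.fsync(f.fileno())            # push this pass out before starting the next


def _verify(f, size, pattern):
    """Read the file back and confirm every byte matches a fixed pattern."""
    f.seek(0)
    left = size
    while left:
        n = min(CHUNK, left)
        if f.read(n) != pattern * n:
            return False
        left -= n
    return True


def overwrite_file(path, passes=PASSES, unlink=True):
    """Overwrite `path` in place once per pass; return an audit-style record."""
    size = os.path.getsize(path)
    record = {"path": path, "bytes": size, "passes": 0, "status": "ok"}
    with open(path, "r+b") as f:
        for pattern in passes:
            _fill(f, size, pattern)
            if pattern is not None and not _verify(f, size, pattern):
                record["status"] = "verify-failed"   # report it, keep the file
                return record
            record["passes"] += 1
    if unlink:
        os.remove(path)             # delete only after every pass succeeded
    return record
```

The returned record is what would feed an audit log entry; a `verify-failed` status leaves the file in place so the failure can be investigated rather than silently lost.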

On-Demand Image Overwrite 

Complementing Immediate Image Overwrite is On-Demand Image Overwrite (ODIO).  While IIO overwrites 
individual files, ODIO overwrites entire partitions.  The ODIO feature can be invoked at any time and 
optionally may be scheduled to run automatically.  

Note:  Solid State storage media such as Solid-State Disk, eMMC, SD-Card, and Flash media cannot be completely 
sanitized by multi-pass overwriting methods due to the memory wear mapping that occurs.  Additionally, attempts to do so 
would also greatly erode the operational lifetime of solid state media.  Solid State media is therefore not recommended for 
use in highly secure environments.  Please refer to NIST-800-88 “Table A-8: Flash Memory-Based Storage Product 
Sanitization” for technical details.

 
