XEROX WorkCentre 6400 Information Assurance Disclosure Paper
20
Ver. 1.00, May 2010
Page
20 of 44
software. However, there are a few deviations our version of Kerberos takes from the standard Kerberos
implementation from MIT. These deviations are:
1)
The device does not keep a user’s initial authentication and key after the user has been authenticated. In a
standard Kerberos implementation, once a user is authenticated, the device holds onto the authentication for a
programmed timeout (the usual default is 12 hours) or until the user removes it (prior to the timeout period). In
the Xerox implementation, all traces of authentication of the user are removed once they have been
authenticated to the device. The user can send any number of jobs until the user logs off the system, either
manually or through system timeout.
2)
The device ignores clock skew errors. In a standard implementation of Kerberos, authentication tests will fail if a
device clock is 5 minutes (or more) different from the Kerberos server. The reason for this is that given enough
time, someone could reverse engineer the authentication and gain access to the network. With the 5-minute
timeout, the person has just 5 minutes to reverse engineer the authentication and the key before it becomes
invalid. It was determined during the implementation of Kerberos for our device that it would be too difficult for
the user/SA to keep the device clock in sync with the Kerberos server, so the Xerox instantiation of Kerberos has
the clock skew check removed. The disadvantage is that this gives malicious users unlimited time to reverse
engineer the user’s key. However, since this key is only valid to access the Network Scanning features on a
device, possession of this key is of little use for nefarious purposes.
3)
The device ignores much of the information provided by Kerberos for authenticating. For the most part, the
device only pays attention to information that indicates whether authentication has passed. Other information
that the server may return (e.g. what services the user is authenticated for) is ignored or disabled in the Xerox
implementation. This is not an issue since the only service a user is being authenticated for is access to an e-
mail directory. No other network services are accessible from the Local UI.
Xerox has received an opinion from its legal counsel that the device software, including the implementation of a
Kerberos encryption protocol in its network authentication feature, is not subject to encryption restrictions based on
Export Administration Regulations of the United States Bureau of Export Administration (BXA). This means that it
can be exported from the United States to most destinations and purchasers without the need for previous approval
from or notification to BXA. At the time of the opinion, restricted destinations and entities included terrorist-
supporting states (Cuba, Iran, Libya, North Korea, Sudan and Syria), their nationals, and other sanctioned entities
such as persons listed on the Denied Parties List. Xerox provides this information for the convenience of its customers
and not as legal advice. Customers are encouraged to consult with legal counsel to assure their own compliance with
applicable export laws.
2.8.2.6.
Port 110, POP-3 Client
This unidirectional port is used when receiving an Internet Fax (I-Fax) or E-Mail. These jobs may only be printed, and
the port is only open if I-Fax is enabled and while receiving the job. It is not configurable.
2.8.2.7.
Ports 137, 138, 139, NETBIOS
For print jobs, these ports support the submission of files for printing as well as support Network Authentication
through SMB. Port 137 is the standard NetBIOS Name Service port, which is used primarily for WINS. Port 138
supports the CIFS browsing protocol. Port 139 is the standard NetBIOS Session port, which is used for printing. Ports
137, 138 and 139 may be configured in the Properties tab of the device’s web page.
For Network Scanning features, ports 138 and 139 are used for both outbound (i.e. exporting scanned images and
associated data) and inbound functionality (i.e. retrieving Scan Templates). In both instances, these ports are only
open when the files are being stored to the server or templates are being retrieved from the Template Pool. For these
features, SMB protocol is used.
2.8.2.8.
Ports 161, 162, SNMP
These ports support the SNMPv1, SNMPv2c, and SNMPv3 protocols. Please note that SNMP v1 does not have any
password or community string control. SNMPv2 relies on a community string to keep unwanted people from
changing values or browsing parts of the MIB. This community string is transmitted on the network in clear text so
anyone sniffing the network can see the password. Xerox strongly recommends that the customer change the
community string upon product installation. SNMP is configurable, and may be explicitly enabled or disabled in the
Properties tab of the device’s web pages.
SNMP traffic may be secured if an IPSec tunnel has been established between the agent (the device) and the
manager (i.e. the user’s PC).
