Xerox WORKCENTRE 7755 Information Manual page 16

Information assurance disclosure paper
XEROX WorkCentre 7755/7765/7775 Information Assurance Disclosure Paper
timeout (the usual default is 12 hours) or until the user removes it (prior to the timeout period). In the Xerox
implementation, all traces of authentication of the user are removed once they have been authenticated to the device.
The user can send any number of jobs until the user logs off the system, either manually or through system timeout.
2) The device ignores clock skew errors. In a standard implementation of Kerberos, authentication fails if the device clock differs from the Kerberos server's clock by 5 minutes or more. The reason is that, given enough time, someone could reverse engineer the authentication and gain access to the network; with the 5-minute limit, the person has just 5 minutes to reverse engineer the authentication and the key before it becomes invalid. It was determined during the implementation of Kerberos for our device that it would be too difficult for the user/SA to keep the device clock in sync with the Kerberos server, so the Xerox instantiation of Kerberos has the clock skew check removed. The disadvantage is that this gives malicious users unlimited time to reverse engineer the user's key. However, since this key is only valid for access to the Network Scanning features on a device, possession of this key is of little use for nefarious purposes.
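What the removed check buys is easiest to see in code. The following is an added example, not Xerox's or any Kerberos library's code: it models the acceptor-side checks of RFC 4120 (the skew bound plus the replay cache that the bound keeps finite) with a constructed principal name and constructed timestamps, and shows that once the skew bound is disabled an authenticator of any age is accepted and the replay cache can never discard an entry.

```python
"""Added example (not Xerox's or any Kerberos library's code): the acceptor-side
checks of RFC 4120 sec. 3.2.3, modelled to show what the skew check the paper
removes buys.  Times are whole epoch seconds; 300 s is the 5-minute default."""
from collections import OrderedDict

MAX_SKEW_SECONDS = 300  # the usual Kerberos clockskew default

class AuthenticatorAcceptor:
    """Accepts or rejects (client, ctime) authenticator pairs.

    The replay cache need only remember an authenticator while the skew check
    could still let a copy through, i.e. 2 * max_skew seconds after first sight.
    With enforce_skew=False (the behaviour the paper describes) nothing bounds
    that lifetime, so entries are kept forever and the cache grows unbounded."""

    def __init__(self, max_skew=MAX_SKEW_SECONDS, enforce_skew=True):
        self.max_skew = max_skew
        self.enforce_skew = enforce_skew
        self._seen = OrderedDict()  # (client, ctime) -> server time first seen

    def _expire(self, now):
        # Entries are in insertion order, which follows server time.
        while self.enforce_skew and self._seen:
            if now - next(iter(self._seen.values())) <= 2 * self.max_skew:
                break
            self._seen.popitem(last=False)

    def accept(self, client, ctime, now):
        """Return 'OK', 'KRB_AP_ERR_SKEW' or 'KRB_AP_ERR_REPEAT'."""
        self._expire(now)
        if self.enforce_skew and abs(now - ctime) > self.max_skew:
            return "KRB_AP_ERR_SKEW"
        if (client, ctime) in self._seen:
            return "KRB_AP_ERR_REPEAT"
        self._seen[(client, ctime)] = now
        return "OK"

    def cache_size(self):
        return len(self._seen)

def demo():
    """Constructed scenario; the principal name and t0 are arbitrary."""
    t0, who = 1_700_000_000, "scanuser@EXAMPLE.COM"
    strict = AuthenticatorAcceptor()
    results = [strict.accept(who, t0, t0 + 2),    # fresh: OK
               strict.accept(who, t0, t0 + 30),   # replayed copy: REPEAT
               strict.accept(who, t0, t0 + 900)]  # 15 minutes old: SKEW
    relaxed = AuthenticatorAcceptor(enforce_skew=False)
    results.append(relaxed.accept(who, t0, t0 + 86_400))  # a day old: OK
    return results
```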
3) The device ignores much of the information provided by Kerberos for authentication. For the most part, the device only pays attention to information that indicates whether authentication has passed. Other information that the server may return (e.g. which services the user is authenticated for) is ignored or disabled in the Xerox implementation. This is not an issue, since the only service a user is being authenticated for is access to an e-mail directory. No other network services are accessible from the Local UI.
Xerox has received an opinion from its legal counsel that the device software, including the implementation of a Kerberos
encryption protocol in its network authentication feature, is not subject to encryption restrictions based on Export
Administration Regulations of the United States Bureau of Export Administration (BXA). This means that it can be exported
from the United States to most destinations and purchasers without the need for previous approval from or notification to
BXA. At the time of the opinion, restricted destinations and entities included terrorist-supporting states (Cuba, Iran, Libya,
North Korea, Sudan and Syria), their nationals, and other sanctioned entities such as persons listed on the Denied Parties
List. Xerox provides this information for the convenience of its customers and not as legal advice. Customers are
encouraged to consult with legal counsel to assure their own compliance with applicable export laws.
2.8.2.6. Port 110, POP-3 Client
This unidirectional port is used when receiving an Internet Fax (I-Fax) or E-Mail. These jobs may only be printed, and the
port is only open if I-Fax is enabled and while receiving the job. It is not configurable.
2.8.2.7. Ports 137, 138, 139, NETBIOS
For print jobs, these ports support the submission of files for printing and Network Authentication through SMB. Port 137 is the standard NetBIOS Name Service port, which is used primarily for WINS. Port 138 supports the CIFS browsing protocol. Port 139 is the standard NetBIOS Session port, which is used for printing. Ports 138 and 139 may be configured in either (1) User Tools via the Local User Interface, or (2) the Properties tab of the device's web pages, but Port 137 can only be configured via the web.
For Network Scanning features, ports 138 and 139 are used for both outbound (i.e. exporting scanned images and
associated data) and inbound functionality (i.e. retrieving Scan Templates). In both instances, these ports are only open
when the files are being stored to the server or templates are being retrieved from the Template Pool. For these features,
SMB protocol is used.
2.8.2.8. Ports 161, 162, SNMP
These ports support the SNMPv1, SNMPv2c, and SNMPv3 protocols. Please note that SNMP v1 does not have any password or community string control. SNMPv2 relies on a community string to keep unauthorized users from changing values or browsing parts of the MIB. This community string is transmitted on the network in clear text, so anyone sniffing the network can read it. Xerox strongly recommends that the customer change the community string upon product installation. SNMP is configurable, and may be explicitly enabled or disabled in the Properties tab of the device's web pages. SNMP traffic may be secured if an IPSec tunnel has been established between the agent (the device) and the manager (i.e. the user's PC).
The device supports SNMPv3, which is an encrypted version of the SNMP protocol that uses a shared secret. Secure Sockets Layer must be enabled before configuring the shared secret needed for SNMPv3.
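As an added example (not Xerox's code or tooling), the following Python walks the BER header of an SNMP message and raises the findings a network monitor would, given the points above: for v1 and v2c the community string is readable by anyone capturing the packet, and a community still set to a well-known default is flagged. The sample GetRequest and the community strings in it are constructed.

```python
"""Added example (not Xerox's code): a minimal BER walk over the header of an
SNMP message, used to audit captured traffic for the exposure the paper
describes.  The packet below is constructed, not captured."""

# SNMPv2c GetRequest for sysDescr.0 with community "public" (constructed).
SAMPLE_GETREQUEST = bytes.fromhex(
    "30 29"                    # SEQUENCE, 41 bytes
    "02 01 01"                 # INTEGER version = 1 (SNMPv2c)
    "04 06 7075626c6963"       # OCTET STRING community = "public", in the clear
    "a0 1c"                    # GetRequest-PDU, 28 bytes
    "02 04 00000001"           # request-id
    "02 01 00 02 01 00"        # error-status, error-index
    "30 0e 30 0c 06 08 2b06010201010100 05 00"  # VarBindList: sysDescr.0 = NULL
)
DEFAULT_COMMUNITIES = {b"public", b"private"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(packet):
    """Return (version, community); version is the wire value 0 = SNMPv1,
    1 = SNMPv2c, 3 = SNMPv3.  A v3 header has no community, so None is returned."""
    tag, body, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = read_tlv(body)
    if tag != 0x02:
        raise ValueError("missing version")
    version = int.from_bytes(ver, "big", signed=True)
    if version == 3:
        return version, None
    tag, community, _ = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community")
    return version, community

def audit(packet):
    """Findings a monitor would raise for one message, per the paper's advice."""
    version, community = parse_snmp_header(packet)
    findings = []
    if version in (0, 1):
        findings.append("community string transmitted in clear text")
        if community in DEFAULT_COMMUNITIES:
            findings.append("default community string %r still in use" % community.decode())
    return findings
```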
2.8.2.9. Port 389, LDAP
This is the standard LDAP port used for address book queries in the Scan to Email feature.
2.8.2.10. Port 396, Netware
This configurable port is used when Novell Netware is enabled to run over IP.
Ver. 1.01, April 2010
Page 16 of 40