WorkCentre 7220-7225 Information Assurance Disclosure Paper Contributors: Michael Barrett Steve Beers Bob Crumrine Mike Faraoni Gordon Farquhar Mirelsa Fontanes Tim Hunter Larry Kovnat Tom Pierce Roger Rhodes Steve Sydorowicz R. Ben Wilkie Bob Zolla Ralph H. Stoos Jr. Ver. 1.0, January 2013...
The information in this document is accurate to the best knowledge of the authors, and is provided without warranty of any kind. In no event shall Xerox Corporation be liable for any damages whatsoever resulting from user's use or disregard of the information provided in this document including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Xerox Corporation has been advised of the possibility of such damages.
2. Device Description
This product consists of an input document handler and scanner, marking engine including paper path, controller, and user interface.
[Figure labels: Document Feeder & Scanner (IIT); Graphical User Interface (GUI); Front Panel; ...]
2.1. Security-relevant Subsystems
2.1.1. Physical Partitioning
The security-relevant subsystems of the product are partitioned as shown in Figure 2-2.
[Figure 2-2 labels: Human Interface; Original Documents; Power Button; Scanner / Document Handler; Ethernet Port; Image Output; USB Target Port; USB ...]
2.1.2. Security Functions allocated to Subsystems
Security Function – Subsystem(s):
Image Overwrite – Controller, Graphical User Interface
System Authentication – Controller, Graphical User Interface
Network Authentication – Controller, Graphical User Interface
Security Audit – Controller
Cryptographic Operations – Controller
User Data Protection – SSL – Controller
User Data Protection – ...
2.2. Controller
2.2.1. Purpose
The controller provides both network and direct-connect external interfaces, and enables copy, print, email, network scan, server fax, internet fax, and LanFax functionality. Network scanning, server fax, internet fax, and LanFax are standard features.
2.2.2. Memory Components
Volatile Memory (columns: Description; Type (SRAM, DRAM, etc.); Size; User Modifiable (Y/N); Function or Use; Process to Clear)
System Memory – DDR3 SDRAM, non-ECC – Function or Use: executable code, printer control – Process to Clear: power off system ...
Hard Disk Descriptions (columns: Drive / Partition (System, Image); Removable (Y/N); Size; User Modifiable (Y/N); Function; Process to Clear)
System Disk / System partition – Removable: N – Size: 27 GB – User Modifiable: N with normal operation – Function: Operating ... – Process to Clear: Diagnostic operation ...
Below the controller tray are other connectors that distribute power and communications to external options such as a finisher or high-capacity paper tray.
Figure 2-3 WorkCentre 7220-7225 Back panel connections
Interface – Description / Usage:
USB Target Port – Diagnostics and service; Xerox Copier Assistant
USB Host Ports – Card readers; SW upgrade; USB printing; Scan to USB
Debug Port – Troubleshooting and monitoring
Ethernet – Network connectivity
Diagnostic LED Readout – ...
Modifying the software upgrade, network logging or saved machine settings files will make the files unusable on a device. The data in the network logging file is encrypted and can only be decrypted by Xerox service. The machine settings that can be saved and restored by a service technician are limited to controller and fax parameters that are needed for normal operation.
2.3. Fax Module
2.3.1. Purpose
The embedded FAX service uses the installed embedded fax card to send and receive images over the telephone interface. The FAX card plugs into a custom interface slot on the controller.
2.4. Scanner
2.4.1. Purpose
The purpose of the scanner is to provide mechanical transport to convert hardcopy originals to electronic data.
2.4.2. Hardware
The scanner converts the image from hardcopy to electronic data. A document handler moves originals into a position to be scanned.
The OS layer includes the operating system, network and physical I/O drivers. The controller operating system is Wind River Linux, kernel v. 2.6.34+. Xerox may issue security patches for the OS, in which case the Xerox portion of the version number (i.e., the part after the '+' sign) will be incremented.
2.7.3. Network Protocols
Figure 2-5 and Figure 2-6 are interface diagrams depicting the IPv4 and IPv6 protocol stacks supported by the device, annotated according to the DARPA model.
Figure 2-5 IPv4 Network Protocol Stack
Figure 2-6 IPv6 Network Protocol Stack
2.8.1. Network Protocols
The supported network protocols are listed in Appendix D and are implemented to industry standard specifications (i.e., they comply with the appropriate RFCs) and are well-behaved protocols. There are no 'Xerox unique' additions to these protocols.
5909-5999 – Remote UI: remote access to the local UI; ports randomized for security
9100 – raw IP
28002 – WS: Scan Template Management, Scan Extension, Xerox Secure Access, Authentication & Authorization Configuration, Device Configuration
53202 – WSD Transfer
53303 – WSD Print
53404 – WSD Scan
...
2.8.2.1. Port 22, SFTP
This port carries SFTP, which encrypts the user name, password, and data being transferred to a network server/repository.
2.8.2.2. Port 123, NTP
This port (UDP) is used to retrieve the time from a network server.
2.8.2.6. Port 80, HTTP
The embedded web pages communicate to the machine through a set of unique APIs and do not have direct access to machine information:
[Diagram labels: Network Controller; request; http request; machine server; ...]
(Cuba, Iran, Libya, North Korea, Sudan and Syria), their nationals, and other sanctioned entities such as persons listed on the Denied Parties List. Xerox provides this information for the convenience of its customers and not as legal advice. Customers are encouraged to consult with legal counsel to assure their own compliance with applicable export laws.
CA for signing. The signed device certificate is then uploaded to the device. Alternatively, the device will generate a self-signed certificate. In this case, the generic Xerox root CA certificate must be downloaded from the device and installed in the certificate store of the user’s browser.
2.8.2.18. Port 631, IPP
This port supports the Internet Printing Protocol. It is not configurable. It is disabled when the http (web) server is disabled.
2.8.2.19. Port 1900, SSDP
This port behaves similarly to the SLP port. When activated, this port is used for service discovery and advertisement.
2.8.2.27. Ports 53202, 53303, 53404, WSD
Transfer Web Service (53202), Print Web Service (53303) and Scan Web Service (53404) for Microsoft WSD support.
2.8.2.28. Port 61100, WS
Web Service interface(s) used to get/set proxy configuration specific to Extensible Interface Platform services.
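A check a practitioner will want after reading the port list in section 2.8: scan the device and compare what is actually listening against the ports this paper documents, so that undocumented listeners (for example a telnet or debug service) stand out, and dependencies the paper states (IPP on 631 follows the HTTP server state) can be verified. This is an added example, not Xerox code. The documented-port table is transcribed from the excerpt above and is deliberately partial; the scan input is a constructed nmap grepable (-oG) host line for the documentation address 192.0.2.10, and no network access is needed to run it.

```python
"""Compare a device's observed open ports with the ports documented in
section 2.8 of the paper. Added example; DOCUMENTED_PORTS is a partial
transcription of the paper's port list, SAMPLE_SCAN is constructed."""
import re

# Port -> service, as named in the section 2.8 excerpt (partial).
DOCUMENTED_PORTS = {
    22: "SFTP",
    80: "HTTP",
    123: "NTP",
    631: "IPP (disabled when the HTTP server is disabled)",
    1900: "SSDP",
    9100: "raw IP",
    28002: "WS: scan templates, Secure Access, device configuration",
    53202: "WSD Transfer",
    53303: "WSD Print",
    53404: "WSD Scan",
    61100: "WS: EIP proxy configuration",
}
# Remote UI listens on a randomized port in this range (section 2.8 table).
REMOTE_UI_RANGE = range(5909, 6000)

# Constructed nmap -oG host line; 192.0.2.10 is a documentation address.
SAMPLE_SCAN = (
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "80/closed/tcp//http///, 631/open/tcp//ipp///, 5951/open/tcp/////, "
    "9100/open/tcp//jetdirect///, 53303/open/tcp/////\tIgnored State: filtered (65528)"
)

PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)")


def parse_grepable(line):
    """Return {(port, proto): state} from one nmap -oG host line."""
    _, _, ports_field = line.partition("Ports: ")
    ports_field = ports_field.split("\t")[0]  # drop 'Ignored State: ...'
    return {(int(p), proto): state for p, state, proto in PORT_RE.findall(ports_field)}


def classify(observed):
    """Sort open ports into documented / remote-UI range / undocumented and
    flag the IPP-follows-HTTP dependency stated in section 2.8.2.18."""
    report = {"documented": [], "remote_ui": [], "undocumented": [], "warnings": []}
    open_ports = sorted(p for (p, _), st in observed.items() if st == "open")
    for port in open_ports:
        if port in DOCUMENTED_PORTS:
            report["documented"].append(port)
        elif port in REMOTE_UI_RANGE:
            report["remote_ui"].append(port)
        else:
            report["undocumented"].append(port)
    if 631 in open_ports and 80 not in open_ports:
        report["warnings"].append(
            "IPP (631) is open while HTTP (80) is not; the paper says IPP "
            "is disabled together with the web server, so verify the configuration")
    return report


if __name__ == "__main__":
    result = classify(parse_grepable(SAMPLE_SCAN))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The undocumented list is what to raise with the device owner (here port 23, which section 2.8 never mentions); a port in the remote-UI range is expected only while Remote UI is enabled.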
If the device is set for local authentication, user account information will be kept in a local accounts database (see the discussion in Chapter 4 of Xerox Standard Accounting) and the authentication process will take place locally. The system administrator can assign authorization privileges on a per user basis. User access to services will be provided based on the privileges set for each user in the local accounts database.
Figure 3-1 Authentication and Authorization schematic
3.2. Login and Authentication Methods
There are a number of methods for different types of users to be authenticated. In addition, the connected versions of the product also log into remote servers. A description of these behaviors follows.
3.2.2.2. SMB Authentication (Windows 2000/Windows 2003/Windows 2008)
The authentication steps vary somewhat, depending on the network configuration. Listed below are 3 network configurations and the authentication steps.
Basic Network Configuration: Device and Domain Controller are on the same ...
Device and Domain Controller are on different Subnets, SA defines Hostname of Domain Controller
Authentication Steps:
[Diagram labels: Xerox Device; Router; LDAP Server; Domain Controller; DNS Server]
The device sends the Domain Controller hostname to the DNS Server.
3.2.2.3. Common Access Card (CAC1/PIV/.NET)
With the addition of the CAC accessory kit, the device is able to utilize the following cards:
• Axalto Access 64kV2
• Oberthur PIV V1.08
• Gemalto PIV 144K
• ...
This includes biometric and card access. Xerox Secure Access is a Web Service that allows a 3rd party to use its own mechanisms, including accessing the customer's authentication servers, to authenticate a user. The device can also take in additional information about the user to allow for two-factor authentication.
3.3. System Accounts
3.3.1. Printing
The device may be set up to connect to a print queue maintained on a remote print server. The login name and password are sent to the print server in clear text. IPsec should be used to secure this channel.
4.2. Audit Log
The device maintains a security audit log. Recording of security audit log data can be enabled or disabled by the SA. The audit log is implemented as a circular log containing a maximum of 15000 event entries, meaning that once the maximum number of entries is reached, the log will begin overwriting the earliest entry.
Event – Event description – Entry Data:
Email job: Job name; User Name; Completion Status; IIO status; Accounting User ID; Accounting Account ID; total-number-of-smtp-recipients; smtp-recipients
Audit Log Disabled: Device name; Device serial number
Audit Log Enabled: ...
Scan to Home job: Job name or Dir name; User Name; Completion Status (Normal/Error); IIO status; Accounting User ID-Name; Accounting Account ID-Name; total-number-net-destination; net-destination
Copy store job: Job name or Dir name; ...
...: UserName; Device name; Device serial number; Completion Status (Enabled/Disabled/Terminated)
X509 certificate: UserName; Device name; Device serial number; Completion Status (Created/uploaded/Downloaded)
IP sec Enable/Disable/Configure: UserName; Device name; Device serial number; ...
CPSR Backup: File Name; User Name; Completion Status (Normal / Error); IIO Status
CPSR Restore: File Name; User Name; Completion Status (Normal / Error); IIO Status
SA Tools Access: Admin ...
FIPS Mode Enable/Disable/Configure: UserName; Device name; Device Serial Number
Xerox Secure Access Login: UserName; Device Name; Device Serial Number; Completion Status (Success/Failed)
Print from USB Enable/Disable: User Name; ...
SMTP Connection Encryption: UserName; Device name; Device serial number; Completion Status (Enabled for STARTTLS / Enabled for STARTTLS if Avail / Enabled for SSL/TLS / Disabled)
Email Domain Filtering Rule: ...
EIP Weblets Allow Install: UserName; Device name; Device serial number; Completion Status (Enable Installation / Block Installation)
EIP Weblets Install: UserName; Device name; Device serial number; Weblet Name; Action (Install / Delete)
IPv4 Enable/Disable/Configure: UserName; Device name; Device serial number; Completion Status (Enabled Wireless/Disabled Wireless/Configured Wireless) (Enabled Wired/Disabled Wired/Configured Wired)
SA PIN Reset: Device serial number; Completion Status (Success/Failed)
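The event tables above name the events an operator should act on quickly (the audit log being disabled, FIPS mode or IPsec being turned off, a certificate being uploaded, an SA PIN reset, weblet installation, repeated failed Secure Access logins), and section 4.2 states that the 15000-entry log overwrites itself. The following is an added example, not Xerox code, of the triage a SOC would run over an exported log: it flags those events and estimates how long the circular log retains history so the export cadence can be set. The excerpt does not show the export format, so the sample log below uses a constructed pipe-separated layout (entry|timestamp|event|user|device|serial|status) with fictitious device and user names; parse_line() is the only function that depends on that layout.

```python
"""Triage a WorkCentre security audit log export for the security-relevant
events listed in section 4.2. Added example; SAMPLE_LOG and its field
layout are constructed, not the device's real export format."""
from collections import Counter

LOG_CAPACITY = 15000  # circular log size stated in section 4.2

# (event, status/action) pairs from the event tables that weaken the posture
# of the device or change who can administer it.
HIGH_RISK = {
    ("Audit Log", "Disabled"),
    ("FIPS Mode", "Disable"),
    ("IP sec", "Disable"),
    ("SMTP Connection Encryption", "Disabled"),
    ("SA PIN Reset", "Success"),
    ("X509 certificate", "uploaded"),
    ("EIP Weblets Allow Install", "Enable Installation"),
    ("EIP Weblets Install", "Install"),
    ("Print from USB", "Enable"),
}
FAILED_LOGIN_EVENT = "Xerox Secure Access Login"
FAILED_LOGIN_THRESHOLD = 3  # consecutive failures per user before alerting

# Constructed sample export: entry|timestamp|event|user|device|serial|status.
SAMPLE_LOG = """\
101|2013-02-01T08:00:12|IPv4|admin|WC7225-lobby|ABC123456|Configured Wired
102|2013-02-01T08:05:40|Xerox Secure Access Login|jdoe|WC7225-lobby|ABC123456|Failed
103|2013-02-01T08:05:55|Xerox Secure Access Login|jdoe|WC7225-lobby|ABC123456|Failed
104|2013-02-01T08:06:10|Xerox Secure Access Login|jdoe|WC7225-lobby|ABC123456|Failed
105|2013-02-01T08:06:30|Xerox Secure Access Login|jdoe|WC7225-lobby|ABC123456|Success
106|2013-02-01T09:12:01|FIPS Mode|admin|WC7225-lobby|ABC123456|Disable
107|2013-02-01T09:12:30|X509 certificate|admin|WC7225-lobby|ABC123456|uploaded
108|2013-02-01T09:13:02|Email job|jdoe|WC7225-lobby|ABC123456|Normal
109|2013-02-01T09:20:00|Audit Log|admin|WC7225-lobby|ABC123456|Disabled
"""


def parse_line(line):
    """Split one constructed-format line into a dict (adapt to the real export)."""
    entry, ts, event, user, device, serial, status = line.split("|", 6)
    return {"entry": int(entry), "ts": ts, "event": event, "user": user,
            "device": device, "serial": serial, "status": status}


def triage(text):
    """Return [(entry number, reason)] findings in log order."""
    findings = []
    failures = Counter()  # consecutive Secure Access failures per user
    for raw in text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        if (e["event"], e["status"]) in HIGH_RISK:
            findings.append((e["entry"], f'{e["event"]} {e["status"]} by {e["user"]}'))
        if e["event"] == FAILED_LOGIN_EVENT:
            if e["status"] == "Failed":
                failures[e["user"]] += 1
                if failures[e["user"]] == FAILED_LOGIN_THRESHOLD:
                    findings.append((e["entry"],
                                     f'{FAILED_LOGIN_THRESHOLD} consecutive failed '
                                     f'Secure Access logins for {e["user"]}'))
            else:
                failures[e["user"]] = 0  # a success resets the streak
    return findings


def hours_until_wraparound(events_per_hour, capacity=LOG_CAPACITY):
    """Hours of history the circular log keeps at a given event rate; export
    more often than this or the oldest entries are overwritten (section 4.2)."""
    if events_per_hour <= 0:
        raise ValueError("event rate must be positive")
    return capacity / events_per_hour


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"entry {entry}: {reason}")
    print(f"retention at 50 events/hour: {hours_until_wraparound(50):.0f} hours")
```

The "Audit Log Disabled" finding is the one to treat as highest priority, since nothing after it is recorded; pairing the log export with the IIO status fields in the job events also lets the same pass confirm that image overwrite ran for each job.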
4.3. Xerox Standard Accounting
Xerox Standard Accounting (XSA), intended primarily for use as an accounting service, can be used as an internal authorization service. XSA tracks copy, scan (including filing and email), print and fax usage by individual user. The system administrator can enable/disable the feature by service (Copy, Print, Scan, or Fax) via the LUI or Web UI, add or delete users, and set usage limits by service for each user.
4.4. User Permissions Role Based Access Control (RBAC)
The User Permissions feature has been added to Xerox devices to expand control of access to device services and features, which in turn improves security, enables cost control for media and consumables, and eliminates unauthorized pages.
Once the connection with the Xerox Communication Server has been established, the Meter Assistant service will poll the Xerox Communication server daily over the network. The server will check whether it is time in the billing cycle to update the meter readings. If so, the server will request reads from the device, and the device will then respond by sending the meter reads back to the server.
4.7. Image Overwrite
The Image Overwrite Security feature provides both Immediate Image Overwrite (IIO) and On-Demand Image Overwrite (ODIO) functions. Immediately before a job is considered complete, IIO will overwrite any temporary files associated with print, network scan, internet fax, network fax, or e-mail jobs that had been created on the controller Hard Disk.
4.7.3. Overwrite Timing
The ODIO overwrite time is dependent on the type of hard disk in the product. The overwrite times are generally 20 minutes for a Standard ODIO and 60 minutes for a Full ODIO.
• Validates certificates for features where the printer is the client in the client-server relationship. Certificates for LDAP, Xerox Extensible Interface Platform (EIP 2.0), and Smart eSolutions are examples.
• Validates certificates that are installed on the printer, but not used. Certificates for HTTPS, LDAP, or SNMPv3 ...
4.8.2. Enabling FIPS 140 Mode
In CentreWare IS, click Properties > Security > Encryption > FIPS 140-2. Click Enable. Click Run Configuration Check and Apply. A pass or fail message appears. If the configuration check passes, click Reboot Machine to save and restart the printer.
Please see http://www.xerox.com/security
Xerox has created a document which details the Xerox Vulnerability Management and Disclosure Policy used in discovery and remediation of vulnerabilities in Xerox software and hardware. It can be downloaded from this page: http://www.xerox.com/information-security/information-security-articles-whitepapers/enus.html
APPENDICES
Appendix A – Abbreviations
API – Application Programming Interface
Automatic Meter Reads
ASIC – Application-Specific Integrated Circuit. This is a custom integrated circuit that is unique to a specific product.
Customer Administration Tool
Customer Service Engineer
...
ODIO – On-Demand Image Overwrite
PCL – Printer Control Language
PDL – Page Description Language
PIN – Personal Identification Number
PWBA – Printed Wire Board Assembly
Common alternative for PSW
Required Functional Capability
SA – System Administrator
SFTP – Secure File Transfer Protocol
SLP – Service Location Protocol
...
Appendix B – Supported MIB Objects
NOTES: (1) The number of objects shown per MIB group represents the number of objects defined by the IETF standard for that MIB group. It does not represent the instantiation of the MIB group which may contain many more objects.
RFC 3805 – Printer MIB Group – WorkCentre/ColorQube:
RFC 1213 – System group – supported
RFC 1213 – Interface group – supported
RFC 1514 – Storage group – supported
RFC 1514 – Device group – supported
General group [7 objects] – ...
Legend:
= Network Connectivity, Job Monitoring, Scan-to-File, and Scan-to-LAN FAX features supported via Xerox MIBs
Vendor-specific MIBs provided to customer
supported w/ caveat = planned support within 2 - 3Q00 via Xerox web site, URL = www.xerox.com
Vendor-specific client application(s) provided
...
Appendix C – Standards
Controller Hardware:
PCI Specification (PCI Local Bus Specification Revision 2.1)
100 Megabit Ethernet (IEEE 802.3)
Universal Serial Bus 1.1
Parallel (IEEE 1284)
IEEE 1394a (FireWire)
Controller Software (Function – RFC/Standard):
Internet Protocol – ...
Printing Description Languages:
Postscript Language Reference, Third Edition
PCL6 (PCL5C + PCL XL class 3.0 emulation)
TIFF 6.0
JPEG
Portable Document Format Reference Manual Version 1.3