Download  Print this page

Xerox AltaLink B8045 Security Manual

Office class multi-function products & single-function printers
Hide thumbs

Advertisement

Office Class Multi-Function Products &
AltaLink
Multi-
®
Function Products
B8045, B8055, B8065,
B8075, B8090
C8030, C8035, C8045,
C8055, C8070
February 2018 update
Xerox
Security Guide
Single-Function Printers
VersaLink
Function Products
B405, B605, B615,
B7025, B7030, B7035
C405, C505, C605,
C7020, C7025, C7030
Xerox® Product Security Guide and Information Assurance Disclosure
®
Multi-
VersaLink
®
Printers
B400, B600, B610
C400, C500, C600,
C7000, C8000, C9000
®

Advertisement

Table of Contents
loading

  Summary of Contents for Xerox AltaLink B8045

  • Page 1 B8045, B8055, B8065, B405, B605, B615, B400, B600, B610 B8075, B8090 B7025, B7030, B7035 C8030, C8035, C8045, C405, C505, C605, C400, C500, C600, C8055, C8070 C7020, C7025, C7030 C7000, C8000, C9000 February 2018 update Xerox® Product Security Guide and Information Assurance Disclosure...
  • Page 2 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® © 2018 Xerox Corporation. All rights reserved. Xerox and Xerox and Design® are trademarks of Xerox Corporation in the United States and/or other countries. BR25497 Other company trademarks are also acknowledged.
  • Page 3: Table Of Contents

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Table of Contents Introduction ............................5 Purpose ................................. 5 Target Audience ............................5 Disclaimer..............................5 Product Description .......................... 6 Physical Components ........................... 6 Architecture ..............................6 User Interface ..............................7 Scanner .................................
  • Page 4 Network Access Control ..........................18 802.1x Cisco Identity Services Engine (ISE) ....................18 Cisco ISE allows you to deploy the following controls and monitoring of Xerox products: ....18 Contextual Endpoint Connection Management ..................19 FIPS140-2 Compliance Validation ......................19 Additional Network Security Controls ......................19 Endpoint Firewall Options ......................19...
  • Page 5 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Runtime Security ............................23 Event Monitoring & Logging ........................23 Audit Log 23 Operational Security ............................ 23 Firmware Restrictions ........................23 Service Technician (CSE) Access Restriction ................24 Additional Service Details ......................24 Backup &...
  • Page 6 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Appendix B: Security Events ......................49 Xerox AltaLink® Security Events ....................... 49 VersaLink® Security Events ........................65 November 2018 Page 4...
  • Page 7: Introduction

    1 Introduction Purpose The purpose of this document is to disclose information for the Xerox ® Office Class printers and multi- function products (hereinafter called as “the product” or “the system”) with respect to product security. Product Security, for this paper, is defined as how image data is stored and transmitted, how the product behaves in a network environment, and how the product may be accessed both locally and remotely.
  • Page 8: Product Description

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® 2 Product Description Physical Components AltaLink® and VersaLink® products consist of an input document handler and scanner, marking engine, controller, and user interface. A typical configuration is depicted below. Please note that options including finishers, paper trays, document handers, etc.
  • Page 9: User Interface

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® User Interface The user interface detects soft and hard button actuations and provides text and graphical prompts to the user. The user interface is sometimes referred to as the Graphical User Interface (GUI) or Local UI (LUI) to distinguish it from the remote web server interface (WebUI).
  • Page 10: 10/100/1000 Mb Ethernet Rj-45 Network Connector

    NFC functionality requires a software plugin that can be obtained from Xerox sales and support. NFC functionality is supported via optional touch screen user interface or optional dedicated NFC USB dongle.
  • Page 11: User Data Protection

    Xerox products protect user data being processed by employing strong encryption. When the data is no longer needed, the Image Overwrite (IIO) feature automatically erases and overwrites the data on magnetic media, rendering it unrecoverable.
  • Page 12: User Data In Transit

    Inbound User Data Print Job Submission In addition to supporting network level encryption including IPSec and WPA Xerox products also support encryption of print job data at the time of submission. This can be used to securely transmit print jobs over unencrypted connections or to enhance existing network level security controls.
  • Page 13: Scanning To User Local Usb Storage Product

    Add on Apps- Cloud, Google, DropBox, and others The Xerox App Gallery® contains several additional applications that extend the capabilities of Xerox products. Discussion of App security is beyond the scope of this document. Xerox Apps utilize the security framework provided by the 3 party vendor.
  • Page 14: Network Security

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® 4 Network Security Xerox products are designed to offer a high degree of security and flexibility in almost any network environment. This section describes several aspects of the product related to network security.
  • Page 15: Network Encryption

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® CIFS 500 & 4500 IPSec 1900 SSDP 3702 WSD (Discovery) 5353 mDNS 9100 Raw IP (also known as JetDirect, AppSocket or PDL-datastream) 5909-5999 Remote Access to local display panel. Port is randomly selected and communications encrypted with TLS 1.2.
  • Page 16: Wireless 802.11 Wi-Fi Protected Access (Wpa)

    Wireless 802.11 Wi-Fi Protected Access (WPA) Products equipped with WiFi support WPA2 Personal, WPA2 Enterprise, and Mixed Mode compliant with IEEE 802.11i. The wireless network adapters used in Xerox products are certified by the Wi-Fi Alliance. AltaLink® Multifunction VersaLink® VersaLink® Printers...
  • Page 17: Public Key Encryption (Pki)

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Public Key Encryption (PKI) A digital certificate is a file that contains data used to verify the identity of the client or server in a network transaction. A certificate also contains a public key used to create and verify digital signatures. To prove identity to another product, a product presents a certificate trusted by the other product.
  • Page 18: Trusted Certificates

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® SFTP Supported (Not currently supported) (Not Applicable) Trusted Certificates Public certificates may be imported to the product’s certificate store for validation of trusted external products. The following categories are supported: •...
  • Page 19: Certificate Validation

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Certificate Validation AltaLink® and VersaLink® devices support certificate validation with configurable checks for OSCP and CRL. Validation checks include:  Validation of certificate path  Certificate expiration  Validation of trusted CA ...
  • Page 20: Network Access Control

    ISE under product families, such as AltaLink® and VersaLink®, enabling Cisco ISE to automatically detect and profile new Xerox products from the day they are released. Customers who use Cisco ISE find that including Xerox products in their security policies is simpler and requires minimal effort.
  • Page 21: Contextual Endpoint Connection Management

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Prevent impersonation (aka spoofing) of a printer/MFP Automatically prevent connection of non-approved print products Smart rules-based policies to govern user interaction with network printing products  Provide simplified implementation of security policies for printers and MFPs by:...
  • Page 22: Ip Whitelisting (Ip Address Filtering)

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Stateful Firewall Supported (Not currently supported) (Not currently supported) IP Whitelist Supported Supported Supported IP Whitelisting (IP Address Filtering) VersaLink® products support IP Whitelisting only. When enabled all traffic is prohibited regardless of interface (wired/wireless) unless enabled by IP filter rule.
  • Page 23: Device Security: Bios, Firmware, Os, Runtime, And Operational Security Controls

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® 5 Device Security: BIOS, Firmware, OS, Runtime, and Operational security controls AltaLink® and VersaLink® products have robust security features that are designed to protect the system from a wide range of threats. Below is a summary of some of the key security controls.
  • Page 24: Fail Secure Vs Fail Safe

    Unlike open operating systems such as servers and user workstations in which software may be installed by users, Xerox products are based on embedded systems and the contents are managed by Xerox. The only means of modifying the contents of a device is by applying a firmware update package.
  • Page 25: Runtime Security

    Firmware Restrictions The list below describes supported firmware delivery methods and applicable access controls.  Local Firmware Upgrade via USB port: Xerox service technicians can update product firmware using a USB port and specially configured USB November 2018 Page 23...
  • Page 26: Service Technician (Cse) Access Restriction

    The CSE (Customer Service Engineer) Access Restriction allows customers to create an additional password that is independent of existing administrator passwords. This password must be supplied to allow service of the product. This password is not accessible to Xerox support and cannot be reset by Xerox service personnel.
  • Page 27: Configuration & Security Policy Management Solutions

    Xerox Device Manager and Xerox CentreWare® Web (available as a free download) centrally manage Xerox Devices. Additionally, AltaLink® products come with McAfee built in and can be managed with McAfee ePO™ providing an enhanced security posture supporting proactive monitoring, threat detection, and remediation capabilities.
  • Page 28: Identification, Authentication, And Authorization

    The local user database stores user credential information. The printer uses this information for local authentication and authorization, and for Xerox ® Standard Accounting. When you configure local authentication, the printer checks the credentials that a user provides against the information in the user database.
  • Page 29: Network Authentication

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Network Authentication When configured for network authentication, user credentials are validated by a remote authentication server. AltaLink® VersaLink® VersaLink® Printers Multifunction Multifunction B8045, B8055, B8065, B8075, B405, B605, B615, B7025,...
  • Page 30: Simple Authentication (Non-Secure)

    Control Lists) are stored in the local user database. Authorization privileges (referred to as permissions) can be assigned on a per user or group basis. Please note that Xerox products are designed to be customizable and support various workflows as well as security needs. User permissions include security-related permissions and non-security related workflow permissions (e.g.
  • Page 31: Additional Information & Resources

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® 8 Additional Information & Resources Security @ Xerox® Xerox maintains an evergreen public web page that contains the latest security information pertaining to its products. Please see http://www.xerox.com/security. Responses to Known Vulnerabilities Xerox has created a document which details the Xerox Vulnerability Management and Disclosure Policy used in discovery and remediation of vulnerabilities in Xerox software and hardware.
  • Page 32: Appendix A: Product Security Profiles

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Appendix A: Product Security Profiles This appendix describes specific details of each AltaLink® and VersaLink® product. November 2018 Page 30...
  • Page 33: Altalink® B8045/B8055/B8065/B8075/B8090

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® AltaLink® B8045/B8055/B8065/B8075/B8090 Physical Overview Locking Caster Upper Rear Cover Tray 5 Lower Rear Cover Left Side Door USB Memory Port, for service only USB Port USB Memory Card Connections Document Cover...
  • Page 34 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Controller Non-Volatile Storage SD Card Optional Required Contains User Data (E.g. Print, Scan, Fax) Encryption Support Configurable Always-On NIST 800-171 Overwrite Support Contains Configuration Settings Encryption Support Configurable Always-On Factory...
  • Page 35: Altalink® C8030 / C8035 / C8045 / C8055 / C8070

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® AltaLink® C8030 / C8035 / C8045 / C8055 / C8070 Physical Overview Leveler Foot Circuit Breaker Tray 5 Rear Right Cover Left Tray USB Memory Card Connections and SIM Slot...
  • Page 36 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Controller Non-Volatile Storage SD Card Optional Required Contains User Data (E.g. Print, Scan, Fax) Encryption Support Configurable Always-On NIST 800-171 Overwrite Support Contains Configuration Settings Encryption Support Configurable Always-On Factory...
  • Page 37: Versalink® B7025, B7030 B7035

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® VersaLink® B7025, B7030 B7035 Physical Overview 11. Stabilizer 18. Caster wheels 12. Bypass paper feed tray 19. USB3.0 (Target Type B)* 13. USB2.0 (Host Type A)* 20. Optional Wi-Fi dongle port* 14.
  • Page 38 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Controller Non-Volatile Storage SD Card Optional Required Contains User Data (E.g. Print, Scan, Fax) Encryption Support Always-On Always-On NIST 800-171 Overwrite Support Contains Configuration Settings Encryption Support Always-On Always-On Factory...
  • Page 39: Versalink® C7000, C7020, C7025, C7030

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® VersaLink® C7000, C7020, C7025, C7030 Physical Overview Stabilizer Caster wheels Bypass paper feed tray USB3.0 (Target Type B)* USB2.0 (Host Type A)* 10. Optional Wi-Fi dongle port* Touch screen user interface.
  • Page 40 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Controller Non-Volatile Storage SD Card Optional Required Contains User Data (E.g. Print, Scan, Fax) Encryption Support Always-On Always-On NIST 800-171 Overwrite Support Contains Configuration Settings Encryption Support Always-On Always-On Factory...
  • Page 41: Versalink® C400, C405

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® VersaLink® B400, B405 Physical Overview Upper Paper Tray 10. Lower Paper Tray Special Paper Feed 11. Optional SSD Install Location Front Bezel 12. SSD Install Location Cover USB 2.0 (A) 13.
  • Page 42 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Controller Non-Volatile Storage SD Card Required Optional Contains User Data (E.g. Print, Scan, Fax) Encryption Support Always-On NIST 800-171 Overwrite Support Contains Configuration Settings Encryption Support Always-On Always-On Factory Factory...
  • Page 43 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® VersaLink® C400, C405 Physical Overview Upper Paper Tray Lower Paper Tray Special Paper Feed 10. Service Panel Front Bezel 11. RJ-11 Fax and Telephone Connector USB 2.0 (A) 12. RJ-11 Fax and Telephone Connector Touch Screen User Interface, Power Button 13.
  • Page 44 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Controller Non-Volatile Storage SD Card Required Optional Contains User Data (E.g. Print, Scan, Fax) Encryption Support Always-On NIST 800-171 Overwrite Support Contains Configuration Settings Encryption Support Always-On Always-On Factory Factory...
  • Page 45: Versalink® C500, C600, C505, C605

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® VersaLink® C500, C600, C505, C605 Physical Overview Paper feed tray. Document output tray. Paper feed tray. 10. Document output tray extension. Bypass paper feed tray. 11. Jam clearance panel. Front bezel.
  • Page 46 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Controller Non-Volatile Storage SD Card Required Optional Contains User Data (E.g. Print, Scan, Fax) Encryption Support Always-On NIST 800-171 Overwrite Support Contains Configuration Settings Encryption Support Always-On Always-On Factory Factory...
  • Page 47: Versalink® B600, B605, B610, B615

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® VersaLink® B600, B605, B610, B615 Physical Overview Document feeder. Optional Wi-Fi dongle connection. Touch screen user interface. Optional RJ11 Fax USB2.0(A). USB2.0(A) Document output tray. 10. USB3.0(B) Bypass paper feed.
  • Page 48 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Controller Non-Volatile Storage SD Card Required Optional Contains User Data (E.g. Print, Scan, Fax) Encryption Support Always-On NIST 800-171 Overwrite Support Contains Configuration Settings Encryption Support Always-On Always-On Factory Factory...
  • Page 49: Versalink® C8000, C9000

    Connection of optional equipment such as NFC or CAC readers. Note: This port can be disabled completely by a system administrator. Product Service Port Used only by Xerox service technicians. Port is covered by a metal plate. Encryption and Overwrite...
  • Page 50 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Controller Non-Volatile Storage SD Card Optional Required Contains User Data (E.g. Print, Scan, Fax) Encryption Support Always-On Always-On NIST 800-171 Overwrite Support Contains Configuration Settings Encryption Support Always-On Always-On Factory...
  • Page 51: Appendix B: Security Events

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Appendix B: Security Events Xerox AltaLink® Security Events Event Description System startup Device name Device serial number System shutdown Device name Device serial number Manual ODIO Standard started Device name...
  • Page 52 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Email job Job name User Name Completion Status IIO status Accounting User ID Accounting Account ID total-number-of-smtp-recipients smtp-recipients Audit Log Disabled Device name Device serial number Audit Log Enabled Device name...
  • Page 53 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Scan to Home UserName Device name Device serial number Completion Status (Enabled/Disabled) Scan to Home job Job name or Dir name User Name Completion Status (Normal/Error) IIO status Accounting User ID-Name...
  • Page 54 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® SA pin changed UserName Device name Device serial number Completion status Audit log Saved UserName Device name Device serial number Completion status UserName Device name Device serial number Completion Status (Enabled/Disabled/Terminated)
  • Page 55 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Smartcard (CAC/PIV) access UserName (if valid Card and Password are entered) Device name Device serial number Process Name Process terminated Device name Device serial number Process name ODIO scheduled Device name...
  • Page 56 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® IPv6 UserName Enable/Disable/Configure Device Name Device Serial Number Completion Status (Success/Failed) 802.1x UserName Enable/Disable/Configure Device Name Device Serial Number Completion Status (Success/Failed) Abnormal System Termination Device Name Device Serial Number...
  • Page 57 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Remote UI feature User Name Device Name Device Serial Number Completion Status (Enabled/Disabled/Configured) Remote UI session User Name Device Name Device Serial Number Completion Status (Initiated/Terminated) Remote Client IP Address...
  • Page 58 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® McAfee Security Event Device name NOTE: ColorQube 8900 ONLY Device serial number Type (Read / Modify / Execute / Deluge) McAfee message text McAfee Agent User name NOTE: ColorQube 8900 ONLY...
  • Page 59 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Network Connectivity Enable / UserName Disable Device name Device serial number Completion Status (Enable Wireless / Disable Wireless (Enable Wired /Disable Wired) Address Book Permissions UserName Machine Name Machine serial number...
  • Page 60 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Convenience Authentication UserName Enable/Disable/Configure Device name Device serial number Completion Status (Enabled/Disabled/Configured) Efax Passcode Length UserName (managing passcodes) Device name Device serial number Completion Status (Passcode Length Changed) Custom Authentication Login...
  • Page 61 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Scan to WebDAV Job name User Name Completion Status IIO status Accounting User ID-Name Accounting Account ID-Name WebDAV destination. Mopria Print UserName enable / disable Device name Device serial number...
  • Page 62 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Audit Log SFTP Transfer UserName Device Name Device serial number Destination server Completion Status (File Transmitted) Remote Software UserName Download Device name Enable Disable Device serial number Completion Status (Enable/Disable) Airprint &...
  • Page 63 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Backup-Restore File Name restore installed User name Device name Device IP address Interface (WebUI) Completion Status (Success or Failed) Google Cloud Services User name Device name Device serial number Completion Status-(Enabled / Disabled / Configured)
  • Page 64 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Remote Services Software Device Name Download Device Serial number File Name Restricted Admin Permission Role User name Device name Device serial number Restricted admin role name Completion status (Created / Deleted / Configured)
  • Page 65 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Job Data Removal Standard Device name complete Device serial number Completion Status (“Success” / “Failed”) Job Data Removal Full started Device name Device serial number Job Data Removal Full complete...
  • Page 66 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® User name (if available. “SYSTEM”, if executed as a Xerox Configuration Watchdog Remediation Complete scheduled event) Device name Device serial number Completion status (“Success” | “Failed”) ThinPrint Feature User Name...
  • Page 67: Versalink® Security Events

    Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® VersaLink® Security Events Event Description Started normally (cold boot) Started normally (warm boot) Started (NVM initialized) Started (Hard Disk initialized) Shutdown requested Completion: (“Success” / “Failed”) Image Overwriting started Scheduled On Demand Completion: (“Success”...
  • Page 68 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® File Name Copy Action Details Scan Encrypted, Signed, Destination Name, Sender Name Action Details, Destination Name, Sender Name Mailbox Action Details Print Reports Job Flow Service Completion: (“Success” / “Failed”)
  • Page 69 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Auto Clear Timer Service Rep. Restricted Operation Print Reports Button External Code Integrity Check Authorization Access Method: (“Local” / “EWS” ) View Security Setting Host Name or IP Address Change Contract Type User name Completion: (“Success”...
  • Page 70 Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink® Category: (“Apps” / “Contacts” / “Connectivity”/ “Permissions”/ “System”) Import Cloning Data Completion: (“Replaced”) Important Parts Completion: (“Replaced” / “Installed” / “Removed”) Hard Disk Completion: (“Updated”) Software ROM Type: (“IOT” / “UI”/ “Controller”/ “FAX”)