Contextual Endpoint Connection Management; Fips140-2 Compliance Validation; Additional Network Security Controls; Endpoint Firewall Options - Xerox AltaLink B8045 Security Manual

Xerox® Security Guide for Office Class Products: AltaLink®  VersaLink®
o
Prevent impersonation (aka spoofing) of a printer/MFP
o
Automatically prevent connection of non-approved print products
o
Smart rules-based policies to govern user interaction with network printing products

Provide simplified implementation of security policies for printers and MFPs by:
o
Providing real time policy violation alerts and logging
o
Enforcing network segmentation policy
o
Isolating the printing products to prevent general access to printers and MFPs in
restricted areas

Automated access to policy enforcement

Provide extensive reporting of printing product network activity
Network Access Control
Cisco ISE

Contextual Endpoint Connection Management

Traditionally network connection management has been limited to managing endpoints by IP address and
use of VLANs and firewalls. This is effective, but highly complex to manage for every endpoint on a
network. Managing, maintaining, and reviewing the ACLs (and the necessary change management and
audit processes to support them) quickly become prohibitively expensive. It also lacks the ability to
manage endpoints contextually.
Connectivity of AltaLink® and VersaLink® devices can be fully managed contextually by Cisco
TrustSec. TrustSec uses Security Group Tags (SGT) that are associated with an endpoint's user, device,
and location attributes. SG-ACLs can also block unwanted traffic so that malicious reconnaissance
activities and even remote exploitation from malware can be effectively prevented.

FIPS140-2 Compliance Validation

When enabled, the product will validate its current configuration to identify cryptographic modules in use.
Modules which are not FIPS 140-2 (Level 1) compliant will be reported.
AltaLink® products include FIPS compliant algorithms of SNMPv3 and Kerberos, however an exception
can be approved to run these in non-FIPS compliant mode when configured for non-FIPS algorithms.
VersaLink® products use encryption algorithms for Kerberos, SMB, SNMPv3, and PDF Direct Print
Service that are not approved by FIPS140-2. They can however operate in FIPS140-2 approved Mode in
order to maintain compatibility with conventional products after an exception is approved by a system
administrator. They do not use FIPS compliant algorithms when in this configuration.

Additional Network Security Controls

Additional network security controls are discussed in the following sections.

Endpoint Firewall Options

Firewall
November 2018
AltaLink® Multifunction VersaLink®
Multifunction
B8045, B8055, B8065, B8075, B405, B605, B615, B7025,
B8090, C8030, C8035, C8045, B7030, B7035, C405, C505,
C8055, C8070 C605, C7020, C7025, C7030
Supported Supported
AltaLink® Multifunction VersaLink®
Multifunction
B8045, B8055, B8065, B8075, B405, B605, B615, B7025,
B8090, C8030, C8035, C8045, B7030, B7035, C405, C505,
C8055, C8070 C605, C7020, C7025, C7030
Stateful Packet Filter IP Whitelisting
VersaLink® Printers
B400, B600, B610, C400, C500,
C600, C7000, C8000, C9000
Supported
VersaLink® Printers
B400, B600, B610, C400, C500,
C600, C7000, C8000, C9000
IP Whitelisting
Page 19