Xerox Workcentre 3550 Technical manual

Xerox WorkCentre

3550

Information Assurance Disclosure Paper

Version 1.2

Prepare by:

Mark Bixler

Xerox Corporation

800 Phillips Roa

Webster

, New York 14

580

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 2 of 32

Xerox Corporation in the Unite States an /or other counties.

Other company tra emarks are also acknowle ge .

Document Version: 1.3 (March 2011).

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 3 of 32

1. INTRODUCTION ..................................................................................................................................5

1.1.

Purpose .................................................................................................................................................................................... 5

1.2.

Target Audience ................................................................................................................................................................... 5

1.3.

Disclai er ............................................................................................................................................................................... 5

2. DEVICE DESCRIPTION .......................................................................................................................6

2.1.

Security-relevant Subsyste s ......................................................................................................................................... 7

2.1.1.

Physical Partitioning .......................................................................................................................................................................7

2.1.2.

Security Functions allocate to Subsystems ........................................................................................................................8

2.2.

Controller ................................................................................................................................................................................ 9

2.2.1.

Purpose ................................................................................................................................................................................................9

2.2.2.

Memory Components ....................................................................................................................................................................9

2.2.3.

External Connections .................................................................................................................................................................. 10

2.2.4.

USB Ports ......................................................................................................................................................................................... 10

2.3

Fax Module .......................................................................................................................................................................... 11

2.3.1.

2.3.2.

Har ware ......................................................................................................................................................................................... 11

2.4.

Scanner ................................................................................................................................................................................. 11

2.4.1.

2.4.2.

Har ware ......................................................................................................................................................................................... 11

2.5.

Local User Interface (LUI) ............................................................................................................................................. 12

2.5.1.

2.5.2.

Har ware ......................................................................................................................................................................................... 12

2.6.

Marking Engine (also known as the I age Output Ter inal or IOT) .......................................................... 12

2.6.1.

2.6.2.

Har ware ......................................................................................................................................................................................... 12

2.6.3.

Control an Data Interfaces .................................................................................................................................................... 12

2.7.

Syste Software Structure ........................................................................................................................................... 13

2.7.1.

Open-source components ......................................................................................................................................................... 13

2.7.2.

OS Layer in the Controller ......................................................................................................................................................... 13

2.7.3.

Network Protocols ........................................................................................................................................................................ 14

2.8.

Logical Access ..................................................................................................................................................................... 15

2.8.1.

Network Protocols ........................................................................................................................................................................ 15

2.8.2.

Ports ................................................................................................................................................................................................... 16

2.8.3.

IP Filtering ....................................................................................................................................................................................... 20

3. SYSTEM ACCESS ................................................................................................................................ 21

3.1.

Authentication Model ..................................................................................................................................................... 21

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 4 of 32

3.2.

Login and Authentication Methods ........................................................................................................................... 21

3.2.1.

System A ministrator Login [All pro uct configurations] ........................................................................................... 21

3.2.2.

User authentication ..................................................................................................................................................................... 21

3.3.

Syste Accounts ............................................................................................................................................................... 24

3.3.1.

Printing [Multifunction mo els only] .................................................................................................................................... 24

3.3.2.

Network Scanning [Multifunction mo els only] .............................................................................................................. 24

3.4.

Diagnostics .......................................................................................................................................................................... 24

4. SECURITY ASPECTS OF SELECTED FEATURES ...................................................................... 25

4.1.

SMart eSolutions ............................................................................................................................................................... 25

4.2.1

Meter Assistant .............................................................................................................................................................................. 25

4.2.2

Supplies Assistant ......................................................................................................................................................................... 25

4.2.3

Summary .......................................................................................................................................................................................... 25

5. RESPONSES TO KNOWN VULNERABILITIES ......................................................................... 26

5.1.

Security @ Xerox (www.xerox.co /security) .......................................................................................................... 26

6. APPENDICES ....................................................................................................................................... 27

6.1.

Appendix A – Abbreviations ......................................................................................................................................... 27

6.2.

Appendix B – Supported MIB Objects ....................................................................................................................... 29

6.3.

Appendix C –Standards .................................................................................................................................................. 31

6.4.

Appendix E – References ................................................................................................................................................ 32

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 5 of 32

1. Intro uction

The

WorkCentre 3550 multifunction systems

are among the latest versions of Xerox copier an multifunction

evices for the general office.

1.1. Purpose

The purpose of this ocument is to isclose information for the WorkCentre pro ucts with respect to evice security.

Device Security, for this paper, is efine as how image ata is store an transmitte , how the pro uct behaves in a

networke environment, an how the pro uct may be accesse , both locally an remotely. Please note that the

customer is responsible for the security of their network an the WorkCentre pro ucts o not establish security for

any network environment.

The purpose of this ocument is to inform Xerox customers of the esign, functions, an features of the WorkCentre

pro ucts relative to Information Assurance (IA).

This ocument oes NOT provi e tutorial level information about security, connectivity, PDLs, or WorkCentre

pro ucts features an functions. This information is rea ily available elsewhere. We assume that the rea er has a

working knowle ge of these types of topics. However, a number of references are inclu e in the Appen ix.

1.2. Target Au ience

The target au ience for this ocument is Xerox fiel personnel an customers concerne with IT security.

1.3. Disclaimer

The information in this ocument is accurate to the best knowle ge of the authors, an is provi e without warranty

of any kin . In no event shall Xerox Corporation be liable for any amages whatsoever resulting from user's use or

isregar of the information provi e in this ocument inclu ing irect, in irect, inci ental, consequential, loss of

business profits or special amages, even if Xerox Corporation has been a vise of the possibility of such amages.

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 6 of 32

2. Device Description

This pro uct consists of an input ocument han ler an scanner, marking engine inclu ing paper path, controller,

an user interface.

Figure 2-1 WorkCentre Multifunction Syste

Document Fee er & Scanner (IIT)

Marking Engine (IOT)

Paper Trays

User Interface (UI)

The Network Controller is

located on the left rear side of

the machine in WorkCentre

3550 products.

Output Bin

USB Host Port

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 7 of 32

2.1. Security-relevant Subsystems

2.1.1. Physical Partitioning

The security-relevant subsystems of the pro uct are partitione as shown in Figure 2-2.

Figure 2-2 Syste functional block diagra

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 8 of 32

2.1.2. Security Functions allocate to Subsystems

Security Function Subsyste

System Authentication

Controller

Graphical User Interface

Network Authentication

Controller

Graphical User Interface

Cryptographic Operations

Controller

User Data Protection – SSL

Controller

User Data Protection – IP Filtering

Controller

User Data Protection – IPSec

Controller

Network Management Security

Controller

Fax Flow Security

Fax Mo ule

Controller

Graphical User Interface

Security Management

Controller

Graphical User Interface

Table 1 Security Functions allocated to Subsyste s

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 9 of 32

2.2. Controller

2.2.1. Purpose

The controller provi es both network an irect-connect external interfaces, an enables copy, print, email, network

scan an LanFAX functionality. Network scanning an LanFAX are stan ar features. The controller also

incorporates a proprietary web server that exports a Web User Interface (WebUI) through which users can submit

jobs an check job an machine status, an through which system a ministrators can remotely a minister the

machine.

The controller contains the image path, which uses proprietary har ware an algorithms to process the scanne

images into high-quality repro uctions. Scanne images may be temporarily buffere in DRAM to enable electronic

pre-collation, sometimes referre to as scan-once/print-many. When pro ucing multiple copies of a ocument, the

scanne image is processe an buffere in the DRAM in a proprietary format. The buffere bitmaps are then rea

from DRAM an sent to the Image Output Terminal (IOT) for marking on har copy output. For long ocuments, the

pro uction of har copy may begin before the entire original is scanne , achieving a level of concurrency between the

scan an mark operations.

The controller operating system is pSOS v2.5. The controller works with the User Interface (UI) assembly to provi e

system configuration functions. A System A ministrator PIN must be entere at the UI in or er to access these

functions.

2.2.2. Memory Components

Volatile Me ory

Type (SRAM, DRAM,

etc)

Size

User

Modifiable

(Y/N)

Function or U

Process to Sanitize

SDRAM 256/512

Expan able

to 512 MB

Main Memory Remove power

Additional Infor ation:

Non-Volatile Me ory

Type (

Flash, EEPROM,

etc)

Size

User

Modifiable

(Y/N)

Function or Use

Process to Sanitize

Flash 32 MB No Operating System, PDL

Interpreters, Fonts, MIB, Fax

Journal List, Fax Dialing, Co e

use for sche uling the

marking of jobs

None

Flash ROM 1 MB No Backup None

Flash 8 MB No Fax/Font Backup None

Additional Infor ation:

All memory liste above contains co e for execution an configuration information. No user or job

ata is permanently store in this location.

Table 2 Controller e ory co ponents

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 10 of 32

2.2.3. External Connections

Table 3 Controller External Connections

Figure 2-3 Back panel connections

2.2.4. USB Ports

The WorkCentre 3550 contains a host connector for a USB flash rive, enabling printing from USB, scanning to USB

an uploa of software upgra e files.

Autorun is isable on this port. No executable files will be accepte by the port.

Mo ifying the software upgra e or save machine settings files will make the files unusable on a WorkCentre 3550.

The machine settings that can be save an restore by a service technician are limite to controller parameters that

are nee e for normal operation.

Both ports can be isable by an A min via the WebUI.

USB

USB port and location Purpose

USB 2.0 Host port Printing from USB, scanning to USB, uploa of software upgra e files

USB 2.0 Target port Direct-connect printing

Table 4 USB Ports

Interface Description / Usage

Foreign Device Interface (FDI) Allows connection of optional access

control har ware

PEK (Pro uct Enablement Key)

Rea er Slot

Use for initial pro uct configuration.

USB 2.0 Target Port Direct-connect printing

Ethernet 10/100/1000 Network connectivity

FAX line 1, RJ-11 Supports FAX Mo em T.30 protocol

only

Extension Telephone Socket

(EXT), RJ11

Allows connection of telephone

USB 2.0 Host Port (Not Picture

– see Figure 2-1)

Printing from USB, scanning to USB,

uploa of software upgra e files

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 11 of 32

2.3 Fax Mo ule

2.3.1. Purpose

The embe e FAX service uses the installe embe e fax car to sen an receive images over the telephone

interface.

2.3.2. Har ware

The fax car connects irectly to the Main Controller processor car . The fax car oes not have its own processor an local

memory but uses the Main processor an reserve Flash memory. The car contains a fax-only mo em that supports the

T.30 protocol. If anything other than the T.30 protocol is etecte , the mo em will isconnect. Internal logical interfaces

maintain separation between Fax an network.

Volatile Me ory Description

Type (SRAM, DRAM, etc)

Size

Use

r Modifiable

(Y/N)

Function or Use

Process to Clear:

None n/a n/a n/a n/a

Additional Infor ation:

Non-Volatile Me ory Description

Type (Flash, EEPROM, etc)

Size

User Modifiable

(Y/N)

Function or Use

Process to Clear:

Flash

7MB

FAX Backup

None

Addi

tional Infor ation:

Table 5 Fax Module e ory co ponents

2.4. Scanner

2.4.1. Purpose

The purpose of the scanner is to provi e mechanical transport of har copy originals an to convert har copy

originals to electronic ata.

2.4.2. Har ware

The scanner converts the image from har copy to electronic ata. An optional ocument han ler moves originals

into a position to be scanne . The scanner provi es enough image processing for signal con itioning an

formatting. The scanner oes not store scanne images. All other image processing functions are in the main

controller.

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 12 of 32

2.5. Local User Interface (LUI)

2.5.1. Purpose

The LUI etects har button actuations, an provi es text an graphical prompts to the user. Images are not

transmitte to or store in the LUI. The Start har button is locate on the LUI panel.

2.5.2. Har ware

Volatile Me ory Description

Type (SRAM, DRAM, etc)

Size

User Modifiable

(Y/N)

Function or Use

Process to Clear:

RAM 2KB N User Interface volatile memory; no

user image ata store

Power Off System

Additional Infor ation:

All memory liste above contains co e for execution an configuration information. No user or job ata is permanently store in this location.

Non-Volatile Me ory Description

Type (Flash, EEPROM, etc)

Size

User Modifiable

(Y/N)

Function or Use

Process to Clear:

PROM 64KB N No user image ata store None

Additional Infor ation:

All memory liste above contains co e for execution an configuration information. No user or job ata is store in this location.

Table 6 User Interface e ory co ponents

2.6. Marking Engine (also known as the Image

Output Terminal or IOT)

2.6.1. Purpose

The Marking Engine performs copy/print paper fee ing an transport, image marking an fusing, an ocument

finishing. Images are not store at any point in these subsystems.

2.6.2. Har ware

The marking engine is comprise of paper supply trays an fee ers, paper transport, laser scanner, xerographics, an

paper output. The marking engine contains a CPU, BIOS, RAM an Non-Volatile Memory.

2.6.3. Control an Data Interfaces

Images an control signals are transmitte from the main controller to the marking engine across a proprietary

interface.

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 13 of 32

2.7. System Software Structure

2.7.1. Open-source components

Open-source components in the connectivity layer implement high-level protocol services. The security-relevant

connectivity layer components are:

•Apache 2.2.11, with mo _ssl integrate

(http an https)

•Apache Xerces2 Java

•Open1x

•OpenSLP

•NetBSD Project

•libupnp

•UUID library

•wpa_supplicant

•l ns

•Info-zip

•TWAIN sample Data Source an

Application

•WTL v8.0

•CUPS library

•libjpeg v6b

•libxml2

•Expat XML Parser

•Unico e

•Kerberos 5

•sorttable

•Little CMS v1.15

•libst c++

•CUPS relate stuff

•part of linux kernel

•Spi erMonkey Engine

•OpenSSL v0.9.8e

•Open LDAP v2.1.17

•libpng

•zlib v2.4

•libtiff

•tinyxml

2.7.2. OS Layer in the Controller

The OS layer inclu es the operating system, network an physical I/O rivers. The controller operating system is

pSOS v2.5.

The crypto library for IPSec is provi e by the OpenSSL Toolkit..

IP Filtering is also provi e as a loa able kernel mo ule.

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 14 of 32

2.7.3. Network Protocols

Figure 2- is an interface iagram epicting the protocol stacks supporte by the evice, annotate accor ing to the

DARPA mo el.

Figure 2-4 IPv4 Network Protocol Stack

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 15 of 32

Figure 2-5 IPv6 Network Protocol Stack

2.8. Logical Access

2.8.1. Network Protocols

The supporte network protocols are liste in Appen ix C an are implemente to in ustry stan ar specifications

(i.e. they are compliant to the appropriate RFC) an are well-behave protocols. There are no ‘Xerox unique’

a itions to these protocols.

2.8.1.1. IPSec

The evice supports IPSec tunnel mo e. The print channel can be secure by establishing an IPSec association

between a client an the evice. A share secret is use to encrypt the traffic flowing through this tunnel. SSL must

be enable in or er to set up the share secret.

When an IPSec tunnel is establishe between a client an the machine, the tunnel will also be active for

a ministration with SNMPv2 tools (HP Open View, etc.), provi ing security for SNMP SETs an GETS with an

otherwise insecure protocol. SNMP Traps may not be secure if either the client or the evice has just been reboote .

IP Filtering can be useful to prevent SNMP calls from non-IPSec clients.

Once an IPSec channel is establishe between two points, it stays open until one en reboots or goes into power

saver,. Only network clients an servers will have the ability to establish an IPSec tunnel with the machine. Thus

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 16 of 32

evice-initiate operations (like scanning) cannot assume the existence of the tunnel unless a print job (or other

client initiate action) has been previously run since the last boot at either en of the connection.

2.8.2. Ports

The following table summarizes all potential open ports an subsequent sections iscuss each port in more etail.

Default

Port #

Type Service name

TCP SMTP

UDP DNS

UDP BOOTP/DHCP

TCP HTTP

UDP/TCP Kerberos

137

UDP NETBIOS- Name Service

138

UDP NETBIOS-Datagram Service; SMB filing an Scan template retrieval

139

TCP NETBIOS; SMB filing an Scan template retrieval

161

UDP SNMP

162

UDP SNMP trap

389

UDP LDAP

396

TCP Netware

427

TCP/UDP SLP

443

TCP SSL

515

TCP LPR

546

UDP DHCPv6

631

TCP IPP

636

TCP sLDAP

1124

TCP/UDP Network Scan Utility

1900

UDP SSDP

3003

TCP HTTP/SNMP reply

5200

TCP UPnP

5353

UDP Multicast DNS

6000

UDP SetIP Utility

7000

UDP LTP Utility

9100

TCP Raw IP

9400

TCP TWAIN for Network Utility

9401

TCP TWAIN for Network Utility

Table 76 Network Ports

Please note that there is no FTP port in this list. FTP is only use to export scanne images an to retrieve Scan Job

Templates, an will open port 21 on the remote evice. An FTP port is never open on the controller itself.

2.8.2.1. Port 25, SMTP

This uni irectional port is open only when Scan to E-mail or Internet Fax (I-Fax) is exporting images to an SMTP

server, or when email alerts are being transmitte . SMTP messages & images are transmitte to the SMTP server

from the evice.

2.8.2.2. Port 53, DNS

Designating a DNS server will allow the evice to resolve omain names. This can be configure via the Local UI or

WebUI.

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 17 of 32

2.8.2.3. Port 68, DHCP

This port is use only when performing DHCP, an is not open all of the time. To permanently close this port, DHCP

must be explicitly isable . This is one in User Tools via the Local User Interface or via the TCP/IP page in the

Properties tab on the WebUI.

2.8.2.4. Port 80, HTTP

The embe e web pages communicate to the machine through a set of unique APIs an o not have irect access

to machine information:

Figure 2-6 HTTP

The HTTP port can only access the HTTP server resi ing in the controller. The embe e HTTP server is Apache. The

purpose of the HTTP server is to:

•Give users information of the status of the evice;

•View the job queue within the evice an elete jobs;

•Allow users to ownloa print rea y files an program Scan to File Job Templates;

•Allow remote a ministration of the evice. Many settings that are on the Local UI are replicate in the

evice’s web pages. Users may view the properties of the evice but not change them without logging into the

machine with a ministrator privileges.

The HTTP server can only host the web pages resi ent on the evice. It oes not an cannot act as a proxy server to

get outsi e of the network the evice resi es on. Hence the server cannot access any networks (or web servers)

outsi e of the customer firewall.

When the evice is configure with an IP a ress, it is as secure as any evice insi e the firewall. The web pages are

accessible only to authorize users of the network insi e the firewall.

This service (an port) may be isable in User Tools via the Local User Interface or via the TCP/IP page in the

Properties tab on the Web UI. Please note that when this is isable , IPP Port 631 is also isable .

HTTP may be secure by enabling Secure Sockets Layer.

2.8.2.4.1. Proxy Server

The evice can be configure to communicate through a proxy server. Features that can make use of a proxy server

inclu e the Automatic Meter Rea feature, scanning to a remote repository, or retrieving scan templates from a

remote template pool.

Network

Network Controller

http

server

machine

information

request

response

request

response

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 18 of 32

2.8.2.5. Port 88, Kerberos

This port is only open when the evice is communicating with the Kerberos server to authenticate a user, an is only

use only to authenticate users in conjunction with the Network Scanning feature. To isable this port,

authentication must be isable , an this is accomplishe via the Local User Interface.

This version of software has Kerberos 5.1.1 with DES (Data Encryption Stan ar ) an 64-bit encryption. The Kerberos

co e is limite to user authentication, an is use to authenticate a user with a given Kerberos server as a vali user

on the network. Please note that the Kerberos server (a 3r party evice) nee s to be set up for each user. Once the

user is authenticate , the Kerberos software has complete its task. This co e will not an cannot be use to encrypt

or ecrypt ocuments or other information.

This feature is base on the Kerberos program from the Massachusetts Institute of Technology (MIT). The Kerberos

network authentication protocol is publicly available on the Internet as freeware at

http://web.mit.e u/kerberos/www/. Xerox has etermine that there are no export restrictions on this version of the

software. However, there are a few eviations our version of Kerberos takes from the stan ar Kerberos

implementation from MIT. These eviations are:

1) The evice oes not keep a user’s initial authentication an key after the user has been authenticate . In a

stan ar Kerberos implementation, once a user is authenticate , the evice hol s onto the authentication for a

programme timeout (the usual efault is 12 hours) or until the user removes it (prior to the timeout perio ). In

the Xerox implementation, all traces of authentication of the user are remove once they have been

authenticate to the evice. The user can sen any number of jobs until the user logs off the system, either

manually or through system timeout.

2) The evice ignores clock skew errors. In a stan ar implementation of Kerberos, authentication tests will fail if a

evice clock is 5 minutes (or more) ifferent from the Kerberos server. The reason for this is that given enough

time, someone coul reverse engineer the authentication an gain access to the network. With the 5-minute

timeout, the person has just 5 minutes to reverse engineer the authentication an the key before it becomes

invali . It was etermine uring the implementation of Kerberos for our evice that it woul be too ifficult for

the user/SA to keep the evice clock in sync with the Kerberos server, so the Xerox instantiation of Kerberos has

the clock skew check remove . The isa vantage is that this gives malicious users unlimite time to reverse

engineer the user’s key. However, since this key is only vali to access the Network Scanning features on a

evice, possession of this key is of little use for nefarious purposes.

3) The evice ignores much of the information provi e by Kerberos for authenticating. For the most part, the

evice only pays attention to information that in icates whether authentication has passe . Other information

that the server may return (e.g. what services the user is authenticate for) is ignore or isable in the Xerox

implementation. This is not an issue since the only service a user is being authenticate for is access to an e-

mail irectory. No other network services are accessible from the Local UI.

Xerox has receive an opinion from its legal counsel that the evice software, inclu ing the implementation of a

Kerberos encryption protocol in its network authentication feature, is not subject to encryption restrictions base on

Export A ministration Regulations of the Unite States Bureau of Export A ministration (BXA). This means that it

can be exporte from the Unite States to most estinations an purchasers without the nee for previous approval

from or notification to BXA. At the time of the opinion, restricte estinations an entities inclu e terrorist-

supporting states (Cuba, Iran, Libya, North Korea, Su an an Syria), their nationals, an other sanctione entities

such as persons liste on the Denie Parties List. Xerox provi es this information for the convenience of its customers

an not as legal a vice. Customers are encourage to consult with legal counsel to assure their own compliance with

applicable export laws.

2.8.2.6. Ports 137, 138, 139, NETBIOS

For print jobs, these ports support the submission of files for printing as well as support Network Authentication

through SMB. Port 137 is the stan ar NetBIOS Name Service port, which is use primarily for WINS. Port 138

supports the CIFS browsing protocol. Port 139 is the stan ar NetBIOS Session port, which is use for printing. Ports

137, 138 an 139 may be configure in the Properties tab of the evice’s web page.

For Network Scanning features, ports 138 an 139 are use for both outboun (i.e. exporting scanne images an

associate ata) an inboun functionality (i.e. retrieving Scan Templates). In both instances, these ports are only

open when the files are being store to the server or templates are being retrieve from the Template Pool. For these

features, SMB protocol is use .

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 19 of 32

2.8.2.7. Ports 161, 162, SNMP

These ports support the SNMPv1, SNMPv2c, an SNMPv3 protocols. Please note that SNMP v1 oes not have any

passwor or community string control. SNMPv2 relies on a community string to keep unwante people from

changing values or browsing parts of the MIB. This community string is transmitte on the network in clear text so

anyone sniffing the network can see the passwor . Xerox strongly recommen s that the customer change the

community string upon pro uct installation. SNMP is configurable, an may be explicitly enable or isable in the

Properties tab of the evice’s web pages.

SNMP traffic may be secure if an IPSec tunnel has been establishe between the agent (the evice) an the

manager (i.e. the user’s PC).

The evice supports SNMPv3, which is an encrypte version of the SNMP protocol that uses a share secret. Secure

Sockets Layer must be enable before configuring the share secret nee e for SNMPv3.

2.8.2.8. Port 389, LDAP

This is the stan ar LDAP port use for a ress book queries in the Scan to Email feature.

2.8.2.9. Port 396, Netware

This configurable port is use when Novell Netware is enable to run over IP.

2.8.2.10. Port 427, SLP

When activate , this port is use for service iscovery an a vertisement. The evice will a vertise itself as a printer

an also listen for SLP queries using this port. It is not configurable. This port is explicitly enable / isable in the

Properties tab of the evice’s web pages.

2.8.2.11. Port 443, SSL

This is the efault port for Secure Sockets Layer communication. This port can be configure via the evice’s web

pages. SSL must be enable before setting up either SNMPv3 or IPSec. SSL must also be enable in or er to use any

of the Web Services (Automatic Meter Rea s, or Network Scanning Vali ation Service).

SSL shoul be enable so that the evice can be securely a ministere from the web UI. When scanning, SSL can be

use to secure the filing channel to a remote repository.

SSL uses X.509 certificates to establish trust between two en s of a communication channel. When storing scanne

images to a remote repository using an https: connection, the evice must verify the certificate provi e by the

remote repository. A Truste Certificate Authority certificate shoul be uploa e to the evice in this case.

To securely a minister the evice, the user’s browser must be able to verify the certificate supplie by the evice. A

certificate signe by a well-known Certificate Authority (CA) can be ownloa e to the evice, or the evice can

generate a self-signe certificate. In the first instance, the evice creates a Certificate Signing Request (CSR) that

can be ownloa e an forwar e to the well-known CA for signing. The signe evice certificate is then uploa e

to the evice. Alternatively, the evice will generate a self-signe certificate. In this case, the generic Xerox root CA

certificate must be ownloa e from the evice an installe in the certificate store of the user’s browser.

The evice supports only server authentication.

2.8.2.12. Port 515, LPR

This is the stan ar LPR printing port, which only supports IP printing. It is a configurable port, an may be explicitly

enable or isable in the Properties tab of the evice’s web pages.

2.8.2.13. Port 546, DHCPv6

This port is use only when performing DHCPv6, an is not open all of the time. To permanently close this port,

DHCPv6 must be explicitly isable . This is one via the TCP/IP page in the Properties tab on the WebUI.

2.8.2.14. Port 631, IPP

This port supports the Internet Printing Protocol. It is not configurable. This is isable when the http server is

isable .

XEROX WorkCentre

3550

Information Assurance Disclosure Paper

Ver. 1.3, March 2011 Page 20 of 32

2.8.2.15. Port 636, sLDAP

This is the stan ar LDAP port when using SSL for a ress book queries in the Scan to Email feature.

2.8.2.16. Port 1124, Network Scan Utility

This port supports the Xerox Network Scan utility. It is not configurable an cannot be isable .

2.8.2.17. Port 1900, SSDP

This port behaves similarly to the SLP port. When activate , this port is use for service iscovery an a vertisement.

The evice will a vertise itself as a printer an also listen for SSDP queries using this port. It is not configurable. This

port is explicitly enable / isable in the Properties tab of the evice’s web pages.

2.8.2.18. Port 3003, http/SNMP reply

This port is use when the http server requests evice information. The user isplays the Web User Interface

(WebUI) an goes to a page where the http server must query the evice for settings (e.g. Novell network settings).

The http server queries the machine via an internal SNMP request (hence this port can only open when the http

server is active). The machine replies back to the http server via this port. It sen s the reply to the loopback a ress

(127.0.0.0), which is internally route to the http server. This reply is never transmitte on the network. Only SNMP

replies are accepte by this port, an this port is active when the http server is active (i.e. if the http server is isable ,

this port will be close ). If someone attempte to sen an SNMP reply to this port via the network, the reply woul

have to contain the correct sequence number, which is highly unlikely, since the sequence numbers are internal to the

machine.

2.8.2.19. Port 5200, UPnP

This port is use by UPnP. This is isable when SSDP is isable (see 3.2.2.16).

2.8.2.20. Port 5353, Multicast DNS

Designating a Multicast DNS server will allow the evice to resolve omain names over a multicast protocol. This can

be configure via the Local UI or WebUI.

2.8.2.21. Port 6000, SetIP Utility

This port supports the Xerox SetIP utility. It is not configurable an cannot be isable .

2.8.2.22. Port 9100, raw IP

This allows ownloa ing a PDL file irectly to the interpreter. This port has limite bi- irectionality (via PJL back

channel) an allows printing only. This is a configurable port, an may be isable in the Properties tab of the

evice’s web pages.

2.8.2.23. 9400, TWAIN for Network Utility

This port supports the Xerox TWAIN for Network utility. It is not configurable an cannot be isable .

2.8.2.24. 9401, TWAIN for Network Utility

This port supports the Xerox TWAIN for Network utility. It is not configurable an cannot be isable .

2.8.3. IP Filtering

The evices contain a static host-base firewall that provi es the ability to prevent unauthorize network access

base on an IP a ress or IP a ress range. Filtering rules can be set by the SA using the WebUI.

Other manuals for WorkCentre 3550

Other Xerox All In One Printer manuals

Xerox

Xerox CopyCentre 118 User manual

Xerox

Xerox CopyCentre C75 Instruction Manual

Xerox

Xerox AltaLink B80 series User manual

Xerox

Xerox FaxCentre 2121 User manual

Xerox

Xerox Color Qube 9201 User manual

Xerox

Xerox WorkCentre 7132 User manual

Xerox

Xerox DocuColor 242 User manual

Xerox

Xerox PHASER 8560MFP Operating manual

Xerox

Xerox WorkCentre 6505 Operating manual

Xerox

Xerox WorkCentre 3119 User manual

Xerox

Xerox Phaser 6140N Installation instructions

Xerox

Xerox WorkCenter Pro 215 User manual

Xerox

Xerox Wide Format 6030 User manual

Xerox

Xerox WorkCentre 3215 Operating manual

Xerox

Xerox CopyCentre C20 User manual

Xerox

Xerox WORKCENTRE 7755 User manual

Xerox

Xerox WorkCentre 7655 User manual

Xerox

Xerox PHASER 3635 User manual

Xerox

Xerox Document Centre 426 User manual

Xerox

Xerox 8860MFP - Phaser Color Solid Ink User manual

Xerox

Xerox Phaser 3330 User manual

Xerox

Xerox Wide Format 6204 How to use

Xerox

Xerox 4150 - WorkCentre B/W Laser User manual

Xerox

Xerox 8860MFP - Phaser Color Solid Ink User manual

Popular All In One Printer manuals by other brands

Samsung

Samsung SCX-4623 Series Quick install guide

Konica Minolta

Konica Minolta bizhub press c1070p quick guide

Aticio

Aticio 816 operating instructions

Canon

Canon ImageCLASS MF4690 Driver guide

Sharp

Sharp MX-M850 quick start guide

Epson

Epson WF-4820 Series user guide

Olivetti

Olivetti d-COLOR MF652 Network fax operations

Toshiba

Toshiba e-STUDIO200L/230/280 SERIES Service manual

Lexmark

Lexmark CX410 series Supplies guide

Samsung

Samsung SCX-8030ND Service manual

Ricoh

Ricoh Aficio SP 5210SF Initial guide

Lexmark

Lexmark X940E Service manual

Samsung

Samsung CLX-2160 Series Service manual

Brother

Brother MFC-790CW Quick setup guide

Toshiba

Toshiba e-STUDIO 352 User functions guide

Olivetti

Olivetti Photo Wireless Any_Way user guide

Brother

Brother Work Smart MFC-J875dw Basic user's guide

Lexmark

Lexmark X850e quick reference

Xerox WorkCentre 3550 Technical manual

Popular All In One Printer manuals by other brands