Xerox Versant 3100 press User manual

Xerox® Application Security Guide and Information Assurance Disclosure

Xerox®

Security Guide

Entry Production Color Presses

Versant®

2100/3100

Color Digital Press

Versant® 80/180

Color Digital Press

ColorPress®

Production Press

Versant 2100 Press,

Versant 3100 Press

Versant 80 Press,

Versant 180 Press

Color 800/1000 Press

Color 800i/1000i Press

Xerox® Security Guide for Entry Production Color Class Products

Corporation in the United States and/or other countries. BR26363

Other company trademarks are also acknowledged.

Document Version: 1.0 (February 2019).

allowed by statutory or judicial law or hereinafter granted including without limitation, material generated

from the software programs which are displayed on the screen, such as icons, screen displays, looks, etc.

Changes are periodically made to this document. Changes, technical inaccuracies, and typographic

errors will be corrected in subsequent editions.

Xerox® Security Guide for Entry Production Color Class Products

March 2019 Page 1-1

Table of Contents

1INTRODUCTION ................................................................................................................................1-3

PURPOSE .................................................................................................................................................1-3

TARGET AUDIENCE ...................................................................................................................................1-3

DISCLAIMER..............................................................................................................................................1-3

PHYSICAL COMPONENTS...........................................................................................................................1-3

ARCHITECTURE.........................................................................................................................................1-4

USER INTERFACE......................................................................................................................................1-4

SCANNER .................................................................................................................................................1-4

MARKING ENGINE .....................................................................................................................................1-4

CONTROLLER ...........................................................................................................................................1-5

OPTIONAL EQUIPMENT..............................................................................................................................1-5

2USER DATA PROTECTION ..............................................................................................................2-7

USER DATA PROTECTION WHILE WITHIN PRODUCT ......................................................................................2-7

USER DATA IN TRANSIT .............................................................................................................................2-8

3NETWORK SECURITY....................................................................................................................3-10

TCP/IP PORTS &SERVICES....................................................................................................................3-10

NETWORK ENCRYPTION ..........................................................................................................................3-11

NETWORK ACCESS CONTROL..................................................................................................................3-16

CONTEXTUAL ENDPOINT CONNECTION MANAGEMENT...............................................................................3-17

FIPS140-2 COMPLIANCE VALIDATION......................................................................................................3-17

ADDITIONAL NETWORK SECURITY CONTROLS ..........................................................................................3-17

4DEVICE SECURITY: BIOS, FIRMWARE, OS, RUNTIME, AND OPERATIONAL SECURITY

CONTROLS.............................................................................................................................................4-19

FAIL SECURE VS FAIL SAFE.....................................................................................................................4-19

PRE-BOOT SECURITY..............................................................................................................................4-20

BOOT PROCESS SECURITY......................................................................................................................4-20

RUNTIME SECURITY ...................................................................................ERROR!BOOKMARK NOT DEFINED.

EVENT MONITORING &LOGGING .............................................................................................................4-20

OPERATIONAL SECURITY.........................................................................................................................4-21

BACKUP &RESTORE (CLONING)..............................................................................................................4-21

EIP APPLICATIONS..................................................................................................................................4-21

5CONFIGURATION & SECURITY POLICY MANAGEMENT SOLUTIONS.....................................5-22

6IDENTIFICATION, AUTHENTICATION, AND AUTHORIZATION..................................................6-23

AUTHENTICATION....................................................................................................................................6-23

AUTHORIZATION (ROLE BASED ACCESS CONTROLS)................................................................................6-25

7ADDITIONAL INFORMATION & RESOURCES..............................................................................7-26

SECURITY @XEROX®............................................................................................................................7-26

RESPONSES TO KNOWN VULNERABILITIES ...............................................................................................7-26

ADDITIONAL RESOURCES ........................................................................................................................7-26

APPENDIX A: PRODUCT SECURITY PROFILES................................................................................7-27

VERSANT®80/180 ................................................................................................................................7-28

VERSANT®2100/3100...........................................................................................................................7-31

Xerox® Security Guide for Entry Production Color Class Products

March 2019 Page 1-2

COLORPRESS®800/1000/800I/1000I....................................................................................................7-35

APPENDIX B: SECURITY EVENTS ......................................................................................................7-39

XEROX VERSANT®80/180 SECURITY EVENTS........................................................................................7-39

XEROX VERSANT®2100/3100 SECURITY EVENTS..................................................................................7-41

COLORPRESS®SECURITY EVENTS .........................................................................................................7-43

Xerox® Security Guide for Entry Production Color Class Products

March 2019 Page 1-3

Introduction

Purpose

The purpose of this document is to disclose information for the Xerox ® Entry Production Color Presses

(hereinafter referred to as “the product” or “the system”) with respect to product security. Product Security,

for this paper, is defined as how image data is stored and transmitted, how the product behaves in a

network environment, and how the product may be accessed both locally and remotely. Furthermore, this

document is provided to inform Xerox customers of the design, functions, and features of the product with

respect to Information Assurance. This document does not provide tutorial level information about

security, connectivity, or the product’s features and functions as this information is readily available

elsewhere. We assume the reader has a working knowledge of the topics contained within.

Target Audience

The target audience for this document is Xerox field personnel and customers concerned with IT security.

Disclaimer

The information in this document is accurate to the best knowledge of the authors and is provided without

warranty of any kind. In no event shall Xerox be liable for any damages whatsoever resulting from user's

use or disregard of the information provided in this document including direct, indirect, incidental,

consequential, loss of business profits or special damages, even if Xerox has been advised of the

possibility of such damages.

Product Description

Physical Components

Versant® products consist of an input document handler and scanner, marking engine, controller, and

user interface. ColorPress® products do not have an input document handler or scanner. A typical

configuration is depicted below. Please note that options including finishers, paper trays, document

handers, etc. may vary configuration, however, they are not relevant to security and are not discussed.

1. HCF.

2. Bypass paper feed tray.

3. Front USB Port(s)*

4. Touch screen user interface.

5. Toner Door Cover.

8. Main Right Front Door.

9. Paper Tray Module

10. Offset Catch Tray

*Denotes a security related component

Xerox® Security Guide for Entry Production Color Class Products

March 2019 Page 1-4

6. Main Left Front Door.

7. Main Middle Front Door.

Architecture

Versant® and ColorPress® products share a common architecture which is depicted below. The

following sections describe components in detail.

User Interface TRUE FOR VERSANT BUT NOT FOR COLOR PRESS NOTE

(There is no Scanner on Color Press or Versant 2100/3100)

The user interface detects soft and hard button actuations and provides text and graphical prompts to the

user. The user interface is sometimes referred to as the Graphical User Interface (GUI) or Local UI (LUI)

to distinguish it from the remote web server interface (WebUI).

The user interface allows users to access product services and functions. Users with administrative

privileges can manage the product configuration settings. User permissions are configurable through

Role Based Access Control (RBAC) policies, described in section 6Identification, Authentication, and

Authorization

Scanner

The scanner converts documents from hardcopy to electronic data. A document handler moves originals

into a position to be scanned. The scanner provides enough image processing for signal conditioning and

formatting. The scanner does not store scanned images.

Marking Engine

The Marking Engine performs copy/print paper feeding and transport, image marking, fusing, and

document finishing. The marking engine is comprised of paper supply trays and feeders, paper transport,

LED scanner, xerographics, and paper output and finishing. The marking engine is only accessible to the

Controller via inter-chip communication with no other access and does not store user data.

User

Interface

Scanner

Controller

Marking

Engine

External

Interfaces

Device

Storage

Optional

Interfaces

Xerox® Security Guide for Entry Production Color Class Products

March 2019 Page 1-5

Controller

The controller manages document processing using proprietary hardware and algorithms to process

documents into high-quality electronic and/or printed reproductions. Documents may be temporarily

buffered in RAM during processing. Some models may be equipped with additional storage options such

as magnetic Hard Disk Drive (HDD), Solid State Disk (SSD), SD Card, or Flash media. For model

specific details please see Appendix A: Product Security Profiles. Versant® and ColorPress® products

encrypt user data and include media sanitization (overwrite) options that ensure that erased data cannot

be recovered, described further in section 2User Data Protection.

In addition to managing document processing the controller manages all network functions and services.

Details can be found in section Network Security.

The controller handles all I/O communications with connected products. The following section provides a

description of each interface. Please note that not all interfaces are supported on all models; details

about each model can be found in Appendix A: Product Security Profiles.

Controller External Interfaces

Front Panel USB (Type A) port(s)

One or more USB ports may be located on the front of the product, near the user interface. Front USB

ports may be enabled or disabled by a system administrator. The front USB port supports the following:

Walk-up users may insert a USB thumb drive to store or retrieve documents for scanning and/or

printing(Versant cannot print from USB –not an option. from a FAT formatted USB device. The

controller will only allow reading/writing of a limited set of known document types (such as DOC,

PDF, PNG, JPEG, TIFF, etc.). Other file types including binary executables are not supported.

Note that features that use the front USB ports (such as Scan to USB) can be disabled

independently or restricted using role-based access controls.

Connection of optional equipment such as NFC or CAC readers.

Firmware updates may be submitted through the front USB ports. (Note that the product must be

configured to allow local firmware updates, or the update will not be processed.

10/100/1000 MB Ethernet RJ-45 Network Connector

This is a standard RJ45 Ethernet network connector and confirms to IEEE Ethernet 802.3 standards.

Rear USB (Type B) Target port

A USB type B port located on the controller board at the rear of the product. This port supports the

following:

USB target connector used for service.

Note: This port can be disabled completely by a system administrator.

Optional Equipment

RJ-11 Analog Fax and Telephone

The analog fax module connects to the controller. The fax connection supports the Fax Modem T.30

protocol only and will not accept data or voice communication attempts. An external (EXT) is available to

connect an external handset. In this configuration, the FAX card acts as a passive relay.

Wireless Network Connector

Xerox Versant® and ColorPress® products do not offer a wireless connector option.

Xerox® Security Guide for Entry Production Color Class Products

March 2019 Page 1-6

Near Field Communications (NFC) Reader

The system supports an installable RFID reader for authentication and convenience in certain

configurations. Versant® products accept the RFID reader via USB on the front of the product. This

communication cannot write or change any settings on the system. The data exchanged is not encrypted

and may include information including system network status, IP address and product location. NFC

functionality can be disabled using the embedded web server of the product. NFC functionality requires a

software plugin that can be obtained from Xerox sales and support. NFC functionality is supported via

optional touch screen user interface or optional dedicated NFC USB dongle.

Information shared over NFC includes: IPv4 address, IPv6 address, MAC address, UUID (a unique

identifier on the NFC client), and fully qualified domain name

SMART CARD –CAC/PIV

All Versant® products support CAC/PIV login by enabling the Versant® Plug-in feature and then enabling

the appropriate plug-in. Additional plug-ins can be downloaded from Xerox.com in the Support area

online.

Foreign Product Interface

This port is used to connect optional equipment to control access to the machine. A typical application is

a coin-operated product where a user must deposit money to enable the machine to print. The

information available via the Foreign Product Interface is limited to optically-isolated pulses that can be

used to count impressions marked on hardcopy sheets. No user data is transmitted to or from this

interface.

Xerox® Security Guide for Entry Production Color Class Products

March 2019 Page 2-7

User Data Protection

Xerox Entry Production Color Presses receive, process, and may optionally store user data from several

sources including: local print, scan, fax NO FAX ON VERSANT OR CP1000, or copy jobs or mobile and

cloud applications, etc. Xerox products protect user data being processed by employing strong

encryption. When the data is no longer needed, the Image Overwrite (IIO) feature automatically erases

and overwrites the data on magnetic media, rendering it unrecoverable. As an additional layer of

protection, an extension of IIO called On-Demand Image Overwrite (ODIO) can be invoked to securely

wipe all user data from magnetic media.

User Data protection while within product

This section describes security controls that protect user data while it is resident within the product. For a

description of security controls that protect data in transit please refer to the following section that

discusses data in transit; also, the Network Security section of this document.

Encryption

All user data being processed or stored on the product is encrypted by default. Note that encryption

may be disabled to enhance performance on both Versant® and ColorPress® products (though this is not

recommended in secure environments).

The algorithm used in the product is AES-256. The encryption key is automatically created at start up

and stored in the RAM. The key is deleted by a power-off, due to the physical characteristics of the RAM.

TPM Chip

Some models include a Trusted Platform Module (TPM). The TPM is compliant with ISO/IEC 11889, the

international standard for a secure cryptoprocessor, dedicated to secure cryptographic keys. The TPM is

used to securely hold the product storage encryption key. Please refer to Appendix A: Product Security

Profiles for model specific information.

Media Sanitization (Image Overwrite)

ColorPress® and Versant® products equipped with magnetic hard disk drives are compliant with NIST

Special Publication 800-88 Rev1: Guidelines for Media Sanitization. User data is securely erased using a

three-pass algorithm as described in the following link:

https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-88r1.pdf

Immediate Image Overwrite

When enabled, Immediate Image Overwrite (IIO) will overwrite any temporary files that were created on

the magnetic hard disk that may contain user data. The feature provides continuous automatic

overwriting of sensitive data with minimal impact to performance, robust error reporting, and logging via

the Audit Log.

On-Demand Image Overwrite

Complementing the Immediate Image Overwrite is On-Demand Overwrite (ODIO). While IIO overwrites

individual files, ODIO overwrites entire partitions. The ODIO feature can be invoked at any time and

optionally may be scheduled to run automatically.

Note: Solid State storage media such as Solid-State Disk, eMMC, SD-Card, and Flash media cannot be completely

sanitized by multi-pass overwriting methods due to the memory wear mapping that occurs. Additionally, attempts to do so

would also greatly erode the operational lifetime of solid state media. Solid State media is therefore not recommended for

use in highly secure environments. Please refer to NIST-800-88 “Table A-8: Flash Memory-Based Storage Product

Sanitization” for technical details.

Xerox® Security Guide for Entry Production Color Class Products

March 2019 Page 2-8

User Data in Transit

This section focuses on the protection of user data (print/scan/other jobs) in transit as they are submitted

to the product for processing and/or are sent from the product to other systems. Additional protections

are also discussed in the Network Security section of this document.

Inbound User Data

Print Job Submission

In addition to supporting network level encryption including IPSec and WPA, Xerox products also support

encryption of print job data at the time of submission. This can be used to securely transmit print jobs

over unencrypted connections or to enhance existing network level security controls.

Encrypted Transport

Description

IPPS (TLS)

Submit print jobs via Secure Internet Printing Protocol. This protocol is

based on HTTP and utilizes the TLS suite to encrypt data.

HTTPS (TLS)

Securely submit a print job directly to product via the built-in web server.

Xerox Print Stream

Encryption

The Xerox Global Print Driver® supports document encryption when

submitting Secure Print jobs to enabled products. Simply check the box to

Enable Encryption when adding the Passcode to the print job.

Outbound User Data

Scanning to Network Repository, Email, Fax Server

Versant® digital press products support scanning of hardcopy documents to external network locations

including file repositories and email and facsimile services. In addition to supporting network level

encryption including IPSec and WPA, Xerox products support the following:

Protocol

Encryption

Description

HTTP

N/A

Unencrypted HTTP protocol

HTTPS (TLS)

TLS

HTTP encrypted by TLS

FTP

N/A

Unencrypted FTP

SFTP (SSH)

SSH

FTP encrypted by SSH

SMBv3

Optional

Encryption may be enabled on a Windows share.

Versant® and ColorPress® products currently support SMB

encryption.

SMBv2

N/A

Unencrypted SMB

SMBv1

N/A

Not used as a transport protocol. Used for network discovery only.

SMTP (email)

S/MIME

The product uses SMTP to transmit data to the email server. Email

authentication, encryption, and signing are supported. Please refer

to the Network Security section of this document for details.

Scanning to User Local USB Storage Product

Scan data is transferred directly to the user’s USB product. Filesystem encryption of user products are

not supported.

Xerox® Security Guide for Entry Production Color Class Products

March 2019 Page 2-9

Add on Apps- Cloud, Google, DropBox, and others

Xerox Versant® Color Presses support the Xerox App Gallery® which contains several additional

applications that extend the capabilities of Xerox products. Discussion of App security is beyond the

scope of this document. Xerox Apps utilize the security framework provided by the 3rd party vendor. (For

example, Microsoft O365 or Google apps would utilize Microsoft & Google’s security mechanisms

respectively). Please consult documentation for individual Apps and 3rd party security for details.

Versant® 80/180 Press

Versant® 2100/3100

Press

Color 800/100 Press®

Versant 80 Press, Versant

180 Press

Versant 2100 Press,

Versant 3100 Press

Color 800/1000 Presses,

Color 800i/1000i Presses

Local Data Encryption (HDD, SDD, IC, SD Card)

AES-256

Federal Information Protection Standard 140-2

Yes

Media Sanitization NIST 800-171 (Image Overwrite)

All models use magnetic

HDD

Models with magnetic

HDD. See Appendix A:

Product Security Profiles

Models with magnetic

HDD. See Appendix A:

Product Security Profiles

Print Submission

IPPS (TLS)

Supported

HTTPS (TLS)

Supported

Xerox Print Stream Encryption

Supported

(Not currently supported)

Scan to Repository Server

HTTPS (TLS)

1.1/1.2

(Not Applicable)

SFTP (SSH)

SSH-2

(Not Applicable)

SMB (unencrypted)

v1, v2, v3

(Not Applicable)

SMB (with share encryption enabled)

(Not Applicable)

HTTP (unencrypted)

Supported

(Not Applicable)

FTP (unencrypted)

Supported

(Not Applicable)

Scan to Fax Server

HTTPS (TLS)

1.1/1.2

(Not Applicable)

SFTP (SSH)

SSH-2

(Not Applicable)

SMB (unencrypted)

v1, v2, v3

(Not Applicable)

SMB (with share encryption enabled)

(Not Applicable)

S/MIME

Supported

(Not Applicable)

HTTP (unencrypted)

Supported

(Not Applicable)

FTP (unencrypted)

Supported

(Not Applicable)

SMTP (unencrypted)

Supported

(Not Applicable)

Scan to Email

S/MIME

Supported

(Not Applicable)

SMTP (unencrypted)

Supported

(Not Applicable)

Xerox® Security Guide for Entry Production Color Class Products

March 2019 Page 3-10

Network Security

Xerox products are designed to offer a high degree of security and flexibility in almost any network

environment. This section describes several aspects of the product related to network security.

TCP/IP Ports & Services

Xerox devices are robust, offering support for a wide array of services and protocols. The devices are

capable of hosting services as well as acting as a client for others. The diagram below presents a high-

level overview of inbound communications (from other hosts on the network into listening services on the

device) and outbound connections initiated by the device (acting as a client to external network services).

Inbound (Listening Services)

Out Bound (Network Client)

Print Services

LPR, IPP, Raw IP, etc.

Management Services

SNMP, Web interface, WebServices,

etc.

Infrastructure & Discovery Services

IPSEC, SSDP, WSD, mDNS,

NetBIOS, etc.

Built-in Scan Services

FTP, HTTP & HTTPS (TLS), SFTP

(SSH), SMB, CIFS, SMTP &

SMTPS, POP3 & POPS, etc.

Authentication Services

LDAP & LDAPS, SMB, Kerberos.

Infrastructure

ISAKMP (IPSec), DHCP & DHCPv6,

etc.

Cloud Services

No direct APE to the above.

Listening services (inbound ports)

The following table summarizes all potentially open ports on the product. These ports can be

enabled/disabled within the product configuration.

Port

Type

Service Name

TCP

• FTP data (Active) - Client -

TCP

• FTP – Client -

TCP

• SMTP

TCP/UDP

• DNS – Client -

UDP

• BOOTP/DHCP – Client

TCP

• HTTP(CWIS)

TCP

• HTTP(SESAMi Manager)

TCP

• HTTP(WebDAV)

UDP

• Kerberos – Client -

Xerox® Security Guide for Entry Production Color Class Products

March 2019 Page 3-11

110

TCP

• POP3 – Client -

123

UDP

• SNTP – Client -

137

UDP

• NETBIOS – Name Service

138

UDP

• NETBIOS – Datagram Service

161

UDP

• SNMP

162

UDP

• SNMP trap

389

TCP

• LDAP – Client -

427

TCP/UDP

• SLP

443

TCP

• HTTP(CWIS)

500

UDP

• ISAKMP

547

UDP

• DHCPv6 – Client

636

TCP

• LDAPS – Client -

995

TCP

• POPS – Client -

1824

TCP

• HTTPS(OffBox Validation) – Client -

1824

TCP

• Xerox Secure Access

1900

UDP

• SSDP

5353

UDP

• Mdns

9100

TCP

• raw IP

15000

TCP

• Loopback port for the control of SMTP server

Network Encryption

IPSec

Internet Protocol Security (IPsec) is a network security protocol capable of providing encryption and

authentication at the packet level. ColorPress® and Versant® products support IPSec for both IPv4 and

IPv6 protocols.

Versant® 80/180 Press

Versant® 2100/3100

Press

Color 800/100 Press®

Versant 80 Press, Versant 180

Press

Versant 2100 Press, Versant

3100 Press

Color 800/1000 Presses, Color

800i/1000i Presses

IPSec

Supported IP Versions

IPv4, IPv6

Key exchange authentication method

Preshared Key & digital

signature, device

authentication certificate,

server validation certificate

Preshared Key & digital

signature

Preshared Key & digital

signature

Transport Mode

Transport & Tunnel mode

Transport mode only

Security Protocol

ESP & AH

ESP only

ESP Encryption Method

AES, 3DES, Null

AES, 3DES, DES

ESP Authentication Methods

SHA1, SHA256, None

Xerox® Security Guide for Entry Production Color Class Products

March 2019 Page 3-12

Wireless 802.11 Wi-Fi Protected Access (WPA)

Xerox Versant® and ColorPress® products do not offer a wireless network connector option.

TLS

Versant® and ColorPress® products support the latest version, TLS 1.2.

Versant® 80/180 Press

Versant® 2100/3100

Press

Color 800/100 Press®

Versant 80 Press, Versant

180 Press

Versant 2100 Press,

Versant 3100 Press

Color 800/1000 Presses,

Color 800i/1000i Presses

TLS Versions Supported

Product Web Interface

1.2, 1.1, 1.0

Product Web Services

1.2, 1.1, 1.0

Product IPPS printing

1.2, 1.1, 1.0

Remote control

1.2

Xerox® Security Guide for Entry Production Color Class Products

March 2019 Page 3-13

Public Key Encryption (PKI)

A digital certificate is a file that contains data used to verify the identity of the client or server in a network

transaction. A certificate also contains a public key used to create and verify digital signatures. To prove

identity to another product, a product presents a certificate trusted by the other product. The product can

also present a certificate signed by a trusted third party and a digital signature proving that it owns the

certificate.

A digital certificate includes the following data:

• Information about the owner of the certificate

• The certificate serial number and expiration date

• The name and digital signature of the certificate authority (CA) that issued the certificate

• A public key

• A purpose defining how the certificate and public key can be used

There are four types of certificates:

• A Product Certificate is a certificate for which the printer has a private key. The purpose specified in the

certificate allows it to be used to prove identity.

• A CA Certificate is a certificate with authority to sign other certificates.

• A Trusted Certificate is a self-signed certificate from another product that you want to trust.

• A domain controller certificate is a self-signed certificate for a domain controller in your network.

Domain controller certificates are used to verify the identity of a user when the user logs in to the product

using a Smart Card.

For protocols such as HTTPS, the printer is the server, and must prove its identity to the client Web

browser. For protocols such as 802.1X, the printer is the client, and must prove its identity to the

authentication server, typically a RADIUS server.

Device Certificates

Versant® and ColorPress® products support both CA signed and self-signed certificates. Product

certificates support a bit length of up to 2048 bits.

A CA signed certificate can be created by generating a Certificate Signing Request (CSR), and sending it

to a CA or a local server functioning as a CA to sign the CSR. An example of a server functioning as a

certificate authority is Windows Server 2008 running Certificate Services. When the CA returns the signed

certificate, install it on the printer.

Alternatively, a self-signed certificate may be created. When you create a Product Certificate, the product

generates a certificate, signs it, and creates a public key used in SSL/TLS encryption.

Versant® 80/180 Press

Versant® 2100/3100

Press

Color 800/100 Press®

Versant 80 Press, Versant

180 Press

Versant 2100 Press,

Versant 3100 Press

Color 800/1000 Presses,

Color 800i/1000i Presses

Device Certificates

Certificate Length

1024, 2048

Supported Hashes

SHA1, SHA256

SHA256, SHA384,

SHA512

SHA256, SHA384,

SHA512

Product Web Server

Supported

IPPS (TLS) Printing

Supported

802.1X Client

Supported

Email Signing

Supported

(Not Applicable)

Email Encryption

Supported

(Not Applicable)

OCSP Signing

Supported

IPSec

Supported

Xerox® Security Guide for Entry Production Color Class Products

March 2019 Page 3-14

SFTP

Supported

(Not Applicable)

Trusted Certificates

Public certificates may be imported to the product’s certificate store for validation of trusted external

products. The following categories are supported:

• Trusted Root CA Certificate -Certificates with authority to sign other certificates. These certificates

usually are self-signed certificates that come from another product or service that you want to trust.

• Intermediate CA Certificate - Certificates that link a certificate to a Trusted Root CA Certificate in certain

network environments.

• Other Certificates- Certificates that are installed on the printer for solution-specific uses.

An administrator can specify the minimum encryption key length required for certificates. . If a user

attempts to upload a certificate containing a key that does not meet this requirement, a message appears.

The message alerts the user that the certificate they are attempting to upload does not meet the key

length requirement.

Versant® 80/180 Press

Versant® 2100/3100

Press

Color 800/100 Press®

Versant 80 Press, Versant

180 Press

Versant 2100 Press,

Versant 3100 Press

Color 800/1000 Presses,

Color 800i/1000i Presses

Trusted Certificates

Minimum Length Restriction Options

None, 1024, 2048

1024, 2048

Maximum Length

4096

Supported Hashes

SHA1/224/256/384/512

Supported Formats

.cer, .crt, .der, .pem,

PKCS#7 (.p7b),

PKCS#12 (.pfx, .p12)

.cer, .der, PKCS#7,

PKCS#12 (.pfx, .p12)

.cer, .der, PKCS#7,

PKCS#12 (.pfx, .p12)

IPSec

Supported

LDAP

Supported

Scanning (HTTPS/TLS)

Supported

(Not Applicable)

Scanning (SFTP/SSH)

Used for audit log transfer

(Not Applicable)

802.1X Client

Supported

Email Signing

Supported

(Not Applicable)

Email Encryption

Supported

(Not Applicable)

OCSP Signing

Supported

Xerox® Security Guide for Entry Production Color Class Products

March 2019 Page 3-15

Certificate Validation

ColorPress® and Versant® devices support certificate validation with configurable checks for OSCP and

CRL. Validation checks include:

Validation of certificate path

Certificate expiration

Validation of trusted CA

Signature validation

Email Signing and Encryption using S/MIME

S/MIME (Secure/Multipurpose Internet Mail Extensions) provides Authentication, Message integrity, Non-

repudiation, and encryption of email.

Versant® 80/180 Press

Versant® 2100/3100

Press

Color 800/100 Press®

Versant 80 Press, Versant

180 Press

Versant 2100 Press,

Versant 3100 Press

Color 800/1000 Presses,

Color 800i/1000i Presses

Email S/MIME

Versions

(Not Applicable)

Digest

SHA1, SHA256, SHA384,

SHA512

(Not Applicable)

Encryption

3DES, AES128, AES192,

AES256

(Not Applicable)

SNMPv3

SNMPv3 is the current standard version of SNMP defined by the Internet Engineering Task Force (IETF).

It provides three important security features:

• Message integrity to ensure that a packet has not been tampered with in transit

• Authentication to verify that the message is from a valid source

• Encryption of packets to prevent unauthorized access

Versant® 80/180 Press

Versant® 2100/3100

Press

Color 800/100 Press®

Versant 80 Press, Versant

180 Press

Versant 2100 Press,

Versant 3100 Press

Color 800/1000 Presses,

Color 800i/1000i Presses

SNMPv3

Digest

(Not Supported)

Encryption

(Not Supported)

Xerox® Security Guide for Entry Production Color Class Products

March 2019 Page 3-16

Network Access Control

802.1x

In 802.1X authentication, when the product is connected to the LAN port of Authenticator such as the

switch as shown below, the Authentication Server authenticates the product, and the Authenticator

controls access of the LAN port according to the authentication result. The product starts authentication

processing at startup when the startup settings for 802.1X authentication are enabled.

Versant® 80/180 Press

Versant® 2100/3100

Press

Color 800/100 Press®

Versant 80 Press, Versant

180 Press

Versant 2100 Press,

Versant 3100 Press

Color 800/1000 Presses,

Color 800i/1000i Presses

Network Access Control

802.1x

Supported

Authentication Methods

PSK, AES (CCMP)/TKIP,

PEAPv0/MS-CHAPv2,

EAP-TLS, EAP-

TTLS/PAP, EAP-

TTLS/MS-CHAPv2, EAP-

TTLS/EAP-TLS

MD5, MS-CHAPv2,

PEAP/MS-CHAPv2, EAP-

TLS

MD5, MS-CHAPv2,

PEAP/MS-CHAPv2,

EAP-TLS

Cisco Identity Services Engine (ISE)

Cisco ISE is an intelligent security policy enforcement platform that mitigates security risks by providing a

complete view of which users and what products are being connected across the entire network

infrastructure. It also provides control over what users can access on your network and where they can

go. Cisco's ISE includes over 200 Xerox® product profiles that are ready for security policy enablement.

This allows ISE to automatically detect Xerox® products in your network. Xerox® products are organized

in Cisco ISE under product families, such as Versant®, enabling Cisco ISE to automatically detect and

profile new Xerox® products from the day they are released. Customers who use Cisco ISE find that

including Xerox® products in their security policies is simpler and requires minimal effort.

Cisco ISE Profiling Services provides dynamic detection and classification of endpoints connected to the

network. ISE collects various attributes for each network endpoint to build an endpoint database. The

classification process matches the collected attributes to prebuilt or user-defined conditions, which are

then correlated to an extensive library of product profiles. These profiles include a wide range of product

types, including tablets, smartphones, cameras, desktop operating systems (for example, Windows®,

Mac OS® X, Linux® and others), and workgroup systems such as Xerox printers and MFPs.

Once classified, endpoints can be authorized to the network and granted access based on their profile

signature. For example, guests to your network will have different level of access to printers and other

end points in your network. For instance, you and your employees can get full printer access when

accessing the network from a corporate workstation but be granted limited printer access when accessing

the network from your personal Apple® iPhone®.

Cisco ISE allows you to deploy the following controls and monitoring of Xerox® products:

Automatically provision and grant network access rights to printers and MFPs to prevent

inappropriate access (including automatically tracking new printing products connecting to the

network):

oBlock non-printers from connecting on ports assigned to printers

Authentication

Server

Authenticator

(e.g. Switch)

Product

(Supplicant)

EAPOL

Xerox® Security Guide for Entry Production Color Class Products

March 2019 Page 3-17

oPrevent impersonation (aka spoofing) of a printer/MFP

oAutomatically prevent connection of non-approved print products

oSmart rules-based policies to govern user interaction with network printing products

Provide simplified implementation of security policies for printers and MFPs by:

oProviding real time policy violation alerts and logging

oEnforcing network segmentation policy

oIsolating the printing products to prevent general access to printers and MFPs in

restricted areas

Automated access to policy enforcement

Provide extensive reporting of printing product network activity

Versant® 80/180 Press

Versant® 2100/3100

Press

Color 800/100 Press®

Versant 80 Press, Versant

180 Press

Versant 2100 Press,

Versant 3100 Press

Color 800/1000 Presses,

Color 800i/1000i Presses

Network Access Control

Cisco ISE

Supported

(Not Supported)

Contextual Endpoint Connection Management

Traditionally network connection management has been limited to managing endpoints by IP address and

use of VLANs and firewalls. This is effective, but highly complex to manage for every endpoint on a

network. Managing, maintaining, and reviewing the ACLs (and the necessary change management and

audit processes to support them) quickly become prohibitively expensive. It also lacks the ability to

manage endpoints contextually.

Connectivity of Versant® and ColorPress® devices can be fully managed contextually by Cisco

TrustSec. TrustSec uses Security Group Tags (SGT) that are associated with an endpoint’s user, device,

and location attributes. SG-ACLs can also block unwanted traffic so that malicious reconnaissance

activities and even remote exploitation from malware can be effectively prevented.

FIPS140-2 Compliance Validation

When enabled, the product will validate its current configuration to identify cryptographic modules in use.

Modules which are not FIPS 140-2 (Level 1) compliant will be reported.

Versant® products include FIPS compliant algorithms of Kerberos, however an exception can be

approved to run these in non-FIPS compliant mode when configured for non-FIPS algorithms.

Versant® products use encryption algorithms for Kerberos, SMB, and PDF Direct Print Service that are

not approved by FIPS140-2. They can however operate in FIPS140-2 approved Mode in order to

maintain compatibility with conventional products after an exception is approved by a system

administrator. They do not use FIPS compliant algorithms when in this configuration.

Additional Network Security Controls

Additional network security controls are discussed in the following sections.

Endpoint Firewall Options

Versant® 80/180 Press

Versant® 2100/3100

Press

Color 800/100 Press®

Versant 80 Press, Versant

180 Press

Versant 2100 Press,

Versant 3100 Press

Color 800/1000 Presses,

Color 800i/1000i Presses

Firewall

Stateful Packet Filter

IP Whitelisting

Stateful Firewall

Supported

Xerox® Security Guide for Entry Production Color Class Products

March 2019 Page 3-18

IP Whitelist

Supported

IP Whitelisting (IP Address Filtering)

Versant® products support IP Whitelisting only.

When enabled all traffic is prohibited regardless of interface (wired/wireless) unless enabled by IP filter

rule. IPv4 and IPv6 are enabled separately. If IP Filter and IPsec are both enabled, IPsec is evaluated

first. Up to 25 addresses can be enabled for IPv4 and an additional 25 for IPv6. Addresses include IP

and subnet allowing individual system or subnets to be enabled. A system administrator can disable this

feature using the embedded web server.

Stateful Firewall (Advanced IP Filtering)

ColorPress® products support stateful packet inspection that tracks connections and packet flows. Rules

may be configured that examine incoming and outgoing packets. Packets are matched against each rule

in order until a match occurs and allows the packet to be accepted, rejected, or dropped.

Other manuals for Versant 3100 Press

This manual suits for next models

Table of contents

Other Xerox Printer manuals

Xerox

Xerox Phaser 3400 User manual

Xerox

Xerox Phaser 7760 User manual

Xerox

Xerox Phaser 6300 Service manual

Xerox

Xerox Phaser 140 Operating and maintenance instructions

Xerox

Xerox 3117 - Phaser B/W Laser Printer User manual

Xerox

Xerox Phaser 6000 Operating manual

Xerox

Xerox WorkCentre PE114e User manual

Xerox

Xerox Phaser 6700 Operating manual

Xerox

Xerox 7700 User manual

Xerox

Xerox Phaser 3310 User manual

Xerox

Xerox 3130 - Phaser B/W Laser Printer User manual

Xerox

Xerox Phaser 7100 User manual

Xerox

Xerox DocuColor 6060 User manual

Xerox

Xerox 6200DX - Phaser Color Laser Printer User manual

Xerox

Xerox DocuPrint N4525 User manual

Xerox

Xerox Colour 560 Printer User manual

Xerox

Xerox 3400N - Phaser B/W Laser Printer User manual

Xerox

Xerox WorkCentre Pro 423 User manual

Xerox

Xerox DocuPrint N4525 User manual

Xerox

Xerox 8500N - Phaser Color Solid Ink Printer User manual

Xerox

Xerox phaser 3420 User manual

Xerox

Xerox VersaaLink B600 User manual

Xerox

Xerox DocuPrint C525 A User manual

Xerox

Xerox Phaser 7400 User manual

Popular Printer manuals by other brands

Panduit

Panduit COUGAR LS9Q Operator's manual

Canon

Canon LBP113w Getting started

Ricoh

Ricoh SH-P1 M020 Field service manual

Lexmark

Lexmark 18H0500 - Z 54 Color Jetprinter Inkjet... user guide

Canon

Canon i560 Series quick start guide

CIM

CIM PRO THERMAL 2000 Operator's manual

Rimage

Rimage Everest Encore Setup and installation guide

IBM

IBM 102 user guide

Cembre

Cembre Markingenius MG3 Operation and maintenance manual

Brother

Brother P-touch MW-145BT user guide

Star Micronics

Star Micronics TSP200 Series Programmer's manual

Pitney Bowes

Pitney Bowes SendPro P Series Installation instruction

Lexmark

Lexmark T650dtn quick reference

Olivetti

Olivetti PGL2535 Operation guide

TallyGenicom

TallyGenicom 9050N - quick start guide

Epson

Epson L3210 user guide

Ricoh

Ricoh Printer operating instructions

Radio Shack

Radio Shack TRS-80 DWP-210 Operation manual

Xerox Versant 3100 Press User manual

Popular Printer manuals by other brands