Xerox WorkCentre 7220 Information

Manual is about: Color Multifunction Printer

Summary of WorkCentre 7220

  • Page 1

    WorkCentre 7220/7225 Information Assurance Disclosure Paper Version 1.1 Prepared by: Ralph H. Stoos Jr. Xerox Corporation 800 Phillips Road Webster, New York 14580 ©2012, 2013 Xerox Corporation. All rights reserved. Xerox and the sphere of connectivity design are trademarks of Xerox Corporation in t...

  • Page 2

    WorkCentre 7220-7225 Information Assurance Disclosure Paper ver. 1.0, January 2013 page 2 of 61 Contributors: Michael Barrett, Steve Beers, Bob Crumrine, Mike Faraoni, Gordon Farquhar, Mirelsa Fontanes, Tim Hunter, Larry Kovnat, Tom Pierce, Roger Rhodes, Steve Sydorowicz, R. Ben Wilkie, Bob Zolla, Ralph H. Stoos...

  • Page 3

    1. Introduction, page 5. 1.1. Purpose ...

  • Page 4

    3.3.2. Network scanning, page 35. 4. Secur...

  • Page 5

    1. Introduction The WorkCentre 7220-7225 multifunction systems are among the latest versions of Xerox copier and multifunction devices for the general office. 1.1. Purpose The purpose of this document is ...

  • Page 6

    2. Device description This product consists of an input document handler and scanner, marking engine including paper path, controller, and user interface. Figure 2-1 WorkCentre 7220/7225 multifunction sy...

  • Page 7

    2.1. Security-relevant subsystems 2.1.1. Physical partitioning The security-relevant subsystems of the product are partitioned as shown in Figure 2-2. Fax module image output terminal (also known as marki...

  • Page 8

    2.1.2. Security functions allocated to subsystems. Security function: subsystem. Image overwrite: controller, graphical user interface. System authentication: controller, graphical user interface. Network authenti...

  • Page 9

    2.2. Controller 2.2.1. Purpose The controller provides both network and direct-connect external interfaces, and enables copy, print, email, network scan, server fax, internet fax, and LanFax functionality...

  • Page 10

    2.2.2. Memory components Volatile memory description. Columns: type (SRAM, DRAM, etc.); size; user modifiable (Y/N); function or use; process to clear. DDR3 SDRAM non ECC – system memory; 2GB; N; executable code, printer ...

  • Page 11

    Hard disk descriptions. Columns: drive / partition (system, image); removable (Y/N); size; user modifiable (Y/N); function; process to clear. System disk / system partition; no; 27GB; N with normal operation; operating...

  • Page 12

    2.2.3. External connections The controller printed wiring boards are physically mounted in a tray with external connections available at the right rear of the machine. The tray contains a single controll...

  • Page 13

    Interface: description / usage. USB target port: diagnostics and service; Xerox Copier Assistant. USB host ports: card readers; SW upgrade; USB printing; scan to USB. Debug port: troubleshooting and monitoring ...

  • Page 14

    2.2.4. USB ports The device contains a host connector for a USB flash drive, enabling upload of software upgrades and download of network logs or machine settings files. Autorun is disabled on this port....

  • Page 15

    2.3. Fax module 2.3.1. Purpose The embedded fax service uses the installed embedded fax card to send and receive images over the telephone interface. The fax card plugs into a custom interface slot on th...

  • Page 16

    2.4. Scanner 2.4.1. Purpose The purpose of the scanner is to provide mechanical transport to convert hardcopy originals to electronic data. 2.4.2. Hardware The scanner converts the image from hardcopy to...

  • Page 17

    2.7. System software structure 2.7.1. Open-source components Open-source components in the connectivity layer implement high-level protocol services. The security-relevant connectivity layer components a...

  • Page 18

    2.7.2. Operating system layer in the controller The OS layer includes the operating system, network and physical I/O drivers. The controller operating system is Wind River Linux, kernel v. 2.6.34+. Xerox...

  • Page 19

    2.7.3. Network protocols Figure 2-5 and Figure 2.6 are interface diagrams depicting the IPv4 and IPv6 protocol stacks supported by the device, annotated according to the DARPA model. Figure 2-5 IPv4 netw...

  • Page 20

    2.8. Logical access 2.8.1. Network protocols The supported network protocols are listed in Appendix D and are implemented to industry standard specifications (i.e. they are compliant to the appropriate R...

  • Page 21

    2.8.2. Ports The following table summarizes all potentially open ports and subsequent sections discuss each port in more detail. All ports can be disabled if not needed under control of the system admini...

  • Page 22

    2.8.2.1. Port 22, SFTP This port is used to securely encrypt the user name, password, and data being transferred to a network server/repository. 2.8.2.2. Port 23, NTP This port is used to retrieve the ti...

  • Page 23

    2.8.2.6. Port 80, HTTP The embedded web pages communicate to the machine through a set of unique APIs and do not have direct access to machine information: the HTTP port can only access the HTTP server r...

  • Page 24

    2.8.2.7. Port 88 Kerberos This port is only open when the device is communicating with the Kerberos server to authenticate a user, or to request a TGT / TGS to access the LDAP server. To disable this por...

  • Page 25

    SNMP traffic may be secured if an IPsec tunnel has been established between the agent (the device) and the manager (i.e. the user’s PC). The device supports SNMPv3, which is an encrypted version of the S...

  • Page 26

    2.8.2.18. Port 631, IPP This port supports the Internet Printing Protocol. It is not configurable. This is disabled when the HTTP (web) server is disabled. 2.8.2.19. Port 1900, SSDP This port behaves sim...

  • Page 27

    2.8.2.27. Ports 53202, 53303, 53404, WSD transfer web service (53202) and print web service (53303 and 53404) for Microsoft WSD support. 2.8.2.28. Port 61100, WS web service interface(s) used to get/set ...

  • Page 28

    3. System access 3.1. Authentication model The authentication model allows for both local and network authentication and authorization. In the local and network cases, authentication and authorization ta...

  • Page 29

    Figure 3-1 Authentication and authorization schematic.

  • Page 30

    3.2. Login and authentication methods There are a number of methods for different types of users to be authenticated. In addition, the connected versions of the product also log into remote servers. A de...

  • Page 31

    3.2.2.2. SMB authentication (Windows 2000/Windows 2003/Windows 2008) The authentication steps vary somewhat, depending on the network configuration. Listed below are 3 network configurations and the auth...

  • Page 32

    Device and domain controller are on different subnets, SA defines hostname of domain controller. Authentication steps: [Diagram: LDAP server, Xerox device, domain controller, router, DNS server] 1) The...

  • Page 33

    3.2.2.3. Common Access Card (CAC1/PIV/.NET) With the addition of the CAC accessory kit, the device is able to utilize the following cards: • Axalto Access 64KV2 • Oberthur PIV v1.08 • Gemalto PIV 144K • ...

  • Page 34

    3.2.2.4. Xerox Secure Access Via Xerox Secure Access a customer can enable additional authentication methods to the device with minimal impact on the system software. By using a web service and 3rd party...

  • Page 35

    3.3. System accounts 3.3.1. Printing The device may be set up to connect to a print queue maintained on a remote print server. The login name and password are sent to the print server in clear text. IPse...

  • Page 36

    4. Security aspects of selected features 4.1. McAfee Enhanced Security / Integrity Control Xerox has partnered with industry leader McAfee to include the enhanced security feature which uses McAfee embed...

  • Page 37

    4.2. Audit log The device maintains a security audit log. Recording of security audit log data can be enabled or disabled by the SA. The audit log is implemented as a circular log containing a maximum of...

  • Page 38

    Event ID: event description; entry data. 9: Email job; entry data: job name, user name, completion status, IIO status, accounting user ID, accounting account ID, total-number-of-SMTP-recipients, SMTP-recipients. 10: Audit log dis...

  • Page 39

    Event ID: event description; entry data. 24: Scan to home job; entry data: job name or dir name, user name, completion status (normal/error), IIO status, accounting user ID-name, accounting account ID-name, total-number-net-de...

  • Page 40

    Event ID: event description; entry data. 37: SSL; entry data: username, device name, device serial number, completion status (enabled/disabled/terminated). 38: X509 certificate; entry data: username, device name, device serial number, comple...

  • Page 41

    Event ID: event description; entry data. 53: CPSR backup; entry data: file name, user name, completion status (normal / error), IIO status. 54: CPSR restore; entry data: file name, user name, completion status (normal / error), IIO status. 55...

  • Page 42

    Event ID: event description; entry data. 68: FIPS mode enable/disable/configure; entry data: username, device name, device serial number, enable/disable/configure. 69: Xerox Secure Access login; entry data: username, device name, device ser...

  • Page 43

    Event ID: event description; entry data. 80: SMTP connection encryption; entry data: username, device name, device serial number, completion status (enabled for STARTLS / enabled for STARTLS if avail / enabled for SSL/TLS /...

  • Page 44

    Event ID: event description; entry data. 96: EIP weblets allow install; entry data: username, device name, device serial number, completion status (enable installation / block installation). 97: EIP weblets install; entry data: username, d...

  • Page 45

    Event ID: event description; entry data. 105: IPv4 enable/disable/configure; entry data: username, device name, device serial number, completion status (enabled wireless/disabled wireless/ configured wireless) (enabled wire...

  • Page 46

    4.3. Xerox Standard Accounting Xerox Standard Accounting (XSA), intended primarily for use as an accounting service, can be used as an internal authorization service. XSA tracks copy, scan (including fil...

  • Page 47

    4.4. User permissions role based access control (RBAC) The user permissions feature has been added to Xerox devices to expand control of access to device services and features which will in turn improve ...

  • Page 48

    4.5. Smart eSolutions Smart eSolutions provides the ability to automatically send data to Xerox to be used for billing (Meter Assistant) and toner replenishment (Supplies Assistant). The systems administ...

  • Page 49

    4.7. Image overwrite The image overwrite security feature provides both immediate image overwrite (IIO) and on-demand image overwrite (ODIO) functions. Immediately before a job is considered complete, II...

  • Page 50

    4.7.3. Overwrite timing The ODIO overwrite time is dependent on the type of hard disk in the product. The overwrite times are generally 20 minutes for a standard ODIO and 60 minutes for a full ODIO. IIO ...

  • Page 51

    4.8. FIPS 4.8.1. FIPS 140-2 compliance You can enable the printer to check its current configuration to ensure that transmitted and stored data is encrypted as specified in FIPS 140-2 (Level 1). Once FIP...

  • Page 52

    4.8.2. Enabling FIPS 140 mode 1. In CentreWare IS, click Properties > Security > Encryption > FIPS 140-2. 2. Click Enable. 3. Click Run Configuration Check and Apply. A pass or fail message appears. If t...

  • Page 53

    5.1. Responses to known vulnerabilities 5.1.1. Security @ Xerox (www.xerox.com/security) Xerox maintains an evergreen public web page that contains the latest security information pertaining to its produ...

  • Page 54

    Appendices Appendix A – Abbreviations API: application programming interface. AMR: automatic meter reads. ASIC: application-specific integrated circuit. This is a custom integrated circuit that is unique to a...

  • Page 55

    ODIO: on-demand image overwrite. PCL: Printer Control Language. PDL: page description language. PIN: personal identification number. PWBA: printed wire board assembly. PWS: common alternative for PSW. RFC: required f...

  • Page 56

    Appendix B – Supported MIB objects Notes: (1) The number of objects shown per MIB group represents the number of objects defined by the IETF standard for that MIB group. It does not represent the instan...

  • Page 57

    RFC 3805 - Printer MIB group: WorkCentre/ColorQube. RFC 1213 - system group: supported. RFC 1213 - interface group: supported. RFC 1514 - storage group: supported. RFC 1514 - device group: supported. General group...

  • Page 58

    Additional capabilities / application support: WorkCentre/ColorQube. Ability to change GET, SET, TRAP PDU community names: supported, default values: get="public", set="private", trap="snmp_trap". Printer m...

  • Page 59

    Appendix C – Standards Controller hardware: PCI specification (PCI Local Bus Specification Revision 2.1), 100 megabit Ethernet (IEEE 802.3), Universal Serial Bus 1.1, parallel (IEEE 1284), IEEE 1394a (FireWire...

  • Page 60

    Printing description languages: PostScript Language Reference, Third Edition; PCL6 (PCL5c + PCL XL Class 3.0 emulation); TIFF 6.0; JPEG; Portable Document Format Reference Manual Version 1.3.

  • Page 61

    Appendix E – References Kerberos FAQ http://www.cmf.nrl.navy.mil/krb/kerberos-faq.html IP port numbers http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml.