{"product_id":10071,"v_id":10071,"product_name":"Xerox CopyCentre C2128/C2636/C3545 Copier and WorkCentre Pro C2128/C2636/C3545 Advanced Multifunction System including Image Overwrite Security ","certification_status":"Not Certified","certification_date":"2005-09-30T00:09:00Z","tech_type":"Miscellaneous","vendor_id":{"name":"Xerox Corporation","website":"www.xerox.com"},"vendor_poc":"Larry Kovnat","vendor_phone":"585.425.6340","vendor_email":"larry.kovnat@xerox.com","assigned_lab":{"cctl_name":"DXC.technology"},"product_description":"<p>There are two configurations of the TOE with identical security functionality under evaluation.&nbsp; The base configuration is as a color digital copier that provides copy and analog fax functions (hereafter referred to as a DC), represented by the CopyCentre models.&nbsp; The other configuration is as a color multi-function device that copies, prints, scans to e-mail, network scans, internet faxes, and analog faxes (hereafter referred to as a MFD), represented by the WorkCentre Pro models.&nbsp; The MFD models contain two internal hard disk drives (referred to as Network Controller HDD and Copy Controller HDD respectively); DC models contain only one internal drive (referred to as the Copy Controller HDD).&nbsp; The evaluated configuration of both the DC and MFD includes the Image Overwrite Security package, a consumer option.&nbsp; The Image Overwrite Security package causes any temporary image files created during a print, network scan, scan-to-email, internet fax (MFD), copy (MFD/DC), or analog fax (MFD/DC) job to be erased from the internal hard disk drive(s) when those files are no longer needed or on demand at the discretion of the system administrator.</p>","evaluation_configuration":null,"security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. 
The evaluation demonstrated that the product meets the security requirements contained in the Security Target. The criteria against which the <em>Xerox CopyCentre C2128/C2636/C3545 Copier and WorkCentre Pro C2128/C2636/C3545 Advanced Multifunction System including Image Overwrite Security</em> was judged are described in the <em>Common Criteria for Information Technology Security Evaluation, Version 2.2</em>. The evaluation methodology used by the evaluation team to conduct the evaluation is the <em>Common Methodology for Information Technology Security Evaluation, Version 2.2</em>. Computer Sciences Corporation determined that the evaluation assurance level (EAL) for the product is EAL 2. The product, when configured and installed according to supplied guidance, satisfies all of the security functional requirements stated in the Security Target. A validator, on behalf of the CCEVS Validation Body, monitored the evaluation carried out by Computer Sciences Corporation. The evaluation was completed in September 2005. 
Results of the evaluation can be found in the <em>Evaluation Technical Report for a Target of Evaluation for</em><em> Xerox CopyCentre C2128/C2636/C3545 Copier and WorkCentre Pro C2128/C2636/C3545 Advanced Multifunction System including Image Overwrite Security</em> prepared by Computer Sciences Corporation.</p>","environmental_strengths":"<p>The TOE provides the following security features:</p>\r\n<p><strong>Image Overwrite:&nbsp; </strong>The CopyCentre and WorkCentre Pro models implement an image overwrite security function that causes temporary image files created during a print, network scan, scan-to-email, internet fax (MFD), copy (MFD/DC), or analog fax (MFD/DC) job to be overwritten using a three pass overwrite procedure as described in DOD 5800.28-M (Immediate Image Overwrite (IIO)).&nbsp; The function can also be manually invoked by the system administrator using the &ldquo;On-Demand&rdquo; Image Overwrite (ODIO) function.</p>\r\n<p>Once invoked, ODIO cancels all copy, print, network scan, scan-to-email, internet fax, or analog fax jobs, halts the printer interface (WorkCentre Pro models), and overwrites the contents of the sections for temporary image files on the internal hard disk drive(s).&nbsp; The entire machine then reboots.&nbsp; If the System Administrator attempts to activate diagnostics mode while ODIO is in progress, the request will be queued until the ODIO completes and then the system will enter diagnostic mode.</p>\r\n<p><strong>Authentication:&nbsp; </strong>The TOE utilizes a simple authentication function through the front panel or web interface. The system administrator must authenticate by entering an 8 to 12 digit PIN prior to being granted access to the tools menu and system administrator functions. The system administrator must change the default PIN after installation is complete. While the system administrator is entering the PIN number, the TOE displays a &lsquo;*&rsquo; character for each digit entered to hide the value entered. 
The authentication mechanism has a PIN space of 10<sup>8</sup> to 10<sup>12</sup>.</p>\r\n<p>The Web user interface also requires the user to enter a PIN and enter &ldquo;admin&rdquo; into the username field. The username prompt provided by the web server is not used, but is provided for historical reasons. The only valid string is &ldquo;admin&rdquo;, which is hard coded into the web server and cannot be changed. Additional users cannot be added. The TOE does not associate user attributes or privileges based on username.</p>\r\n<p><strong>Security Management: </strong>The TOE utilizes the front panel software module security mechanisms to allow only authenticated system administrators the capability to invoke or abort the ODIO function, enable or disable the IIO function, enable or disable embedded fax, and change the system administrator PIN.&nbsp; Additionally, the TOE utilizes the web server authentication mechanism to allow only authenticated system administrators the capability to manually invoke and abort &ldquo;On Demand&rdquo; Image Overwrite through the web interface.</p>\r\n<p>The TOE restricts access to the configuration of administrative functions to the system administrator.<strong>&nbsp; </strong></p>\r\n<p><strong>Fax-Network Separation: </strong>The TOE has an architecture that provides separation between the optional FAX processing board and the network controller. This architecture ensures that a malicious user cannot access network resources from the telephone line via the TOE&rsquo;s optional FAX modem.</p>","features":[]}