{"product_id":10135,"v_id":10135,"product_name":"Xerox WorkCentre/WorkCenter Pro 232/238/245/255/265/275 Multifunction Systems","certification_status":"Not Certified","certification_date":"2006-04-06T00:04:00Z","tech_type":"Miscellaneous","vendor_id":{"name":"Xerox Corporation","website":"www.xerox.com"},"vendor_poc":"Larry Kovnat","vendor_phone":"585.427.1732","vendor_email":"larry.kovnat@xerox.com","assigned_lab":{"cctl_name":"DXC.technology"},"product_description":"<p>The TOE is a multi-function device (hereafter referred to as an MFD) that copies, prints, scans to e-mail, scans to a network repository, and analog faxes from either the platen or the print driver (the latter referred to as LanFax). The MFD contains an internal hard disk drive (referred to as Network Controller HDD). Standard security functions include SSL, IPSec, SNMPv3, a host-based firewall, and an internal audit log. Users may be authenticated to the network or locally at the device. The evaluated configuration also includes the Image Overwrite Security package, a consumer option. The Image Overwrite Security package causes any temporary image files created during a print, network scan, scan-to-email, or LanFax job to be erased from the internal hard disk drive when those files are no longer needed or on demand at the discretion of the system administrator. [Copy and analog fax jobs initiated from the platen do not create files on the Network Controller HDD so no overwrite is needed for these job types.]</p>","evaluation_configuration":null,"security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the product meets the security requirements contained in the Security Target. 
The criteria against which the <em>Xerox WorkCentre&reg;/WorkCentre&reg; Pro 232/238/245/255/265/275 Multifunction Systems </em>were evaluated are described in the <em>Common Criteria for Information Technology Security Evaluation, Version 2.2</em>. The evaluation methodology used by the evaluation team to conduct the evaluation is the <em>Common Methodology for Information Technology Security Evaluation, Version 2.2</em>. Computer Sciences Corporation determined that the evaluation assurance level (EAL) for the product is EAL 2 Augmented with ALC_FLR.2. The product, when configured and installed according to supplied guidance, satisfies all of the security functional requirements stated in the Security Target. A validator, on behalf of the CCEVS Validation Body, monitored the evaluation carried out by Computer Sciences Corporation. The evaluation was completed in March 2006. Results of the evaluation can be found in the <em>Evaluation Technical Report for a Target of Evaluation for Xerox WorkCentre&reg;/WorkCentre&reg; Pro 232/238/245/255/265/275 Multifunction Systems </em>prepared by Computer Sciences Corporation.</p>","environmental_strengths":"<p>The TOE provides the following security features:</p>\r\n<p><strong>Communications Security:</strong> The WorkCentre&reg;/WorkCentre&reg; Pro models provide secure communications over the SSL, IPSec, and SNMPv3 protocols. Remote management of the device is secured from the Web User Interface using HTTPS/SSL. Alternatively, secure remote management is provided using a manager that supports SNMPv3. Secure scanning to a repository is provided using HTTPS/SSL. Secure printing is provided by using IPSec. </p>\r\n<p><strong>Information Flow Control:</strong> The WorkCentre&reg;/WorkCentre&reg; Pro models implement a static, host-based firewall that limits network access to the device. The system administrator can control access based on source IP address and/or destination network protocol/port. 
Access rules can be administered via a secure interface provided by the Web UI. </p>\r\n<p><strong>Auditing:</strong> The WorkCentre&reg;/WorkCentre&reg; Pro models generate logs that track events/actions (e.g. print/scan/LanFax job submission) to logged-in users, and each log entry contains a timestamp. The audit logs are only available to system administrators and can be securely downloaded via the Web interface for viewing and analysis. </p>\r\n<p><strong>Authentication:</strong> The WorkCentre&reg;/WorkCentre&reg; Pro models can authenticate users to a remote network authentication server. Supported authentication services include Kerberos (Solaris), Kerberos (Windows 2000), NDS (Novell 4.x, 5.x), and SMB (Windows NT.4x/2000). The system prevents unauthorized use of the installed network options (network scanning, scan-to-email, and LanFax) unless the user is properly authenticated. To access a network service, the user is required to provide a user name and password which is then validated by the remote authentication server. </p>\r\n<p>To authenticate the system administrator, the WorkCentre&reg;/WorkCentre&reg; Pro models utilize a simple authentication function accessible through the front panel or web interface. The system administrator must authenticate by entering an 8 to 12 digit PIN prior to being granted access to the tools menu and system administrator functions. The system administrator must change the default PIN after installation is complete. While the system administrator is entering the PIN number, the TOE displays a &lsquo;*&rsquo; character for each digit entered to hide the value entered. The authentication mechanism has a PIN space of 12**3 to 12**12. </p>\r\n<p>The Web user interface also requires the user to enter a PIN and enter &ldquo;admin&rdquo; into the username field. The username prompt provided by the web server is not used, but is provided for historical reasons. 
The only valid string is &ldquo;admin&rdquo;, which is hard coded into the web server and cannot be changed. Additional users cannot be added. The TOE does not associate user attributes or privileges based on username. </p>\r\n<p><strong>Image Overwrite:</strong> The WorkCentre&reg;/WorkCentre&reg; Pro models implement an image overwrite security function (Immediate Image Overwrite (IIO)) that causes temporary image files created during a print, network scan, scan-to-email, or LanFax job to be overwritten using a three-pass overwrite procedure as described in DOD 5800.28-M. The function can also be manually invoked by the system administrator using the &ldquo;On-Demand&rdquo; Image Overwrite (ODIO) function. [Copy and analog fax jobs initiated from the platen do not create files on the Network Controller HDD so no overwrite is needed for these job types.] </p>\r\n<p>Once invoked, ODIO cancels all copy, print, network scan, scan-to-email, LanFax, or analog fax jobs, halts the printer interface, and overwrites the contents of the sectors used for temporary image files on the internal hard disk drive. The entire machine then reboots. If the System Administrator attempts to activate diagnostics mode while ODIO is in progress, the request will be queued until the ODIO completes and then the system will enter diagnostic mode.<br />\r\n<strong>Security Management:</strong> The WorkCentre&reg;/WorkCentre&reg; Pro models utilize the front panel software module security mechanisms to allow only authenticated system administrators the capability to invoke or abort the ODIO function, enable or disable the IIO function, enable or disable embedded fax, and change the system administrator PIN. 
Additionally, the TOE utilizes the web server authentication mechanism to allow only authenticated system administrators the capability to configure SSL, IPSec, and/or SNMPv3, to manage IP filtering rules, to download the audit log, to configure network authentication, or to manually invoke &ldquo;On Demand&rdquo; Image Overwrite. </p>\r\n<p>The WorkCentre&reg;/WorkCentre&reg; Pro models restrict the ability to manage administrative functions to the system administrator. </p>\r\n<p><strong>Fax-Network Separation:</strong> The WorkCentre&reg;/WorkCentre&reg; Pro models have an architecture that provides separation between the optional FAX processing board and the network controller. This architecture ensures that a malicious user cannot access network resources from the telephone line via the system&rsquo;s optional FAX modem. </p>","features":[]}