Information Assurance Disclosure Document

Version 1.1
Xerox® Altalink®
C8030/C8035/C8040/C8055/C8070
Color Multifunction Printer
Information Assurance Disclosure
© 2017 Xerox Corporation. All rights reserved. Xerox®, Xerox, and Design® are trademarks of Xerox Corporation in the
United States and/or other countries. BR21466
Other company trademarks are also acknowledged.
Document Version: 1.1 (July 2017).
Ver. 1.1, July 2017
Contents
INTRODUCTION
  1.1. Purpose
  1.2. Target Audience
  1.3. Disclaimer
DEVICE DESCRIPTION
  2.1. Security-relevant Subsystems
    2.1.1. Physical Partitioning
  2.2. Controller
    2.2.1. Purpose
    2.2.2. Memory Components
    2.2.3. External Connections
    2.2.4. USB Ports
  2.3. Optional Fax Module
    2.3.1. Purpose
    2.3.2. Hardware
  2.4. Scanner
    2.4.1. Purpose
    2.4.2. Hardware
  2.5. Graphical User Interface (GUI)
    2.5.1 Purpose
  2.6. Marking Engine (Image Output Terminal or IOT)
    2.6.1 Purpose
    2.6.2 Hardware
  2.7. System Software Structure
    2.7.1. Operating System Layer in the Controller
    2.7.2. Network Protocols
  2.8 Logical Access
    2.8.1 Network Security
    2.8.2 Ports
SYSTEM ACCESS
  3.1. Authentication Model
    3.1.1 SIPRNet
  3.2. Login and Authentication Methods
    3.2.1 Network Scanning
SECURITY ASPECTS OF SELECTED FEATURES
  4.1. McAfee Enhanced Security / Integrity Control
    4.1.2 Integrity Control (Optional Feature)
  4.2. Audit Log
    4.2.1 Device Audit Log
    4.2.2 Device Protocol Log
    4.2.3 Audit Log file format
  4.3. User Permissions Role Based Access Control (RBAC)
  4.4. Remote Services
  4.5. Encrypted Partitions
  4.6 Image Overwrite
    4.6.1 Algorithm
    4.6.2 User Behavior
    4.6.3 Overwrite Timing
    4.6.4 Overwrite Completion Reporting
  4.7 FIPS 140-2
    4.7.1 FIPS 140-2 Compliance
  4.8 Email Signing and Encryption to Self
  5.1 Security @ Xerox (www.xerox.com/security)
APPENDICES
  Appendix A – Abbreviations
Introduction
This document describes the locations, capacities and contents of volatile and non-volatile memory
devices within the Xerox® Altalink® C8030/C8035/C8040/C8055/C8070.
1.1. Purpose
The purpose of this document is to disclose information for the Xerox® Altalink® products with respect
to device security. Device Security, for this paper, is defined as how image data is stored and
transmitted, how the product behaves in a networked environment, and how the product may be
accessed, both locally and remotely. Please note that the customer is responsible for the security of
their network and the Xerox® Altalink® products do not establish security for any network environment.
The purpose of this document is to inform Xerox customers of the design, functions, and features of
the Xerox® Altalink® products relative to Information Assurance (IA).
This document does NOT provide tutorial level information about security, connectivity, PDLs, or
Xerox® Altalink® product features and functions. This information is readily available elsewhere. We
assume that the reader has a working knowledge of these types of topics. However, a number of
references are included in the Appendix. Additional information is also available in the Altalink®
C8030/C8035/C8040/C8055/C8070 System Administrator guide.
1.2. Target Audience
The target audience for this document is Xerox field personnel and customers concerned with IT
security.
1.3. Disclaimer
The information in this document is accurate to the best knowledge of the authors, and is provided
without warranty of any kind. In no event shall Xerox Corporation be liable for any damages
whatsoever resulting from user's use or disregard of the information provided in this document
including direct, indirect, incidental, consequential, loss of business profits or special damages, even
if Xerox Corporation has been advised of the possibility of such damages.
Device Description
This product consists of an input document handler and scanner, marking engine including paper path, controller,
and user interface.
[Figure 1-1 Altalink® C8070 Multifunction System. Labeled parts: Graphical User Interface (GUI), Document Feeder & Scanner (IIT), Front Panel USB port, C/Z Folder, Marking Engine (IOT), Paper Trays, High Capacity Feeder, BR Finisher.]
2.1. Security-relevant Subsystems
2.1.1. Physical Partitioning
The security-relevant subsystems of the product are partitioned as shown in Figure 2-2.
[Figure 2-2 System functional block diagram. Blocks inside the TOE Physical Boundary: Controller/GUI, Scanner / Document Handler, Image Output Terminal (also known as Marking Engine), Fax Module, Power Supply, Power Button. Internal connections: PCI Bus, optical interface, Button and TOE internal wiring (proprietary). Physical external interfaces: Human Interface; Original Documents; Ethernet Port, USB Target Port, USB Host Ports, Scanner Interface, Serial Port, Foreign Device Interface; Paper output interface to Hardcopy (Finisher); PSTN (RJ-11 Port); Power Cord.]
2.2. Controller
2.2.1. Purpose
The controller provides both network and direct-connect external interfaces, and enables copy, print, email, network
scan, server fax, internet FAX, and LanFax functionality. Network scanning, server fax, internet fax, and LanFax are
standard features. Image Overwrite, which is included as a standard feature, enables both Immediate and On-Demand
overwrite of any temporary image data created on disk. The controller also incorporates an open-source web server
(Apache) that exports a Web User Interface (WebUI) through which users can submit jobs and check job and machine
status, and through which system administrators can remotely administer the machine.
The controller contains the image path, which uses proprietary hardware and algorithms to process the scanned
images into high-quality reproductions. Scanned images may be temporarily buffered in DRAM to enable electronic
pre-collation, sometimes referred to as scan-once/print-many. When producing multiple copies of a document, the
scanned image is processed and buffered in the DRAM in a proprietary format. Extended buffer space for very large
documents is provided on the network disk. The buffered bitmaps are then read from DRAM and sent to the Image
Output Terminal (IOT) for marking on hardcopy output. For long documents, the production of hardcopy may begin
before the entire original is scanned, achieving a level of concurrency between the scan and mark operations.
The controller operating system is Wind River Linux. Unnecessary services such as rsh, telnet and finger are disabled
in the Operating System. FTP is used in client-only mode by the network-scanning feature for the filing of scanned
images and the retrieval of Scan Templates; however, the controller does not contain an FTP server.
The controller works with the Graphical User Interface (GUI) assembly to provide system configuration functions. A
System Administrator has the ability to access these functions.
2.2.2. Memory Components
General Memory Information
Volatile Memory
All volatile memory listed is cleared after power is removed (decay occurs generally within 20 seconds at room
temperature).
All volatile memory listed is required for normal system operation and during service and diagnostic procedures.
Removal of any volatile memory will void the warranty.
Non-Volatile Memory
All non-volatile memory listed is required for normal system operation and during service and diagnostic
procedures.
Removal of any non-volatile memory will void the warranty.
Non-volatile memory in the system cannot be accessed by accidental keystrokes.
Controller Module
Volatile Memory

| Type (SRAM, DRAM, etc.) | Size | User Modifiable (Y/N) | Function or Use | Process to Clear |
|---|---|---|---|---|
| DDR3 SDRAM non ECC – System Memory | 4GB | N | Executable code, Printer control data, temporary storage of job data | Power Off System |

Additional Information:
There is one main block of volatile memory in the controller: the System memory. System memory contains a
mixture of executable code, control data and job data. Job data exists in System memory while the job is being processed.
Once the job is complete, the memory is reused for the next job.

Non-Volatile Memory

| Type (Flash, EEPROM, etc.) | Size | User Modifiable (Y/N) | Function or Use | Process to Clear |
|---|---|---|---|---|
| SD CARD | 4GB | via Diagnostics | Control set points, configuration settings, Boot Memory | NA |
| SEEPROM | 256bytes | Via Diagnostics | Serial Presence Detect Config (for 4Gb DDR3 system memory) | NA |
| Flash | 8MB | Via Diagnostic | BIOS Flash - Contains BIOS code for processor | NA |
| Flash | 8MB | Via Diagnostic | Boot Flash - Contains Ethernet config settings and MAC address | NA |
| Battery Backed SRAM | 242bytes | Via Diagnostic | Stores and maintains Time and Date | NA |
| SEEPROM | 8Mb | Via Diagnostics | Programs Balinese FPGA | NA |

Additional Information:
All memory listed above contains code for execution and configuration information. No user or job data is stored in these
locations.
Table 1 Controller volatile and non-volatile memory components
Non-Volatile Hard Disk Memory

| Drive / Partition (System, Image) | Removable (Y/N) | Size | User Modifiable (Y/N) | Function | Process to Clear |
|---|---|---|---|---|---|
| System Disk / System partition | No | 24GB | N with normal operation | Operating System, Fonts, configuration file storage. | NA |
| System Disk / Image partition | No | 24GB | N with normal operation | Job Images | Image Overwrite |

Additional Information:
This System disk contains the Linux Operating System and stores executables, fonts, and settings files. During normal
operation, job files do not remain stored on this disk. One exception is the “Print From” “Saved Jobs” feature. Customer jobs saved
on the machine’s hard disk using this feature must be manually deleted by the customer. If On Demand Overwrite is
selected with the full option, all saved jobs will be erased.
The Image partition stores images in a proprietary encoded format in non-contiguous blocks. Customer image data is only
stored to the image partition if EPC memory is full. User data and image data may be completely erased with a full Overwrite
using a three-pass algorithm which conforms to NIST Special Publication 800-88 Rev1, and the entire
image partition is erased and checked.
Table 2 Hard Disk Drive
RFID Devices

| RFID Device and location | Purpose |
|---|---|
| N/A | No RFID Devices are contained in the device |

Media and Storage Descriptions

| Type (disk drives, tape drives, CF/SD/XD memory cards, etc.) | Removable (Y/N) | Size | User Modifiable (Y/N) | Function | Process to Clear |
|---|---|---|---|---|---|
| None | | | | | |
Marking Engine Modules
Volatile Memory

| Type (SRAM, DRAM, etc.) | Size | User Modifiable (Y/N) | Function or Use | Process to Clear |
|---|---|---|---|---|
| DRAM (MCU PWBA) | 32M x 16 bit | N | Temporary Storage of variables | Power Off System |
| RAM (UI PWBA) | 1kbyte | N | Temporary Storage of variables | Power Off System |

Non-Volatile Solid State Memory

| Type (FLASH, EEPROM, etc.) | Size | User Modifiable (Y/N) | Function or Use | Process to Sanitize |
|---|---|---|---|---|
| Flash (MCU PWBA) | 16Mbit | N | Permanent storage of program. User image data are not stored. | Not customer alterable. |
| EEPROM (LED Driver, PWBA, K) | 128Kbit | N | Permanent storage of setup data. User image data are not stored. | Not customer alterable. |
| EEPROM (MM PWBA) | 128Kbit | N | Permanent storage of parameters and setup data. User image data are not stored. | Not customer alterable. |
| EEPROM (UI PWBA) | 1kbit x 2 | N | Permanent storage of setup data. Storage of UI error log data. User image data are not stored. | Not customer alterable. |
| EEPROM (DADF PWBA) LOW (PF2.01) or HIGH (PF2.02) | 16Kbit | N | Permanent storage of DADF configuration code. User image data are not stored. | Not customer alterable. |
| EEPROM (TM PWBA) | 2kbit | N | Permanent storage of TM configuration code. User image data are not stored. | Not customer alterable. |
| Flash or ROM (UI PWBA) | 32kbyte | N | Permanent storage of UI executable code. User image data are not stored. | Not customer alterable. |
| ROM (DADF PWBA) LOW (PF2.01) or HIGH (PF2.02) | 256kbit | N | Permanent storage of DADH configuration code. User image data are not stored. | Not customer alterable. |
| EEPROM (IIT) | 16Kbit | N | Permanent storage of setup data. User image data are not stored. | Not customer alterable. |

Media and Storage

| Type (disk drives, tape drives, CF/SD/XD memory cards, etc.) | Removable (Y/N) | Size | User Modifiable (Y/N) | Function | Process to Clear |
|---|---|---|---|---|---|
| None | | | | | |

Feeder and Finisher Modules
All memory inside the feeder/finisher devices listed below is used for configuration settings and normal operation. Removal
of any memory will void the warranty. Access to any memory is by system programs or diagnostics only. This document lists
the available options. Depending on the configuration purchased, your system will contain one or more of these devices.
NOTE: None of these devices stores any job data or Personally Identifiable Information in electronic form.
Feeder Modules
High Capacity Feeder
High Capacity Tandem Tray Module
Three Tray Module
One Tray Module
Finisher Modules
Integrated Office Finisher
Office Finisher LX
Professional Office Finisher
BR Finisher
BR Booklet Maker Finisher
CZ Folder
2.2.3. External Connections
The controller printed wiring boards are physically mounted in a tray with external connections available at the right
rear of the machine. The tray contains a single controller board. An optional fax board may also be installed. Disk(s)
are mounted on the underside of the tray. Below the controller tray are other connectors that distribute power and
communications to external options such as a finisher or high-capacity paper tray.
[Figure 2-3 Altalink® C8030/C8035/C8040/C8055/C8070 Back panel connections. Labeled connections: Ethernet Connection, Optional FDI Connector Slot, Diagnostic Display, USB Target Port, Dual USB Host Ports, SIM Card Slot, Optional FAX Card.]

| Interface | Description / Usage |
|---|---|
| USB Target Port | Diagnostics and service; Xerox Copier Assistant |
| Dual USB Host Ports | Card readers; SW upgrade; USB Printing; Scan to USB |
| Ethernet Port | Network Connectivity |
| Diagnostic LED Readout | Displays status codes for Diagnostics |
| Foreign Device Interface (FDI) | Allows connection of optional access control hardware. |
| Optional FAX (Single or Dual) | Allows insertion of optional “Land Line” Fax card |
| SIM Card Slot | Options enablement |

Table 3 Controller External Connections
2.2.4. USB Ports
The Altalink® C8030/C8035/C8040/C8055/C8070 contains a host connector for a USB flash drive, enabling upload of
software upgrades and download of network logs or machine settings files and scan jobs.
Autorun is disabled on this port. No executable files will be accepted by the port.
Modifying the software upgrade, network log or saved machine settings files will make the files unusable on an
Altalink®.
The data in the network log file is encrypted and can only be decrypted by Xerox service personnel at a Xerox location.
USB Port(s)

| USB port and location | Purpose |
|---|---|
| Front panel – 1 Host port | User retrieves print ready files from Flash Media or stores scanned files on Flash Media. Physical security of this information is the responsibility of the user or operator. Upload of software upgrades, download of network logs, download and upload of machine settings for setup cloning. Optional security devices, such as a CAC reader, access cards, and/or keyboard communicate with the machine via this port. No job data is transmitted across this interface when an optional security device is connected. |
| Rear panel – 2 Host ports | User retrieves print ready files from Flash Media or stores scanned files on Flash Media. Physical security of this information is the responsibility of the user or operator. Upload of software upgrades, download of network logs, download and upload of machine settings for setup cloning. Optional security devices, such as a CAC reader, communicate with the machine via this port. No job data is transmitted across this interface when an optional security device is connected. |
| Rear panel – 1 Target port | User PC direct connection for printing, Xerox Customer Service Engineer PWS connection for problem diagnosis. The optional Copy Assistant kit communicates with the machine via this port. No job data is transmitted across this interface. |

Additional Information
A number of devices can be connected to the 3 USB Host ports. Once information has been copied (either as a back-up data set
or as a transfer medium), physical security of this information is the responsibility of the user or operator.
Table 4 USB Ports
2.3. Optional Fax Module
2.3.1. Purpose
The embedded FAX service uses the installed embedded fax card to send and receive images over the telephone
interface. The FAX card plugs into a custom interface slot on the controller.
2.3.2. Hardware
The Fax Card is a printed wiring board assembly containing a fax modem and the necessary telephone interface logic.
It connects to the controller via a serial communications interface. The Fax Card is responsible for implementing the
T.30 fax protocol. All remaining fax-specific features are implemented in software on the controller. The fax telephone
lines are connected directly to the Fax Card via RJ-11 connectors.

| Name | Size | Purpose / Explanation |
|---|---|---|
| MODEM #1 | NA | Optional Fax modem 2 ports |

Table 5 Fax Module components
2.4. Scanner
2.4.1. Purpose
The purpose of the scanner is to provide mechanical transport to convert hardcopy originals to electronic data.
2.4.2. Hardware
The scanner converts the image from hardcopy to electronic data. A document handler moves originals into a position
to be scanned. The scanner provides enough image processing for signal conditioning and formatting. The scanner
does not store scanned images. All other image processing functions are in the copy controller.
2.5. Graphical User Interface (GUI)
2.5.1. Purpose
The GUI detects soft and hard button actuations, and provides text and graphical prompts to the user. The GUI is
sometimes referred to as the Local UI (LUI) to distinguish it from the WebUI, which is exported by the web service that
runs in the controller. Images are not transmitted to or stored in the GUI.
2.6. Marking Engine (Image Output Terminal or IOT)
2.6.1. Purpose
The Marking Engine performs copy/print paper feeding and transport, image marking and fusing, and document
finishing. Images are not stored at any point in these subsystems.
2.6.2. Hardware
The marking engine is comprised of paper supply trays and feeders, paper transport, LED scanner, xerographics, and
paper output and finishing. The marking engine contains a CPU, BIOS, RAM and Non-Volatile Memory.
2.7. System Software Structure
2.7.1. Operating System Layer in the Controller
The OS layer includes the operating system, network and physical I/O drivers. The controller operating system is Wind
River Linux, kernel v. 3.10.62+. Xerox may issue security patches for the OS, in which case the Xerox portion of the
version number (i.e. after the ‘+’ sign) will be incremented.
IP Filtering is provided by the kernel.
Figure 2-4 Controller Operating System layer components
2.7.2. Network Protocols
Figure 2-5 and Figure 2-6 are interface diagrams depicting the
IPv4 and IPv6 protocol stacks supported by the device, annotated according to the DARPA model.
[Figure 2-5 IPv4 Network Protocol Stack. Application Layer: NTP, snmp v1/v2, DHCP, pop3, smtp, LDAP, http, ipp, DNS, lpr, Kerberos, ftp, sftp, SMB, snmp v3, WSD, ssl/tls, NETBIOS, Port 9100. Transport Layer: udp, tcp. Internet Layer: IPSec, IPv4. Network Layer: IEEE 802.1X, IEEE 802.3.]
[Figure 2-6 IPv6 Network Protocol Stack. Application Layer: snmp v1/v2, DHCP, smtp, LDAP, http, ipp, DNS, lpr, Kerberos, ftp, sftp, snmp v3, WSD, ssl/tls, Port 9100. Transport Layer: udp, tcp. Internet Layer: IPSec, IPv6. Below these: IEEE 802.1X, IEEE 802.3.]
2.8 Logical Access
2.8.1 Network Security
A variety of network protocols is supported. There are no ‘Xerox unique’ additions to these protocols.
2.8.1.1. IPSec
The device supports IPSec tunnel and transport mode. The print channel can be secured by establishing an IPSec
association between a client and the device. A shared secret is used to encrypt the traffic flowing through a tunnel.
2.8.1.2. 802.1x
IEEE 802.1X is a security standard for port-based network access control. It secures Ethernet and/or Wi-Fi networks
against unauthorized access by requiring device authentication with a central server before network access and data
transmissions are allowed.
2.8.1.3. IP Filtering
The devices contain a static host-based firewall that provides the ability to prevent unauthorized network access based
on IP address and/or port number. Filtering rules can be set by the SA using the WebUI. An authorized SA can create
rules that Accept, Reject, or Drop traffic for ALL or a range of IP addresses. In addition to specifying IP addresses to filter, an
authorized SA can enable/disable all traffic over a specified transport layer port.
2.8.2. Ports
The following table summarizes all potentially open ports and subsequent sections discuss each port in more detail.
All ports can be disabled if not needed under control of the system administrator.

| Default Port # | Type | Service name |
|---|---|---|
| 68 | UDP | DHC ACK Response to DHCP |
| 80 | TCP | HTTP |
| 88 | UDP | Kerberos |
| 110 | TCP | POP3 client |
| 137 | UDP | NETBIOS- Name Service |
| 138 | UDP | NETBIOS-Datagram Service; SMB filing and Scan template retrieval |
| 139 | TCP | NETBIOS Session Service - SMB Authentication, SMB filing |
| 161 | TCP/UDP | SNMP |
| 162 | TCP | SNMPTRAP |
| 427 | TCP/UDP | SLP |
| 443 | TCP | HTTPS – HTTP over TLS |
| 445 | TCP | Microsoft-DS |
| 500 | TCP | ISAKMP |
| 515 | TCP | LPR |
| 631 | TCP | IPP |
| 3702 | TCP/UDP | WSD Discovery |
| 4500 | TCP/UDP | IKE Negotiation Port for IPSec |
| 5353 | TCP/UDP | Multicast DNS |
| 5354 | TCP | Multicast DNS Responder IPC |
| 5909-5999 | Remote UI | Remote Access to Local UI if feature is enabled. Ports randomized for security. |
| 9100 | TCP | raw IP |
| 53202 | TCP | WSD Transfer |
| 53303 | TCP | WSD Print |
| 53404 | TCP | WSD Scan |

Table 6 Network Ports
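
An added example, not part of the Xerox document: a baseline check that compares a port scan of the device with Table 6, flagging open ports the table does not list and documented ports the site has not chosen to leave enabled. The scan output (nmap grepable format), the host address and SITE_POLICY are constructed for illustration, and treating the 5909-5999 row as TCP is an assumption.

```python
import re

# Table 6 of this page, transcribed: (first port, last port, protocols, service).
# Assumption: the 5909-5999 row (its Type column reads "Remote UI") is treated as TCP.
TABLE_6 = [
    (68, 68, "udp", "DHCP"),
    (80, 80, "tcp", "HTTP"),
    (88, 88, "udp", "Kerberos"),
    (110, 110, "tcp", "POP3 client"),
    (137, 137, "udp", "NETBIOS Name Service"),
    (138, 138, "udp", "NETBIOS Datagram Service"),
    (139, 139, "tcp", "NETBIOS Session Service"),
    (161, 161, "tcp/udp", "SNMP"),
    (162, 162, "tcp", "SNMPTRAP"),
    (427, 427, "tcp/udp", "SLP"),
    (443, 443, "tcp", "HTTPS"),
    (445, 445, "tcp", "Microsoft-DS"),
    (500, 500, "tcp", "ISAKMP"),
    (515, 515, "tcp", "LPR"),
    (631, 631, "tcp", "IPP"),
    (3702, 3702, "tcp/udp", "WSD Discovery"),
    (4500, 4500, "tcp/udp", "IKE negotiation for IPSec"),
    (5353, 5353, "tcp/udp", "Multicast DNS"),
    (5354, 5354, "tcp", "Multicast DNS Responder IPC"),
    (5909, 5999, "tcp", "Remote access to Local UI"),
    (9100, 9100, "tcp", "raw IP"),
    (53202, 53202, "tcp", "WSD Transfer"),
    (53303, 53303, "tcp", "WSD Print"),
    (53404, 53404, "tcp", "WSD Scan"),
]

# One entry of a grepable "Ports:" field looks like 443/open/tcp//https///
PORT_FIELD = re.compile(r"(\d+)/([^/]*)/(tcp|udp)/")


def documented_service(port, proto):
    """Return the Table 6 service name for (port, proto), or None if not listed."""
    for low, high, protos, name in TABLE_6:
        if low <= port <= high and proto in protos.split("/"):
            return name
    return None


def parse_grepable(text):
    """Return {host: {(port, proto), ...}} for ports reported as definitely open.

    Ambiguous states such as "open|filtered" (common for UDP) are skipped so
    that every finding rests on a confirmed listener.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_part = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_part.split(","):
            m = PORT_FIELD.match(entry.strip())
            if m and m.group(2) == "open":
                hosts.setdefault(host, set()).add((int(m.group(1)), m.group(3)))
    return hosts


def audit(open_ports, site_policy):
    """Sort open ports into undocumented, disable candidates and expected."""
    findings = {"undocumented": [], "disable_candidate": [], "expected": []}
    for port, proto in sorted(open_ports):
        name = documented_service(port, proto)
        if name is None:
            # Not in the vendor's table at all: investigate before anything else.
            findings["undocumented"].append((port, proto))
        elif (port, proto) not in site_policy:
            # Documented service the site does not need: disable it on the device.
            findings["disable_candidate"].append((port, proto, name))
        else:
            findings["expected"].append((port, proto, name))
    return findings


# Constructed sample scan output and site policy (not taken from a real device).
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 515/open/tcp//printer///, 631/open/tcp//ipp///, "
    "5912/open/tcp/////, 9100/open/tcp//jetdirect///, "
    "161/open|filtered/udp//snmp///\tIgnored State: closed (993)\n"
)
SITE_POLICY = {(443, "tcp"), (631, "tcp")}  # services this site intends to keep

if __name__ == "__main__":
    for host, ports in parse_grepable(SAMPLE_SCAN).items():
        for category, items in audit(ports, SITE_POLICY).items():
            print(host, category, items)
```
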
System Access
3.1. Authentication Model
The authentication model allows for both local and network authentication and authorization. In the
local and network cases, authentication and authorization take place as separate processes: a user
must be authenticated before being authorized to use the services of the device.
If the device is set for local authentication, user account information will be kept in a local accounts
database (see the discussion in Chapter 4 of Xerox Standard Accounting) and the authentication
process will take place locally. The system administrator can assign authorization privileges on a per
user basis. User access to services will be provided based on the privileges set for each user in the
local accounts database.
When the device is set for network authentication, the user’s network credentials will be used to
authenticate the user at the network domain controller.
Users can be authorized on an individual basis to access one or any combination of the available
services such as Copy, Fax, Server Fax, Reprint Saved Jobs, Email, Internet Fax, Workflow Scanning
Server, and Extensible Interface Platform Services. Authentication can also be achieved via CAC,
SIPR, or smart access cards.
Also, users can be authorized to access one or any combination of the following machine pathways:
Services, Job Status, or Machine Status.
User Permissions, the new authorization method, determines your authorization by Role. Roles are
stored in the local account database and users are either directly assigned to the roles in the
database, or the role is associated with an LDAP/SMB group. Once the device determines what
group the user is a member of, it determines what roles in the local database are associated with that
group and defines access based on the roles. Assignment of users to the System Administrator role
or the Accounting Administrator role is also managed via User Permissions.
Figure 3-1 provides a schematic view of the authentication and authorization subsystem. Use of the
local accounts database or a network database can be set independently for both authentication and
authorization, meaning that it is possible to enable network authentication and local authorization, or
vice versa. Usually authentication and authorization will be configured to use the same database.
3.1.1 SIPRNet
SIPRNet support is included as a customer purchasable option.
[Figure 3-1: flowchart of the Authentication and Authorization Subsystem. Get Credentials: at the Local UI the user presses the 'Access' button and enters credentials via virtual keyboard / Secure Access / CAC / SIPR / Smart Cards; at the Web UI the user selects the 'Properties' page (enable SSL to ensure secure communication between client and device). Authentication: the user is authenticated against the Local Accounts database or by the network domain controller (Kerberos / NDS / SMB / LDAP); each path has an Authentication Failure branch. Authorization: authorization is performed against the Local Roles Database; group membership is determined at the domain controller and the role definition for the group is in the Local Database. The device then provides access to authorized services; authentication and authorization are complete and the user continues with tasks.]
Figure 3-1 Authentication and Authorization schematic
3.2. Login and Authentication Methods
3.2.1 Network Scanning
Network Scanning may require the device to log into a server. The instances where the device logs
into a server are detailed in the following table. Users may also need to authenticate for scanning.
This authentication is detailed in subsequent sections.
Device log on
Scanning feature | Device behavior
Scan to File, Public Template | The device logs in to the scan repository as set up by the SA in the Properties tab on the WebUI. The credentials may be the user’s credentials or system credentials.
Scan to E-mail, I-Fax | The device logs into an LDAP Server as set up by the SA in User Tools. It will log into the Server when a user is authenticated and the device is configured for Remote Authorization or Personalization is enabled, and when the user attempts to access LDAP based scan-to-email address books. At the time the LDAP server must be accessed, the device will log into (bind to) the LDAP server. The device uses a simple bind to the LDAP server unless the device was able to obtain a TGS for the LDAP server from the Kerberos Server. In this case, a SASL (GSSAPI) bind is performed. A network username and password may be assigned to the device. The device logs in as a normal user, with read only privileges. User credentials may be used if configured by the SA for this authentication step. The device then logs into the SMTP server as set up by the SA in the Properties tab on the WebUI. The credentials may be the user’s credentials or system credentials.
Scan to Fax Server | The device logs in to the Fax Server as set up by the SA from the Properties tab on the WebUI. The credentials may be the user’s credentials or system credentials.
Please note that when the device logs into any server the device username and password are sent over the network in clear text unless one or more of the following have been enabled:
• HTTPS has been enabled
• IPSec has been configured to encrypt the traffic
• The device is logging into an SMB Server in which case the credentials are hashed.
• The device is using NTLM to login to the SMTP server (the device negotiates the most secure authentication method that both the device and server support).
• The LDAP server is being accessed via SASL.
Security Aspects of Selected Features
4.1. McAfee Enhanced Security / Integrity Control
Xerox has partnered with industry leader McAfee to include the Enhanced Security feature which uses McAfee
Embedded Control. The McAfee agent is included with the device software which enables communication with
McAfee tools such as the ePolicy Orchestrator.
The McAfee Enhanced Security and optional Integrity Control features use “whitelisting” technology to protect your
Xerox devices from attack. On the Xerox device, there are critical files and directories designated read-only and
some designated write-only. If attempts are made to write to a read-only or read from a write-only file or directory, in
addition to being prevented, this creates an event which will be recorded in the device Audit Log. Further, if e-mail
alerts were configured on the Xerox device, an e-mail would be sent to the configured address with details of the
event.
Software upgrades are handled by designating the software upgrade process as a trusted updater. Once the digital
signature is verified, the new software is installed and with it, a new whitelist for the new version. The digital signature
prevents corrupted files from being installed by verification that the file is genuine Xerox software and has not been
modified.
The use of digital signatures and the whitelisting technique, to stop unauthorized reads, writes, and optionally
execution, prevents malicious code from harming your device, regardless of where the attack originated.
4.1.2 Integrity Control (Optional Feature)
Integrity Control is a purchasable software option that combines the standard Enhanced Security features with the
ability to monitor and prevent unauthorized execution of files that were not part of the standard Xerox device software.
4.2. Audit Log
4.2.1 Device Audit Log
The device maintains a security audit log. This feature is enabled by default and is required if McAfee protection is
enabled, but can be disabled by the SA. The audit log is implemented as a circular log containing a maximum of 15000
event entries, meaning that once the maximum number of entries is reached, the log will begin overwriting the earliest
entry. Only a device administrator is authorized to download the log from the device. The log may be downloaded on
demand over a secure HTTP connection, or transmitted to a remote secure SFTP server on demand or via a daily
scheduled action. The log may also be retrieved at the LUI onto a USB storage device. The log is exported as a
tab-delimited file and then compressed into a .zip archive. The log does not clear when it is disabled, and will persist
through power cycles and software upgrades.
The audit log can contain personally identifying information (PII) and should be treated appropriately.
4.2.2 Device Protocol Log
The device has the ability to track secure communication session information for IPSec, TLS, SSH
and HTTPS. When enabled, these logs are each written to separate files and included in the zipped
download file.
4.2.3 Audit Log file format
When the audit log file is downloaded, the administrator receives a zipped archive which includes the
audit log file (and protocol log files if enabled). The naming convention is serial
number_date_time_offset from GMT_auditfile.zip.
The following table lists the events that are recorded in the log:
Event ID | Event description | Entry Data
1 | System startup | Device name; Device serial number
2 | System shutdown | Device name; Device serial number
3 | Manual ODIO Standard started | Device name; Device serial number
4 | Manual ODIO Standard complete | Device name; Device serial number; Overwrite Status
5 | Print job | Job name; User Name; Completion Status; IIO status; Accounting User ID; Accounting Account ID
6 | Network scan job | Job name; User Name; Completion Status; IIO status; Accounting User ID; Accounting Account ID; total-number-net-destination; net-destination
Event ID | Event description | Entry Data
7 | Server fax job | Job name; User Name; Completion Status; IIO status; Accounting User ID; Accounting Account ID; Total-fax-recipient-phone-numbers; fax-recipient-phone-numbers; net-destination
8 | IFAX | Job name; User Name; Completion Status; IIO status; Accounting User ID; Accounting Account ID; total-number-of-smtp-recipients; smtp-recipients
9 | Email job | Job name; User Name; Completion Status; IIO status; Accounting User ID; Accounting Account ID; total-number-of-smtp-recipients; smtp-recipients
10 | Audit Log Disabled | Device name; Device serial number
11 | Audit Log Enabled | Device name; Device serial number
12 | Copy | Job name; User Name; Completion Status; IIO status; Accounting User ID; Accounting Account ID; Total-fax-recipient-phone-numbers; fax-recipient-phone-numbers
13 | Efax | Job name; User Name; Completion Status; IIO status; Accounting User ID; Accounting Account ID; Total-fax-recipient-phone-numbers; fax-recipient-phone-numbers
14 | Lan Fax Job | Job name; User Name; Completion Status; IIO status; Accounting User ID; Accounting Account ID; Total-fax-recipient-phone-numbers; fax-recipient-phone-numbers
15 | Data Encryption enabled | Device name; Device serial number
16 | Manual ODIO Full started | Device name; Device serial number
17 | Manual ODIO Full complete | Device name; Device serial number; Overwrite Status
18 | Data Encryption disabled | Device name; Device serial number
Event ID | Event description | Entry Data
20 | Scan to Mailbox job | Job name or Dir name; User Name; Completion Status; IIO status
21 | Delete File/Dir | Job name or Dir name; User Name; Completion Status; IIO status
23 | Scan to Home | UserName; Device name; Device serial number; Completion Status (Enabled/Disabled)
24 | Scan to Home job | Job name or Dir name; User Name; Completion Status (Normal/Error); IIO status; Accounting User ID-Name; Accounting Account ID-Name; total-number-net-destination; net-destination
25 | Copy store job | Job name or Dir name; User Name; Completion Status (Normal/Error); IIO status
26 | PagePack login | Device name; Device serial number; Completion Status: Success (if Passcode is ok), Failed (if Passcode is not ok), Locked out (if Max Attempts Exceed 5); Time Remaining: Hrs (Remaining for next attempt), Min (Remaining for next attempt)
27 | Postscript Passwords | Device name; Device serial number; StartupMode (enabled/disabled); System Params Password changed; Start Job Password changed
29 | Network User Login | UserName; Device name; Device serial number; Completion Status (Success, Failed)
30 | SA login | UserName; Device name; Device serial number; Completion Status (Success or Failed)
31 | User Login | UserName; Device name; Device serial number; Completion Status (Success or Failed)
32 | Service Login | Service name; Device name; Device serial number; Completion status (Success or Failed)
33 | Audit log download | UserName; Device name; Device Serial Number; Completion status (Success or Failed)
34 | IIO feature status | UserName; Device name; Device serial number; IIO Status (enabled or disabled)
Event ID | Event description | Entry Data
35 | SA pin changed | UserName; Device name; Device serial number; Completion status
36 | Audit log Saved | UserName; Device name; Device serial number; Completion status
37 | SSL | UserName; Device name; Device serial number; Completion Status (Enabled/Disabled/Terminated)
38 | X509 certificate | UserName; Device name; Device serial number; Completion Status (Created/uploaded/Downloaded)
39 | IP sec Enable/Disable/Configure | UserName; Device name; Device serial number; Completion Status (Configured/enabled/disabled/Terminated)
40 | SNMPv3 | UserName; Device name; Device serial number; Completion Status (Configured/enabled/disabled)
41 | IP Filtering Rules | UserName; Device name; Device serial number; Completion Status (Configured/enabled/disabled)
42 | Network Authentication Enable/Disable/Configure | UserName; Device name; Device serial number; Completion Status (Enabled/Disabled)
43 | Device clock | UserName; Device name; Device serial number; Completion Status (time changed/date changed)
44 | SW upgrade | Device name; Device serial number; Completion Status (Success, Failed)
45 | Cloning | Device name; Device serial number; Completion Status (Success, Failed)
46 | Scan Metadata Validation | Device name; Device serial number; Completion Status (Metadata Validation Success or Failed)
47 | Xerox Secure Access Enable/Disable/Configure | Device name; Device serial number; Completion status (Configured/enabled/disabled)
48 | Service login copy mode | Service name; Device name; Device serial number; Completion Status (Success, Failed)
49 | Smartcard (CAC/PIV) access | UserName (if valid Card and Password are entered); Device name; Device serial number; Process Name
50 | Process terminated | Device name; Device serial number; Process name
Event ID | Event description | Entry Data
51 | ODIO scheduled | Device name; Device serial number; ODIO type (Full or Standard); Scheduled time; ODIO status (Started/Completed/canceled); Completion Status (Success/Failed/Canceled)
53 | CPSR Backup | File Name; User Name; Completion Status (Normal / Error); IIO Status
54 | CPSR Restore | File Name; User Name; Completion Status (Normal / Error); IIO Status
55 | SA Tools Access Admin | Device serial number; Completion Status (Locked/Unlocked)
57 | Session Timer Logout | Device Name; Device Serial Number; Interface (Web, LUI); User Name (who was logged out); Session IP (if available)
58 | Session Timer Interval Change | Device Name; Device Serial Number; Interface (Web, LUI) (Timer affected by change); User Name (who made this change); Session IP (if available); Completion Status
59 | Feature Access Control Enable/Disable/Configure | User Name; Device Name; Device Serial Number; Completion Status (Enabled/Disabled/Configured); Interface (Web, Local, CAC, SNMP); Session IP address (if available)
60 | Device Clock NTP Enable/Disable | Device Name; Device serial number; Enable/Disable NTP; NTP Server IP Address; Completion Status (Success/Failed)
61 | Grant / Revoke Admin | Device Name; Device Serial Number; User Name (of target user); Grant or Revoke (the admin right); Completion Status (Success/Failed)
62 | Smartcard (CAC/PIV) Enable/Disable/Configure | UserName; Device Name; Device Serial Number; Completion Status (Success/Failed)
63 | IPv6 Enable/Disable/Configure | UserName; Device Name; Device Serial Number; Completion Status (Success/Failed)
64 | 802.1x Enable/Disable/Configure | UserName; Device Name; Device Serial Number; Completion Status (Success/Failed)
65 | Abnormal System Termination | Device Name; Device Serial Number
66 | Local Authentication | UserName; Device Name; Device Serial Number; Completion Status (Enabled/Disabled)
Event ID | Event description | Entry Data
67 | Web User Interface Authentication (Enable Network or Local) | UserName; Device Name; Device Serial Number; Authentication Method Enabled (Network/Local)
68 | FIPS Mode Enable/Disable/Configure | UserName; Device name; Device Serial Number; Enable/Disable/Configure
69 | Xerox Secure Access Login | UserName; Device Name; Device Serial Number; Completion Status (Success/Failed)
70 | Print from USB Enable/Disable | User Name; Device Name; Device Serial Number; Completion Status (Enabled/Disabled)
71 | USB Port Enable/Disable | User Name; Device Name; Device Serial Number; USB Port (Front/Rear); Completion Status (Enabled/Disabled)
72 | Scan to USB Enable/Disable | User Name; Device Name; Device Serial Number; Completion Status (Enabled/Disabled)
73 | System Log Download | Username; IP of requesting device (if available); File names downloaded; Destination (IP address or USB device); Completion status (Success/failed)
74 | Scan to USB Job | Job Name; User Name; Completion Status; IIO Status; Accounting User ID-Name; Accounting Account ID-Name
75 | Remote UI feature | User Name; Device Name; Device Serial Number; Completion Status (Enabled/Disabled/Configured)
76 | Remote UI session | User Name; Device Name; Device Serial Number; Completion Status (Initiated/Terminated); Remote Client IP Address
77 | Remote Scan Feature Enable/Disable (TWAIN driver) | User Name; Device Name; Device Serial Number; Completion Status (Enable/Disable)
78 | Remote Scan Job Submitted (TWAIN driver) | UserName (at client if available); IP address of submitting client; Device name; Device serial number; Job name (if accepted); Completion status (accept/reject request)
Event ID | Event description | Entry Data
79 | Scan to Web Service Job (Remote Scan Job Completed) (TWAIN driver) | Job name; UserName; Accounting User ID-Name; Accounting Account ID-Name; Completion status; Destination
80 | SMTP Connection Encryption | UserName; Device name; Device serial number; Completion Status (Enabled for STARTLS / Enabled for STARTLS if Avail / Enabled for SSL/TLS / Disabled)
81 | Email Domain Filtering Rule | User name; Device Name; Device Serial Number; Completion Status (Feature Enabled/Feature Disabled, Rule Added / Rule Deleted)
82 | Software Self Test Started | Device Name; Device Serial Number
83 | Software Self Test Complete | Device Name; Device Serial Number; Completion Status (Success/Failed/Cancelled)
84 | McAfee Security State (NOTE: ColorQube 8900 ONLY) | UserName; Device name; Device serial number; Security Mode (Enhanced Security / Integrity Control); Completion Status (Enabled / Disabled / Pending)
85 | McAfee Security Event (NOTE: ColorQube 8900 ONLY) | Device name; Device serial number; Type (Read / Modify / Execute / Deluge); McAfee message text
87 | McAfee Agent (NOTE: ColorQube 8900 ONLY) | User name; Device name; Device serial number; Completion Status (Enabled / Disabled)
88 | Digital Certificate Import Failure | Device name; Device serial number; Security Mode
89 | User Name Add/Delete |
90 | User Name Password Change |
91 | EFax Job Secure Print Passcode | UserName (managing passcodes); Device name; Device serial number; Completion Status (Passcode Created/Changed)
92 | Scan2Mailbox Folder Password Change | UserName (managing passwords); Device name; Device serial number; Folder Name; Completion Status (Password was Changed)
93 | EFax Mailbox Passcode | UserName (managing passcodes); Device name; Device serial number; Completion Status (Passcode Created/Changed)
94 | FTP/SFTP Filing Passive Mode | User Name; Device Name; Device Serial Number; Completion Status (Enabled / Disabled)
Event ID | Event description | Entry Data
95 | EFax Forwarding Rule | User Name; Device Name; Device Serial Number; Fax Line 1 or 2 (if applicable); Completion Status (Rule Edit / Rule Enabled / Rule Disabled)
96 | EIP Weblets Allow Install | UserName; Device name; Device serial number; Completion Status (Enable Installation / Block Installation)
97 | EIP Weblets Install | UserName; Device name; Device serial number; Weblet Name; Action (Install / Delete); Completion (Success / Fail)
98 | EIP Weblets Enable / Disable | UserName; Device name; Device serial number; Weblet Name; Completion Status (Enable / Disable)
99 | Network Connectivity Enable / Disable | UserName; Device name; Device serial number; Completion Status (Enable Wireless / Disable Wireless) (Enable Wired / Disable Wired)
100 | Address Book Permissions | UserName; Machine Name; Machine serial number; Completion Status (SA Only/Open Access Enabled WebUI) / (SA Only/Open Access Enabled LocalUI)
101 | Address Book Export | UserName; Machine Name; Machine serial number
102 | SW upgrade enable / disable | UserName; Device name; Device serial number; Completion Status (Enable Installation / Disable Installation)
103 | Supplies Plan Activation | Device name; Device serial number; Completion Status: Success (if Passcode is ok), Failed (if Passcode is not ok), Locked out (if Max Attempts Exceed 5); Time Remaining: Hrs (Remaining for next attempt), Min (Remaining for next attempt)
104 | Plan Conversion | Device name; Device serial number; Completion Status: Success (if Passcode is ok), Failed (if Passcode is not ok), Locked out (if Max Attempts Exceed 5); Time Remaining: Hrs (Remaining for next attempt), Min (Remaining for next attempt)
Event ID | Event description | Entry Data
105 | IPv4 Enable/Disable/Configure | UserName; Device name; Device serial number; Completion Status (Enabled Wireless/Disabled Wireless/Configured Wireless) (Enabled Wired/Disabled Wired/Configured Wired)
106 | SA PIN Reset | Device serial number; Completion Status (Success/Failed)
107 | Convenience Authentication Login | UserName; Device name; Device serial number; Completion Status (Success or Failed)
108 | Convenience Authentication Enable/Disable/Configure | UserName; Device name; Device serial number; Completion Status (Enabled/Disabled/Configured)
109 | Efax Passcode Length | UserName (managing passcodes); Device name; Device serial number; Completion Status (Passcode Length Changed)
110 | Custom Authentication Login | UserName; Device name; Device serial number; Completion Status (Success or Failed)
111 | Custom Authentication Enable/Disable/Configure | UserName; Device name; Device serial number; Completion Status (Enabled/Disabled/Configured)
112 | Billing Impression Mode | UserName; Device name; Device serial number; Mode Set to (A4 Mode, A3 Mode); Completion Status (Success, Failed); Impression data
113 | Airprint Enable/Disable/Configure | UserName; Device name; Device serial number; Completion Status (Enabled/Disabled/Configured)
114 | Device cloning enable / disable | UserName; Device name; Device serial number; Completion Status Enable / Disable
115 | Save for reprint job | UserName; Device name; Device serial number; Completion Status (Standard Access, Open Access, Restricted)
116 | Web UI Access/Configure | UserName; Device name; Device serial number; Completion Status (Standard Access, Open Access, Restricted)
Event ID | Event description | Entry Data
117 | System log push to Xerox | Username if authenticated; Server destination URL; Log identifier string (filename); Completion Status (Success / Failed)
119 | Scan to WebDAV Job | Job name; User Name; Completion Status; IIO status; Accounting User ID-Name; Accounting Account ID-Name; WebDAV destination
120 | Mopria Print enable / disable | UserName; Device name; Device serial number; Completion Status Enable / Disable
121 | PoS credit card API enable / disable | UserName; Device name; Device serial number; Completion Status Enable / Disable
122 | PoS CC data transfer | Job name or number?; Machine Name; Machine serial number; Destination server; Completion status (Success / Fail)
124 | Invalid Login Attempt Lockout | Device name; Device serial number; Interface (Web UI, Local UI); Session IP Address if available
125 | Protocol audit Log enable/Disable | UserName; Device Name; Device serial number; Completion Status Enable / Disable
126 | Display Device information configure | UserName; Device Name; Device serial number; Completion Status (Configured)
127 | Invalid Login Lockout Expires | Device name; Device serial number; Interface (Web UI); Session IP Address if available; Count of invalid attempts: “attempts xx” where xx = the number of attempts
128 | Erase Customer Data | Erase Customer Data; Device serial number; Success / Failed
129 | Audit log SFTP scheduled Configure | UserName; Device Name; Device serial number; Completion status (Enable/Disable/Configured)
130 | Audit Log SFTP Transfer | UserName; Device Name; Device serial number; Destination server; Completion Status (File Transmitted)
Event ID | Event description | Entry Data
131 | Remote Software Download Enable Disable | UserName; Device name; Device serial number; Completion Status (Enable/Disable)
132 | Airprint & Mopria Scanning Enable/Disable/Configure | UserName; Device Name; Device serial number; Completion Status (Enable/Disable/Configured)
133 | Airprint & Mopria Scan Job Submitted | Job name (if accepted); UserName (if available); IP address of submitting client; Device name; Device serial number; Completion status (accept/reject request)
134 | Airprint & Mopria Scan Job Completed | Job name; UserName (if available); Completion status
136 | Remote Services NVM Write | Device Name; Device Serial; Completion Status (Success-Fail)
137 | Remote Services FIK Install | Device Name; Device Serial; Completion Status (Success-Fail); User-readable names for the features being installed
138 | Remote Services Data Push | Device Name; Device Serial; Completion Status (Success-Fail)
139 | Remote Services | User Name; Device Name; Device Serial; Status: (“Enabled” / “Disabled”)
140 | Restore enable/disable | User Name; Device name; Device serial number; Completion status Enable / Disable
141 | Backup-Restore file downloaded | File Name; User Name; Interface (WebUI); IP Address of the destination (if applicable); Completion Status (Success or Failed)
142 | Backup-Restore restore installed | File Name; User name; Device name; Device IP address; Interface (WebUI); Completion Status (Success or Failed)
143 | Google Cloud Services | User name; Device name; Device serial number; Completion Status-(Enabled / Disabled / Configured)
144 | User or Group Role Assignment | User name; Device name; Device serial number; User or group name (assigned); Role name; Action (added/removed)
Event ID | Event description | Entry Data
145 | User Permission Role | User name; Device name; Device serial number; Role name; Completion status (Created / Deleted / Configured)
146 | Admin Password Policy Configure | User name; Device name; Device serial number
147 | Local user account password policy | User name; Device name; Device serial number
148 | Restricted admin login | User name; Device name; Device serial number; Completion status: “Success” or “Failed”
149 | Grant / revoke restricted admin rights | User name (of user making the change); Device name; Device serial number; User name (of target user); Action: “Grant” or “Revoke”
150 | Manual session logout | Device Name; Device Serial Number; Interface (Web, LUI, CAC); User Name (who was logged out); Session IP (if available)
151 | IPP Enable/Disable/Configure | User name; Device name; Device serial number; Completion status: (“Enabled” / “Disabled” / “Configured”)
152 | HTTP Proxy Server Enable/Disable/Configure | User name; Device name; Device serial number; Completion status: (“Enabled” / “Disabled” / “Configured”)
153 | Remote Services Software Download | Device Name; Device Serial number; File Name
154 | Restricted Admin Permission Role | User name; Device name; Device serial number; Restricted admin role name; Completion status (Created / Deleted / Configured)
155 | EIP Weblet Installation Security Policy | User name; Device name; Device serial number; Policy: (“allow installation of encrypted Weblets” / “allow installation of both encrypted and unencrypted Weblets”)
159 | Send Engineering Logs on Data Push | User name (if available); Device name; Device serial number; Current setting (“Enabled” / “Disabled”)
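The following is an added example, not Xerox code: a triage script for the exported tab-delimited audit log that flags high-interest event IDs from the table above, counts failed logins per user, reports the window between event 10 (Audit Log Disabled) and event 11 (Audit Log Enabled), and warns when the export is at the 15000-entry circular-log limit. The column layout (index, date, time, event ID, description, then the Entry Data fields), the ISO timestamp format, the threshold of 3 failures and every sample value are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime

MAX_ENTRIES = 15000  # circular-log capacity stated in section 4.2.1

# Event IDs and descriptions taken from the event table on this page.
ALWAYS_FLAG = {
    10: "Audit Log Disabled",
    33: "Audit log download",
    61: "Grant / Revoke Admin",
    85: "McAfee Security Event",
    124: "Invalid Login Attempt Lockout",
    128: "Erase Customer Data",
}
LOGIN_EVENTS = {29, 30, 31}  # Network User Login, SA login, User Login
AUDIT_OFF, AUDIT_ON = 10, 11

# Constructed sample export. ASSUMED column layout (not documented on the page):
# index, date, time, event ID, description, then the "Entry Data" fields.
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ["1", "2017-07-14", "08:00:02", "1", "System startup", "MFP-3F", "SN0000001"],
    ["2", "2017-07-14", "08:15:10", "30", "SA login", "admin", "MFP-3F", "SN0000001", "Failed"],
    ["3", "2017-07-14", "08:15:19", "30", "SA login", "admin", "MFP-3F", "SN0000001", "Failed"],
    ["4", "2017-07-14", "08:15:27", "30", "SA login", "admin", "MFP-3F", "SN0000001", "Failed"],
    ["5", "2017-07-14", "08:15:28", "124", "Invalid Login Attempt Lockout",
     "MFP-3F", "SN0000001", "Web UI", "192.0.2.44"],
    ["6", "2017-07-14", "09:01:00", "31", "User Login", "jdoe", "MFP-3F", "SN0000001", "Success"],
    ["7", "2017-07-14", "09:30:00", "10", "Audit Log Disabled", "MFP-3F", "SN0000001"],
    ["8", "2017-07-14", "11:45:00", "11", "Audit Log Enabled", "MFP-3F", "SN0000001"],
    ["9", "2017-07-14", "11:46:12", "61", "Grant / Revoke Admin",
     "MFP-3F", "SN0000001", "jdoe", "Grant", "Success"],
    ["garbage"],  # malformed row, must be counted and skipped
    ["10", "2017-07-14", "12:00:00", "33", "Audit log download",
     "admin", "MFP-3F", "SN0000001", "Success"],
])


def parse_audit_log(text):
    """Return (entries, rejected_row_count) from a tab-delimited export."""
    entries, rejected = [], 0
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        try:
            entries.append({
                "index": int(row[0]),
                "when": datetime.strptime(f"{row[1]} {row[2]}", "%Y-%m-%d %H:%M:%S"),
                "event_id": int(row[3]),
                "description": row[4],
                "data": row[5:],
            })
        except (IndexError, ValueError):
            rejected += 1
    return entries, rejected


def triage(entries, failed_login_threshold=3):
    """Flag sensitive events, repeated login failures and audit blind windows."""
    flagged, failed, blind_windows = [], Counter(), []
    off_since = None
    for e in sorted(entries, key=lambda e: e["when"]):
        eid, data = e["event_id"], e["data"]
        if eid in ALWAYS_FLAG:
            flagged.append((e["when"], eid, ALWAYS_FLAG[eid]))
        # Login entry data per the table: UserName, Device name, serial, status.
        if eid in LOGIN_EVENTS and len(data) >= 4 and data[3].strip().lower() == "failed":
            failed[data[0]] += 1
        if eid == AUDIT_OFF:
            off_since = e["when"]
        elif eid == AUDIT_ON and off_since is not None:
            blind_windows.append((off_since, e["when"]))
            off_since = None
    if off_since is not None:  # disabled and never re-enabled in this export
        blind_windows.append((off_since, None))
    return {
        "flagged": flagged,
        "repeated_failures": {u: n for u, n in failed.items()
                              if n >= failed_login_threshold},
        "blind_windows": blind_windows,
        # At capacity the oldest entries may already have been overwritten.
        "possibly_wrapped": len(entries) >= MAX_ENTRIES,
    }


if __name__ == "__main__":
    parsed, bad_rows = parse_audit_log(SAMPLE_LOG)
    report = triage(parsed)
    print(f"{len(parsed)} entries parsed, {bad_rows} rejected")
    for when, eid, name in report["flagged"]:
        print(f"{when.isoformat()}  event {eid}: {name}")
    print("repeated failures:", report["repeated_failures"])
    print("blind windows:", report["blind_windows"])
```

Because the log overwrites its earliest entries once full, run this against the daily SFTP export rather than an occasional manual download, so that no interval falls out of the 15000-entry window unreviewed.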
4.3. User Permissions Role Based Access Control (RBAC)
User Permissions provides permissions based on the authentication of the user through either the Local UI or network
authentication. Commonly referred to as Role Based Access Control, it assigns each user the permissions to use the
MFP based on a default role, a customized role or a Non-Logged-In User role.
4.4. Remote Services
Remote Services provides the ability to transmit data to Xerox to be used for billing and, when contracted, supplies
replenishment. It also has the ability to send status information for self-help diagnosis. Remote Services provides the
ability for Xerox to remotely update the device with new software, licenses, and internal settings (NVM). Xerox
Support may request the device System Administrator to send logging information in order to diagnose a
problem. This level of logging information may contain personally identifying information (PII) and should only be
authorized by a System Administrator with appropriate authority and consents.
The System Administrator may make configuration changes to Remote Services via the Web UI, including
enable/disable participation in Remote Services, permissions for remote updates, and time of day for daily polling to
the Xerox Remote Services Datacenter. The device can be set to communicate to the Xerox Datacenter via a proxy
server on the customer's network. Proxy server settings may be auto-detected or manually set on the Web UI.
4.5. Encrypted Partitions
All hard disk partitions that store customer data are encrypted with AES256, which utilizes a FIPS 140-2 certified
module and algorithm. Encryption keys are encrypted and stored per current relevant US government standards,
specifications and guidelines.
4.6 Image Overwrite
The Image Overwrite Security feature provides both Immediate Job Overwrite (IJO) and On-Demand Image Overwrite
(ODIO) functions. Immediately before a job is considered complete, IIO will overwrite any temporary files associated
with print, network scan, internet fax, network fax, or e-mail jobs that had been created on the controller Hard Disk.
The ODIO feature can be executed at any time by the SA and will overwrite the entire document image partitions of
the controller Hard disk. Scheduled ODIO may also be configured to run at specific times.
A standard ODIO will overwrite all image data from memory and disks except for Jobs and Folders stored in the Reprint
Saved Jobs feature; Jobs stored in the Scan to Mailbox feature (if installed); Fax Dial Directories (if fax card is installed);
and Fax Mailbox contents (if fax card is installed). A full ODIO will overwrite all image data from memory and disks as
well as the items excluded from a standard ODIO.
4.6.1 Algorithm
The overwrite mechanism for both IJO and ODIO conforms to the NIST Special Publication 800-88 Rev1.
The algorithm for the Image Overwrite feature is:
Step 1: Pattern #1 is written to the sectors containing temporary files (IIO) or to the entire spooling area of the disks (ODIO). (hex value 0x35 (ASCII “5”)).
Step 2: Pattern #2 is written to the sectors containing temporary files (IIO) or to the entire spooling area of the disks (ODIO). (hex value 0xCA (ASCII complement of 5)).
Step 3: Pattern #3 is written to the sectors containing temporary files (IIO) or to the entire spooling area of the disks (ODIO). (hex value 0x97 (ASCII “ú”)).
Step 4: 10% of the overwritten area is sampled to ensure Pattern #3 was properly written. The 10% sampling is accomplished by sampling a random 10% of the overwritten area.
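The four steps above, simulated on an in-memory buffer as an added example (not the device firmware): three pattern passes, the 10% random read-back, and the probability that such a sample notices a given number of sectors that did not take the write. The 512-byte sector size, the fault-injection hook and all function names are assumptions made for this illustration.

```python
import math
import random

SECTOR = 512                    # assumed sector size for the simulation
PATTERNS = (0x35, 0xCA, 0x97)   # Pattern #1, #2, #3 from Steps 1-3


def overwrite_passes(area, stuck_sectors=frozenset()):
    """Steps 1-3: write each pattern over every sector of `area` in turn.

    `stuck_sectors` is a fault-injection hook for this example only: writes
    to those sector indices are silently lost, as with a failing block.
    Returns the number of sectors in the area.
    """
    if len(area) % SECTOR:
        raise ValueError("area must be a whole number of sectors")
    sectors = len(area) // SECTOR
    for pattern in PATTERNS:
        fill = bytes([pattern]) * SECTOR
        for s in range(sectors):
            if s not in stuck_sectors:
                area[s * SECTOR:(s + 1) * SECTOR] = fill
    return sectors


def _bad_sectors(area, indices):
    """Sector indices among `indices` that do not hold Pattern #3."""
    expected = bytes([PATTERNS[-1]]) * SECTOR
    return [s for s in indices
            if bytes(area[s * SECTOR:(s + 1) * SECTOR]) != expected]


def verify_sample(area, percent=10, seed=None):
    """Step 4: read back a random `percent` of sectors and check Pattern #3.

    Returns (number_of_sectors_sampled, list_of_bad_sectors_found).
    `seed` makes the sample reproducible for testing; leave it None in use.
    """
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    sectors = len(area) // SECTOR
    sampled = max(1, (sectors * percent + 99) // 100)   # ceiling, integer math
    picked = sorted(rng.sample(range(sectors), sampled))
    return sampled, _bad_sectors(area, picked)


def verify_full(area):
    """Exhaustive read-back, for comparison with the sampled check."""
    return _bad_sectors(area, range(len(area) // SECTOR))


def detection_probability(total, bad, sampled):
    """P(sample of `sampled` sectors, drawn without replacement from `total`,
    contains at least one of `bad` unwritten sectors)."""
    if bad <= 0:
        return 0.0
    if sampled > total - bad:
        return 1.0
    return 1.0 - math.comb(total - bad, sampled) / math.comb(total, sampled)


if __name__ == "__main__":
    spool = bytearray(b"A" * (SECTOR * 1000))   # constructed stand-in data
    total = overwrite_passes(spool, stuck_sectors={7, 500})
    sampled, found = verify_sample(spool)
    print(f"sampled {sampled}/{total} sectors, bad sectors seen: {found}")
    print("exhaustive check finds:", verify_full(spool))
    for bad in (1, 2, 10, 50):
        p = detection_probability(total, bad, sampled)
        print(f"{bad:>3} unwritten sectors -> {p:.1%} chance the sample sees one")
```

The sampled check is a sanity test of the final pass, which is why the failure sheet and Audit Log entries described in the following sections are the records to rely on when confirming an overwrite.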
4.6.2 User Behavior
Once enabled at either the Local UI or Web UI, IJO is invoked automatically immediately prior to the completion of a
print, network scan, embedded fax, internet fax, network fax, or e-mail job. If IIO completes successfully, status is
displayed in the Job Queue. However, if IJO fails, a popup will appear on the Local UI recommending that the user run
ODIO, and a failure sheet will be printed.
ODIO may be invoked either from the Local UI in Tools Pathway or from the CentreWare Internet Services Web UI. All
device functions will be unavailable until the overwrite is completed.
If enabled, a confirmation sheet will be printed at the conclusion of the ODIO process.
Please note that invocation of ODIO will cause currently processing print jobs to be aborted. However, scan jobs will
not be cleaned up properly, and so ODIO might fail. The user should ensure that all scan jobs have been completed
before invoking ODIO. Please refer to the customer documentation for a description of how failures are logged.
4.6.3 Overwrite Timing
The ODIO overwrite time is dependent on the type of hard disk in the product. The overwrite times are generally less
than 20 minutes for a Standard ODIO and 60 minutes for a Full ODIO.
IJO is performed as a background operation, with no user-perceivable reduction in copy, print or scan performance.
4.6.4 Overwrite Completion Reporting
Immediate Job Overwrite
When an Immediate Job Overwrite is performed at the completion of each job, the user may view the Completed
Jobs Log at the Local UI. In each job entry there will be an indication if the Job was successfully overwritten or not.
All overwrite actions and completion statuses are logged in Audit Log as well.
On Demand Image Overwrite
Upon completion, an event is written in the Audit Log of the device. This Log may be downloaded by the “admin” user
or any user assigned an admin role. The admin may configure whether or not a Confirmation Report will print through
the CentreWare Web UI on the Properties tab, under Security. The options are On, Errors Only, and Off.
All overwrite actions and completion statuses are logged in Audit Log as well.
4.7 FIPS 140-2
4.7.1 FIPS 140-2 Compliance
You can enable the printer to check its current configuration to ensure that transmitted and stored data is encrypted as
specified in FIPS 140-2 (Level 1). Once FIPS 140 mode is enabled, you can allow the printer to use a protocol or
feature that uses an encryption algorithm that is not FIPS-compliant, but you must acknowledge this in the validation
process. If FIPS mode is enabled, when you enable a non-compliant protocol such as SMB, a message appears to
remind you that the protocol uses an encryption algorithm that is not FIPS-compliant.
NOTE: If you enable FIPS 140-2 mode, the printer may not be able to communicate with other network devices that use
protocols that do not employ FIPS 140-2 validated algorithms.
SNMPv3 allows device settings to be managed remotely using FIPS compliant data encryption. SNMPv3 protects
the transactions by:
• Checking the integrity of the data (including the message origin, time stamp, and message stream)
• Encrypting the data [AES-128]
• Verifying administrator authorization [SHA1]
When you enable FIPS 140-2 mode, the printer validates its current configuration by performing the
following checks:
• Validates certificates for features where the printer is the server in the client-server relationship. An SSL
  certificate for HTTPS is an example.
• Validates certificates for features where the printer is the client in the client-server relationship. CA Certificates
  for LDAP and Xerox Extensible Interface Platform (EIP 2.0) are examples.
• Validates certificates that are installed on the printer, but not used. Certificates for HTTPS, LDAP are examples.
• Checks features and protocols for non-compliant encryption algorithms. For example, SMB uses encryption
  algorithms that are not FIPS 140-2-compliant.
• Validates Minimum Certificate Key Length configuration is FIPS compliant (must be 2048 bit).
• Performs CAC, PIV, and .NET card validation.
• Verifies Digital Signing and Encrypted e-mail is FIPS 140-2 compliant.
• IPSec over IPv6 and IPv4 are FIPS 140-2 compliant.
When validation is complete, information and links display in a table at the bottom of the FIPS 140-2 configuration page
of the WebUI.
• Click the appropriate link to disable a non-compliant feature or protocol.
• Click the appropriate link to replace any non-compliant certificates.
• Click the appropriate link to acknowledge that you allow the printer to use non-compliant features and protocols.
4.8 Email Signing and Encryption to Self
The device is capable of signing and encrypting emails when the user is authenticated to the device using a CAC,
.NET or PIV smart card containing appropriate signing and encryption certificates. The device allows signing to
multiple recipients using the SHA256 hash algorithm. The device allows encryption to the authenticated user only,
supporting 3DES and AES encryption.
When enabled, the configuration options let the system administrator either allow the user to choose signing
and encryption on a job-by-job basis, or require one or the other for all jobs.
NOTE: The crypto algorithms used for smart card authentication and encryption are FIPS validated, but the signing
algorithm is not.
5.1. Security @ Xerox (www.xerox.com/security)
Xerox maintains an evergreen public web page that contains the latest security information pertaining to its products.
Please see http://www.xerox.com/security.
Xerox has created a document which details the Xerox Vulnerability Management and Disclosure Policy used in
discovery and remediation of vulnerabilities in Xerox software and hardware. It can be downloaded from this page:
http://www.xerox.com/information-security/information-security-articles-whitepapers/enus.html
APPENDICES
Appendix A – Abbreviations
API           Application Programming Interface
AMR           Automatic Meter Reads
ASIC          Application-Specific Integrated Circuit. This is a custom integrated circuit that is unique to a specific product.
CAT           Customer Administration Tool
CSE           Customer Service Engineer
DADF/DADH     Duplex Automatic Document Feeder/Handler
DHCP          Dynamic Host Configuration Protocol
DNS           Domain Name Server. A centralized database that maps host names to static IP addresses.
DDNS          Dynamic Domain Name Server. Maps host names to dynamic static IP addresses.
DRAM          Dynamic Random Access Memory
EEPROM        Electrically erasable programmable read only memory
EGP           Exterior Gateway Protocol
GB            Gigabyte
HP            Hewlett-Packard
HTTP          Hypertext transfer protocol
IBM           International Business Machines
ICMP          Internet Control Message Protocol
IETF          Internet Engineering Task Force
IFAX          Internet Fax
IIO           Immediate Image Overwrite
IIT           Image Input Terminal (the scanner)
IT            Information Technology
IOT           Image Output Terminal (the marking engine)
IP            Internet Protocol
IPSec         Internet Protocol Security
IPX           Internet Protocol Exchange
LAN           Local Area Network
LDAP          Lightweight Directory Access Protocol
LDAP Server   Lightweight Directory Access Protocol Server. Typically the same server that is used for email. It contains information about users such as name, phone number, and email address. It can also include a user’s login alias.
LED           Light Emitting Diode
LPR           Line Printer Request
MAC           Media Access Control
MIB           Management Information Base
n/a           not applicable
NDPS          Novell Distributed Print Services
NETBEUI       NETBIOS Extended User Interface
NETBIOS       Network Basic Input/Output System
NOS           Network Operating System
NVRAM         Non-Volatile Random Access Memory
NVM           Non-Volatile Memory
ODIO          On-Demand Image Overwrite
PCL           Printer Control Language
PDL           Page Description Language
PIN           Personal Identification Number
PWBA          Printed Wire Board Assembly
PWS           Common alternative for PSW
RFC           Required Functional Capability
SA            System Administrator
SFTP          Secure File Transfer Protocol
SLP           Service Location Protocol
SNMP          Simple Network Management Protocol
SRAM          Static Random Access Memory
SSDP          Simple Service Discovery Protocol
SSL           Secure Sockets Layer
TCP           Transmission Control Protocol
TLS           Transport Layer Security
TIFF          Tagged Image File Format
UI            User Interface
URL           Uniform Resource Locator
UDP           User Datagram Protocol
WebUI         Web User Interface – the web pages resident in the WorkCentre Pro. These are accessible through any browser using the machine’s IP address as the URL.
XCMI          Xerox Common Management Interface
XSA           Xerox Standard Accounting