Lexmark Security Features
Lexmark cutting-edge security for printers and MFPs

Corporate data is your most valuable asset. Lexmark helps you keep it that way!

You’re about to add a new device to your network. Is it safe? Are you sure? Does it prevent unauthorised access? Does it compromise the security of your network? How do you know? There are so many critical questions to consider before ‘inviting’ a new printer or MFP into your business. Like anything running on your network, printers and MFPs are complex devices that can present risks if not secured properly. Lexmark creates network devices with security in mind. Our printers and MFPs are armed with a robust range of high-end features that protect your data and documents throughout your workflow, from the data travelling through your network to the pages landing in the output tray. Have a look through this brochure to see what we’re doing to keep your business safe.

Secure Remote Management
Powerful features to manage your devices securely and efficiently

To manage a fleet of networked printers in an efficient and effective manner, remote management is a must. But remote management needs to be secure. The device must only allow authorised people to configure it, while keeping other unauthorised users out. The process of managing the device must also be secured so that the network traffic associated with the remote management can’t be sniffed, stolen, or abused. Lexmark devices include a variety of features to make remote device management easier and more secure. These features can be configured through the device’s embedded Web page.

Audit Logging: By enabling Audit Logging, Lexmark devices have the ability to track security-related events. The features of this function include: tracking event types, export capabilities, log full behaviour and more. The benefits of enabling Audit Logging include mitigating exposures through event tracking, proactively tracking and identifying potential risks, and integration with your intrusion-detection system for proactive real-time tracking. There are over 100 variables and events tracked within the device.

Digitally Signed Firmware Updates: Printers and MFPs automatically inspect downloaded firmware upgrades for the appropriate Lexmark digital signatures. Firmware that’s not correctly packaged and signed by Lexmark is rejected. This ensures that non-approved firmware is never run on the devices, which avoids exposing them to malicious software, such as viruses and worms.

Certificate Management: Printers and MFPs use certificates for HTTPS, SSL, IPSec, and 802.1x authentications. The Certificate Management feature allows the devices to integrate with a public key infrastructure (PKI) environment by allowing devices to set up trusted communication transports for 802.1x, IPSec, certificate authorisation for validating domain controller certificates, EWS and LDAP SSL or any other service that uses SSL.

HTTPS: HTTPS provides a means to securely manage networked printers and MFPs. It allows Web traffic to be encrypted so that remote management via the device’s embedded Web page can be performed securely.

SNMPv3: SNMP is a standard network-management protocol. Version 3 of the protocol includes extensive security capabilities. Lexmark printers and MFPs support SNMPv3, including the authentication and data-encryption components, allowing for secure remote management of the devices. SNMPv1 and SNMPv2 are also supported and can be configured and/or disabled independently.

IPv6: IPv6 is supported on printers and MFPs to allow connectivity to IPv6 networks.

Secure Password Reset: The Secure Password Reset feature can reset the access-control setting on the device’s security menu to allow access in the event that an administrative password is lost or forgotten, or when the device has lost network connectivity. This is accomplished using a firmware setting on the device’s embedded Web page and adjusting a jumper on the device system board.

Backup Password: Backup Password provides access to the security menu of the device regardless of the assigned protection method or the availability of that method. For example, if an LDAP server or network is unavailable, an administrator would still have access to the security menu of the device to make the necessary adjustments for accessing the device.

Secure Network Interfaces
Protecting your devices from hackers and viruses

Hardening a networked device is the process of securing the device’s network interfaces. This includes eliminating unneeded or unused features and functions to prevent their abuse, locking down any interfaces that remain, and securing the data hosted by the device. Lexmark printers and MFPs include a variety of mechanisms to facilitate the device hardening processes.

TCP Connection Filtering: Printers and MFPs can be configured to allow TCP/IP connections only from a specified list of TCP/IP addresses. This disallows all TCP connections from other addresses, which protects the device against unauthorised printing and configuration. TCP Connection Filtering is configured by populating the restricted server list field.

Port Filtering: The network ports through which printers and MFPs listen to or transmit network traffic are configurable, allowing a huge degree of control over the device’s network activity. By filtering out traffic on specific network ports, protocols such as telnet, FTP, SNMP, HTTP and many others can be disallowed explicitly.

802.1x: 802.1x port authentication allows printers and MFPs to join wired and wireless networks by requiring the devices to authenticate prior to accessing the network. 802.1x port authentication can be used with the Wi-Fi Protected Access feature of an optional wireless print server to provide WPA Enterprise security support.

IPSec: IPSec secures all network traffic to and from Lexmark devices with encryption and authentication, allowing data to be sent to printers and MFPs securely. IPSec allows scanned data to be transmitted over the network in an encrypted format. This can protect the contents of jobs that are scanned to any destination, including servers running Lexmark Document Distributor, email and network storage.

Secure SNTP: Lexmark devices support the use of Secure Network Time Protocol (SNTP), which is used for clock synchronisation of various devices on the network. To support the main requirement for an SNTP implementation, Lexmark devices support an Authenticator and Authorisation field within our SNTP configuration.

Fax/Network Separation: Lexmark offers a variety of MFP devices that provide capability for both network and fax modem. In security-critical network environments, the combination of these two features on a single device may be a concern. However, Lexmark designs its MFPs to operate in such a way that the device hardware and firmware keep these mechanisms separate, which prevents any direct interaction between the modem and network adapter. In addition, the modem can only accept image data associated with a fax transmission. Any other data, whether for remote access or network or firmware updates, is declared invalid and will cause the device to disconnect the telephone connection.

Secure Data on Hard Disk
Encrypting, wiping and physically defending your stored data

To extend the capabilities and functionality of our devices, Lexmark equips some of its printers and multifunction products with internal hard disks to store images of documents for job processing. Lexmark offers effective security controls to enhance the security of data that is stored on or passes through the hard disk, or to impede malicious users from gaining physical access to the hard disk.

Hard Disk Encryption: Hard disks in printers and MFPs can be configured to use encryption. An Advanced Encryption Standard (AES) key, up to 256 bits, is internally generated by the printer or MFP and used to encrypt all data on the hard disk. The key is stored non-contiguously on the device, making the contents of the hard disk accessible only on the original printer or MFP. The data on a stolen hard disk would not be accessible even if the hard disk were installed in an identical model of printer or MFP.

Secure Hard Disk Wiping: The data on a hard disk can be sanitised so that no residual data can be read. Hard disk wiping can be configured for manual, automatic or scheduled mode. A multi-pass wipe is offered, which conforms to National Institute of Standards and Technology (NIST) and Department of Defense (DOD) standards.

Physical Lock Support: Lexmark printers and MFPs support Kensington-style locks, which allow the devices to be physically secured. Locking a printer or MFP also locks down the metal cage that houses hard disks and optional components, helping to prevent tampering or theft.

Non-Volatile Memory Wipe: The non-volatile memory wipe provides a tool for erasing all contents stored on the various forms of flash memory contained on the device. This feature is a complete clearing of all settings, solutions, jobs and faxes on the device. It was designed to be utilised when the Lexmark device is to be retired, recycled or otherwise removed from a customer’s secure environment.

Protected USB Ports: Lexmark laser printers and MFPs include support for USB devices, which may cause concern in security-critical environments. However, Lexmark’s USB host ports have various mechanisms in place to keep them from being used in a malicious manner. These protections include, among others, access restriction through authentication, file-type parameters, device-interaction scheduling, boot-support interdiction, and the ability to disable the USB host port completely.

Secure Access
Everyday operation made simpler and safer

Network scan and print data are overlooked areas when it comes to network security. Documents routinely contain sensitive information, like financial data, information that personally identifies customers or employees, and account information. Printing and imaging devices are commonly located in high-traffic areas with only basic physical security. In this environment, it’s very easy for confidential information to end up in the wrong hands, either accidentally or intentionally. Lexmark devices include standard features that can substantially reduce this vulnerability.

LDAP Address Book Lookup: When sending emails or faxes, users can look up the recipients’ email addresses and fax numbers. Lexmark MFPs use LDAP to perform lookups by directing queries to your corporate directory server.

Secure LDAP: All LDAP traffic to and from Lexmark devices can be secured with TLS/SSL. LDAP information such as credentials, names, email addresses and fax numbers is exchanged over a TLS/SSL connection, so the information is encrypted to preserve the confidentiality and privacy of the data.

Authentication and Authorisation: Device functions can be restricted so that users must authenticate prior to accessing the functions of the device, such as copy, fax, scan to email, scan to network folder, workflow scripts and/or embedded applications. Lexmark devices can be configured to authenticate users against Internal accounts, passwords and/or PINs. Lexmark devices can also be configured to authenticate users against a corporate directory via NTLM, Kerberos 5, LDAP, and/or LDAP+GSSAPI.
These authentication methods are secure if done over an SSL channel and are compatible with Active Directory and other directory-server platforms. In addition to authentication, device functions can be restricted via user or group-based authorisation, which limits particular device functions to a user/group membership within a corporate directory infrastructure.

Auto-Insertion of Sender’s Email Address: When a user authenticates in order to scan a document to email, the email address of the sender is automatically looked up and inserted into the ‘From’ field. This lets the recipient see clearly that the email was generated by that individual, not anonymously or from the MFP.

Security Templates: Security templates are used to restrict access and are made from one or more building blocks. Security templates are defined by the device administrator and appear in the Access Control drop-down menu. The templates are applied to specific menus and workflows on the Lexmark device. The breadth that a security template can cover is large, providing control over some of the most important security settings on the Lexmark device.

Access controls: Access controls allow you to choose from a drop-down list of available security templates to control local and remote access to specific menus, functions and workflows. It also provides the ability to disable functions entirely. Over 50 access controls are available, providing greater flexibility for your unique environment. Examples of available access controls include those for device functions (copy, print, fax, scan to-email, FTP, held jobs, address book and others), security menus, firmware updates, embedded applications, device menu settings (reports, paper, settings, network/ports and others), operator-panel lockout, remote management settings and more.

Login Restrictions: You can prevent unauthorised use of a device by restricting the number of consecutive failed logins. When this limit is exceeded, the device is locked for a predetermined amount of time specified by the administrator. These settings can be configured when utilising login restrictions on the Lexmark device. In addition, the home screen and remote login timeouts can be adjusted within the login restriction configuration settings. With Audit Logging enabled, the device will track the security events related to the login restrictions.

Operator Panel Lock: The Operator Panel Lock feature allows a device to be put in a locked state so that the operator panel cannot allow any user operations or configuration. It cannot copy or scan jobs, it cannot be reconfigured via the operator panel, and incoming jobs will not sit exposed in the output bin. If the device has a hard disk, incoming print and fax jobs are stored on the hard disk instead of being printed. The device can be unlocked by entering an authorised user’s credentials, at which time the held jobs will be printed and the device will resume its normal operation.

Confidential Print: Print jobs are held in RAM or on the hard disk until the intended recipient enters the appropriate PIN and releases the job for printing. Held jobs can be set to expire after an elapsed time (configurable from one hour to one week). In addition, a limit can be set on the number of times a PIN can be entered incorrectly before the corresponding jobs are purged.

PrintCryption Card: The Lexmark PrintCryption™ Application Solution brings strengthened security to your corporate environment by protecting sensitive information as it is printed via encryption and decryption capabilities on your network devices. This level of printing security is ideal for businesses handling highly confidential, personnel, financial, medical, technical or proprietary business information.

Incoming Fax Holding: Lexmark devices can be configured to hold rather than print incoming faxes during scheduled times. Incoming faxes are held securely on the hard disk until the proper credentials have been entered on the Lexmark device. Examples of credentials include a PIN, password and user network ID and password.

Common Criteria

IEEE 2600: Many Lexmark MFPs have achieved the Common Criteria Validation, but our products have also been designed to meet the most strict operational environment standard outlined by the IEEE 2600 Working Group. The working group was formed to create security standards for Hardcopy Devices, drawn from the collective experience of dozens of individuals from major hardcopy device manufacturers, test labs, government agencies, and other organizations. In 2008, the IEEE 2600 standards were adopted by the National Information Assurance Partnership (NIAP) to be used as a basis for a product evaluation otherwise known as a protection profile.

Fax Security Q&A

Can my MFP’s data be accessed through an outside telephone connection?
No, not with Lexmark devices! Although some devices allow for remote access and control – via protocols such as Telnet – Lexmark products are not equipped for such activity. Lexmark MFPs do not allow any kind of configuration by telephone. Likewise, there is no diagnostic mode that external mechanisms could use to control the modem’s behaviour or to reconfigure it. The only thing your analogue telephone modem can do is send and receive fax information.

Are the fax card and network card completely linked to each other?
The internal network-adapter functions are implemented separately from the modem and both reside in different component groups. A cable connects the fax card to a child card, while the network adapter is directly on the MFP’s main board. The fax connection and the interaction with the network adapter are handled by the Lexmark firmware, which is configured to prevent direct interaction between the fax and the network components.

Can I update my MFP’s firmware through the telephone?
No executable code can be accepted by your Lexmark fax modem or firmware. They’re designed to accept only image data. If the incoming data does not represent an image, then the data is declared as invalid. It is not possible to package changed firmware – or any other type of code – as a fax job and reach the MFP in working order.

Things to know about Lexmark USB host ports

What these ports CAN do: Display images from your USB thumb drive, display flash files by name (if a flash file is selected, the printer firmware will be updated as long as firmware updates are allowed in the security settings), select the jobs to print, and allow you to scan data directly to a USB thumb drive if it is available in a supported scan format.

What these ports CANNOT do: Connect or use any form of USB device other than mass storage ones, card readers or human interface devices (HID); submit or process PCL, PostScript or other printer-data streams; submit any sort of data; record any sort of data from the printer; execute code; or boot the printer from a USB-attached device.

Disabling USB drives: You can easily disable the USB port on your Lexmark device through your device’s embedded Web server. This is particularly important for companies whose security policies or regulations forbid such functions.

Elevated security: The USB port provided on the front of your device is designed to restrict the type of operations that can be carried out, in order to avoid security exposures to the product or customer environment. Additionally, device administrators have the ability to restrict access to USB host ports through the use of authentication and authorisation function access controls, which can be tailored to meet the corporate network security policies.

[Table: Security Function by Models. Column groups: Multifunction Printers and Single Function Printers; Monochrome Printers and Colour Printers; A4 Paper Size and A3 Paper Size. Rows, by category:]

Secure Remote Management: Audit Logging; Digitally Signed Firmware Updates; Certificate Management; HTTPS; SNMPv3; IPv6; Secure Password Reset; Backup Password

Secure Network Interfaces: TCP Connection Filtering; Port Filtering; 802.1x; IPSec; Secure SNTP; Fax/Network Separation

Secure Settings and Data on Hard Disk: Hard Disk Encryption; Hard Disk Wiping; Physical Lock Support; Non-Volatile Memory Wipe

Secure Access: Protected USB Ports (Schedule USB Devices); LDAP Address Book Lookup; Secure LDAP; Authentication; Authorisation; Auto-Insertion of Sender's Email Address; Security Templates; Access Controls; Login Restrictions; Operator Panel Lock; Confidential Print; PrintCryption Card (Optional); Incoming Fax Holding; Common Criteria Certified (MFPs)

Table notes:
1 DW models only / Through the wireless port on wireless models only
2 Available on selected models with hard disk standard or support optional hard disk upgrade
3 Optional for X463 and X86xdeV3 models
4 For administration menus access: user name and password for the embedded web server and PIN for front panel access

Lexmark security features

Output security is a very complex topic that requires a number of important aspects to be addressed. Lexmark printers and MFPs are armed with a wide range of state-of-the-art features that help you protect your devices, your infrastructure, your documents and your sensitive data.

For more information on Lexmark products and services please visit www.lexmark.com

Lexmark reserves the right to change specifications or other product information without notice. References in this publication to Lexmark products or services do not imply that Lexmark intends to make them available in all countries in which Lexmark operates. LEXMARK PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Buyers should consult other sources of information, including benchmark data, to evaluate the performance of a solution they are considering buying. Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other countries. All other trademarks are the property of their respective owners. © 2011 Lexmark International, Inc., 740 W. New Circle Rd., Lexington, KY 40550.