Lexmark cutting-edge security for printers and MFPs

Lexmark Security Features
Corporate data is your most valuable asset.
Lexmark helps you keep it that way!
You’re about to add a new device to your network. Is it safe? Are you sure? Does it prevent unauthorised access? Does it compromise the
security of your network? How do you know? There are so many critical questions to consider before ‘inviting’ a new printer or MFP into your
business. Like anything running on your network, printers and MFPs are complex devices that can present risks if not secured properly.
Lexmark creates network devices with security in mind. Our printers and MFPs are armed with a robust range of high-end features that protect your data and documents throughout your workflow, from the data travelling through your network to the pages landing in the output tray. Have a look through this brochure to see what we’re doing to keep your business
Secure Remote Management
Powerful features to manage your devices securely and

To manage a fleet of networked printers in an efficient and effective manner, remote management is a must. But remote management needs to be secure. The device must only allow authorised people to configure it, while keeping other unauthorised users out.

The process of managing the device must also be secured so that the network traffic associated with the remote management can’t be sniffed, stolen, or abused. Lexmark devices include a variety of features to make remote device management easier and more secure. These features can be configured through the device’s embedded Web page.

Audit Logging: By enabling Audit Logging, Lexmark devices have the ability to track security-related events. The features of this function include: tracking event types, export capabilities, log full behaviour and more. The benefits of enabling Audit Logging include mitigating exposures through event tracking, proactively tracking and identifying potential risks, and integration with your intrusion-detection system for proactive real-time tracking. There are over 100 variables and events tracked within the

Digitally Signed Firmware Updates: Printers and MFPs automatically inspect downloaded firmware upgrades for the appropriate Lexmark digital signatures. Firmware that’s not correctly packaged and signed by Lexmark is rejected. This ensures that non-approved firmware is never run on the devices, which avoids exposing them to malicious software, such as viruses and

Certificate Management: Printers and MFPs use certificates for HTTPS, SSL, IPSec, and 802.1x authentications. The Certificate Management feature allows the devices to integrate with a public key infrastructure (PKI) environment by allowing devices to set up trusted communication transports for 802.1x, IPSec, certificate authorisation for validating domain controller certificates, EWS and LDAP SSL or any other service that uses SSL.

HTTPS: HTTPS provides a means to securely manage networked printers and MFPs. It allows Web traffic to be encrypted so that remote management via the device’s embedded Web page can be performed securely.

SNMPv3: SNMP is a standard network-management protocol. Version 3 of the protocol includes extensive security capabilities. Lexmark printers and MFPs support SNMPv3, including the authentication and data-encryption components, allowing for secure remote management of the devices. SNMPv1 and SNMPv2 are also supported and can be configured and/or disabled independently.

IPv6: IPv6 is supported on printers and MFPs to allow connectivity to IPv6 networks.

Secure Password Reset: The Secure Password Reset feature can reset the access-control setting on the device’s security menu to allow access in the event that an administrative password is lost or forgotten, or when the device has lost network connectivity. This is accomplished using a firmware setting on the device’s embedded Web page and adjusting a jumper on the device system board.

Backup Password: Backup Password provides access to the security menu of the device regardless of the assigned protection method or the availability of that method. For example, if an LDAP server or network is unavailable, an administrator would still have access to the security menu of the device to make the necessary adjustments for accessing the device.
Secure Network Interfaces
Protecting your devices from hackers
and viruses
Hardening a networked device is the process of securing the device’s network interfaces. This includes eliminating unneeded or unused features and functions to prevent their abuse, locking down any interfaces that remain, and securing the data hosted by the device. Lexmark printers and MFPs include a variety of mechanisms to facilitate the device hardening processes.

TCP Connection Filtering: Printers and MFPs can be configured to allow TCP/IP connections only from a specified list of TCP/IP addresses. This disallows all TCP connections from other addresses, which protects the device against unauthorised printing and configuration. TCP Connection Filtering is configured by populating the restricted server list field.

Port Filtering: The network ports through which printers and MFPs listen to or transmit network traffic are configurable, allowing a huge degree of control over the device’s network activity. By filtering out traffic on specific network ports, protocols such as telnet, FTP, SNMP, HTTP and many others can be disallowed

802.1x: 802.1x port authentication allows printers and MFPs to join wired and wireless networks by requiring the devices to authenticate prior to accessing the network. 802.1x port authentication can be used with the Wi-Fi Protected Access feature of an optional wireless print server to provide WPA Enterprise security support.

IPSec: IPSec secures all network traffic to and from Lexmark devices with encryption and authentication, allowing data to be sent to printers and MFPs securely. IPSec allows scanned data to be transmitted over the network in an encrypted format. This can protect the contents of jobs that are scanned to any destination, including servers running Lexmark Document Distributor, email and network storage.

Secure SNTP: Lexmark devices support the use of Secure Network Time Protocol (SNTP), which is used for clock synchronisation of various devices on the network. To support the main requirement for an SNTP implementation, Lexmark devices support an Authenticator and Authorisation field within our SNTP configuration.

Fax/Network Separation: Lexmark offers a variety of MFP devices that provide capability for both network and fax modem. In security-critical network environments, the combination of these two features on a single device may be a concern. However, Lexmark designs its MFPs to operate in such a way that the device hardware and firmware keep these mechanisms separate, which prevents any direct interaction between the modem and network adapter. In addition, the modem can only accept image data associated with a fax transmission. Any other data, whether for remote access or network or firmware updates, is declared invalid and will cause the device to disconnect the telephone connection.
Secure Data on Hard Disk
Encrypting, wiping and physically defending your stored data

To extend the capabilities and functionality of our devices, Lexmark equips some of its printers and multifunction products with internal hard disks to store images of documents for job processing. Lexmark offers effective security controls to enhance the security of data that is stored on or passes through the hard disk, or to impede malicious users from gaining physical access to the hard disk.

Hard Disk Encryption: Hard disks in printers and MFPs can be configured to use encryption. An Advanced Encryption Standard (AES) key, up to 256 bits, is internally generated by the printer or MFP and used to encrypt all data on the hard disk. The key is stored non-contiguously on the device, making the contents of the hard disk accessible only on the original printer or MFP. The data on a stolen hard disk would not be accessible even if the hard disk were installed in an identical model of printer or

Secure Hard Disk Wiping: The data on a hard disk can be sanitised so that no residual data can be read. Hard disk wiping can be configured for manual, automatic or scheduled mode. A multi-pass wipe is offered, which conforms to National Institute of Standards and Technology (NIST) and Department of Defense (DOD) standards.

Physical Lock Support: Lexmark printers and MFPs support Kensington-style locks, which allow the devices to be physically secured. Locking a printer or MFP also locks down the metal cage that houses hard disks and optional components, helping to prevent tampering or theft.

Non-Volatile Memory Wipe: The non-volatile memory wipe provides a tool for erasing all contents stored on the various forms of flash memory contained on the device. This feature is a complete clearing of all settings, solutions, jobs and faxes on the device. It was designed to be utilised when the Lexmark device is to be retired, recycled or otherwise removed from a customer’s secure environment.

Secure Access
Everyday operation made simpler and safer

Network scan and print data are overlooked areas when it comes to network security. Documents routinely contain sensitive information, like financial data, information that personally identifies customers or employees, and account information.

Printing and imaging devices are commonly located in high-traffic areas with only basic physical security. In this environment, it’s very easy for confidential information to end up in the wrong hands, either accidentally or
Lexmark devices include standard features that can substantially reduce this

Protected USB Ports: Lexmark laser printers and MFPs include support for USB devices, which may cause concern in security-critical environments. However, Lexmark’s USB host ports have various mechanisms in place to keep them from being used in a malicious manner. These protections include, among others, access restriction through authentication, file-type parameters, device-interaction scheduling, boot-support interdiction, and the ability to disable the USB host port completely.

LDAP Address Book Lookup: When sending emails or faxes, users can look up the recipients’ email addresses and fax numbers. Lexmark MFPs use LDAP to perform lookups by directing queries to your corporate directory server.

Secure LDAP: All LDAP traffic to and from Lexmark devices can be secured with TLS/SSL. LDAP information such as credentials, names, email addresses and fax numbers exchanged over a TLS/SSL connection ensures the information is encrypted to preserve the confidentiality and privacy of the

Authentication and Authorisation: Device functions can be restricted so that users must authenticate prior to accessing the functions of the device, such as copy, fax, scan to email, scan to network folder, workflow scripts and/or embedded applications. Lexmark devices can be configured to authenticate users against internal accounts, passwords and/or PINs. Lexmark devices can also be configured to authenticate users against a corporate directory via NTLM, Kerberos 5, LDAP, and/
These authentication methods are secure if done over an SSL channel, and are compatible with Active Directory and other directory-server platforms. In addition to authentication, device functions can be restricted via user or group-based authorisation, which limits particular device functions to a user/group membership within a corporate directory infrastructure.

Auto-Insertion of Sender’s Email Address: When a user authenticates in order to scan a document to email, the email address of the sender is automatically looked up and inserted into the ‘From’ field. This lets the recipient see clearly that the email was generated by that individual, not anonymously or from the MFP.

Security Templates: Security templates are used to restrict access and are made from one or more building blocks. Security templates are defined by the device administrator and appear in the Access Control drop-down menu. The templates are applied to specific menus and workflows on the Lexmark device. The breadth that a security template can cover is large, providing control over some of the most important security settings on the Lexmark

Access controls: Access controls allow you to choose from a drop-down list of available security templates to control local and remote access to specific menus, functions and workflows. It also provides the ability to disable functions entirely. Over 50 access controls are available, providing greater flexibility for your unique environment. Examples of available access controls include those for device functions (copy, print, fax, scan to email, FTP, held jobs, address book and others), security menus, firmware updates, embedded applications, device menu settings (reports, paper, settings, network/ports and others), operator-panel lockout, remote management settings and more.

Login Restrictions: You can prevent unauthorised use of a device by restricting the number of consecutive failed logins. When this limit is exceeded, the device is locked for a predetermined amount of time specified by the administrator. These settings can be configured when utilising login restrictions on the Lexmark device. In addition, the home screen and remote login timeouts can be adjusted within the login restriction configuration settings. With Audit Logging enabled, the device will track the security events related to the login

Operator Panel Lock: The Operator Panel Lock feature allows a device to be put in a locked state so that the operator panel cannot allow any user operations or configuration. It cannot copy or scan jobs, it cannot be reconfigured via the operator panel, and incoming jobs will not sit exposed in the output bin. If the device has a hard disk, incoming print and fax jobs are stored on the hard disk instead of being printed. The device can be unlocked by entering an authorised user’s credentials, at which time the held jobs will be printed and the device will resume its normal operation.

Confidential Print: Print jobs are held in RAM or on the hard disk until the intended recipient enters the appropriate PIN and releases the job for printing. Held jobs can be set to expire after an elapsed time (configurable from one hour to one week). In addition, a limit can be set on the number of times a PIN can be entered incorrectly before the corresponding jobs are purged.

PrintCryption Card: The Lexmark PrintCryption™ Application Solution brings strengthened security to your corporate environment by protecting sensitive information as it is printed via encryption and decryption capabilities on your network devices. This level of printing security is ideal for businesses handling highly confidential, personnel, financial, medical, technical or proprietary business information.

Incoming Fax Holding: Lexmark devices can be configured to hold rather than print incoming faxes during scheduled times. Incoming faxes are held securely on the hard disk until the proper credentials have been entered on the Lexmark device. Examples of credentials include a PIN, password and user network ID and password.
Common Criteria

IEEE 2600: Many Lexmark MFPs have achieved the Common Criteria Validation, but our products have also been designed to meet the most strict operational environment standard outlined by the IEEE 2600 Working Group. The working group was formed to create security standards for Hardcopy Devices, drawn from the collective experience of dozens of individuals from major hardcopy device manufacturers, test labs, government agencies, and other organizations. In 2008, the IEEE 2600 standards were adopted by the National Information Assurance Partnership (NIAP) to be used as a basis for a product evaluation otherwise known as a protection profile.

Fax Security Q&A

Can my MFP’s data be accessed through an outside telephone connection?
No, not with Lexmark devices! Although some devices allow for remote access and control – via protocols such as Telnet – Lexmark products are not equipped for such activity. Lexmark MFPs do not allow any kind of configuration by telephone. Likewise, there is no diagnostic mode that external mechanisms could use to control the modem’s behaviour or to reconfigure it. The only thing your analogue telephone modem can do is send and receive fax information.

Are the fax card and network card completely linked to each other?
The internal network-adapter functions are implemented separately from the modem and both reside in different component groups. A cable connects the fax card to a child card, while the network adapter is directly on the MFP’s main board. The fax connection and the interaction with the network adapter are handled by the Lexmark firmware, which is configured to prevent direct interaction between the fax and the network components.

Can I update my MFP’s firmware through the
No executable code can be accepted by your Lexmark fax modem or firmware. They’re designed to accept only image data. If the incoming data does not represent an image, then the data is declared as invalid. It is not possible to package changed firmware – or any other type of code – as a fax job and reach the MFP in working order.

Things to know about Lexmark USB host ports

What these ports CAN do: Display images from your USB thumb drive, display flash files by name (if a flash file is selected, the printer firmware will be updated as long as firmware updates are allowed in the security settings), select the jobs to print, and allow you to scan data directly to a USB thumb drive if it is available in a supported scan format.

What these ports CANNOT do: Connect or use any form of USB device other than mass storage ones, card readers or human interface devices (HID); submit or process PCL, PostScript or other printer-data streams; submit any sort of data; record any sort of data from the printer; execute code; or boot the printer from a USB-attached device.

Disabling USB drives: You can easily disable the USB port on your Lexmark device through your device’s embedded Web server. This is particularly important for companies whose security policies or regulations forbid such functions.

Elevated security: The USB port provided on the front of your device is designed to restrict the type of operations that can be carried out, in order to avoid security exposures to the product or customer environment. Additionally, device administrators have the ability to restrict access to USB host ports through the use of authentication and authorisation function access controls, which can be tailored to meet the corporate network security policies.
Multifunction Printers
Single Function Printers
Monochrome Printers
Colour Printers
A4 Paper Size
A3 Paper Size
Secure Remote Management
Audit Logging
Digitally Signed Firmware Updates
Certificate Management
Secure Password Reset
Backup Password
Secure Network Interfaces
TCP Connection Filtering
Port Filtering
Secure SNTP
Fax/Network Separation
Secure Settings and Data on Hard Disk
Hard Disk Encryption 2
Hard Disk Wiping 2
Physical Lock Support
Non-Volatile Memory Wipe
Secure Access
Protected USB Ports (Schedule USB Devices)
LDAP Address Book Lookup
Secure LDAP
Auto-Insertion of Sender's Email Address
Security Templates
Access Controls
Login Restrictions
Operator Panel Lock
Confidential Print
PrintCryption Card (Optional)
Incoming Fax Holding
Common Criteria Certified (MFPs)
DW models only / Through the wireless port on wireless models only
Available on selected models with hard disk standard or support optional hard disk upgrade
Optional for X463 and X86xdeV3 models
For administration menus access: user name and password for the embedded web server
and PIN for front panel access
Lexmark security features
Output security is a very complex topic that requires a number of important aspects to be
addressed. Lexmark printers and MFPs are armed with a wide range of state-of-the-art
features that help you protect your devices, your infrastructure, your documents and your
sensitive data.
For more information on Lexmark products and services please visit www.lexmark.com
Lexmark reserves the right to change specifications or other product information without notice. References in this publication to Lexmark products or services do not imply that Lexmark intends to make them available in all countries in
PURPOSE. Buyers should consult other sources of information, including benchmark data, to evaluate the performance of a solution they are considering buying. Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other countries. All other trademarks are the property of their respective owners. © 2011 Lexmark International, Inc., 740 W. New Circle Rd., Lexington, KY 40550.