Fax/Network Data Security and Lexmark Multifunction Products. Version 3.3



Similar documents
NERC CIP Requirements and Lexmark Device Security

Safe and Secure Faxing with Dialogic Brooktrout Fax Boards

HP LaserJet MFP Analog Fax Accessory 300 Send Fax Driver Guide

Miami University. Payment Card Data Security Policy

DATA SECURITY AGREEMENT. Addendum # to Contract #

User Authentication Job Tracking Fax Transmission via RightFax Server Secure Printing Functions HDD/Memory Security Fax to Ethernet Connection

Network Security Policy

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Are your multi-function printers a security risk? Here are five key strategies for safeguarding your data

Securing Network Print Jobs


Sample Career Ladder/Lattice for Information Technology

User Authentication Job Tracking Fax Transmission via RightFax Server Secure Printing Functions HDD/Memory Security Fax to Ethernet Connection Data

Executive Summary and Purpose

Evaluation. Common Criteria. Questions & Answers Xerox and Canon. Xerox Advanced Multifunction Systems

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

Columbus Police Division Directive. I. Definitions. May 15, REVISED. Division Computer Systems

SOFTWARE SETUP GUIDE DIGITAL MULTIFUNCTIONAL SYSTEM

University of Wisconsin-Madison Policy and Procedure

Telecommunications systems (Part 1)

Samsung device management solutions Manage, monitor and diagnose multiple print devices easily and cost effectively

PDFSealer User s Guide. ITEKSOFT Corporation Copyright All rights reserved

MCOLES Information and Tracking Network. Security Policy. Version 2.0

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010

User Document. Adobe Acrobat 7.0 for Microsoft Windows Group Policy Objects and Active Directory

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

Oracle Enterprise Manager

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

Three significant risks of FTP use and how to overcome them

INFORMATION SECURITY California Maritime Academy

Glossary of Telco Terms

T.38 fax transmission over Internet Security FAQ

Temperature & Humidity SMS Alert Controller

Release Notes for Dominion SX Firmware 3.1.6

use it Messaging Fax Over IP (FoIP) Overview

SOFTWARE SETUP GUIDE DIGITAL MULTIFUNCTIONAL SYSTEM

Oracle Retail Point-of-Service with Mobile Point-of-Service

Oracle Utilities Integration for Device Operations

Secure Configuration Guide

COMPUTER, INTERNET, & USE POLICY

technical brief browsing to an installation of HP Web Jetadmin. Internal Access HTTP Port Access List User Profiles HTTP Port

MISSISSIPPI DEPARTMENT OF HEALTH COMPUTER NETWORK AND INTERNET ACCESS POLICY

Application Note. Terminal Server G6

GSC/VRC IP Converter. Installation and Operation Manual

MULTIFUNCTIONAL DIGITAL SYSTEMS. Operator s Manual for AddressBook Viewer

PROCEDURE FOR TELEPHONY SYSTEM OF LAKEHEAD UNIVERSITY

University of Cincinnati Limited HIPAA Glossary

Information Security and Electronic Communications Acceptable Use Policy (AUP)

Installing Cable Modem Software Drivers

Oracle Enterprise Manager

Oracle Enterprise Manager Ops Center. Ports and Protocols. Ports and Protocols 12c Release 3 ( )

SUN COBALT Qube 3 Appliance FAQ

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

GFI White Paper: GFI FaxMaker and HIPAA compliance

Oracle Enterprise Manager

Secure Data Center Operations Gilbert Held Payoff

Lab Developing ACLs to Implement Firewall Rule Sets

Oracle Health Sciences Network. 1 Introduction. 1.1 General Security Principles

FB-500A User s Manual

im5530 / im6030 / im7230 / im8530 For Océ and Imagistics Models

Lexmark Printers and Multifunction Products: Hard Disk and Non-Volatile Memory Guide

Solutions for Increasing the Number of PC Parallel Port Control and Selecting Lines

Lexmark Fax over IP. Pete Davidson. Document Version 1.0. October 4, 2012

Multiplexing. Multiplexing is the set of techniques that allows the simultaneous transmission of multiple signals across a single physical medium.

DIVISION OF INFORMATION SECURITY (DIS)

Data Loss Prevention Program

NEC Express5800 Series NEC ESMPRO AlertManager User's Guide

SNAP Printer Web Server Users Manual

Network Management Card Wizard--1. Introduction... 1 Using the Network Management Card Wizard... 5

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

HIPAA Security Compliance for Konica Minolta bizhub MFPs

Hardware and Software Requirements

Computer Network. Interconnected collection of autonomous computers that are able to exchange information

Oracle Retail Clearance Optimization Engine. Overview. About Patch Releases. Release Notes Release

MULTIFUNCTIONAL DIGITAL SYSTEMS. Network Fax Guide

Sharpen your document and data security HP Security solutions for imaging and printing

RIU-IP Remote IP Interface User Guide

VPN over Satellite A comparison of approaches by Richard McKinney and Russell Lambert

E-Book Security Assessment: NuvoMedia Rocket ebook TM

March

HANDBOOK 8 NETWORK SECURITY Version 1.0

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

TALECH SAAS SERVICES ORDER FORM. Fax:

PIR-1 Owner s Manual

CONTACT: Russell Marchetta Bratskeir & Co. (973) (212) russell.marchetta@ricoh-usa.com jgreen@bratskeir.com

Functional Enhancements

Transcription:

Fax/Network Data Security and Lexmark Multifunction Products Version 3.3 October 2010 1

Contents Overview... 3 Applicable Products... 3 The Proposed Concern... 4 The Practical Considerations... 5 No Control of the Device via Phone Line... 5 Modem and INA are Separate by Design... 6 Modem is Configured for Fax Only... 6 No Support for the PS Fax mechanism... 7 Phone Line Does Not Provide Means to Update Firmware... 7 Summary... 8 2

Overview Lexmark offers a variety of multifunction products that provide both network capability and fax modem capability. In environments where network security is critical, the combination of these two features on a single device has caused some concern. The purpose of this document is to address those concerns by exploring the conceivable ways that security could be breached by this device, and to describe the reasons why the design and implementation of Lexmark MFPs make this sort of abuse impractical. Applicable Products This document applies to the following MFPs: Lexmark X463 Lexmark X464 Lexmark X466 Lexmark X651 Lexmark X652 Lexmark X654 Lexmark X656 Lexmark X658 Lexmark X734 Lexmark X736 Lexmark X738 Lexmark X772 Lexmark X782 Lexmark X792 Lexmark X850 Lexmark X850 (4) Lexmark X852 Lexmark X854 Lexmark X860 (4) Lexmark X862 (4) Lexmark X864 (4) Lexmark X925 Lexmark X940 Lexmark X945 3

The Proposed Concern The issue that raises concern is the presence of a fax modem on a device that also includes a network adapter. The fax modem, by nature, is: 1. Inherently bidirectional; it is capable of sending information to and from the MFP. 2. Inherently connected to the outside world; assuming the modem is connected to a phone line, the device is theoretically open to being accessed from anywhere. Based on these two attributes, it has been proposed that a security exposure may be present. Couldn t someone connect to the MFP via the modem and then somehow get information off of the network, thus exposing the customer s network to inappropriate access? Phone Line: - inherently open access - inherently not secure - inherently bidirectional Internal Network: - secure - restricted access Figure 1.0 The Proposed Exposure 4

The Practical Considerations There is a long list of reasons why the presence of a fax modem on a device that also includes a network adapter is not a security exposure. This document explores each of these points in more detail: There is no support for controlling the device via the phone connection one cannot dial into the device and interact with it via FTP, Telnet, or any similar mechanism. The modem and network adapter hardware are on separate cards and cannot communicate directly with one another. This prohibits data from crossing over between the two channels. The modem is configured to send and receive fax only, not data. The modem s configuration is limited and controlled by the MFP s firmware. The MFP firmware does not allow arbitrary data to be exchanged over the fax modem, only facsimile data representing page images can be exchanged. The avenues by which the MFP s firmware can be updated are secured, and unauthorized firmware and software cannot be placed onto the MFP. All these factors prevent the interaction of the fax modem and network adapter hardware from providing a security exposure. No Control of the Device via Phone Line Many devices that support an analog phone modem do so to allow the device to be controlled remotely, via the phone line. On such devices, one can call the device and interact with it: turn it on or off, change its settings, and so on. Typically, this would occur over some sort of management session, such as Telnet. However, the presence of an analog phone modem does not automatically involve any such mechanism. In order for the device to allow such interaction, the support needs to be built in and intentionally provided. Lexmark s products do not include or allow for this sort of control. No Lexmark MFPs allow for any sort of configuration via the phone line. There are no diagnostic modes by which any external mechanism can control or reconfigure the behavior of the modem. The only function that the analog phone modem is capable of exchanging is fax information. It does not allow for configuration or any sort of remote control of the device, and it does not allow any avenue to access the network to which the device is connected. 5

Modem and INA are Separate by Design Lexmark MFPs use a third-party fax chip to handle analog-to-digital processing, while the rest of the fax modem process is handled directly by Lexmark firmware. The internal network adapter function is implemented separately from the modem capabilities, and the two functions are implemented on separate circuit cards; the fax card is connected via a cable to a daughter card, while the network connection is on the MFP s motherboard. The fax processes are handled directly by the Lexmark firmware, as is the network adapter interaction, and the Lexmark firmware is designed to prohibit direct interaction between the fax and network components. Network Connection Daughter Card MFP Motherboard Fax Card Phone Connection Figure 2.1 Separation of Modem and Network Function on Lexmark MFPs Modem is Configured for Fax Only Control of the fax functionality is incorporated directly into the Lexmark firmware. The fax chip that sends and receives data over the phone line is directly controlled by the Lexmark firmware. The modem chip is in a mode that is even more restrictive than Class 1 mode, and it relies on the Lexmark firmware for composition and transmission of fax data. The firmware explicitly disallows the transmission of frames in data mode and only allows for the sending and receiving of facsimile jobs. 6

No Support for the PS Fax Mechanism Some fax devices employ a mechanism known as PS Fax, or PostScript File Transfer. When two fax devices support PS Fax and connect via an analog phone session, PS Fax allows a print job to be transmitted in its original PostScript format. This is faster and produces higher-quality output than converting the job to a bitmap at the sending end and transmitting the bitmap. However, the ability of the receiving device to accept non-image data creates a security exposure. The PostScript job itself could potentially include malicious function(s), and the support for opening the connection for non-image data could leave the device vulnerable to other sorts of transmissions. For these reasons, the PS Fax capability is not supported on Lexmark MFPs. Phone Line Does Not Provide Means to Update Firmware Because the only way to change the behavior of the modem would be with modified firmware, the question of how that might be accomplished can be reasonably posed. Because the network connection is secure, the avenue of concern is the phone line as it is inherently connected to the outside world. The nature of the Lexmark firmware and the modem s fax operation, however, is to accept only fax frames these are frames that contain image data. When these frames are combined, they are assembled and wrapped in PostScript commands and submitted to the MFP s interpreter as image data. There is no other data path available, and no way for data that comes in via the fax to be treated as anything but a fax image. If the data that is received does not represent an image, the data is purged as an invalid PostScript job. There is no avenue by which modified firmware (or any sort of executable code) could be packaged as a fax job and become operable within the printer or MFP. 1 When accessing the MFP via the internal network, there are significant safeguards in place to disallow the modification of the MFP s firmware. One example is the requirement that any firmware upgrade is digitally signed by Lexmark, using Lexmark s private encryption key. This disallows any firmware, except that which is produced and approved by Lexmark, from being placed onto the MFP device. 7

Summary While the initial reaction to an MFP device that contains a modem and a network adapter in close proximity might raise a concern that a potential security exposure exists, such a concern is not warranted. The Lexmark MFP implements the fax and network features in such a way that the hardware and firmware are both designed to keep the fax and network mechanisms separate, and the nature of the MFP restricts the addition or replacement of the Lexmark firmware. Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Lexmark International, Inc. All rights reserved. PostScript is a registered trademark of Adobe Systems Incorporated in the United States and other countries. This white paper does not constitute a specification or warranty. All rights and remedies concerning products are set forth in each product s Statement of Limited Warranty. 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information