Océ Large Format Systems - Optimizing Security
Administrator manual: Security information
Copyright 2011 Océ All rights reserved. No part of this work may be reproduced, copied, adapted, or transmitted in any form or by any means without written permission from Océ. Océ makes no representation or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Further, Océ reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation to notify any person of such revision or changes. Edition: 2011-01
Trademarks
Océ, and its wide-format printing systems are registered trademarks of Océ. Microsoft, Windows, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Microsoft Office PowerPoint are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Linux is a registered trademark of Linus Torvalds. McAfee is a registered trademark or trademark of McAfee, Inc. or its subsidiaries in the United States and other countries. Symantec and Norton are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. Products in this publication are referred to by their general trade names. In most, if not all cases, these designations are claimed as trademarks or registered trademarks of their respective companies.
Contents

Chapter 1 Océ Security policy ... 7
  The Océ Security policy ... 8
  Océ online resources ... 10
  Overview of the security features available per Océ System ... 11

Chapter 2 Security features on the Océ TDS / TCS / TC4 systems ... 13
  Overview ... 14
    Overview of the security features for the Océ TDS/TCS/TC4 systems ... 14
  System and Network security ... 16
    Ports - Protocols ... 16
      Applications, protocols and ports used on the Océ TDS/TCS/TC systems ... 16
    Security Patches ... 23
      Policy about Microsoft flaws and vulnerabilities ... 23
      Install the Océ Remote Patch ... 24
    Security levels ... 26
      Security levels presentation ... 26
      Security levels - Printers and scanner versions compatibility ... 28
      Set the Security level ... 29
      Systems with no screen ... 32
    Antivirus ... 33
      Antivirus installation: Compatibility and recommendations ... 33
    Roles and Passwords ... 35
      Roles and Passwords for the Océ TDS/TCS/TC4 systems (except Océ TCS300) ... 35
      Roles and Passwords for the Océ TCS300 ... 37
  Data security ... 39
    HTTPS through PEWG ... 57
      Print data encryption through HTTPS with Océ Print Exec Workgroup ... 39

Chapter 3 Security features on the Océ PlotWave 300 and ColorWave 300 ... 59
  Overview ... 60
    Security overview for the Océ PlotWave 300 and Océ ColorWave 300 systems ... 60
  System and Network security ... 61
    Ports - Protocols ... 61
      Applications, protocols and ports used on the Océ ColorWave 300 and Océ PlotWave 300 systems ... 61
    Security Patches ... 65
      Install the Océ Remote patch (on Océ PlotWave 300 and Océ ColorWave 300) ... 65
    Security levels ... 68
      Security levels presentation ... 68
      Set the security level ... 70
    Security of the USB connection ... 72
      The USB connection on the Local user interface ... 72
    Antivirus ... 74
      Antivirus installation on the Océ PlotWave 300/ Océ ColorWave 300: Compatibility and recommendations ... 74
    Roles and Passwords ... 75
      Roles and profiles in the Océ PlotWave 300 and Océ ColorWave 300 ... 75
      Passwords policy and behaviour in the Océ PlotWave 300 and Océ ColorWave 300 ... 76
  Data Security ... 79
    E-Shredding ... 79
      E-shredding presentation ... 79
      Enable the e-shredding ... 81
      E-shredding process and system behaviour ... 83
    IPsec ... 84
      IPsec presentation ... 84
      Configure the IPsec settings on the Océ controller ... 87
      Configure the IPsec settings on a workstation or a print server ... 90
      When you use Océ WPD on the print server ... 100
      Troubleshooting: emergency procedure to deactivate IPsec ... 101
    Prevent USB Direct Print and Scan to USB ... 103
      How to prevent 'Print from USB' ... 103
      How to prevent 'Scan to USB' ... 104

Chapter 4 Security features on the Océ ColorWave 600 ... 107
  Overview ... 108
    Security overview for the Océ ColorWave 600 system ... 108
  System and Network security ... 109
    Ports - Protocols ... 109
      Applications, protocols and ports used on the Océ ColorWave 600 ... 109
    Protocol protection ... 111
      Network protocols protection ... 111
    Operating system and software protection ... 112
      OS and software protection ... 112
  Roles and Passwords ... 113
    Roles and profiles in the Océ ColorWave 600 ... 113
    Passwords policy and behaviour in the Océ ColorWave 600 ... 114
Chapter 1 Océ Security policy
The Océ Security policy

Definition
At Océ, security is an integral part of system development, and the company takes a proactive approach to the improvement of security-related issues. Océ is working to address security requirements across all of its digital document systems. For its printing systems connected to the network, Océ strives to ensure the:
- Security of the system on the network
- Security of the data sent to the printers, with a focus on protecting sensitive documents from being captured by unauthorised persons
- Security of the configuration and data on the controller

Note: See the table of the security features on page 11 to get an overview of the security features available per Océ system.

System security and security on the network
Faced with system vulnerabilities, viruses and worms, and in order to maximise the protection of the Océ print systems from hackers and network attacks, Océ has reinforced the security of the Océ systems by:
- Introducing the Océ Security levels, which offer network protection against virus and worm attacks or system vulnerabilities (on Windows operating systems). Once the Security Interface is activated, you can define the level of security according to your system needs. Notice that the higher the security level you set, the fewer printing and scanning functionalities you get.
- Protecting the system roles and passwords. The main network and system settings are protected against change. Only authorised users can configure or change these settings.
- Regularly checking the relevance of Microsoft flaws and delivering security patches whenever necessary.
- Providing an OS and software protection mechanism: the internal system software is protected against alteration.
- Making the USB connection secure (on systems with a USB slot).
- Implementing network protocol protection features (through the Océ Security levels filtering, or by configuring each network protocol for firewall filtering).
- Allowing the installation of antivirus software on the Océ system controller.
- Supporting IPv6.

Note: The availability of the security features depends on the product. See the Overview of the security features available per Océ System on page 11.

Data security on the network
To ensure the security of the print data sent on the network, Océ has implemented:
- The HTTPS capability in the Océ Print Exec Workgroup job submission tool. Use the HTTPS protocol (HTTP over SSL) with Océ Print Exec Workgroup v2.6 and higher to encrypt the submitted print data. Find all information about Print data encryption through HTTPS with Océ Print Exec Workgroup on page 39.
- The e-shredding feature, which overwrites any user data (print/copy/scan) when it is deleted from the system. This feature prevents the recovery of deleted user data.
- The IPsec configuration, which provides authentication, data confidentiality and integrity in the network communication between devices. Encryption protects the confidentiality of the user print and scan data on the network.
Océ online resources

Introduction
We advise that you visit our website regularly in order to take full advantage of all the available resources:
- Find the latest supplies in our Media Guide.
- Get support on your product and answers to your questions in the Océ Knowledgebase.
- Keep up to date with the latest information on security, and the downloads for your drivers, software, printers and related documentation.

Get the latest information on Security
Connect to the International Corporate Website: www.global.oce.com
Open the security page: http://global.oce.com/support/security/default.asp

Océ Online Knowledgebase
Océ permanently develops a base of knowledge for its products. You can access this knowledgebase through the Support section of our website. Describe your question or problem in the search field. Then find the answer in the list of solutions or documents, ordered by relevance.
Overview of the security features available per Océ System

| Feature | Océ TDS / TCS / TC systems | Océ PlotWave 300, Océ ColorWave 300 | Océ ColorWave 600 |
|---|---|---|---|
| Operating System | Windows XP embedded | Windows XP embedded | Linux |
| Firewall | Yes | Yes | Yes |
| MS Security flaws / Security patches | Yes | Yes | N/A |
| Network protocols protection | Océ Security levels (3 levels) | Océ Security levels (3 levels) | Protection configurable per protocol |
| OS and software integrity mechanism | - | - | Yes |
| Antivirus | Compatible with 2 antivirus brands | Compatible with 2 antivirus brands | - |
| IPv6 | Yes for: Océ TCS300 1.6 and higher, Océ TCS500 1.6 and higher, Océ TDS450 1.6 and higher, Océ TDS700 1.6 and higher, Océ TDS750, Océ TC4 1.6 and higher | Yes | Yes |
| Feature to encrypt data on the network | HTTPS | IPsec | - |
| Password protection | Yes for: user settings, administration settings | Yes for: user settings, administration settings | Yes for: user settings, administration settings |
| Data overwrite | - | E-shredding | - |
Chapter 2 Security features on the Océ TDS / TCS / TC4 systems
Overview

Overview of the security features for the Océ TDS/TCS/TC4 systems

Introduction
The following Océ TDS/TCS/TC4 systems are equipped with security features:
- Océ TDS300
- Océ TDS320
- Océ TDS400
- Océ TDS450
- Océ TDS600 and TDS600 Premia class
- Océ TDS700
- Océ TDS750
- Océ TDS800
- Océ TDS860 (TDS800 Pro Series)
- Océ TCS300
- Océ TCS400
- Océ TCS500
- Océ TC4 scanner

Security features overview

| Feature | Océ TDS/TCS/TC4 systems |
|---|---|
| Operating System | Windows XP Service Pack 2 or Windows XP Service Pack 3 (see below) |
| MS Security patches | Océ released patches (on http://global.oce.com) |
| Network protocols protection | 3 Océ Security Levels |
| Firewall | Yes |
| Antivirus | Compatible with 2 antivirus brands |
| IPv6 | Yes for: Océ TCS300 1.6 and higher, Océ TCS500 1.6 and higher, Océ TDS450 1.6 and higher, Océ TDS700 1.6 and higher, Océ TDS750, Océ TC4 1.6 and higher |
| Data encryption | Yes - HTTPS protocol for printing, available with Océ Print Exec Workgroup |
| Password protection | Yes, for configuration settings (in the Océ Settings Editor or Océ Express WebTools) |

Operating System embedded in the Océ TDS/TCS/TC systems

| Product | Releases installed with Windows XP SP3 | Releases installed with Windows XP SP2 |
|---|---|---|
| Océ TDS300 | 1.1.10 and higher | 1.1.9 and lower |
| Océ TDS320 | 1.0.10 and higher | 1.0.9 and lower |
| Océ TDS400 | 2.1.10 and higher | 2.1.9 and lower |
| Océ TDS450 | 3.6 and higher | 3.4 and lower |
| Océ TDS600 | 4.1.10 and higher | 4.1.9 and lower |
| Océ TDS700 | 1.6 and higher | 1.3 and lower |
| Océ TDS750 | All releases | - |
| Océ TDS800 | 2.1.10 and higher | 2.1.9 and lower |
| Océ TDS860 | 1.0.10 and higher | 1.0.9 and lower |
| Océ TCS300 | 1.6 and higher | 1.3 and lower |
| Océ TCS400 | 2.2.10 and higher | 2.2.9 and lower |
| Océ TCS500 | 1.6 and higher | 1.5 and lower |
| Océ TC4 | 1.6 and higher | 1.0.3 and lower |
System and Network security

Ports - Protocols

Applications, protocols and ports used on the Océ TDS/TCS/TC systems

Printing applications: security levels, ports and protocols used by the Océ systems

The three level columns list the ports that are open on the controller for the application at that security level (N: Normal, M: Medium, H: High). A dash means the application is not available at that level.

| Application / Functionality | System | N | M | H | Port used on the controller: protocol |
|---|---|---|---|---|---|
| Océ Windows Printer Driver (WPD) | All Océ TDS and TCS systems (except Océ TC4) | 515, 65200, 80, 139 | 515, 65200, 80 (1) | 515 (2) | 515: LPR; 65200: Océ back-channel (*); 139: SMB; 80: HTTP (for advanced accounting) |
| Océ Adobe PostScript 3 driver | All Océ TDS and TCS systems (except Océ TC4) | 515, 139 | 515 (3) | 515 (3) | 515: LPR; 139: SMB |
| Océ Print Exec Workgroup | Océ TCS400/TCS500; Océ TDS400/TDS450/TDS600/TDS700/TDS750/TDS800/TDS860 | 80 | 80 | - | 80: HTTP |
| Océ Print Exec Workgroup over SSL (HTTPS) | Océ TDS400/TDS450/TDS600/TDS700/TDS750/TDS800/TDS860; Océ TCS400/TCS500 | 443 | - | - | 443: HTTPS |
| Océ Publisher Select (v1.8 and higher) | Océ TDS750 | 515, 65200, 80 | 515, 65200, 80 | - | 80: HTTP; 65200: Océ back-channel (*); 515: LPR |
| Océ ReproDesk | All Océ TDS and TCS systems (except Océ TC4) | 515, 65200 | 515, 65200 | - | 515: LPR; 65200: Océ back-channel |
| Océ PELT Windows | All Océ TDS and TCS systems (except Océ TC4 and TDS750) | 515, 65200 | 515, 65200 | 515 (4) | 515: LPR; 65200: Océ back-channel |
| Océ Print Exec Light Web | Océ TDS400 1.X, Océ TDS600 2.X, Océ TDS800 1.X, Océ TCS400 <= 2.1 | 80 | 80 | - | 80: HTTP |
| Océ Print Exec Basic | All Océ TDS and TCS systems (except Océ TDS300, Océ TDS320, Océ TCS300 and Océ TC4) | 80 | 80 | - | 80: HTTP |
| Novell NDPS printing | All Océ TDS and TCS systems (except Océ TC4) | 515 | 515 | 515 | 515: LPR |
| LPR printing (command line) | All Océ TDS and TCS systems (except Océ TC4) | 515 | 515 | 515 | 515: LPR |
| FTP printing | All Océ TDS and TCS systems (except Océ TC4) | 21, 4242 | 21 (5) | - | 21: FTP; 4242: FTP passive mode (6) |
| SMB printing | Océ TDS300/TDS320/TDS400/TDS600/TDS800/TDS860; Océ TCS400 | 139 | - | - | 139: SMB |

Notes:
(*) Océ back-channel is an Océ proprietary protocol used to retrieve information from the printer (status, media loaded...) and to display it in the application or driver.
(1) LPR printing with back-channel and advanced accounting. No SMB printing.
(2) LPR printing. No back-channel. No SMB printing. No advanced accounting.
(3) LPR printing only. No SMB printing.
(4) LPR printing. No back-channel.
(5) FTP active mode only.
(6) For the data communication channel.

Scanning applications: security levels, ports and protocols used by the Océ systems

| Application / Functionality | System | N | M | H | Port used on the controller: protocol |
|---|---|---|---|---|---|
| Scan to File, remote SMB | All Océ TDS, TCS and TC4 systems except Océ TCS300 and Océ TDS300 | Supported | Supported | Supported | SMB (no incoming port required on the controller) |
| Scan to File, remote FTP | All Océ TDS, TCS and TC4 systems except Océ TCS300 and Océ TDS300 | Supported | Supported (1) | Supported (1) | FTP (no incoming port required on the controller) |
| Scan data retrieval by FTP | All Océ TDS, TCS and TC4 systems | 21, 4242 | 21 (2) | - | 21: FTP; 4242: FTP passive mode (3) |

Notes:
(1) FTP passive mode only: the FTP server on the remote workstation must support FTP passive mode.
(2) FTP active mode only.
(3) For the data communication channel.

Control management: security levels, ports and protocols used by the Océ systems

| Application / Functionality | System | N | M | H | Port used on the controller: protocol |
|---|---|---|---|---|---|
| PING | All Océ TDS, TCS and TC4 systems | Supported | Supported | Supported | ICMP |
| SNMP based applications | Océ TDS450 v3.1 and higher | UDP 161 | - | - | UDP 161: SNMP |
| Océ Remote Logic | All Océ TDS and TCS systems except Océ TDS700, Océ TDS750, Océ TCS300 and Océ TC4 | 1099, 9999, 16440 to 16460 | 1099, 9999, 16440 to 16460 | - | Océ specific protocol |
| Océ Power Logic Remote | Océ TDS700, Océ TDS750 and Océ TC4 | 1099, 9999, 16440 | 1099, 9999, 16440 | - | Océ specific protocol |
| Océ Settings Editor Web application | Océ TCS300 | 80 | 80 | - | 80: HTTP |
| Name resolution (**) | All Océ TDS, TCS and TC4 systems | TCP/UDP 53 | - | - | TCP/UDP 53: DNS |
| DHCP | All Océ TDS, TCS and TC4 systems | UDP 68 | UDP 68 | UDP 68 | UDP 68: DHCP |
| Océ Account Center, advanced accounting (WPD) | All Océ TDS, TCS and TC4 systems except Océ TCS300, Océ TDS300 and Océ TDS320 | 80 | 80 | - | 80: HTTP |
| Accounting information retrieval by FTP | All Océ TDS, TCS and TC4 systems except Océ TCS300, Océ TDS300 and Océ TDS320 | 21, 4242 | 21 (1) | - | 21: FTP; 4242: FTP passive mode (2) |
| Browse Océ systems on the network with Windows network neighbourhood | Océ TDS450/TDS700/TDS750/TC4; Océ TCS300/TCS500 | UDP 137 | - | - | UDP 137: NetBIOS over TCP/IP |
| Browse Océ systems on the network with Windows network neighbourhood | Océ TDS300/TDS320/TDS400/TDS600/TDS800/TDS860; Océ TCS400 | UDP 137 | - | - | UDP 137: SMB |
| Océ License Logic | All Océ TDS, TCS and TC4 systems | 80 | 80 | - | 80: HTTP |
| Océ Remote Patch | All Océ TDS, TCS and TC4 systems except Océ TCS300 | 80 | 80 | - | 80: HTTP |
| Océ Remote Security settings | All Océ TDS and TCS systems except Océ TCS300, Océ TDS300, Océ TDS320 and Océ TC4 | 80, 443 | 80 | - | 80: HTTP (3); 443: HTTPS |
| Océ Service Logic | All Océ TDS, TCS and TC4 systems | 21, 4242 | 21 (1) | - | 21: FTP; 4242: FTP passive mode (2) |
| Océ Meter Manager | Océ TDS450 1.7.1 / TDS700 1.7.1 and higher; Océ TDS750; Océ TCS300 1.7.1 / TCS500 1.7.1 and higher | UDP 161 | - | - | UDP 161: SNMP |

Notes:
(**) Name resolution is mainly used to determine the IP address of the scan destination during a Scan to File operation.
(1) FTP active mode only.
(2) For the data communication channel.
(3) HTTP traffic is automatically redirected to HTTPS.
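The tables above are the reference an administrator needs to verify that a controller really is at the security level it is believed to be at: after a level change (or after a patch), a port scan should show nothing beyond what the relevant level column allows. The script below is an added example and is not Océ software or documentation. Its allowed-port sets are transcribed from the three tables above (the union of all application rows per level); the Remote Logic / Power Logic Remote ports (1099, 9999, 16440-16460) are listed by the manual as an "Océ specific protocol" without a transport and are assumed to be TCP here, and the host name and the sample scan result are constructed.

```python
"""Audit a controller's listening ports against the Océ Security level tables above.

Added example, not part of Océ's software or documentation. The EXPECTED sets are
transcribed from the printing, scanning and control-management tables in this
section; the host name and the sample scan result below are constructed.
"""
import socket
from typing import Dict, FrozenSet, Iterable, List, Tuple

Listener = Tuple[str, int]  # ("tcp" | "udp", port)

# Remote Logic / Power Logic Remote ports: the manual gives no transport for this
# "Océ specific protocol"; TCP is an assumption made here.
_OCE_REMOTE = {("tcp", 1099), ("tcp", 9999)} | {("tcp", p) for p in range(16440, 16461)}

EXPECTED: Dict[str, FrozenSet[Listener]] = {
    # Normal: every application row in the tables can be open.
    "normal": frozenset(
        {("tcp", 21), ("tcp", 4242),             # FTP control + passive data channel
         ("tcp", 80), ("tcp", 443),              # HTTP / HTTPS web applications
         ("tcp", 139), ("udp", 137),             # SMB printing, network neighbourhood
         ("tcp", 515), ("tcp", 65200),           # LPR, Océ back-channel
         ("tcp", 53), ("udp", 53), ("udp", 68),  # DNS, DHCP client
         ("udp", 161)}                           # SNMP (SNMP tools, Meter Manager)
        | _OCE_REMOTE),
    # Medium: SMB, HTTPS, SNMP, NetBIOS and the FTP passive data port are closed.
    "medium": frozenset({("tcp", 21), ("tcp", 80), ("tcp", 515), ("tcp", 65200), ("udp", 68)}
                        | _OCE_REMOTE),
    # High: LPR printing only (plus the DHCP client). ICMP echo is not a port.
    "high": frozenset({("tcp", 515), ("udp", 68)}),
}


def unexpected_listeners(level: str, observed: Iterable[Listener]) -> List[Listener]:
    """Return observed listeners the table does not allow at this level, sorted.

    A non-empty result means either the controller is not at the level the operator
    thinks, or something other than the Océ applications is listening on it.
    """
    allowed = EXPECTED[level.lower()]
    return sorted(lst for lst in set(observed) if lst not in allowed)


def closed_expected(level: str, observed: Iterable[Listener]) -> List[Listener]:
    """Return allowed listeners that were not seen (informational only: the matching
    application may simply be disabled or unlicensed on this controller)."""
    seen = set(observed)
    return sorted(lst for lst in EXPECTED[level.lower()] if lst not in seen)


def scan_tcp(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[Listener]:
    """Connect-scan TCP ports on a live controller (needs network access; not used below)."""
    found: List[Listener] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.append(("tcp", port))
    return found


if __name__ == "__main__":
    # Constructed scan result for a controller the operator set to "High":
    # LPR and DHCP are expected, but an HTTP listener is still up.
    sample = [("tcp", 515), ("udp", 68), ("tcp", 80)]
    print("unexpected at High:", unexpected_listeners("high", sample))
    # Live use against an assumed host name:
    # unexpected_listeners("high", scan_tcp("oce-tds700.example.net", range(1, 1025)))
```

The script only flags listeners the tables do not list; it cannot tell whether an allowed port is serving the expected Océ application, so treat a clean result as a necessary rather than sufficient check. UDP listeners are not scanned by `scan_tcp` and must be supplied from another source (for example an nmap UDP scan) before the comparison.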
Security Patches

Policy about Microsoft flaws and vulnerabilities

Policy
Océ regularly checks whether vulnerabilities (mainly those described in the Microsoft security bulletins) affect the Océ Power Logic Controller. Océ then informs users whether the systems are vulnerable or not, and in case of vulnerability publishes a corresponding Océ patch.

Patch procedure
Download the patches to apply to your printer from the http://global.oce.com website: select your print system and open the Downloads/security page (example: http://global.oce.com/products/tds700/downloads.asp#tab3) to get the latest patches and to check whether a Microsoft flaw impacts the Océ controller.
On this page you find:
- The latest information about security (MS flaws...)
- The Océ security patches
- The instructions to apply the patches on the Océ controller
- The procedure to identify the Océ patches installed on your system

Note: The patches provided by Microsoft on the Microsoft website cannot be installed directly on the controllers. Use the appropriate Océ patches.

Consult also the Océ Security Web page (http://global.oce.com/support/security/) for general security information.

Depending on the version of your system controller, you must download the Océ Remote Patch and install it on the controller (see Install the Océ Remote Patch on page 24).
Install the Océ Remote Patch

Purpose
The Océ Remote Patch functionality allows you to:
- load and remotely apply security and software patches onto the controller
- check the last patch successfully applied
- check the execution status of the latest patch applied ('Success' or 'Failure')

It is available for the following product versions:
- Océ TDS300 1.1.9 and higher
- Océ TDS320 1.0.9 and higher
- Océ TDS400 2.1.9 and higher
- Océ TDS450 3.3.1 and higher
- Océ TDS600 4.1.9 and higher
- Océ TDS700 1.2.1 and higher
- Océ TDS750
- Océ TDS800 2.1.9 and higher
- Océ TDS860 1.0.9 and higher
- Océ TCS400 2.2.9 and higher
- Océ TCS500 1.4.1 and higher
- Océ TC4 scanner 1.0.2 and higher

When to do
Each time a security patch needs to be remotely installed on the controller.

Note: As the control management table shows, the Océ Remote Patch page is reachable only at the Normal and Medium security levels, over plain HTTP on port 80. Perform the upload from a trusted network segment, and if the controller is at the High level, lower it for the duration of the patch installation and restore it afterwards.

Before you begin
- Download the security patch from the Océ website (Downloads/Security page of your product on http://global.oce.com).
- Open the Océ Remote Patch page either:
  - in the web browser of a workstation: enter the URL http://[controller hostname or IP address]/OceRemotePatch.html, or
  - in Océ Print Exec Workgroup v2.6 and higher: from the 'Administration' menu, click Océ Remote Patch.
- Log on to the Océ Remote Patch page as the controller system administrator.

Remotely install an Océ patch
1. Browse to the location of the patch file (*.oce).
   Note: Click 'Reset' to clear the field when needed.
2. Click 'Apply Patch'.
3. Confirm. The installation starts. At the end of the process, the controller reboots.
4. After the restart:
   - in the web browser of a workstation, enter the URL http://[controller hostname or IP address]/OceRemotePatch.html, or
   - from the 'Administration' menu of Océ Print Exec Workgroup, click 'Océ Remote Patch'.
5. Log on as the controller system administrator.
6. Check that the 'Last execution status' of the patch is 'Success': the installation was successful.
   Note: When the status is 'Failure', apply the patch again. If the installation fails again, contact your Océ representative.
Security levels

Security levels presentation

Introduction
Océ defined 3 levels of security according to customer needs. The presentation below can help you select the most suitable level.

HIGH security level
The HIGH level is the most secure mode for printing and scanning. The compliant applications are based on the LPR protocol for printing and on the FTP protocol for scanning.
Target: This level provides the most secure mode while keeping the basic printing and scanning features. Only some Océ applications are available; see the security levels supported per application/functionality on page 16.
This security level may also be used when you want to be protected after a vulnerability has been discovered but the corresponding patch cannot yet be installed. As soon as the patch has been installed, you can go back to the original security level.

MEDIUM security level
The MEDIUM level is compliant with all the Océ applications available for printing and scanning that do not present a high risk (as reported by the most popular network scanners).
Target: This level is recommended if you need to be secured while still using the Océ applications for printing and/or scanning (more functions are available than with the HIGH security level).

Normal security level
This mode offers all the functionalities.
Target: Select this level if you want to use features not covered by the MEDIUM security level. It is intended for small network infrastructures where features matter more than security.
Security levels - Printers and scanner versions compatibility

Introduction
The security levels are implemented on the following versions of the printer/scanner controllers:

| Printer / scanner | Versions with security levels |
|---|---|
| Océ TDS300 | v1.1.1 and higher |
| Océ TDS320 | All versions |
| Océ TDS400 | v2.1.1 and higher |
| Océ TDS450 | All versions |
| Océ TDS600 | v4.1.1 and higher |
| Océ TDS700 | All versions |
| Océ TDS750 | All versions |
| Océ TDS800 | v2.1.1 and higher |
| Océ TDS860 | v1.0 and higher |
| Océ TCS300 | All versions |
| Océ TCS400 | v2.2 and higher |
| Océ TCS500 | All versions |
| Océ TC4 scanner | All versions |

To check whether your Océ system with no screen is equipped, check the firmware version number on the control panel during the reboot of the printer:
- For the Océ TDS300, the version number must be 1.1 or higher.
- For the Océ TDS400, the version number must be 2.1 or higher.
- For the Océ TCS400, the version number must be 2.2 or higher (you can access it when the printer is off-line, in the 'Configure system' menu).
Set the Security level

Introduction
The security user interface is available locally on the controller only, from the Océ Settings Editor (no remote access).

Note: You need to be logged on as the System Administrator to access the security level interface and change the security level.

[1] Log on

From the 'Edit' menu, select 'Security...' to open the 'Security level' window.

[2] Access Security window

It displays the current 'Security level' and the available options. According to the security level selected, the settings are available (in black) or not (in grey). The controller is delivered with the 'Normal' security level by default; according to your needs, you can switch by selecting the required level.

[3] Security level interfaces: High / Medium / Normal

Manage the security levels
1. In the 'Security level' window, check the level required ('Normal', 'Medium' or 'High').
2. Click 'OK' once, then 'Cancel'. A warning message is displayed.

[4] Security warning message

3. Click 'OK'.
4. After processing, a message displays the security level confirmation. Click 'OK' to reboot the controller.

[5] Reboot

Result
When the security level is changed from 'Normal' to 'Medium' or 'High', the selected level is also displayed on the Océ System Control Panel (click the 'Security' button).

[6] Océ System Control Panel - Security level information
Systems with no screen

For systems delivered without screen, keyboard or mouse, it is possible to switch between security levels using diskettes/CDs. There is one diskette/CD per security level:
- 1 diskette/CD to switch to the HIGH security level
- 1 diskette/CD to switch to the MEDIUM security level
- 1 diskette/CD to switch to the STANDARD / Normal security level

Océ delivers 3 deliverables to build the diskettes/CDs. Please contact your local Océ representative.
Antivirus

Antivirus installation: Compatibility and recommendations

Introduction
To install the Symantec or McAfee antivirus programmes, contact your Océ representative.

Note: Océ shall not be liable for damages of any kind attributable to the use of an antivirus on the Océ system controllers.

Compatibility
Océ tested the installation of the 3 following antivirus programmes on the Océ system controllers:

| Antivirus | Installable on the controller of |
|---|---|
| Symantec AntiVirus Endpoint Protection 11; McAfee VirusScan Enterprise Edition 8.7i with ePolicy Orchestrator for antivirus updates | Océ TDS300 1.1.8.1 and higher; Océ TDS320 1.0.8.1 and higher; Océ TDS400 2.1.8.1 and higher; Océ TDS450 3.3.1 and higher; Océ TDS600 4.1.8.1 and higher; Océ TDS700 1.2.1 and higher; Océ TDS750; Océ TDS800 2.1.8.1 and higher; Océ TDS860 1.0.8.1 and higher; Océ TCS300 1.2.1 and higher; Océ TCS400 2.2.6 and higher; Océ TCS500 1.4.1 and higher; Océ TC4 scanner 1.0.2 and higher |
| Symantec AntiVirus Corporate Edition 10 (Norton) | Océ TDS300 1.1.3 to 1.1.5; Océ TDS320; Océ TDS400 2.1.3 and higher; Océ TDS450; Océ TDS600 4.1.3 and higher; Océ TDS700; Océ TDS750; Océ TDS800 2.1.3 and higher; Océ TDS860 1.0.1 and higher; Océ TCS300; Océ TCS400 2.2.2 and higher; Océ TCS500; Océ TC4 scanner |
Roles and Passwords

Roles and Passwords for the Océ TDS/TCS/TC4 systems (except Océ TCS300)

Roles
In all Océ TDS/TCS/TC4 systems (except the TCS300), the main network and system settings are protected against change. Only authorised users can configure or change these settings. 4 roles are available:
- Key operator: the Key Operator can manage the jobs and the device settings.
- Repro operator: the Repro Operator can manage jobs (print and scan).
- System administrator: the System Administrator can manage the configuration settings (such as the network settings, scan destination settings...) and print jobs.
- Océ service: this role is used exclusively by the Océ Service Technician.

Note: Refer to your Océ TDS/TCS/TC4 user manual for information on the authorised users and on the settings access rights.

Passwords used
The passwords protect:
- The roles
- The Scan To File remote user name

Password modification table for Océ TDS/TCS/TC4 systems

| Password for | Can be changed by |
|---|---|
| Key operator | Key operator |
| Repro operator | Repro operator |
| System administrator | System administrator |
| Scan To File remote user name | Anyone (no login requested) |

Note: Keep these passwords. The loss of these passwords may require the intervention of Océ Service.

Passwords storage on the controller
All passwords are stored encrypted on the controller. There is no open access to the system to change them. You can change them only through the standard user interface on the controller.

Passwords export policy
No password is exported to the backup files, except the passwords for the Scan To File remote user names. The passwords for the Scan To File remote user names are stored encrypted (in the *.sm file).
Roles and Passwords for the Océ TCS300 Roles and Passwords for the Océ TCS300 Roles description In the system, the main network and system settings are protected against change. Only authorised users can configure/change these settings. 4 roles are available: Key operator: The Key Operator can manage the jobs and the device settings System administrator The System Administrator can manage the Configuration settings such as the Network settings and the scan destinations settings Power user The Power User has both the rights of the Key Operator and the System Administrator Océ service This role is used eclusively by the Océ Service Technician Passwords used in Océ Settings Editor Web application In Océ Océ Settings Editor Web application the passwords protect the roles. Password modification table for Océ TCS300# Password for Can be changed by Key operator Key operator or Power user System administrator System administrator or Power user Power user Power user Password policy 256 characters maimum Any number [0-9] Any letter lowercase/uppercase [a-z][a-z] the following special characters: # _ - ~! @ # $ % ^ *? { } ( ) = +,. ; : [ ] / \ Chapter 2 - Security features on the Océ TDS / TCS / TC4 systems 37
Passwords storage on the controller
All passwords are stored encrypted on the controller. There is no open access to the system to change them. You can change them only through the standard user interface on the controller.

Passwords export policy
The role passwords are not stored in the backup set.
Data security

HTTPS through PEWG

Print data encryption through HTTPS with Océ Print Exec Workgroup

Introduction
To protect the privacy of your print data on the network, use the HTTPS protocol (HTTP over SSL) with Océ Print Exec Workgroup (v2.6 and higher). You can then send encrypted print data to Print Exec Workgroup using the following URL:
https://[common Name or PrinterHostname or PrinterIPaddress]
Example: https://tcs500.oce.com

Definition
Océ proposes two services when printing with Print Exec Workgroup by means of HTTPS instead of HTTP:
- print data encryption, to ensure the confidentiality of the print data
- the use of certificates: the client station that submits the print can check the identity of the controller.

Compatible versions of Océ Print Exec Workgroup
The HTTPS feature is embedded in Océ Print Exec Workgroup v2.6 and higher, recommended for:
- Océ TDS400
- Océ TDS400 Prémia Class
- Océ TDS450
- Océ TDS600
- Océ TDS600 Premia Class
- Océ TDS700
- Océ TDS750
- Océ TDS800
- Océ TDS800 Pro series
- Océ TCS400
- Océ TCS500
The self-signed certificate and the CA-signed certificate
By default, Océ delivers an Océ self-signed certificate. This certificate provides encryption of the print data between the client and the controller and can be used easily. Because this self-signed certificate has not been signed by a Certification Authority, the web browser displays a 'Certificate Error' message the first time you use the HTTPS protocol. This certificate may be used with a few limitations (see Use the Océ self-signed certificate on page 42), or while you are waiting for a trusted certificate to be delivered by a Certification Authority.
When your security policy recommends it, the administrator can request and import a certificate delivered by a Certification Authority (CA-signed certificate). See the overall procedure to request and import a CA-signed certificate on page 47.

HTTPS protocol and the Security levels
The HTTPS protocol in Océ Print Exec Workgroup is available only in the Normal security level. The HTTPS protocol uses port 443.
HTTPS through PEWG

Configure the use of HTTPS

Introduction
You can configure the use of HTTPS through the job submission tool for Océ TDS and TCS systems: Océ Print Exec Workgroup v2.6 and higher. On the Remote Security page, set the use of the secured protocol to:
- 'Required' to allow only the HTTPS protocol
- 'Optional' to allow both the HTTP and HTTPS protocols

Note: When you set HTTPS to 'Required' in PEWG v2.6 or higher, only the Océ Account Center communication protocol remains in HTTP mode.

Configure the use of HTTPS
1. In a web browser, open Océ Print Exec Workgroup v2.6 or higher (enter the printer IP address or hostname).
2. From the Administration menu, select Océ Remote Security.
3. Log on as the printer system administrator.
4. On the Océ Remote Security page, select 'Set the HTTPS mode'.
5. Set the HTTPS mode to 'Required' or keep 'Optional' (default).
6. Reboot the controller to apply the change.
Use the Océ self-signed certificate

Introduction
You can use the HTTPS protocol with the default Océ self-signed certificate to send encrypted print data to the printer controller. The first time you use a self-signed certificate, your web browser generates security error messages. In order to use the self-signed certificate easily and securely in your web browser, you must:
- view and check the self-signed certificate in your web browser
- configure your web browser to trust the self-signed certificate

The procedures depend on the web browser you use to open Océ Print Exec Workgroup. See below the use with:
- Internet Explorer
- Mozilla Firefox

Use the Océ self-signed certificate with Internet Explorer
1. On a workstation, type the URL address of your printer in Internet Explorer (https://[hostname]). A warning window opens. It displays two errors:
   - The certificate is not issued by a trusted certificate authority.
   - The Common Name in the certificate does not match the printer hostname (or IP address) you typed in the address bar.
2. In order to view and check the self-signed certificate, continue to the website.
Note: A 'Warning - Security' message may open to ask whether you trust the applet distributed by Océ. This message concerns only the Java applets used in Print Exec Workgroup; it is not related to the self-signed certificate. You can check the certificate and click 'Yes'.
3. Océ Print Exec Workgroup opens, but the address bar displays a certificate error. Click on the error: the certificate is reported as invalid.
4. View the certificate.
5. The certificate is issued to 'Océ PE WG [MAC address]' by 'Océ PE WG [MAC address]' (where [MAC address] is the controller MAC address). Check the Details and the Certification Path. In Details, check the following values:
   - Common Name (CN) = Océ PE WG
   - Organization Unit (OU) = PE WG
   - Organization (O) = Océ
6. Click 'Install Certificate...'.
7. Follow the Wizard's instructions to import the certificate into your web browser. Validate.
When the import is successful, the 'Océ PE WG' certificate is recognised and its status is OK.
8. Open Tools menu > Internet Options > Advanced tab. In the Security section, uncheck the option "Warn about certificate address mismatch".
9. Restart the browser and type the URL of your printer in Internet Explorer (https://[hostname]).
Result
The padlock is displayed in the address bar. The Océ self-signed certificate guarantees:
- the identity of the remote computer (controller)
- the encryption of the print data on the network.

Use the Océ self-signed certificate with Mozilla Firefox
1. On a workstation, type the URL address of your printer in Mozilla Firefox (https://[hostname]). A warning window opens. It displays two errors:
   - The certificate is not trusted because it is self-signed.
   - The certificate is only valid for 'Océ PE WG [MAC address]'.
2. In order to view and check the self-signed certificate, continue to add an exception.
3. Click 'Add Exception...'.
4. In the 'Add Security Exception' window, click 'Get Certificate' to get the certificate from the controller web server. The 'Wrong site' and 'Unknown Identity' errors are displayed.
5. Click 'View...' to see the content of the certificate. Check the following values:
   - Common Name (CN) = Océ PE WG
   - Organization Unit (OU) = PE WG
   - Organization (O) = Océ
6. The certificate is issued to 'Océ PE WG [MAC address]' by 'Océ PE WG [MAC address]', so you can confirm the security exception (permanent or temporary exception).
7. A security warning window may pop up. Click 'Yes' to continue.

Result
The Océ Print Exec Workgroup software opens. You can check in the status bar (at the bottom of the window) that the padlock is displayed. In the navigation bar, the Océ certificate is registered as an exception. The identity of the remote controller and the encryption of the data on the network are secured.
HTTPS through PEWG

Description of the overall procedure to request and import a CA-signed certificate

Introduction
By default, the first certificate delivered for the use of HTTPS with Océ Print Exec Workgroup is an Océ self-signed certificate. To ensure a fully trusted authentication, you can request and import a certificate delivered by a Certification Authority (CA-signed certificate).

Information about certificates
When you generate a CA-signed certificate request on a controller:
- A new private key is created: this key stays in the controller.
- The certificate request containing the public key is created. Send it to the Certification Authority.
- The CA-signed certificate you will receive also contains the public key. This public key is linked to the private key already stored in the controller.
In the controller, the private key and the public key must match to enable a secure HTTPS protocol.

To request and then import a CA-signed certificate while you are still using HTTPS with Océ Print Exec Workgroup 2.6 and higher, follow these two procedures, step by step.

Overall procedure to prepare and generate the CA-signed certificate request (Océ Print Exec Workgroup 2.6 and higher)
Step A1 - Back up the current certificate and private key.
  The current certificate can be:
  - the original Océ self-signed certificate embedded with Océ Print Exec Workgroup
  - a CA-signed certificate (delivered by a Certification Authority) you previously installed.
  See Back up a certificate and a private key on page 49.
Step A2 - Generate the certificate request.
  Make this step when you want to request and install a CA-signed certificate. During the creation of the request, a new private key is created. See Generate a certificate request on page 50.
Step A3 - Save the content of the certificate request.
  Send this content to the Certification Authority to request a (CA-signed) certificate. The Certification Authority will check the request and reply:
  - if the request is valid, go to step A4
  - if the request is not valid, make a new request (A2) according to the remarks and corrections suggested in the CA feedback.
Step A4 - Restart the controller.

Overall procedure to import the new CA-signed certificate
Step B1 - Save and store the new CA-signed certificate.
  Save the CA-signed certificate you received from the Certification Authority.
Step B2 - Import the new CA-signed certificate into the controller.
  Import the CA-signed certificate (Root and/or Intermediate and CA-signed certificates). See Import a CA-signed certificate (into the controller and workstations) on page 52.
Step B3 - Restart the controller.
Step B4 - Import the Root certificate into the web browsers of the workstations.
  The Root certificate identifies the Certification Authority. By default, web browsers contain a list of well-known and trusted Root certificates. If the Root certificate of the Certification Authority is not in this list, install the CA Root certificate in the 'Trusted Root certificates' list of the web browser on each workstation. See Check and import the Root certificate into the workstations browser on page 53.
Step B5 - Back up the certificate and private key.
  Back up and store the certificate and the private key in order to be able to restore them if needed. See Back up a certificate and a private key on page 49.
Back up a certificate and a private key

When to do
You must back up the certificate and private key:
- BEFORE you generate a certificate request (step A1 of the overall procedure on page 47): to save your current certificate and private key.
- AFTER you import the new certificate (step B5): to save your new certificate and private key, in order to be able to restore them if needed.

Back up the current certificate and private key
1. In a web browser, open Océ Print Exec Workgroup v2.6 or higher (https://[ip address or hostname]).
2. From the Administration menu, select Océ Remote Security. A new HTTPS browser page opens.
   Note: A warning message can occur: validate and continue.
3. Log on as the printer system administrator.
4. In the Océ Remote Security page, select 'Backup certificate and private key'.
5. To save the server certificate and private key, enter a password of at least 6 characters ('Password used to encrypt the private key').
6. Confirm the password.
7. Click 'Save'.
8. Download and store the backup file (.jks).
Generate a CA-signed certificate request

Purpose
Create a certificate request in Océ Print Exec Workgroup 2.6 and higher. Use this function only when you want to request a new CA-signed certificate.

Before you begin
- Install the latest version of Print Exec WorkGroup for your printer (v2.6 or higher, see http://global.oce.com/products/print-exec-workgroup/).
- Back up the current certificate and private key already installed on the controller (see Back up a certificate and a private key on page 49).

'Generate a certificate request'
Note: Step A2 of the overall procedure on page 47.
1. In a web browser, open Océ Print Exec Workgroup v2.6 or higher (https://[ip address or hostname]).
2. From the Administration menu, select Océ Remote Security. A new HTTPS browser page opens.
   Note: A warning message can occur: validate and continue.
3. Log on as the printer system administrator.
4. In the Océ Remote Security page, select 'Generate a certificate request'.
5. Fill out the form with the requested information.
   Note: In the certificate request the Common Name MUST be the hostname or the Fully Qualified Domain Name (FQDN) of the printer (e.g. 'TDS800' or 'TDS800.mycompany.com'). This Common Name will be used in the URL when you open Océ Print Exec WorkGroup through HTTPS (e.g. 'https://[commonname]').
6. Click 'Generate'.
Result
The web server generates a certificate request. The content of the request is displayed (plain text).
Example (fake request):
-----BEGIN NEW CERTIFICATE REQUEST-----
[base64-encoded request body, omitted here]
-----END NEW CERTIFICATE REQUEST-----

Save and send the request
Note: Step A3 of the overall procedure on page 47.
1. Click 'Save' to save the content of the request in a .csr file (named 'certificate_request.csr' by default).
2. Restart the controller.
3. Send the content of this request to the Certification Authority.
Import a CA-signed certificate (into the controller and workstations)

1. Import the CA-signed certificate into the controller:
   - Import the 'Root certificate'
   - Import the 'Intermediate certificate'
   - Import the CA-signed certificate
2. Import the Root certificate into the workstations web browser.

Import the 'Root certificate' into the controller
Note: Step B2 of the overall procedure on page 47.
Note: Save locally or on the network all the CA-signed certificate files the Certification Authority sent you.
1. In a web browser, open Océ Print Exec Workgroup v2.6 or higher (https://[ip address or hostname]).
2. From the Administration menu, select Océ Remote Security. A new HTTPS browser page opens.
   Note: A warning message can occur: validate and continue.
3. Log on as the printer system administrator.
4. In the Océ Remote Security page, select 'Import CA-signed certificate'.
5. Select 'Root certificate'.
6. Browse to the Root certificate file and click 'Import'.
   Note: The Root certificate may already exist in the web server certificates list.
7. Validate to confirm the import.
8. When the message 'Certificate successfully imported.' pops up, go on to import the 'Intermediate certificate'.
   Note: When an error message is displayed, see its meaning in Security through PEWG 2.6: Error messages on page 57.

Import the 'Intermediate certificate'
1. Select 'Intermediate certificate'.
2. Browse to the Intermediate certificate file and click 'Import'.
3. When the message 'Certificate successfully imported.' pops up, go back to the main page to import the 'CA-signed certificate'.

Import the 'CA-signed certificate'
1. Select 'CA-signed certificate'.
2. Browse to the certificate file.
3. Select 'Yes' to validate the certificate against the Java root certificates and click 'Import'.
4. When the message 'Certificate successfully imported.' pops up, restart the controller.

Result
The certificate is now installed on the server. Check and import (if needed) the CA Root certificate into the workstations web browser as well. That secures the complete data workflow between the workstations and the server.

Check and import the 'Root certificate' into the workstations browser
Note: Step B4 of the overall procedure on page 47.
1. On each workstation, open the web browser.
2. In the Tools - Internet Options - Content window, open 'Certificates'.
3. Check whether the CA 'Root certificate' is already displayed in the 'Trusted Root Certification Authorities' list.
4. If it is not in the list, import the CA Root certificate.
Restore a certificate and a private key

When to do
You can restore the certificate and the private key at any moment, in case of need.

Restore the certificate and private key
1. In a web browser, open Océ Print Exec Workgroup v2.6 or higher (https://[ip address or hostname]).
2. From the Administration menu, select Océ Remote Security. A new HTTPS browser page opens.
   Note: A warning message can occur: validate and continue.
3. Log on as the printer system administrator.
4. In the Océ Remote Security page, select 'Restore certificate and private key'.
5. Browse to the backup file.
6. Enter the password of the backup file.
7. Click 'Restore'.
8. A dialog box opens: 'This action will overwrite the current certificate. Continue?' Click 'OK'.
9. When the key and the certificate are successfully restored, restart the controller.
Reset the current certificate

Purpose
This procedure creates a new Océ self-signed certificate.

When to do
You can reset the certificate after a certificate request, or at any moment when you want to restore a self-signed certificate.
Note: Prefer the restoration of the original self-signed certificate (which requires a preliminary backup of the original self-signed certificate). Each 'Reset certificate' action generates a new self-signed certificate (with a new private and public key), so each time you reset the certificate you must import the new certificate into the web browser.

Reset the certificate
1. In a web browser, open Océ Print Exec Workgroup v2.6 or higher (https://[ip address or hostname]).
2. From the Administration menu, select Océ Remote Security. A new HTTPS browser page opens.
   Note: A warning message can occur: validate and continue.
3. Log on as the printer system administrator.
4. In the Océ Remote Security page, select 'Reset certificate'.
5. Click the 'Reset' button.
6. When the reset is successful ('Certificate successfully reset'), reboot the controller.

Result
A new self-signed certificate has been generated on the controller. Configure your web browser to use it (see Use the Océ self-signed certificate on page 42).
HTTPS through PEWG

Security through PEWG 2.6: Error messages

Introduction
Find below the description of the error messages you can encounter when you manage security through Print Exec Workgroup 2.6 and higher.

If the error message is: 'Incorrect Login'
That means: Type in the correct login/password to open the Océ Remote Security page.

If the error message is: 'Administrator's session has expired'
That means: The session expires after 5 minutes.

If the error message is: 'Incorrect password'
That means: Type the password used to back up the certificate.

If the error message is: 'An internal server error occurred while processing the request. Repeat the operation'
That means: An internal error occurred during the generation of the certificate request, during the reset of the certificate, or during the restoration of the backup file. Repeat the operation. If the operation fails again, contact your system administrator or your Océ local representative.

If the error message is: 'Certificate import failed. Check the validity of the certificate file.'
That means: The file you try to import is not a valid certificate file.

If the error message is: 'Error: This CA-signed certificate does not match the latest CA-signed certificate request.'
That means: The certificate you try to import does not match the certificate request (private key). Possible causes:
- the imported certificate does not match the certificate request
- the certificate has been reset (to a self-signed one).

If the error message is: 'The certificate chain cannot be established. Import Root and/or Intermediate certificates first.'
That means: The controller does not recognise the Root or Intermediate certificate provided by the Certification Authority. Import the Root and/or the Intermediate certificate into the controller before you import the certificate. (See Import the Root certificate into the controller on page 52 and Import the Intermediate certificate on page 53.)

If the error message is: 'Certificate already imported'
That means: The certificate has already been imported.

If the error message is: 'Error when saving file. Operation aborted.'
That means: The backup process failed due to an internal error. Repeat the operation.
Chapter 3 Security features on the Océ PlotWave 300 and ColorWave 300
Overview

Security overview for the Océ PlotWave 300 and Océ ColorWave 300 systems

Introduction
The Océ PlotWave 300 and Océ ColorWave 300 are equipped with security features.

Security overview
- Operating System: Windows XP Service Pack 3
- Firewall: Yes
- Network protocols protection: 3 Océ Security Levels
- MS Security patches: Océ released patches
- Antivirus: Compatible with 2 Antivirus brands
- IPv6: Yes
- Data encryption on the network: IPsec
- Data overwrite: E-shredding
- Password protection: Yes, for administration settings
System and Network security

Ports - Protocols

Applications, protocols and ports used on the Océ ColorWave 300 and Océ PlotWave 300 systems

All entries below apply to the Océ ColorWave 300 / PlotWave 300. For each application, the supported security levels (*) are listed with the ports open on the controller at that level, followed by the protocol of each port. A dash means the level has no entry for that application.

Printing applications: security levels, ports and protocols used by the Océ systems

Océ Windows Printer Driver (WPD)
  N: 515, 65200, 80, UDP 515
  M (1): 515, 65200, 80
  H (2): 515
  Ports: 515: LPR; 65200: Océ back-channel (**); 80: HTTP (for advanced accounting); UDP 515: Océ protocol (for printer discovery)

Océ Adobe PostScript 3 driver
  N: 515   M: 515   H: 515
  Ports: 515: LPR

Océ Publisher Select
  N: 515, 65200, 80   M: 515, 65200, 80   H: -
  Ports: 80: HTTP; 65200: Océ back-channel (**); 515: LPR

Océ ReproDesk Studio
  N: 515, 65200   M: 515, 65200   H: -
  Ports: 515: LPR; 65200: Océ back-channel (**)

Novell NDPS printing
  N: 515   M: 515   H: 515
  Ports: 515: LPR

LPR printing (command line)
  N: 515   M: 515   H: 515
  Ports: 515: LPR

FTP printing
  N: 21, 4242   M (3): 21   H: -
  Ports: 21: FTP; 4242: FTP (4)

Notes:
* Levels: N: Normal - M: Medium - H: High
(**) Océ back-channel is an Océ proprietary protocol used to retrieve information from the printer (status, media loaded...) and to display it in the application or driver.
(1) LPR printing with back-channel and advanced accounting
(2) LPR printing. No back-channel. No advanced accounting
(3) FTP active mode only
(4) Data channel for FTP passive mode

Scanning applications: security levels, ports and protocols used by the Océ systems

Scan to File Remote SMB
  N, M, H: supported
  Ports on the controller: -

Scan to File Remote FTP
  N (1), M (1), H: -
  Ports on the controller: -

Scan data retrieval by FTP
  N: 21, 4242   M (2): 21   H: -
  Ports: 21: FTP; 4242: FTP (3)

Notes:
* Levels: N: Normal - M: Medium - H: High
(1) FTP passive mode only: the FTP server on the remote workstation must support FTP passive mode
(2) FTP active mode only
(3) Data channel for FTP passive mode

Control management: security levels, ports and protocols used by the Océ systems

PING
  N, M, H: supported
  Protocol: ICMP

SNMP based applications
  N: UDP 161
  Ports: UDP 161: SNMP

Océ Express WebTools
  N: 80   M: 80   H: -
  Ports: 80: HTTP

Name resolution (**)
  TCP/UDP 53
  Ports: TCP/UDP 53: DNS

DHCP
  N: UDP 68   M: UDP 68   H: UDP 68
  Ports: UDP 68: DHCP

Océ Account Center - Advanced accounting (WPD)
  N: 80   M: 80   H: -
  Ports: 80: HTTP

Accounting information retrieval by FTP
  N: 21, 4242   M (1): 21   H: -
  Ports: 21: FTP; 4242: FTP (2)

Browse Océ systems on the network with Windows network neighbourhood
  N: UDP 137
  Ports: UDP 137: NetBIOS over TCP/IP

Océ Service Logic
  N: 21, 4242   M (1): 21   H: -
  Ports: 21: FTP; 4242: FTP (2)

IPsec
  N: UDP 500, UDP 4500   M: UDP 500, UDP 4500   H: -

Notes:
* Levels: N: Normal - M: Medium - H: High
(**) Name resolution is mainly used to determine the IP address of the scan destination during a Scan to File operation
(1) FTP active mode only
(2) Data channel for FTP passive mode
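The port tables above are what an administrator would verify after setting a security level: the script below, added here as an example (not Océ software), encodes the ColorWave 300 / PlotWave 300 matrix from the tables and compares it with the open ports reported by a port scan of the controller. Assumptions: rows whose level columns are ambiguous in the tables (SNMP UDP 161 and NetBIOS UDP 137) are treated as Normal only and DNS as present at every level; the scan output is a constructed nmap-style listing, not a real capture.

```python
"""Check a controller's observed open ports against the Océ security level
port matrix for the PlotWave 300 / ColorWave 300 (added example, not Océ code)."""
import re

# (protocol, port) -> service, transcribed from the manual's port tables.
PORT_NAMES = {
    ("tcp", 515): "LPR",
    ("tcp", 65200): "Oce back-channel",
    ("tcp", 80): "HTTP (Express WebTools / advanced accounting)",
    ("udp", 515): "Oce printer discovery",
    ("tcp", 21): "FTP",
    ("tcp", 4242): "FTP passive data channel",
    ("udp", 161): "SNMP",
    ("tcp", 53): "DNS",
    ("udp", 53): "DNS",
    ("udp", 68): "DHCP",
    ("udp", 137): "NetBIOS over TCP/IP",
    ("udp", 500): "IPsec",
    ("udp", 4500): "IPsec",
}

# Ports the tables list as open on the controller at each level.
# Assumption: UDP 161 and UDP 137 are Normal only; DNS applies to all levels.
# ICMP (PING) is not a port and is not part of this check.
HIGH = {("tcp", 515), ("udp", 68), ("tcp", 53), ("udp", 53)}
MEDIUM = HIGH | {("tcp", 65200), ("tcp", 80), ("tcp", 21),
                 ("udp", 500), ("udp", 4500)}
NORMAL = MEDIUM | {("udp", 515), ("tcp", 4242), ("udp", 161), ("udp", 137)}
EXPECTED = {"High": HIGH, "Medium": MEDIUM, "Normal": NORMAL}

# Matches nmap-style lines such as "515/tcp  open  printer"; UDP scans often
# report "open|filtered", which is treated as open (the conservative reading).
SCAN_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+open(?:\|filtered)?\b")


def parse_scan(text: str) -> set[tuple[str, int]]:
    """Return the set of (protocol, port) reported open in a scan listing."""
    found = set()
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            found.add((m.group(2), int(m.group(1))))
    return found


def check_level(level: str, observed: set[tuple[str, int]]):
    """Compare observed ports with the matrix for `level`.

    Returns (unexpected, missing): ports open but not in the table for that
    level (the ones to investigate), and table ports not seen (often just a
    feature such as IPsec or accounting that is not in use)."""
    expected = EXPECTED[level]
    return sorted(observed - expected), sorted(expected - observed)


def report(level: str, scan_text: str) -> str:
    """Human-readable summary for one security level."""
    unexpected, missing = check_level(level, parse_scan(scan_text))
    lines = [f"Security level {level}:"]
    for proto, port in unexpected:
        name = PORT_NAMES.get((proto, port), "not in the Oce port tables")
        lines.append(f"  UNEXPECTED {port}/{proto} ({name})")
    for proto, port in missing:
        lines.append(f"  not seen   {port}/{proto} ({PORT_NAMES[(proto, port)]})")
    return "\n".join(lines)


# Constructed sample scan of a controller believed to be at Medium level.
SAMPLE_SCAN = """\
PORT       STATE         SERVICE
21/tcp     open          ftp
80/tcp     open          http
515/tcp    open          printer
4242/tcp   open          unknown
65200/tcp  open          unknown
68/udp     open|filtered dhcpc
161/udp    open|filtered snmp
"""

if __name__ == "__main__":
    # 4242/tcp and 161/udp are only listed for Normal, so a Medium controller
    # showing them is either misconfigured or still at Normal.
    print(report("Medium", SAMPLE_SCAN))
```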
Security Patches

Install the Océ Remote patch (on Océ PlotWave 300 and Océ ColorWave 300)

Introduction
You can install the Océ Remote patches (security patches) on the following versions of the systems:
- Océ PlotWave 300 1.2.1 and higher
- Océ ColorWave 300 1.1.2 and higher

Before you begin
Download the Océ Security patch from the Océ website at http://global.oce.com: open the product page and go to the Downloads/Security page to find the available security patches.

Install the Océ Remote patch
1. Open the Océ Express WebTools.
2. Open the 'Support' tab.
3. Select 'Update'. The Authentication window opens.
4. Log in as the System administrator or Power user. The latest patch successfully applied (if any) is displayed.
5. Click on the 'Update' icon (top right corner) to open the wizard.
6. Click OK.
7. Browse to the Océ Remote patch and click OK to install it.
8. Click OK to confirm the update.
Security levels

Security levels presentation

Introduction
Océ defined three levels of security according to customer needs. The presentation below can help you select the most suitable level.

HIGH security level
The HIGH level is the most secure mode for printing and scanning. The compliant applications are based on the LPR protocol for printing and on the FTP protocol for scanning.
Target: This level provides the most secure mode while using only the basic printing and scanning features. Only some Océ applications are available; see the security levels supported per application/functionality on page 61.
This security level may also be used when you want to be protected after a vulnerability has been discovered and the corresponding patch cannot yet be installed. As soon as the patch can be installed, you can go back to the original security level.

MEDIUM security level
The MEDIUM level is compliant with all the Océ applications available for printing and scanning that do not present a high risk (as reported by the most popular network scanners).
Target: This level is recommended if you need to be secured while still using the Océ applications for printing and/or scanning (you can use more functions of the system than with the HIGH security level).

Normal security level
This mode offers all the functionalities.
Target: You can select this level if you want to use features not covered by the MEDIUM security level. This level is better suited to small network infrastructures where features matter more than security.
Set the security level

Introduction
The 'Security' wizard on the printer user panel gives the option to check or change the security level of the system.

Before you begin
The System Administrator or a Power User can protect the security settings with a password. When the protection is activated, you must type the password on the printer user panel before you can change the security level.

Manage the security level
1. From the 'HOME' screen select the 'System' tab.
2. Select the 'Setup' tab.
3. Use the scroll wheel to go to the 'Security' ('Configure settings') wizard.
4. Open this section with the confirmation button.
5. The screen displays the security level and the active network access options.
6. Two options are possible:
   - Press the 'Back' key if you only want to check the security settings.
   - Press the 'Next >' key if you want to adapt the security level. Enter the password if requested and follow the wizard to adapt the security level.

Protect the security level by a password
1. Open the Océ Express WebTools in a web browser (http://[printer IP address or hostname]).
2. In the 'Preferences' tab, select 'System settings'.
3. In the 'Printer Properties', go to 'Password to change security level'.
4. Click on the value to edit it.
5. Log in as the System Administrator or as a Power User.
6. Select 'New'.
7. Type and re-type a numeric password.
8. Confirm to activate the password.

Result
You must type the password on the printer user panel when you want to change the security level.
Security of the USB connection

The USB connection on the Local user interface

Introduction
A USB connection is available on the Océ PlotWave 300 and Océ ColorWave 300 Local user interface. This USB connection is used to:
Install and upgrade the controller software
Back up and restore the controller configuration
Scan to the USB storage device
Print from the USB storage device

Security on the USB port
General USB port protection:
Booting from the USB device is not possible.
Executing any programme present on the USB device is not possible. Autorun is disabled and no operation on the controller can execute a programme on the USB device.
Propagating on the network any infected file present on the USB device plugged into the USB port is not possible.

Read from / write to USB device protection
Protection of the USB READ operation:
- when restoring a controller configuration from the Local User Interface. In that case, any file infected by a virus appears as an invalid backup file. The controller software detects it and rejects the restore operation.
- when printing from the USB device. Any print file infected by a virus will never compromise the controller's software integrity.
Protection of the USB WRITE operation:
- during the backup of the controller configuration from the Local User Interface. The backup is performed by the internal controller software. It cannot contaminate the USB device with any threat.
- when making a Scan To File to the USB device: the Scan To File operation to the USB device is performed by the internal controller software. It cannot contaminate the USB device with any threat.

Disable the USB features
You can disable:
The direct printing operation from USB. See How to prevent 'Print from USB' on page 103
The scanning operation to USB. See How to prevent 'Scan to USB' on page 104
Antivirus

Antivirus installation on the Océ PlotWave 300 / Océ ColorWave 300: Compatibility and recommendations

Océ PlotWave 300 and Océ ColorWave 300 compatibility with an antivirus
The following 2 antivirus programmes:
Symantec AntiVirus Endpoint Protection 11
McAfee VirusScan Enterprise Edition 8.7i / ePolicy Orchestrator for antivirus updates
can be installed on the following controller versions:
Océ PlotWave 300 v1.2 and higher
Océ ColorWave 300 v1.1.1 and higher

Installation
To install the Symantec or McAfee antivirus programmes, contact your Océ representative.
Océ shall not be liable for damages of any kind attributable to the use of an antivirus on its controllers.
Roles and Passwords

Roles and profiles in the Océ PlotWave 300 and Océ ColorWave 300

Roles description
In the system, the main network and system settings are protected against change. Only authorised users can configure/change these settings. 4 roles are available:
Key operator: the Key Operator can manage the jobs and the device settings
System administrator: the System Administrator can manage the configuration settings such as the Network settings, scan destination settings, security settings (e-shredding, IPsec), and the hardware/software configuration settings
Power user: the Power User has both the rights of the Key Operator and the System Administrator
Océ service: this role is used exclusively by the Océ Service Technician
Passwords policy and behaviour in the Océ PlotWave 300 and Océ ColorWave 300

Introduction
There are 2 groups of passwords:
The passwords used in Océ Express WebTools
The passwords used in the printer Local User Interface

Passwords used in Océ Express WebTools
In Océ Express WebTools the passwords protect:
The roles
The Scan to File remote user name
The security settings (preshared key for IPsec)

Password modification table for Océ PlotWave 300 and Océ ColorWave 300
Password for                       Can be changed by
Key operator                       Key operator or Power user
System administrator               System administrator or Power user
Power user                         Power user
Any ScanToFile remote user name    System administrator or Power user
Any preshared key for IPsec        System administrator or Power user

Password policy
256 characters maximum
Any number [0-9]
Any letter, lowercase or uppercase [a-z][A-Z]
The following special characters: # _ - ~ ! @ $ % ^ * ? { } ( ) = + , . ; : [ ] / \

Passwords used on the Océ Local User Interface
Password to change the Network Settings
Password to change the security level
Password to clear the system
Password to print demo and test prints
Password to change the hardware/software configuration
Password to start the scanner calibration

Note: Keep these passwords. The loss of these passwords may require the intervention of Océ Service.

LUI passwords modification table for Océ PlotWave 300 and Océ ColorWave 300
All of the LUI passwords listed above (change of the Network Settings, change of the security level, clear of the system, print of demo and test prints, change of the hardware/software configuration, start of the scanner calibration) can be changed by the System administrator or the Power user.

Password backup/restore policy with the 'Save Set'/'Open Set' features
Some passwords are stored in the backup set made with the 'Save Set' feature of Océ Express WebTools.

Password backup table for Océ PlotWave 300 and Océ ColorWave 300
Password / pincode for                           Backup with 'Save set'?   Restore with 'Open set'?
Change of the Network Settings                   Yes, encrypted (1)        Yes (2)
Change of the security level                     Yes, encrypted (1)        Yes (2)
Clear of the system                              Yes, encrypted (1)        Yes (2)
Print of demo and test prints                    Yes, encrypted (1)        Yes (2)
Change of the hardware/software configuration    Yes, encrypted (1)        Yes (2)
Start of the scanner calibration                 Yes, encrypted (1)        Yes (2)
Any preshared key for IPsec                      No                        -
Any ScanToFile remote user name                  No                        -
Key operator                                     No                        -
System administrator                             No                        -
Power user                                       No                        -

(1) When a password is configured as 'No password', the value 'Auto' (meaning 'No password') is stored in the backup file. It is not encrypted. The passwords are stored in the backup file whatever the login used when making the 'Save Set' operation (System administrator, Key operator or Power user).
(2) The passwords are restored only when the System administrator or the Power user makes the 'Open Set' operation. When a password has been stored with the 'Auto' value, it is restored with the 'No password' value.

Because the backup set contains the (encrypted) LUI passwords, treat the 'Save Set' file as sensitive. Because the IPsec preshared key and the role passwords are not in it, record those separately before a controller replacement or a restore.
Data Security

E-Shredding

E-shredding presentation

Introduction
The e-shredding feature is a security feature that overwrites any user data (print/copy/scan) when it is deleted from the system. This feature prevents the recovery of any deleted user data (files' content and attributes).
A deleted job is a job that cannot be retrieved from any user interface.

When is a job deleted?
A job is deleted:
When it is manually deleted from a Smart Inbox
After it was successfully printed and was not saved in a Smart Inbox (the 'Save printed jobs in a Smart Inbox' system setting is disabled in the Océ Express WebTools)
After a 'ScanToFile to remote destination' has been successfully performed
After a 'ScanToFile to USB stick' has been performed, successfully or not
When it is automatically deleted after a timeout:
- When the end of the job lifetime in the Smart Inbox is reached (the 'Save printed jobs in a Smart Inbox' system setting is enabled in the Océ Express WebTools and 'Printed jobs in Smart Inbox: job lifetime' is set)
- When the time for the cleanup of the 'Scans in Smart Inbox' is reached
When a 'Clear system - Remove all jobs' is performed on the printer local interface

E-shredding algorithms
Select one of the three e-shredding behaviours:
DOD 5220.22-M: 3-pass overwriting algorithm (compliant with the US Department of Defense directive)
Gutmann: 35-pass overwriting algorithm with random data
Custom: set the number of passes, from 1 to 35

Note: The e-shredding feature has been designed to minimise the impact on overall system performance. However, the more passes selected, the greater the impact on general performance. It is recommended to minimise the number of passes when document production throughput matters.
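The pass counts above can be made concrete with a small overwrite routine. This is an added example in Python, not the controller's e-shredding code or anything from the Océ manual: the contents of the three DoD 5220.22-M passes (0x00, 0xFF, then random, which is a common reading of the directive), the chunk size and the function names are this example's own choices; the manual only specifies the number of passes and that the Gutmann option writes random data.

```python
"""File overwrite ("e-shredding") passes as described for the Océ controllers.

Added example, not code from the Océ manual or the controller firmware.
Pattern choices for the DoD passes (0x00, 0xFF, random) are this example's
assumption; the manual only gives the pass counts.
"""
import os
import secrets
from pathlib import Path

CHUNK = 64 * 1024  # overwrite in 64 KiB chunks so large files do not load into memory


def pass_patterns(algorithm: str, custom_passes: int = 1) -> list:
    """Return one entry per pass: a single byte value, or None for random data."""
    if algorithm == "dod":          # DoD 5220.22-M: 3 passes (assumed: zeros, ones, random)
        return [0x00, 0xFF, None]
    if algorithm == "gutmann":      # 35 passes of random data, as the manual describes it
        return [None] * 35
    if algorithm == "custom":       # 1..35 passes, as the manual's 'Custom' setting allows
        if not 1 <= custom_passes <= 35:
            raise ValueError("custom pass count must be between 1 and 35")
        return [None] * custom_passes
    raise ValueError(f"unknown algorithm {algorithm!r}")


def overwrite_file(path, algorithm: str = "dod", custom_passes: int = 1) -> int:
    """Overwrite the file contents in place, syncing to disk after each pass.

    Returns the number of passes performed. The file is left in place so the
    caller can inspect it; shred_file() unlinks it afterwards.
    """
    path = Path(path)
    size = path.stat().st_size
    patterns = pass_patterns(algorithm, custom_passes)
    with open(path, "r+b", buffering=0) as fh:
        for pattern in patterns:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                block = secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n
                fh.write(block)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # push each pass through the page cache to the device
    return len(patterns)


def shred_file(path, algorithm: str = "dod", custom_passes: int = 1) -> int:
    """Overwrite with the selected passes, then remove the directory entry."""
    passes = overwrite_file(path, algorithm, custom_passes)
    Path(path).unlink()
    return passes
```

Two caveats a practitioner should keep in mind, neither of which the manual addresses: overwriting a file in place only destroys the data if the storage writes in place (a journaling or copy-on-write file system, or a flash device with wear levelling, may keep the old blocks elsewhere), and the routine above overwrites content but not the directory entry, so the file name survives until the entry is reused. The controller's feature states that it also handles file attributes.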
Enable the e-shredding

Before you begin
You must be logged in as a System Administrator or a Power user.
Before enabling e-shredding, it is recommended to disable the 'Save printed jobs in a Smart Inbox' system setting in the Océ Express WebTools, so that all print jobs are automatically deleted (and therefore e-shredded) after successful printing.

Enable/disable the e-shredding (Océ Express WebTools)
1. Open a web browser and enter the system URL, http://<hostname>, to open the Océ Express WebTools
2. Open the 'Configuration' - 'Connectivity' page and select the 'E-shredding' section
3. Click 'Edit'
4. Check the 'E-shredding' feature to enable it
5. Select the algorithm. When you select 'Custom', set the number of passes

Result
When the E-shredding feature is enabled, an indication is displayed at 2 locations in the system:
On the printer, on the Local User Interface, an indication is displayed in the System menu: 'E-shredding enabled'
In the Océ Express WebTools window, a new icon is added to the list of icons (bottom right)
Each time data (a file's content or attributes) is deleted from the system, the e-shredding process runs. While it runs, the E-shredding feedback reports 'busy':
On the printer, on the Local User Interface, an indication is displayed in the System menu: 'E-shredding busy'
In the Océ Express WebTools window, roll the mouse over the e-shredding icon to display the 'E-shredding busy' status
Once the e-shredding of the data is complete, the status returns to:
'E-shredding enabled' in the Local User Interface
'E-shredding ready' in the Océ Express WebTools (roll over the icon)

Note: Scanned files whose 'Scan destination file name' is longer than 256 characters, on the controller or on the remote destination, are deleted but not e-shredded (name too long). If e-shredding matters for your scans, keep scan file names well under that limit.
E-shredding process and system behaviour

When you enable the e-shredding
When you enable e-shredding, the system e-shreds every print/scan job that is subsequently deleted. The e-shredding process runs as a background task. All processed jobs are e-shredded as soon as they are deleted:
- After a manual deletion from the Smart Inbox
- After an automatic deletion of print and scan jobs by the system (timeout, disabled Smart Inbox, cleanup)

When you disable the e-shredding
When you disable e-shredding, the system:
Terminates the e-shredding process for files that are being e-shredded
Does not e-shred newly deleted files

Make sure a file is completely e-shredded
Once a scan or print job has been processed, perform the following actions to make sure the file is e-shredded:
1. Enable the e-shredding
2. Check that the printed job is deleted from the Smart Inbox, or that the scan job is deleted from the 'Scans' Smart Inbox. Manually delete the job when needed.
3. Shut down the system controller
4. Restart the system controller. The e-shredder displays a 'busy' status.
5. Wait until the e-shredder status returns to 'Ready' (in Océ Express WebTools) or 'Enabled' (on the system Local User Interface)
The job file is e-shredded.
IPsec

IPsec presentation

Introduction
IPsec provides authentication, data confidentiality and integrity in the network communication between devices. A strong encryption mechanism guarantees the confidentiality of user print and scan data on the network.
IPsec is particularly suitable in a configuration where you need to create a dedicated secure link between the printer/copier system and a workstation that is dedicated as a Print Server (or a Scan Server). You can connect up to 5 IPsec stations to the printer/copier system.
In the configuration below:
The printer/copier system is physically connected to the network but communicates only with a dedicated station (a Print Server or Scan Server, for example)
The Print Server receives the print requests from the workstations via IP on the network
The Print Server sends the print requests to the printer/copier system via IPsec
The workstations cannot communicate directly with the printer/copier system

Note: In this configuration, the back-channel communication between a workstation and the printer is unavailable (the back-channel information is not displayed in the Océ WPD driver).
Note: IPsec is compatible with IPv4 only. Make sure IPv6 is 'Disabled' before you configure IPsec on the controller.

Illustration

IPsec parameters in the Océ Express WebTools (EWT)
The following IPsec parameters are available in the Océ Express WebTools:

IPsec generic section:
IPsec: Enabled/Disabled. General setting to enable or disable IPsec. Once enabled, only the network traffic defined by the IPsec configuration rules is authorised.
Failsafe option: Enabled/Disabled. Keep this option enabled during the IPsec configuration, until IPsec communication between the printer/copier system and the configured station is complete and successful.
- When the option is Enabled (with IPsec enabled), only the network traffic defined by the IPsec configuration rules is authorised. All other network traffic is denied except the HTTP traffic for Océ Express WebTools with any workstation: this allows some IPsec settings to be changed via Océ Express WebTools from any workstation.
- When the option is Disabled (with IPsec enabled), only the network traffic defined by the IPsec configuration rules is authorised. All other network traffic is denied.
Default preshared key: you can define a default preshared key that will be used for all the stations connected by IPsec to the printer/scanner system.
Other settings: you can display the other IPsec generic settings ('See all'). Keep them unchanged.

IPsec stations section:
You can configure a maximum of 5 IPsec communications between the printer/copier system and 5 workstations. Enable and configure the parameters for each required station. The parameters can be different for each workstation:
- the IP address
- the preshared key (keep the generic default one or set a custom one)

Note the trade-off of the failsafe option: while it is enabled, the controller's HTTP interface (and the IPsec settings it exposes) is reachable from every host on the network, not only from the IPsec stations. Disable it as soon as the IPsec link has been verified.
Configure the IPsec settings on the Océ controller

Before you begin
You must be logged in as a System Administrator or a Power user.

Activate and configure IPsec on the printer/scanner controller
1. Open a web browser and enter the system URL, http://<hostname>, to open the Océ Express WebTools
2. Open the 'Configuration' - 'Connectivity' page and select the IPsec section
3. In the 'IPsec generic' section, click 'Edit'
4. Check 'IPsec'
5. Keep 'Failsafe option' checked while you configure IPsec. If needed, this allows you to connect to the Océ Express WebTools from any workstation in order to change parameters.
6. Keep the other parameters as they are.
7. In the 'IPsec stations' section, click 'Edit'
8. Select 'IPsec station 1: Enable'
9. Enter the 'IPsec station 1: IP address' of the workstation
10. Create and enter the 'IPsec station 1: Preshared key' using the following policy:
256 characters maximum
Any number [0-9]
Any letter, lowercase or uppercase [a-z][A-Z]
The following special characters: # _ - ~ ! @ $ % ^ * ? { } ( ) = + , . ; : [ ] / \
Note: Write it down; this preshared key will be required during the IPsec configuration on the workstation, and it is not included in the 'Save Set' backup.

Note: In the 'TCP/IP: IPv6' section, make sure TCP/IP (IPv6) is disabled.

Result
The IPsec settings are configured on the controller for a connection to a workstation (which can be a print server).
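The policy printed in step 10 (and the identical policy for the Océ Express WebTools role passwords earlier in this chapter) is easy to get wrong by hand, for example by including a space or a character outside the listed set. The following Python code is an added example, not from the Océ manual or the controller: it validates a candidate key against that policy and generates a key from the allowed alphabet with a CSPRNG. The function names and the 64-character default length are this example's choices.

```python
"""Validate and generate secrets that satisfy the Océ password / preshared-key policy.

Added example in Python, not code from the Océ manual or the controller. The
alphabet and the 256-character limit are the manual's; the function names and
the default key length are this example's assumptions.
"""
import secrets
import string

# Special characters listed in the manual's policy.
SPECIALS = "#_-~!@$%^*?{}()=+,.;:[]/\\"
ALLOWED = frozenset(string.ascii_letters + string.digits + SPECIALS)
ALPHABET = sorted(ALLOWED)      # 87 symbols, deterministic order for secrets.choice
MAX_LEN = 256


def check_policy(secret: str) -> list:
    """Return the list of policy violations; an empty list means the value is acceptable."""
    problems = []
    if not secret:
        problems.append("empty value")
    if len(secret) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    bad = sorted({c for c in secret if c not in ALLOWED})
    if bad:
        # Spaces, quotes, '&', '|' and any non-ASCII letter land here.
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems


def is_policy_compliant(secret: str) -> bool:
    return not check_policy(secret)


def generate_psk(length: int = 64) -> str:
    """Generate a preshared key from the allowed alphabet with a CSPRNG.

    Each character is drawn uniformly from 87 symbols (about 6.4 bits), so a
    64-character key carries roughly 410 bits of entropy, far beyond anything
    an offline guessing attack on captured IKE traffic could search.
    """
    if not 1 <= length <= MAX_LEN:
        raise ValueError(f"length must be between 1 and {MAX_LEN}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```

Generate the key once, enter it on the controller (step 10) and on the workstation (the preshared-key authentication step of the Windows procedure), and keep it in the same place as the LUI passwords the manual tells you to retain.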
Configure the IPsec settings on a workstation or a print server

Purpose
Complete the IPsec configuration for a secure connection between the printer/copier system and a workstation. Follow the 6 steps below:
1- Add the security snap-in
2- Create the security policy
3- Create the filter list
4- Define the filter actions and security negotiation
5- Define the security rule
6- Assign the security policy

When to do
After the IPsec configuration on the controller.

Before you begin
Log on to the workstation with administrator rights.
Note: The procedure below shows the configuration steps on Windows Server 2008. The procedure is similar on other operating systems (Windows Server 2003, Windows XP, Windows Vista, Windows 7).

1- Add the security snap-in
1. In the 'Start' - 'Run' window, enter 'mmc' to open the management console
2. In the top menu select 'File' - 'Add/Remove Snap-in'
3. Select 'IP Security Policy Management' and click 'Add' to add it to the root console
4. Keep 'Local computer' checked and click 'Finish'
The security snap-in is added; click 'OK'

2- Create the security policy
1. In the console, right-click 'IP Security Policies on Local Computer' and select 'Create IP Security Policy'
2. Click 'Next' to open the wizard
3. Enter the name for the policy and click 'Next'
4. Uncheck 'Activate the default response rule'
5. Uncheck 'Edit properties' and click 'Finish'

3- Create the filter list
1. In the console, right-click 'IP Security Policies on Local Computer' and select 'Manage IP filter lists and filter actions'
2. In the 'Manage IP Filter Lists' tab click 'Add'
3. Enter a filter name and a description and click 'Add'
4. Click 'Next' to open the wizard
5. Check the 'Mirrored' checkbox and click 'Next'
6. Select 'My IP Address' as the 'Source address' and click 'Next'
7. Select 'A specific IP Address or Subnet' as the 'Destination address' and enter the IP address of the controller (the printer/scanner controller configured in Configure the IPsec settings on the Océ controller on page 87)
8. Select 'Any' as the 'IP Protocol Type' and click 'Next'
9. Click 'Finish'
10. In the 'IP Filter List' window, click 'OK'
The filter list is set

4- Define the filter actions and security negotiation
1. Open the 'Manage Filter Actions' tab and click 'Add' to open the wizard
2. Click 'Next'
3. Give a name to the filter action and click 'Next'
4. Select 'Negotiate security' and click 'Next'
5. Select 'Allow unsecured communication if a secure connection cannot be established' or 'Fall back to unsecured communication' (depending on the operating system) and click 'Next'
6. Select 'Custom' and click the 'Settings...' button
7. Configure the settings as shown in the illustration
8. Click 'OK' and 'Next', then 'Finish'

5- Define the security rule
1. In the console, right-click the IP security policy just created and select 'Properties' to open the wizard
2. Click 'Next'
3. Select 'This rule does not specify a tunnel' and click 'Next'
4. As the network type, select 'All network connections' and click 'Next'
5. Select the filter list previously created, then click 'Next'
6. Select the filter action previously created, then click 'Next'
7. In the 'Authentication Method' window, check 'Use this string to protect the key exchange (preshared key)'
8. Enter the preshared key you set in Express WebTools (see Activate and configure IPsec on the printer/scanner controller on page 87), then click 'Next'
9. Click 'Finish'
10. Click 'OK' to validate the security rule

6- Assign the security policy
1. In the console, right-click the security policy just created and select 'Assign'
The configuration is activated on the workstation.
2. To test the configuration, open a command window and issue a 'ping' command from the workstation to the printer/scanner controller
When the test works properly, it is recommended to disable the 'Failsafe mode' on the printer/scanner controller. Then only the workstation is allowed to communicate with the printer/scanner system.

Note: The filter action chosen in step 4-5 ('fall back to unsecured communication') means the workstation will still talk to the controller in clear text if the IPsec negotiation fails, so a successful ping alone does not prove the link is protected. Confirm that a security association exists (for example in the IP Security Monitor snap-in, or with a packet capture showing ESP instead of clear-text LPR) before disabling the failsafe mode.

Note: In case you use the WPD driver, see When you use Océ WPD on the print server on page 100.
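The six wizard steps above map onto the legacy Windows IPsec command line, netsh ipsec static, which edits the same policy store as the 'IP Security Policy Management' snap-in on Windows XP, Server 2003, Vista, 7 and Server 2008. The following Python code is an added example, not part of the Océ manual: it emits those netsh commands (one group per wizard step) for a given controller address and preshared key, plus the commands to roll the policy back. Assumptions that are this example's own: the policy, filter-list, filter-action and rule names, the controller address 192.0.2.10 (a documentation-range placeholder) and the ESP algorithms in qmsecmethods (3DES/SHA1); the manual's 'Custom' security-method screenshot is not reproduced on the page, so set qmsecmethods to match what the controller's IPsec 'other settings' actually show.

```python
"""Emit netsh ipsec static commands equivalent to the MMC IPsec wizard steps.

Added example, not from the Océ manual. Names, the sample address and the
ESP algorithm choice are assumptions; see the lead-in.
"""
import ipaddress


def build_netsh_commands(controller_ip: str, psk: str,
                         policy: str = "Oce IPsec",
                         filterlist: str = "Oce controller",
                         filteraction: str = "Oce negotiate",
                         rule: str = "Oce rule",
                         qmsecmethods: str = "ESP[3DES,SHA1]",
                         soft: bool = True) -> list:
    """Return the netsh lines, one group per wizard step, for an elevated prompt."""
    ipaddress.IPv4Address(controller_ip)   # the controller's IPsec is IPv4 only
    if not psk:
        raise ValueError("preshared key must not be empty")
    if '"' in psk:
        raise ValueError("a double quote cannot be passed on the netsh command line")
    soft_flag = "yes" if soft else "no"
    return [
        # 2- Create the security policy: default response rule off, not yet assigned
        f'netsh ipsec static add policy name="{policy}" activatedefaultrule=no assign=no',
        # 3- Create the filter list: my address <-> controller, any protocol, mirrored
        f'netsh ipsec static add filterlist name="{filterlist}"',
        f'netsh ipsec static add filter filterlist="{filterlist}" srcaddr=me '
        f'dstaddr={controller_ip} protocol=ANY mirrored=yes',
        # 4- Filter action: negotiate security; soft=yes is the wizard's
        #    'fall back to unsecured communication', inpass=no refuses clear-text inbound
        f'netsh ipsec static add filteraction name="{filteraction}" action=negotiate '
        f'inpass=no soft={soft_flag} qmpfs=no qmsecmethods="{qmsecmethods}"',
        # 5- Security rule: no tunnel, all connection types, preshared-key authentication
        f'netsh ipsec static add rule name="{rule}" policy="{policy}" '
        f'filterlist="{filterlist}" filteraction="{filteraction}" '
        f'conntype=all kerberos=no psk="{psk}"',
        # 6- Assign the policy, which activates it on the local computer
        f'netsh ipsec static set policy name="{policy}" assign=yes',
    ]


def build_rollback_commands(policy: str = "Oce IPsec",
                            filterlist: str = "Oce controller",
                            filteraction: str = "Oce negotiate") -> list:
    """Undo in reverse order: unassign, then delete the policy and its parts."""
    return [
        f'netsh ipsec static set policy name="{policy}" assign=no',
        f'netsh ipsec static delete policy name="{policy}"',
        f'netsh ipsec static delete filterlist name="{filterlist}"',
        f'netsh ipsec static delete filteraction name="{filteraction}"',
    ]
```

Run the returned lines from an elevated command prompt on the workstation in the order given; the result then appears under 'IP Security Policies on Local Computer' in the MMC exactly as if the wizards had been used. Enter the preshared key exactly as it was set on the controller. If you save the lines to a .cmd file, remember that cmd.exe expands % even inside double quotes, so a key containing % is safer pasted interactively. Keep the rollback commands at hand: with the controller's failsafe mode disabled, a mistaken policy on the print server is what the emergency procedure later in this chapter recovers from.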
When you use Océ WPD on the print server

Introduction
It can happen that a user on a workstation not configured with IPsec sends a job to the printer via a print server (configured with IPsec) through a shared driver (WPD) installed on the print server. In this case, when the 'Failsafe mode' is disabled, the communication between the workstation (not configured as an IPsec destination) and the printer controller is blocked (the HTTP communication is stopped).

Illustration: Use of the WPD driver on the workstation configured as a print server, when the 'Failsafe mode' is disabled

Consequences:
- The back-channel information from the printer is not displayed on the driver interface
- The jobs sent with the driver are not printed when basic or advanced accounting is activated. The jobs are stored in the Smart Inbox on the controller. An error message is displayed when opening the 'Accounting' settings in the driver (see the illustration). You must go to the printer user interface to enter the accounting information and print the jobs.

When the 'Failsafe mode' is enabled
When you enable the 'Failsafe mode':
- The back-channel information is still not displayed in the driver
- But the accounting communication and process are maintained (the failsafe exception lets HTTP traffic through from any workstation)
Troubleshooting: emergency procedure to deactivate IPsec

Introduction
In the following case:
IPsec is enabled and activated on the printer/scanner controller
The 'Failsafe mode' is disabled
The communication between the controller and the station fails
you cannot open the Océ Express WebTools remotely to change the settings. The system is locked. You can then use the emergency procedure to disable IPsec via the Local User Interface on the printer/scanner system.

Purpose
Disable IPsec
1. On the Local User Interface, click 'System'
2. Select 'Setup'
3. Scroll down to the 'Security' item and open the Security menu. The status is 'IPsec is enabled'
4. Click 'Next' several times to open the IPsec window
Note: Enter the password if required (depending on the configuration of the access to the Security menu).
5. Select 'Disabled' to deactivate IPsec
6. Click 'Next' to the end of the procedure
7. Restart the controller

Result
IPsec is disabled. After the restart, you will be able to open the Océ Express WebTools remotely from a workstation (HTTP).
Because this procedure only needs access to the printer panel (plus the Security menu password when one is set), set that password: otherwise anyone standing at the printer can switch IPsec off.
Prevent USB Direct Print and Scan to USB

How to prevent 'Print from USB'

Introduction
You can disable any access to the USB device by preventing printing from / scanning to the USB device.

Illustration [60] USB direct print: Disabled

How to disable the 'USB direct print' feature
1. Open a web browser and enter the system URL, http://<hostname>, to open the Océ Express WebTools
2. Open the 'Preferences' - 'System settings' page and select the 'Printer properties' section
3. Go to the 'USB direct print' setting
4. Click on the value to open the 'USB direct print' window
5. Log in
6. Select 'Disabled' and 'Ok'
How to prevent 'Scan to USB'

Introduction
You can neutralise the 'Scan to File to USB storage device' capability. To prevent scanning to a USB destination you must:
1. Disable any 'USB stick' scan destination
2. Remove the USB destination from all scan templates
Both steps are required: disabling the destination alone leaves templates that still reference 'USB stick', and editing the templates alone leaves the destination selectable.

Purpose
Prevent any user from scanning to a USB device.

Illustration [61] Disable the 'Scan to USB'

1- Disable any 'USB stick' scan destination
1. Open a web browser and enter the system URL, http://<hostname>, to open the Océ Express WebTools
2. Open the 'Configuration' - 'Scan destinations' page
3. Edit 'Scan destination 2: Local to USB storage device'
4. Uncheck the setting 'Scan destination 2 enabled' and click 'Ok'
5. For each scan destination from 'Scan destination 3' to 'Scan destination 10', make sure that the scan destination type is NOT 'Local to USB storage device'

2- Remove the USB destination from all scan templates
1. In Océ Express WebTools open the 'Preferences' - 'Scan job defaults' page
2. In each 'Scan template: File' section, check that the 'Destination' is not 'USB stick'
3. When the destination is 'USB stick', edit the setting to change it
Chapter 4 Security features on the Océ ColorWave 600
Overview

Security overview for the Océ ColorWave 600 system

Introduction
The Océ ColorWave 600 has been designed around the Linux operating system, which is less prone to security threats than Microsoft systems. Nevertheless, every new release of the system embeds the latest security fixes. Moreover, the Océ ColorWave 600 offers the following security features:

Security overview
Operating System: Linux
Firewall: Yes
Network protocols protection: Yes (per protocol, through the firewall)
OS and software integrity: Yes
Antivirus: No
IPv6: Yes
Password protection: Yes
- Configuration settings password
- Local user interface pincode
System and Network security

Ports - Protocols

Applications, protocols and ports used on the Océ ColorWave 600

Printing applications: ports and protocols used by the system
Application / Functionality          Port used on the controller: protocol                                                                           Remarks
Océ Windows Printer Driver (WPD)     515: LPR; 65200: Océ back-channel (*); 80: HTTP (for advanced accounting); UDP 515: Océ protocol for Printer Discovery   Océ ColorWave 600 R1.3.1 and higher for Printer Discovery
Océ PostScript 3 driver              515: LPR
Océ Publisher Express                80: HTTP
Publisher Select                     80: HTTP
Océ Reprodesk Studio                 515: LPR; 65200: Océ back-channel (*)
Novell NDPS printing                 515: LPR
LPR printing                         515: LPR
FTP printing                         21: FTP; 4242 (data channel in FTP passive mode)
Océ Publisher Copy                   80: HTTP
The original Remarks column also carries 'For IPv4 only' against one row; the source does not preserve which.

* Océ back-channel is an Océ proprietary protocol used to retrieve information from the printer (status, media loaded...) and display it in the application or driver.

Control management: ports and protocols used by the system
Application / Functionality                        Port used on the controller: protocol    Remarks
PING                                              ICMP (incoming echo request only)
SNMP based applications                           UDP 161: SNMP
Name resolution                                   UDP 53: DNS
Océ Express WebTools                              80: HTTP
Océ Account Center / Advanced accounting (WPD)    80: HTTP
Accounting information retrieval by FTP           21: FTP; 4242: FTP passive mode
Océ Service Logic                                 80: HTTP
Océ Meter Manager                                 UDP 161: SNMP                            Océ ColorWave 600 R1.3.1 and higher
The original Remarks column also carries 'For NEW and ESTABLISHED connection only' against two rows; the source does not preserve which.
Protocol protection

Network protocols protection

Introduction
On the Océ ColorWave 600 system, you can completely disable some protocols in order to protect them against attacks.

List of network protocols
Protocol       Available protection
FTP            Yes. Can be disabled*
SNMP           Yes. Can be disabled*
LPD            Yes. Can be disabled*
Backchannel    Always enabled (Océ proprietary protocol)
HTTP           No, always enabled
ICMP           No, always enabled
DNS            No, always enabled

* To disable a network protocol, go to the Configuration / Connectivity section of the Océ Express WebTools and uncheck the protocol. Disable any of the three protocols that your printing applications do not need; the tables above show which application uses which port.
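The two port tables and the protocol-protection table above together define what a ColorWave 600 controller should expose. The following Python code is an added example, not part of the Océ manual: it compares an nmap grepable-output (-oG) scan of the controller against that list and reports anything open that the tables do not document, plus documented ports that are absent (which is how you verify that a protocol you unchecked is actually gone). The sample scan text is constructed for the example, the controller address 192.0.2.10 is a documentation-range placeholder, and probe_tcp is a plain connect() check for when nmap is not available.

```python
"""Audit a ColorWave 600 controller's exposed ports against the manual's tables.

Added example, not from the Océ manual. EXPECTED is transcribed from the
tables above; SAMPLE_SCAN is constructed, not a real capture.
"""
import re
import socket

# (proto, port) -> (what the manual lists it for, what the manual says about disabling it)
EXPECTED = {
    ("tcp", 21):    ("FTP printing / accounting retrieval", "can be disabled (Configuration / Connectivity)"),
    ("tcp", 80):    ("HTTP: Express WebTools, Publisher, accounting, Service Logic", "always enabled"),
    ("tcp", 515):   ("LPR/LPD printing", "can be disabled (Configuration / Connectivity)"),
    ("tcp", 4242):  ("FTP passive-mode data channel", "goes away with FTP"),
    ("tcp", 65200): ("Océ back-channel (proprietary)", "always enabled"),
    ("udp", 161):   ("SNMP: monitoring applications, Meter Manager", "can be disabled (Configuration / Connectivity)"),
    ("udp", 515):   ("Océ Printer Discovery for WPD (R1.3.1 and higher)", "not separately listed"),
}

# One "port/state/proto/owner/service/rpc/version/" field of an nmap -oG "Ports:" list.
_PORT_FIELD = re.compile(r"(\d+)/(open|open\|filtered)/(tcp|udp)//([^/]*)/")


def parse_nmap_grepable(text: str) -> set:
    """Return the {(proto, port)} that nmap reported as open or open|filtered."""
    found = set()
    for line in text.splitlines():
        if line.startswith("#") or "Ports:" not in line:
            continue   # skip nmap's comment header and the 'Status: Up' host line
        for port, _state, proto, _service in _PORT_FIELD.findall(line):
            found.add((proto, int(port)))
    return found


def audit(open_ports: set, expected: dict = EXPECTED) -> dict:
    """Split observed ports into documented, unexpected and missing sets."""
    documented = {p for p in open_ports if p in expected}
    return {
        "documented": documented,
        "unexpected": open_ports - documented,      # listeners the manual does not describe
        "missing": set(expected) - open_ports,      # documented ports not seen (disabled or filtered)
    }


def probe_tcp(host: str, ports, timeout: float = 1.0) -> set:
    """Live TCP connect check for use against the real controller when nmap is unavailable."""
    found = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.add(("tcp", port))
    return found


# Constructed sample: a controller with FTP disabled and an undocumented telnet listener.
SAMPLE_SCAN = (
    "# Nmap 5.51 scan initiated as: nmap -sS -sU -p T:21,23,80,515,4242,65200,U:161,515 -oG - 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, "
    "515/open/tcp//printer///, 65200/open/tcp/////, 161/open|filtered/udp//snmp///\t"
    "Ignored State: closed (3)\n"
)
```

With the sample, audit(parse_nmap_grepable(SAMPLE_SCAN)) flags TCP 23 as unexpected and reports TCP 21 and 4242 (and UDP 515) as missing, which is the expected picture for a controller with FTP unchecked. Anything in the unexpected set deserves an explanation before the printer goes on a production network; anything documented but missing should match a protocol you deliberately disabled.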
Operating system and software protection

OS and software protection

Introduction
On the Océ ColorWave 600 the operating system and software are stored on read-only partitions to guarantee OS and software integrity at each reboot.

Description
At power on, the original Océ ColorWave 600 system software is loaded. This original system software cannot be modified (except when using the Océ procedures for update).
Any exploit of a security vulnerability can only affect temporary files. A reboot of the system brings it back to the original, genuine software.
Note that this protects against persistence, not against a running compromise: until the controller is rebooted, whatever access an attacker gained through such an exploit remains in place.
Roles and Passwords

Roles and profiles in the Océ ColorWave 600

Roles description
Four different roles exist in the product. Each of them can configure or modify some system settings. The roles are:

Key operator: manages the jobs and the device settings.
System administrator: manages the configuration settings, such as the network settings.
Power user: has the rights of both the Key operator and the System administrator.
Océ service: used exclusively by the Océ Service Technician.
Passwords policy and behaviour in the Océ ColorWave 600

Introduction
There are two groups of passwords:
The passwords used in Océ Express WebTools
The passwords used in the printer Local User Interface (LUI)

Passwords used in Océ Express WebTools
In Océ Express WebTools the passwords protect the roles.

Password modification table for Océ ColorWave 600

Password for             Can be changed by
Key operator             Key operator or Power user
System administrator     System administrator or Power user
Power user               Power user

Password policy
256 characters maximum
Any digit [0-9]
Any lowercase or uppercase letter [a-z][A-Z]
The following special characters: _ - ~ ! @ # $ % ^ * ? { } ( ) = + , . ; : [ ] / \

Password used on the Océ Local User Interface
The LUI password to change the Network Settings can be changed by the System administrator or the Power user.

Password backup/restore policy with the 'Save Set' / 'Open Set' features
The password used to change the Network Settings is stored encrypted in the backup set made with the 'Save Set' feature of Océ Express WebTools. The role passwords are not stored in the backup set.
Note:
When a password is configured as 'No password', the value 'Auto' (meaning 'No password') is stored in the backup file. It is not encrypted.
The passwords are stored in the backup file whatever the login used for the 'Save Set' operation (System administrator, Key operator or Power user).
The passwords are restored only when the System administrator or the Power user performs the 'Open Set' operation.
When a password has been stored with the 'Auto' value, it is restored with the 'No password' value.

Because any of the three roles can produce a set that contains the encrypted Network Settings password, and because the file shows in clear which passwords are unset, treat backup sets as sensitive files and restrict who can read them.
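The policy table above is easy to get wrong by hand (a space, a quote or a pipe is rejected by the controller, and a role left at 'No password' is exactly what the backup note warns about). As an added example, not code from the Océ manual or from Océ, the policy written as a validator plus a generator that produces role passwords from the allowed character set; the function names and the default length are this example's own choices.

```python
"""Océ Express WebTools role-password policy (Océ ColorWave 600) as code.

Added example, not from the manual: check_policy rejects anything the policy
table does not allow, generate_password produces a random password that
satisfies it for the Key operator, System administrator and Power user roles.
"""
import secrets
import string

MAX_LEN = 256
# Special characters listed in the policy table (no space, quotes, &, |, <, >).
SPECIALS = "_-~!@#$%^*?{}()=+,.;:[]/\\"
ALPHABET = string.digits + string.ascii_letters + SPECIALS
ALLOWED = set(ALPHABET)


def check_policy(password):
    """Return (True, "") if `password` is acceptable to the controller,
    otherwise (False, reason)."""
    if not password:
        return False, "empty: the role would be left at 'No password'"
    if len(password) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    bad = sorted({c for c in password if c not in ALLOWED})
    if bad:
        return False, "characters not in the policy: " + " ".join(repr(c) for c in bad)
    return True, ""


def generate_password(length=24):
    """Random password from the allowed set, drawn from the OS CSPRNG."""
    if not 1 <= length <= MAX_LEN:
        raise ValueError(f"length must be between 1 and {MAX_LEN}")
    pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
    ok, reason = check_policy(pw)
    assert ok, reason  # holds by construction
    return pw


if __name__ == "__main__":
    # One password per role that can be protected in Express WebTools.
    for role in ("Key operator", "System administrator", "Power user"):
        print(f"{role}: {generate_password()}")
```

The policy sets no minimum length and no complexity rule, so the validator enforces only what the table states; the generator's default of 24 characters is a choice of this example, not a requirement of the controller.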
Index

A
Antivirus
  Océ ColorWave 300 ... 74
  Océ PlotWave 300 ... 74
  Recommendations ... 33

C
CA-signed certificate
  Overall procedure ... 47
Certificate
  Backup ... 49
  Error messages ... 57
  Import ... 52
  Request ... 50
  Reset ... 56
  Restore ... 55

D
Data encryption ... 39

E
E-shredding
  Activation ... 81
  Algorithms ... 79
  Behaviour ... 83
  Enable ... 81
  Presentation ... 79

H
HTTPS
  CA-signed certificate ... 47
  Certificates ... 39
  Data encryption ... 39
  Océ Print Exec Workgroup ... 39
  Océ Remote Security ... 41
  Self-signed certificate ... 42
HTTPS on PEWG
  Configuration ... 41

I
IPsec
  Controller configuration ... 87
  Océ Express WebTools settings ... 85
  Presentation ... 84
  Workstation configuration ... 90

K
Knowledgebase ... 10

M
Microsoft flaws ... 23

O
Océ Remote Patch ... 24, 65
Océ Security Patch ... 23
Océ security policy ... 8
OS and software protection
  Océ ColorWave 600 ... 112

P
Password
  Backup ... 77, 114
  LUI password ... 114
  LUI passwords ... 76
  Restore ... 77, 114
Password policy
  Océ ColorWave 600 ... 114
  Océ PlotWave 300, Océ ColorWave 300 ... 76
  Océ TCS300 ... 37
  Océ TDS/TCS/TC systems ... 35
Ports and protocols ... 16, 61

R
Roles
  Roles ... 75, 113
  Océ TCS300 ... 37
  Océ TDS/TCS/TC systems ... 35

S
Scan to USB
  Neutralize ... 104
Security levels
  Available applications ... 16, 61, 109
  Available protocols ... 16, 61, 109
  Ports ... 16, 61
  Presentation ... 26, 68

U
USB direct print
  Disabled ... 103

W
Website
  downloads ... 10
  URL ... 10
Wizard: Security ... 70
Beyond the Ordinary
Printing for Professionals

Creating global leadership in printing
Canon and Océ have joined forces to create the global leader in the printing industry. For our customers this combines Canon and Océ technology with the support of the Océ direct sales and service organisations. Look to the new Canon-Océ combination for:
Enterprise printing in the office and corporate printroom
Large format printing of technical documentation, signage and display graphics
Production printing for marketing service bureaus and graphic arts
Business Services for document process outsourcing

2011 Océ. Illustrations and specifications do not necessarily apply to products and services offered in each local market. Technical specifications are subject to change without prior notice. Trademarks mentioned in this document are the property of their respective owners.
For more information visit us at: www.oce.com
2011-01 GB