Microsoft, Windows, and Internet Explorer are trademarks or registered trademarks of Microsoft
Corporation in the U.S. and other countries.
All product/brand names are trademarks or registered trademarks of the respective holders.
Important
1. This manual is copyrighted with all rights reserved. Under the copyright laws, this manual may not be
copied or modified in whole or part, without the written consent of the publisher.
2. Parts of this manual are subject to change without prior notice.
3. We welcome any comments on ambiguities, errors, omissions, or missing pages.
4. Never attempt any procedure on the machine that is not specifically described in this manual.
Unauthorized operation can cause faults or accidents. Fuji Xerox is not liable for any problems resulting
from unauthorized operation of the equipment.
An export of this product is strictly controlled in accordance with Laws concerning Foreign Exchange and
Foreign Trade of Japan and/or the export control regulations of the United States.
XEROX, the sphere of connectivity design, CentreWare, ApeosWare, and EasyAdmin are trademarks or
registered trademarks of Xerox Corporation in the U.S. or Fuji Xerox Co., Ltd.
Before Using the Security Function
Preface
This guide is intended for the manager and system administrator of the organization where
the machine is installed, and describes the setup procedures related to security.
For general users, this guide describes the operations related to security features.
For information on the other features available for the machine, refer to the following
guidance.
Note The hash values of the PDF files are described in the Security Target disclosed at the FujiXerox AsiaPacific (http://www.fxap.com.sg/product/) and the JISEC (http://www.ipa.go.jp/security/jisec/jisec_e/) website. Please check that the hash values of your manuals are correct.
The manual number might be changed when the manual content is updated.
The security features of the ApeosPort-V C7775/C6675/C5575/C4475/C3375/C3373/
C2275, DocuCentre-V C7775/C6675/C5575/C4475/C3375/C3373/C2275 are supported by
the following ROM version.
Controller ROM Ver. 1.0.14
Important
The machine has obtained IT security certification for Common Criteria EAL3.
This certifies that the target of evaluation has been evaluated based on certain evaluation
criteria and methods, and that it conforms to the security assurance requirements.
Note, however, that your ROM and guidance may not be the certified version because they may
have been updated along with machine improvements.
Security Features
ApeosPort-V and DocuCentre-V have the following security features:
• Hard Disk Data Overwrite
• Hard Disk Data Encryption
• User Authentication
• System Administrator's Security Management
• Customer Engineer Operation Restriction
• Security Audit Log
• Internal Network Data Protection
• FAX Flow Security
• Self Test
• IPSec: Set to enabled.
• SNMP v1/v2c: Set to disabled.
• SNMP v3: Set to enabled.
• S/MIME: Set to enabled.
• Audit Log: Set to enabled.
Important The security will not be warranted if you do not correctly follow the above setting instructions.
The Fax Flow Security feature requires no special setting by the System Administrator.
When you set Data Encryption [On] again, enter an encryption key of 12 characters.
SSL/TLS
For the SSL client (Web browser) and the SSL server that communicate with the machine,
select a data encryption suite from the following.
• SSL_RSA_WITH_RC4_128_SHA
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA256
(The recommended browser is Microsoft Internet Explorer 6/7/8/9)
S/MIME
For the machine and E-mail clients, select an Encryption Method/Message Digest Algorithm
from the following.
• RC2/128bit, 3Key Triple-DES/168bit, AES/128bit, AES/192bit, AES/256bit
• SHA1, SHA256
IPSec
For the IPSec host that communicates with the machine, select an Encryption Method/Message Digest Algorithm from the following.
• AES(128bit)/SHA1
• 3Key Triple-DES(168bit)/SHA1
SNMP v3
The encryption method of SNMPv3 is DES/56bit or AES 128bit. Set [Message Digest
Algorithm] to [SHA1].
Important
For secure operation, while you are using CentreWare Internet Services, do not access other
web sites and do not use other applications.
For secure operation, when you change [Authentication Type], or prior to disposing of the
machine, initialize the hard disk by resetting [Data Encryption] and changing the
[encryption key].
To guard against SSL vulnerabilities, add the machine's address to the proxy exclusion
list of the browser.
With this setting, the machine and the remote browser communicate directly without a proxy
server, so secure communication is ensured and man-in-the-middle attacks can be prevented.
Because DocuCentre-V does not have the S/MIME function, do not use E-mail and
Internet Fax.
Settings for the Secure Operation 1 (Initial Settings Procedures Using Control Panel)
This section describes the initial settings related to security features, and how to set them
on the machine's control panel.
5 Enter a new passcode of 9 or more characters using the keyboard displayed, and then
select [Save].
6 Select [Retype Passcode].
7 Enter the same passcode using the keyboard displayed, and then select [Save].
8 Select [Save].
9 In the [Do you want to change the System Administrators Passcode?] screen, select [Yes].
Set Authentication
Settings for the Secure Operation 2 (Initial Settings Procedures Using CentreWare Internet Services)
This section describes the initial settings related to security features, and how to set them
on CentreWare Internet Services.
1 Open your Web browser, enter the TCP/IP address of the machine in the Address or
Location field, and press the <Enter> key.
2 Enter the System Administrator's ID and the passcode if prompted.
3 Display the [Properties] screen by clicking the [Properties] tab.
Set IPP
Set SSL/TLS
6 Click [Import].
Set IPSec
Before setting [Digital Signature] for [IKE Authentication Method], you need to import an
IPSec certificate according to the same procedure as "Configuring Machine Certificates"
(P.14).
1 Enter the IP Address in the [Specify Destination IPv4 Address] box on the [IPSec] screen.
2 Enter the IP Address in the [Specify Destination Ipv6 Address] box.
3 Select [Enabled] or [Disabled] from the [Communicate with Non-IPSec Device] drop-down
list.
4 Click [Apply].
5 Click [Reboot Machine].
Set SNMPv3
Set S/MIME
To use E-mail with this machine, the E-mail function needs to be enabled and configured as
described in the Administrator Guide's "8 E-mail Environment Settings".
Before making the S/MIME setting, you need to import an S/MIME certificate according to
the same procedure as "Configuring Machine Certificates" (P.14).
Settings for the Secure Operation 3 (Regular Review by Audit Log)
This section describes the setting procedure and the importing method of the Audit Log
feature using the System Administrator client via CentreWare Internet Services.
The Audit Log is regularly reviewed by the Security Administrator, often with the aid of third
party analyzing tools. The audit log helps to assess attempted security breaches, identify
actual breaches, and prevent future breaches.
The important events of the machine such as device failure, configuration change, and user
operation are traced and recorded based on when and who operated what function.
Auditable events are stored with time stamps into NVRAM. When the number of stored events
reaches 50, the 50 logs on NVRAM are stored into one file ("audit log file") within the internal
HDD. Up to 15,000 events can be stored. When the number of recorded events exceeds 15,000,
the oldest audit log file is overwritten and a new audit event is stored.
There is no deletion function.
1 Open your Web browser, enter the TCP/IP address of the machine in the Address or
Location field, and press the <Enter> key.
2 Supply the Administrator ID and Password, when prompted.
3 Click the [Properties] tab.
4 Click [Security].
5 Click [Audit Log].
6 Check the [Enabled] box for [Audit Log].
7 Click [Apply].
1 Open your Web browser, enter the TCP/IP address of the machine in the Address or
Location field, and press the <Enter> key.
2 Enter the system administrator's ID and Password if prompted.
3 Click the [Properties] tab.
4 Click [Security].
5 Click [Audit Log].
6 Click [Export as text file] for [Export Audit Log].
The following information is recorded in the imported audit log data. Check it regularly for
breaches or attempted breaches by unauthorized access.
• Log ID: Consecutive numbers as an audit log identifier
• Date/Time: The date and time when an event was recorded
• Logged Events: Various acts and processing object storing audit log
• User Name: The user name that generated an auditable event
• Description: Description of events
• Status: Status or result of event processing
• Optionally Logged Items: Additional information recorded to audit log (except common record items)
e.g.: The following audit log is recorded when someone tried to log in by ID (User1), and the
login failed due to an invalid password.
Item                      Description
Log ID                    1
Date                      01/01/2014
Time                      10:00:00
Logged Events             Login/Logout
User Name                 User1
Description               Login
Status                    Failed (Invalid Password)
Optionally Logged Items   -
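One way to automate the regular review described above, as an added example that is not part of the Fuji Xerox guide: it parses an exported audit log, reports users whose consecutive failed logins reach a threshold, and reports gaps in the consecutive Log IDs. The tab-separated layout, the column order, the "Success" status string and all function names are assumptions; the threshold of 5 mirrors the value the Appendix lists for [Maximum Login Attempts By System Administrator].

```python
import csv
import io

# Column order follows the record items listed in this guide (assumed layout).
FIELDS = ["log_id", "date", "time", "event", "user",
          "description", "status", "optional"]

# Constructed sample; tab-separated export and the "Success" status are assumptions.
SAMPLE = "\n".join([
    "1\t01/01/2014\t10:00:00\tLogin/Logout\tUser1\tLogin\tFailed (Invalid Password)\t-",
    "2\t01/01/2014\t10:00:05\tLogin/Logout\tUser1\tLogin\tFailed (Invalid Password)\t-",
    "3\t01/01/2014\t10:00:07\tLogin/Logout\tUser2\tLogin\tSuccess\t-",
    "4\t01/01/2014\t10:00:09\tLogin/Logout\tUser1\tLogin\tFailed (Invalid Password)\t-",
    "5\t01/01/2014\t10:00:12\tLogin/Logout\tUser1\tLogin\tFailed (Invalid Password)\t-",
    "6\t01/01/2014\t10:00:15\tLogin/Logout\tUser1\tLogin\tFailed (Invalid Password)\t-",
    "9\t01/01/2014\t10:05:00\tLogin/Logout\tUser1\tLogin\tSuccess\t-",
])

def parse_audit_log(text):
    """Return the exported records as dicts, sorted by Log ID."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS, delimiter="\t")
    rows = [dict(r, log_id=int(r["log_id"])) for r in reader]
    return sorted(rows, key=lambda r: r["log_id"])

def max_failed_streaks(rows):
    """Longest run of consecutive failed logins per user; any other login result resets it."""
    current, longest = {}, {}
    for r in rows:
        if r["event"] != "Login/Logout" or r["description"] != "Login":
            continue
        user = r["user"]
        failed = r["status"].startswith("Failed")
        current[user] = current.get(user, 0) + 1 if failed else 0
        longest[user] = max(longest.get(user, 0), current[user])
    return longest

def log_id_gaps(rows):
    """Log IDs are consecutive, so a jump means records are missing from this export."""
    ids = [r["log_id"] for r in rows]
    return [(a + 1, b - 1) for a, b in zip(ids, ids[1:]) if b != a + 1]

def review(text, threshold=5):
    rows = parse_audit_log(text)
    streaks = max_failed_streaks(rows)
    flagged = sorted(u for u, n in streaks.items() if n >= threshold)
    return {"flagged_users": flagged, "missing_log_ids": log_id_gaps(rows)}
```

Calling `review(SAMPLE)` flags User1 and reports Log IDs 7 to 8 as missing; a gap can mean the oldest audit log file was overwritten before it was exported.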
User Authentication
Appendix
Passcode].
Set Maximum Login Attempts | [Authentication/Security Settings] > [Authentication] > [Maximum Login Attempts By System Administrator] | [Security] > [System Administrator Settings] | - | 5
Set Service Rep.Restricted Operation | [System Settings] > [Common Service Settings] > [Other Settings] > [Service Rep.Restricted Operation]. | [Security] > [Service Representative Restricted Operation] | - | Off
Set Overwrite Hard Disk | [Authentication/Security Settings] > [Overwrite Hard Disk] | - | - | 3
Set Data Encryption | [System Settings] > [Common Service Settings] > [Other Settings] > [Data Encryption]. | - | - | Off
Set Authentication | [Authentication/Security Settings] > [Authentication] > [Login Type]. | [Security] > [Authentication Configuration] | [Settings] > [General Device Settings] > [Access Permissions] > [Login Setup/Auditron] > [Login Setup/Auditron mode] | Off
Set Access Control | [Authentication/Security Settings] > [Authentication] > [Access Control] | [Security] > [Authentication Configuration] | - | Off
ApeosPort-V C7775/C6675/C5575/C4475/C3375/C3373/C2275
DocuCentre-V C7775/C6675/C5575/C4475/C3375/C3373/C2275
Security Function Supplementary Guide
ME6371E2-2 (Edition 1)
August 2014
Fuji Xerox Co., Ltd. Copyright 2014 by Fuji Xerox Co., Ltd.