Xerox 3550 manual Port 88, Kerberos, Ports 137, 138, 139, Netbios

Page 18

XEROX WorkCentre 3550 Information Assurance Disclosure Paper

2.8.2.5. Port 88, Kerberos

This port is open only while the device is communicating with the Kerberos server to authenticate a user, and it is used only to authenticate users in conjunction with the Network Scanning feature. To close this port, authentication must be disabled; this is done via the Local User Interface.

This version of the software includes Kerberos 5.1.1 using DES (Data Encryption Standard), a 64-bit block cipher with a 56-bit key. Single DES is deprecated for Kerberos (RFC 6649) and is disabled by default on current KDCs, so this feature requires the KDC to permit DES encryption types for the accounts involved. The Kerberos code is limited to user authentication: it verifies, against a given Kerberos server, that the user is a valid user on the network. Note that the Kerberos server (a third-party system) must hold an account for each user who will authenticate at the device. Once the user is authenticated, the Kerberos software has completed its task. This code will not and cannot be used to encrypt or decrypt documents or other information.
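The DES claim above is something a practitioner can verify on the wire rather than take on trust: the encryption types a Kerberos client is willing to use appear unencrypted in the etype list of its AS-REQ on port 88. The following Python is an added example, not code from this paper or from Xerox. It builds a constructed AS-REQ with a minimal DER encoder (the user name `scanner`, realm `EXAMPLE.COM` and nonce are invented), then decodes the etype list back out of it and flags single DES and RC4 as weak, which is a policy assumed here, not one the paper states. The decoder side applies unchanged to a real AS-REQ captured from the device.

```python
"""Decode the etype list in a Kerberos AS-REQ (RFC 4120) and flag weak types.

Added example; the AS-REQ is constructed here, not captured from a device.
"""

# Encryption type numbers from the RFC 3961 / RFC 4120 registry.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
# Policy assumed for this example: single DES (deprecated by RFC 6649) and RC4.
WEAK_ETYPES = {1, 2, 3, 23, 24}


# --- minimal DER encoder, just enough to build a KDC-REQ ----------------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def der_int(n: int) -> bytes:
    """INTEGER, minimal two's-complement encoding."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def ctx(n: int, content: bytes) -> bytes:
    """[n] EXPLICIT context-specific tag, as Kerberos uses throughout."""
    return tlv(0xA0 | n, content)


def kstr(s: str) -> bytes:
    """KerberosString is a GeneralString (tag 0x1B)."""
    return tlv(0x1B, s.encode("ascii"))


def principal(*parts: str) -> bytes:
    """PrincipalName with name-type 1 (NT-PRINCIPAL)."""
    return seq(ctx(0, der_int(1)), ctx(1, seq(*(kstr(p) for p in parts))))


def build_as_req(user: str, realm: str, etypes) -> bytes:
    """Constructed AS-REQ: the mandatory KDC-REQ-BODY fields plus an etype list."""
    body = seq(
        ctx(0, tlv(0x03, b"\x00\x40\x00\x00\x00")),  # kdc-options: forwardable
        ctx(1, principal(user)),                      # cname
        ctx(2, kstr(realm)),                          # realm
        ctx(3, principal("krbtgt", realm)),           # sname
        ctx(5, tlv(0x18, b"20110301120000Z")),        # till (GeneralizedTime)
        ctx(7, der_int(123456)),                      # nonce (invented)
        ctx(8, seq(*(der_int(e) for e in etypes))),   # etype SEQUENCE OF Int32
    )
    # AS-REQ ::= [APPLICATION 10] KDC-REQ; pvno 5, msg-type 10 (KRB_AS_REQ)
    return tlv(0x6A, seq(ctx(1, der_int(5)), ctx(2, der_int(10)), ctx(4, body)))


# --- minimal DER decoder ------------------------------------------------------
def parse(buf: bytes, pos: int = 0):
    """Return ((tag, payload), next_pos); payload is child nodes or raw bytes."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if tag & 0x20:                         # constructed: recurse into children
        children = []
        while pos < end:
            node, pos = parse(buf, pos)
            children.append(node)
        return (tag, children), end
    return (tag, buf[pos:end]), end


def child(node, tag: int):
    for c in node[1]:
        if c[0] == tag:
            return c
    raise ValueError(f"tag 0x{tag:02X} not present")


def requested_etypes(as_req: bytes):
    """Walk [APPLICATION 10] -> KDC-REQ -> req-body [4] -> etype [8]."""
    root, _ = parse(as_req)
    if root[0] != 0x6A:
        raise ValueError("not a KRB_AS_REQ")
    kdc_req = root[1][0]
    body = child(child(kdc_req, 0xA4), 0x30)
    etype_seq = child(child(body, 0xA8), 0x30)
    return [int.from_bytes(v, "big", signed=True) for _, v in etype_seq[1]]


def audit_etypes(as_req: bytes) -> dict:
    etypes = requested_etypes(as_req)
    return {
        "requested": etypes,
        "names": [ETYPE_NAMES.get(e, f"etype {e}") for e in etypes],
        "weak": [e for e in etypes if e in WEAK_ETYPES],
    }


if __name__ == "__main__":
    # A DES-only client, as the paper describes, next to an AES-capable one.
    for label, etypes in (("DES client", [1, 3]), ("AES client", [18, 17])):
        print(label, audit_etypes(build_as_req("scanner", "EXAMPLE.COM", etypes)))
```

Only the tags the walk needs are interpreted; everything else in the request is carried through opaquely, so the same walk works on a request that also has padata or address fields.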

This feature is based on the Kerberos implementation from the Massachusetts Institute of Technology (MIT). The Kerberos network authentication protocol software is publicly available at http://web.mit.edu/kerberos/www/. Xerox has determined that there are no export restrictions on this version of the software. However, the Xerox version of Kerberos deviates from the standard MIT implementation in a few ways. These deviations are:

1) The device does not keep the user's initial authentication and key after the user has been authenticated. In a standard Kerberos implementation, once a user is authenticated, the client holds the credentials for a configured lifetime (a typical default is 12 hours) or until the user destroys them before that lifetime ends. In the Xerox implementation, all traces of the user's Kerberos authentication are removed as soon as the user has been authenticated to the device. The user can then submit any number of jobs until logging off the device, either manually or through the system timeout.

2) The device ignores clock skew errors. In a standard Kerberos implementation, authentication fails if the device clock differs from the Kerberos server's by 5 minutes or more. The timestamps in Kerberos messages bound replay: a captured authentication message is honored only while it falls within that skew window, so an attacker who intercepts one has at most 5 minutes to reuse it, or to recover the key behind it and forge a fresh one, before it becomes invalid. It was determined during the implementation of Kerberos for this device that it would be too difficult for the user/SA to keep the device clock in sync with the Kerberos server, so the Xerox instantiation of Kerberos has the clock skew check removed. The disadvantage is that this removes the time bound and gives a malicious user unlimited time to work on the user's key. Xerox considers this acceptable because the device uses the key only to access its Network Scanning features; note, however, that a Kerberos user's long-term key is derived from that user's network password, so if the long-term key itself is recovered, its usefulness is not limited to the device.

3) The device ignores much of the information that Kerberos returns during authentication. For the most part, the device looks only at whether authentication passed. Other information the server may return (e.g. which services the user is authorized for) is ignored or disabled in the Xerox implementation. This is not an issue because the only service the user is authenticated for is access to an e-mail directory; no other network services are accessible from the Local UI.
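Deviation 2 above concerns the clock skew rule of RFC 4120: a Kerberos server honors an authenticator only if its timestamp lies within the allowed skew (5 minutes by default) of the server's clock, and it keeps a replay cache of authenticators seen inside that window, which the skew check lets it keep small. The following Python is an added example, not device code and not MIT's code. It models that acceptance check as a small validator, runs one captured authenticator through a standard validator and through one with the skew check removed, as the paper says the device's implementation does, and shows that without the window a captured authenticator stays usable indefinitely once the replay cache is gone. The principal, timestamps and ticket lifetime are constructed.

```python
"""Kerberos time checks (RFC 4120 section 3.2.3): the clock skew window and the
replay cache it bounds. Added example; the validator is a model, not device code."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

DEFAULT_CLOCK_SKEW = 300  # seconds; the 5-minute window the paper refers to


@dataclass
class Authenticator:
    """The authenticator fields that the time and replay checks consume."""
    client: str
    ctime: int   # client's timestamp, seconds since the epoch
    cusec: int   # microseconds; (client, ctime, cusec) identifies the message


@dataclass
class Validator:
    """Accept or reject authenticators presented with one ticket.
    clock_skew=None models an implementation with the skew check removed."""
    ticket_start: int
    ticket_end: int
    clock_skew: Optional[int] = DEFAULT_CLOCK_SKEW
    seen: Set[Tuple[str, int, int]] = field(default_factory=set)

    def accept(self, auth: Authenticator, now: int) -> Tuple[bool, str]:
        key = (auth.client, auth.ctime, auth.cusec)
        if key in self.seen:
            return False, "KRB_AP_ERR_REPEAT"
        if self.clock_skew is not None:
            if abs(now - auth.ctime) > self.clock_skew:
                return False, "KRB_AP_ERR_SKEW"
            if now < self.ticket_start - self.clock_skew:
                return False, "KRB_AP_ERR_TKT_NYV"
            if now > self.ticket_end + self.clock_skew:
                return False, "KRB_AP_ERR_TKT_EXPIRED"
            # Anything older than the window fails the skew check anyway, so the
            # replay cache only has to remember the last clock_skew seconds.
            self.seen = {k for k in self.seen if now - k[1] <= self.clock_skew}
        self.seen.add(key)
        return True, "OK"


def replay_window_demo() -> dict:
    """Replay one captured authenticator against both behaviours."""
    t0 = 1_300_000_000                         # constructed timestamp
    captured = Authenticator("alice@EXAMPLE.COM", t0, 4711)
    out = {}
    for label, skew in (("standard", DEFAULT_CLOCK_SKEW), ("skew check removed", None)):
        v = Validator(ticket_start=t0 - 60, ticket_end=t0 + 36000, clock_skew=skew)
        first = v.accept(captured, t0 + 2)
        immediate = v.accept(captured, t0 + 30)
        # A fresh validator models a service restarted two hours on: its replay
        # cache is gone and only the time checks remain.
        fresh = Validator(ticket_start=t0 - 60, ticket_end=t0 + 36000, clock_skew=skew)
        later = fresh.accept(captured, t0 + 7200)
        out[label] = {"first use": first, "replay at +30s": immediate,
                      "replay at +2h, no cache": later}
    return out


if __name__ == "__main__":
    for label, results in replay_window_demo().items():
        print(label)
        for case, (ok, reason) in results.items():
            print(f"  {case:26s} {'accept' if ok else 'reject'} ({reason})")
```

The replay cache catches the immediate replay in both configurations; the difference appears once the cache is gone, where the standard validator still rejects the two-hour-old authenticator on skew and the skew-less one accepts it.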

Xerox has received an opinion from its legal counsel that the device software, including the implementation of a Kerberos encryption protocol in its network authentication feature, is not subject to encryption restrictions based on Export Administration Regulations of the United States Bureau of Export Administration (BXA). This means that it can be exported from the United States to most destinations and purchasers without the need for previous approval from or notification to BXA. At the time of the opinion, restricted destinations and entities included terrorist-supporting states (Cuba, Iran, Libya, North Korea, Sudan and Syria), their nationals, and other sanctioned entities such as persons listed on the Denied Parties List. Xerox provides this information for the convenience of its customers and not as legal advice. Customers are encouraged to consult with legal counsel to assure their own compliance with applicable export laws.

2.8.2.6. Ports 137, 138, 139, NETBIOS

For print jobs, these ports support the submission of files for printing as well as Network Authentication through SMB. Port 137 is the standard NetBIOS Name Service port, used primarily for WINS name resolution. Port 138 is the NetBIOS Datagram Service port, which carries the CIFS browsing protocol. Port 139 is the standard NetBIOS Session Service port, over which SMB printing takes place. Ports 137, 138 and 139 may be configured in the Properties tab of the device's web page.

For Network Scanning features, ports 138 and 139 are used for both outbound functions (exporting scanned images and associated data) and inbound functions (retrieving Scan Templates). In both cases these ports are open only while files are being stored to the server or templates are being retrieved from the Template Pool. These features use the SMB protocol.

 


Ver. 1.3, March 2011
