Xerox 3550 Ports 161, 162, SNMP, Port 389, LDAP, Port 396, Netware, Port 427, SLP, Port 443, SSL


XEROX WorkCentre 3550 Information Assurance Disclosure Paper

2.8.2.7. Ports 161, 162, SNMP

These ports support the SNMPv1, SNMPv2c, and SNMPv3 protocols. Please note that SNMPv1 does not have any password or community string control. SNMPv2 relies on a community string to keep unwanted people from changing values or browsing parts of the MIB. This community string is transmitted on the network in clear text, so anyone sniffing the network can see the password. Xerox strongly recommends that the customer change the community string upon product installation. SNMP is configurable, and may be explicitly enabled or disabled in the Properties tab of the device’s web pages.

SNMP traffic may be secured if an IPSec tunnel has been established between the agent (the device) and the manager (i.e. the user’s PC).

The device supports SNMPv3, which is an encrypted version of the SNMP protocol that uses a shared secret. Secure Sockets Layer must be enabled before configuring the shared secret needed for SNMPv3.

2.8.2.8. Port 389, LDAP

This is the standard LDAP port used for address book queries in the Scan to Email feature.

2.8.2.9. Port 396, Netware

This configurable port is used when Novell Netware is enabled to run over IP.

2.8.2.10. Port 427, SLP

When activated, this port is used for service discovery and advertisement. The device will advertise itself as a printer and also listen for SLP queries using this port. It is not configurable. This port is explicitly enabled or disabled in the Properties tab of the device’s web pages.

2.8.2.11. Port 443, SSL

This is the default port for Secure Sockets Layer communication. This port can be configured via the device’s web pages. SSL must be enabled before setting up either SNMPv3 or IPSec. SSL must also be enabled in order to use any of the Web Services (Automatic Meter Reads, or Network Scanning Validation Service).

SSL should be enabled so that the device can be securely administered from the web UI. When scanning, SSL can be used to secure the filing channel to a remote repository.

SSL uses X.509 certificates to establish trust between two ends of a communication channel. When storing scanned images to a remote repository using an https: connection, the device must verify the certificate provided by the remote repository. A Trusted Certificate Authority certificate should be uploaded to the device in this case.

To securely administer the device, the user’s browser must be able to verify the certificate supplied by the device. A certificate signed by a well-known Certificate Authority (CA) can be downloaded to the device, or the device can generate a self-signed certificate. In the first instance, the device creates a Certificate Signing Request (CSR) that can be downloaded and forwarded to the well-known CA for signing. The signed device certificate is then uploaded to the device. Alternatively, the device will generate a self-signed certificate. In this case, the generic Xerox root CA certificate must be downloaded from the device and installed in the certificate store of the user’s browser.

The device supports only server authentication.

2.8.2.12. Port 515, LPR

This is the standard LPR printing port, which only supports IP printing. It is a configurable port, and may be explicitly enabled or disabled in the Properties tab of the device’s web pages.

2.8.2.13. Port 546, DHCPv6

This port is used only when performing DHCPv6, and is not open all of the time. To permanently close this port, DHCPv6 must be explicitly disabled. This is done via the TCP/IP page in the Properties tab on the WebUI.

2.8.2.14. Port 631, IPP

This port supports the Internet Printing Protocol. It is not configurable. This port is disabled when the HTTP server is disabled.

 


Ver. 1.3, March 2011
