Print Controller Design Guide for Information Security
07/27/2010
06A Version 1.

Notice: THIS DOCUMENT MAY NOT BE REPRODUCED OR DISTRIBUTED IN WHOLE OR IN PART, FOR ANY PURPOSE OR IN ANY FASHION WITHOUT THE PRIOR WRITTEN CONSENT OF RICOH COMPANY LIMITED. RICOH COMPANY LIMITED RETAINS THE SOLE DISCRETION TO GRANT OR DENY CONSENT TO ANY PERSON OR PARTY. Copyright © 2010 by Ricoh Company Ltd.

TABLE OF CONTENTS
1. Overview ........ 4
2. Internal System Configuration ........ 6
2-1 Hardware Configuration ........ 6
2-2 Software Configuration
1. Overview
This document describes the structural layout and functional operations of the hardware and software for the multi-functional products and laser printers listed below (herein referred to as the “MFP” and “LP”, respectively), which were designed and developed by Ricoh Co. Ltd. (herein referred to as Ricoh), as well as the security of image data and related information handled by MFP/LP internal and peripheral devices.

Note: Some of the hardware (e.g. external I/F) and functions described in this document may not be supported by the end user’s machine. For these details, please refer to the Operating Instructions for the specific machine in question.
Note: Throughout this document you may see references such as 04A (2004 Autumn) or 05S (2005 Spring). You will only see an A (Autumn) or S (Spring) attached to the last two digits of a year.
2. Internal System Configuration
2-1 Hardware Configuration
[Figure: Hardware configuration. Printing Processing and Control Unit (CPU, RAM, Flash ROM, Page Memory, Image Memory, optional HDD, NVRAM holding settings and counters), Engine, Operation Panel, I/O Controller and Controller Extended I/F, with the host I/F options Ethernet, Gigabit Ethernet, Wireless LAN, Bluetooth, USB Type A (IC Card Reader, PictBridge-compatible device), USB Type B, Parallel, SD Card I/F, RC Gate and Internet.]
Image Memory area: Also performs image-processing functions such as data compressi

2-2 Software Configuration
[Figure: Software configuration. Principal Machine Functions: Copier, Scanner, FAX, Printer, GW WS, EAC, WebSys, VAS, SDK, Web DocBox. Shared Service Layers: ECS, MCS, OCS, FCS, NCS, DCS, CCS, NRS, LCS, MIRS, DESS, SRM, SCS, UCS, IMH, libc.]
FCS (FAX Control Service): Exchanges data and commands with the FCU (FAX Control Unit), which manages and controls FAX communication and telecommunications lines.
SCS (System Control Service): Manages the status of all internal operations performed on or by the system as a whole, and controls the switching of the LCD screen as well as the operational link between SP settings and machine operations.

Principal Machine Functions
Copier: Activates the scanning engine, which reads the original and then sends the data on to the controller to be printed out from the printing engine. Secondary data, such as that used for access control, is handled from the operation panel.
Printer: Receives image data through the host interface, which then sends the data to the controller. Also contains a printer language processing subsystem (e.g.

3. Data Security
External I/F
The MFP/LP is equipped with the following interfaces for connection with external devices:
- Serial I/F for LADP connection.
- Serial I/F for connection of external coin/card-operated devices.
- Serial I/F for connection of peripheral devices (e.g. DF, Finisher, LCT).
- Analog G3 FAX I/F (public telecommunications line), G4 FAX I/F (ISDN).
4. Communication between the MFP/LP and its peripherals is conducted via the peripheral I/F using Ricoh-unique protocols. These exchanges are limited to pre-determined commands and data, and only take place after the MFP/LP has recognized the peripheral device. If the MFP/LP receives illegal data from the peripheral, it will judge that a peripheral device failure has occurred or that the device is not connected.
9. The USB I/F (Type A) only allows connection with devices that support either IC card-based authentication or PictBridge printing functions. Each function can be enabled/disabled individually. PictBridge printing functions (color MFP/LPs only): After the identity of the connected PictBridge device is verified, the interface and device exchange only pre-defined commands and/or data. Access to data stored inside the MFP/LP is not possible.
• This use of a public key to decrypt the digital signature allows the MFP/LP to verify that there has been no illegal alteration of the data.
• The basic identifying information of the firmware (version, type, etc.) is stored in the MFP/LP as the update is being performed. Therefore it is possible to retry the update with the same SD card in the event that the update is interrupted, e.g. if the MFP/LP main power suddenly turns off.
Remote Firmware Installation
• In addition to using an SD card, it is also possible to update the firmware by transmitting the firmware files to the MFP/LP via a remote connection. Since these files are transmitted over public Internet communication paths in some cases, routed through multiple servers before reaching their destination, it is necessary to use the authentication process described above for remote update as well.
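The signature check described above, as an added example that is not Ricoh's code: the device holds only a public key and verifies a detached signature over the firmware image before installing it, rejecting any image altered after signing. The scheme (RSA PKCS#1 v1.5 over SHA-256), the package layout and the firmware bytes are assumptions made for this example; the guide does not specify them.

```go
// Added example (not Ricoh code): verifying a firmware image against a
// detached digital signature before installing it.
// Assumptions: RSA PKCS#1 v1.5 over SHA-256; the verification public key is
// held in the device; the firmware bytes and package layout are constructed.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwarePackage is a constructed stand-in for an update package on an SD
// card or received remotely: the program image plus its detached signature.
type FirmwarePackage struct {
	Image     []byte
	Signature []byte
}

// ErrBadSignature is returned when the image does not match the signature.
var ErrBadSignature = errors.New("firmware signature verification failed")

// VerifyFirmware checks that the signature over SHA-256(image) was produced by
// the holder of the private key matching devicePub. The device only needs the
// public key; it never holds the signing key.
func VerifyFirmware(devicePub *rsa.PublicKey, pkg FirmwarePackage) error {
	digest := sha256.Sum256(pkg.Image)
	if err := rsa.VerifyPKCS1v15(devicePub, crypto.SHA256, digest[:], pkg.Signature); err != nil {
		return ErrBadSignature
	}
	return nil
}

// SignFirmware models the vendor-side step that produces the detached
// signature. It is included only so the example runs self-contained.
func SignFirmware(signer *rsa.PrivateKey, image []byte) (FirmwarePackage, error) {
	digest := sha256.Sum256(image)
	sig, err := rsa.SignPKCS1v15(rand.Reader, signer, crypto.SHA256, digest[:])
	if err != nil {
		return FirmwarePackage{}, err
	}
	return FirmwarePackage{Image: image, Signature: sig}, nil
}

// Demo exercises both paths: a genuine package verifies, and a package whose
// image was altered after signing (one flipped byte) is rejected.
// Returns (genuineAccepted, tamperedRejected, err).
func Demo() (bool, bool, error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	image := []byte("constructed firmware image v1.0") // constructed sample
	pkg, err := SignFirmware(signer, image)
	if err != nil {
		return false, false, err
	}
	genuineAccepted := VerifyFirmware(&signer.PublicKey, pkg) == nil

	// Copy the image, flip one byte, keep the original signature.
	tampered := FirmwarePackage{
		Image:     append([]byte(nil), pkg.Image...),
		Signature: pkg.Signature,
	}
	tampered.Image[0] ^= 0x01
	tamperedRejected := errors.Is(VerifyFirmware(&signer.PublicKey, tampered), ErrBadSignature)
	return genuineAccepted, tamperedRejected, nil
}

func main() {
	accepted, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine package accepted: %v\n", accepted)
	fmt.Printf("tampered package rejected: %v\n", rejected)
}
```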
[Figure: Remote firmware installation paths. Installation via RC-Gate: the program and its digital signature are downloaded from the @Remote Center and Ricoh license server through RC-Gate. Installation directly from the @Remote Center (remote firmware installation using @Remote). Update performed using Web SmartDeviceMonitor V2 (device management utility) or Ridoc IO OperationServer: the program and its digital signature are downloaded from the Ricoh distribution server and Ricoh license server.]
5. Authentication, Access Control
Authentication
• When enabled, User Authentication requires all users to go through a username and password-based authentication process before MFP/LP operations can be performed. This is true in cases where the user attempts to access MFP/LP functions via the operation panel as well as via a network connection.
• Before authentication at the MFP/LP operation panel can be performed, users must be pre-registered in the MFP/LP. The communication path can be encrypted using SSL; however, for environments that do not support the SSL protocol, the password itself is encrypted using an encryption key specified by the Administrator. To do this, however, the Printer/Scanner option must be installed.
[Figure: Integration Server Authentication. Authentication information input from the operation panel is passed by the MFP/LP to the Integration Server, where one of four methods is selected: Windows Server, LDAP Server, Basic Authentication, or Customized Authentication Server. A PC on the LAN sends the job together with its authentication information.]

IC Card Authentication
Overview
• IC Card Authentication is provided to the field in the form of an optional IC card.
• IC Authentication using the serial number/IDm (Felica cards or those containing a Felica chip): When the IC card is placed in the reader, the CSC reads the username and password stored in the card and begins the authentication process automatically.
Note: Standard Felica specifications do not support the use of function release codes.
• On MFP/LPs with email transmission applications, to prevent the impersonation of the user by a third party, it is possible to set the MFP so that the email address of the logged-in user is set as the “From” field whenever an email is sent. Users who do not have a registered email address would not be able to send email.
• It is possible to prohibit the sending of email to any address except those that have been approved.
6. Administrator Settings
In order to spread the risk of malicious operations by a single individual with administrator-level access rights, the MFP/LP allows the following five types of administrators to be registered.
• Machine Administrator: Manages the User Tools settings and ensures that the MFP/LP is always in good working order.

7. Data Erase/Overwrite
Overview
• A wide variety of data is stored in MFP/LP memory both permanently and temporarily. The HDD stores data such as image data, email destinations, and Address Book data containing various types of user information. In addition, the NVRAM stores data such as User Tools settings, while the FCU stores FAX reception image data.

Auto Erase Memory
• The main purpose of this feature is to automatically overwrite data stored to the processing region of the HDD, i.e. data that is saved to the HDD for purposes of MFP/LP internal processing only, of which users are normally unaware. Auto Erase Memory prevents this unnecessary data from remaining in the HDD by overwriting it as soon as it is no longer used by the MFP/LP.

8. Data Protection
Protection of Address Book Data
• The tables below show the various types of data stored in Address Book entries as well as the operations that general users/groups, owners and user administrators can perform on this data. It is possible to assign general user access privileges to individual users as well as to groups.
Access Privileges and Operations for the Address Book
Privilege | Label       | View | Make Changes | Delete Entries | Change ACL Settings
R         | View        | Yes  | -            | -              | -
RW        | Edit        | Yes  | Yes          | -              | -
RWD       | Edit/Delete | Yes  | Yes          | Yes            | -
RWDO      | Full-Access | Yes  | Yes          | Yes            | Yes

Document Server Documents (MFP models only)
• The tables below show the various types of data stored in Document Server management files, as well as the operations that general users/groups, owners and User Administrators can perform on

[Figure: Access Privilege Management Structure for Stored Documents. Each stored document record (e.g. Document No. 00001, Document Name “Meeting files”) holds general information (bibliographic info, thumbnails), the image data for each page, a Document Password, and ACL information listing the privilege granted to each user ID (e.g. 00002=R--, 00003=RW-, 00004=RW-O, 00005=RWDO). The owner, general users and the User Administrator act on the document through this ACL.]
9. Additional Methods for Increased Security
In addition to the above, administrators can also perform the following settings as needed to provide additional security.
• Prohibit access to SP Mode without authorization from the user.
• Prohibit individual users from registering or making changes to Address Book entries.
10. Job/Access Logs
• The job log for the principal machine functions contains entries for job status-related events (initiation, completion, any changes during the job), while the access log contains entries for MFP/LP operational events (authentication, operations performed on documents, administrator operations). Therefore, not every single operational or status-related event is recorded in the log.
• The MFP/LP does not allow any changes to be made to the log data itself, i.e. the data can only be transferred to Web SmartDeviceMonitor for Admin in an unaltered, encrypted state. Therefore, the data cannot be overwritten or modified in any way, even by those with administrator-level access rights.
• When the log reaches its capacity, the oldest entries are then overwritten one by one by each new entry.

Access log
Capacity:
- With HDD: 6000 entries
- Without HDD: 500 entries
Time to full condition:
- With HDD: 6000/M minutes
- Without HDD: 500/M minutes
Note:
- One job = one event
- M = Average number of events (log entries) generated in one minute
Example: An HDD is installed, and an average of eight (8) events occurs per minute.
11. Capture (MFP Models Only)
Overview of Capture Operations
• When a user makes a copy or performs any of the operations listed below, the Capture function sends a copy of the image over the network to ScanRouter, after which it is forwarded to its final destination, ScanRouter Document Server.
• This function can be used to back up images, or as a means of maintaining records of MFP usage for each individual user.
Operations that Generate Captured Images
• Images are captured and sent to ScanRouter whenever any of the following operations are successfully completed. Once the main setting is enabled, the capture will occur automatically if Auto or Compulsory is selected, and only when the user specifies if Manual is selected.
Note: The MFP itself is able to capture incoming FAXes as well, but ScanRouter currently does not support this.

Capture Settings
• ScanRouter is used to program all settings for the Capture function.
• The following are the principal settings for this feature. Except for Compulsory, these settings do not require Administrator-level access rights to be changed.
1. Principal settings:
- The Capture function can be enabled or disabled.
- It is possible to select Auto, Manual, Compulsory (Name Fixed), Compulsory (Name Available) or Do Not Capture.

Security Considerations
• Three transfer protocols are available for sending captured documents to ScanRouter: FTP, HTTP and HTTPS. Protocol selection is based on the settings programmed in ScanRouter.
• In order to use HTTPS, it is necessary to install ScanRouter EX or later and then enable the appropriate settings for encrypted communication. In addition, the operator can also set the machine to authenticate the target ScanRouter server.

12. Principal Machine Functions
Copier (MFP Models Only)
Overview of Copier Operations
• When a copy job is initiated, the scanning engine scans the original and forwards this data to the controller to be printed out from the printing engine. If “Store File” is selected at this time, the image data is also stored in the HDD.

Data Security Considerations
• Since the page location data is erased at the conclusion of every copy job, it is not possible to perform a job re-print on the same data. In addition, since the Copier function itself does not have any external I/F and does not perform any data exchanges or communication with external devices, it is not possible for any illegal external data to be introduced through the Copier function.

Restricting the Available Functions for Each Individual User
• When User Authentication is enabled, it is possible to then allow or prohibit the use of specific Copier functions for each individual user. For example, with color products, it is possible to allow or prohibit the use of B/W, full-color, two-color and single-color modes for each user.

Print Backup
• After a job is performed, it is possible to store a copy of the image data in the HDD (via the MCS), and then use the Netfile function to retrieve this data to Desk Top Editor For Production. For more on this data flow, see Data Flow.
• The supported file formats for this operation are: JPEG2000, JPEG, TIFF, PDF (single-page) and PDF (multi-page).
13. Printer
Overview of Printer Operations
• The Printer function can be divided into two main processes: 1) Converting the printer language data received by the MFP/LP into image data, and 2) Printing out this image data onto the paper in accordance with the specified job settings. The former is performed by the printer language processing subsystem, while the latter is performed by the printing subsystem.
• From the printer driver, it is possible to select the following printing methods: Normal Print, Sample Print, Locked Print, Hold Print, Stored Print, Store and Print, and Save to Document Server. The data processing flow varies depending on the method used since some operations are not supported with some printer languages (see below).
• When Normal Print is selected as the print job, the print management data*1 for the image data stored in the HDD is stored in volatile RAM memory in Ricoh original format. It is erased at the conclusion of the job, together with the page location data.

Printing Encrypted Image Data
• With PDF Direct Print, it is possible to print out an encrypted PDF file. The password is registered in the Printer function via WebImageMonitor or the MFP/LP operation panel, or is set inside DeskTopBinder (incl. the Function Pallet). When the printer receives the file, the printer language processing subsystem (PDF interpreter) temporarily stores the file directly to the HDD.
• The password necessary for authentication is encrypted before the printer driver sends it to the MFP/LP. When performing the encryption, it is possible to use a key that is common to both the driver and the MFP/LP, known as the driver encryption key. It is also possible to encrypt the password using Simple Encryption, which does not use the driver encryption key.
• It is possible to make a Stored Print or Store and Print document available for printing out by any authenticated user by selecting “Share” in the printer driver’s Advanced Options settings when the job is sent. It is also possible to change the access privileges setting for the document from WebImageMonitor. Normally, this is set in the printer driver to grant access to either all authenticated users or to the creator of the document alone.
• As stated above, the PDF interpreter cross-references the password programmed in the MFP/LP with the encrypted password sent from the PC, and destroys the incoming data when these passwords do not match. In addition, the incoming data is also destroyed if accompanying information alerts the MFP/LP that printing of this file is prohibited.
14.
• When sending an email from the MFP via the SMTP server, the operator can either send the scanned image as a file attachment, or send a text-only email that contains the URL for accessing the image in the MFP HDD. Using this URL, the operator then accesses the image via DeskTopBinder or Desk Top Editor for Production.
• When authenticating with User Codes, the User Code data is sent from the TWAIN driver in binary format (unencrypted).

Protection of Data when Performing Scanning and Sending Operations
It is possible to set the MFP or related software to perform the following operations:
- Require user identification when sending to a forwarding server. By requiring the operator to select from pre-registered email destinations and then input a protection code, it is possible to protect against sender impersonation.
• By enabling Basic Authentication, it is possible to protect the destination information. For each destination, it is possible to assign an access level to each registered user (View, Edit, Delete, and Full-Access). Users who have View privileges for a particular destination can select the destination for forwarding, but cannot edit or delete the data.
• It is also possible to assign a password to individual documents when scanning them for storage in the Document Server. After this, the document cannot be sent unless the correct password is entered. Additionally, when the Document Protect feature in System Settings is enabled, the MFP will deny any attempt to access a given document if an incorrect password is entered ten times consecutively.
• As explained above, the email forwarding feature sends data from the MFP to external destinations via the network. By changing the network traffic-related settings, which can only be performed by Network Administrators, it is possible to prohibit or limit the conditions under which emails from the MFP are actually forwarded to their destinations.

15. FAX (MFP Models Only)
Overview of FAX Operations
• The FAX function sends the scanned image data from the scanner engine to the other party’s machine via a telecommunications line as a G3 or G4 FAX. Conversely, the MFP will only accept incoming FAX data that conforms to G3/G4 standards. The incoming document is then forwarded on to the printer engine for printing out.
• With FAX reception, the incoming data is received by the FCU, which then sends the printing command to the FAX function via the FCUH and FCS. The FAX function then forwards the printing command to the ECS via the FCS, and the printing engine is activated. The FAX image data is then sent from the FCU to the printing engine for printing out.

Data Security Considerations
• The FCU supports only G3 and G4 FAX protocols. Therefore, even if an initial connection is established with a terminal that does not use these protocols, the MFP will view this as a communication failure and terminate the connection. This prevents access via telecommunications lines and the FCU to internal networks, and ensures that no illegal data can be introduced via these lines.
• When User Authentication is enabled, it is possible to set the authenticated user as the “Sender” of the FAX data. Similarly, for Internet FAX transmission, it is possible to set the authenticated user as the “Sender” of the email, i.e. the user who appears in the “From” field of the email.

Protection of FAX Transmission Operations
• By setting restrictions on address book destinations in addition to enabling User Authentication, it is possible to limit access to the destinations listed in the address book. After clearing authentication, general users are able to select only those destinations that have been set to allow this. In addition, the MFP can be set so that users can only transmit data to destinations registered in the MFP.

Extended Security Feature
• It is possible to set Extended Security to prohibit the transfer or forwarding of data, preventing any unauthorized sending of data to external destinations.
Note:
- The access control used for SMTP reception/delivery operates in accordance with RFC2305.
- The SMTP-AUTH feature operates in accordance with RFC2554.
• The Journal log (FAX job history log) is able to store up to 200 entries.

16. NetFile (GWWS)
Overview of NetFile Operations
• NetFile operates via communication with the following applications installed on a network-connected client PC: DeskTopBinder, Desk Top Editor For Production, SmartDeviceMonitor for Admin, ScanRouter, Web SmartDeviceMonitor for Admin.

Transferring Job Log and Access Log Data to Web SmartDeviceMonitor for Admin
• The Netfile job log contains data related to job status (initiation, completion, any changes during the job), while the access log contains data related to operational events (authentication, operations performed on documents, administrator operations). Both logs are saved to the HDD by the LCS, and contain a date and time for each entry. As mentioned in section 1.
Creating Thumbnails (MFP models only)
• The MFP creates thumbnail images in JPEG format for the first page of the image files stored in the HDD. The thumbnails themselves are also stored in the HDD. The specific operations performed by the MFP to create the thumbnails depend on whether or not the File Format Converter is installed.
Downloading Document Server Files to the PC (MFP models only)
• From DeskTopBinder or Desk Top Editor for Production, it is possible to download full images stored on the MFP HDD. Netfile loads the requested image data stored in the HDD via the MCS, and then sends it to the PC via the NCS.

Forwarding Image Data with Capture
• With the Capture feature, the primary machine function temporarily stores the image data to the HDD in tandem with the MCS and IMH. A request is then made to the GWWS via the SCS to capture the image. In tandem with the MCS and IMH, the GWWS in turn loads the image data out of HDD storage, converts the image to a file type for Capturing.

Viewing and Changing User Data Settings Stored in the MFP/LP
• From SmartDeviceMonitor for Admin, it is possible to view and change the user data settings stored in the MFP/LP. Only users authenticated as User Administrators are able to change these settings. User data is stored in the HDD and is managed by the UCS.

Transferring the Job Log and Access Log Data
• To send log data from the MFP/LP to Web SmartDeviceMonitor for Admin, GWWS communicates with the LCS, which uses its internal modules to load the necessary information out of HDD memory. GWWS then encrypts the data using the DESS module and sends it as a Web SmartDeviceMonitor for Admin client over an SSL connection.

User Authentication Tickets (MFP models only)
When using User Authentication to connect to the MFP from a PC client station, the user must be authenticated using the User ID and password information sent to the MFP. However, with the use of pre-issued User Authentication Tickets, users can access the MFP without having to input the necessary authentication information each time a session is initiated.

17. Data Security Considerations
SOAP Communication Sessions
• SOAP communication supports SSL (Secure Sockets Layer), ensuring the proper security during communication sessions. Even in cases where SSL is not used, the client (PC) identifies the server (MFP/LP) via a unique session ID. Only after the MFP/LP identifies the client through this session ID will it accept any requests from the client.

Restoring Files Back to the MFP (MFP models only)
• Netfile will reject any data it receives that does not conform to preset formats, regarding it as illegal data.

Deleting, Pausing or Resuming Print Jobs
• To delete the current job or all active jobs at once, the operator must have Machine Administrator-level access privileges. In addition, the operator must have already logged in to SmartDeviceMonitor for Admin as a Machine Administrator.
• As mentioned above, the operator can delete, pause, or resume a print job from DeskTopBinder. The printer driver uses a track ID to identify each individual print job.

18. Web Applications
Web Server Framework
The MFP/LP Web Server was developed exclusively by Ricoh Co., Ltd.
Encrypted Communication Support
• The Web server installed on the MFP/LP supports SSL communication. Since the MFP/LP is accessed via an HTTPS connection, all input/output data is encrypted (incl. authentication ID, password, and cookie). This allows for safe and secure communication between WebImageMonitor and the MFP/LP.

Protection Against URL Buffer Overflows
• URL buffer overflow attacks occur when intentionally oversized URL strings are sent to a Web server with the intent of overflowing the buffer’s storage capacity, causing the server to shut down. WebImageMonitor prevents such trouble by limiting the length of the URL strings it will accept, rejecting any requests that exceed this limit.
19. WebDocBox (MFP models only)
Overview of WebDocBox Operations
• WebDocBox allows users to issue commands via a Web browser to view, capture, print, send (email, FAX, forward) and delete Document Server image files that were saved to the MFP HDD using the Copier, Printer, Scanner and FAX functions, as well as those that were restored to the MFP using Desk Top Editor For Production. It is also possible to view thumbnails of these images.
Print Controller Design Guide for Information Security: Sending Stored Image Data to the PC • When the MFP receives a request from the Web browser to send stored image data to the PC, WebDocBox instructs the GWWS to send the requested data. GWWS loads the requested data from HDD memory via the MCS and then sends it to the PC via the NCS.
Print Controller Design Guide for Information Security: • It is possible to protect individual Document Server documents with a password (see Document Server Documents (MFP models only) for more details). • It is possible to restrict remote access to stored documents using the same ACL mentioned in section 1.52. Users logged in as Document Administrators are able to disable the password lock as well as view, edit and delete all documents.
20. Optional Features

@Remote

Overview of @Remote Operations
• “@Remote” refers to a remote machine management service that manages and monitors the MFP/LP status from a remote location called the @Remote Center. Information and commands are exchanged directly between the MFP/LP and the @Remote Center, or between these two points via an intermediary device called RC Gate, which is connected to the MFP/LP on the same LAN.
• The NCS module communicates with RC Gate via the host I/F over an SSL connection. The authentication process uses the information on the relevant digital certificates to verify the identity of both machines. To do this, the NRS module uses the DESS module and checks the information contained in the digital certificates.
• The NCS module communicates with the @Remote Center via the host I/F over an SSL connection. Both the MFP/LP and the @Remote Center perform a bi-directional, digital certificate-based SSL authentication process to verify that the other is a valid @Remote communication terminal, after which the NRS module accesses the DESS module and compares the @Remote Center ID information sent from the center with the ID information already stored in the MFP/LP.
• The internal layout of the modules is such that the NRS module must always exchange machine information with RC Gate via the SCS module. Although it is possible for RC Gate to obtain specific machine information stored in the MFP/LP, there is no route that would allow access to the image data. It is therefore not possible for any image data stored in the MFP/LP to be mistakenly sent to the @Remote Center.
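The two-step check described above for the @Remote Center connection, as an added example in Go that is not part of this guide and not Ricoh's code: step 1 is a mutually authenticated TLS handshake over loopback (modern TLS standing in for the SSL connection of the time) in which each terminal verifies the other's certificate against a trusted CA; step 2 is the separate comparison of the center ID read from the peer certificate against the ID the MFP already holds, as the NRS/DESS step does. The CA, the certificates, the terminal IDs RC-CENTER-0001 and MFP-SN-0001, the hostname remote-center.example and the convention of carrying the terminal ID in the certificate's Common Name are all assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const centerHost = "remote-center.example" // DNS name the MFP expects in the center's certificate (assumed)

type keyPair struct { // a parsed certificate, its private key, and the same pair in tls form
	cert    *x509.Certificate
	key     ed25519.PrivateKey
	tlsCert tls.Certificate
}

// newCert issues a certificate whose Subject CommonName carries the terminal ID and whose
// SAN carries dns. parent == nil yields a self-signed CA, otherwise parent signs the certificate.
func newCert(id, dns string, isCA bool, parent *keyPair) (*keyPair, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for an in-memory example
		Subject: pkix.Name{CommonName: id}, DNSNames: []string{dns}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	issuer, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		issuer, issuerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &keyPair{cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}}, nil
}

// connectToCenter plays one @Remote session from the MFP's side: step 1, a mutually
// authenticated TLS handshake in which each end verifies the other's certificate against
// the trusted CA; step 2, comparing the center ID in the peer certificate with the stored ID.
func connectToCenter(trustedCA, center, mfp *keyPair, storedCenterID string) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA.cert)
	centerCfg := &tls.Config{Certificates: []tls.Certificate{center.tlsCert}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12} // the MFP must show a cert too
	mfpCfg := &tls.Config{Certificates: []tls.Certificate{mfp.tlsCert}, RootCAs: pool,
		ServerName: centerHost, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", centerCfg) // loopback stands in for the host I/F
	if err != nil {
		return "", err
	}
	defer ln.Close()
	centerDone := make(chan error, 1) // the center's verdict on the MFP's certificate
	go func() {
		srv, err := ln.Accept()
		if err == nil {
			defer srv.Close()
			err = srv.(*tls.Conn).Handshake()
		}
		centerDone <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), mfpCfg)
	if err != nil {
		return "", fmt.Errorf("MFP could not authenticate the center: %w", err)
	}
	defer cli.Close()
	if err := <-centerDone; err != nil {
		return "", fmt.Errorf("center rejected the MFP: %w", err)
	}
	// Step 2: the chain is trusted, but is this the center the MFP is registered with?
	centerID := cli.ConnectionState().PeerCertificates[0].Subject.CommonName
	if centerID != storedCenterID {
		return "", fmt.Errorf("center ID %q does not match stored ID %q", centerID, storedCenterID)
	}
	return centerID, nil
}

func main() {
	ca, _ := newCert("Example @Remote CA", "ca.example", true, nil)
	center, _ := newCert("RC-CENTER-0001", centerHost, false, ca)
	mfp, _ := newCert("MFP-SN-0001", "mfp-sn-0001.example", false, ca)
	fmt.Println(connectToCenter(ca, center, mfp, "RC-CENTER-0001")) // RC-CENTER-0001 <nil>
}
```

The point of keeping step 2 separate from the handshake is visible in the failure cases: a center whose certificate chains to the trusted CA but carries a different ID passes step 1 and is still refused, an MFP with a certificate from an unknown CA is refused by the center because ClientAuth requires and verifies the client certificate, and a center with a certificate from an unknown CA is refused by the MFP before any ID is compared.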
21. CSS (Customer Support System) – MFP Models Only

Overview of CSS Operations
• The CSS control center sends a request for service-related information to the MFP across a telecommunications line, which is then received by the LADP (line adapter telephony box). The LADP then obtains the requested information via the CSS I/F and sends it back to the CSS control center.
22. Copy Data Security Feature

Overview of Copy Data Security Operations
• The Copy Data Security feature acts to discourage unauthorized copying of confidential documents. There are two aspects to the feature:
  • Marking the copy/print with a visible, embedded pattern
Note: The marking aspect is a standard feature on MFP/LP models.

Data Flow
Marking:
• The data flow when the Copy Data Security feature is selected at the time a print job is performed is virtually the same as that of regular print jobs (see Printer). The printer language-encoded data sent from the host computer is interpreted by the language processing subsystem, after which it is converted into image data.

Other Conditions of Use
On some MFP models, one or more of the following limitations exist:
• The Copy Data Security Unit and FAX option cannot be installed on the same MFP.
• The Copy Data Security Unit and FAX option can be installed on the same MFP, but the detection/graying process described above does not work when sending a FAX.
• When the Copy Data Security Unit is installed, the Scanner function cannot be used.
23. Device SDK Applications (DSDK)

Overview of Operations
• DSDK applications developed by Vendors are able to make use of the scanning, printing and other functions of the MFP/LP by calling the VAS (Virtual Application Service), which wraps the GW-API for the standard principal functions of the MFP/LP. This arrangement allows SDK applications to run as additional principal functions themselves once installed.

Installation
• DSDK applications are installed via Type 1 or Type 2 SD cards into partitions and directories in the MFP/LP HDD or on the SD card itself that are specifically allocated for DSDK applications.
• The SAS (SDK Application Service) in the MFP contains an installer for DSDK applications.

Overview of SDK Application Functions
• As mentioned above, Vendors can create their own DSDK applications for installation on the MFP/LP. Vendors are provided with an image library, which simplifies complex internal MFP/LP operational flows into concise, predefined methods for simple execution. This allows Vendors to develop their applications relatively easily.

Data Flow
Scanning Functions: Sending Data over the Network with the Copier and Scanner (MFP models only)
• DSDK applications are capable of utilizing the scanning features of the MFP Copier and Scanner. For an overview of the MFP Copier and Scanner operations, please refer to Copier (MFP Models Only) and Scanner (MFP Models Only).

Network Functions
• As mentioned above, a Type 1 SDK application is able to perform network communication either by using the NCS or by opening and closing its own socket. Since Type 2 applications are Java-based, they must use the network classes provided by Sun Microsystems, and are therefore restricted to socket-based network communication.
24.

SDK Authentication (Types 1 and 2)
• Once the development of the SDK application has been completed, and Ricoh has authorized its installation on the MFP/LP model(s) in question, Ricoh provides the Vendor with: 1) a file containing the unique product ID mentioned above in its raw form, and 2) a “key file,” which contains two hash values generated from the product ID and SDK application object code, which are then embedded inside randomly-generated da
• As a general rule, Ricoh assigns relatively restricted access privileges to Type 2 applications. These applications are normally prohibited from performing operations such as file storage to MFP/LP media or opening and closing sockets to communicate over the network. Vendors who wish to utilize such functions must make this request to Ricoh when applying for the digital signature.
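The key file described in the first bullet above, modelled as an added Go example that is not Ricoh's code and not Ricoh's file format: the hash of the product ID and the hash of the application object code are hidden at random offsets inside random filler, and the installer accepts the application only if both digests are present. Two digests are what bind the application to one product and to exactly one build of its object code. SHA-256, the filler size, the placement scheme, the product ID EXAMPLE-PRODUCT-ID-0001 and the object-code bytes are all assumptions of the example; the guide does not state the hash function or the layout.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

const fillerSize = 1024 // size of the random data the digests are hidden in (assumed)

// makeKeyFile models what the page describes Ricoh issuing to a Vendor: the digest of the
// product ID and the digest of the application object code, embedded at random offsets
// inside random filler. SHA-256, fillerSize and the placement scheme are assumptions.
func makeKeyFile(productID, objectCode []byte) ([]byte, error) {
	key := make([]byte, fillerSize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	idHash, codeHash := sha256.Sum256(productID), sha256.Sum256(objectCode)
	half := fillerSize / 2
	// One digest lands somewhere in the first half, the other in the second, so they never overlap.
	for i, digest := range [][]byte{idHash[:], codeHash[:]} {
		off, err := rand.Int(rand.Reader, big.NewInt(int64(half-len(digest))))
		if err != nil {
			return nil, err
		}
		copy(key[i*half+int(off.Int64()):], digest)
	}
	return key, nil
}

// verifyKeyFile is the installer-side check: the key file is accepted only if it carries the
// digest of this machine's product ID and the digest of exactly the object code being installed.
// Because the digests are located by searching, the verifier does not need to know the offsets.
func verifyKeyFile(productID, objectCode, keyFile []byte) bool {
	idHash, codeHash := sha256.Sum256(productID), sha256.Sum256(objectCode)
	return bytes.Contains(keyFile, idHash[:]) && bytes.Contains(keyFile, codeHash[:])
}

func main() {
	productID := []byte("EXAMPLE-PRODUCT-ID-0001")      // constructed
	objectCode := []byte("\x7fELF example object code") // constructed stand-in for the application
	keyFile, err := makeKeyFile(productID, objectCode)
	if err != nil {
		panic(err)
	}
	tampered := append([]byte{}, objectCode...)
	tampered[len(tampered)-1] ^= 0x01 // one flipped bit in the object code
	fmt.Println(verifyKeyFile(productID, objectCode, keyFile)) // true
	fmt.Println(verifyKeyFile(productID, tampered, keyFile))   // false
}
```

A key file issued for one product ID is useless on a machine with a different ID, and any change to the object code after the key file was issued, including a patched binary, invalidates it, which is the property the Certification step below relies on when Ricoh receives the entire object code.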
Protection Against Attacks on Principal MFP/LP Functions, Prevention of Damage to the System
Buffer Overflow Attacks on the MFP/LP VM
• After completing the development of the SDK application, the Vendor must apply to Ricoh for the items necessary to carry out the SDK Authentication and/or Digital Authentication processes described above, and at that time declare the expected VM consumption of the application.

Certification of the SDK Application
• Having completed the development of the production-level (product release) version of the SDK application, the Vendor must then request Ricoh to certify the application. When applying for Ricoh certification, the Vendor must provide Ricoh with the application’s functional specifications, entire object code and all relevant evaluation results.