Docstoc

Masterfolie UTAX 2007 (PowerPoint)

Document Sample
Masterfolie UTAX 2007 (PowerPoint) Powered By Docstoc
					Data Security on
TA Triumph-Adler
SynControl Systems
(System Support)
       01.04.2011
       ISO 15408 EAL3 – Common Criteria
History & Background

 The constant increase in the use of information technology in the business world
  led to increased demands in view of data security.

 Already by the end of the 1980s, the complex area of IT security and the related
  demands for a secure operation of IT systems and products resulted in the
  development of standardised criteria for the evaluation and testing of IT security.




                                                                                        2
      ISO 15408 EAL3 – Common Criteria
History & Background

   1989: The „Bundesamt für Sicherheit in der Informationstechnik“ (BSI – German
    Federal Office for Information Security) issues a catalogue of criteria for the
    evaluation of IT systems that allows independent evaluation institutes to
    evaluate IT systems in line with unified criteria and IT products in view of the
    effectiveness of their security relevant measures.

   1991: Germany, France, the UK and the Netherlands publish „Information
    Technology Security Evaluation Criteria“ (ITSEC), i. e. harmonised pan-
    European IT security criteria.

   1998: Completion of the „Common Criteria“ (CC) – „Common Criteria for
    Information Technology Security Evaluation “ (version 2.0), thereby introducing
    internationally accepted evaluation criteria for IT security


                                                                                       3
       ISO 15408 EAL3 – Common Criteria
What is behind ISO 15408 EAL3?

 ISO 15408 is an international Security Standard in the framework of the Common
  Criteria which states that the safety engineering of products must comply with the
  aforementioned standard.

 Several EA levels exist (0-7) within ISO 15408.

 EAL3 is the currently relevant level for office systems and stands for a certain
  level of security and confidentiality within ISO 15408 (Evaluation Assurance
  Level), which states that security functions must be methodically tested and
  evaluated, including the control of their development environments.




                                                                                       4
       ISO 15408 EAL3 – Common Criteria
 Link to the Common Criteria website:

   http://www.commoncriteriaportal.org/thecc.html

 Link to the BSI website:
  BSI (German Federal Office for Information Security):

   http://www.bsi.de/




                                                          5
       ISO 15408 EAL3 – Common Criteria

Links to relevant websites of IPA:

 A list of certified products of all manufacturers can be found under the following
  link of the Japanese Evaluation Institute IPA:
          http://www.ipa.go.jp/security/jisec/jisec_e/certfy_list.html

 A list of products that are currently being certified can be found under:
          http://www.ipa.go.jp/security/jisec/jisec_e/prdct_in_eval.html

 Details on the certification of Data Security Kits (B), (C), (D) and (E) can be
  found under:
          http://www.ipa.go.jp/security/jisec/jisec_e/c0035_it4035_ecvr.htm

          http://www.ipa.go.jp/security/jisec/jisec_e/certfy_list/c0151_it7182.htm

          http://www.ipa.go.jp/security/jisec/jisec_e/c0057_it5065.htm#itkz7031




                                                                                       6
       ISO 15408 EAL3 – Common Criteria
Which TA Triumph-Adler products comply with ISO 15408?

   Data Security Kit (B)* (DC 2060/2080)
   Data Security Kit (C)* (DC 2325/2330/2230/2240/2250)
   Data Security Kit (D)* (DCC 2625/2632/2635)
   Data Security Kit (E)* (DCC 2725/2730/2740/2840/2850, DC 2430, DC 2242/2252,
    CLP 4550)

 The certificate is issued in the name of the original manufacturer Kyocera Mita (the
  certification is chargeable to each applicant!).
 Since TA Triumph-Adler systems are identical in construction, we can assure our
  customers the compliance of our systems with the ISO regulation.




                                                                                 *optional


                                                                                             7
       ISO 15408 EAL3 – Common Criteria
What is the effect of installing the optional Data Security Kit?

 Overwriting and encryption functions of the system hard disk and the optional
  printer hard disk* are enabled:

Overwriting:

 Data are stored on the hard disk until they are overwritten with other data => with
  recovery programs data can be retrieved and used illegally.
 The security kit deletes and overwrites output data so that these can no longer be
  recovered – this happens automatically.




                                                                   *depending on the system



                                                                                              8
       ISO 15408 EAL3 – Common Criteria
What needs to be taken into account when installing the optional Data Security Kit?

 Two overwriting methods are available and can be selected by the administrator:

    Simple overwriting: A certain area (when overwriting) or the whole storage area
     (when initialising) of the hard disk will be overwritten with zeros (0), so that data
     recovery is made impossible.
    Triple overwriting (default): First, the same area as before will be overwritten
     twice with random data, followed by zeros (0). This method is more secure than
     simple overwriting and makes data recovery almost completely impossible.




                                                                                             9
       ISO 15408 EAL3 – Common Criteria
What is the effect of installing the optional Data Security Kit?

Encryption (AES Encryption):

 Scanned originals and other user data are stored on the hard disk.
 The security kit encrypts data before they are stored on the hard disk => this
  increases security, because data can only be decrypted during normal use.
 Encryption is carried out automatically in line with AES (Advanced Encryption
  Standard). In the US this standard is approved for governmental documents which
  are subject to the highest secrecy level.




                                                                                    10
       ISO 15408 EAL3 – Common Criteria
What needs to be taken into account when installing the optional Data Security Kit?

 The system is initialised during installation of the security kit. That means that data
  stored on the hard disk will be deleted.
 The function „Repeat Copy“ is no longer available after installation.
 A button „Security“ will be added to the system menu after installation.
 If the Data Security Kit is installed correctly, the hard disk icon will appear in the
  lower right corner of the display (in security mode).




                                                                                            11
Security Settings at TA Triumph-Adler Systems
Security settings at the system:

   Authentication at the system (input of numeric code)
   Locking the USB host
   Locking „Repeat Copy“
   Locking/partially locking the display




                                                           12
Authentication at the System (alpha-numeric)
 Authentication at the system prevents unauthorised access by third parties.

 User defined limitations can be set (account ID, numeric password) for printing,
  scanning, copying and faxing.




                                                                                     13
Authentication at the System (numeric)
 Authentication at the system prevents unauthorised access by third parties.

 User defined limitations can be set (account ID, numeric password) for printing,
  scanning, copying and faxing.




                                                                                     14
Disabling the USB Host for Optional Data Storage Media
The USB host can be locked via the Embedded Web Server:




                                                          15
Disabling „Repeat Copy“
„Repeat Copy“ can be locked by either of the following ways:

   Installation of the Data Security Kit
   Locking and switching the function off in the system menu




                                                                16
Disabling „Repeat Copy“
Disabling/partly disabling the Display


 The function „Repeat Copy“ can be locked by partially locking the display in the
 Embedded Web Server:




                                                                                    17
Security Settings (Scanning)
The security of the scan functions mainly depends upon the security settings of
the user network:



 FTP:              Security settings of the FTP server are active:
                    Input of user name and password is required.
 SMB:              Security settings of the user network are active:
                    Usually, the user has to log in with user name and password.
 E-Mail:           Like SMB - SMTP security settings are active:
                    Usually, a sender address known to the SMTP server has to be
                    used.




                                                                                   18
Security Settings (Scanning)
A higher security level for scanning is available with the installation of the optional PDF
Upgrade Kit. This kit encrypts and compresses PDF files generated on the system.
Opening as well as printing and editing of PDF files can be restricted.




                                                                                              19
Security Settings (Scanning)
There are two encryption levels:
 „low level“ (40 bit)
 „high level“ (128 bit)




                                   20
Security Settings (Scanning)
Another possibility to enhance the security level on TA Triumph-Adler systems
when using e-mail transmission is the domain restriction for transmission and
reception.




                                                                                21
Network Security Settings
   Authentication at the Embedded Web Server
   Network authentication
   Certificates
   General settings and helpful hints




                                                22
Authentication at the Embedded Web Server
 Accessing the Embedded Web Server is possible (default).
  Via „Basic“ and „Security: Account Settings“ an administrator password can be set.
  Access to the Embedded Web Server can be encrypted by SSL.
 At the system several administrators with different passwords can be registered.
  Moreover, users can be registered and given a password.




                                                                                       23
Network Authentication
 This setting for log-on at the system offers the highest network security standard.
 Log-on at the system is possible via inputting a user name and password.
 Two authentication methods exist:
     - NTLM
     - KERBEROS
 Which of the two is used depends on the network and server operating system.
 Network authentication can be combined with the authentication at the system as
  well as the account management (limitation for printing, scanning, copying and
  faxing).
 Passwords, user control and security levels are adjustable with TA Triumph-Adler
  systems.




                                                                                        24
Network Authentication
Network authentication and server settings (defaults) can be made at the system or via
the Embedded Web Server.




                                                                                         25
Combining Network and System Authentication with
Account Management
Settings at the system:

 Setting up a local user via the Network Print Monitor




                                                          26
Combining Network and System Authentication with
Account Management

 Configuration of the local user




                                                   27
Combining Network and System Authentication with
Account Management

 Assigning/mapping an account to/with a local user




                                                      28
Combining Network and System Authentication with
Account Management

 Settings for the system authentication




                                                   29
Combining Network and System Authentication with
Account Management

 Settings in the KX printer driver




                                                   30
Combining Network and System Authentication with
Account Management
 Limiting and controlling of accounts via network authentication with the Network
  Tool for Accounting




                                                                                     31
Network Security Settings / Certificates
 Certificates offer another possibility to enable communication security in the
  network.

 This ensures a secure connection between the print system and the client.

 The certificate generated by the printer is exported, stored in the certification
  memory of the clients (Windows XP/Vista) and judged „secure“.

 These settings ensure that no error message (insecure certificate) is generated at
  the client.




                                                                                       32
Network Security Settings / Certificates
Examples of error messages:




                                           33
Network Security Settings / Certificates




                                           34
Network Security Settings / Certificates




The general name must be identical to the host name of the system.
If no DNS (Domain Name System) is used, the host name must be assigned
an IP address (file „Hosts“ under Windows\System32\drivers\etc).



                                                                         35
Network Security Settings / Certificates
Export of a certificate:




                                           36
Network Security Settings / Certificates
Import of a certificate at the client:


                                           The call is made via:
                                           „Start“, „Run“,
                                           „certmgr.msc“ and „OK“




                                                                    37
Network Security Settings / Certificates
Import of a certificate at the client:




                                           38
Network Security Settings / Certificates
Import of a certificate at the client:




                                           39
Network Security Settings / Certificates
Import of a certificate at the client:




                                           40
Security Settings (Printing)
 The network security is mainly dependent upon the settings of the user network.
 The security settings of the TA Triumph-Adler systems can be adapted to the
  majority of security standards within client networks.
 Various security settings are available from IP filtering, SSL, HTTPS, SMNP V1,
  V2C, V3, SMTP and POP3 domain restriction, over NTLM and KERBEROS
  authentication, Data Security Kit*, PDF Upgrade Kit* and locking/partially locking
  the display up to restricting users (printing, scanning, copying).
 Combining the log-on with the user name and password and the installation of the
  Data Security Kit* ensures the highest possible security level for TA Triumph-Adler
  systems in a client network.




                                                                                 *optional



                                                                                             41
Printing and Storing of Print Jobs to the Hard Disk
 Available security settings when printing
 Security settings in the printer driver




                                                      42
Printing and Storing of Print Jobs to the Hard Disk
Security settings:

       Securing the Document Box with a password
       Using the Data Security Kit
       Sending Private Print jobs with a password




                                                      43
Security Settings (Printing)
IP filtering

 IP filtering allows to restrict access to the system to registered IP addresses.
 Access to certain protocols (SNMP, FTP, HTTP, HTTPS, etc.) can be limited with
  IP filtering.




                                                                                     44
Security Settings (Printing)
Encrypted printing via SSL

 The transmission to the print system as well as the print data stream are
  encrypted so that reading out data in the network by third parties is impossible.




                                                                                      45
Security Settings (Printing)
How to proceed when printing with SSL encryption:

 Enable SSL encryption at the system
 Main switch ON/OFF
 Install a new printer in Windows (minimum requirement: Windows XP)




                                                                       46
Security Settings (Printing)
Select network printer and use following syntax:

(HTTPS://Printservername or IP address/printers/lp1)




                                                       47
Security Settings (Printing)
Should setting up an HTTPS port fail, it has to be checked in the Internet Explorer
whether local access to the network is available.




                                                                                      48
Security Settings (Printing)
Select and install printer and select HTTPS port




                                                   49
Security Settings in the Printer Driver
When using a print system with network authentication or local user this setting is also
active in the printer driver.



                                             Driver settings can be secured by a
                                             password.




                                                                                           50
Security Settings in the Printer Driver
If user boxes have been defined under device properties, item „hard disk“, secure
printing into the box is possible.




                    15 digit passwort

                                                                                    51
Security Settings in the Printer Driver
A password can be set for secure printing to prevent access by unauthorised users to
the print data at the system.




                                                                                       52
Security Settings in the Printer Driver
In order to prevent unauthorised printing of copies, a „Security Watermark“ can be
set in the driver under emulation „PCL-XL“.




                                                                                     53
Security Settings in the Printer Driver
Prior to activating the Security Watermark function in the PCL-XL emulation, the
plug-in „Security Watermark“ has to be installed.




                                                                                   54
Security, Logging at the System
 Through logging at the system it is possible to trace unauthorised access attempts.
  All activities (jobs) can be traced at the system under „Status“ and „Log“.




                                                                                        55
Security Settings when Printing with the Optional
Network Card UT-110G

   Log-file function
   FTP over SSL
   Printing over HTTPS
   Encrypted printing with certificates (Windows systems)
   Securing the print server with a password
   IP filtering
   Receiving encrypted ThinPrint data
   Locking the display
   Network authentication
   E-mail traffic/transmission




                                                             56
Security Settings when Printing with the Optional
Network Card UT-110G

Using the log-file function:




                                                    57
Security Settings when Printing with the Optional
Network Card UT-110G

FTP over SSL

 FTP data transmission via an encrypted data and control channel
 Using SSL is recommended to avoid that unencrypted user names, passwords and
  data can be read out by third parties (condition: FTPS-able FTP client).




                                                                                 58
Security Settings when Printing with the Optional
Network Card UT-110G

Printing over HTTPS with SEH‘s tool Print Monitor

 HTTP data transmission via an encrypted data and control channel.
 Using SSL is recommended to avoid that unencrypted user names, passwords and
  data can be read out by third parties.
 The easiest way to enable the configuration is via the PRINTSERVER Print
  Monitor.




                                                                                 59
Security Settings when Printing with the Optional
Network Card UT-110G
Settings when printing over HTTPS




                                                    60
Security Settings when Printing with the Optional
Network Card UT-110G
Encrypted printing with Windows systems including certificates

 The PRINTSERVER Print Monitor enables encrypted printing with Windows
  systems. Condition: Internet Explorer 5.1 and Directory Service Client.




                                                                            61
Security Settings when Printing with the Optional
Network Card UT-110G
 Certificates can be generated with the network card UT-110G or via a certification
  server.
 This certificate can be imported onto the network card.

 How to export a certificate:



                                               Issuing a certificate is initiated at the
                                               server. In the Management Console a
                                               snap-in is generated and the certificate is
                                               exported with a key.




                                                                                             62
Security Settings when Printing with the Optional
Network Card UT-110G
How to import a certificate:

The certificate is imported via the website of the network card.




                                                                   63
Security Settings when Printing with the Optional
Network Card UT-110G
How to secure the network card with a password via the Print Server Homepage:



                                                 This setting requires a password if
                                                 changes are made.




                                                                                       64
Security Settings when Printing with the Optional
Network Card UT-110G
Limiting system access through IP filtering




                                                    65
Security Settings when Printing with the Optional
Network Card UT-110G
Receiving encrypted ThinPrint data

 Using SSL encrpytion enables a secure connection when sending print jobs from
  the ThinPrint server to the print server.
 The ThinPrint server asks the print server for a certificate.
 With the certificates the ThinPrint server checks whether the print server is allowed
  to receive print data.
 If encryption is activated for the ThinPrint server, a certificate of a common
  Certification Agency (CA) must be installed on the ThinPrint server as well as on
  the print server.




                                                                                          66
Security Settings when Printing with the Optional
Network Card UT-110G

Locking the display* (disabling the configuration at the display)




                                                        *for systems with display that support this function



                                                                                                               67
Security Settings when Printing with the Optional
Network Card UT-110G
Network authentication

 Through authentication a network can be prevented from unauthorised access.
 The print server can participate in various authentication methods.




                                                                                68
Security Settings when Printing with the Optional
Network Card UT-110G
E-mail transmission (SMTP and POP3) can be secured through authentication:

 User name and password for authentication at the server
 User name and password for log-in at the server including TLS encryption




                                                                             69
Thank you very much
  for your attention!




                        70

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:53
posted:4/2/2011
language:English
pages:70