Transcription
Xerox WorkCentre 7525/7530/7535/7545/7556Security TargetVersion 1.0Prepared by:Xerox Corporation800 Phillips RoadWebster, New York 14580Computer Sciences Corporation7231 Parkway DriveHanover, Maryland 21076Document Version 1.0, Revision 1.4
Xerox WorkCentre 7525/7530/7535/7545/7556 Security Target 2011 Xerox Corporation. All rights reserved. Xerox and the sphere of connectivity design are trademarks ofXerox Corporation in the United States and/or other counties.All copyrights referenced herein are the property of their respective owners. Other company trademarks arealso acknowledged.Document Version: 1.0 (December 2011).ii Copyright 2011 Xerox Corporation, All rights reserved
Xerox WorkCentre 7525/7530/7535/7545/7556 Security TargetTable of Contents1.SECURITY TARGET INTRODUCTION . 61.1.ST AND TOE IDENTIFICATION . 61.2.TOE OVERVIEW . 71.2.1. Usage and Major Security Features. 71.2.2. TOE Type . 111.2.3. Required Non‐TOE Hardware, Software and Firmware . 111.3.TOE DESCRIPTION. 111.3.1. Physical Scope of the TOE . 111.3.2. Logical Scope of the TOE. 131.4.EVALUATED CONFIGURATION . 162.CONFORMANCE CLAIMS. 182.1.2.2.2.3.2.4.3.COMMON CRITERIA CONFORMANCE CLAIMS . 18PROTECTION PROFILE CLAIMS . 18PACKAGE CLAIMS . 18RATIONALE . 19SECURITY PROBLEM DEFINITION . 213.1.DEFINITIONS. 213.1.1. Users . 213.1.2. Objects (Assets) . 213.1.3. Operations . 233.1.4. Channels . 233.2.ASSUMPTIONS . 243.3.THREATS. 243.3.1. Threats Addressed by the TOE . 243.3.2. Threats Addressed by the IT Environment . 253.4.ORGANIZATIONAL SECURITY POLICIES . 254.SECURITY OBJECTIVES . 274.1.4.2.4.3.4.4.5.EXTENDED COMPONENTS DEFINTION. 345.1.6.SECURITY OBJECTIVES FOR THE TOE . 27SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT . 28SECURITY OBJECTIVES FOR THE NON‐IT ENVIRONMENT . 29RATIONALE FOR SECURITY OBJECTIVES . 30FPT FDI EXP RESTRICTED FORWARDING OF DATA TO EXTERNAL INTERFACES . 34SECURITY REQUIREMENTS . 366.1.CONVENTIONS . 366.2.TOE SECURITY POLICIES . 376.2.1. IP Filter SFP (TSP FILTER). 376.2.2. User Access Control SFP (UAC SFP) (IEEE Std. 2600.2‐2009). 386.2.3. TOE Function Access Control SFP (TF SFP) (IEEE Std. 2600.2‐2009) . 396.3.SECURITY FUNCTIONAL REQUIREMENTS . 416.3.1. Class FAU: Security audit . 423 Copyright 2011 Xerox Corporation, All rights reserved
Xerox WorkCentre 7525/7530/7535/7545/7556 Security Target6.3.2. Class FCO: Communication . 446.3.3. Class FCS: Cryptographic support . 446.3.4. Class FDP: User data protection . 456.3.5. Class FIA: Identification and authentication . 486.3.6. Class FMT: Security management . 496.3.7. Class FPR: Privacy . 546.3.8. Class FPT: Protection of the TSF . 546.3.9. Class FTA: TOE access . 556.3.10.Class FTP: Trusted paths/channels. 556.4.EXPLICITLY STATED REQUIREMENTS FOR THE TOE . 566.4.1. FPT FDI EXP.1 Restricted forwarding of data to external interfaces (IEEE Std.2600.2‐2009). 566.5.TOE SECURITY ASSURANCE REQUIREMENTS. 576.6.RATIONALE FOR SECURITY FUNCTIONAL REQUIREMENTS . 576.7.RATIONALE FOR SECURITY ASSURANCE REQUIREMENTS . 626.8.RATIONALE FOR DEPENDENCIES . 636.8.1. Security Functional Requirement Dependencies. 636.8.2. Security Assurance Requirement Dependencies . 657.TOE SUMMARY SPECIFICATION. 667.1.TOE SECURITY FUNCTIONS . 667.1.1. Image Overwrite (TSF IOW) . 667.1.2. Information Flow Security (TSF FLOW) . 677.1.3. Authentication (TSF AUT) . 687.1.4. Network Identification (TSF NET ID) . 687.1.5. Security Audit (TSF FAU) . 697.1.6. Cryptographic Operations (TSF FCS) . 697.1.7. User Data Protection – Disk Encryption (TSF FDP UDE) . 697.1.8. User Data Protection – IP Filtering (TSF FDP FILTER) . 697.1.9. Network Security (TSF NET SEC) . 707.1.10.Security Management (TSF FMT). 708.GLOSSARY (NORMATIVE) . 739.ACRONYMS (INFORMATIVE) . 7710.BIBLIOGRAPHY (INFORMATIVE) . 794 Copyright 2011 Xerox Corporation, All rights reserved
Xerox WorkCentre 7525/7530/7535/7545/7556 Security TargetList of FiguresFigure 1: Architectural Diagram of the TOE .8Figure 2: Xerox WorkCentre 7525/7530/7535/7545/7556 .9List of TablesTable 1: Models and capabilities .9Table 2: Evaluated Software/Firmware version .12Table 3: System User and Administrator Guidance .13Table 4: Users .21Table 5: User Data .22Table 6: TSF Data .22Table 7: TSF Data Categorization .22Table 8: SFR Package Functions for IEEE Std. 2600.2-2009 .23Table 9: Assumptions for the TOE .24Table 10: Threats to User Data for the TOE .25Table 11: Threats to TSF Data for the TOE .25Table 12: Organizational Security Policies for the TOE .26Table 13: Security Objectives for the TOE.27Table 14: Security Objectives for the IT Environment .28Table 15: Security Objectives for the Non-IT Environment .29Table 16: Completeness of Security Objectives .30Table 17: Sufficiency of Security Objectives .31Table 18: User Access Control SFP.38Table 19: Attributes Definition .39Table 20: TOE Security Functional Requirements .41Table 21: Audit Data Requirements .43Table 22: Cryptographic Operations .44Table 23: IEEE 2600.2 Security Assurance Requirements .57Table 24: Completeness of Security Functional Requirements .58Table 25: Sufficiency of Security Functional Requirements .59Table 26: SFR Dependencies Satisfied .63Table 27: EAL2 (Augmented with ALC FLR.3) SAR Dependencies Satisfied.65Table 28: Acronyms .775 Copyright 2011 Xerox Corporation, All rights reserved
Xerox WorkCentre 7525/7530/7535/7545/7556 Security Target1. SECURITYTARGETINTRODUCTIONThis Chapter presents Security Target (ST) identification information and anoverview of the ST. An ST contains the information technology (IT) securityrequirements of an identified Target of Evaluation (TOE) and specifies thefunctional and assurance security measures offered by that TOE to meetstated requirements. An ST principally defines:a) A security problem expressed as a set of assumptions about thesecurity aspects of the environment, a list of threats that theproduct is intended to counter, and any known rules with whichthe product must comply (Chapter 3, TOE SecurityEnvironment).b) A set of security objectives and a set of security requirements toaddress the security problem (Chapters 4, 5 and 6, SecurityObjectives, Extended Components Definition, and IT SecurityRequirements, respectively).c) The IT security functions provided by the TOE that meet the setof requirements (Chapter 7, TOE Summary Specification).The structure and content of this ST comply with the requirements specified inthe Common Criteria (CC), Part 1, Annex A, and Part 3, Chapter 11.1.1.ST and TOE IdentificationThis section provides information needed to identify and control this ST and itsassociated TOE. This ST targets Evaluation Assurance Level (EAL) 2augmented with ALC FLR.3.ST Title:Xerox WorkCentre 7525/7530/7535/7545/7556 SecurityTarget1.0Revision 1.4December 7, 2011CSC Security Testing/Certification Laboratories, XeroxCorporationXerox WorkCentre 7525/7530/7535/7545/7556 (see Section1.3.1 for software version numbers)ST Version:Revision Number:Publication Date:Authors:TOE Identification:6 Copyright 2011 Xerox Corporation, All rights reserved
Xerox WorkCentre 7525/7530/7535/7545/7556 Security TargetST Evaluator:Keywords:CSC Security Testing/Certification LaboratoriesXerox, Multi Function Device, Image Overwrite, WorkCentre ,Color, Mono, Hardcopy, Paper, Document, Printer, Scanner,Copier, Facsimile, Fax, Document Server, Document Storage andRetrieval, Nonvolatile storage, Residual data, Temporary data,Disk overwrite, Network interface, Shared communicationsmedium, Multifunction Device, Multifunction Product, All-InOne, MFD, MFP, Network, Office, ISO/IEC 15408, CommonCriteria, FIPS, Protection Profile, Security Target1.2.TOE Overview1.2.1. Usage and Major Security FeaturesThe product is a multi-function device (MFD) that copies and prints inmonochrome (black and white) and full color, with scan (including “scan-tomailbox1”), and FAX options. A standard component of the TOE is the ImageOverwrite Security package. This function forces any temporary image filescreated during a copy, print, scan or Fax job to be overwritten when those filesare no longer needed. For reference, the architecture of the TOE is illustratedin Figure 1: Architectural Diagram of the TOE below:1In Xerox terminology, the terms “mailbox” and “folder” are used interchangeably, both referring to logical placeholders under which files are stored.7 Copyright 2011 Xerox Corporation, All rights reserved
Xerox WorkCentre 7525/7530/7535/7545/7556 Security TargetFigure 1: Architectural Diagram of the TOEThe optional Xerox Embedded Fax accessory, when purchased and installed,provides local analog fax capability over PSTN connections. Table 1 shows theconfigurations and printing speeds available in the various models of the TOE.8 Copyright 2011 Xerox Corporation, All rights reserved
Xerox WorkCentre 7525/7530/7535/7545/7556 Security TargetTable 1: Models and capabilities(X – included in all configurations; O – product options ordered separately)WorkCentre 7525WorkCentre 7530WorkCentre 7535WorkCentre 7545WorkCentre 7556Print Speed(Color)Print Speed(Mono)PrintCopyScanFaxxxxoUp to 25 ppm Up to 25 ppmxxxoUp to 30 ppm Up to 30 ppmxxxoUp to 35 ppm Up to 35 ppmxxxoUp to 45 ppm Up to 45 ppmxxxoUp to 50 ppm Up to 55 ppmThe hardware included in the TOE is shown in the figure below.Figure 2: Xerox WorkCentre 7525/7530/7535/7545/7556The TOE stores temporary image data created during a copy, print, scan andFax job on the single shared HDD. This temporary image data consists of theoriginal data submitted and additional files created during a job. All partitionsof the HDD used for spooling temporary files are encrypted. The encryptionkey is created on each power-up.The TOE provides an Image Overwrite function to enhance the security of theMFD. The Image Overwrite function overwrites temporary document imagedata at the completion of each job; also upon deletion of each job or of aworkflow scan/fax, file/mailbox in the following cases: at the instruction of the9 Copyright 2011 Xerox Corporation, All rights reserved
Xerox WorkCentre 7525/7530/7535/7545/7556 Security Targetowner; after a reboot; once the TOE is turned back on after a powerfailure/unorderly shutdown; or on demand of the TOE system administrator.The optional Xerox Embedded Fax accessory provides analog FAX capabilityover Public Switched Telephone Network (PSTN) connections and also enablesLanFax jobs, if purchased by the consumer.Xerox’s Workflow Scanning Accessory is part of the TOE configuration. Thisaccessory allows documents to be scanned at the device with the resultingimage being sent via email, transferred to a remote file repository, kept in aprivate (scan) mailbox or placed on to a personal USB storage device.All models of the TOE support auditing. The TOE generates audit logs thattrack events/actions (e.g., print/scan/fax job submission) to identified users.The audit logs, which are stored locally in a 15000 entry circular log, areavailable to TOE administrators and can be exported for viewing and analysis.SSL must be configured in order for the system administrator to download theaudit records; the downloaded audit records are in comma separated formatso that they can be imported into an application such as Microsoft Excel .All models of the TOE support network security. The system administrator canenable and configure the network security support. Filtering rules can bespecified for IPv4 based on both address and port number. Additional securitysupport is provided in the form of secure network communication protocolssupported. SSL support is available for protecting communication over theWeb User Interface (Web UI). SSL may be used for protecting documenttransfers to the remote file depository. IPSec support is available for protectingcommunication over IPv4 and IPv6. Kerberos or SSL support are available forprotecting communication in support of remote authentication.The TOE controls and restricts the information flow from the externalinterfaces to the network controller (which covers the information flow to andfrom the internal network).The TOE requires users and system administrators to authenticate beforegranting access to user (copy, print, fax etc) or system administration functionsvia the Web User Interface (Web UI) or the Local User Interface (LUI). Theuser or system administrator must enter a username and password at eitherthe Web User Interface or the Local User Interface. The password will beobscured2 as it is being entered. The TOE provides for user identification andauthorization as configured by the system administrator.The TOE restricts (normal) users’ access to the documents. A user can onlyaccess his/her own documents.The TOE can integrate with an IPv4 or IPv6 network with native support fordhcp/dhcpv6.2The LUI obscures input with the asterisk character. The specific character used to obscure input at the WebUI isbrowser dependent.10 Copyright 2011 Xerox Corporation, All rights reserved
Xerox WorkCentre 7525/7530/7535/7545/7556 Security TargetThe TOE supports the Common Access Card (CAC) standard and othermethods (refer to chapter 1.3.2.3) for remote authentication.1.2.2. TOE TypeThe TOE is a multi-function device (MFD) that provides copy and print(monochrome and color), document scanning (monochrome and color) andoptional FAX services.1.2.3. Required Non-TOE Hardware, Software and FirmwareThe TOE does not require any additional hardware, software or firmware inorder to function as a multi-function device, however, the network security andfax flow features are only useful in environments where the TOE is connectedto a network or PSTN. TSF NET ID is only available when one of the followingremote authentication services is present on the network that the TOE isconnected to: LDAP or Kerberos. CAC based TSF NET ID requires CACcompliant smart cards and smart card readers.1.3.TOE DescriptionThis section provides context for the TOE evaluation by identifying the logicaland physical scope of the TOE, as well as its evaluated configuration.1.3.1. Physical Scope of the TOETheTOEisaMulti-FunctionDevice(XeroxWorkCentre 7525/7530/7535/7545/7556) that consists of a printer, copier, scanner, FAX(when purchased by the consumer), and email, as well as all Administrator andUser guidance. The difference between the models is their printing speed. Thehardware included in the TOE is shown in Figure 2 above. The optional FAXcard is not shown in this figure3.The various software and firmware (“Software”) that comprise the TOE arelisted in Table 2. A system administrator can ensure that they have a TOE byprinting a configuration sheet and comparing the version numbers reported onthe sheet to the table below.3For installation, the optional FAX card must be fitted into the machine. After powering on the machine, the FaxInstall window pops up on the Local UI with step by step instructions for installation.11 Copyright 2011 Xerox Corporation, All rights reserved
Xerox WorkCentre 7525/7530/7535/7545/7556 Security TargetTable 2: Evaluated Software/Firmware versionSoftware/Firmware ItemWorkCentre 7525/7530/7535/7545/7556System Software061.121.221.28308Network Controller Software061.121.25025User Interface Software061.121.24120Marking Engine Software (Options)- WC 7525/7530/7535081.077.000- WC 7545/7556082.077.000Copy Controller Software061.121.24121Document Feeder Software (DADH)007.008.050Finisher Software (Options)- A-Finisher013.000.000- C-Finisher032.042.000- SB-Finisher005.009.000Fax Software003.010.004Scanner Software030.141.115NOTE: For the remainder of this Security Target, the terms “NetworkController” and “Copy Controller” will refer to the “Network Controller” and“Copy Controller” software components of the “Controller” subsystem.A customer of the TOE can determine whether the Xerox Embedded Faxaccessory, Xerox Workflow Scan accessory and Image Overwrite SecurityPackage4 are installed by reviewing the TOE configuration report. A consumerof the TOE can also determine that they have the evaluated version of the TOEby reviewing the TOE configuration report and comparing the version numbersto the content of Table 2, above.The Administrator and User guidance included in the TOE are listed in Table 3.A system administrator or user can ensure that they have the appropriate4Xerox Embedded Fax accessory, Xerox Workflow Scan accessory and Image Overwrite Security Package are a part ofthe Network Controller or Copy Controller software package and do not have individual version identifiers.12 Copyright 2011 Xerox Corporation, All rights reserved
Xerox WorkCentre 7525/7530/7535/7545/7556 Security Targetguidance by comparing the software version number to the version numberslisted in the table below.Table 3: System User and Administrator GuidanceTitle Xerox WorkCentre 7500 SeriesSystem Administrator Guide v1.0Document NumberNoneDateSeptember 2010NoneSeptember 2010NoneDecember 2011Xerox WorkCentre 7500 SeriesUser Guide v1.0Secure Installation and Operationof Your WorkCentre 7525/7530/7535/7545/7556 v1.3The TOE’s physical interfaces include a power port, an Ethernet port, USB ports,serial ports, FAX ports (if the optional FAX card is installed), Local UserInterface (LUI) with keypad, a document scanner, a document feeder and adocument output.1.3.2. Logical Scope of the TOEThe logical scope of the TOE includes all software and firmware that areinstalled on the product (see Table 2). The TOE logical boundary is composedof the security functions provided by the product.The following security functions are controlled by the TOE: Image Overwrite (TSF IOW)Authentication (TSF AUT)Network Identification (TSF NET ID)Security Audit (TSF FAU)Cryptographic Operations (TSF FCS)User Data Protection – IP Filtering (TSF FDP FILTER)Network Security (TSF NET SEC)Information Flow Security (TSF FLOW)Security Management (TSF FMT)User Data Protection – Disk Encryption (TSF FDP UDE)1.3.2.1.Image Overwrite (TSF IOW)The TOE has an “Immediate Image Overwrite” (IIO) function that overwritesfiles created during job processing. This IIO process automatically starts for allabnormally terminated copy, print, scan or fax jobs stored on the HDD prior tocoming “on line” when any of the following occurs: a reboot or once the MFDis turned back on after a power failure/unorderly shutdown.The TOE also has an “On-Demand Image Overwrite” (ODIO) function thatoverwrites the hard drive(s) on-demand of the system administrator. The13 Copyright 2011 Xerox Corporation, All rights reserved
Xerox WorkCentre 7525/7530/7535/7545/7556 Security TargetODIO function operates in two modes: full ODIO and standard ODIO. Astandard ODIO overwrites all files written to temporary storage areas of theHDD. A full ODIO overwrites those files as well as the Fax mailbox/dialdirectory and Scan-to-mailbox data.Contents stored on the hard disk are overwritten using a three pass overwriteprocedure.1.3.2.2.Authentication (TSF AUT)A user must authenticate by entering a username and password prior to beinggranted access to the Local UI or the Web UI. While the user is typing thepassword, the TOE obscures5 each character entered.Upon successful authentication, users are granted access based on their roleand predefined privileges. Only a system administrator is allowed full access tothe TOE including all the system administration functions. Each common user’saccess is determined by which function (copy, scan, print, fax etc.) they havepermission for.If configured for local authentication the system requires the systemadministrator to enter a username and password for each user. The systemwill authenticate the user against an internal database.By default, the Local UI will terminate any session that has been inactive for 1minutes. By default, the Web UI will terminate any session that has beeninactive for 60 minutes. The system administrator can configure both theLocal UI and Web UI session timeouts to terminate an inactive session aftersome other period of time.1.3.2.3.Network Identification (TSF NET ID)As an alternative to TSF AUT, the TOE allows user name and password for auser to be validated by a designated authentication server (a trusted remoteIT entity). The user is not required to login to the network; account informationentered at Local UI or Web UI of the TOE is authenticated at the serverinstead of the TOE. The remote authentication services6 supported by the TOEinclude: CAC authentication, LDAP v4, Kerberos v5 (Solaris) and Kerberos v5(Windows 2000/2003).The TOE maintains the username from a successful authentication during thecontext of the job, and this value is entered into the audit log as the username.5The LUI obscures input with the asterisk character. The specific character used to obscure input at the WebUI isbrowser dependent6User account (authorization privilege) information can be maintained locally by the TOE or at the remoteauthentication server without impacting how a user session is presented or controlled; however, the use of remoteauthentication servers for this purpose is outside the scope of this evaluation.14 Copyright 2011 Xerox Corporation, All rights reserved
Xerox WorkCentre 7525/7530/7535/7545/7556 Security Target1.3.2.4.Security Audit (TSF FAU)The TOE generates audit logs that track events/actions (e.g.,copy/print/scan/fax job completion) to identified users. The audit logs, whichare stored locally in a 15000 entry circular log, are available to TOEadministrators and can be exported for viewing and analysis.
ST Title: Xerox WorkCentre 7525/7530/7535/7545/7556 Security Target ST Version: 1.0 Revision Number: Revision 1.4 Publication Date: December 7, 2011 Authors: CSC Security Testing/Certification Laboratories, Xerox Corporation TOE Identification: Xerox WorkCentre 7525/7530/7535/7545/7556 (see Section 1.3.1 for software version numbers)
