White Paper: Canon imageRUNNER ADVANCE Security

INTENT OF THIS DOCUMENT:  

Canon recognizes the importance of information security and the challenges that your organization faces. 
This white paper provides information security facts for Canon imageRUNNER ADVANCE systems. It 
provides details on imageRUNNER ADVANCE security technology for networked and stand-alone 
environments, as well as an overview of Canon’s device architecture, framework and product technologies 
as related to document and information security.  

 

This White Paper is primarily intended for the administrative personnel of a customer charged with 
responsibility for the configuration and maintenance of imageRUNNER ADVANCE systems. The 
information in this document may be used to more clearly understand the many imageRUNNER ADVANCE 
security-related configuration capabilities offered by Canon. The imageRUNNER ADVANCE system offers 
a number of standard and optional capabilities that, when used by a customer, can help facilitate effective 
management and security of data processed and stored by the system. Ultimately, it is the customer’s 
responsibility to select the method(s) most appropriate for securing their information.  

 

Canon does not warrant that use of the information contained within this document will prevent malicious 
attacks, or prevent misuse of your imageRUNNER ADVANCE systems.  

 
 

Products shown with optional accessories/equipment. The features reviewed in this white paper include both standard and optional 
solutions for imageRUNNER ADVANCE systems. Specifications and availability subject to change without notice. 

 

 

Version 1.3 

October , 2011 

Summary of Contents for Paper Shredder

Page 2: ...ecurity Table of Contents 1 Introduction 3 2 Device Security 5 3 Information Security 11 4 Network Security 22 5 Security Monitoring Management 27 6 Logging Auditing 28 7 Canon Solutions Regulatory Requirements 30 8 Conclusion 33 9 Addendum 34 ...

Page 3: ... ADVANCE systems are designed to help prevent data loss help protect against unwanted device infiltration and help keep information from being compromised Dennis Amorosano Sr Director Solutions Marketing Business Support Canon U S A Inc As the marketplace has evolved the technology associated with office equipment continues to develop at an ever increasing pace Over the last several years alone tr...

Page 4: ... with general purpose PCs They contain many of the same components like CPUs memory and hard disks and some even use mainstream operating systems like Windows or Linux Like any other device on the network sensitive information may be passed through these units and stored in the device s hard disk and memory Yet at many companies multifunction devices are not given the same attention concerning inf...

Page 5: ...sure that only approved walk up and network based users can access the device and its functions such as print copy and Scan and Send features Beyond limiting access to only authorized users authentication also provides the ability to control usage of color output and total print counts by department or user Device Based Authentication Department ID Mode An embedded feature within imageRUNNER ADVAN...

Page 6: ...le to eliminate the need for an external server or integrated with an existing authentication server through customization Support is provided for cards from HID Prox HID iClass Casi Rusco MIFARE and AWID Customization can also be performed to provide support for other card types Advanced Authentication Common Access Card CAC Personal Identity Verification PIV Card Federal agencies both civilian a...

Page 7: ...Card Reader system option requires the use of intelligent cards that must be inserted in the system before granting access to functions which automates the process of Department ID authentication The optional Control Card Card Reader system manages populations of up to 300 departments or users 2 3 Access Control Canon imageRUNNER ADVANCE systems support a number of access control options to help y...

Page 8: ...and only allowed 2 sided printing and copying Device Function Values Description Print Allowed Not Allowed Allows or prohibits using applications related to the Print function Copy Allowed Not Allowed Allows or prohibits using applications related to the Copy function Send Store on Network Sets restrictions for externally sending scanned documents user inbox documents and saving documents to file ...

Page 9: ... administrators may choose to allow all users to make black and white copies while prompting users to login if they choose to output color or use the Scan and Send function Scan and Send Security On devices that have Scan and Send enabled certain information such as fax numbers and e mail addresses may be considered confidential and sensitive For these devices there are additional security feature...

Page 10: ...stination types that are available to users when sending documents with Scan and Send and Fax Permissions can be set to enable or disable the entry of new addresses for the following Entries in the Address Book LDAP Servers User Inboxes One touch Buttons Favorites Buttons The User s E mail Address Send to Myself if Using SSO Login Print Driver Security Features Print Job Accounting A standard feat...

Page 11: ...ion is modified in any way the signature code will not match and the application will not be permitted to run on the device These safety measures make it virtually impossible for an altered or rogue MEAP application to be executed on an imageRUNNER ADVANCE system Section 3 Information Security Protecting your organization s confidential information is a mission that Canon takes seriously From your...

Page 12: ...non Compact MFPs CMFP complementing mixed fleet and MPS business for larger customers Based on uniFLOW server technology SSP enables secure printing on compact Canon MFPs while also including aspects of uniFLOW s signature follow me printing and authentication Serverless Secure Print works by holding the user s print job on their PC The users can then walk to a Canon device in the SSP network auth...

Page 13: ...ough a Windows login box Administrators can manage the Advanced Box feature through the Remote UI interface and perform the following actions Create user accounts and define type Admin vs End User Activate authentication and enable Personal Space Register network devices for remote access Select the file formats allowed for storage printable format only common Office formats or all By limiting to ...

Page 14: ...igital signature they can view the document s properties to review the signature s contents including the Certificate Authority system product name serial number and the Time Date stamp of when it was created If the signature is a device signature it will also contain the name of the device that created the document while a user signature verifies the identity of the authenticated user that sent o...

Page 15: ...0 for a more detailed description on the Document Scan Lock Trace feature The PDF A 1b and Encrypted PDF file formats are not compatible with Adobe LiveCycle Rights Management ES The Scan Lock feature enables the following restrictions to be applied to a document Complete Restriction No one can make any copy send fax Password Authentication Allows the ability to make copy send fax only if the prop...

Page 16: ...lude a standard hard disk format utility as well as more advanced optional accessories such as the HDD Data Erase Kit the HDD Data Encryption Kit or the Removable HDD Kit Some imageRUNNER ADVANCE systems that are configured with the optional HDD Mirroring Kit for external Print Controller may contain more than one disk Standard HDD Format Best practices and often company policies usually recommend...

Page 17: ...ed to the disk using the 256 bit AES Advanced Encryption Standard algorithm Please refer to Section 9 2 for information on the Canon imageRUNNER ADVANCE Hard Disk Drive Security Kit Options Please see the imageRUNNER Bulletin 5 10 issued on 4 26 10 entitled Hard Disk Drive Format Technology Procedures for imageRUNNER imageRUNNER ADVANCE and imagePRESS devices to learn more about this feature HDD D...

Page 18: ...e of the last set is printed out c Staple Sort When a user programs a job to be sorted into stapled sets the page data will be overwritten page by page after all of the stapled sets finish printing d Remote Cascade Copy When a user programs a remote or cascade copy job depending on the settings chosen page data will either immediately be overwritten page by page or the page data will be overwritte...

Page 19: ... no impact on performance Removable HDD Kit The imageRUNNER Removable HDD Data Kit option provides a means for system administrators to physically lock the device s internal hard disk drive into the system during normal operation thereby decreasing the risk of theft Once the device has been powered down the drive can be unlocked and removed for storage in a secure location Job Log Conceal Function...

Page 20: ... AES 256 bit encryption to protect your print job data while in transmission over the network To protect print jobs from being output at the device unattended the Encrypted Secured Print feature holds the job in a queue until the user defined password is entered on the control panel Encrypted PDF The Encrypted PDF feature of imageRUNNER ADVANCE systems support 40 bit 128 bit RC4 encryption and 128...

Page 21: ...ny action associated with these documents stored in a polling box is performed using G3 Fax protocols which provide no means of accessing a local network Other Fax Features Fax Forwarding Mailbox Fax Forwarding The Fax Forwarding function allows imageRUNNER ADVANCE systems equipped with a fax board to forward inbound fax transmissions to specific recipients This is done by setting predetermined co...

Page 22: ... are accessible As a result unwanted device communication and system access via specific transport protocols can be effectively blocked Canon imageRUNNER ADVANCE systems have the ability to disable unused TCP IP ports to further secure the devices Disabling ports affects the available functions and applications on the device Configurable ports include Name Port Description Setting location Functio...

Page 23: ...ecure Socket Layer SSL encryption support for some transmissions to and from the imageRUNNER device such as Internet protocol Printing IPP Internet fax I fax Remote UI Web Access and DIDF IPv6 Support IPv6 support which is available in all imageRUNNER ADVANCE systems provides a more secure network infrastructure improved traffic routing and easier management for administrators than IPv4 Device Inf...

Page 24: ...g Security Payload A protocol that provides confidentiality via encryption while certifying the integrity and authentication of only the payload part of communicated data Key Exchange Protocol Supports IKEv1 Internet Key Exchange version 1 for exchanging keys based on ISAKMP Internet Security Association and Key Management Protocol IKE includes two phases in phase 1 the SA used for IKE IKE SA is c...

Page 25: ...alue for this community string for most network devices is often public Using this community string an application can retrieve data from the imageRUNNER ADVANCE system s Management Information Base MIB elements There is also a read write community string and its default value is usually private Using the read write community string an application can actually change values for MIB variables Canon...

Page 26: ...tocols To protect the service against attack or improper use administrators can enable additional security features such as SMTP Authentication and POP Authentication before SMTP SMTP Authentication To prevent unauthorized users from making use of the device s internal SMTP server administrators can enable SMTP Authentication and designate a username and password to connect to the server In additi...

Page 27: ... Security section Section 6 Logging Auditing Few security procedures can completely prevent the intentional leak of confidential information while maintaining high productivity but if an occurrence does happen it is important to be able to trace it to the source Canon has developed a number of cutting edge technologies to provide administrators with powerful ways to discourage leaks and investigat...

Page 28: ...njunction with SSO will provide the ability to track usage per individual user Canon imageWARE Accounting Manager provides the capability to Track copy scan send fax jobs Track by paper type single and double sided output or N Up output Track by device Track by Individual group or department Track by black and white or color copy print jobs Multi tiered billing codes for charge back purposes Analy...

Page 29: ... department s use Following the development of the Common Criteria the National Institute of Standards and Technology and the National Security Agency in cooperation and collaboration with the U S State Department worked closely with their partners in the CC Project to produce a mutual recognition arrangement for IT security evaluations that use the Common Criteria The Arrangement is officially kn...

Page 30: ...on Profile is part of a suite of standards developed by the Hardcopy Device and System Security Working Group sponsored by the IEEE Information Assurance Standards Committee of the IEEE Computer Society Canon participated in the development of the P2600 suite of Protection Profiles as a member of the Hardcopy Device and System Security Working Group With specified processes configurations and sett...

Page 31: ...ia a Federal Government issued CAC or PIV card AA CAC PIV can also be used in conjunction with the Access Management System AMS limiting function access based on defined roles Authorized Send CAC PIV Designed to meet the needs of the United States Department of Defense and numerous government agencies the Authorized Send CAC PIV option for imageRUNNER ADVANCE systems provides a means for the devic...

Page 32: ...tems offer a robust set of standard features and optional components When properly deployed the devices can be effectively protected against vulnerabilities from either malicious or unintentional use Combined with advanced monitoring and management tools for auditing and centralized administration the systems can meet the demand for increased productivity and strong security As corporate privacy g...

Page 33: ...ice security internal company security policies should ultimately dictate which security measures are appropriate for implementation within a specific environment 1 Choose a form of User Authentication and or Access Control 2 Set the system administrator ID and password 3 Disable unused ports and applications e g FTP RUI 4 Set passwords for Mail Boxes and Advanced Boxes 5 Restrict printing and RUI...

Page 34: ...PRO C9065 PRO 8105 8095 8085 6075 6065 6055 Activation Install Encryption Board Install Encryption Board LMS License Access Key Deactivation Uninstall the Board Uninstall the Board Yes HDD Encryption AES 256 Bit AES 256 Bit HDD Overwrite X Overwrite Pattern Null Once Random Data Once Random Data 3 times DoD 5022 22M Compliant Mode System Manager Password Password Initialization in Service Mode X S...

Page 35: ...White Paper Canon imageRUNNER ADVANCE Security 9 3 IEEE 2600 1 CC Functional Requirements 9 4 IEEE 2600 1 CC Settings Registration Items Preferences ...

Page 36: ...set Time Auto Reset Time in Preferences Settings Registration Function After Auto Reset in Preferences Settings Registration 3 The setting of Preferences Settings Registration Adjust Time is restricted for both administrator and general user when ON is selected for Audit Log Retrieval 4 Not displayed when the Remote Operation Kit is enabled 5 To allow to receive a secured print job specify Functio...

Page 37: ...and Canon Canon s subsidiaries or affiliates their licensors distributors or dealers shall not be liable for any claim against you by a third party arising out of the use or performance of canon s products or information referenced herein Regulatory Disclaimer Statements made in this document are the opinions of Canon U S A None of these statements should be construed to customers or Canon USA s d...
