Lexmark C4342 Security White Paper - Page 37

Protected USB Ports

Get Lexmark C4342 PDF manuals and user guides View all Lexmark C4342 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 37 highlights

Secure Access 37 Benefits • Device functions are enhanced by installing eSF applications in a secure manner using signed, encrypted files that are verified by the device before installation. • Device function usage by eSF applications is restricted to well-defined APIs. Details In the same way that Lexmark devices inspect all downloaded firmware packages for a number of required attributes before the firmware is adopted or executed, eSF applications are delivered to devices using the same packaging as Lexmark device firmware. The application must be packaged appropriately, that is, in a proprietary format. In addition, packages must be encrypted with a symmetric encryption algorithm through a key that is known only to Lexmark and is embedded securely in all devices. However, the strongest security comes from the requirement that all application packages must include multiple digital 2048-bit RSA signatures from Lexmark. If these signatures are not valid, or if the message logs that accompany them indicate that the firmware has been changed since the signatures were applied, the application is discarded. Lexmark eSF applications can be transmitted over the network, which allows all devices on that network to be updated efficiently. This process can be automated and scheduled, and does not require someone to be at each device. The device receives the application, validates it, adopts it, and stores it automatically. For security, the ability to install, update, or remove applications can be limited. First, eSF flash files are subject to the same firmware update access control as other firmware update flash files, so if this access is disabled, eSF applications cannot be installed except through the Embedded Solutions setup page of the web user interface. Access to the web page can be limited with access control restrictions to authorized administrators. The security of the application also relies on a secure development and certification process to verify that the operation of the application performs the desired function and does not permit malicious malware or viruses, or does not allow undesired behavior. Most eSF applications are developed by Lexmark developers, but even for those that are developed by third parties, the completed application is verified for acceptable behavior and adherence to device and memory access restrictions. Only after approval is the application packaged and signed by Lexmark for distribution. Protected USB Ports Overview USB ports on personal computers provide a means to connect devices of various types for a variety of interactions. However, for security reasons, the USB ports on Lexmark devices are far more limited in their capabilities. The USB host ports on Lexmark devices provide the following: • Detect an inserted USB mass storage device (such as a flash drive) and display, by name, the image files and/or flash files that are stored in the device. • Select a supported image file for printing or select a valid flash file to initiate a firmware update (if permitted by security settings). • Scan data directly to the USB flash drive. • Access can be permitted or restricted based on a defined schedule. If enhanced security is required, then the device can limit or not permit these operations, or not permit any use of USB devices.

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
Benefits
Device functions are enhanced by installing eSF applications in a secure manner using signed, encrypted
files that are verified by the device before installation.
Device function usage by eSF applications is restricted to well-defined APIs.
Details
In the same way that Lexmark devices inspect all downloaded firmware packages for a number of required
attributes before the firmware is adopted or executed, eSF applications are delivered to devices using the same
packaging as Lexmark device firmware. The application must be packaged appropriately, that is, in a proprietary
format. In addition, packages must be encrypted with a symmetric encryption algorithm through a key that is
known only to Lexmark and is embedded securely in all devices. However, the strongest security comes from
the requirement that all application packages must include multiple digital 2048-bit RSA signatures from
Lexmark. If these signatures are not valid, or if the message logs that accompany them indicate that the firmware
has been changed since the signatures were applied, the application is discarded.
Lexmark eSF applications can be transmitted over the network, which allows all devices on that network to be
updated efficiently. This process can be automated and scheduled, and does not require someone to be at
each device. The device receives the application, validates it, adopts it, and stores it automatically.
For security, the ability to install, update, or remove applications can be limited. First, eSF flash files are subject
to the same firmware update access control as other firmware update flash files, so if this access is disabled,
eSF applications cannot be installed except through the Embedded Solutions setup page of the web user
interface. Access to the web page can be limited with access control restrictions to authorized administrators.
The security of the application also relies on a secure development and certification process to verify that the
operation of the application performs the desired function and does not permit malicious malware or viruses,
or does not allow undesired behavior. Most eSF applications are developed by Lexmark developers, but even
for those that are developed by third parties, the completed application is verified for acceptable behavior and
adherence to device and memory access restrictions. Only after approval is the application packaged and
signed by Lexmark for distribution.
Protected USB Ports
Overview
USB ports on personal computers provide a means to connect devices of various types for a variety of
interactions. However, for security reasons, the USB ports on Lexmark devices are far more limited in their
capabilities.
The USB host ports on Lexmark devices provide the following:
Detect an inserted USB mass storage device (such as a flash drive) and display, by name, the image files
and/or flash files that are stored in the device.
Select a supported image file for printing or select a valid flash file to initiate a firmware update (if permitted
by security settings).
Scan data directly to the USB flash drive.
Access can be permitted or restricted based on a defined schedule. If enhanced security is required, then
the device can limit or not permit these operations, or not permit any use of USB devices.
Secure Access
37