Lexmark XC9325 Security White Paper - Page 37
Protected USB Ports
View all Lexmark XC9325 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 37 highlights
Secure Access 37 Benefits • Device functions are enhanced by installing eSF applications in a secure manner using signed, encrypted files that are verified by the device before installation. • Device function usage by eSF applications is restricted to well-defined APIs. Details In the same way that Lexmark devices inspect all downloaded firmware packages for a number of required attributes before the firmware is adopted or executed, eSF applications are delivered to devices using the same packaging as Lexmark device firmware. The application must be packaged appropriately, that is, in a proprietary format. In addition, packages must be encrypted with a symmetric encryption algorithm through a key that is known only to Lexmark and is embedded securely in all devices. However, the strongest security comes from the requirement that all application packages must include multiple digital 2048-bit RSA signatures from Lexmark. If these signatures are not valid, or if the message logs that accompany them indicate that the firmware has been changed since the signatures were applied, the application is discarded. Lexmark eSF applications can be transmitted over the network, which allows all devices on that network to be updated efficiently. This process can be automated and scheduled, and does not require someone to be at each device. The device receives the application, validates it, adopts it, and stores it automatically. For security, the ability to install, update, or remove applications can be limited. First, eSF flash files are subject to the same firmware update access control as other firmware update flash files, so if this access is disabled, eSF applications cannot be installed except through the Embedded Solutions setup page of the web user interface. Access to the web page can be limited with access control restrictions to authorized administrators. The security of the application also relies on a secure development and certification process to verify that the operation of the application performs the desired function and does not permit malicious malware or viruses, or does not allow undesired behavior. Most eSF applications are developed by Lexmark developers, but even for those that are developed by third parties, the completed application is verified for acceptable behavior and adherence to device and memory access restrictions. Only after approval is the application packaged and signed by Lexmark for distribution. Protected USB Ports Overview USB ports on personal computers provide a means to connect devices of various types for a variety of interactions. However, for security reasons, the USB ports on Lexmark devices are far more limited in their capabilities. The USB host ports on Lexmark devices provide the following: • Detect an inserted USB mass storage device (such as a flash drive) and display, by name, the image files and/or flash files that are stored in the device. • Select a supported image file for printing or select a valid flash file to initiate a firmware update (if permitted by security settings). • Scan data directly to the USB flash drive. • Access can be permitted or restricted based on a defined schedule. If enhanced security is required, then the device can limit or not permit these operations, or not permit any use of USB devices.