ST of the Oce PRISMAsync 11.9.75.55 as used in
10 Appendix B References

[1] Peter Gutmann, "Secure Deletion of Data from Magnetic and Solid State Memory", 1996, http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html
[2] US Department of Defense, Military Standard DoD 5220.22-M, http://www.dss.mil/isec/nispom_0195.htm

08 October 2009 Page 50 of 55 Commercial BSI-DSZ-CC-0615 COMMERCIAL

11 Appendix C Glossary of Terms

Repro room: Reprographics room

12 Appendix D Firewall rule table

The firewall rule table that is used by the Océ PRISMAsync for controlling the inbound flow of data is given below. By default no traffic is permitted to enter the TOE except for the ports defined in the rule tables below.

ICMP (administration): Protocol ICMP, Destination Port any
LPR (accepting print jobs): Protocol TCP, Destination Port 515
Web (HTTPS server with HTTP redirect, administration): Protocol TCP, Destination Port 443; Protocol TCP, Destination Port 80
SNMP (non security functionality related administration): Protocol UDP, Destination Port 161

13 Appendix E Security Related Administration Functions

In this appendix the security related administration functions that are available to S.SERVICE_ENGINEER and S.REMOTE_SYSADMIN are detailed. The tables give the administration f
P.TOE_ADMINISTRATION X
P.JOB_DELETE X
(last rows of the tracing table)

The individual rationales demonstrating that the threats, assumptions and organizational security policies are met are described as follows.

A.DIGITAL_COPIER: The assumption is met by the following TOE assurance objective.

O.E.LOCAL_INTERFACE: The environment into which the TOE will be introduced shall contain an Océ VP41x0 MFD that provides a Local User Interface and Glass Plate through which S.OPERATOR can interact easily with the TOE to manage the print queues. When sending a D.PRINT_JOB to the Océ PRISMAsync, S.OPERATOR is aware that they must delete the job on the same workday that it is sent to the TOE, whether or not it is used. Requiring job data to be deleted from the TOE on the same workday it is sent reduces the time available to an attacker in which the data object is vulnerable. The MFD provides a glass plate and LUI with which S.OPERATOR can perform print, copy and scan jobs. The ST claim is not valid when the TOE is used with any other type of Océ MFD. The TOE will not work with any other device, including Digital MFD Products from any other manufacturers.

Although the assumption states that a VP41x0 MFD from Océ will be used, the MFD is an untrusted device.

A.ENVIRONMENT: The assumption is met by the following objectives for the environment.

O.E.ENVIRONMENT: The env
2.1 TOE Overview

This section presents an overview of the TOE.

2.1.1 TOE physical scope and boundary

The firm Océ produces a wide range of multifunctional devices for copying, printing and scanning (MFDs). For the purpose of this evaluation the MFD consists of two main parts: (1) the Océ PRISMAsync controller and (2) the Digital Printer and Scanner, Copier and Local User Interface peripherals, which together form the VP41x0 R1.3 product.

The Océ PRISMAsync is a PC based MFD controller that provides a wide range of printing, scanning and copy functionality to the Digital Printer, Scanner and Copier and Local User Interface peripherals to which the Océ PRISMAsync is connected. The Océ PRISMAsync provides security functionality to the MFD.

The Océ PRISMAsync can operate in two different security modes: High and Normal. This Security Target covers the Océ PRISMAsync operating in the security mode High, as delivered by Océ to the customer. This mode provides a restricted set of functionality that is configured to meet the Security Target claim. Changing the operational mode invalidates the claims made in this Security Target.

The Océ PRISMAsync is connected between a network and the MFD. This is depicted in Figure 1.

Figure 1 (diagram; recoverable labels: Input, Glass Plate of MFD, Copy Data Flow, Scan Data Flow, Network, Print Data Flow, Output Tray of MFD)
FPT_SEP.1 TSF domain separation: Filtering of network traffic occurs in an area of the TOE that is separate from non-TSF related operation. This SFR supports the objective by ensuring that the filtering mechanism is protected by not being exposed to non-TSF mechanisms from which a possible attack could be made.

O.F.JOB_SHRED

FDP_RIP.1 Subset residual information protection: This SFR supports the objective by ensuring that once a print, copy or scan job is no longer needed, and during the start-up procedure if residual print or scan job data is found, the related data will be electronically shredded from the hard disk. The SFR has been refined to describe the moment when the data will be shredded.

FPT_RVM.1 Non-bypassability of the TSP: Print and scan jobs must pass through the shredding mechanism. This SFR supports the objective by ensuring that print and scan jobs cannot leave the TOE except in the authorised manner.

FPT_SEP.1 TSF domain separation: Shredding occurs in an area of the TOE that is separate from non-TSF related operation. This SFR supports the objective by ensuring that the shredding mechanism is protected by not being exposed to other non-TSF mechanisms from which a possible attack could be made.

O.F.AUTHENTICATE

FIA_UID.2 User identification before any action: S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER must identify themselves to the TOE before any TOE management actions can be performed.

FIA_UAU.2 User authentic
SFR helps to reduce the amount of sensitive data present on the hard disk in the event of it being stolen.

FIA_UID.2 This Security Functional Requirement ensures that administrators correctly identify themselves to the TOE before security management functions can be used. This SFR is supported by SF.MANAGEMENT and provides functionality whereby administrators (S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER) can identify themselves to the TOE. This helps to restrict access to security management functions and thereby reduces the risk of modifications being made to the TOE settings by unauthorised users.

FIA_UAU.2 This Security Functional Requirement ensures that administrators correctly authenticate themselves to the TOE before security management functions can be used. This SFR is supported by SF.MANAGEMENT and provides functionality whereby administrators (S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER) can authenticate themselves to the TOE. This helps to restrict access to security management functions and thereby reduces the risk of modifications being made to the TOE settings by unauthorised users.

FMT_MOF.1 This Security Functional Requirement ensures that the TOE management functions are only used by either the Océ technician (S.SERVICE_ENGINEER) or the customer system administrator (S.REMOTE_SYSADMIN). This SFR is supported by SF.MANAGEMENT and ensures that non-administrators ca
(SNMP). These are remote administrators, typically a network administrator from the organization owning or renting the TOE. They can read and write a limited set of settings of the TOE through an SNMP connection. None of the settings that the remote system administrator can access through SNMP are security related, in the sense that they provide access to the assets that the TOE protects or allow changes to be made to the TOE security functionality.

Service engineer: These are local administrators and are typically employed by Océ. They have access through an Ethernet connection to a wide range of settings on the TOE. The TOE connection is PIN code protected and service license protected, and access to the management functions provided to the Service engineer requires specific hardware and software. It is not possible to access the management functions made available to the service engineer without the software that is installed on the service engineer laptop.

The various administrators and the interfaces through which they interact with the TOE are depicted in Figure 7.

Figure 7: MFD Administrators and interfaces (diagram; labels: MFD Peripheral, Service Engineer, Remote system administrator)

The TOE has minimized all other functionality. The TOE supports the following network protocols:
• TCP/IP, UDP/IP and ICMP
No other network protocols are enabled. The TOE manu
a wide range of printing, scanning and copying functionality to the MFD peripherals to which it is connected. The Océ PRISMAsync provides security functionality to the MFD.

This Security Target describes the Océ PRISMAsync and the specific security problem that it addresses. The Target of Evaluation (TOE) is a collection of software components (Océ developed software, 3rd party printer language interpreters, Operating System) that use the underlying hardware platform. The TOE is a subset of the complete Océ PRISMAsync.

1.3 CC Conformance

The evaluation is based upon:
• Common Criteria for Information Technology Security Evaluation, Version 2.3, Part 1: General model, August 2005
• Common Criteria for Information Technology Security Evaluation, Version 2.3, Part 2: Security functional requirements, August 2005
• Common Criteria for Information Technology Security Evaluation, Version 2.3, Part 3: Security assurance requirements, August 2005
• Common Methodology for Information Technology Security Evaluation, Version 2.3, Part 2: Evaluation Methodology, August 2005

The chosen level of assurance is EAL2 (Evaluation Assurance Level 2) augmented with ALC_FLR.1. This Security Target claims the following conformance to the CC: CC Part 2 conformant; CC Part 3 conformant.

2 TOE Description
environment and not on a recurring basis.

It is assumed that the customer will have a Security Policy governing the use of IT products by employees in the customer organisation. The TOE assumes that the network to which it is attached is protected by security measures that are intended to prevent malware, viruses and network traffic not related to the working of the operational environment from entering the network to which it is attached. Although the virus database files and various patches are kept up to date, the policy recognises that new threats emerge over time and that occasionally they may enter the environment from outside, and provides measures to help limit the damage. The Policy will define how IT products are protected against threats originating from outside the customer organisation. The organisation's employees are aware of, are trained in, and operate according to the terms and conditions of the policy. The policy also covers physical security and the need for employees to work in a security aware manner, including the usage of the TOE. The Security Policy describes and requires a low to medium level of assurance (EAL2) for the TOE.

A.SLA: It is assumed that any security flaws discovered in the TOE will be repaired by Océ, possibly as part of an agreed service level agreement.

3.3 Threats

T.RESIDUAL_DATA: S.THIEF steals the TOE or par

T.MALWARE
installation, generation and start-up of the TOE is:
• Software development and delivery for the Océ PRISMAsync Controllers

Development (ADV) assurance measures: The developer documentation for ADV functional specifications can be found in:
• Functional Specification for the Océ PRISMAsync 11.9.75.55 as used in the Océ VP41x0 R1.3, version 1.4
• High Level Design for the Océ PRISMAsync 11.9.75.55 as used in the Océ VP41x0 R1.3, version 1.3

Guidance (AGD) assurance measures: The document containing the guidance for Océ service engineers is maintained on the service engineer's laptop with the reference:
• Océ VarioPrint 4110/4120 Security service documentation, Edition 2009-10
It is not a publicly available document. The guidance for the customer administrators and users is in:
• Océ VarioPrint 4110/4120 Administrator settings and tasks, Edition 2009-05
• Océ VarioPrint 4110/4120 Manual type Operating information, version 2008-11
• Océ VarioPrint 4110/4120 Common Criteria certified configuration of the Océ PRISMAsync, Edition 2009-09

Life Cycle (ALC) assurance measures: The physical, procedural, personnel and other security measures applied by the developer can be found in:
• Flaw remediation for Océ printer/copier/scanner products

Test (ATE) assurance measures: The developer test documentation can be a test analysis showing that the tests cover the ent
uses a generic PC hardware platform. The Océ PRISMAsync only provides functionality related to the operation of the TOE and does not have a dual function, for example as an office file server. The nature of the TOE is such that evaluation at EAL2 provides a suitable level of assurance that the TSF operates in its own domain.

The operation of the TSF in its own domain provides the following:
1. The filtering mechanisms are in a separate domain from the rest of the non-security related operations that the TOE performs. This SFR is supported by SF.FILTERING. This protects the integrity of the filtering mechanism against unauthorised subjects and threat attacks.
2. The shredding mechanisms are in a separate domain from the rest of the non-security related operations that the TOE performs. This SFR is supported by SF.SHREDDING. This protects the integrity of the shredding mechanism against unauthorised subjects and threat attacks.
3. The TOE security management mechanisms are in a separate domain from the rest of the non-security related operations that the TOE performs. This SFR is supported by SF.MANAGEMENT. This protects the integrity of the security management mechanisms against unauthorised subjects and threat attacks.

FPT_RVM.1 This Security Functional Requirement ensures that no security related operations can be performed without being controlled by the TOE's security m
1072
KB935839, KB951698, KB935840, KB951748, KB936021, KB952954, KB937143, KB953838, KB938829, KB953839, KB939373, KB953839, KB939653, KB954211, KB941568, KB956390, KB941644, KB956391, KB941693, KB956803, KB942527, KB956841, KB942615, KB957095, KB942763

15 Distribution list
1. BSI
2. Océ Technologies BV
3. Brightsight
D.TRAFFIC from S.NETWORK_DEVICE to enter its boundary.

It is assumed that the TOE has a S.DIGITAL_PRINTER device attached to it. S.DIGITAL_PRINTER is part of the Océ VP41x0 MFD. It is assumed for EAL2 that the interface from the Océ PRISMAsync to the S.DIGITAL_PRINTER will not be used to mount an attack and that the interface is only used for the purposes of printing.

It is assumed that the TOE has an S.DIGITAL_SCANNER device attached to it. S.DIGITAL_SCANNER is part of the Océ VP41x0 R1.3 MFD. It is assumed for EAL2 that the interface from the Océ PRISMAsync to the S.DIGITAL_SCANNER will not be used to mount an attack and that the interface is only used for the purposes of scanning.

It is assumed that the TOE has a S.LUI device attached to it. S.LUI is part of the Océ VP41x0 MFD. It is assumed for EAL2 that the interface from the LUI to the Océ PRISMAsync will not be used to mount an attack, as the TOE security functions cannot be accessed via this interface and the interface is only used for the purposes of printing, scanning and copying.

The TOE assumes that its operational environment is a repro room contained within a regular office environment. Physical access to the operational environment is restricted to S.OPERATOR and S.SERVICE_ENGINEER. The office environment also contains non-threatening office personnel: S.OPERATOR, S.REMOTE_USER, S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER. S.THIEF is only rarely present in this
NT_JOB, D.SCAN_JOB and D.COPY_JOB
• On deletion of R.PRINT_JOB, R.COPY_JOB and R.SCAN_JOB by S.OPERATOR, S.REMOTE_SYSADMIN or S.SERVICE_ENGINEER
• On TOE start-up or TOE reboot
Dependencies: No dependencies.

5.1.3 SFRs for Management

FIA_UID.2 User identification before any action
FIA_UID.2.1 The TSF shall require S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER to identify themselves before allowing any other TSF-mediated actions on behalf of that user.
Dependencies: No dependencies.

FIA_UAU.2 User authentication before any action
FIA_UAU.2.1 The TSF shall require S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
Dependencies: FIA_UID.1 (hierarchical component included).

FMT_MOF.1 Management of security functions behaviour (S.REMOTE_SYSADMIN)
FMT_MOF.1.1 The TSF shall restrict the ability to modify the behaviour of the functions described in appendix E for S.REMOTE_SYSADMIN to S.REMOTE_SYSADMIN.
Dependencies: FMT_SMF.1 (included), FMT_SMR.1 (included).

[8] This is a refinement to show when the de-allocation is to take place. When you delete a file, the OS modifies the relevant entry in the file allocation table. The data remains on the hard disk and can be retrieved with suitable tools. This is why the TOE shreds the data. What is happening is that:
• When the job manager discards data it moves the data reference in
Océ Technologies BV / BrightSight report: ST Océ PRISMAsync 11.9.75.55 4.6.2

ST of the Océ PRISMAsync 11.9.75.55 as used in the Océ VarioPrint 41x0 Release 1.3
Version: 4.6.2
Date: 08 October 2009
Certification ID: BSI-DSZ-CC-0615
Sponsor: Océ Technologies BV
File name: Oce PRISMAsync Security_Target 4.6.2.doc
No. of pages: 19

This Security Target was prepared for Océ Technologies BV, P.O. Box 101, 5900 MA Venlo, The Netherlands, by Brightsight, your partner in security approval. © 2009 Océ Technologies B.V. / Brightsight respectively.

Document information
Date of issue: 08 October 2009
Author(s):
Version number report: 4.6.2
Certification ID: BSI-DSZ-CC-0615
Scheme: BSI
Sponsor: Océ Technologies BV, P.O. Box 101, 5900 MA Venlo, The Netherlands
Evaluation Lab: Brightsight IT Security Evaluation Facility, Delftechpark 1, 2628XJ Delft, The Netherlands
Sponsor Project leader: Frederik Eveilleau
Target of Evaluation (TOE): Océ PRISMAsync 11.9.75.55 as used in the Océ VarioPrint 41x0 Release 1.3
TOE reference name: Océ PRISMAsync
CC EAL number: 2 augmented with ALC_FLR.1
Classification: Commercial
Report title: ST of the Océ PRISMAsync 11.9.75.55 as used in the Océ VarioPrint 41x0 Release 1.3
Report reference name: ST Océ PRI
RY 4
1 SECURITY TARGET INTRODUCTION 7
1.1 ST Identification 7
1.2 ST Overview 8
1.3 CC Conformance 9
2 TOE DESCRIPTION 10
2.1 TOE Overview 10
2.1.1 TOE physical scope and boundary 10
2.1.2 TOE logical scope and boundary 14
3 TOE SECURITY ENVIRONMENT 20
3.1 Definition of subjects, objects and operations 20
3.1.1 Non-human subjects 20
3.1.2 Human subjects 20
3.1.3 Objects 21
3.1.4 Operations 21
3.2 Assumptions 22
3.3 Threats 23
3.4 Organisational Security Policies 23
4 SECURITY OBJECTIVES 24
4.1 TOE Security Objectives 24
4.1.1 Functional Security Objectives for the
SA.3.1 The TSF shall enforce the NETWORK_POLICY to provide restrictive default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow nobody [13] to specify alternative initial values to override the default values when an object or information is created.
Dependencies: FMT_MSA.1 (included), FMT_SMR.1 (included).

FMT_SMF.1 Specification of Management Functions
FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions as described in appendix E: functions related to R.SHRED_JOB that are available to S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER:
• Set the number of shred runs
Dependencies: No dependencies.

[11] For grammatical and clarity reasons the underscore between "change" and "default" was removed and the word "the" before "security attributes" was moved to between "change" and "default".
[12] The TOE does not allow any users to change any security attributes in the evaluated configuration.
[13] The word "the" before "nobody" was removed for grammatical reasons.
[14] Note that this is the only setting which is available in security mode High (the evaluated configuration).

FMT_SMR.1 Security roles
FMT_SMR.1.1 The TSF shall maintain the roles S.REMOTE_SYSADMIN, S.SERVICE_ENGINEER, S.REMOTE_USER and S.OPERATOR.
FMT_SMR.1.2 The TSF shall be able to associate users with ro
SMAsync 11.9.75.55 4.6.2

Document history
Version / Date / Comment
0.1 / 14-04-05 / Initial draft
0.2 / 17-05-05 / Incorporated Océ comments
0.3 / 30-05-05 / Incorporated Océ and BSI comments
0.4 / 24-11-05 / Incorporated Océ comments
1.0 / 06-02-06 / Incorporated BSI comments
2.0 / 10-02-06 / Incorporated BSI comments
2.1 / 16-02-06 / Incorporated BSI comments
3.0 / 13-12-07 / Updated for 21x0
3.1 / 31-1-08 / Correction of small error in Appendix D
3.2 / 10-06-08 / Adaptation to comments from BSI
3.3 / 04-07-08 / Adaptation to comments ZK_0510_ASE_03.rtf
4.0 / 16-02-09 / Updated for 41x0
4.0 / 19-02-09 / Repair errors in ST
4.1 / 05-03-09 / Incorporated BSI comments
4.2 / 27-03-09 / Update with the last TOE version and the new brand name
4.3 / 01-04-09 / Update with the BSI ID and the last TOE version
4.4 / 27-04-09 / Incorporate BrightSight comments
4.5 / 03-06-09 / Incorporate BSI comments
4.6 / 16-06-09 / Update the reference to the user manual CCC configuration
4.6.1 / 21-09-09 / Update the reference to the user manual CCC configuration 2009-09
4.6.2 / 08-10-09 / Update the reference to the security service manual for CCC 2009-10

Signature: The sponsor project leader has signed for technical correctness. Frederik Eveilleau, Sponsor Project leader

Contents
DOCUMENT INFORMATION 3
DOCUMENT HISTO
TOE 24
4.1.2 Assurance Security Objectives for the TOE 24
4.2 Security Objectives for the environment 24
5 IT SECURITY REQUIREMENTS 26
5.1 TOE Security Functional Requirements 26
5.1.1 SFRs for Filtering 26
5.1.2 SFRs for Shredding 26
5.1.3 SFRs for Management 27
5.1.4 SFRs for Protection of the TSF itself 29
5.1.5 Strength of function claim 29
5.2 TOE Security Assurance Requirement 29
5.3 Security Requirements for the IT Environment 30
5.4 Explicitly stated requirements 30
6 TOE SUMMARY SPECIFICATION 31
6.1 IT Security Functions 31
6.1.1 Probabilistic functions and mechanisms 31
6.1.2 Strength of function claims 32
6.2 Assurance Measures 33
7 PP CLAIMS 35
8 RATIONALE 36
8.1 Security Objectives Rationale 36
8.2 Security Requirements Ra
UDP/IP and ICMP as a network protocol. D.INBOUND_TRAFFIC shall only enter the TOE (R.ENTER_TOE) if the port is specified as being open in Appendix D. The chance of malware being accidentally sent to the TOE and causing a security violation is limited by only opening the ports and enabling the protocols that are absolutely necessary for the operation of the TOE. Although the TOE is designed, tested and configured with security as a main concern, it is possible that vulnerabilities will be discovered in the future that could be exploited in order to use the TOE as a launch pad for an attack. By only opening the ports and enabling the protocols that are absolutely necessary for the operation of the TOE, the chances of a successful attack launch are limited.

P.JOB_DELETE: The policy requirement is met by the following TOE functional objective.

O.F.JOB_SHRED: The TOE shall delete all D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB data as soon as it is no longer required, or if during the start-up procedure residual D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB data are found on the TOE's hard disk, including the swap file. The first write cycle starts immediately after the job has been deleted and the remaining cycles are completed once the TOE enters an idle state. The data shall be deleted according to a recognised standard so that it cannot be reconstituted. Scrubbing the data from the hard disk when it is no longer needed helps prevent the data being accessed by un
Version 3018; PCL6 interpreter, Version IPS6.0.2; Tomcat Web server, version 5.5.26 with SSL support.

Of these 6, the first three are not part of the TOE and together form the underlying hardware platform that the TOE makes use of. The underlying hardware platform does not provide any specific security related functionality for the TOE. The TSF is mediated by the last three software components, which are part of the TOE. This is depicted in Figure 4. [1]

[1] Note that the Océ PRISMAsync protects print, copy and scan data stored in it against theft through e-shredding, but the Océ PRISMAsync itself may be stolen.

Figure 4: Division of the Océ PRISMAsync into TOE and non-TOE (diagram; labels: TOE, Non-TOE, Generic PC Hardware Drivers (3), Generic PC Hardware (1, 2))

The physical interfaces through which the TOE communicates are:
• A network card through which a service engineer can administer the TOE directly (physically accessible thanks to a cable extender)
• A network card through which print and scan jobs can pass and a remote system administrator can administer the TOE (physically accessible after removing a screwed panel)
• An RS232 interface. The data that flows between the TOE and the MFD for printer control purposes passes through this interface (physically accessible after removing a screwed panel)
• An RS422 interface. The data that flows between the TOE and the MFD fo
O.E.DEPLOYMENT: Additional measures shall be implemented to only allow connections to the TOE from devices situated on the same network. No inbound connections from external networks are allowed. The network scans data for malware (viruses and worms). This type of data may originate from either inside or outside the network to which the TOE is attached, and includes the TOE itself. The network (LAN) to which the TOE is attached is well managed, with established procedures for introducing and attaching new devices to the network.

O.E.LOCAL_INTERFACE: The environment into which the TOE will be introduced shall contain an Océ VP41x0 MFD that provides a Local User Interface and Glass Plate through which S.OPERATOR can interact easily with the TOE to manage the print queue. When sending a D.PRINT_JOB to the Océ PRISMAsync, S.OPERATOR will ensure the print job is deleted from the TOE during the same working day, either by printing (not using the TOE waiting room) or by deleting the jobs manually from the automatic print queue or waiting room. Additionally, S.REMOTE_SYSADMIN can remove all jobs in the waiting room at any time. The Océ PRISMAsync MFD peripheral provides a glass plate and LUI with which S.OPERATOR can perform print, scan and copy jobs. The ST claim is not valid when the TOE is used with any other type of Océ MFD. The TOE will not work with any other device, including Digital MFD Prod
ation before any action: S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER must authenticate themselves to the TOE before any TOE management actions can be performed.

FMT_SMF.1 Specification of Management Functions: The functions that can be performed by either S.REMOTE_SYSADMIN or S.SERVICE_ENGINEER are defined.

FMT_MOF.1 Management of security functions behaviour: Only TOE administrators and Océ technicians can use security related functions.

FMT_SMR.1 Security roles: The TOE shall make a distinction between administrators and ordinary users.

FPT_RVM.1 Non-bypassability of the TSP: Users other than S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER cannot gain access to security management functions of the TOE without being first controlled by the mechanisms specified in this document.

FPT_SEP.1 TSF domain separation: Identification and authentication of users occurs in an area of the TOE that is separate from non-security related operation.

8.2.2 The security requirements for the IT environment meet the security objectives for the environment

The TOE does not make any security requirements on its environment.

8.2.3 The Assurance Requirements and Strength of Function Claim are appropriate

EAL2 + ALC_FLR.1, which comprises: ACM_CAP.2 Configuration items; ADO_DEL.1 Delivery proc
authorised persons.

P.TOE_ADMINISTRATION: The policy requirement is met by the following TOE functional objective.

O.F.AUTHENTICATE: The TOE ensures that S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER must identify and authenticate themselves to the TOE before allowing them to modify the TOE security settings.

8.2 Security Requirements Rationale

The purpose of the Security Requirements Rationale is to demonstrate that the security requirements are suitable to meet the Security Objectives.

8.2.1 The SFRs meet the Security Objectives for the TOE

For each Security Objective for the TOE we demonstrate that it is met by the SFRs. The tracings are provided implicitly by the rationales.

Tracing table (the SFR column headings are illegible in this copy):
O.F.INBOUND_FILTER X X X X X X
O.F.JOB_SHRED X X X
O.F.AUTHENTICATE X X X X X X X

The individual rationales demonstrating that the objectives are met are described as follows.

O.F.INBOUND_FILTER

FDP_ACC.1 Subset access control: Inbound traffic is filtered so that only traffic relating to the operation of the TOE is allowed to enter the TOE. This SFR supports the security objective by restricting the TOE data flow to only that which is necessary for the operation of th
curity Environment, for which a low attack potential exists. The Security Function that is realised by probabilistic or permutational mechanisms is:
• SF.MANAGEMENT
The claim for this Security Function is SOF-basic. This Security Function is traced back to the TOE SFRs it implements in section 8.3.1. As the SOF claim for the Security Function is equal to the SOF claims for the TOE SFRs it implements, the SOF claims are consistent.

8.3.4 The functions are mutually supportive

The requirements are mutually supportive (see section 8.2.6) and the functions that implement these requirements are complete (see section 8.3.1). The functions are mutually supportive. This argument has been based on section 9.3.8 of "Guide for the production of PPs and STs", PDTR 15446 N2449.

8.4 PP Claims Rationale

This Security Target (TOE) does not claim conformance to any Protection Profile.

Appendix A Abbreviations

BSI: Bundesamt für Sicherheit in der Informationstechnik
ITSEF: IT Security Evaluation Facility
LUI: Local User Interface, attached to the Océ PRISMAsync via a USB connection; a non-security related interface used to manage the print queues
MFD: Multifunctional device for copying, printing and scanning, connected to a network
25. e TOE. This reduces the number of vulnerable entry points.
FDP_ACF.1 Security attribute based access control: All ports that are not necessary for the operation of the TOE, as described in this document, are blocked. This SFR supports the security objective by reducing the number of entry points that could be vulnerable to attack.
FMT_MSA.1 Management of security attributes: The TOE is delivered pre-configured to the customer. This SFR supports the objective by ensuring that it is not possible for any user, including S.SERVICE_ENGINEER and S.REMOTE_SYSADMIN, to change the settings of the firewall mechanism.
FMT_MSA.3 Static attribute initialisation: In order to change the security attributes of the TOE, the management interfaces provided for S.SERVICE_ENGINEER and S.REMOTE_SYSADMIN must be used. This SFR supports the objective by ensuring that the TOE provides restrictive default security related settings that require no additional modification by S.SERVICE_ENGINEER or S.REMOTE_SYSADMIN. Nobody is allowed to create new settings with alternative values.
FPT_RVM.1 Non-bypassability of the TSP: In order for data to enter or leave the TOE it must pass through the filtering mechanism. This SFR supports the security objective by ensuring that the TSF cannot be bypassed; a bypass would create a direct line between the network to which the TOE is attached and the TOE.
26. echanisms. The Océ PRISMAsync provides a limited set of security functionality that is related to the operation of the TOE. The nature of the TOE is such that evaluation at EAL2 provides a suitable level of assurance that only the TSF can perform security related operations. This SFR is supported by SF.MANAGEMENT. This Security Functional Requirement ensures that:
1. No filtering mechanisms can be performed without being controlled by the TOE's security mechanisms. This SFR is supported by SF.FILTERING.
2. No shredding mechanisms can be performed without being controlled by the TOE's security mechanisms. This SFR is supported by SF.SHREDDING.
3. No security related operations can be performed without being controlled by the TOE's security mechanisms. This SFR is supported by SF.MANAGEMENT.
8.3.2 The assurance measures meet the SARs
The statement of assurance measures has been presented in the form of a reference to the documents that show that the assurance measures have been met (CC Part 3, paragraph 188). This statement can be found in section 6.2.
8.3.3 The SOF claims for functions meet the SOF claims for the SFRs
The SFRs FIA_UAU.2 and FIA_UID.2 require the TOE to provide security functions that provide identification/authentication functionality that meets a SOF claim of SOF-basic. The rationale for this is that the claim must be adequate to defend against the threats to the TOE that are identified in the TOE Se
27. edures
ADO_IGS.1 Installation, generation and start-up procedures
ADV_FSP.1 Fully defined external interfaces
ADV_HLD.1 Security enforcing high-level design
[Table column: assurance components traced to O.A.SLA]
ADV_RCR.1 Informal correspondence demonstration
AGD_ADM.1 Administrator guidance
AGD_USR.1 User guidance
ALC_FLR.1 Basic flaw remediation
ATE_COV.1 Analysis of coverage
ATE_FUN.1 Functional testing
ATE_IND.2 Independent testing - sample
AVA_SOF.1 Strength of TOE security function evaluation
AVA_VLA.1 Developer vulnerability analysis
The Assurance Requirements consist of the EAL 2 requirement components. The TOE is a commercially available device produced by a well known manufacturer and, most importantly, provides a limited set of security related functionality. The TOE has been structurally tested by Océ and is suitable for environments that require a low to moderate level of independently assured security. The developer works in a consistent manner with good commercial practice. Occasionally the TOE may develop a problem that requires S.SERVICE_ENGINEER to make a visit to the customer location in order to repair the TOE. Océ has procedures that support these processes, and for this reason the assurance requirements have been augmented with the following assurance classes, as the developer is able to meet them.
Components for Life cycle support (Class ALC):
- ALC_FLR.1 Basic flaw remediation
The evaluation of the TOE security mechanisms at AVA_VLA.1 is des
28. ements support the security functionality provided by the TOE.
3.1 Definition of subjects, objects and operations
To facilitate the definition of threats, OSPs, assumptions, security objectives and security requirements, we first define the subjects, objects and operations to be used in the ST.
3.1.1 Non-human subjects
The system equipment that will be interacting with the TOE, in alphabetical order:
S.DIGITAL_PRINTER: A device that is part of the MFD peripheral that physically renders a print job and is attached to the TOE via a cable.
S.DIGITAL_SCANNER: A device that is part of the MFD peripheral that scans in a copy or scan job and is attached to the TOE via a cable.
S.LUI: A device that provides a User Interface to S.OPERATOR for non-security related operations such as local copying, printing, scanning and queue management.
S.NETWORK_DEVICE: An unspecified network device that is logically connected to the TOE and is located in the same operating environment (office building).
3.1.2 Human subjects
The users (or subjects acting on behalf of a user) that will be interacting with the TOE are:
S.REMOTE_USER: A person who can interact with the TOE indirectly by sending or creating print jobs, and can send them to S.OPERATOR to be forwarded to the TOE. They are not malicious towards the TOE. S.REMOTE_USER typically sends print jobs from their desktop PC.
S.OPERATOR: A person with access to the operational environment of the TOE who is aware of
29. facturer has filtered all network ports so that only data that is essential to the operation of the TOE can enter the TOE through the network interface. The TOE has further restricted the functionality behind each open network port to that which is absolutely necessary to its functioning. This is done to maximize the integrity of the TOE itself and minimize the risk of the TOE being infected or hacked and subsequently being used as a stepping stone to damage the network.
The availability of security related functionality
As depicted in Figure 7, the Remote Key Operator is not able to influence the security of the TOE, as they have no access to security settings via the Océ PRISMAsync Setting Editor. Because the Remote Key Operator and TOE Operator cannot access security related settings on the Océ PRISMAsync LUI, they cannot affect the TOE. For the sake of clarity, Figure 8 shows the interfaces to the TOE and the subjects that can access and manage TOE security settings.
[Figure 8: TOE Administrators and interfaces (Network; Service Engineer; Remote system administrator)]
3 TOE Security Environment
The TOE is intended to provide scan, print and copy functionality to users requiring a low to moderate level of security assurance. Additional environmental and organisational requir
30. formal correspondence demonstration
Components for Guidance documents (Class AGD): AGD_ADM.1 Administrator guidance; AGD_USR.1 User guidance
Components for Life cycle support (Class ALC): ALC_FLR.1 Basic flaw remediation
Components for Tests (Class ATE): ATE_COV.1 Evidence of coverage; ATE_FUN.1 Functional testing; ATE_IND.2 Independent testing - sample
Components for Vulnerability assessment (Class AVA): AVA_SOF.1 Strength of TOE security function evaluation; AVA_VLA.1 Developer vulnerability analysis
5.3 Security Requirements for the IT Environment: None.
5.4 Explicitly stated requirements: None. [15]
Footnote 15: The ST defines security objectives for the IT environment in which the TOE will operate. In accordance with the Common Criteria Standard, these objectives are not mapped to Security Requirements for the IT Environment.
6 TOE Summary Specification
6.1 IT Security Functions
SF.FILTERING: The TOE uses a built-in firewall to block ports that are not needed for the operation of the TOE. In addition, no network protocols that are not supported by the evaluated configuration are enabled. By default no traffic is permitted to enter the TOE from the network to which it is attached, except for the supported network packets via the ports defined in the rule table described in Appendix D.
SF.SHREDDING: Once a print, copy or scan job has been deleted, the data is overwr
31. how the TOE should be used. They are not malicious towards the TOE. S.OPERATOR typically interacts indirectly with the TOE via S.LUI or over the network. S.OPERATOR receives print jobs from S.REMOTE_USER and places the jobs in the TOE print queue or in the waiting room, as appropriate, to be processed by the TOE.
S.REMOTE_SYSADMIN: A person who can change some TOE settings using an Océ supplied interface accessed remotely over a network connection. They are trusted by the customer and are adequately trained. They are capable of making mistakes. They access the TOE via its network card from a remote location on the customer LAN. They do not access the TOE via the service network link.
S.SERVICE_ENGINEER: A person with elevated privileges above those of S.OPERATOR and S.REMOTE_SYSADMIN. This person is an Océ representative and accesses the TOE through a dedicated network interface that is separated from the customer network interface. They are not malicious towards the TOE but are capable of making mistakes when operating it.
S.THIEF: S.THIEF (cleaning staff, burglar, visitor, in rare cases a user) will have no moral issues in stealing the TOE or parts of it. Once S.THIEF has stolen the TOE or parts of it he may attempt to retrieve earlier print, scan and copy jobs from the TOE. S.THIEF is opportunistic and is not a recurring visitor to the environment.
3.1.3 Objects
32. igned to provide assurance against the exploitation of obvious vulnerabilities by an attacker with a low attack potential. Therefore the SOF claim is SOF-basic. This strength of function claim is consistent with the security objectives for the TOE and the TOE assumptions that have been made.
8.2.4 All dependencies have been met
The following dependencies are identified and met: FDP_ACF.1, FDP_ACC.1, FMT_MSA.1, FMT_MSA.3, FIA_UID.2, FMT_SMF.1, FMT_SMR.1.
8.2.5 The requirements are internally consistent
Because the assurance requirements form a package (EAL 2) they are internally consistent. The addition of ALC_FLR.1 does not cause inconsistencies with the EAL 2 package. The functional requirements and assurance requirements do not have any dependencies between them and are therefore completely independent of each other. Because both functional and assurance requirements are internally consistent, and they are independent, the requirements are internally consistent.
8.2.6 The requirements are mutually supportive
The requirements are complete and do not cause inconsistencies; therefore the requirements are considered to be mutually supportive. This argument has been based on section 9.3.8 of "Guide for the production of PPs and STs" (PDTR 15446, N2449).
8.3 TOE Summary Specification Rationale
8.3.1 The f
33. igure 1: Relation between the Océ PRISMAsync and MFD]
The Océ PRISMAsync is located internally in the MFD. This physical configuration is depicted in Figure 2.
[Figure 2: View of the Océ PRISMAsync controller in VP4110/4120, open or closed side]
[Figure 3: View of a separated Océ PRISMAsync controller]
The internal configuration helps prevent theft of the Océ PRISMAsync, but prevention of theft of the Océ PRISMAsync is outside the scope of this evaluation. All logical access points (network ports, USB, serial, parallel ports etc.) are protected from physical access in the internal configuration by a metal casing. The Océ PRISMAsync consists of:
1. A generic off-the-shelf PC comprising an Intel CPU (Mono Core 2.0GHz or Dual Core 2.2GHz), up to 2 GB internal DDR2 RAM, a VGA output (graphical I/O), up to 2 x 160GB hard drive, 6 x USB 2.0 ports, 2 x serial ports (1 x RS-232 and 1 x RS-422), 2 x Ethernet ports (UTP) and audio output.
2. A generic embedded graphics card and 2 network cards supporting 10/100/1000 Mbs Ethernet (UTP).
3. Drivers for the PC (chipset, CPU, graphics card, audio and network cards).
4. The Microsoft Windows XP embedded (XPe) operating system with service pack 2, including the additional patches listed in Appendix F.
5. Océ PRISMAsync specific software, release 11.9.75.55.
6. Third party developed software: Adobe PS3/PDF Interpreter
34. ime interval is set to every day at 12am by default.
[Figure 6: Operators and interfaces for scanning (E-mail server, FTP server, Operators)]
Footnote 7: The operator is unable to access any of the TOE security functions through the LUI. The LUI can only be used for scanning, copying, printing and managing print queues.
The TOE can be managed
As indicated in the previous sections, the MFD of which the TOE is a part supports remote end users and Operators. The MFD also supports various administrators, which are described briefly here.
Remote Key Operator: These are typically administrators or secretaries from the organization owning/renting the TOE. They can interact with the Océ PRISMAsync through a Web interface that communicates with the TOE via the LAN. Through this interaction they have access to a limited set of non-security related settings of the TOE.
Remote System administrator (HTTPS): These are remote administrators, typically a network administrator from the organization owning/renting the TOE. They can read and write a limited set of settings of the TOE through an SSL over HTTP connection (HTTPS). The remote administrator can identify the TOE via a certificate. Web pages that are delivered via the HTTPS connection are non-cacheable.
Remote System administrator
35. in which the TOE operates. The data objects that the TOE will operate upon are:
D.PRINT_JOB: A print job received by S.OPERATOR from S.REMOTE_USER and submitted to the TOE.
D.SCAN_JOB: Data that is scanned in via the S.DIGITAL_SCANNER peripheral attached to the Océ PRISMAsync. Data is sent from the TOE to an FTP or e-mail server located elsewhere on the network.
D.COPY_JOB: Data that is scanned in via the S.DIGITAL_SCANNER peripheral attached to the Océ PRISMAsync. Data is returned from the TOE to the printer peripheral for rendering.
D.INBOUND_TRAFFIC: TCP/IP, UDP/IP or ICMP network packets received by the TOE. D.INBOUND_TRAFFIC has the Security Attributes Port and Protocol associated with it.
3.1.4 Operations
The operations that are performed by the TOE are:
R.PRINT_JOB: The TOE processes and releases a D.PRINT_JOB to the attached S.DIGITAL_PRINTER peripheral.
R.SCAN_JOB: The TOE processes and releases a D.SCAN_JOB to the attached network through S.NETWORK_DEVICE.
R.COPY_JOB: The TOE processes and releases a D.COPY_JOB to the attached S.DIGITAL_PRINTER peripheral.
R.SHRED_JOB: The TOE shreds released D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB data objects from the TOE's hard disk.
R.ENTER_TOE: The TOE allows D.INBOUN
3.2 Assumptions: A.DIGITAL_PRINTER; A.DIGITAL_SCANNER; A.LUI; A.ENVIRONMENT; A.SECURITY_POLICY
36. ire functional specification can be found in "Test Specification for the Common Criteria Evaluated Security Functionality implemented in the Océ PRISMAsync Controller", version 2.6.
Vulnerability Assessment (AVA) assurance measures: An analysis of vulnerabilities can be found in:
- Strength of function analysis, the Océ PRISMAsync 11.9.75.55 as used in the Océ VP41x0 R1.3, version 1.4
- Vulnerability analysis for the Océ PRISMAsync 11.9.75.55 as used in the Océ VarioPrint 4110/4120 printer/copier/scanner Release 1.3, version 1.3
- Océ PRISMAsync Vulnerability Analysis, Internal Report
- Océ PRISMAsync Penetration Tests, Internal Report
- Océ PRISMAsync Common Criteria Security test results, Internal Report
7 PP Claims
This Security Target (TOE) does not claim compliance to a Protection Profile.
8 Rationale
8.1 Security Objectives Rationale
For each assumption, threat and OSP we demonstrate that it is met by the security objectives. The tracings are provided in the following table.
[Tracing table: security objectives (columns; rotated headings not legible) against assumptions, threats and OSPs (rows). Rows as extracted:] A.DIGITAL_PRINTER: X; A.DIGITAL_SCANNER; A.LUI: X X; A.ENVIRONMENT: X; A.SECURITY_POLICY: X X X; A.SLA: X; T.RESIDUAL_DATA: X; T.MALWARE: X
37. ironment into which the TOE will be introduced is protected by physical measures that limit access to S.OPERATOR and S.SERVICE_ENGINEER. The physical measures are adequate to prevent all other persons but a determined S.THIEF who deliberately wants to steal a part of, or the entire, TOE by methodically planning an attack on the TOE over a period of time.
A.SECURITY_POLICY: The assumption is met by the following objectives for the environment.
O.E.NETWORK_POLICY: The network to which the TOE is attached shall be adequately protected so that the TOE is not visible outside the network. In addition, measures shall be implemented to only allow connections to the TOE from devices situated on the same network. No inbound connections from external networks are allowed. The network scans data for malware (viruses and worms). This type of data may originate from either inside or outside the network to which the TOE is attached, and includes the TOE itself.
O.E.DEPLOYMENT: The network (LAN) to which the TOE is attached is well managed, with established procedures for introducing and attaching new devices to the network.
O.E.LOCAL_INTERFACE: The environment into which the TOE will be introduced shall contain an Océ VP41x0 that provides a Local User Interface and Glass Plate through which S.OPERATOR can interact easily with the TOE to manage the print queues. When sending a D.PRINT_JOB to the Océ PRISMAsync, S.OPERATOR is aware that they must delete the job o
38. itten. It is possible to perform multiple write cycles, with various patterns being applied. At least three write cycles will always take place. The first write cycle starts after the job has been deleted and, to improve job throughput performance, all other remaining cycles are done once the TOE enters an idle state. The shredding mechanism supports the US DoD 5220.22-M and Gutmann algorithms. [16]
SF.MANAGEMENT: The TOE can be managed in relation to SF.SHREDDING. In order to gain access, S.REMOTE_SYSADMIN or S.SERVICE_ENGINEER must authenticate themselves to the TOE. S.SERVICE_ENGINEER does this by entering a PIN. S.REMOTE_SYSADMIN authenticates himself by entering a password. The TOE is delivered by Océ with the most restrictive set of operational settings.
6.1.1 Probabilistic functions and mechanisms
The TOE contains probabilistic functions and mechanisms in the form of passwords and PIN numbers that are used for the authentication of S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER respectively.
Footnote 16: See Appendix B (References) for more information relating to these algorithms.
[Table: Subject / Function / Mechanism]
S.REMOTE_SYSADMIN / SF.MANAGEMENT, SF.SHREDDING / For the HTTPS connection an alphanumeric password (ASCII characters 32-127) ranging in length between 8 and 50 characters is required. After the first failed attempt a delay mechanism is invoked. There a
39. les
Dependencies: FIA_UID.1 (hierarchical component included)
5.1.4 SFRs for Protection of the TSF itself
FPT_SEP.1 TSF domain separation
FPT_SEP.1.1 The TSF shall maintain a security domain for its own execution that protects it from interference and tampering by untrusted subjects.
FPT_SEP.1.2 The TSF shall enforce separation between the security domains of subjects in the TSC.
Dependencies: No dependencies
FPT_RVM.1 Non-bypassability of the TSP
FPT_RVM.1.1 The TSF shall ensure that TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed.
Dependencies: No dependencies
5.1.5 Strength of function claim
The Strength of function claim for all the probabilistic functions and mechanisms provided by the TOE is SOF-basic.
5.2 TOE Security Assurance Requirements
The TOE security assurance requirements are conformant to the CC Evaluation Assurance Level EAL2 augmented by ALC_FLR.1. In detail, the following Security Assurance Requirements are chosen for the TOE:
Components for Configuration management (Class ACM): ACM_CAP.2 Configuration items
Components for Delivery and operation (Class ADO): ADO_DEL.1 Delivery procedures; ADO_IGS.1 Installation, generation and start-up procedures
Components for Development (Class ADV): ADV_FSP.1 Informal functional specification; ADV_HLD.1 Descriptive high-level design; ADV_RCR.1 In
40. n the same workday that it is sent to the TOE, whether or not it is printed. The MFD provides a glass plate and LUI with which S.OPERATOR can perform print, copy and scan jobs. The ST claim is not valid when the TOE is used with any other type of Océ MFD. The TOE will not work with any other device, including Digital MFD Products from any other manufacturers.
A.SLA: The assumption is met by the following TOE assurance objective.
O.A.SLA: The TOE shall be evaluated to ALC_FLR.1. There are measures in place to repair faults in the TOE when they occur.
T.RESIDUAL_DATA: The threat is met by the following TOE functional objective.
O.F.JOB_SHRED: The TOE shall delete all D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB data as soon as it is no longer required, or during the start-up procedure if residual D.PRINT_JOB, D.SCAN_JOB or D.COPY_JOB are found on the TOE's hard disk, including the swap file. The first write cycle starts immediately after the job has been deleted and the rest are completed once the TOE enters an idle state. The data shall be deleted according to a recognised standard so that it cannot be reconstituted. Scrubbing the data from the hard disk when it is no longer needed helps prevent the data being accessed by unauthorised persons.
T.MALWARE: The threat is met by the following objectives for the environment.
O.F.INBOUND_FILTER: The TOE will only support TCP/IP
41. nnot administer the TOE.
FMT_MSA.1: This Security Functional Requirement ensures that the TOE management functions related to the filter mechanism settings cannot be changed. This SFR is supported by SF.MANAGEMENT, which ensures that filter related settings cannot be changed by administrators.
FMT_MSA.3: This Security Functional Requirement ensures that the TOE management functions related to the filter mechanism settings are given default values. This SFR is supported by SF.MANAGEMENT, which ensures that the filter related settings are pre-configured before delivery to the customer.
FMT_SMF.1: This Security Functional Requirement ensures that the TOE management functions are defined. This SFR is supported by functions made available by SF.MANAGEMENT and defines the set of operations, available to the Océ technician (S.SERVICE_ENGINEER) or customer system administrator (S.REMOTE_SYSADMIN), that are needed to administrate the TOE.
FMT_SMR.1: This Security Functional Requirement ensures that the TOE makes a distinction between security related roles and normal users. This SFR is supported by SF.MANAGEMENT and ensures that non-administrators cannot administer the TOE.
FPT_SEP.1: This Security Functional Requirement ensures that the TSF operates in its own domain and cannot be influenced by external sources. This requirement is met by the physical characteristics of the TOE, which comprises software that
42. r scanner control purposes passes through this interface (physically accessible after removing a screwed panel).
- A USB interface. The data that flows between the TOE and the MFD for all printing, scanning, copying and power management purposes passes through this interface (physically accessible after removing a screwed panel).
- A USB port through which the Operator can communicate with the TOE via the touch screen (LUI) to manage print jobs; this interface cannot be used to perform any security management operations (physically accessible after removing a screwed panel).
- A USB port through which the TOE gives the printer status via the Red/Orange/Green Operator light.
- A USB port through which the Operator can stop or re-start the print process (HO GO Button).
The operator guidance for the TOE consists of:
- Océ VarioPrint 4110/4120 Manual, type Operating information, version 2008-11
- Océ VarioPrint 4110/4120 Common Criteria certified configuration of the Océ PRISMAsync, Edition 2009-09
The administrator guidance for the TOE consists of:
- Océ VarioPrint 4110/4120 Administrator settings and tasks, Edition 2009-05
- Océ VarioPrint 4110/4120 Common Criteria certified configuration of the Océ PRISMAsync, Edition 2009-09
The Océ PRISMAsync administration guidance for the Océ service engineer consists of:
- Océ VarioPrint 4110/4120 Security service doc
43. re no security management functions, or access to the assets that the TOE protects, that are accessible via the SNMP connection.
S.SERVICE_ENGINEER / SF.MANAGEMENT, SF.SHREDDING / A fixed length numeric PIN code of 6 digits.
6.1.2 Strength of function claim
The SFRs FIA_UID.2 and FIA_UAU.2 require the TOE to provide security functions that provide identification/authentication functionality that meets a SOF claim of SOF-basic. A strength of function claim of SOF-basic is made for the security function SF.MANAGEMENT. This is the security function that implements FIA_UID.2 and FIA_UAU.2.
6.2 Assurance Measures
Appropriate assurance measures are employed to satisfy the security assurance requirements. The following list gives a mapping between the assurance requirements and the documents containing the information needed for the fulfilment of the respective requirement.
Configuration Management (ACM) assurance measures: The documents containing the description of the configuration management system as required by ACM, and how it is used, are:
- Configuration Management List for the Océ PRISMAsync Controller PS R11.9.75.55 as used in the Océ VarioPrint 4110/4120 printer/copier/scanner release 1.3 products, version 1.9.2
Delivery and Operation (ADO) assurance measures: The document containing the description of all steps necessary for secure
44. shall only enter the TOE (R.ENTER_TOE) if its Port is specified as being open in Appendix D.
O.F.JOB_SHRED: The TOE shall delete all D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB data as soon as it is no longer required. During the start-up procedure any residual D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB located on the TOE's hard disk, including the swap file, is deleted. The first write cycle occurs after the job has been deleted and the other remaining cycles occur once the TOE enters an idle state. The data shall be deleted according to a recognised standard so that it cannot be reconstituted.
O.F.AUTHENTICATE: The TOE ensures that S.REMOTE_SYSADMIN and S.SERVICE_ENGINEER must authenticate themselves to the TOE before allowing them to modify the TOE security settings.
4.1.2 Assurance Security Objectives for the TOE
O.A.SLA: The TOE shall be evaluated to ALC_FLR.1.
4.2 Security Objectives for the environment
O.E.ENVIRONMENT: The environment into which the TOE will be introduced is protected by physical measures that limit access to S.OPERATOR and S.SERVICE_ENGINEER. The physical measures are adequate to prevent all other persons, but not a determined S.THIEF who deliberately wants to steal a part of, or the entire, TOE by methodically planning an attack on the TOE over a period of time.
O.E.NETWORK_POLICY: The network to which the TOE is attached shall be adequately protected so that the TOE is not visible outside the network. In
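The access control policy on D.INBOUND_TRAFFIC that O.F.INBOUND_FILTER, FDP_ACC.1/FDP_ACF.1 and the FMT_MSA.1/FMT_MSA.3/FPT_RVM.1 rationale describe, as an added model (not Océ's code): the rule set is fixed when the filter is built and has no method to change it ("nobody"), anything unmatched is dropped, and every packet goes through enter_toe(). The rule table here is constructed from services the ST names (HTTPS/HTTP, SNMP, ICMP) and is not the evaluated table of Appendix D.

```python
"""Added example, not code from Océ or the ST: inbound filter model.
A packet is admitted only if its (Protocol, Port) security attributes match a
rule that was fixed at delivery; there is no path around the check."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# O.F.INBOUND_FILTER: only these protocols are supported at all.
SUPPORTED_PROTOCOLS = frozenset({"tcp", "udp", "icmp"})


@dataclass(frozen=True)
class Packet:
    """D.INBOUND_TRAFFIC with its two security attributes."""
    protocol: str
    port: Optional[int]  # None for ICMP, which carries no port


class InboundFilter:
    """Rules are a frozenset of (protocol, port); port None means 'any'.
    FMT_MSA.1: no add/remove method exists, so nobody can change the rules.
    FMT_MSA.3: a filter built with an empty rule list admits nothing."""

    def __init__(self, rules):
        self._rules: FrozenSet[Tuple[str, Optional[int]]] = frozenset(
            (proto.lower(), port) for proto, port in rules)
        for proto, _ in self._rules:
            if proto not in SUPPORTED_PROTOCOLS:
                raise ValueError("unsupported protocol in rule: " + proto)
        self.dropped = []  # audit trail of refused packets

    @property
    def rules(self):
        return self._rules  # read-only view; frozenset has no add()

    def enter_toe(self, pkt):
        """R.ENTER_TOE (FPT_RVM.1): the single entry point for inbound data.
        Returns True if the packet may enter, False if it is dropped."""
        proto = pkt.protocol.lower()
        admitted = proto in SUPPORTED_PROTOCOLS and (
            (proto, pkt.port) in self._rules or (proto, None) in self._rules)
        if not admitted:
            self.dropped.append(pkt)
        return admitted


def filter_trace(flt, packets):
    """Run a batch through the filter; returns (admitted, dropped) counts."""
    admitted = sum(1 for p in packets if flt.enter_toe(p))
    return admitted, len(packets) - admitted


# Constructed sample rules for services the ST names; placeholder values,
# not the evaluated configuration's Appendix D table.
SAMPLE_RULES = [("tcp", 443), ("tcp", 80), ("udp", 161), ("icmp", None)]


def sample_filter():
    return InboundFilter(SAMPLE_RULES)


if __name__ == "__main__":
    flt = sample_filter()
    batch = [Packet("tcp", 443), Packet("icmp", None), Packet("tcp", 22)]
    print(filter_trace(flt, batch), [p for p in flt.dropped])
```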
45. [Table of contents, continued] 54
15 DISTRIBUTION LIST 55
1 Security Target Introduction
1.1 ST Identification
Name of the TOE: Océ PRISMAsync 11.9.75.55 as used in the Océ VarioPrint 41x0 Release 1.3
Name of the Security Target: ST of the Océ PRISMAsync 11.9.75.55 as used in the Océ VarioPrint 41x0 Release 1.3
ST evaluation status: Non-evaluated release
ST version number: 4.6.2
ST publication date: 08 October 2009
ST authors: This Security Target was prepared for Océ Technologies BV, P.O. Box 101, 5900 MA Venlo, The Netherlands, by Brightsight (IT Security Evaluation Facility, partner in security), Delftechpark 1, 2628XJ Delft, The Netherlands.
1.2 ST Overview
The firm Océ produces a wide range of multifunctional devices for copying, printing and scanning (MFDs) for various purposes. One of these MFD series, the VP41x0 R1.3 (VP4110 and VP4120), uses a PC hardware based controller, the Océ PRISMAsync. The Océ PRISMAsync v11.9.75.55 is used with the Océ VP41x0 R1.3. These VarioPrint products are referred to collectively in this Security Target as MFDs.
[Figure: An Océ VP41x0 R1.3 with the embedded Océ PRISMAsync controller]
The Océ PRISMAsync is a PC based MFD controller. The Océ PRISMAsync provides
46. the file allocation table to a location that is dedicated to the E-shred subsystem.
- The E-shred subsystem then erases the data (makes the data unavailable) by overwriting the data several times. The E-shred service then removes the reference to the erased data from the file allocation table so that the erased disk resources can be re-used.
Footnote 9: The Océ PRISMAsync can experience errors and sometimes require restarting to handle these errors, or users restart the photocopier anyway in an attempt to handle these errors. It is therefore important that the photocopier also deletes data whenever it is restarted.
Footnote 10: Note that this SFR relates to administration via the HTTPS connection. There are no TSF mediated actions that can be managed via the SNMP connection.
FMT_MOF.1 Management of security functions behaviour (S.SERVICE_ENGINEER)
FMT_MOF.1.1 The TSF shall restrict the ability to modify the behaviour of the functions described in Appendix E for S.SERVICE_ENGINEER to S.SERVICE_ENGINEER.
Dependencies: FMT_SMF.1 (included); FMT_SMR.1 (included)
FMT_MSA.1 Management of security attributes
FMT_MSA.1.1 The TSF shall enforce the NETWORK_POLICY to restrict the ability to change the default security attributes Port and Protocol to nobody. [2]
Dependencies: FDP_ACC.1 (included); FMT_SMF.1 (included); FMT_SMR.1 (included)
FMT_MSA.3 Static attribute initialisation
FMT_M
47. tionale 40
8.2.1 The SFRs meet the Security Objectives for the TOE 40
8.2.2 The security requirements for the IT environment meet the security objectives for the environment 42
8.2.3 The Assurance Requirements and Strength of Function Claim are appropriate 43
8.2.4 All dependencies have been met 44
8.2.5 The requirements are internally consistent 44
8.2.6 The requirements are mutually supportive 44
8.3 TOE Summary Specification Rationale 45
8.3.1 The functions meet the SFRs 45
8.3.2 The assurance measures meet the SARs 47
8.3.3 The SOF claims for functions meet the SOF claims for the SFRs 47
8.3.4 The functions are mutually supportive 48
8.4 PP Claims Rationale 48
9 APPENDIX A ABBREVIATIONS 49
10 APPENDIX B REFERENCES 50
11 APPENDIX C GLOSSARY OF TERMS 51
12 APPENDIX D FIREWALL RULE TABLE 52
13 APPENDIX E SECURITY RELATED ADMINISTRATION FUNCTIONS 53
14 APPENDIX F XP PATCHES APPLIED
to print jobs and temporary files. This is achieved by writing over the job-related data with other data, thereby making it difficult to retrieve the original data. The TOE administrators can select the number of write iterations. This two-fold mechanism is fully asynchronous: shredding is performed in a separate process, with different priorities depending on the overwriting iteration. The first iteration starts after the data is deleted; the remaining iterations take place with low priority in the background. Additionally, the TOE is also configured to shred all data periodically: every day, every week, every month, or never.

The TOE operators scan jobs that are exported to the network. Operators can scan documents on the VP41x0 R1.3 using the Local User Interface (LUI), and the resulting images are then submitted to the TOE. The TOE can process the images into a variety of file formats and then transfer the resulting files by FTP to an FTP server or by SMTP to an e-mail server on the network. The Operator can also complete copy jobs through the LUI, with the resulting images sent to the MFD. The operators and the interfaces they interact with (LUI and network) are depicted in Figure 6; see also scan and copy jobs in the next sub-section and Figure 6.

Job data is deleted when the job is completed or deleted from the mailbox. Temporary files (the swap file) are shredded during system restart. The setting to shred the data at a particular t
ts thereof and retrieves stored or deleted D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB. The motivation for S.THIEF to attack the TOE is low, because it requires sophisticated data recovery equipment (able to recover data even after the shredding mechanism has executed) to recover data that has little value to the attacker.

An S.NETWORK_DEVICE is used by malware that may have entered the TOE's operational environment to launch an attack on the integrity of the TOE. The motivation to carry out this attack is low.

3.4 Organisational Security Policies

P.JOB_DELETE When D.PRINT_JOB, D.SCAN_JOB and D.COPY_JOB objects are no longer needed by the TOE, they will be deleted by the TOE at the earliest available opportunity in a manner that meets a recognised standard.

P.TOE_ADMINISTRATION The modification of TOE security settings shall be restricted to S.SERVICE_ENGINEER and S.REMOTE_SYSADMIN.

4 Security Objectives

4.1 TOE Security Objectives

This section consists of two groups of objectives:
- Functional Security Objectives for the TOE, which deal with what the TOE must do
- Assurance Security Objectives for the TOE, which deal with how much assurance one should have that the TOE does what it is expected to

4.1.1 Functional Security Objectives for the TOE

O.F.INBOUND_FILTER The TOE will only support TCP/IP, UDP/IP and ICMP as network protocols. D.INBOUND_TRAFFIC
ucts from any other manufacturers.

5 IT Security Requirements

5.1 TOE Security Functional Requirements

5.1.1 SFRs for Filtering

FDP_ACC.1 Subset access control
FDP_ACC.1.1 The TSF shall enforce the NETWORK_POLICY on D.INBOUND_TRAFFIC.
Dependencies: FDP_ACF.1 (included)

FDP_ACF.1 Security attribute based access control
FDP_ACF.1.1 The TSF shall enforce the NETWORK_POLICY to objects based on the following:
- Port
- Protocol
FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed:
- The TOE shall perform R.ENTER_TOE on D.INBOUND_TRAFFIC only if Port(D.INBOUND_TRAFFIC) is one of ICMP, LPR, HTTP, HTTPS, SNMP and Protocol is TCP/IP or UDP/IP.
FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on the following additional rules:
- none
FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following additional rules:
- none
Dependencies: FDP_ACC.1 (included), FMT_MSA.3 (included)

5.1.2 SFRs for Shredding

FDP_RIP.1 Subset residual information protection
FDP_RIP.1.1 [8] The TSF shall ensure that any previous information content of a resource is made unavailable upon the deallocation of the resource from the following objects: D.PRI
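The FDP_ACF.1 rule above, together with the port list in the document's Appendix D, amounts to a default-deny decision on (protocol, destination port). The following is an added model of that decision, not Océ code; the rule labels and the sample log lines are constructed for illustration.

```python
"""Decision logic for the NETWORK_POLICY that FDP_ACF.1 enforces on
D.INBOUND_TRAFFIC, modelled on the Appendix D rule table. Added example,
not Océ code; rule labels and sample log lines are constructed."""

# Appendix D rule table: (protocol, destination port) -> rule description.
# Port None means "any" (ICMP carries no port). Anything absent is denied
# by default, so R.ENTER_TOE is only performed for these five rules.
NETWORK_POLICY = {
    ("icmp", None): "ICMP (administration)",
    ("tcp", 515): "LPR, accepting print jobs",
    ("tcp", 443): "HTTPS server (administration)",
    ("tcp", 80): "HTTP redirect to HTTPS",
    ("udp", 161): "SNMP (non security functionality related administration)",
}


def enter_toe(protocol, port=None):
    """Return (allowed, reason) for one inbound datagram; default deny."""
    protocol = protocol.lower()
    if protocol == "icmp":  # ICMP is matched on protocol alone
        return True, NETWORK_POLICY[("icmp", None)]
    if protocol not in ("tcp", "udp"):  # only TCP/IP, UDP/IP and ICMP exist
        return False, f"{protocol} is not a supported protocol: default deny"
    rule = NETWORK_POLICY.get((protocol, port))
    if rule is None:
        return False, f"no rule for {protocol}/{port}: default deny"
    return True, rule


# Constructed firewall-style log lines: "proto src_ip dst_port" ('-' = none).
SAMPLE_LOG = [
    "tcp 192.0.2.10 515",   # print job over LPR
    "udp 192.0.2.10 161",   # SNMP poll
    "tcp 192.0.2.20 445",   # port 445 is not in the rule table
    "icmp 192.0.2.30 -",    # ping
    "udp 192.0.2.20 515",   # LPR port number but wrong protocol
]


def dropped_lines(lines):
    """Apply the policy to log lines and return those the TOE would drop."""
    dropped = []
    for line in lines:
        proto, _src, port = line.split()
        allowed, _reason = enter_toe(proto, None if port == "-" else int(port))
        if not allowed:
            dropped.append(line)
    return dropped
```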
umentation, Edition 2009-10.

2.1.2 TOE logical scope and boundary

The TOE protects two assets: itself, and the copy, print and scan job data that it receives. Firstly, the TOE protects its own integrity against threats from the LAN to which it is attached, through use of a firewall. Secondly, the TOE protects the confidentiality of print, copy and scan job data after they are no longer needed. The Océ PRISMAsync does this by shredding the data after they are deleted. In order to protect these two assets it offers the following functionality.

The TOE controls printing from the network. The TOE accepts PostScript, PDF and PCL6 print jobs from remote users on the network (lpr over TCP/IP) and provides these as images to the attached MFD printing peripheral. The TOE receives a print job from a remote end user and it is either put in the print waiting room or in the print queue. Once this job becomes the first in the queue, the TOE processes this print job into images and sends these images to the attached MFD peripheral for printing. The remote end users and the interfaces they interact with are depicted in Figure 5. No guidance is necessary for the remote end user of the TOE. The waiting room is the name used to refer to the operator mailbox.

[Figure 5 End users and interfaces for printing: remote end user]

The TOE is configured to destroy the data relating
unction name and a short description.

S.SERVICE_ENGINEER
Administration function: ResetSASPassword. Description: Resets the S.REMOTE_SYSADMIN password to its default value.

S.REMOTE_SYSADMIN & S.SERVICE_ENGINEER
Administration function: Security > Security level > enable high level. Description: Enable/disable switch for the high security level. This must not be changed if the customer requires the CC evaluated configuration. [17]
Administration function: Security > E-shredding > Method. Description: Shredding method (DoD, Gutmann, custom). [18]
Administration function: Security > E-shredding > Number of runs. Description: Number of runs can be set from 3 to 35 when the Custom shredding method is selected.
Administration function: System > System administrator PIN. Description: Change the S.REMOTE_SYSADMIN password.

17 In high security mode shredding cannot be turned off.
18 When DoD is chosen the number of passes is fixed to 3 and cannot be changed. When Gutmann is chosen the number of passes is fixed to 35 and cannot be changed.

14 Appendix F XP Patches applied

KB888413 KB942830 KB918118 KB942831 KB921503 KB943055 KB924270 KB943460 KB924667 KB943485 KB925454 KB944338 KB925902 KB944338 v2 KB926247 KB944533 KB926255 KB944945 KB926436 KB945553 KB927779 KB946026 KB928090 KB947864 KB928255 KB948590 KB928388 KB948686 KB930178 KB94888 1 KB931784 KB950749 KB931836 KB950759 KB933360 KB950760 KB933566 KB950974 KB933729 KB95
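The E-shred flow described earlier (the FAT reference is first moved to a dedicated location, the blocks are overwritten several times, then the reference is dropped so the space can be re-used) and the Appendix E pass-count constraints above can be put together in one model. This is an added example, not Océ code: the in-memory disk, the method names and the job data are constructed for illustration.

```python
"""E-shred flow and Appendix E shredding settings from this Security Target,
as an added model (not Océ code): disk, method names and data are constructed."""
import os


def resolve_passes(method, custom_runs=None, high_security=True):
    """DoD is fixed at 3 passes, Gutmann at 35, custom is 3..35; in high
    security mode shredding cannot be turned off (Appendix E, notes 17/18)."""
    if method == "off":
        if high_security:
            raise ValueError("shredding cannot be turned off in high security mode")
        return 0
    if method == "dod":
        return 3
    if method == "gutmann":
        return 35
    if method == "custom" and custom_runs is not None and 3 <= custom_runs <= 35:
        return custom_runs
    raise ValueError(f"invalid shredding setting: {method}/{custom_runs}")


class Disk:
    # Block store plus file allocation table; `eshred` is the dedicated FAT
    # location holding references handed over to the E-shred subsystem.
    def __init__(self, block_size=16):
        self.block_size, self.blocks, self.fat, self.eshred = block_size, {}, {}, {}

    def write(self, name, data):
        start = len(self.blocks)
        for i in range(0, len(data), self.block_size):
            self.blocks[start + i // self.block_size] = data[i:i + self.block_size]
        self.fat[name] = list(range(start, len(self.blocks)))

    def delete(self, name):
        # Deleting only moves the reference; the bytes stay on disk until shredded.
        self.eshred[name] = self.fat.pop(name)

    def run_eshred(self, passes):
        """Overwrite each queued block `passes` times, then drop the reference
        so the blocks can be re-used. Returns the number of blocks shredded."""
        shredded = 0
        for name in list(self.eshred):
            for b in self.eshred.pop(name):
                for _ in range(passes):
                    self.blocks[b] = os.urandom(self.block_size)
                shredded += 1
        return shredded

    def residue(self, data):
        # True if any block still holds a chunk of `data`, i.e. it is recoverable.
        chunks = {data[i:i + self.block_size] for i in range(0, len(data), self.block_size)}
        return any(block in chunks for block in self.blocks.values())
```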
unctions meet the SFRs

For each SFR we demonstrate that it is met by the Security Functions. The tracings are provided implicitly by the rationales.

[Tracing matrix of Security Functions against SFRs; the SFR column headers did not survive extraction]
SF.FILTERING: X X X X X X
SF.SHREDDING: X X X
SF.MANAGEMENT: X X X X X X X X X

FDP_ACC.1 This Security Functional Requirement ensures that only traffic that is relevant to the operation of the TOE is allowed to enter it. This SFR is supported by SF.FILTERING, which restricts the flow of network traffic and limits the supported network protocols.

FDP_ACF.1 This Security Functional Requirement ensures that all ports that are non-essential to the operation of the TOE are blocked. This SFR is supported by SF.FILTERING. SF.FILTERING expands on the restricted flow of network traffic and supported network protocols by defining which ports are open and which protocols are supported.

FDP_RIP.1 This Security Functional Requirement requires that residual information relating to D.PRINT_JOB, D.COPY_JOB and D.SCAN_JOB is deleted once they are no longer needed, or during the startup procedure if residual print or scan job data is found on the hard disk (including the swap file). The SFR has been refined to describe the moment when the data will be shredded. This SFR is supported by SF.SHREDDING, which provides functionality that ensures the data objects detailed above are shredded in accordance with known standards. This