HP Inc.
HP LaserJet Enterprise MFP M527 Series,
Color LaserJet Enterprise MFP M577 Series, and
PageWide Enterprise Color MFP 586 Series
Firmware with Jetdirect Inside Security Target
Version: 2.0 Copyright © 2008-2016 by atsec information security corporation and HP Inc. Page 13 of 98
Last update: 2016-06-07 or its wholly owned subsidiaries
Web Services:
o Open Extensibility Platform device (OXPd) Web Services
o WS* Web Services
The HTTP-based EWS administrative interface allows administrators to remotely manage the features of
the TOE using a web browser.
The Web Services allow administrators to manage the TOE using HP WJA, which is part of the
Operational Environment. The TOE supports both HP's Open Extensibility Platform device (OXPd) Web
Services and certain WS* Web Services (conforming to the WS* standards defined by w3.org) accessed
via the Simple Object Access Protocol (SOAP) and Extensible Markup Language (XML).
The SNMP network interface allows administrators to remotely manage the TOE using external SNMP-
based management tools like HP WJA.
Printer Job Language (PJL) is used in a non-administrative capacity by the Administrative Computer. The
Administrative Computer uses PJL to send print jobs to the TOE as well as to receive job status. In
general, PJL supports password-protected administrative commands, but in the evaluated configuration
these commands are disabled. For the purposes of this Security Target, we define the PJL Interface as
PJL data sent to port 9100.
The TOE protects all network communications with IPsec, which is part of the embedded Jetdirect Inside
firmware. Though IPsec supports multiple authentication methods, in the evaluated configuration, both
ends of the IPsec connection are authenticated using X.509v3 certificates. An identity certificate for the
TOE must be created outside the TOE, signed by a Certificate Authority (CA), and imported (added) into
the TOE with the Certificate Authority's CA certificate.
Because IPsec authenticates the computers (IPsec authenticates the computer itself; IPsec does not
authenticate the individual users of the computer), access to the Administrative Computer should be
restricted to TOE administrators only.
The TOE distinguishes between the Administrative Computer and Network Client Computers by using IP
addresses, IPsec, and the embedded Jetdirect Inside's internal firewall. In the evaluated configuration,
the number of Administrative Computers used to manage the TOE is limited to one and the Device
Administrator Password must be set.
The evaluated configuration supports the following SNMP versions:
SNMPv1 read-only
SNMPv2c read-only
SNMPv3
Network Client Computers connect to the TOE using IPsec with X.509v3 certificates to protect the
communication and to mutually authenticate. These client computers can send print jobs to the TOE
using the PJL Interface as well as receive job status.
The TOE supports an optional analog telephone line connection for sending and receiving faxes. The
Control Panel uses identification and authentication to control access for sending analog faxes. Because
the fax protocol doesn’t support authentication of incoming analog fax phone line users, anyone can
connect to the analog fax phone line (unless the number has been added to the Blocked Fax Numbers
list), but the only function an incoming analog fax phone line user can perform is to transmit a fax to the
TOE.
Some fax devices can hold a fax until another fax device requests that the fax be sent. Users can use the
Fax Polling Receive function of the TOE to retrieve faxes from other fax devices. This is called a Fax
Polling Receive job by this document. To perform this function, the user authenticates via the Control
Panel and initiates the function by entering the phone number of the other fax device. The TOE will dial
the other fax device, negotiate a fax session, and request the other fax device to transfer the held fax to
To Next Page
Loading...