HP Inc.
HP LaserJet Enterprise MFP M527 Series,
Color LaserJet Enterprise MFP M577 Series, and
PageWide Enterprise Color MFP 586 Series
Firmware with Jetdirect Inside Security Target
Version: 2.0 Copyright © 2008-2016 by atsec information security corporation and HP Inc. Page 82 of 98
Last update: 2016-06-07 or its wholly owned subsidiaries
FIA_AFL.1
FIA_ATD.1
FIA_UAU.1
FIA_UAU.7
FIA_UID.1
FIA_USB.1
FMT_SMR.1
IPsec I&A 7.1.3.2
The TOE uses IPsec to identify and mutually authenticate the following user types:
Administrative Computer (U.ADMINISTRATOR)
Network Client Computers (U.NORMAL)
IPsec uses IP addresses and X.509v3 certificates via the IKE protocols (IKEv1 and IKEv2) to identify and
authenticate, respectively, a client computer. The TOE contains one X.509v3 identity certificate and one
or more X.509v3 CA certificates to use for the IPsec mutual authentication. The TOE does not maintain
individual X.509v3 certificates of its client computers.
The User Identity of a client computer is its IP address. The TOE's internal firewall maintains lists
(IPsec/Firewall address templates) of IP addresses of client computers that can connect to the TOE as a
Network Client Computer and as the Administrative Computer. If a client computer has an unrecognized
IP address that is not defined in the IPsec/Firewall as either the Administrative Computer or a Network
Client Computer, then the client computer is not allowed to connect to the TOE. Similarly, if the client
computer presents an invalid or unknown (unrecognized CA) X.509v3 certificate, the IPsec mutual
authentication mechanism will fail.
The TOE also uses IP addresses and X.509v3 certificates via the IKE protocols to connect to and identify
other trusted IT products. See section 7.1.6.27 for more details.
The TOE supports the following versions of the IKE protocol:
IKEv1 ([RFC2409] and [RFC4109])
IKEv2 ([RFC4306] and [RFC4718])
Mutual identification and authentication must be completed before any tasks can be performed by a
Network Client Computer or an Administrative Computer.
The service templates define the User Role of a client computer. The following service templates are
used to define the TOE's User Roles for IPsec users:
All Services (U.ADMINISTRATOR)
Network Client Computers (U.NORMAL)
The All Services service template is provided with the TOE. The Network Client Computers service
template is created by the administrator as part of the TOE's configuration guidance.
Both the Administrative Computer and the Network Client Computers can access the PJL Interface on
port 9100, but only the Administrative Computer can access the EWS (HTTP) interface, Web Services
interface (OXPd and WS*), and SNMP interface.
IP address management is discussed in section 7.1.4.5. Certificate management is discussed in section
7.1.6.27.
To Next Page
Loading...