Xerox Multi-Function Device Security Target
Copyright 2013 Xerox Corporation. All rights reserved.
after the job has completed, the files are overwritten, and this is called
Immediate Image Overwrite (IIO).
The TOE automatically starts an IIO procedure for all abnormally terminated
copy, print, scan or fax jobs stored on the HDD before coming “on line” after
either of the following: a reboot, or the MFD being turned back on after a
power failure or disorderly shutdown.
The image overwrite security function can also be invoked manually (on
demand) by the system administrator (ODIO). Once invoked, the ODIO
cancels all print and scan jobs, halts the printer interface (network), performs
the overwrites, and then the network controller reboots. A scheduling
function allows ODIO to be executed on a recurring basis as set up by the
System Administrator.
A standard ODIO overwrites all files written to temporary storage areas of the
HDD. A full ODIO overwrites those files as well as the Fax mailbox/dial
directory and Scan to mailbox data.
An ODIO cannot be aborted from either the WebUI or LUI. 
TSF_IOW overwrites the contents of the reserved section on the hard disk
using a three-pass overwrite procedure.
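
The startup overwrite of abnormally terminated jobs and the three-pass overwrite described above, as an added example that is not Xerox code and not part of the Security Target. The pass patterns, the one-file-per-job spool layout and the function names are assumptions; the page does not specify them.

```python
import os

# Assumed pass patterns: the page says "three pass" but names no patterns.
PASS_PATTERNS = (b"\x00", b"\xff", None)  # None means random bytes
CHUNK = 64 * 1024


def overwrite_file(path, patterns=PASS_PATTERNS, remove=True):
    """Overwrite a file in place once per pattern; return passes written."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_WRONLY)
    try:
        for pattern in patterns:
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                data = os.urandom(n) if pattern is None else pattern * n
                remaining -= os.write(fd, data)
            os.fsync(fd)  # flush this pass to the disk before the next one
    finally:
        os.close(fd)
    if remove:
        os.remove(path)
    return len(patterns)


def recover_spool(spool_dir):
    """Startup recovery, run before the device goes on line.

    Hypothetical layout: one file per job, deleted on normal completion,
    so any file still present belongs to an abnormally terminated job.
    Returns the sorted names of the files that were overwritten.
    """
    cleaned = []
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        if os.path.isfile(path) and not os.path.islink(path):
            overwrite_file(path)
            cleaned.append(name)
    return cleaned
```

In-place overwriting of this kind fits the HDD the page describes; on flash media or copy-on-write filesystems the old blocks can survive a file-level overwrite.
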
7.1.2. Information Flow Security (TSF_FLOW)
FPT_FDI_EXP.1  
The only physical shared-medium interface of the TOE is the network
interface.
The TOE controls and restricts the data/information flow from the LUI,
document scanner and document feeder to the network interface by brokering
all data through an intermediary subsystem. A connectivity subsystem further
processes the data before sending it to the network interface.
The TOE provides separation between the optional fax processing board and
the network interface and therefore prevents an interconnection between the
PSTN and the internal network. This separation is realized in software: by
design, these interfaces may only communicate via an intermediary. All
internal command calls (API) and response messages for both the network
and fax interfaces are statically defined within the TOE. No user or system
administrator is able to change their formats or functionalities.
The fax software runs two independent processes, one for sending and one for
receiving job data through the fax card. There is no internal communication
between these two processes.
The same job data will never be active on both the fax interface and network
interface at the same time. For network interface to fax interface (LanFax)
jobs, the entire job must be received as an image and buffered in memory
before it is sent out through the fax interface. Likewise, for fax interface to
network interface (fax forwarding to email) jobs, the entire job must be