Ricoh LD015


Ricoh Gestetner DSM415/ 416/ Lanier LD015/ 016/ Ricoh AFICIO 1515/ MP161/ MP171/ Savin 3515/ 816/ 917 Toner (Type 1170) (Type 1270D) (7,000 Yield), Part number 885531


Details
Part Number: ITE-885531-SPN-1



Documents

doc0

A RICOH COMPANY

LD015/f/spf
DIGITAL
Versatile, reliable desktop performance
These convenient, all-in-one systems offer digital copying, advanced faxing, network scanning, and printing in a compact, cost-effective design.
your document management partner
Business-class productivity for workgroups
With the Lanier LD015, LD015f, and LD015spf, even the most budget-conscious offices and workgroups can produce a full range of high-quality business documents more cost-effectively than ever before. These powerful digital multifunction products (MFPs) offer tremendous versatility in a convenient, compact footprint to increase workgroup productivity while saving valuable real estate and reducing operating costs. Choose the LD015 for superior digital copying with built-in duplexing. The LD015f includes additional faxing functionality. And the LD015spf delivers advanced network printing and embedded scanning capabilities. All three deliver superior performance and long-term durability, making each a reliable solution for virtually any workgroup with up to 20 users, from branch offices of large corporations to independent businesses and smaller professional offices. These systems are easy to manage and provide the flexibility and power you need to create a wide range of business-class documents, quickly and cost-effectively. What's more, they produce high-quality 600 dpi output at the full rated speed of 15 pages per minute, regardless of the application, for exceptional productivity.

Convenient, built-in scanning reduces costs
Network scanning creates opportunities to share and manage documents more quickly, at a lower total cost. That is why the LD015spf features embedded scan-to-email functionality, which enables users to scan originals just like regular fax documents, convert them to PDF or TIFF files, then distribute the files via email. Because this feature is completely built-in, the LD015spf can communicate with the email server without the need to install additional software on a local server. This minimizes the complexity of network management, and makes it easier than ever to eliminate long-distance fax costs.
All three systems feature a convenient, compact, and space-saving footprint.
Users can maximize throughput and reduce operating costs with standard duplexing and full rated speed for every application.
All-in-one solutions for advanced document management

Digital performance improves productivity
The LD015, LD015f, and LD015spf have several innovative features to help workgroups produce business-class output with greater speed and efficiency. As the only digital MFPs in their class with full rated speed for all jobs, whether copy, fax, scan, or print, these systems maintain steady workflow to maximize throughput. Plus, they feature a first-copy time of 7.5 seconds, automatic duplexing, and electronic sorting to expedite even the most challenging jobs, all in one compact, space-saving footprint.

Industry-standard network connectivity
These systems are ideal for seamless network integration. The LD015 and LD015spf offer Ethernet and USB 2.0 interfaces for networked environments or stand-alone operation. These interfaces are optional for the LD015, and come standard with the LD015spf. The LD015spf also features the SmartDeviceMonitor utility, which enables IT managers and administrators to monitor and configure the system remotely, as well as control print workflow. You can also select the Web Image Monitor utility to perform similar remote management tasks through a Web browser interface.

Streamlined fax distribution workflow
To minimize fax costs, the LD015spf incorporates Internet faxing for long-distance communications. Like scan-to-email, Internet faxing uses an outbound email server to store and feed files between systems. Users simply enter an email address instead of a fax number. Scanned originals are converted to TIFF files and sent to any Internet fax or email address. As with email, delivery confirmation is nearly instantaneous. Internet faxing helps streamline fax workflow while saving time, paper, and long-distance costs for smaller workgroups.
About Lanier Worldwide Lanier Worldwide, Inc. is a wholly owned subsidiary of Ricoh Corporation, the Americas sales and marketing unit of Ricoh Company, Ltd., a $14.5 billion global manufacturer of digital copier/printers. Lanier helps its customers succeed by understanding their unique document management needs and delivering systems and services that increase efficiency, reduce cost, and improve document workflow. Award-winning solutions include digital multifunction products (color and monochrome), printers (color and monochrome), multifunction facsimile, scanners, digital duplicators, and wide format systems, as well as facilities management and outsourcing services.

DIGITAL

SPECIFICATIONS
GENERAL FEATURES
Machine Type Process Desktop CCD array image sensor, laser beam scanning/marking, and electrophotographic printing Standard 15 ppm 7.5 seconds Standard (rotate sorting not available) Standard LD015: 16MB LD015f: 64MB LD015spf: 192MB Trays: 1 x 250 sheets Bypass: 1 x 100 sheets 250 sheets (internal tray) A4/8.5" x 11"; 8.5" x 14" with ADF 93%, 78%, 65%/129%, 155% 50% to 200% in 1% increments 18.43" x 17.72" x 14.61" 120V, 60Hz Optional Auto Tray Switch, Photo Mode, Auto Start, Standard Duplex, Electronic Sort, Scan Once/Copy Many, Combine Copy, 50 User Codes Optional Utilities Standard Drivers Optional Drivers Standard Utilities Network Operating Systems Network Protocol
SCANNING/PRINTING MODULE (LD015spf)
Standard on the LD015spf. Optional on the LD015. Max Speed/Resolution Memory Printer Interfaces Optional Interfaces 15 ppm / 600 dpi 192MB Ethernet (RJ-45; 100Base-TX/ 10Base-T), USB 2.0 Wireless LAN Interface IEEE802.11b, IEEE 1394 x 2 port, Parallel Port IEEE 1284, Bluetooth TCP/IP, IPX/SPX, SMB (NetBEUI, NetBIOS over TCPIP), AppleTalk Windows 9x/Me, NT4.0, 2000, XP, Server 2003, Netware 3.12, 3.2, 4.1, 4.11, 5.0, 5.1, 6.0, Unix (Sun Solaris 2.6/7/8/9, HP-UX 10.x/11x, SCO Open Server 5.0.6, RedHat Linux 6.x/7.x, IBM AIX V4.3/5L V5.1), Mac OS 8.6-9.2X (OS X Classic), Mac OS X Native (V.10.1 or later) RPCS, PCL6, PCL5e, LAN-Fax, TWAIN Adobe PostScript3 Web Image Monitor, SmartDeviceMonitor for Admin, SmartDeviceMonitor for Client, ScanRouter V2 Lite, DeskTopBinder V2 Lite, FontManager 2000, 1394 Utility, Print Utility for Mac, Acrobat Reader ScanRouter Pro, Lanier Capture 100, 200, 300, 400, 600 dpi SMTP authentication, POP 3 authentication, POP before SMTP authentication Max 150 destinations Max 100 from address book Max 10 Group (max 100 users in one group) Single Page TIFF, Multi-page TIFF, PDF

ADF Max. Copy Speed First Copy Time Electronic Sorting Duplex Memory
Standard Paper Supply Output Capacity Max. Copy Size Reductions/Enlargements Zoom Dimensions (WxDxH) Power Requirements Special Features
FAX FEATURES (LD015f AND LD015spf)
Modem Speed Scanning Speed Compatibility Quick Dial Keys Speed Dial Addresses Fax Memory Memory Backup Group Dial Dual Access LAN-FAX Requirements LAN-FAX Addresses Internet Fax Requirements 33.6 Kbps Less than 2 seconds G150 2MB (160 pages)* 1 hour 10 groups, 100 numbers per group Yes Printer/scanner option 300 Printer/scanner option
Scan Resolution Scan-to-Email Authorization
Scan-to-Email Register Address Scan-to-Email Destinations Scan-to-Email Group Addresses Scan-to-Email File Formats
Lanier, a world of difference The Lanier philosophy is embodied in Customer Vision: a commitment we make every day. It means seeing the business through your eyes, responding to your needs, and exceeding your expectations.
For best results, we recommend that you use only Lanier consumables and supplies. Due to our policy of continued improvement, Lanier reserves the right to alter specifications of this product without prior notice. *Transmission times apply to text data using the ITU-T No. 1 test chart phase C at four percent (4%) page coverage in standard resolution, between the same or similar machines at maximum modem speed. Transmission times may vary in actual use. All registered trademarks or trade names are the property of their respective owners and are hereby acknowledged.

OPTIONAL ACCESSORIES

Paper Bank Cabinet Stand Telephone Handset Scanning/Printing Module 1 x 500-sheet tray
As an ENERGY STAR Partner, Lanier has determined that this product meets the ENERGY STAR guidelines for energy efficiency.
Lanier Worldwide, Inc. 2300 Parklake Drive NE Atlanta, GA USA 30345
2004 Lanier Worldwide, Inc. All rights reserved. 6/04 P1102-0294

Printed in USA

www.lanier.com

doc1

Network Security White Paper
Network Security White Paper for Digital Multifunction and Printing Devices
NOTICE THIS DOCUMENT SHALL NOT BE REPRODUCED IN WHOLE OR IN PART, FOR ANY PURPOSE OR IN ANY FASHION AND DISTRIBUTED WITHOUT THE PRIOR WRITTEN CONSENT OF RICOH CORPORATION. WHICH CONSENT RICOH CORPORATION MAY GRANT OR DENY IN ITS SOLE DISCRETION. All product names, domain names or product illustrations, including desktop images, used in this document are trademarks, registered trademarks or the property of their respective companies. They are used throughout this book in an informational or editorial fashion only and for the benefit of such companies. Ricoh does not grant or intend to grant hereby any right to such trademarks or property to any third parties. No such use, or the use of any trade name, or web site is intended to convey endorsement or other affiliation with Ricoh products. Although best efforts were made to prepare this document, Ricoh Corporation makes no representation or warranties of any kind with regards to the completeness or accuracy of the contents and accepts no liability of any kind including but not limited to performances, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this document.
Technology Solutions Center Ricoh Corporation

Version: 1.1

Page 1 of 27 Visit our knowledgebase at: HTTP://www.ricoh-usa.com/support/knowledgebase.asp Copyright 2004 Ricoh Corporation

Table of Contents

Section  Title
1        Introduction
1.1      Terms
1.2      Model Cross Reference
2        Embedded Services and Potential Security Issues
2.1      Telnet
2.2      FTP
2.3      HTTP
2.4      SNMP
2.5      SHELL (RSH/RCP)
2.6      LPD
2.7      IPP
2.8      DIPRINT (RAW Print)
2.9      NBT
2.10     MDNS
2.11     HTTPS
2.12     Others
3        Appendix
1. Introduction
This document describes potential internal and external network threats and the recommended precautions for preventing them. The products have built-in network services for providing a variety of features for network clients, such as network scanning, printing or faxing, and also client services for accessing network servers running outside the products, such as an LDAP server, NetWare server, or Mail server. As the products are designed for use inside an Intranet where network clients and servers are protected by firewalls, the products rely on the Intranet's security policy, like the security provided by other network servers and clients. However, some customers require more strict security levels for network devices, because potential threats from inside the firewalls are increasing, and some configurations even use a secure connection to the Internet as a part of the Intranet. To satisfy these demands, the products are all evaluated by security scanning applications during development, and also are checked for known vulnerability issues reported by Internet security organizations, such as CERT Coordination Center (CERT/CC: http://www.cert.org/). Whenever we find security vulnerabilities in the products, we provide appropriate countermeasures. For more information, see the current version of the Network Security White Paper and information posted in our online Knowledge Base.

1.1 Terms
The following terms are used in this document. Please familiarize yourself with them.

The products: This refers to the digital multifunction and printing devices covered by this document, as noted in the Model Cross Reference table. It is intended to mean all of these machines collectively.
Host Interface: The physical interface of the Ethernet board on the products.

1.2 Model Cross Reference

Product Code

B129 B130 B168/B169 B121 B122 B123 B089 B093

Ricoh Corp Model Name

Aficio 1515 Aficio 1515F Aficio 1515MF/1515PS Aficio 2015 Aficio 2018 Aficio 2018D Aficio 2022 Aficio 2027
Savin (USA) Model Gestetner Model Name Name
3515 3515F 3515MF 4018D DSm415 DSm415f DSm415pf DSM615 DSM618 DSM618d DSm622 DSm627

Lanier Model Name

LD015 LD015f LD015spf/ LD015sp LD115 LD118 LD118D LD122 LD127
B079 B135 B082 B138 B070 B071 B190 B146/B147 B148/B149 G094 G095 G091
Aficio 2035 Aficio 2035e/2035eG Aficio 2045 Aficio 2045e/2045eG Aficio 2090 Aficio 2105 Aficio 2228c Aficio 2232c Aficio 2238c AP400 AP400N AP600N
4035 4035e/4135eG 4045 4045e/4145eG C2820 C3224 C3828 P7325 P7325N P7132N 3532 DSM635/ DSM635g 4532 DSM645/DSM645g DSc328 DSc332 DSc338
LD035 LD135 LD045 LD145 LD090 LD0105 LD228c LD232c LD238c LP026 LP026N LP032
2. Embedded Services and Potential Security Issues
Some server services (Telnet, FTP, etc.) allow write access from network clients. Because of this, some customers may feel that the products are insecure against viruses, worms, or intruder access. The products are secure against such attacks and provide security measures against potential threats to specific services, but some of these measures can make the services unavailable. For example, disabling the LPD port will make the products unavailable for LPR clients. To avoid such an inconvenience, specifying an Access Control list of safe client host addresses is strongly recommended. Once you set up Access Control for specific IP addresses, the products will receive print or scan requests from the specified hosts only. This Access Control is applied for LPD printing, RCP/RSH access, HTTP/HTTPS access (where supported), FTP printing, TCP raw printing (DIPRINT), SMB printing, IPP printing, and scanning from DeskTopBinder. For information on how to set up access control, refer to section 3.C of the Appendix.

In the following sections, the potential threats and recommended precautions are given for each service. The recommended precautions should be accompanied by a firewall and restricted by Access Control.

2.1. Telnet:
2.1.1. Function Overview
The Telnet service provides a virtual terminal service in order to use the maintenance shell (MSHELL). It is compliant with RFC 854. The MSHELL uses TCP port 23 and provides a dedicated command interface for the following functions:
- Configuring network settings of the products from remote terminals,
- Monitoring device status and settings from remote terminals,
- Getting system logs from remote terminals.

Unlike shell services for UNIX/Linux, the MSHELL provides a command interface for configuration purposes only. Access to the file system or kernel, or modifying system files inside the products is not possible. When logging into the MSHELL, the user must enter a correct password (the default password is "password").

2.1.2. Potential Threats and Recommended Precautions
Destruction, corruption and modification of the file system and kernel: There is no possibility of destruction, corruption or modification of the file system. The MSHELL permits write-access to network parameters only and no one can access the file system or kernel.

Possibility of acting as a server for relaying viruses: There is no possibility that the products will be used by viruses as an open relay server, because unrecognized data is disregarded. Also, neither the local file system nor remote host can be accessed via the MSHELL.

Theft of password: When accessing the MSHELL, the password is sent in clear text because the Telnet protocol itself does not support encryption. So if the password is intercepted by a packet sniffer, the possibility of unauthorized access and changes being made does exist.

Recommended precautions: The following are suggested precautions against threats to the embedded Telnet service. The levels described below indicate the level of security (Level 1 is lowest). Please take the appropriate action for your security policy.

Level 1: Change the password from the default value to something difficult to guess and change it regularly. Since the password is the same as the one for Web Image Monitor's Administrator mode, changing it for MSHELL means changing it for Web Image Monitor's Administrator mode.

Level 2: Close the Telnet port. The port can be completely closed using MSHELL. When Telnet is disabled, the services provided by MSHELL will no longer be available. A Memory Clear by a customer network engineer is required in order to start the Telnet service again.

2.2. FTP:
2.2.1. Function Overview
The FTP (File Transfer Protocol) protocol is compliant with RFC 959 and enables the sending and receiving of data files over the Internet with reliability and efficiency. Transmission Control Protocol (TCP) port 20 is used for FTP-data and TCP port 21 is used for FTP-control service. Any FTP client software (e.g., FTP Commander) used must also be compliant with RFC 959.

The FTP protocol enables the reception of print jobs and firmware files from remote clients. It also provides the files listed in the following table to clients.

File name | Description | Attribute
Syslog | System log information | Read-only
Install | Install Shell script | Read-only
Stat | Printer Status | Read-only
Prnlog | Print log information | Read-only
Info | Printer Information | Read-only
Help | Help | Read-only
Fax application files (hidden) | Fax job log information, Fax counter, Fax address book | SmartDeviceMonitor for Admin/Client is required to read/manage these files.

Table 1: Files Provided to FTP Clients

NOTE: Only Service Technicians can add firmware to the FTP server. In addition, some of the products do not have this function.
2.2.2. Potential threats and recommended precautions
Destruction, corruption and modification of the file system: There is no possibility of destruction, corruption or modification of the file system. Although the FTP service permits write-access, any files that are received by the printer are considered to be a print job or firmware data. When the embedded FTP server receives an executable file, the product prints a binary representation (garbage characters) of the data contained in the executable. As for firmware, a dedicated account and password that are disclosed only to Service Technicians are required to input firmware to the printer using the FTP service. In addition, data is verified by checking the header, IDs and the file format before being used. It is impossible to make a pseudo firmware file to destroy the file system.

Possibility of acting as a server for relaying viruses: There is the possibility of accessing other hosts through the products by using the PORT command. This is known as an FTP bounce attack (see: HTTP://cgi.nessus.org/plugins/dump.php3?id=10081 for more information). To prevent this type of attack, close the FTP port.

Possibility of successful DoS (Denial of Service) attack: There is a possibility of coming under hostile DoS attack when using the PASV command (see: HTTP://cgi.nessus.org/plugins/dump.php3?id=10085 for more information). If the FTP server continues to receive the PASV command, other FTP connection requests will be refused. In order to recover the status of the products, rebooting is required. To prevent this vulnerability, close the FTP port.

Theft of password: When accessing the FTP service, the user name and password are sent in clear text because the FTP protocol itself does not support encryption. However, this does not present a major security risk because no changes can be made to the system via FTP. In fact, a password and dedicated account are only necessary when updating the firmware, and they are given only to Service Technicians. There is no possibility of destruction of the file system from someone using a sniffed account and password because it is impossible to make a pseudo firmware file to destroy the file system.

Recommended precautions: As stated earlier, the suggested precaution against the threats to the embedded FTP service is closing the FTP port if you maintain a strict security policy. The port for this service can be completely closed using Web Image Monitor or the MSHELL.

2.3. HTTP:
2.3.1. Function Overview
The HTTP (HyperText Transfer Protocol) service provides web services. This service is compliant with RFC 1945 and uses TCP port 80. The following web functions are provided:
- Configuring machine settings via Web Image Monitor in Administrator mode,
- Viewing machine settings and status via Web Image Monitor,
- Managing files saved in the Document Server of the products via DeskTopBinder,
- Managing user information and retrieving counter information when using User Management Tool in SmartDeviceMonitor for Admin/Client,
- Managing the products' address book when using Address Management Tool in SmartDeviceMonitor for Admin.
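The FTP bounce and PASV conditions described in section 2.2.2, turned into a detection check; this is an added example, not code from the white paper or from Ricoh. It assumes the FTP control commands sent to the device are captured by a sensor or proxy in front of it; the session data, the function names and the PASV threshold are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2
PORT_ARGS = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")
DATA_VERBS = {"LIST", "NLST", "RETR", "STOR", "APPE"}
PASV_LIMIT = 5  # assumed threshold: PASV requests tolerated without a transfer


def parse_port_argument(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port); None if malformed."""
    match = PORT_ARGS.match(arg.strip())
    if not match:
        return None
    nums = [int(x) for x in match.groups()]
    if max(nums) > 255:
        return None
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]


def analyze_session(client_ip, commands):
    """Return [(line_number, finding)] for one FTP control connection."""
    client = ipaddress.IPv4Address(client_ip)
    findings = []
    unused_pasv = 0
    for number, line in enumerate(commands, start=1):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "PORT":
            target = parse_port_argument(arg)
            if target is None:
                findings.append((number, "malformed PORT argument"))
                continue
            host, port = target
            if host != client:
                # Data connection would be opened to a host other than the client.
                findings.append((number, f"PORT targets third party {host}:{port}"))
            elif port < 1024:
                findings.append((number, f"PORT targets privileged port {port}"))
        elif verb == "PASV":
            unused_pasv += 1
            if unused_pasv == PASV_LIMIT + 1:  # report once per run of PASV requests
                findings.append(
                    (number, f"more than {PASV_LIMIT} PASV requests without a transfer")
                )
        elif verb in DATA_VERBS:
            unused_pasv = 0  # the passive listener was actually used
    return findings


# Constructed sessions (documentation address ranges), keyed by client address.
SESSIONS = {
    "192.0.2.20": ["USER anonymous", "PASS guest", "PORT 192,0,2,20,195,80",
                   "STOR report.prn", "QUIT"],
    "192.0.2.66": ["USER anonymous", "PASS guest", "PORT 198,51,100,7,0,25",
                   "STOR job.txt", "QUIT"],
    "192.0.2.77": ["USER anonymous", "PASS guest"] + ["PASV"] * 8 + ["QUIT"],
}


def analyze_all(sessions):
    """Run analyze_session over every captured session."""
    return {ip: analyze_session(ip, cmds) for ip, cmds in sessions.items()}


if __name__ == "__main__":
    for ip, found in analyze_all(SESSIONS).items():
        print(ip, found or "no findings")
```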

NOTE: When logging into Web Image Monitor in Administrator mode, the user must enter the password. The default password is the same as the one used for the MSHELL: "password".
2.3.2. Potential threats and recommended precautions
Destruction, corruption and modification of the file system: There is no possibility of destruction, corruption or modification of the file system, because no one can access the file system and executable files cannot be processed on the products' web server.

Possibility of acting as a server for relaying viruses: There is no possibility that the products will be used by a virus as an open relay server. The web server was developed by Ricoh and does not allow any malicious, executable files to be processed.

Theft of password: When accessing Web Image Monitor, the password is sent with Base64 encoding. In this case, the password is not sent in clear text, but it is also not particularly difficult to decode. Therefore, if the password is intercepted using a packet sniffer and then decoded, the possibility of unauthorized access and changing of network settings does exist.

Recommended precautions: The following are suggested precautions against threats to the HTTP service. The levels described below indicate the level of security (Level 1 is lowest). Take the appropriate action for your security policy.

Level 1: Change the password from the default value to something difficult to guess and change it regularly. Since the password is the same as the one for Web Image Monitor's Administrator mode, changing it for MSHELL means changing it for Web Image Monitor's Administrator mode as well.

Level 2: Disable web function. If it is not needed, Web Image Monitor can be disabled using MSHELL. When the web setting is set to "Down", Web Image Monitor does not activate and the error "503 Service Unavailable" is displayed. Even when not in use, TCP port 80 stays open.

Level 3: Close the HTTP port. The HTTP port can be completely closed with MSHELL. When HTTP is set to "Down", Web Image Monitor does not activate and the IPP (Internet Print Protocol) function that allows a printer to be called via HTTP (e.g., HTTP://<printer host name or ip address>/) is not available. Calling a printer via IPP (e.g., IPP://<printer host name or ip address>/) is available.

2.4. SNMP:
2.4.1. Function Overview
SNMP (Simple Network Management Protocol) is used to communicate network management information between the network management stations (SNMP manager), such as a PC running a management application, and the agents in the network (SNMP agent), such as printers, scanners, workstations or servers, routers and hubs. The SNMP service is embedded in the products, to provide a method of managing them on the network. This service is compliant with RFC 1157 for SNMP v1 and RFC 1902 for SNMP v2. UDP port 161 is used for SNMP service and UDP port 162 is used for SNMPtrap. The following functions are provided:
- Configuring the settings of the products,
- Monitoring the status of the products,
- Detecting the errors of the products.

Although SNMP service is not protected by a password, it is protected using unique community names and assigned access rights (read-only, read-write, trap) within those communities. You can only communicate with or configure an agent if it is a member of the same community and if the access rights allow you to get or modify data in the MIBs (Management Information Base) embedded in the products. Default settings of SNMP community names are as follows:
Read-only: public
Read-Write: admin

2.4.2. Potential threats and recommended precautions
Management hosts and agents belong to an SNMP community. An SNMP community is a collection of hosts grouped together for administrative purposes. Defining communities provides security by allowing only management systems and agents within the same community to communicate with each other. However, community names are sent in clear text because of the specification of the protocol and can be compromised. The suggested precautions against this threat are as follows. The levels described below indicate the level of security (Level 1 is lowest). Take the appropriate action for your security policy.

Level 1: Change the community names from the default value to something difficult to guess and change it regularly. When the community name settings are changed in the agents, the community name settings in the management utilities must also be changed.

Close the SNMP port. If it is not absolutely necessary, the SNMP port should be closed via Web Image Monitor or the MSHELL.
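The cleartext community name described in 2.4.2, shown on the wire; this is an added example, not code from the white paper or from Ricoh. It builds a constructed SNMPv1 request, then parses the BER framing the way a monitoring sensor would and reports whether the message uses one of the default community names from 2.4.1. Function names and sample packets are assumptions of the example.

```python
# Default community names and access rights as listed in section 2.4.1.
DEFAULT_COMMUNITIES = {"public": "read-only", "admin": "read-write"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
VERSIONS = {0: "v1", 1: "v2c"}


def tlv(tag, payload):
    """Encode one BER tag-length-value (short or long form length)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + payload


def read_tlv(buf, offset):
    """Decode one TLV at offset; return (tag, value, next_offset)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[offset], buf[offset + 1]
    offset += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or offset + n > len(buf):
            raise ValueError("unsupported or truncated length field")
        length = int.from_bytes(buf[offset:offset + n], "big")
        offset += n
    end = offset + length
    if end > len(buf):
        raise ValueError("value runs past end of packet")
    return tag, buf[offset:end], end


def build_request(community, pdu_tag=0xA0):
    """Constructed sample input: a request for sysDescr.0 (1.3.6.1.2.1.1.1.0)."""
    oid = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00])
    varbinds = tlv(0x30, tlv(0x30, tlv(0x06, oid) + tlv(0x05, b"")))
    pdu = tlv(pdu_tag, tlv(0x02, b"\x01") + tlv(0x02, b"\x00")
              + tlv(0x02, b"\x00") + varbinds)
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community.encode("ascii")) + pdu)


def inspect_snmp(packet):
    """Extract version, community and PDU type from an SNMP v1/v2c message."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("message is not a SEQUENCE")
    tag, version, offset = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    tag, community, offset = read_tlv(body, offset)
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    pdu_tag, _, _ = read_tlv(body, offset)
    name = community.decode("latin-1")  # readable by anyone on the path
    return {
        "version": VERSIONS.get(int.from_bytes(version, "big"), "other"),
        "community": name,
        "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
        "default_access": DEFAULT_COMMUNITIES.get(name),
    }


def flag_default_communities(packets):
    """Return one finding per packet that is malformed or uses a default community."""
    findings = []
    for index, packet in enumerate(packets):
        try:
            info = inspect_snmp(packet)
        except ValueError as exc:
            findings.append((index, f"malformed: {exc}"))
            continue
        if info["default_access"]:
            findings.append(
                (index, f"{info['pdu']} with default {info['default_access']} "
                        f"community '{info['community']}'"))
    return findings


if __name__ == "__main__":
    sample = [build_request("public"), build_request("admin", 0xA3),
              build_request("s3gment-7x"), build_request("public")[:10]]
    for finding in flag_default_communities(sample):
        print(finding)
```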
2.5. SHELL (RSH/RCP):
2.5.1. Function Overview
Remote shell (RSH/RCP) services provide the following functions via TCP port 514:
- Printing jobs from RSH/RCP clients.
- Monitoring machine status and settings from RSH/RCP clients.
- Providing print and system logs to RSH/RCP clients.
- Transferring scan data to the Twain driver.

2.5.2. Potential threats and recommended precautions
Destruction, corruption and modification of the file system: There is no possibility of destruction, corruption or modification of the file system because no one can access the file system or kernel and executable files cannot be processed via the remote shell service.

Possibility of acting as a server for relaying viruses: There is no possibility that the products will be used by a virus as an open relay server. Although the remote shell service permits write-access, all written data are treated as print jobs. Even if someone sent an executable file via the embedded remote shell service, the products print the file as garbage data.

Theft of user name: The user name is sent in clear text when using the remote shell service. If the user is concerned about this, the port for remote shell service can be completely closed via Web Image Monitor and MSHELL.

Recommended precautions: As stated above, there are not many threats that apply to the products. However, if you want to maintain a strict security policy, the RSH/RCP service can be disabled and the port for this service can be completely closed using Web Image Monitor or the MSHELL.

2.6. LPD:
2.6.1. Function Overview
The LPD service is one of the TCP/IP Printing Services known as LPD or LPR. This service is compliant with RFC 1179 and uses TCP port 515 for connection with an RFC 1179 compliant client. The following functions are provided by this service:
- Printing from LPR clients,
- Monitoring the status of the printer and print queues of LPR clients,
- Deleting print jobs from print queues of LPR clients.

2.6.2. Potential threats and recommended precautions
Destruction, corruption and modification of the file system: There is no possibility of destruction, corruption or modification of the file system or kernel because no one can access it via the LPR service.

Possibility of successful DoS (Denial of Service) attacks: There is no possibility of successful DoS attacks. When the products receive data that does not meet the protocol specification, the products will stop the LPD service, and the executed application (if any), at regular steps.

Recommended precautions: If a strict security policy is to be maintained, the LPD service can be disabled and the port for this service can be completely closed using Web Image Monitor or the MSHELL.

2.7. IPP:
2.7.1. Function Overview
The IPP (Internet Printing Protocol) service is used for Internet printing from IPP clients. This service is compliant with RFC 2565 and it uses TCP port 631 or TCP port 80. The following functions are provided by the IPP service:
- Printing a job from an IPP client,
- Providing job status to an IPP client.

The IPP service has a user authentication function. 10 accounts are available for IPP service and the password can be set for each account. Both basic and digest authentication are supported. Basic authentication is common, but the user name and password are sent in clear text. Digest authentication is more secure with the user name and password irreversibly encrypted. Both authentication methods are selectable in Web Image Monitor and MSHELL. IPP authentication can also be disabled. In this case, usernames and passwords are not authenticated (the default setting is disabled).

2.7.2. Potential threats and recommended precautions
Destruction, corruption and modification of the file system: There is no possibility of destruction, corruption or modification of the file system because it cannot be accessed via the IPP service in the products.

Possibility of successful DoS (Denial of Service) attacks: There is no possibility of successful DoS attacks. When the products receive data that can carry out a DoS attack, a waiting period is implemented in the reply process of the products. This reduces the system load and stops the service and application at regular steps if data that falls outside of the protocol specification is present in the system.

Recommended precautions: As stated above, there are not many threats that apply to the products. However, if you want to maintain a strict security policy, we recommend the following precautions. The levels described below indicate the level of security (Level 1 is lowest). Take the appropriate action for your security policy.

Level 1: Set IPP Authentication to either basic or digest from disabled in Web Image Monitor, MSHELL or the operation panel. Digest authentication is more secure than basic because the username and password are encrypted.

Close the IPP (631/TCP) port. If it is not absolutely necessary, the IPP port should be closed via Web Image Monitor or MSHELL. However, using HTTP://<printer host name or IP address>/ (an IPP function) is available.
2.8. DIPRINT (RAW print)
2.8.1. Function Overview
The DIPRINT (Direct Print or RAW Print) service is Ricoh Company Ltd.'s name for port 9100 communication. This service provides direct printing from remote terminals using TCP port 9100.

2.8.2. Potential threats and recommended precautions

There are not many threats in this service because all written data is treated as a print job. Even if someone sent an executable file via the embedded remote shell service, the products would print the file as garbage data.

Recommended precautions: As stated above, there are not many threats that apply to the products. However, if you want to maintain a strict security policy, the DIPRINT port can be changed and the port for this service can be completely closed using Web Image Monitor or MSHELL.

2.9. NBT
2.9.1. Function Overview

NBT stands for NetBIOS over TCP/IP. The products provide the NetBIOS (Network Basic Input/Output System) service over TCP/IP instead of NetBEUI (NetBIOS Extended User Interface) so that a remote host can access network services of the products by the NetBIOS name (Computer Name) instead of IP address. This service uses 3 ports: UDP port 137 for NetBIOS-NS (NetBIOS Name Service), UDP port 138 for NetBIOS-DGM (NetBIOS Datagram Service) and TCP port 139 for NetBIOS-SSN (NetBIOS Session Service). SMB (Server Message Block) over TCP/IP is provided by this service as follows: browsing the print servers from SMB clients, printing a job from SMB clients, and sending notifications of a job completion to SMB clients.

2.11.2. Potential threats and recommended precautions
Destruction, corruption or modification of the file system: There is no possibility of destruction, corruption or modification of the file system, because no one can access the file system and executable files cannot be processed on the products' web server.

Possibility of acting as a server for relaying viruses: There is no possibility that the products will be used by a virus as an open relay server. The web server was developed by Ricoh and does not allow any malicious and executable files to be processed.

Possibility of attacker taking advantage of a heap corruption error in OpenSSL: There is a possibility of causing a crash on the products by taking advantage of a heap corruption bug in the version of OpenSSL used by the products. This will result in a crash which causes a DoS (Denial of Service) or which will disable secure communications (HTTPS). (See http://cgi.nessus.org/plugins/dump.php3?id=11875 for more information.) To prevent this vulnerability, close the HTTPS port.

Theft of password: When using HTTPS, all data including the password is encrypted using SSL. This is safer than sending passwords encoded in Base 64 (using HTTP).

Recommended precautions: The following are suggested precautions against threats to the HTTPS service. The levels described below indicate the level of security (Level 1 is lowest). Please take the appropriate action for your security policy.

Level 1: Change the password from the default value to something difficult to guess and change it regularly. Note that the password is the same as the one for logging in to the MSHELL, so changing the password for Web Image Monitor's Administrator mode means changing it for the MSHELL as well.

Disable web function. If it is not needed, Web Image Monitor can be disabled using the MSHELL. When web is set to Down, Web Image Monitor does not activate and the error 503 Service Unavailable is displayed. Even when not in use, TCP port 443 stays open and HTTPS is therefore still available for IPP printing.

Close the HTTPS port. The HTTPS port can be completely closed with MSHELL. In this case, both Web Image Monitor and IPP (Internet Print Protocol) are unavailable via HTTPS. If the HTTPS port is closed, Web Image Monitor and IPP printing are still available via HTTP.
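The difference between basic and digest authentication, which matters both for the IPP authentication options described earlier and for the Base 64 remark above, is shown in this added Python example (not part of the white paper). The account, realm, nonces and URI are constructed sample values, and the digest follows the RFC 2617 MD5 scheme without qop, which is assumed here rather than documented for these products:

```python
import base64
import hashlib

# Constructed sample values; not taken from the white paper or any device.
USER, PASSWORD = "ippuser1", "S3cret-Toner"
REALM, URI, METHOD = "printer", "/printer", "POST"


def basic_header(user, password):
    """Authorization header a client sends for HTTP basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def read_basic_header(header):
    """Recover the credentials from a basic header. Base 64 is an encoding,
    so anyone who can see the header can do this without any key."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a basic authentication header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, realm, nonce, method, uri):
    """RFC 2617 digest response without qop (assumed variant):
    MD5(MD5(user:realm:password) : nonce : MD5(method:uri))."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def compare():
    """Summarise what each scheme puts on the wire for the same account."""
    header = basic_header(USER, PASSWORD)
    first = digest_response(USER, PASSWORD, REALM, "nonce-0001", METHOD, URI)
    second = digest_response(USER, PASSWORD, REALM, "nonce-0002", METHOD, URI)
    return {
        "basic_recovered": read_basic_header(header),
        "password_visible_in_digest": PASSWORD in first,
        "digest_changes_with_nonce": first != second,
        "digest_length": len(first),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Digest authentication protects only the credentials; the print data itself is encrypted only when the connection uses HTTPS.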
2.12. Others

TCP ports 7443 and 7444 are reserved for a remote service that we will launch in the future. Those ports cannot be closed. However, there are no threats that apply to the products because this service accepts only a Ricoh-confidential protocol and it is impossible to emulate it without having knowledge of the protocol specification. In addition, we do not disclose the protocol specification to anyone outside of Ricoh Company, Ltd. HTTP is used for this service as an underlying layer. Please refer to section 2.3 HTTP for the potential threats and recommended precautions.

3. Appendix
3.A. The list of services provided with open TCP/UDP ports

Telnet (23/TCP). Login: N/A. Default Username: N/A. Username Changeable: N/A. Password: Y. Default Password: password. Password Changeable: Y. Note: This is the same password as is used for Web Image Monitor.

FTP-control (21/TCP). Login: Y. Default Username: ANONYMOUS. Username Changeable: N/A. Password: N/A. Default Password: N/A. Password Changeable: N/A.

HTTP (80/TCP). Login: N/A. Default Username: N/A. Username Changeable: N/A. Password: Y. Default Password: password. Password Changeable: Y. Note: This is the same password as is used for Telnet. If no password is input, then only read access is available.

HTTPS (443/TCP). Default Password: password. Note: This is the same password as is used for Telnet and HTTP. If no password is entered, then only read access is available.

NetBIOS-NS (137/UDP).

NetBIOS-DGM (138/UDP).

NetBIOS-SSN (139/TCP).

SNMP (161/UDP). RO: public, RW: admin. Note: Although there is no concept of user accounts, it can perform access restrictions using the Community Name. Up to 10 Communities can be registered.

RSH/RCP (shell) (514/TCP). N/A.

LPD (515/TCP). N/A.

IPP (631/TCP). Default Username: ANONYMOUS. Note: Authentication by account/password is not performed by default. In this case all users are ANONYMOUS. When IPP authentication is enabled, a username and password will be required.

Future remote service (7443/TCP, 7444/TCP).

DIPRINT (9100/TCP).
3.B. Related Protocols

Each entry gives the protocol, its protocol suite, the commonly used port number, and a description of the protocol's function in GW Products.

IP. Suite: TCP/IP.
ICMP. Suite: TCP/IP. Port: Protocol Num. 1.
UDP. Suite: TCP/IP. Port: Protocol Num. 17.
TCP. Suite: TCP/IP. Port: Protocol Num. 6.
FTP-DATA. Suite: TCP/IP. Port: 20/TCP, UDP.
FTP-CONTROL. Suite: TCP/IP. Port: 21/TCP, UDP.
Function (FTP): 1) Sending scan data to the FTP server. (Scan to FTP) 2) Sending scan data to ScanRouter.
SMTP. Suite: TCP/IP, IPX/SPX. Port: 25/TCP, UDP. Function: 1) Sending scan data to the SMTP server. (Scan to E-mail)
DOMAIN (DNS). Suite: TCP/IP. Port: 53/TCP, UDP. Function: 1) Resolving IP addresses from the server name.
BOOTP. Suite: TCP/IP. Port: 67/TCP, UDP and 68/TCP, UDP. Function: 1) Getting IP addresses and other network parameters from the DHCP server.
POP. Suite: TCP/IP. Port: 110/TCP, UDP. Function: 1) Using POP before SMTP authentication for 'Scan to E-mail'. 2) Receiving internet-fax data.
SNTP. Suite: TCP/IP. Port: 123/TCP, UDP. Function: 1) Getting GMT from the NTP server.
NetBIOS-NS. Port: 137/TCP, UDP.
NetBIOS-DGM. Port: 138/TCP, UDP.
NetBIOS-SSN. Port: 139/TCP, UDP.
Suite (NetBIOS): TCP/IP, IPX/SPX, NetBEUI. Function (NetBIOS): 1) Sending scan data to SMB clients. (Scan to SMB)
IMAP. Suite: TCP/IP. Port: 143/TCP, UDP. Function: 1) Getting internet-fax data.
SNMP-TRAP. Suite: TCP/IP, IPX/SPX. Port: 162/TCP, UDP. Function: 1) Sending status information to Network Management Server.
LDAP. Suite: TCP/IP. Port: 389/UDP, TCP. Function: 1) Searching e-mail addresses from the LDAP server's address book.
SYSLOG. Suite: TCP/IP. Port: 514/UDP. Function: 1) Sending system logs to a syslog server.
NCP. Suite: TCP/IP, IPX/SPX. Port: 524/TCP, UDP. Function: 1) Logging in to a Netware server. 2) Printing from the Netware environment.
SLP. Suite: TCP/IP. Port: 427/TCP, UDP. Function: 1) Searching for a Netware Server.
IPX. Suite: IPX/SPX. Function: 1) Providing IPX connections.
SPX. Suite: IPX/SPX. Function: 1) Providing SPX connections.

SAP. Suite: IPX/SPX. Function: 1) Broadcasts the availability of print services.
RIP. Suite: IPX/SPX. Function: 1) Broadcasts route information.
APPLETALK. Suite: APPLETALK. Function: 1) Providing APPLETALK connections.
PAP. Suite: APPLETALK. Function: 1) Providing APPLETALK printing services.
NetBeui. Suite: NETBEUI. Function: 1) Providing NetBEUI connections.
3.C. The Purpose of Access Control

The products will accept communication only from a set range of IP addresses. This can be applied to connections from LPR, RCP/RSH, HTTP, HTTPS (where supported), FTP, DIPRINT, SMB, IPP, and DeskTopBinder, but cannot be applied to Telnet, a web browser or SmartDeviceMonitor.

3.C.1. Web Image Monitor

Web Image Monitor can be used for accessing the products. A supported browser such as Microsoft Internet Explorer and the product's IP address are required.

1. Enter the IP address in the address field using the following form: http://<printer host name or IP address> and click on Go. The following page should be displayed:

NOTE: Take note of the blue bar near the top of the web page shown below. This indicates that you are in normal, user mode.

2. Click on Administrator Mode. A network password dialog will be displayed.

3. In order to access Administrator mode, a password is required. (The default password is password.) Log in to enter Administrator mode. You will know that you are in administrator mode if the bar at the top of the main frame is brown instead of blue.

4. To open the access control settings, click Configuration then Security then Access Control in the left frame.

Enter the range of IP addresses that you wish to permit communication with and click the Apply button. The products will now accept communications from the IP addresses you have specified.
3.C.2. MSHELL

1. Access the products using a Telnet client. In this case the Windows 2000 standard Telnet client is shown.

Open the Maintenance Shell (MSHELL) by entering telnet followed by the IP address of the product you need to access. A password will be required for this. (The default password is password.)

Using the access command, input the access control range.

NOTE: For example, the command:
msh> access 1 range 172.16.1.0 172.16.2.0
will permit access from 172.16.1.0 to 172.16.2.0.
The command:
msh> access flush
will clear all access ranges.

If changes have been made, the following question will appear before the user logs out: "Do you save configuration data?" Enter yes to commit the changes or no to discard them.
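The range in the NOTE is a start and end address, not two subnets, which is easy to misread. The following added Python example (not part of the white paper) replays the two command forms shown above and evaluates sample clients against the result; it assumes the range ends are inclusive, and the client addresses are constructed:

```python
import ipaddress

# Section 3.C: services the access range does and does not apply to.
FILTERED = {"LPR", "RCP/RSH", "HTTP", "HTTPS", "FTP", "DIPRINT", "SMB", "IPP",
            "DeskTopBinder"}
UNFILTERED = {"Telnet", "web browser", "SmartDeviceMonitor"}

# Constructed session built from the command forms in the NOTE above.
SESSION = ["msh> access 1 range 172.16.1.0 172.16.2.0"]


def replay(lines):
    """Apply 'access N range START END' and 'access flush'; return {N: (start, end)}."""
    ranges = {}
    for line in lines:
        words = line.replace("msh>", "").split()
        if words == ["access", "flush"]:
            ranges.clear()
        elif len(words) == 5 and words[0] == "access" and words[2] == "range":
            start, end = (ipaddress.IPv4Address(w) for w in words[3:])
            if start > end:
                raise ValueError(f"range start is after its end: {line}")
            ranges[int(words[1])] = (start, end)
        else:
            raise ValueError(f"unrecognised command: {line}")
    return ranges


def as_cidr(ranges, number):
    """Exact address set of one entry as CIDR blocks, plus the address count."""
    start, end = ranges[number]
    blocks = [str(net) for net in ipaddress.summarize_address_range(start, end)]
    return blocks, int(end) - int(start) + 1


def decision(ranges, client, service):
    """Model of the filter; range ends are assumed to be inclusive."""
    if service in UNFILTERED:
        return "unfiltered"          # 3.C: access control cannot be applied
    if service not in FILTERED:
        raise ValueError(f"service not listed in 3.C: {service}")
    if not ranges:
        return "no range set"        # behaviour in this state is not described
    ip = ipaddress.IPv4Address(client)
    hit = any(start <= ip <= end for start, end in ranges.values())
    return "permit" if hit else "deny"


if __name__ == "__main__":
    table = replay(SESSION)
    print(as_cidr(table, 1))
    for client, service in [("172.16.1.77", "DIPRINT"), ("172.16.2.1", "IPP"),
                            ("192.0.2.10", "Telnet")]:
        print(client, service, decision(table, client, service))
```

The example range covers 172.16.1.0/24 plus the single address 172.16.2.0, so hosts elsewhere in 172.16.2.x are outside it, and Telnet access to MSHELL is not restricted by the range at all.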
3.D. How to Disable Services

The following services can be enabled or disabled by selecting up or down: TCPIP, NETWARE (1, below), SMB (2, below), APPLETALK, LPR, FTP (3, below), RSH, DIPRINT, web (Only MSHELL) (4, below), SNMP (5, below), IPP (6, below), HTTP (Only MSHELL) (7, below), IP1394, SCSIPRINT, Telnet (Only MSHELL).

1. NETWARE: Setting NETWARE to down disables the IPX/SPX protocol and NCP/IP (Netware Core Protocol/Internet Protocol). Therefore, if NETWARE is down, printing in the IPX/SPX environment and in the pure IP environment is unavailable. LPR in NDPS and iPrint (IPP Printing) are unaffected.

2. SMB: Setting SMB to down closes NetBIOS Session Service (139/TCP) as well as NetBEUI. However, this affects only the server service. The client service is not affected. Therefore, if SMB is down, Scan to SMB can still be used.

3. FTP: Setting FTP to down closes the FTP port (21/TCP); however, the FTP client function is still available. Therefore, if this function is down, Scan to FTP is still available.

4. WEB: Setting web to down disables the Web Image Monitor. However, even if this function is disabled, HTTP Port (80/TCP) will still be open. Therefore, if this function is disabled, IPP printing using HTTP Port (80/TCP) is still available.

5. SNMP: Setting SNMP to down closes SNMP port (161/UDP). In addition, when SNMP is down, the SNMP trap function and SNMP function over IPX/SPX are not available.

6. IPP: Setting IPP to down disables the IPP printing function but doesn't close the IPP Port (631/TCP). Therefore, if IPP is down, IPP printing using HTTP (80/TCP) is still available.

7. HTTP: Setting HTTP to down closes HTTP Port (80/TCP). Therefore, not only Web Image Monitor but also IPP printing using HTTP port (80/TCP) is disabled.

3.D.1. Web Image Monitor

Refer to section 3.C.1. Web Image Monitor, for steps 1 through 3 of this procedure. Continue with step 4, below.

4: To access the protocol settings click Configuration, then Network, then Protocol, and then Protocol in the left frame as shown below.

NOTE: All protocols are enabled by default.

5: Set the services you wish to stop by selecting Disable in the drop down list box.

3.D.2. MSHELL

1. Access MSHELL as described in 3.C.2. MSHELL above.

2. When you reach the msh> prompt, enter set http down to disable HTTP.

NOTE: The parameters in the following screen capture show the set command usage and protocols.

Close your MSHELL session by entering logout at the msh> prompt. Close Telnet by entering quit.
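Several of the settings in section 3.D leave a port or a printing path open after the service is set to down. This added Python example (not part of the white paper) models only the effects stated in 3.D and reports what remains reachable after a constructed MSHELL session; apart from set http down, the lowercase service keywords are assumptions:

```python
# Listening ports of the services modelled here, taken from Appendix 3.A.
# 443/TCP is left out: the paper does not name the keyword that closes it.
BASE_PORTS = {"21/TCP", "80/TCP", "139/TCP", "161/UDP", "631/TCP"}

# Ports section 3.D says are closed when a service is set to down.
# "web" and "ipp" close nothing, so 80/TCP and 631/TCP stay open.
CLOSES = {"smb": {"139/TCP"}, "ftp": {"21/TCP"}, "snmp": {"161/UDP"},
          "http": {"80/TCP"}, "web": set(), "ipp": set()}

# Client functions 3.D says keep working while the server side is down.
CLIENT_SIDE = {"smb": "Scan to SMB", "ftp": "Scan to FTP"}

# Constructed input. Only "set http down" appears verbatim in the paper; the
# other lowercase service keywords are assumed to follow the same form.
SESSION = ["msh> set web down", "msh> set ipp down"]


def services_down(lines):
    """Replay 'set <service> up|down' lines and return the services left down."""
    down = set()
    for line in lines:
        words = line.replace("msh>", "").lower().split()
        if (len(words) != 3 or words[0] != "set" or words[1] not in CLOSES
                or words[2] not in ("up", "down")):
            raise ValueError(f"not modelled: {line}")
        if words[2] == "down":
            down.add(words[1])
        else:
            down.discard(words[1])
    return down


def residual(down):
    """What is still reachable after the given services are set to down."""
    ports = set(BASE_PORTS)
    for name in down:
        ports -= CLOSES[name]
    http_up = "http" not in down
    return {
        "open_ports": sorted(ports, key=lambda p: int(p.split("/")[0])),
        "web_image_monitor_via_http": http_up and "web" not in down,
        "ipp_printing_via_port_80": http_up,   # unaffected by web or ipp down
        "client_functions_still_usable": sorted(
            CLIENT_SIDE[name] for name in down if name in CLIENT_SIDE),
    }


if __name__ == "__main__":
    for step in (SESSION, SESSION + ["msh> set http down"]):
        print(sorted(services_down(step)), residual(services_down(step)))
```

With web and IPP both down, ports 80/TCP and 631/TCP are still listed as open and IPP printing over port 80 still works; only setting HTTP down removes that path.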

5. Summary

In this document you learned about potential threats to network security and the recommended precautions to take to protect the products. You should now be able to take appropriate actions to ensure the security of your networked devices. The following websites are provided as reference so you can learn more about network security:

RFC: http://www.faqs.org/rfcs/
CVE: http://cve.mitre.org/
CERT: http://www.cert.org/
CIAC: http://www.ciac.org/ciac/
SecurityFocus: http://www.securityfocus.com/
NESSUS: http://www.nessus.org/index2.html