RICOH Unified Communication System. Security White Paper (Ver. 3.5) RICOH Co., Ltd.

Similar documents
Cisco Desktop Collaboration Experience DX650 Security Overview

Package Content IEEE g Wireless LAN USB Adapter... x 1 Product CD-ROM.x 1

WHITE PAPER. Secure communication. - Security functions of i-pro system s

Exam HP2-Z32 Implementing HP MSM Wireless Networks Version: 7.1 [ Total Questions: 115 ]

Configuring the Client Adapter through Windows CE.NET

ipad in Business Security Overview

AXIS M1065-LW Network Camera. User Manual

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

Using the Cisco Unified Wireless IP Phone 7921G Web Pages

Security+ SY0-501 Study Guide Table of Contents

Network. NEC Portable Projector NP905/NP901W WPA Setting Guide. Security WPA. Supported Authentication Method WPA-PSK WPA-EAP WPA2-PSK WPA2-EAP

Software Manual Net Configuration Tool Rev. 4.05

Configuring the WT-4 for ftp (Infrastructure Mode)

Securing Your Wireless LAN

HikCentral V1.3 for Windows Hardening Guide

Configuring the Client Adapter through the Windows XP Operating System

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Cyber Security Requirements for Electronic Safety and Security

Configuring the Client Adapter through the Windows XP Operating System

Activity Configuring and Securing a Wireless LAN in Packet Tracer

The following security and privacy-related audits and certifications are applicable to the Lime Services:

System Security Features

Authentication and Security: IEEE 802.1x and protocols EAP based

CompTIA Security+(2008 Edition) Exam

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Configuring the WT-4 for ftp (Infrastructure Mode)

Software Manual Net Configuration Tool Rev. 4.03

LEAVE THE TECH TO US BLACKBOX.COM/COALESCE

HikCentral V.1.1.x for Windows Hardening Guide

Information Security in Corporation

ISC2. Exam Questions CISSP. Certified Information Systems Security Professional (CISSP) Version:Demo

Configuring a VAP on the WAP351, WAP131, and WAP371

Agile Controller-Campus V100R002C10. Permission Control Technical White Paper. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD.

TopGlobal MB8000 Hotspots Solution

Application Security for Java-based BlackBerry Handhelds

Salesforce1 Mobile Security White Paper. Revised: April 2014

Access Connections 5.1 for Windows Vista: User Guide

Security Pop Quiz Domain 5 for the CompTIA A+, Network+ and Microsoft Certifications

SECURITY & NETWORK WHITEPAPER

CIS Controls Measures and Metrics for Version 7

4 Enter an IP address and sub-net mask for the ftp server and. 5 Go to the [System and Maintenance] > [Administrative Tools]

RICOH Unified Communication System. Visual communication has changed. Change your work style.

Table of Contents. Chapter1 About g Wireless LAN USB Adapter...1

LEAVE THE TECH TO US BLACKBOX.EU

CIS Controls Measures and Metrics for Version 7

Simple and Powerful Security for PCI DSS

Standard For IIUM Wireless Networking

UNECE WP29/TFCS Regulation standards on threats analysis (cybersecurity) and OTA (software update)

DMP 128 Plus C V DMP 128 Plus C V AT. Cisco CUCM Configuration Guide REVISION: 1.1 DATE: SEPTEMBER 1 ST 2017

Best Practices Guide to Electronic Banking

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

IT Foundations Networking Specialist Certification with Exam

Light Mesh AP. User s Guide. 2009/2/20 v1.0 draft

Frequently Asked Questions

BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0. Administration Guide

BYOD: BRING YOUR OWN DEVICE.


Submitted on behalf of the DOE National SCADA Test Bed. Jeff Dagle, PE Pacific Northwest National Laboratory (509)

RHM Presentation. Maas 360 Mobile device management

Security Statement Revision Date: 23 April 2009

APP NOTES TeamLink and Firewall Detect

ENHANCING PUBLIC WIFI SECURITY

FinIntrusion Kit / Release Notes. FINFISHER: FinIntrusion Kit 4.0 Release Notes

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

Exam : JK Title : CompTIA E2C Security+ (2008 Edition) Exam. Version : Demo

MF113w / MF112. User's Guide

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Wireless Network Video Recorder

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core

Using the Cisco Unified Wireless IP Phone 7921G Web Pages

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

Configuring Settings on the Cisco Unified Wireless IP Phone

Security Guide Zoom Video Communications Inc.

Chapter 24 Wireless Network Security

jk0-022 Exam Questions Demo CompTIA Exam Questions jk0-022

MobilePASS. Security Features SOFTWARE AUTHENTICATION SOLUTIONS. Contents

Wireless USB Port Multi-Functional Printer Server. Model # AMPS240W. User s Manual. Ver. 1A

WL 5011s g Wireless Network Adapter Client Utility User Guide

Security Setup CHAPTER

Unified Services Routers

Security and Certificates

Potential Mitigation Strategies for the Common Vulnerabilities of Control Systems Identified by the NERC Control Systems Security Working Group

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE

Your wireless network

SMart esolutions Information Security

Web Cash Fraud Prevention Best Practices

5 Press or to choose Infrastructure, then press OK.

Changing face of endpoint security

SRG-300SE/301SE/201SE

تاثیرفناوری اطالعات برسازمان ومدیریت جلسه هشتم و نهم

MaaS360 Secure Productivity Suite

WHITE PAPER. Authentication and Encryption Design

EOC1650. Wireless Access Point / Client Bridge / Client Router PRODUCT DESCRIPTION. 2.4GHz 54Mbps b/g Superior Performance

DreamFactory Security Guide

VOCOM II. WLAN Instructions. VOCOM II Tough

Department of Public Health O F S A N F R A N C I S C O

Dual Band Long Range Multi-Function Access Point/ Client Bridge. Software Features System Requirement. Status

Ready Theatre Systems RTS POS

Document Number: rev D Intuitive Surgical, Inc. OnSite Overview. for the da Vinci Xi and da Vinci Si Surgical System.

Transcription:

RICOH Unified Communication System Security White Paper (Ver. 3.5) - UCS terminals P3500, P1000 P3000, S7000 - Apps (for Windows) (for ipad/iphone) (for Mac) (for Android) - UCS for IWB RICOH Co., Ltd. January 2017 * This white paper does not target RICOH Unified Communication System Advanced (UCS Advanced).

Revision History Date Version Modification from the previous version August, 2013 3.2 Information about apps for Mac and iphone has been added. April, 2014 3.3 Information about P1000 has been added. August, 2014 3.4 Information about P3500 and Android app has been added. January, 2017 3.5 Information about the Service platform which became to be high availability by distributed DC configuration has been changed. Information about UCS for IWB has been added. 2

Overview The Ricoh Unified Communication System performs communication through a service platform built on the cloud. The service platform controls the connections between terminals and relays video and audio data. Service Platform Service Platform (Cloud) Ensure availability with redundancy All service platform components, including firewalls, network equipment and servers, are redundant. Access restrictions The firewalls prevent unauthorized access. Vulnerability measures A tool-based vulnerability assessment is conducted every three months. If any vulnerability is detected, countermeasures will be taken within five business days. System monitoring In addition to monitoring within the service platform, normal conference operation is checked from the outside. Communication 1) Session establishment and call control (commands) Internet 2) Video and audio data transmission (data) 1) Session establishment and call control After establishing a session, the information needed for call control is encrypted by TLS. 2) Video and audio transmission Video, audio, and PC screen-sharing data are all encrypted. The SRTP data transfer method is used. Terminals Mutual Authentication Limiting communication partners The system can make connections when the devices have been mutually authenticated in advance by using the web-based management utility or the application on each device. However, it is also possible to accept calls with contact IDs from unregistered users if the user sets up the terminal to permit such calls. (Supported exclusively by P3500/for Windows.) Vulnerability measures When a vulnerability is found in the software, a software update will be distributed via the Internet. Preventing unauthorized use If a terminal is lost or stolen, it will be rendered inoperable by the data center to prevent unauthorized use. Each terminal is specified by its CID (contact ID). A UCS terminal contains a mechanism for identifying itself as a genuine client terminal. In the case of Apps, terminal authentication is performed using both a CID and password. 3

System Security Service Platform Session establishment and call control (command) The transferred data is encrypted by TLS. M2M communication data, contact list, and other data are protected by encrypted communication. Internet Video and audio (data) Video encoding method: H.264 SVC (H.264/AVC Annex G) Streaming data transfer method: SRTP Terminals Session establishment and call control When a Ricoh UCS terminal starts, it connects to the service platform and displays the contact list. After start-up, all data transfer is encrypted by TLS. Both video and audio data is encrypted by a communication protocol called SRTP (Secure RTP). If the video and audio data should somehow be secretly monitored or saved by a third party, it cannot be decrypted. Restricting access to the service platform from the Internet The firewall accepts only HTTPS access using a browser from the management utility and access through a designated port from a successfully authenticated Ricoh UCS terminal. A tool-based vulnerability assessment is conducted every three months. System monitoring The resources, including the CPUs, memory and network band, as well as the logs are checked using monitoring software. Dedicated software deployed at several locations outside the system checks whether the conference session can start and is executing normally. 4

Security of the Service Platform Service platform as a whole The service platform consists of several data centers. Even if a single data center becomes unavailable due to a natural disaster or a large-scale problem, its functions are automatically transferred to the other servers, and the service can be continued. Each data center has acquired ISO27001 certification. Configuration of the infrastructure in each data center User Internet The firewalls, network equipment, database, and application servers are all redundant. The video distribution servers are also redundant, and can be scaled out according to an increase in the number of users to ensure sufficient resources. The database that stores important data is always located behind a double firewall to prevent data leakage. The connection to the Internet is also redundant. Firewalls Distribution Management Distribution Management Video Distribution Distribution Management Distribution Management Video Distribution Customers Private Information DC-C DC-F Private information provided during the contract process is not recorded in this service platform. It is managed only by the backend system within the Ricoh Network. Database Database Database Database DC-G DC-H : Vulnerability measures DC-D DC-E A tool-based vulnerability assessment is conducted every three months. If any vulnerability is detected, countermeasures will be taken within five business days. DC-A DC-B Ricoh Local Network Private Information Backend System Administrator 5

Terminal Security (Common) Restricting connections with other terminals A Ricoh UCS terminal exchanges video and audio with other terminals around the world through the Internet. To prevent unexpected connections, a UCS terminal only accept calls (for establishing the connections for conferences) from the terminals registered in the Contact List. To register a user in the Contact List of another user, a contact registration request needs to be sent to the other party s terminal using the management utility on the Web or in an application. When the other party approves the request, the terminals are registered in the Contact Lists of both parties. However, it is also possible to accept calls with contact IDs from unregistered users if the user sets up the client to permit such calls (contact ID connections). (Supported exclusively by P3500/for Windows for both calling and receiving calls.) Vulnerability measures When any software vulnerability is found, a software update will be distributed through the Internet. Reporting from a terminal To diagnose problems occurring in the service, the terminal sends (reports) its status. The information collected from the terminals is used by Ricoh only to analyze the problems in the software and hardware, never for other purposes. 6

Terminal Security (P3500 and P1000) The information stored in the internal storage media, including programs and application logs, is password protected. (Even if the storage media is connected to a PC, the content cannot be read.) The user information required for terminal authentication is encrypted. The firmware is signed with a digital signature. If it is tampered with, verification of the digital signature fails and the terminal will not start. When the PC Screen Share feature is used, intrusion (writing) of computer viruses and other malware from the PC is prevented by making the storage area of the terminal read-only before it is connected to the PC through a USB port. Preventing unauthorized use of a Ricoh UCS terminal A UCS terminal has a mechanism for identifying itself as a genuine client terminal. If a terminal is lost or stolen, it will be rendered inoperable by the data center to prevent unauthorized use. (In addition, the CID of a lost or stolen terminal can be reassigned to a different terminal. Therefore, it is possible to use the same CID and Contact List on the new terminal.) Authentication and encryption for wireless LAN The following protocols are supported. Authentication protocols (wireless LAN): Open key system authentication, shared key authentication, WPA-PSK, WPA2-PSK, WPA-EAP(*), and WPA2-EAP(*) Encryption protocols (wireless LAN): WEP 128bit/64bit, TKIP: WPA-PSK/WPA2-PSK/WPA-EAP/WPA2-EAP AES: WPA-PSK/WPA2-PSK/WPA-EAP/WPA2-EAP * For WAP-EAP and WAP2-EAP, only the PEAP method is supported. 7

Terminal Security (P3000 and S7000) All information stored in the internal storage media, including the programs, user information, and application logs, is encrypted. (Even if the storage media is mounted on another main board, the content cannot be decrypted.) The firmware is signed with a digital signature. If it is tampered with, verification of the digital signature fails and the terminal will not start. When the PC Screen Share feature is used, intrusion (writing) of computer viruses and other malware from the PC is prevented by making the storage area of the terminal read-only before it is connected to the PC through a USB port. Preventing unauthorized use of a Ricoh UCS terminal A UCS terminal has a mechanism for identifying itself as a genuine client terminal. If a terminal is lost or stolen, it will be rendered inoperable by the data center to prevent unauthorized use. (In addition, the CID of a lost or stolen terminal can be reassigned to a different terminal. Therefore, it is possible to use the same CID and Contact List on the new terminal.) Authentication and encryption for wireless LAN The following protocols are supported. Authentication protocols (wireless LAN): Open key system authentication, shared key authentication, WPA-PSK, and WPA2-PSK Encryption protocols (wireless LAN): WEP 128bit/64bit, TKIP: WPA-PSK/WPA2-PSK AES: WPA-PSK/WPA2-PSK 8

Terminal Security (for Windows) 1) User information Information on the user and environment used by the application is encrypted in the client terminal and saved in the profile folder of Windows. 2) Application logs Application logs are saved in the profile folder of Windows, which cannot be accessed by other users. 3) Information embedded in the program The application is encrypted so that it cannot be disassembled easily in order to mitigate the risks of information leakage. The application has a tampering detection mechanism. If it is tampered with, the attempt is detected and the application will not start. Preventing unauthorized use of the application This application has a mechanism for performing authentication using both a CID and password. If the CID or password, or both are lost or leaked, the CID can be disabled by the data center. The service can not be used unless the user registers an email address and changes the initial password. 9

Terminal Security (for Mac) 1) User information a. The information on the network proxy is encrypted and saved by the Keychain Service provided by the MacOS. b. Information on the user and environment used by the application is encrypted using the function of the MacOS and saved in the user library folder. 2) Application logs The application logs are saved in an area dedicated for the application using the Sandbox function provided by the MacOS, which cannot be accessed by other applications. The application is signed using the Sandbox function provided by the MacOS. If it is tampered with, the attempt is detected and the application will not start. Preventing unauthorized use of the application This application has a mechanism for performing authentication using a CID and password. If the CID or password, or both are lost or leaked, the CID can be disabled by the data center. The service can not be used unless the user registers an email address and changes the initial password. 10

Terminal Security (for ipad/iphone) 1) User information Information on the user and environment used by the application is encrypted and saved using the Keychain Service provided by the ios, which cannot be accessed by other applications. 2) Application logs Application logs are saved in an area dedicated for the application using the Sandbox function provided by the ios, which cannot be accessed by other applications. The application is saved in a dedicated area using the sandbox function provided by the ios. An ios application needs to be signed, which ensures that it cannot be tampered with or changed. Preventing unauthorized use of the application This application has a mechanism for performing authentication using both a CID and password. If the CID or password, or both are lost or leaked, the CID can be disabled by the data center. The service can not be used unless the user registers an email address and changes the initial password. 11

Terminal Security (for Android) 1) User information Information on the user and environment used by the application is encrypted and saved inside the application. 2) Application logs The log files are stored in the internal storage specific to the application, which cannot be accessed by other applications. 3) Information embedded in the program The application is encrypted so that it cannot be disassembled easily in order to mitigate the risks of information leakage. The application has a tampering detection mechanism. If it is tampered with, the attempt is detected and the application will not start. Preventing unauthorized use of the application This application has a mechanism for performing authentication using both a CID and password. If the CID or password, or both are lost or leaked, the CID can be disabled by the data center. The service can not be used unless the user registers an email address and changes the initial password. 12

Terminal Security (UCS for IWB) 1) User information Information on the user and environment used by the application is encrypted in IWB and saved in the profile folder of Windows. 2) Application logs Application logs are saved in the profile folder of Windows, which cannot be accessed from outside. 3) Information embedded in the program The application is encrypted so that it cannot be disassembled easily in order to mitigate the risks of information leakage. The application has a tampering detection mechanism. If it is tampered with, the attempt is detected and the application will not start. Preventing unauthorized use of the application This application has a mechanism for performing authentication using both a CID and password. If the CID or password, or both are lost or leaked, the CID can be disabled by the data center. The service can not be used unless the user registers an email address and changes the initial password. The CID and password can be entered only in the administrator settings, which is password protected. The password is encrypted and saved in a file on the local disk in IWB. Access to this file is restricted by the Windows group policy. The file can be accessed only by Ricoh s engineers. 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback