Security Measures for Multifunction Printers

As the information society develops, we are surrounded by threats such as computer viruses, leakage of personal information, and unauthorized access from the outside. With threats diversifying, security measures are among the most important issues for customers. These threats are not limited to personal computers, servers, and networks. You can reduce them by treating a multifunction printer as an IT device and by setting and operating it appropriately.

Ricoh updates software/firmware and provides security patches to fix vulnerabilities detected in its products such as multifunction printers and printers. In order to use the multifunction printers and printers more safely, please use the latest software/firmware of the products.

Items to be supported by customer's environment

  1. By placing your information devices, including multifunction printers and printers, in a network isolated by a firewall, you can prevent unauthorized access from the Internet.

  2. PC operation

  3. Operate machines with private IP address.
    An IP address is a number assigned to a machine on the network. The IP address used to connect to the Internet is called the "global IP address", while the IP address assigned to a machine used in the local area network such as an inhouse LAN is called the "private IP address".

    If a global IP address is set for a multifunction printer, it will be accessible to an unspecified number of users on the Internet, increasing the risk of information leakage due to unauthorized access from the outside. On the other hand, if a private IP address is set for a multifunction printer, it can only be accessed by users on the local area network such as an inhouse LAN. As a rule, we recommend you set a private IP address as the IP address of a multifunction printer. A private IP address is one in the following ranges.

    [Private IP address range]
    10.0.0.0 to 10.255.255.255
    172.16.0.0 to 172.31.255.255
    192.168.0.0 to 192.168.255.255

    For detailed settings, please visit https://www.ricoh.com/products/security/mfp/setting

  4. By changing the administrator password/supervisor password of the machine, you can prevent attacks (setting changes) by a malicious third party from the Internet. Be sure to change the password from the default value.

  5. We recommend you protect the data stored on multifunction printers by using the user authentication or the password for documents stored in document server settings.

  6. SMB settings (*2)
    We recommend you use SMB v3.0 or higher.
    For older models that do not allow such settings, we recommend you protect with IPsec.

  7. Storage encryption
    We recommend you encrypt the HDD.

  8. Access privilege setting
    We recommend you limit the permissions to cancel a job to the job owner and the administrator.

  9. Items to be set in the Web browser (Web Image Monitor) (*1)

  10. Access limitation by IP address
    We recommend you limit the range of IP addresses of PCs that can use MFPs/printers as much as possible. This can prevent unauthorized access from the Internet.

  11. Closing unused communication port (*3) (*4)
    We recommend you close unused network ports. In particular, rsh, telnet, ftp, lpr, etc. have no encryption function of their own, so if you are concerned about network eavesdropping, we recommend you close the unused ports or protect them with IPsec, described later.

    For the applications that may be affected by closing a port, see the relevant pages of the instruction manual for each product. If you have any questions, please contact Ricoh's call center.

  12. SSL/TLS settings
    • Installation of device certificate
      To prevent information leakage via the network, we recommend you use encrypted communication for the models that support encrypted communication. Encrypted communication includes SSL/TLS and IPsec. See the instruction manual for supported communications.

      We recommend you use a certificate issued by a trusted third-party certificate authority instead of a self-signed certificate as the digital certificate to be used to encrypt the communication.

      If you want to use a self-signed certificate, you need to install it on a PC that uses a browser. We also recommend you create a certificate with a key length of 2048 bits or more.

    • Limitations for using SSL2.0/3.0 and TLS1.0/1.1 (*5) (*6)
      We recommend you do not use the older standard SSL2.0/SSL3.0/TLS1.0/TLS1.1. For older models that do not allow such settings, we recommend you protect with IPsec.

    • Limitation of cipher suites (*5)
      We recommend you do not use RC4/DES/3DES with lower cipher strength.

  13. IPsec settings
    If you need to use a communication method that has no encryption function of its own and you are concerned about network eavesdropping, we recommend you protect the communication with IPsec.

  14. SNMP settings
    To reduce the risk of network load attacks using SNMP, we recommend you take the following measures, for products from other manufacturers as well.
    • Change the community name from the default name.
    • Do not use the same community name everywhere; for example, use a different one for each business establishment.

    Alternatively, we recommend you use SNMPv3.

(*1) When you change the machine settings, it may affect the application in use, so check the settings and operation of the application before you change the settings.
(*2) If you use SMB3.0, you will not be able to use Windows authentication.
(*3) Since PC FAX acquires the transmission result via FTP, you can no longer acquire the transmission result after closing the FTP port.
(*4) UnixFilter prints through lpr/lp/qprt, so if you close lpr/lp/qprt, printing will no longer be performed.
(*5) The Job Deletion Tool of Enhanced Locked Print NX V2 will no longer be available.
(*6) RC Gate: Remote Communication Gate will no longer be available.
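
The private address ranges under item 3 can be checked against a device inventory. The following is an added example, not Ricoh code; the device names and addresses are constructed sample data.

```python
import ipaddress

# The three private IPv4 ranges listed under item 3, written as CIDR networks.
# ip_address(...).is_private is not used here because it is broader: it is
# also True for loopback, link-local and documentation addresses.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),      # 10.0.0.0 to 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 to 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0 to 192.168.255.255
]

def private_range_of(address):
    """Return the listed private range that contains address, or None."""
    ip = ipaddress.ip_address(address)  # raises ValueError on malformed input
    for net in PRIVATE_RANGES:
        if ip in net:
            return net
    return None

def audit_inventory(inventory):
    """Split {device: address} into (ok, flagged); flagged maps device to reason."""
    ok, flagged = {}, {}
    for name, address in inventory.items():
        try:
            net = private_range_of(address.strip())
        except ValueError:
            flagged[name] = f"not a valid IP address: {address!r}"
            continue
        if net is None:
            flagged[name] = f"{address} is outside the private ranges"
        else:
            ok[name] = str(net)
    return ok, flagged

# Constructed sample inventory (hypothetical device names and addresses).
SAMPLE_INVENTORY = {
    "mfp-floor1": "192.168.10.21",
    "mfp-floor2": "172.31.255.254",  # near the top of 172.16.0.0 to 172.31.255.255
    "mfp-lobby": "172.32.0.5",       # just past the end of that range
    "mfp-branch": "203.0.113.40",    # documentation address standing in for a global one
    "mfp-lab": "10.0.0.300",         # typing error in the inventory
}

if __name__ == "__main__":
    ok, flagged = audit_inventory(SAMPLE_INVENTORY)
    for name, net in ok.items():
        print(f"OK    {name}: within {net}")
    for name, reason in flagged.items():
        print(f"CHECK {name}: {reason}")
```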
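
For item 11, an administrator can confirm from a PC on the same LAN that the unencrypted services named there are closed on their own printers. This is an added example, not Ricoh code; the port numbers are the standard assignments for each protocol (a device may be configured differently) and the printer address is a constructed placeholder.

```python
import socket

# Standard ports for the unencrypted services named in item 11.
# The notes repeat footnotes (*3) and (*4): what stops working once closed.
CLEARTEXT_SERVICES = {
    "ftp": (21, "PC FAX acquires the transmission result via FTP (*3)"),
    "telnet": (23, None),
    "rsh": (514, None),
    "lpr": (515, "UnixFilter prints through lpr (*4)"),
}

def is_open(host, port, timeout=2.0):
    """Return True if host accepts a TCP connection on port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False

def audit_printer(host, services=CLEARTEXT_SERVICES, timeout=2.0):
    """Return [(service, port, note)] for cleartext services still listening."""
    findings = []
    for name, (port, note) in sorted(services.items(), key=lambda kv: kv[1][0]):
        if is_open(host, port, timeout):
            findings.append((name, port, note))
    return findings

def format_report(host, findings):
    """Render findings as text lines for a change ticket or log."""
    if not findings:
        return [f"{host}: no cleartext service ports open"]
    lines = []
    for name, port, note in findings:
        line = f"{host}: {name} (tcp/{port}) is open; close it or protect it with IPsec"
        if note:
            line += f". Before closing, note: {note}"
        lines.append(line)
    return lines

if __name__ == "__main__":
    printer = "192.168.10.21"  # constructed placeholder for one of your own printers
    for line in format_report(printer, audit_printer(printer)):
        print(line)
```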
 

We also support various security functions, so please use them according to your environment. For details of the security functions, see the website below.
https://www.ricoh.com/products/security/mfp/function/