SYS211 Netgard Secure Scanning for US DOD-Fed …

1 12/16/20111 SYS211 e-Le@rning: Netgard Secure Scanning for DOD and Federal AgenciesPresenter: Henry GoldBusiness Area ManagerAPI technologies Please silence your cell phones Keep background noise to a minimumBefore we Keep background noise to a minimum Do not put your phone on HOLD Please let instructor know if anyone else is sitting in with youToshiba Academy Systems e-Le@rning Program The phone audio will be muted - Please save questions until the end or submit text based questions as we move through presentation12/16/20112 Have questions?Submit text based Submit text based questions questions via the Q&A podvia the Q&A podToshiba Academy Systems e-Le@rning Programvia the Q&A podvia the Q&A podYour Status Throughout the program, we will ask you to respond by indicating your Status. When asked please use the Status Options drop-down button, located at the top of your Academy Systems e-Le@rning Program Set your status now by indicating: Agree 9912/16/20113 The goals of today s e-Le@rning session @rning Goals Introduce the new Netgard MFD security solution that will help facilitate sales to DOD (and soon civilian agencies) How does Netgard relate to GSA?

2 Reduce your sales cycle Provide you with product training to get you started with NdMFDT oshiba Academy Systems e-Le@rning ProgramNetgard MFDe-Le@rning ObjectivesUpon completion of this course, you will be able to: Build your knowledge of a key Security requirement to deploy systems to the DOD and Civilian Agencies Give you the tools needed to close business with the Gov. Provide the necessary skills to install this solutionToshiba Academy Systems e-Le@rning Program12/16 technologies Introduction 2 Netgard Installation and Technical Q&A DiscussionToshiba Academy Systems e-Le@rning ProgramAPI technologies Introduction Who is api technologies ? Featured Customers The Customer NeedToshiba Academy MPS Certification Program12/16/20115 Company Snapshot Prime contractor in sophisticated electronics, highly engineered systems, Secure communications and electronic components and subsystems to the global defense and aerospace industriesdefense and aerospace industries Publicly traded ( ) Revenues of over $380M 2000 Employees Key product focus Defense & Aerospace Products & Services St&E i i S iToshiba Academy Systems e-Le@rning Program Systems & Engineering Services Secure Communications Products & Services Components & SubsystemsFeatured CustomersUS & International Government AgenciesLeading Government & Defense ContractorsToshiba Academy Systems e-Le@rning Program12/16/20116 The Customer NeedDOD Requirement.

3 All multi-function devices (MFDs) that can All multi-function devices (MFDs) that can transmit scan jobs over the LAN must be secured by a Common Access Card (CAC) that will verify and authorize the user before a scan-to-network function is permitted (STIG) Expanding security to Copy function & Print Release Seeing requirement at Civilian Agencies HSPD 12 Toshiba Academy Systems e-Le@rning Programgqg(PIV card)HSPD12 CAC & SMARTCARD Deployments 17 million cards issued to date 5 5 million active cards are in million active cards are in use today Today CACs are: The standard at more than 1,000 sites Used in over 25 countries To date the DoD has deployed over 1 Toshiba Academy Systems e-Le@rning Programpymillion card readersand associated middleware around the world12/16/20117 Netgard Overview How it works Authentication Options Value PropositionToshiba Academy MPS Certification Program End Users Brings their CAC Card to our DeviceStatus/ Job CopyNetgard.

4 How it Works They insert their CAC Card in the reader They enter their Pin Number The Server Verifies Credentials(OCSP/LDAP/AD) Operation Panel Access GrantedOCSP/LDAP/ADCancelProgramApplicat ionCopySendDocument BoxToshiba Academy Systems e-Le@rning ProgramOR Operation Panel Access Denied12/16/20118 Connectivity Simple, in line Ethernet connectionToshiba Academy Systems e-Le@rning Program Web based remote admin Integrates with Active Directory and/or PKI Supports CAC PIN, certificate, LDAP, PKI and OCSPLive Video DemonstrationToshiba Academy Systems e-Le@rning Program12/16/20119 Conforms to DoD requirements Works with all major copier modelsImportant Facts Support for CAC/PIV V1 & V2 Special security features: FIPS 140-2 & 201 Email encryption & signing Confirms identity of senderToshiba Academy Systems e-Le@rning Program Confirms identity of sender Added security on Scan-to-Email feature replaces the From Reply-to and Sender fields with CAC user s email address (obtained from CAC or LDAP) Netgard Customers / DeploymentsOver 3000 Netgard devices are currently deployed in all branches of armed services: Air Force (Andrews, Ramstein, Bolling & Hill AFB) Army (Aberdeen, Fort Collins) Army National Guard Army Reserves Navy (Jabuti Naval Base)Toshiba Academy Systems e-Le@rning Program Navy (Jabuti Naval Base) DAPS/DLA12/16/201110 Configurable Authentication Options PIN (Default, Always ON) User s PIN is used to unlock the CAC.

5 X509 validation (requires issuer certificate) CAC certificate Challenge/response CAC certificate Challenge/response Requires issuer certificate OCSP User s certificate is sent to OCSP server for revocation check. Requires issuer certificate LDAP/LDAPS (anonymous and non-anonymous) LDAP lookup is performed to ensure the user is validToshiba Academy Systems e-Le@rning Program LDAP lookup is performed to ensure the user is valid LDAPS requires server certificate Non-anonymous lookup requires username and password Kerberos Network PKI authentication No adjustment to the Copier/MFP is required the Netgard MFD connects the MFP to the LAN andHow Does the Netgard Affect the Printer/MFP? Netgard MFD connects the MFP to the LAN and handles all network traffic control. Windows users see no difference when they print to the Copier/MFP or add a printer. Administrators may connect to Copier/MFP and manage it using the browser interface as Academy Systems e-Le@rning Program Other Copier/MFP communication, like the Printer Monitor Utility (SNMP based), is unaffected as Proposition Quick to market CAC/PIV Secures Scan to Network.

6 No custom development needed on MFD MFD agnosticMFD agnostic Easy to deploy With over 3000 devices tested Significant investment core competency Priced rightToshiba Academy Systems e-Le@rning ProgramAdditional Points Next release will support GSA PIV (1sthalf 2012) Secure Print Release - Print to cloud with NSI Scan to home Utilizes NSI Autostore Scan to home Utilizes NSI AutostoreToshiba Academy Systems e-Le@rning Program12/16/201112 Physical Installation Let s Install Netgard Connectivity and Physical Connections Local Access Via IP Connection Basic Configuration Setup of MFPT oshiba Academy MPS Certification Program Advanced Authentication Options Netgard Maintenance Pre-Installation Checklist TroubleshootingConnectivityToshiba Academy Systems e-Le@rning Program12/16/201113 Physical Connection Make connections Connect CAC Reader to USB port Connect base network to LAN port Connect copier to DEV port Connect computer to MGMT port (no crossover needed) Connect Vend cable via USB port (optional) Power up unit (~60 seconds to boot)Toshiba Academy Systems e-Le@rning Programp()

7 Initial Install Requires Local AccessVia IP ConnectionToshiba Academy Systems e-Le@rning Program12/16/201114 Administering Netgard MFD Administer Netgard by plugging directly into the Ethernet Management (MGMT) port. Set computer IP to:IP: 192 168 20 20IP: : : Use FireFoxweb browser to administer Netgard :8080 Login informationToshiba Academy Systems e-Le@rning Programg ID: admin Password: password For additional details see the quick install Academy Systems e-Le@rning Program12/16/201115 Netgard HomepageToshiba Academy Systems e-Le@rning Program Tour of UIBasic ConfigurationToshiba Academy Systems e-Le@rning Program12/16/201116 Click on the Network Tab Set IP addresses Set the Netgard s Lan Address If DHCP writeNetwork configuration (Step #1)Address. If DHCP write down the IP address. Tell the Netgard the IP address of the Printer Click the Apply button Set Copier IP:IP: Academy Systems e-Le@rning : Additional configuration optional Click on the Scan Setup button Enable Required ftilitScan Setup (Step #2)functionality Email Set SMTP server IP Scan to self?

8 Encryption & Signing FTPT oshiba Academy Systems e-Le@rning Program Append file header name? Click the Apply button12/16/201117 Scan Setup (Step #2 cont.) Enable SMB Open F/W when CAC authenticated? Set NSI/Autostore information Click the Apply buttonToshiba Academy Systems e-Le@rning ProgramNetgard Admin (Optional) Click on the Admin tab Turn on Management port on LAN Port so Administer Netgard remotely Define an ACLT oshiba Academy Systems e-Le@rning Program12/16/201118 Click on the Admin->Users tbUser Administrationtab. Add a new Admin level user Delete the Toshiba Academy Systems e-Le@rning Programdefault admin Netgard Configuration Now Setup MFPT oshiba Academy Systems e-Le@rning Program12/16/201119 MFP Configuration Set Copier IP address to address configured in the first step (default = )p() Setup Scan to Network functionality Same configuration as if copier was sitting on customer network. If Email set to Send to Self add one Destination Toshiba Academy Systems e-Le@rning ProgramIP Configuration on e-STUDIO MFP IP address = 192 168 10 Subnet Mask= Gateway = Academy Systems e-Le@rning Program12/16/201120 Test Basic Functionality Authenticate with a CAC and test Scan to email Scan to SMB Scan to FTP Scan to email, Scan to SMB, Scan to FTP Perform same test without CAC Browse to Copier Use LAN IP address of Netgard ( )

9 Test Print functionality Use LAN IP address of NetgardToshiba Academy Systems e-Le@rning Program Use LAN IP address of NetgardAdvanced Authentication OptionsToshiba Academy Systems e-Le@rning Program12/16/201121 Authentication Screen Authentication Options Local certificate authentication OCSP Revocation List LDAP Active Directory Lookup Kerberos Authentication Toshiba Academy Systems e-Le@rning Program Click on Scan Setup-> Certificates button Upload Certificates (chain of trust) Upload Trusted Certificates button on the right hand sideAdditional Configuration for Certificates must be in Base-64 encoded format (pem file extension) Point the Netgard to a NTP server to ensure the Date/Time is properly set (Admin->Time Zone)Toshiba Academy Systems e-Le@rning Program12/16/201122 Netgard MaintenanceToshiba Academy Systems e-Le@rning ProgramConfiguration Management Go to the Admin->Utilities Backup and restore a device configuration Perform a Netgard Upgrade Reboot the deviceToshiba Academy Systems e-Le@rning Program12/16/201123 Pre-Installation Check ListToshiba Academy Systems e-Le@rning ProgramPre-Installation Checklist Netgard IP address (Subnet & Mask) May need to provide MAC address DNS IP DNS IP SMTP IP address NTP IP Root & intermediate certificates OCSP URLLDAP i ftiToshiba Academy Systems e-Le@rning Program LDAP information IP, Login, Search details CAC card available for testing12/16/201124 TroubleshootingToshiba Academy Systems e-Le@rning Program1) Check Computer s IP addressIP: : t Get to Management Port?

10 Gateway: ) Confirm that your computer IP address changed:Open Command Window (run>CMD)At the prompt type IPCONFIGE thernet adapter Local Area Connection:Connection-specific DNS Suffix . :Toshiba Academy Systems e-Le@rning ProgramIP Address.. : Mask .. : Gateway .. : ) Start a Newweb browser session (Firefox)Ensure that the URL is correct :808012/16/201125 Diagnostics & LogsToshiba Academy Systems e-Le@rning Program Confirm that the Netgard configuration is correct: Email configuration Scan Setup->Scan to Network->Enable Email Scan Setup>Scan to Network>Server IP address correctTroubleshooting Scan to Email Scan Setup->Scan to Network->Server IP address correct Copier device (Network->Configuration->Copier IP Address) Confirm that the Netgard can ping the copier & SMTP server Take Netgard out of loop to ensure copier setup Confirm that the user successfully completed the CAC Academy Systems e-Le@rning Program Reader displays Ready to Scan Capture email session to determine root cause Monitoring->Diagnostics->Packet Trace->Network Select (LAN and MFD)