A technical overview of all data encryption & collection in FM Audit.
Data Collected and Encryption
1.2 Data Encryption
All data packages from ECI DCA and FMAudit Onsite are encoded and obfuscated. FMAudit recommends utilizing HTTPS for communication between Onsite and FMAudit Central. ECI DCA must be utilized with HTTPS to function correctly. Additionally, all sensitive settings and jobs between ECI DCA and Central are encrypted using the AES256 standard symmetric encryption algorithm with a protected shared key. This ensures end-to-end encryption, so data is protected from being read if intercepted by a third party or by a competitive or otherwise non-authorized FMAudit instance.
1.3 Security Concerns
ECI DCA and FMAudit Onsite communicate with FMAudit Central by sending an encoded and obfuscated XML stream using SOAP over HTTPS. Confidential data is not collected, viewed or saved by any FMAudit application. Only printer-related data is collected and viewed. No other network data can be identified or collected by ECI DCA or FMAudit Onsite, with the exception of IP Address, MAC Address, and HostName, which can be excluded from the data submitted if the user chooses to exclude these details.
ECI DCA and FMAudit Onsite do not collect or process any personal data; the only way the system will collect this type of information is if you or your customers enter it into FMAudit in a field or label such as location or customer name. ECI DCA and Onsite enable you to monitor network devices using Simple Network Management Protocol (SNMP). The software resides inside the customer’s network and from there communicates with devices to gather operational information that each device makes available via its firmware and an SNMP Management Information Base (MIB). The data exposed by the device varies by manufacturer and model, but it is always technical or operational in nature and specific to the device itself. At the most basic level, the data exposed by a printer MIB is documented in IETF RFC 3805 (https://tools.ietf.org/html/rfc3805). Additional device information may be exposed by the manufacturer through extensions and private MIBs, but the information is fundamentally technical and device-specific.
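To review what an SNMP collector of this kind can read from a printer, the added example below (not FMAudit code) groups the OIDs in a numeric MIB walk by subtree and flags the objects that carry an IP address, MAC address or host name. The walk text is constructed, enterprise number 99999 is a placeholder, and mapping the three identifiers to `ipAdEntAddr`, `ifPhysAddress` and `sysName` is an assumption about where a device exposes them, not a statement of what FMAudit queries.

```python
# Added example: group OIDs from a numeric SNMP walk by MIB subtree.
from collections import defaultdict

# Standard IETF OID prefixes.
SUBTREES = [
    ("1.3.6.1.2.1.43", "Printer-MIB (RFC 3805)"),
    ("1.3.6.1.2.1.25", "Host Resources MIB"),
    ("1.3.6.1.2.1.4", "ip group"),
    ("1.3.6.1.2.1.2", "interfaces group"),
    ("1.3.6.1.2.1.1", "system group"),
    ("1.3.6.1.4.1", "private enterprise MIB"),
]
# Standard objects assumed to hold the identifiers the page lists as excludable.
NETWORK_IDENTIFIERS = {
    "1.3.6.1.2.1.4.20.1.1": "IP Address (ipAdEntAddr)",
    "1.3.6.1.2.1.2.2.1.6": "MAC Address (ifPhysAddress)",
    "1.3.6.1.2.1.1.5": "HostName (sysName)",
}
# Constructed sample in `snmpwalk -On` style; all values are made up.
SAMPLE_WALK = """\
.1.3.6.1.2.1.1.5.0 = STRING: "PRN-2F-EAST"
.1.3.6.1.2.1.2.2.1.6.1 = Hex-STRING: 00 00 5E 00 53 01
.1.3.6.1.2.1.4.20.1.1.192.0.2.10 = IpAddress: 192.0.2.10
.1.3.6.1.2.1.43.5.1.1.17.1 = STRING: "SN0000001"
.1.3.6.1.2.1.43.10.2.1.4.1.1 = Counter32: 48211
.1.3.6.1.2.1.43.11.1.1.9.1.1 = INTEGER: 62
.1.3.6.1.4.1.99999.1.2.0 = STRING: "vendor-specific"
"""

def under(oid, prefix):
    """True if oid is prefix or lies below it (whole components only)."""
    return oid == prefix or oid.startswith(prefix + ".")

def classify(walk_text):
    """Return ({subtree label: [oids]}, [(identifier name, oid)])."""
    groups, identifiers = defaultdict(list), []
    for line in walk_text.splitlines():
        if " = " not in line:
            continue  # skip blank or wrapped continuation lines
        oid = line.split(" = ", 1)[0].strip().lstrip(".")
        label = next((n for p, n in SUBTREES if under(oid, p)), "other")
        groups[label].append(oid)
        identifiers += [(w, oid) for p, w in NETWORK_IDENTIFIERS.items() if under(oid, p)]
    return dict(groups), identifiers

if __name__ == "__main__":
    groups, identifiers = classify(SAMPLE_WALK)
    print({label: len(oids) for label, oids in groups.items()})
    print(identifiers)
```

Anything that lands in the "other" group falls outside the listed subtrees and is worth a closer look when checking a device against the "printer-related data only" claim.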
1.4 Types of Information Collected
ECI DCA and FMAudit Onsite attempt to collect the following information from networked printing devices during a network scan:
Device Attributes
- IP address (can be masked)
- Manufacturer
- Serial number
- Asset number
- MAC address
- Device description
- Location
- Miscellaneous (machine specific)
Coverage and Meters
- Meter reads
- Meter type
- Coverage level
- Monochrome or color identification
Supplies
- Toner cartridge serial number
- Toner cartridge supply level
- Drum levels
- Maintenance kit levels
- Non-toner supply levels
- Miscellaneous levels
Service
- LCD reading
- Device status
- Error codes
- Firmware
FMAudit Agent, explained further below, attempts to collect the following information from local devices:
- Manufacturer
- Asset number
- Device description
- Location
- Serial number
- Meter reads
- Supply levels (vendor dependent)
- Service codes (vendor dependent)
- Miscellaneous (machine specific)
- IP address of the machine the Agent is installed on (FMAudit Agent Host)
Network Discovery and Meter and Supply Collection (ECI DCA)
To add to the efficiency of the DCA, device information is sent to the FMAudit Central Server only when there is new or changed data from the devices. This keeps network load minimal and reduces the frequency of backlogs of device data submissions. Discovery and scanning of devices are also now independent, so that only the IP addresses (or hostnames) of previously discovered devices are scanned on the periodically set basis, rather than running a full network scan each time (a full scan is completed initially, periodically, or when determined by an admin user).
This keeps device data submissions as up to date as possible and allows users to be notified of troublesome devices within minutes or even seconds in many situations. ECI DCA separates device discovery from other scan types, enabling you to set custom scan intervals for retrieving meters, supplies, attributes and errors. The minimum and maximum values for the scan intervals are:
Scan Function | Default | Minimum | Maximum |
Discovery | 30 minutes | 10 minutes | 720 minutes |
Meters | 120 minutes | 10 minutes | 720 minutes |
Supplies | 60 minutes | 10 minutes | 720 minutes |
Errors | 60 seconds | 30 seconds | 600 seconds |
Attributes | 360 minutes | 10 minutes | 720 minutes |
Device w/out MDF | 60 minutes | 10 minutes | 24 hours |
Please note that scan intervals (meters, supplies, errors and attributes) are only available if a device has a model definition file (MDF). If this is not present, a full scan will be done on the device in question on a predefined interval.
FMAudit Central administrators can remotely manage ECI DCA that have been activated on the server as well as remotely trigger the ECI DCA to execute predefined commands such as data collection tasks, providing ECI DCA logs, running remote MIBWalks, installing HP JAMC, or updating ECI DCA and Onsite settings.
Note: ECI DCA always initiates this communication to the Central server, and not the other way around.
Note: Only when meter or supply information has updated or changed does communication occur, to reduce bandwidth usage.
Network Discovery and Meter and Supply Collection (FMAudit Onsite)
The FMAudit patented Automatic Network Discovery Settings use a mixture of algorithms to identify the network ranges where print devices may be located and then discover and communicate with the devices that are online, routing through multiple network elements such as active workstations or servers, routers, hubs, switches, and additional network hardware.
FMAudit Central administrators can remotely manage FMAudit Onsites that have been activated on the server as well as remotely trigger the Onsite to execute predefined commands such as data collection tasks, providing Onsite logs, running remote MIBWalks, installing HP JAMC, or updating Onsite settings. These are explained in further detail below:
Function | Location | Description |
Tasks | Onsite Settings | Can remotely configure tasks to run on a preset schedule but can select tasks (Cache, Meters, Supplies, Service) to run immediately and collect device data on command. |
MIB Walks | Onsite Settings | Can indicate certain IPv4/IPv6/Hostnames of devices and trigger the Onsite to Start the Collection of the MIB Walks immediately. |
Logs (Detailed) | Onsite Settings | Can instruct the Onsite to collect the Logs (Critical, Error, Warning, Details, Debug) from a certain date. |
None of these commands lead to data collection beyond the types of information collected as described above. Data exchanged between FMAudit Onsite and FMAudit Central is encrypted using strong encryption protocols that are FIPS compliant. Onsite receives secured software updates from the FMAudit Updates servers.
The Onsite communicates with Central at a predefined interval to determine if there are any queued actions which are not already executed, thus ensuring actions are executed in a timely manner.
Note: FMAudit Onsite always initiates this communication to the Central server, and not the other way around.
Network Traffic
Audits conducted by the software use an intelligent system to extract minimal information for each printer, copier or MFP. Unlike similar products that send a fixed set of queries (a superset of all possible queries) to every networked device, FMAudit Onsite only sends the relevant queries according to the fields the target device supports, with each device query being no more than a few kB of data. To further reduce the amount of network bandwidth used, FMAudit Onsite communicates with no more than 20 devices at a single time. Each IP within the configured ranges is queried, and if no response is received within the configured timeout period, the scan moves on to the next IP address. A rule of thumb is that FMAudit will gather information on 65,000 devices in just under one hour.