This article answers frequently asked security and networking questions about the Ultimaker ecosystem. It can be used to help fill out IT and networking questionnaires.
What networking protocols does the printer use?
When printing via Digital Factory, a TLS connection is set up.
- Our printers use TLS 1.3
- The Ultimaker 3 uses TLS 1.2
When printing via the local network, HTTP is used. It is not possible to set up a TLS connection because a certificate cannot be issued to a local IP. The local management interface is only available on a local IP.
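To check the TLS versions listed above against a packet capture of printer traffic, the following added example (not Ultimaker code; `negotiated_version` and `sample_server_hello` are hypothetical names) reads the version a server selected from a ServerHello. It assumes the whole ServerHello sits in one TLS record, and the sample records are constructed rather than captured.

```python
import struct

TLS_NAMES = {0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B

def negotiated_version(record: bytes) -> str:
    """Return the TLS version selected by a ServerHello held in one TLS record."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or rec_len < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    try:
        version = struct.unpack_from("!H", hello, 0)[0]   # legacy_version
        pos = 2 + 32                                      # skip version + random
        pos += 1 + hello[pos]                             # skip session_id
        pos += 2 + 1                                      # cipher suite, compression
        if pos < len(hello):                              # extensions are optional in 1.2
            ext_end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
            pos += 2
            while pos + 4 <= min(ext_end, len(hello)):
                etype, elen = struct.unpack_from("!HH", hello, pos)
                if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                    # TLS 1.3 keeps legacy_version at 0x0303; the real choice is here
                    version = struct.unpack_from("!H", hello, pos + 4)[0]
                pos += 4 + elen
    except (struct.error, IndexError):
        raise ValueError("malformed ServerHello") from None
    return TLS_NAMES.get(version, f"unknown (0x{version:04x})")

def sample_server_hello(cipher: bytes, extensions: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (sample data, not captured traffic)."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + cipher + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

# Constructed samples: a TLS 1.3 reply and a TLS 1.2 reply without extensions
TLS13_HELLO = sample_server_hello(b"\x13\x01", b"\x00\x2b\x00\x02\x03\x04")
TLS12_HELLO = sample_server_hello(b"\xc0\x2f")

if __name__ == "__main__":
    for name, rec in (("TLS13_HELLO", TLS13_HELLO), ("TLS12_HELLO", TLS12_HELLO)):
        print(name, "->", negotiated_version(rec))
```

Reading only the record-layer or `legacy_version` field would report every TLS 1.3 session as TLS 1.2, which is why the `supported_versions` extension is checked.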
Can I disable local network printing?
Ultimaker S-line printers running firmware 6.0 can enable a firewall that will prevent local network traffic. The Digital Factory can then be utilised for secure printing. This is considered by Ultimaker to be the most secure setup.
What version of Debian do the printers run?
Printers running firmware 6.0 and above run Debian Buster.
Printers running firmware 5.x run Debian Jessie.
What software does the printer use for remote access?
Ultimaker printers use the Nginx web server for remote access.
Printers running firmware 6.0 and above run Nginx 1.14.2.
Can I disable TLS?
TLS is used for encrypted traffic between the printer and the Digital Factory. It cannot be disabled.
Do Ultimaker printers utilize SMB?
SMB is not used.
Does the Ultimaker cloud solution log suspicious events, such as unauthorized attempted logins?
No. We do not currently have functionality that monitors suspicious login activity in the Digital Factory.
What logging is done by the Ultimaker cloud solution?
At present, we log various client activity; what is logged is subject to change as we develop the platform.
Will security-related changes to privileged accounts be logged and alerted?
All accounts have the same level of security at present. This includes email notification upon change of password. For more security, we recommend enabling 2-factor authentication.
Do Ultimaker hardware and software synchronize to an authoritative Network Time Protocol (NTP) source?
Ultimaker printers synchronize over NTP port 123.
Ultimaker cloud software maintains its own time in UTC.
For how long are Ultimaker logs kept, in either online or offline storage with the ability to be exportable or transferable?
Currently we store online cloud logs for a maximum of 40 days. They cannot be exported or transferred.
Printer logs are created on an ongoing basis, and are rotated upon reaching a maximum data limit.
Will this solution/tool be regularly monitored for unauthorized activities?
This monitoring is not currently available.
Will passwords be encrypted both in motion and at rest prior to go-live?
Will any encryption keys used in this solution/tool be properly documented and managed through either Public Key Infrastructure (PKI), PBKDF2, or some other secure key management process?
We use the secret management solutions from Google Cloud and Hashicorp Vault.
Will the solution be hosted in a physically secure location where access is monitored and controlled?
Yes. We use Google Cloud, and inherit all security from this platform. See the cloud security article.
What security solutions does Ultimaker recommend?
You can view our security solutions here.
For any File Transfer Protocol (FTP) connections, will only secure FTP (SFTP/FTP-S) be used?
FTP is not used in the Ultimaker Cloud Environment. We use signed URLs over HTTPS for file transfer.
Will any users with administrative access to the solution/tool require the use of multi-factor authentication?
Multi-factor authentication can be set up, but is not required by default.
Will there be a documented account management process for use of the Ultimaker Digital Factory?
The organizational admin has full control over new user accounts. See more about organizations.
Will user accounts be removed/disabled if inactive for a longer period?
Inactive accounts are currently not removed or disabled.
Will mechanisms be in place to alert when accounts have been created, modified, enabled, disabled, and removed?
Yes. The starting point is the organisation in Digital Factory (Essentials subscription only). Each user must accept an invite to join the organisation to access organisation resources. In addition, printers are shared on a team basis, where only team members have access to the associated printers. See more about essentials.
Will every user be given a unique account (i.e. no generic or shared accounts)?
Yes. There are no shared accounts. Each account requires a unique email.
Will access, use, and distribution of data follow the principle of least privilege?
Data is separated at the application level based on data ownership (multi-tenant). Automated tests are in place to ensure data ownership rules are correctly enforced. See the cloud security article.
Will the system owner ensure that all software/firmware assets associated with this ecosystem be kept updated to the latest stable version?
This is our commitment as part of ISO 27001 certification, expected to be gained in Q2 2021.
Where can I read more about Ultimaker Cloud security?
You can read more about our cloud platform security here.