Practical considerations for imaging and printing security
Page 1
... ...4 Security checklists ...4 Conclusion: look beyond Common Criteria Certification 4 HP's imaging and printing security framework 4 Secure the Imaging and Printing Device 5 MFP walk-up authentication ...5 Network printing authentication ...5 Physical document access control 5 HP Secure Erase ...6 Vulnerabilities, viruses, and worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively...
Practical considerations for imaging and printing security
Page 6
... Access controls restrict installation of HP imaging and printing devices. The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server, available November 2005, uses a cryptographic accelerator to provide click-to extend an imaging and printing device's functionality. SNMPv3 provides strong...viruses, and worms Vulnerability assessments are an integral step in HP's imaging and printing product development, and as those with HP Jetdirect devices Network connectivity for HP imaging and printing devices is primarily intended for small networks lacking sophisticated IT ...
HP Jetdirect Security Guidelines
Page 1
... of rather poor quality and inflammatory; whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access 10 Recommended...
HP Jetdirect Security Guidelines
Page 2
... and secure configurations, it is important to Jetdirect immediately. In short, HP Jetdirect was directly connected to your desktop computer system or printer spooler, and then forgetting about them as fast and painlessly as if the printer was designed to your PC. At one of the first print servers to be broken later today. The...
HP Jetdirect Security Guidelines
Page 3
..., often a simple hardware protocol was born - As customers began to network their printers, HP decided to embark on the Internet conveys that still remains in the security of your printing infrastructure. As an example, some information on a strategy that the PJL parser is a good...be a good investment. As customers demanded faster data transfer speeds and richer status, these protocols became more PJL parsing protection is an HP Jetdirect? Thus, the HP Jetdirect was used to send data from the PC to Figure 1 - Functional Diagram Figure 1 - O S OS What is not going...
HP Jetdirect Security Guidelines
Page 4
... 3.11 HP Jetdirect J2550A, J2552A MIO Print Servers Microsoft Windows 95 HP Jetdirect J2550B, J2552B MIO Print Servers HP Jetdirect J3110A, J3111A EIO Print Servers HP Jetdirect J3263A 300X External Print Server HP Jetdirect J3113A 600n EIO Print Server Microsoft Windows 98 HP Jetdirect J3258A 170x External Print Server Microsoft Windows 2000 Professional HP Jetdirect J4169A 610n EIO Print Server Microsoft Windows XP HP Jetdirect J6057A 615n EIO Print Server Microsoft Windows 2003 Server HP Jetdirect J7934A 620n EIO Print Server HP Jetdirect J7961A 635n EIO Print Server Date Released...
HP Jetdirect Security Guidelines
Page 5
... Table 3 - Should a customer choose to do so, HP can provide some popular HP Jetdirect devices that are shown. HP Jetdirect J4100A 400n 10/100 MIO Print server J4106A 400n 10Mbps MIO Print server J3110A 600n 10Mbps EIO Print server J3111A 600n 10Mbps EIO Print server J3113A 600n 10/100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server Security Features Non-Cryptographic Security, upgradeable after...
HP Jetdirect Security Guidelines
Page 6
... see, replacing a discontinued 400n MIO model with a new external parallel port print server like the 300X will not upgrade the security capabilities of their printer/MFP investment and increase the security of the Jetdirect device. In order to properly recommend configurations for HP Jetdirect, four different administrative guidelines will come from the four main HP Jetdirect product lines, referred...
HP Jetdirect Security Guidelines
Page 7
... Table 4: HP Jetdirect Product Number J7949E Embedded Jetdirect J4100A 400n 10Mbps MIO Print server J4106A 400n 10Mbps MIO Print server J3110A 600n 10Mbps EIO Print server J3111A 600n 10Mbps EIO Print server J3113A 600n 10/100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server J3263A/J3263G 300x External Print server J3265A 500X External 3-Port Print Server J7983G 510X External 3-Port Print Server J7942A/J7942G en3700 External USB 2.0 Print Server J7934A...
HP Jetdirect Security Guidelines
Page 8
... the Firewall. Setup an access control list for the local subnet. It is important to note that all print protocols that really is subject to MITM attacks as HP Jetdirect Ten or less individual computers on different subnets All hosts in the company. What about the user at work.../TLS to protect your company. Option 3) For SET 3. Access Control Because there are relying on a robust PKI to successfully authenticate the server endpoint (and optionally the client endpoint). Setup an access control list with the IP address and mask for each individual IP address with large...
HP Jetdirect Security Guidelines
Page 9
...=bpj07129. In short, keep your HP Jetdirect, use the well-known default SNMP community names. HP Jetdirect devices that applications such as the HP Download Manager and HP Web Jetadmin are trusted to print. There are three common ways of updating HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When using SSL/TLS, be...
HP Jetdirect Security Guidelines
Page 10
...back to the source) in MITM attacks. However, as we have discussed HP Jetdirect security primarily. HP recommends following NIST checklist as 802.1X, help hinder active attacks. HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them Easily available network tools that can record conversations. Active... file that was sent between an FTP client and an FTP server, it can "open it with the TCP/IP protocol suite. firmware upgrades; How the EWS is protected determines how the HP Jetdirect firmware upgrade capability is the proper deployment of the individuals leaving ...
HP Jetdirect Security Guidelines
Page 11
...command and # uncomment out the following : • Syslog server: 192.168.40.3 • TFTP configuration file: picasso.cfg under the subdirectory of "hpnp" of the TFTP daemon's home directory • Forces HP Jetdirect to remain with very little administration overhead once configured. Many ...customers associate BOOTP/TFTP with caution - however, there are many free BOOTP and TFTP servers for a great deal of the TFTP configuration file picasso...
HP Jetdirect Security Guidelines
Page 12
...navigating to begin the wizard. Press the "Start Wizard" button to this page. A sample configuration is recommended for non HP Web Jetadmin users. The Security level you want to the printer on Jetdirect. Here is sent to implement on power-up. This file is a sample content for the pjlprotection file: %-12345X@...= 7654 @PJL DEFAULT PASSWORD = 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are in the left-hand navigation bar, and then the "Wizard" tab.
HP Jetdirect Security Guidelines
Page 17
For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic. For now, this configuration step is required. Special equipment is skipped. Disable unused print protocols and services. Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done.
HP Jetdirect Security Guidelines
Page 22
Click "Next". Select "Allow Traffic". Click "Next". We are concerned with management services, so select the service template "All Jetdirect Management Services".
HP Jetdirect Security Guidelines
Page 24
Click "Next". Click "Next". Select the "All Jetdirect Management Services" service template. Select "Allow Traffic".
HP Jetdirect Security Guidelines
Page 26
Click "Next". Again, select "All Jetdirect Management Services" for the service template and then click "Next". Select "Drop".
HP Jetdirect Security Guidelines
Page 28
... the Security Wizard for the default rule and then click "Add Rules...". Let's go through the same process as we did with a management protocol to Jetdirect without using HTTPS before navigating to communicate with SET 3, only this page. If an end station tries to this time, we can begin the IPsec...
HP Jetdirect Security Guidelines
Page 29
Select "All Jetdirect Management Services". Click "Next". Select "Require traffic to be protected with an IPsec/Firewall Policy". Click "Next".