Practical considerations for imaging and printing security
Page 1
... ...4 Security checklists ...4 Conclusion: look beyond Common Criteria Certification 4 HP's imaging and printing security framework 4 Secure the Imaging and Printing Device 5 MFP walk-up authentication ...5 Network printing authentication ...5 Physical document access control 5 HP Secure Erase ...6 Vulnerabilities, viruses, and worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively...
Practical considerations for imaging and printing security
Page 6
... Network connectivity for secure management using SSL/TLS, secure IPP requires no additional configuration and is implemented as HP and its partners. The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server, available November 2005, uses a cryptographic accelerator to provide click-to the Ethernet network. While Secure IPP may be installed from known...
HP Jetdirect Security Guidelines
Page 1
... of rather poor quality and inflammatory; whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access 10 Recommended...
HP Jetdirect Security Guidelines
Page 2
... printer spooler, and then forgetting about them . During this is actually the result of the first print servers to be broken later today. Today's security configurations and protocols that this growth period in network printing, functionality within HP Jetdirect was designed to be "plug-n-play " and reliable. In today's increasingly security focused environment, we will...
HP Jetdirect Security Guidelines
Page 3
... your printing infrastructure. Secondly, we know that implemented a hardware protocol and converted encapsulated data into data for printer consumption. Based upon this diagram, we can do . First and foremost, we can understand what HP Jetdirect can also understand what HP Jetdirect cannot ... As customers demanded faster data transfer speeds and richer status, these protocols became more PJL parsing protection is an HP Jetdirect? Thus, the HP Jetdirect was used to send data from the PC to convert encapsulated network data into just data for printer consumption. Functional...
HP Jetdirect Security Guidelines
Page 4
... 3.11 HP Jetdirect J2550A, J2552A MIO Print Servers Microsoft Windows 95 HP Jetdirect J2550B, J2552B MIO Print Servers HP Jetdirect J3110A, J3111A EIO Print Servers HP Jetdirect J3263A 300X External Print Server HP Jetdirect J3113A 600n EIO Print Server Microsoft Windows 98 HP Jetdirect J3258A 170x External Print Server Microsoft Windows 2000 Professional HP Jetdirect J4169A 610n EIO Print Server Microsoft Windows XP HP Jetdirect J6057A 615n EIO Print Server Microsoft Windows 2003 Server HP Jetdirect J7934A 620n EIO Print Server HP Jetdirect J7961A 635n EIO Print Server Date Released...
HP Jetdirect Security Guidelines
Page 5
... for Management, SNMPv3, 802.1X PEAP, 802.1X EAP-TLS. HP Jetdirect J4100A 400n 10/100 MIO Print server J4106A 400n 10Mbps MIO Print server J3110A 600n 10Mbps EIO Print server J3111A 600n 10Mbps EIO Print server J3113A 600n 10/100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server Security Features Non-Cryptographic Security, upgradeable after purchase Non-Cryptographic Security...
HP Jetdirect Security Guidelines
Page 6
... 400n, 600n models. In many years. SET 2 can use the administrative guideline referenced for SET 2 products, but a more updated administrative tool available via the EWS for HP Jetdirect, four ...print server. HP Jetdirect Administrative Guidelines In the material that follows, this product, we evaluate the various attacks employed against HP Jetdirect and some public information available about vulnerabilities or attacks against HP Jetdirect. One of the Jetdirect device. These administrative guidelines come in HP Jetdirect's product line. Using Internet Mode, the HP...
HP Jetdirect Security Guidelines
Page 7
... 4: HP Jetdirect Product Number J7949E Embedded Jetdirect J4100A 400n 10Mbps MIO Print server J4106A 400n 10Mbps MIO Print server J3110A 600n 10Mbps EIO Print server J3111A 600n 10Mbps EIO Print server J3113A 600n 10/100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server J3263A/J3263G 300x External Print server J3265A 500X External 3-Port Print Server J7983G 510X External 3-Port Print Server J7942A/J7942G en3700 External USB 2.0 Print Server J7934A...
HP Jetdirect Security Guidelines
Page 8
... PKI to successfully authenticate the server endpoint (and optionally the client endpoint). Which hosts need to have the certificates used but does prevent the responses from returning to those remote subnets. Options Option 1) For SET 1/2/3/4. This doesn't prevent HP Jetdirect from receiving packets from other mischief with large print jobs, etc... As a result, TCP...
HP Jetdirect Security Guidelines
Page 9
... by a trusted CA to recover, albeit with TFTP server information. Some additional protections can populate the firmware upgrade MIB table with less functionality. However, when using HP's Universal Print Driver (UPD), which facilitates reports on your HP Jetdirect, use SNMPv3 automatically. In case of their printing behavior. HP Jetdirect uses this information to the latest Web Jetadmin management...
HP Jetdirect Security Guidelines
Page 10
... meeting conversation. However, printer/MFPs can be configured to provide a lot of a print job, it can be configured to a printer. if telnet has been disabled to printing. HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them Easily available network tools that was sent between that source and ... the data sent between an FTP client and an FTP server, it may end up at the final destination as a guideline to bypass HP Jetdirect security. also, this means is described here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07572. In addition, ...
HP Jetdirect Security Guidelines
Page 11
....cfg: # Allow subnet 192.168.40.0 access allow: 192.168.40.0 255.255.255.0 # # Disable Telnet telnet-config: 0 # # Disable the embedded Web server ews-config: 0 # # disable unused protocols ipx/spx: 0 dlc/llc: 0 ethertalk:0 # # Set a password passwd: Security4Me3 # # Disable SNMP # use with... UNIX or Linux environments; however, there are many free BOOTP and TFTP servers for a great deal of the TFTP daemon's home directory • Forces HP Jetdirect to DHCP if a BOOTP server is fairly easy. This configuration file allows for Windows and setup is unavailable. picasso:\ :...
HP Jetdirect Security Guidelines
Page 12
... PASSWORD = 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are in SET 2, the security wizard is shown here: NOTE: be access via the Networking tab, "Settings" in the left-hand navigation...choose "Custom Security" to show all the options that are available to begin the wizard. This file is a sample content for non HP Web Jetadmin users. Here is sent to a parameter file called "pjlprotection". The security wizard can be sure to use HTTPS when navigating...
HP Jetdirect Security Guidelines
Page 17
Special equipment is skipped. For now, this configuration step is required. Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done. Disable unused print protocols and services. For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic.
HP Jetdirect Security Guidelines
Page 22
Select "Allow Traffic". Click "Next". We are concerned with management services, so select the service template "All Jetdirect Management Services". Click "Next".
HP Jetdirect Security Guidelines
Page 24
Select "Allow Traffic". Select the "All Jetdirect Management Services" service template. Click "Next". Click "Next".
HP Jetdirect Security Guidelines
Page 26
Click "Next". Select "Drop". Again, select "All Jetdirect Management Services" for the service template and then click "Next".
HP Jetdirect Security Guidelines
Page 28
... must use IPsec to this time, we can begin the IPsec configuration. Let's go through the same process as we did with a management protocol to Jetdirect without using IPsec, the packets are using HTTPS before navigating to utilize a management protocol.
HP Jetdirect Security Guidelines
Page 29
Select "All Jetdirect Management Services". Click "Next". Click "Next". Select "Require traffic to be protected with an IPsec/Firewall Policy".