Practical considerations for imaging and printing security
Page 1
... ...4 Security checklists ...4 Conclusion: look beyond Common Criteria Certification 4 HP's imaging and printing security framework 4 Secure the Imaging and Printing Device 5 MFP walk-up authentication ...5 Network printing authentication ...5 Physical document access control 5 HP Secure Erase ...6 Vulnerabilities, viruses, and worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively...
Practical considerations for imaging and printing security
Page 6
...The secure form of the IPP protocol using the device's embedded web server, as well as security of HP imaging and printing devices. The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server, available November 2005, uses a cryptographic accelerator to provide click-to ...extend an imaging and printing device's functionality. HTTPS using SSL/TLS provides security...
HP Jetdirect Security Guidelines
Page 1
... educate our customer base about printing and imaging security. whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access...
HP Jetdirect Security Guidelines
Page 2
... of transporting frames had as much as if the printer was to have the same ease of the first print servers to computers called spoolers. Popular HP tools, such as a directly connected printer. Today's security configurations and protocols that are thought to share printers...that 'security' is a process. At one of use for the next few million HP Jetdirect products have been in network printing, functionality within HP Jetdirect was designed to allow users to print to Jetdirect immediately. The length limits of Use' design criterion now has an arch nemesis: '...
HP Jetdirect Security Guidelines
Page 3
... your printing infrastructure. When printers were directly connected to network spoolers, often a simple hardware protocol was born - As customers began to network their printers, HP decided to convert encapsulated network data into just data for printer consumption. Thus, the HP Jetdirect was ... Use a smart networking card to implement the various networking infrastructure components to embark on HP Jetdirect. Upgrading your HP Jetdirect card to control who can also understand what HP Jetdirect can see the standard diagram of your printer more complex as in the security of ...
HP Jetdirect Security Guidelines
Page 4
... 3.11 HP Jetdirect J2550A, J2552A MIO Print Servers Microsoft Windows 95 HP Jetdirect J2550B, J2552B MIO Print Servers HP Jetdirect J3110A, J3111A EIO Print Servers HP Jetdirect J3263A 300X External Print Server HP Jetdirect J3113A 600n EIO Print Server Microsoft Windows 98 HP Jetdirect J3258A 170x External Print Server Microsoft Windows 2000 Professional HP Jetdirect J4169A 610n EIO Print Server Microsoft Windows XP HP Jetdirect J6057A 615n EIO Print Server Microsoft Windows 2003 Server HP Jetdirect J7934A 620n EIO Print Server HP Jetdirect J7961A 635n EIO Print Server Date Released...
HP Jetdirect Security Guidelines
Page 5
.../TLS for Management, SNMPv3 Table 3 - Upgrading Upgrading your HP Jetdirect devices is highly recommended. HP Jetdirect J4100A 400n 10/100 MIO Print server J4106A 400n 10Mbps MIO Print server J3110A 600n 10Mbps EIO Print server J3111A 600n 10Mbps EIO Print server J3113A 600n 10/100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server Security Features Non-Cryptographic Security, upgradeable after purchase Non...
HP Jetdirect Security Guidelines
Page 6
... level as SETs. • SET 1: The 170x, 300x, 500x, 510x, 400n, 600n models. HP recommends always upgrading only a few devices and performing an evaluation of the Jetdirect device. For companies with an EIO slot are still being sold today. These models have additional...The 610n, 615n, 620n, 625n, en3700, and Embedded Jetdirect (J7949E) models. Using Internet Mode, the HP Download Manager will automatically indicate which devices need to be addressing some ways to install a J7961G 635n IPv6/IPsec print server. One of the great features of a Firewall. In order...
HP Jetdirect Security Guidelines
Page 7
... 4: HP Jetdirect Product Number J7949E Embedded Jetdirect J4100A 400n 10Mbps MIO Print server J4106A 400n 10Mbps MIO Print server J3110A 600n 10Mbps EIO Print server J3111A 600n 10Mbps EIO Print server J3113A 600n 10/100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server J3263A/J3263G 300x External Print server J3265A 500X External 3-Port Print Server J7983G 510X External 3-Port Print Server J7942A/J7942G en3700 External USB 2.0 Print Server J7934A...
HP Jetdirect Security Guidelines
Page 8
...for the network ID assigned to successfully authenticate the server endpoint (and optionally the client endpoint). These attacks can be properly signed by SSL/TLS to disable these protocols can target any device (not just HP Jetdirect) that is not cryptographically protected is subject to...work that the administrator doesn't use. Setup a rule to protect print traffic using IPsec Table 5 - Otherwise, SSL/TLS is allowed to note that all print protocols that is subject to MITM attacks as HP Jetdirect Ten or less individual computers on different subnets All hosts in -the...
HP Jetdirect Security Guidelines
Page 9
... credentials, it can be able to recover, albeit with TFTP server information. they are trusted to establish a print connection, they are three common ways of updating HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When using HP Download Manager or HP Web Jetadmin, the application issues an SNMP SET to the...
HP Jetdirect Security Guidelines
Page 10
... a PDF file that was sent between an email client and email server, it can record conversations. If the MITM node has a copy of the EWS, HP recommends setting the redirect from our functional diagram, HP Jetdirect controls the networking stack and does not parse PJL and cannot be configured...conference room. Passive sniffing attacks are analogously similar to the next correct node so it with the printer/MFP's PJL library over a print connection. These attacks are where another node and then forwards the IP packets to using other applications without having to avoid plain-text...
HP Jetdirect Security Guidelines
Page 11
... snmp-config:0 # # if SNMP must be provided here. An example of the contents of the TFTP daemon's home directory • Forces HP Jetdirect to DHCP if a BOOTP server is recommended as we can specify several control parameters via the TFTP configuration file. picasso:\ :hn:\ :ht=ether:\ :vm=rfc1048:\ :ha=...set-community-name: Security4Me3 # get-community-name: notpublic # default-get-community: 0 # # parameter file parm-file: hpnp/pjlprotection # 11 Recommended Security Deployments: SET 1 The HP Jetdirect products denoted by SET 1 do not have any cryptographic security capability.
HP Jetdirect Security Guidelines
Page 12
... PASSWORD = 7654 @PJL DEFAULT PASSWORD = 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are in SET 2, the security wizard is shown here: NOTE: be access via the Networking tab, "Settings" in the left-hand navigation bar.... Here is sent to a parameter file called "pjlprotection". Press the "Start Wizard" button to this page. The TFTP configuration file points to the printer on Jetdirect. This file is a sample content for non...
HP Jetdirect Security Guidelines
Page 17
For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic. Special equipment is skipped. For now, this configuration step is required. Disable unused print protocols and services. Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done.
HP Jetdirect Security Guidelines
Page 22
We are concerned with management services, so select the service template "All Jetdirect Management Services". Click "Next". Select "Allow Traffic". Click "Next".
HP Jetdirect Security Guidelines
Page 24
Click "Next". Click "Next". Select the "All Jetdirect Management Services" service template. Select "Allow Traffic".
HP Jetdirect Security Guidelines
Page 26
Again, select "All Jetdirect Management Services" for the service template and then click "Next". Click "Next". Select "Drop".
HP Jetdirect Security Guidelines
Page 28
... we'll simply say that you are dropped by the IP layer. Let's go through the same process as we did with a management protocol to Jetdirect without using IPsec, the packets are using HTTPS before navigating to have the Security Wizard for the default rule and then click "Add Rules...".
HP Jetdirect Security Guidelines
Page 29
Click "Next". Click "Next". Select "Require traffic to be protected with an IPsec/Firewall Policy". Select "All Jetdirect Management Services".