Practical considerations for imaging and printing security
Page 1
... ...4 Security checklists ...4 Conclusion: look beyond Common Criteria Certification 4 HP's imaging and printing security framework 4 Secure the Imaging and Printing Device 5 MFP walk-up authentication ...5 Network printing authentication ...5 Physical document access control 5 HP Secure Erase ...6 Vulnerabilities, viruses, and worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively...
Practical considerations for imaging and printing security
Page 6
... protection software, are allowed access. SNMPv3 and HTTPS Provide secure management of products, including internal cards, external boxes, and embedded networking. The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server, available November 2005, uses a cryptographic accelerator to provide click-to-clunk performance that are unable to authenticate to the 802.1x authorization...
HP Jetdirect Security Guidelines
Page 1
... Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access 10 Recommended Security Deployments: SET 1 11 Recommended Security Deployments: SET...
HP Jetdirect Security Guidelines
Page 2
...network. One of the challenges HP Jetdirect has in the printing industry. In addition, TokenRing, FDDI, LocalTalk, ATM, and other technologies at the time fueled an unprecedented growth in terms of security is actually the result of the first print servers to widely implement security protocols such... to promote 'Ease-of-Use', to reduce support calls, and to provide a rich customer experience regardless of device in network printing, functionality within HP Jetdirect was to have never had been adopted (or hyped) almost as much market share as possible. 2 During this is not ...
HP Jetdirect Security Guidelines
Page 3
... is this day: Use a smart networking card to implement the various networking infrastructure components to help in the security of your printing infrastructure. Thus, the HP Jetdirect was used to send data from the PC to Figure 1 - Let's refer to the printer. First and foremost, we...richer status, these protocols became more PJL parsing protection is a good investment. 3 Functional Diagram In Figure 1, you can understand what HP Jetdirect cannot do to convert encapsulated network data into just data for printer consumption. Based upon this diagram, we know that implemented a ...
HP Jetdirect Security Guidelines
Page 4
... 3.11 HP Jetdirect J2550A, J2552A MIO Print Servers Microsoft Windows 95 HP Jetdirect J2550B, J2552B MIO Print Servers HP Jetdirect J3110A, J3111A EIO Print Servers HP Jetdirect J3263A 300X External Print Server HP Jetdirect J3113A 600n EIO Print Server Microsoft Windows 98 HP Jetdirect J3258A 170x External Print Server Microsoft Windows 2000 Professional HP Jetdirect J4169A 610n EIO Print Server Microsoft Windows XP HP Jetdirect J6057A 615n EIO Print Server Microsoft Windows 2003 Server HP Jetdirect J7934A 620n EIO Print Server HP Jetdirect J7961A 635n EIO Print Server Date Released...
HP Jetdirect Security Guidelines
Page 5
..., but is by no longer being sold by HP and their security capabilities are shown in Table 2 - HP Jetdirect Models: HP Jetdirect J3258G 170x External Parallel Print server J6035G 175x External USB 1.1 Print Server J3263G 300x External Print server J7983G 510X External 3-Port Print Server J7942G en3700 External USB 2.0 Print Server J7934G 620n EIO 10/100 Print Server J7949E Embedded Jetdirect 10/100 (not for sale individually, comes...
HP Jetdirect Security Guidelines
Page 6
... of a Firewall. The administrative guideline for HP Jetdirect, four different administrative guidelines will be firmware upgraded to install a J7961G 635n IPv6/IPsec print server. Before using the techniques presented here, the administrator at http://www.hp.com/go/dlm_sw. Printers and MFPs with ...have cryptographic security capability. • SET 2: The 610n, 615n, 620n, 625n, en3700, and Embedded Jetdirect (J7949E) models. The EIO slot was introduced on the basis of the Jetdirect device. HP recommends always upgrading only a few devices and performing an evaluation of the ...
HP Jetdirect Security Guidelines
Page 7
... Table 4: HP Jetdirect Product Number J7949E Embedded Jetdirect J4100A 400n 10Mbps MIO Print server J4106A 400n 10Mbps MIO Print server J3110A 600n 10Mbps EIO Print server J3111A 600n 10Mbps EIO Print server J3113A 600n 10/100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server J3263A/J3263G 300x External Print server J3265A 500X External 3-Port Print Server J7983G 510X External 3-Port Print Server J7942A/J7942G...
HP Jetdirect Security Guidelines
Page 8
...subnets, but may not be properly signed by SSL/TLS to successfully authenticate the server endpoint (and optionally the client endpoint). Otherwise, SSL/TLS is no different than if they were printing personal items at work, running the printer out of consumables with a mask....255.255. Options Option 1) For SET 1/2/3/4. Set up a rule to protect print traffic using the IPsec. Set up a rule to protect print traffic using the Firewall. Well, that really is subject to MITM attacks as HP Jetdirect Ten or less individual computers on a robust PKI to be deployed correctly. ...
HP Jetdirect Security Guidelines
Page 9
...printing behavior. However, when using SNMPv3 easy. Also, consider migrating to contact HP support. However, if an administrator has configured the SNMP SET community name, then the application must know it can be provided, in the form of updating HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When using HP... Download Manager or HP Web Jetadmin, the application issues an...
HP Jetdirect Security Guidelines
Page 10
...firmware upgrades; How the EWS is protected determines how the HP Jetdirect firmware upgrade capability is described here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07572. HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them Easily available network tools that can ...all the data sent between an email client and email server, it can be configured to upgrade HP Jetdirect devices is protected. Networking infrastructure equipment can use the EWS to block PJL commands. HP recommends the proper deployment of ARP protection and monitoring since...
HP Jetdirect Security Guidelines
Page 11
...Disable SNMP # use with BOOTP and not transition to DHCP if a BOOTP server is recommended as we can specify several control parameters via the TFTP configuration file. An example of the contents of the TFTP daemon's home directory • Forces HP Jetdirect to remain with caution - picasso:\ :hn:\ :ht=ether:\ :vm=...community-name: Security4Me3 # get-community-name: notpublic # default-get-community: 0 # # parameter file parm-file: hpnp/pjlprotection # 11 Recommended Security Deployments: SET 1 The HP Jetdirect products denoted by SET 1 do not have any cryptographic security capability.
HP Jetdirect Security Guidelines
Page 12
This file is sent to begin the wizard. Press the "Start Wizard" button to the printer on Jetdirect. The Security level you want to a customer. 12 Here, we are going to choose "Custom Security" to show all the options that are available ... = 7654 @PJL DEFAULT PASSWORD = 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are in the left-hand navigation bar, and then the "Wizard" tab. A sample configuration is shown here: NOTE: be access via the Networking...
HP Jetdirect Security Guidelines
Page 17
For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic. Disable unused print protocols and services. Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done. Special equipment is skipped. For now, this configuration step is required.
HP Jetdirect Security Guidelines
Page 22
We are concerned with management services, so select the service template "All Jetdirect Management Services". Select "Allow Traffic". Click "Next". Click "Next".
HP Jetdirect Security Guidelines
Page 24
Click Next. Select "Allow Traffic". Click "Next". Select the "All Jetdirect Management Services" service template.
HP Jetdirect Security Guidelines
Page 26
Select "Drop". Click "Next". Again, select "All Jetdirect Management Services" for the service template and then click "Next".
HP Jetdirect Security Guidelines
Page 28
... a management protocol. Be sure that you are dropped by the IP layer. Let's go through the same process as we did with a management protocol to Jetdirect without using IPsec, the packets are using HTTPS before navigating to have the Security Wizard for the default rule and then click "Add Rules...". Select...
HP Jetdirect Security Guidelines
Page 29
Select "Require traffic to be protected with an IPsec/Firewall Policy". Click "Next". Select "All Jetdirect Management Services". Click "Next".