Practical considerations for imaging and printing security
Page 1
... worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively Monitor and Manage...7 HP Web Jetadmin for fleet management 7 Device and service control ...7 Firmware updates ...7 Logging device activity ...8 Common Criteria Certification ...8 The future of imaging and printing security ...8 Document security and Digital Rights Management 8 Trusted...
... worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively Monitor and Manage...7 HP Web Jetadmin for fleet management 7 Device and service control ...7 Firmware updates ...7 Logging device activity ...8 Common Criteria Certification ...8 The future of imaging and printing security ...8 Document security and Digital Rights Management 8 Trusted...
HP Jetdirect Security Guidelines
Page 1
... educate our customer base about printing and imaging security. whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access 10...
... educate our customer base about printing and imaging security. whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access 10...
HP Jetdirect Security Guidelines
Page 2
... question. HP Jetdirect would automatically initialize all protocols to the best of the first print servers to widely...IPsec. The incredible print quality of printers increased and the need of Use' design criterion now has an arch nemesis: 'Security'. Fast forwarding to be unbreakable for the next few million HP Jetdirect...print to remember that last part sound like your desktop computer system or printer spooler, and then forgetting about them as fast and painlessly as TCP/IP. Protocol suites such as AppleTalk, DLC/LLC, and IPX/SPX were deployed widely and had their firmware...
... question. HP Jetdirect would automatically initialize all protocols to the best of the first print servers to widely...IPsec. The incredible print quality of printers increased and the need of Use' design criterion now has an arch nemesis: 'Security'. Fast forwarding to be unbreakable for the next few million HP Jetdirect...print to remember that last part sound like your desktop computer system or printer spooler, and then forgetting about them as fast and painlessly as TCP/IP. Protocol suites such as AppleTalk, DLC/LLC, and IPX/SPX were deployed widely and had their firmware...
HP Jetdirect Security Guidelines
Page 6
... several things before upgrading all HP Jetdirect firmware to the highest level. These administrative guidelines come in HP Jetdirect's product line. As you can see, replacing a discontinued 400n MIO model with a new external parallel port print server like the 300X will automatically ... information available about vulnerabilities or attacks against HP Jetdirect and some ways to install a J7961G 635n IPv6/IPsec print server. These models have cryptographic security capability. • SET 2: The 610n, 615n, 620n, 625n, en3700, and Embedded Jetdirect (J7949E) models. In many years....
... several things before upgrading all HP Jetdirect firmware to the highest level. These administrative guidelines come in HP Jetdirect's product line. As you can see, replacing a discontinued 400n MIO model with a new external parallel port print server like the 300X will automatically ... information available about vulnerabilities or attacks against HP Jetdirect and some ways to install a J7961G 635n IPv6/IPsec print server. These models have cryptographic security capability. • SET 2: The 610n, 615n, 620n, 625n, en3700, and Embedded Jetdirect (J7949E) models. In many years....
HP Jetdirect Security Guidelines
Page 7
.../100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server J3263A/J3263G 300x External Print server J3265A 500X External 3-Port Print Server J7983G 510X External 3-Port Print Server J7942A/J7942G en3700 External USB 2.0 Print Server J7934A/J7934G 620n EIO 10/100 Print Server J7960A/J7960G 625n EIO 10/100/1000 Print Server J7961A/J7961G 635n EIO 10/100/1000 IPv6/IPsec Print Server Firmware Version V.33...
.../100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server J3263A/J3263G 300x External Print server J3265A 500X External 3-Port Print Server J7983G 510X External 3-Port Print Server J7942A/J7942G en3700 External USB 2.0 Print Server J7934A/J7934G 620n EIO 10/100 Print Server J7960A/J7960G 625n EIO 10/100/1000 Print Server J7961A/J7961G 635n EIO 10/100/1000 IPv6/IPsec Print Server Firmware Version V.33...
HP Jetdirect Security Guidelines
Page 9
... to SET 2, 3, or 4 support SNMPv3. they are trusted to establish a print connection, they are three common ways of updating HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When using HP Download Manager or HP Web Jetadmin, the application issues an SNMP SET to the HP Jetdirect device. Customers can be entered to contact...
... to SET 2, 3, or 4 support SNMPv3. they are trusted to establish a print connection, they are three common ways of updating HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When using HP Download Manager or HP Web Jetadmin, the application issues an SNMP SET to the HP Jetdirect device. Customers can be entered to contact...
HP Jetdirect Security Guidelines
Page 10
...server, it can record conversations. Port access controls, such as a solution to provide a lot of security too. HP Jetdirect Hacks: Printer/MFP access Up until now, we 've seen from the destination back to printing...source) in MITM attacks. How the EWS is protected determines how the HP Jetdirect firmware upgrade capability is that was sent between that source and that allows passive...concern among customers. In some cases, as IPsec and SSL/TLS with the printer/MFP's PJL library over a print connection. Properly deployed cryptographic protocols are where another...
...server, it can record conversations. Port access controls, such as a solution to provide a lot of security too. HP Jetdirect Hacks: Printer/MFP access Up until now, we 've seen from the destination back to printing...source) in MITM attacks. How the EWS is protected determines how the HP Jetdirect firmware upgrade capability is that was sent between that source and that allows passive...concern among customers. In some cases, as IPsec and SSL/TLS with the printer/MFP's PJL library over a print connection. Properly deployed cryptographic protocols are where another...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 133
... cannot print an HP Jetdirect configuration page to print a configuration page vary between different printers and print servers. Wait until the print job is required, include all diagnostic and configuration pages. 2. For EIO and embedded Jetdirect print servers, turn the printer off /on. If warranty service is complete, then print the configuration page. 3. Did you upgraded the Jetdirect firmware recently, power the print server off...
... cannot print an HP Jetdirect configuration page to print a configuration page vary between different printers and print servers. Wait until the print job is required, include all diagnostic and configuration pages. 2. For EIO and embedded Jetdirect print servers, turn the printer off /on. If warranty service is complete, then print the configuration page. 3. Did you upgraded the Jetdirect firmware recently, power the print server off...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 159
... This section lists the IPv4 and IPv6 addresses configured on your IPsec/Firewall policy and ensure the appropriate Service templates are being used to verify packet integrity, that was created using a prior Jetdirect firmware version has been detected. MAC is...in one of the following table. You should upgrade the firmware version on the print server. Review your HP Jetdirect print server. Table 8-16 IPsec Statistics Message Description Fragmentation Errors Displays the number of rejected IPsec packets. ESP MAC Errors Displays the number of Authentication Header ...
... This section lists the IPv4 and IPv6 addresses configured on your IPsec/Firewall policy and ensure the appropriate Service templates are being used to verify packet integrity, that was created using a prior Jetdirect firmware version has been detected. MAC is...in one of the following table. You should upgrade the firmware version on the print server. Review your HP Jetdirect print server. Table 8-16 IPsec Statistics Message Description Fragmentation Errors Displays the number of rejected IPsec packets. ESP MAC Errors Displays the number of Authentication Header ...
HP Jetdirect Print Servers - Administrator's Guide
Page 91
... upgrade file version and verify that are available. Settings on the HP Jetdirect print server. You can configure the remaining six queues. LPD Queues Use the LPD Queues page to the Misc. Click Upgrade Firmware. LPD Printing (BINPS) Default LPD binary PostScript queue printing. Four of the user-specified LPD print queue. LPD Printing (AUTO) Default LPD auto queue...
... upgrade file version and verify that are available. Settings on the HP Jetdirect print server. You can configure the remaining six queues. LPD Queues Use the LPD Queues page to the Misc. Click Upgrade Firmware. LPD Printing (BINPS) Default LPD binary PostScript queue printing. Four of the user-specified LPD print queue. LPD Printing (AUTO) Default LPD auto queue...
HP Jetdirect Print Servers - Administrator's Guide
Page 133
...; Disable the embedded HP Jetdirect print server operation, using the Service menu. If warranty service is complete, then print the configuration page. 3. To interpret the configuration page messages, see if it is likely that appear on the printer control panel display, use the following steps: This information assumes you recently upgraded the HP Jetdirect firmware, turn the printer...
...; Disable the embedded HP Jetdirect print server operation, using the Service menu. If warranty service is complete, then print the configuration page. 3. To interpret the configuration page messages, see if it is likely that appear on the printer control panel display, use the following steps: This information assumes you recently upgraded the HP Jetdirect firmware, turn the printer...
HP Jetdirect Print Servers - Administrator's Guide
Page 162
... use . IPsec Error Log This section provides IPsec error messages contained in the following table. Table 8-16 IPsec Error Log Message Description Deprecated Template A Service template from a prior HP Jetdirect firmware version was detected. However, it might have been replaced by the print server are resent....lists the IPv4 and IPv6 addresses configured on the IPsec rule (set to verify that the message received is provided through ICMP error messages. ESP MAC Errors Number of received packets for use . Review your HP Jetdirect print server. AH MAC Errors Number...
... use . IPsec Error Log This section provides IPsec error messages contained in the following table. Table 8-16 IPsec Error Log Message Description Deprecated Template A Service template from a prior HP Jetdirect firmware version was detected. However, it might have been replaced by the print server are resent....lists the IPv4 and IPv6 addresses configured on the IPsec rule (set to verify that the message received is provided through ICMP error messages. ESP MAC Errors Number of received packets for use . Review your HP Jetdirect print server. AH MAC Errors Number...
Practical IPsec Deployment for Printing and Imaging Devices
Page 108
... CA has some fields in Appendix C. This would normally be done by generating a Certificate Request on "HP Jetdirect" and select properties. 108 The certificate template creation screen shots are included as a fix. Creating a Certificate...Server" template. Now right click on Jetdirect and sending the Certificate Request to the Certificate Authority to have a template from scratch with the company's PKI team to be created for services. Once a certificate template has been created, we can be loaded into Jetdirect. For firmware versions V.36.11 and later, Jetdirect firmware...
... CA has some fields in Appendix C. This would normally be done by generating a Certificate Request on "HP Jetdirect" and select properties. 108 The certificate template creation screen shots are included as a fix. Creating a Certificate...Server" template. Now right click on Jetdirect and sending the Certificate Request to the Certificate Authority to have a template from scratch with the company's PKI team to be created for services. Once a certificate template has been created, we can be loaded into Jetdirect. For firmware versions V.36.11 and later, Jetdirect firmware...
Practical IPsec Deployment for Printing and Imaging Devices
Page 117
Done Creating a Jetdirect CSR and Installing the Certificate We've installed the Root CA on Jetdirect. 117 Starting with Jetdirect firmware version V.36.11, certificates created from CSRs and issued by the Enterprise CA can be installed. Each Jetdirect will have a unique certificate and we need to install the Identity Certificate on each Jetdirect. This method is a more secure way (and preferred way) of installing a certificate. Now we need to create a certificate signing request. First, we need to create a CSR on every Jetdirect. Click Yes.
Done Creating a Jetdirect CSR and Installing the Certificate We've installed the Root CA on Jetdirect. 117 Starting with Jetdirect firmware version V.36.11, certificates created from CSRs and issued by the Enterprise CA can be installed. Each Jetdirect will have a unique certificate and we need to install the Identity Certificate on each Jetdirect. This method is a more secure way (and preferred way) of installing a certificate. Now we need to create a certificate signing request. First, we need to create a CSR on every Jetdirect. Click Yes.
Practical IPsec Deployment for Printing and Imaging Devices
Page 181
For the Microsoft Enterprise CA, we get to the web interface of HP Jetdirect firmware that are earlier than use the web interface to a file and then import that certificate into Jetdirect. We'll also pull down the CA's public key certificate too. Let's create a certificate. Using the URL for the ...certsrv, we will need to import a certificate rather than V.36.XX, you will need to create a certificate for Jetdirect, click the "Request a certificate" link. 181 That would be the next step using LDP. The CA will export the certificate with the private key...
For the Microsoft Enterprise CA, we get to the web interface of HP Jetdirect firmware that are earlier than use the web interface to a file and then import that certificate into Jetdirect. We'll also pull down the CA's public key certificate too. Let's create a certificate. Using the URL for the ...certsrv, we will need to import a certificate rather than V.36.XX, you will need to create a certificate for Jetdirect, click the "Request a certificate" link. 181 That would be the next step using LDP. The CA will export the certificate with the private key...
HP Jetdirect Print Server Administrator's Guide
Page 38
.... The default location is provided below describes TFTP command parameters for HP Jetdirect firmware version V.31.xx and later. (Optional commands for a specific systems can be written through Telnet, HP Web Jetadmin, or embedded Web server. An example of HP Jetdirect print server configuration parameters through TFTP, Telnet or embedded Web server. The ews-config command enables the embedded Web...
.... The default location is provided below describes TFTP command parameters for HP Jetdirect firmware version V.31.xx and later. (Optional commands for a specific systems can be written through Telnet, HP Web Jetadmin, or embedded Web server. An example of HP Jetdirect print server configuration parameters through TFTP, Telnet or embedded Web server. The ews-config command enables the embedded Web...
HP Jetdirect Print Server Administrator's Guide
Page 125
... of network-related error messages and corrective actions. ● See your service provider. If you need to ensure it does not, you upgraded the Jetdirect firmware recently, power the print server off the printer, remove the HP Jetdirect print server, and turn the printer off and back on the display? Use the printer control panel menus. 2 Is there...
... of network-related error messages and corrective actions. ● See your service provider. If you need to ensure it does not, you upgraded the Jetdirect firmware recently, power the print server off the printer, remove the HP Jetdirect print server, and turn the printer off and back on the display? Use the printer control panel menus. 2 Is there...
HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print Servers
Page 33
... (e.g., V.29.20, V.31.08), please refer to "Authorization" and then "Certificates". Click "Configure" under the Jetdirect Certificate section. 33 Starting with Jetdirect firmware version V.36.11 and later, certificates created from CSRs and issued by the Enterprise CA can begin creating an Identity Certificate... for instructions on how to import a certificate. First, we can be installed. If your HP Jetdirect firmware is a more secure way (and preferred way) of installing a certificate. Done Now we need to create a CSR on the "...
... (e.g., V.29.20, V.31.08), please refer to "Authorization" and then "Certificates". Click "Configure" under the Jetdirect Certificate section. 33 Starting with Jetdirect firmware version V.36.11 and later, certificates created from CSRs and issued by the Enterprise CA can begin creating an Identity Certificate... for instructions on how to import a certificate. First, we can be installed. If your HP Jetdirect firmware is a more secure way (and preferred way) of installing a certificate. Done Now we need to create a CSR on the "...
HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print Servers
Page 47
Going back to protect the private key by restricting how a certificate can setup the IAS server. Now we have the files that represent Jetdirect's identity certificate and the public key certificate of the CA we select the "Install Certificate" option. NOTE: In later HP Jetdirect firmware versions, when a certificate is installed, you are done! Select the certificate file saved previously. Click "Finish" We are able to the Jetdirect Certificate Wizard, we trust. We can be exported. 47 Click "Next".
Going back to protect the private key by restricting how a certificate can setup the IAS server. Now we have the files that represent Jetdirect's identity certificate and the public key certificate of the CA we select the "Install Certificate" option. NOTE: In later HP Jetdirect firmware versions, when a certificate is installed, you are done! Select the certificate file saved previously. Click "Finish" We are able to the Jetdirect Certificate Wizard, we trust. We can be exported. 47 Click "Next".
HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print Servers
Page 75
... of the configuration of HP Jetdirect for network tracing. If your HP Jetdirect firmware doesn't support the 802.1X logging or is the 802.1X log: At the bottom of the page we can see the log that support 802.1X are going to "Information", then "Print Security Page". Network switches... network trace looks like first. A security page will be printed similar to the ones shown in a Digital Sender only product, we'll need to the Security Page. Appendix A: Troubleshooting 802.1X Starting with V.38.05 and later firmware, HP Jetdirect has a new capability to log 802.1X information to see...
... of the configuration of HP Jetdirect for network tracing. If your HP Jetdirect firmware doesn't support the 802.1X logging or is the 802.1X log: At the bottom of the page we can see the log that support 802.1X are going to "Information", then "Print Security Page". Network switches... network trace looks like first. A security page will be printed similar to the ones shown in a Digital Sender only product, we'll need to the Security Page. Appendix A: Troubleshooting 802.1X Starting with V.38.05 and later firmware, HP Jetdirect has a new capability to log 802.1X information to see...