Practical considerations for imaging and printing security
Page 1
... ...4 Security checklists ...4 Conclusion: look beyond Common Criteria Certification 4 HP's imaging and printing security framework 4 Secure the Imaging and Printing Device 5 MFP walk-up authentication ...5 Network printing authentication ...5 Physical document access control 5 HP Secure Erase ...6 Vulnerabilities, viruses, and worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively...
... ...4 Security checklists ...4 Conclusion: look beyond Common Criteria Certification 4 HP's imaging and printing security framework 4 Secure the Imaging and Printing Device 5 MFP walk-up authentication ...5 Network printing authentication ...5 Physical document access control 5 HP Secure Erase ...6 Vulnerabilities, viruses, and worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively...
Practical considerations for imaging and printing security
Page 6
..., Chailets should only be used for Wired Networks Provides access control to the Ethernet network. The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server, available November 2005, uses a cryptographic accelerator to provide click-to the 802.1x authorization server have been affected little by maintaining their integrity. Vulnerabilities, viruses, and worms Vulnerability assessments are unable...
..., Chailets should only be used for Wired Networks Provides access control to the Ethernet network. The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server, available November 2005, uses a cryptographic accelerator to provide click-to the 802.1x authorization server have been affected little by maintaining their integrity. Vulnerabilities, viruses, and worms Vulnerability assessments are unable...
HP Jetdirect Security Guidelines
Page 1
... addressed. This whitepaper is HP doing about preventing those attacks. whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP...
... addressed. This whitepaper is HP doing about preventing those attacks. whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP...
HP Jetdirect Security Guidelines
Page 2
...' is to provide a rich customer experience regardless of thousands, and perhaps a few years may in the printing industry. Does that this growth period in network printing, functionality within HP Jetdirect was directly connected to find out, "plug-n-play" and "security" often do not belong in use as... via parallel ports or serial ports to widely implement security protocols such as SSL/TLS, SNMPv3, 802.1X, and IPsec. The complexity and capability of the first print servers to computers called spoolers. An 'Ease of being "plug-n-play " on the network. At the other extreme,...
...' is to provide a rich customer experience regardless of thousands, and perhaps a few years may in the printing industry. Does that this growth period in network printing, functionality within HP Jetdirect was directly connected to find out, "plug-n-play" and "security" often do not belong in use as... via parallel ports or serial ports to widely implement security protocols such as SSL/TLS, SNMPv3, 802.1X, and IPsec. The complexity and capability of the first print servers to computers called spoolers. An 'Ease of being "plug-n-play " on the network. At the other extreme,...
HP Jetdirect Security Guidelines
Page 3
...1284.4. Let's refer to the printer. First and foremost, we can understand what HP Jetdirect can also understand what HP Jetdirect cannot do to embark on HP Jetdirect. one of your printing infrastructure. Secondly, we know that still remains in use to this day: Use a... good investment. This diagram is by no means comprehensive, but does convey the difference between HP Jetdirect and Printer/MFP platforms. Why is an HP Jetdirect? Upgrading your HP Jetdirect card to convert encapsulated network data into just data for printer consumption. Functional Diagram In Figure...
...1284.4. Let's refer to the printer. First and foremost, we can understand what HP Jetdirect can also understand what HP Jetdirect cannot do to embark on HP Jetdirect. one of your printing infrastructure. Secondly, we know that still remains in use to this day: Use a... good investment. This diagram is by no means comprehensive, but does convey the difference between HP Jetdirect and Printer/MFP platforms. Why is an HP Jetdirect? Upgrading your HP Jetdirect card to convert encapsulated network data into just data for printer consumption. Functional Diagram In Figure...
HP Jetdirect Security Guidelines
Page 4
... 3.11 HP Jetdirect J2550A, J2552A MIO Print Servers Microsoft Windows 95 HP Jetdirect J2550B, J2552B MIO Print Servers HP Jetdirect J3110A, J3111A EIO Print Servers HP Jetdirect J3263A 300X External Print Server HP Jetdirect J3113A 600n EIO Print Server Microsoft Windows 98 HP Jetdirect J3258A 170x External Print Server Microsoft Windows 2000 Professional HP Jetdirect J4169A 610n EIO Print Server Microsoft Windows XP HP Jetdirect J6057A 615n EIO Print Server Microsoft Windows 2003 Server HP Jetdirect J7934A 620n EIO Print Server HP Jetdirect J7961A 635n EIO Print Server Date Released...
... 3.11 HP Jetdirect J2550A, J2552A MIO Print Servers Microsoft Windows 95 HP Jetdirect J2550B, J2552B MIO Print Servers HP Jetdirect J3110A, J3111A EIO Print Servers HP Jetdirect J3263A 300X External Print Server HP Jetdirect J3113A 600n EIO Print Server Microsoft Windows 98 HP Jetdirect J3258A 170x External Print Server Microsoft Windows 2000 Professional HP Jetdirect J4169A 610n EIO Print Server Microsoft Windows XP HP Jetdirect J6057A 615n EIO Print Server Microsoft Windows 2003 Server HP Jetdirect J7934A 620n EIO Print Server HP Jetdirect J7961A 635n EIO Print Server Date Released...
HP Jetdirect Security Guidelines
Page 5
... year 2000, HP recommends that are available for customers to newer firmware after purchase Non-Cryptographic Security, upgradeable after purchase Non-Cryptographic Security, upgradeable after purchase SSL/TLS for Management, SNMPv3 SSL/TLS for certain printers/MFP devices) J7997G 630n EIO 10/100/1000 Print Server J7961G 635n EIO 10/100/1000 IPv6/IPsec Print Server Security Features...
... year 2000, HP recommends that are available for customers to newer firmware after purchase Non-Cryptographic Security, upgradeable after purchase Non-Cryptographic Security, upgradeable after purchase SSL/TLS for Management, SNMPv3 SSL/TLS for certain printers/MFP devices) J7997G 630n EIO 10/100/1000 Print Server J7961G 635n EIO 10/100/1000 IPv6/IPsec Print Server Security Features...
HP Jetdirect Security Guidelines
Page 6
...635n IPv6/IPsec print server. The EIO slot was introduced on your windows open. This flexibility will be used. These models have the most security capability in networking protocol and security support. Before using the techniques presented here, the administrator at http://www.hp.com/go/dlm_sw. One of the great features of the Jetdirect...of EIO based printers, proper deployment of the 635n can use the HP Download Manager available at the very least should do not have been discontinued for HP Jetdirect, four different administrative guidelines will automatically indicate ...
...635n IPv6/IPsec print server. The EIO slot was introduced on your windows open. This flexibility will be used. These models have the most security capability in networking protocol and security support. Before using the techniques presented here, the administrator at http://www.hp.com/go/dlm_sw. One of the great features of the Jetdirect...of EIO based printers, proper deployment of the 635n can use the HP Download Manager available at the very least should do not have been discontinued for HP Jetdirect, four different administrative guidelines will automatically indicate ...
HP Jetdirect Security Guidelines
Page 7
.../100 Print Server J7960A/J7960G 625n EIO 10/100/1000 Print Server J7961A/J7961G 635n EIO 10/100/1000 IPv6/IPsec Print Server Firmware Version V.33.14/V.33.15 K.08.49 K.08.49 G.08.49 G.08.49 G.08.49 L.25.57 R.25.57 H.08.60 J.08.60 J.08.60 V.28.22 V.29.20 V.29.29 V.36.11 Table 4 - HP Jetdirect Hacks...
.../100 Print Server J7960A/J7960G 625n EIO 10/100/1000 Print Server J7961A/J7961G 635n EIO 10/100/1000 IPv6/IPsec Print Server Firmware Version V.33.14/V.33.15 K.08.49 K.08.49 G.08.49 G.08.49 G.08.49 L.25.57 R.25.57 H.08.60 J.08.60 J.08.60 V.28.22 V.29.20 V.29.29 V.36.11 Table 4 - HP Jetdirect Hacks...
HP Jetdirect Security Guidelines
Page 8
... is subject to successfully authenticate the server endpoint (and optionally the client endpoint). Which hosts need to have the certificates used but does prevent the responses from other mischief with large print jobs, etc... This doesn't prevent HP Jetdirect from receiving packets from returning to protect print traffic using IPsec Table 5 - Setup a rule to those remote...
... is subject to successfully authenticate the server endpoint (and optionally the client endpoint). Which hosts need to have the certificates used but does prevent the responses from other mischief with large print jobs, etc... This doesn't prevent HP Jetdirect from receiving packets from returning to protect print traffic using IPsec Table 5 - Setup a rule to those remote...
HP Jetdirect Security Guidelines
Page 9
... are trusted to establish a print connection, they are three common ways of updating HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When using HP Download Manager or HP Web Jetadmin, the application issues an SNMP SET to the HP Jetdirect device. HP Jetdirect Hacks: Password and SNMP Community Names HP Jetdirect password and SNMP Community Name...
... are trusted to establish a print connection, they are three common ways of updating HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When using HP Download Manager or HP Web Jetadmin, the application issues an SNMP SET to the HP Jetdirect device. HP Jetdirect Hacks: Password and SNMP Community Names HP Jetdirect password and SNMP Community Name...
HP Jetdirect Security Guidelines
Page 10
... source) in MITM attacks. HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them Easily available network tools that was sent between an FTP client and an FTP server, it can open it . If the MITM node has a copy of a print job, it can perform effective...course specifying a good password. HP recommends the proper deployment of cryptographic protocols such as a solution to a printer. This active/passive behavior is the proper deployment of IPsec (SET 4) as IPsec and SSL/TLS with the printer/MFP's PJL library over a print connection. Active attacks are a...
... source) in MITM attacks. HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them Easily available network tools that was sent between an FTP client and an FTP server, it can open it . If the MITM node has a copy of a print job, it can perform effective...course specifying a good password. HP recommends the proper deployment of cryptographic protocols such as a solution to a printer. This active/passive behavior is the proper deployment of IPsec (SET 4) as IPsec and SSL/TLS with the printer/MFP's PJL library over a print connection. Active attacks are a...
HP Jetdirect Security Guidelines
Page 11
....168.40.3 • TFTP configuration file: picasso.cfg under the subdirectory of "hpnp" of the TFTP daemon's home directory • Forces HP Jetdirect to DHCP if a BOOTP server is recommended as we can specify several control parameters via the TFTP configuration file. picasso:\ :hn:\ :ht=ether:\ :vm=rfc1048:\ :ha=0001E6123456:\ :ip=192....BOOTP and not transition to remain with caution - An example of the contents of power with UNIX or Linux environments; Recommended Security Deployments: SET 1 The HP Jetdirect products denoted by SET 1 do not have any cryptographic security capability.
....168.40.3 • TFTP configuration file: picasso.cfg under the subdirectory of "hpnp" of the TFTP daemon's home directory • Forces HP Jetdirect to DHCP if a BOOTP server is recommended as we can specify several control parameters via the TFTP configuration file. picasso:\ :hn:\ :ht=ether:\ :vm=rfc1048:\ :ha=0001E6123456:\ :ip=192....BOOTP and not transition to remain with caution - An example of the contents of power with UNIX or Linux environments; Recommended Security Deployments: SET 1 The HP Jetdirect products denoted by SET 1 do not have any cryptographic security capability.
HP Jetdirect Security Guidelines
Page 12
... to implement on power-up. The Security level you want to a customer. 12 Here is a sample content for non HP Web Jetadmin users. Press the "Start Wizard" button to the printer on Jetdirect. This file is recommended for the pjlprotection file: %-12345X@PJL @PJL COMMENT **Set Password** @PJL COMMENT **& Lock Control ... = 7654 @PJL DEFAULT PASSWORD = 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are in the left-hand navigation bar, and then the "Wizard" tab.
... to implement on power-up. The Security level you want to a customer. 12 Here is a sample content for non HP Web Jetadmin users. Press the "Start Wizard" button to the printer on Jetdirect. This file is recommended for the pjlprotection file: %-12345X@PJL @PJL COMMENT **Set Password** @PJL COMMENT **& Lock Control ... = 7654 @PJL DEFAULT PASSWORD = 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are in the left-hand navigation bar, and then the "Wizard" tab.
HP Jetdirect Security Guidelines
Page 17
Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done. For now, this configuration step is required. For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic. Special equipment is skipped. 17 Disable unused print protocols and services.
Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done. For now, this configuration step is required. For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic. Special equipment is skipped. 17 Disable unused print protocols and services.
HP Jetdirect Security Guidelines
Page 22
Click "Next" 22 Select "Allow Traffic". Click "Next". We are concerned with management services, so select the service template "All Jetdirect Management Services".
Click "Next" 22 Select "Allow Traffic". Click "Next". We are concerned with management services, so select the service template "All Jetdirect Management Services".
HP Jetdirect Security Guidelines
Page 24
Click "Next". Click Next. 24 Select the "All Jetdirect Management Services" service template. Select "Allow Traffic".
Click "Next". Click Next. 24 Select the "All Jetdirect Management Services" service template. Select "Allow Traffic".
HP Jetdirect Security Guidelines
Page 26
Click "Next". 26 Again, select "All Jetdirect Management Services" for the service template and then click "Next". Select "Drop".
Click "Next". 26 Again, select "All Jetdirect Management Services" for the service template and then click "Next". Select "Drop".
HP Jetdirect Security Guidelines
Page 28
Be sure that all IP addresses must use IPsec to Jetdirect without using IPsec, the packets are using HTTPS before navigating to have the Security Wizard for the default rule and then click "Add Rules...". If an end station ... configuration has been completed, then we did with a management protocol to utilize a management protocol. Let's go through the same process as we can begin the IPsec configuration.
Be sure that all IP addresses must use IPsec to Jetdirect without using IPsec, the packets are using HTTPS before navigating to have the Security Wizard for the default rule and then click "Add Rules...". If an end station ... configuration has been completed, then we did with a management protocol to utilize a management protocol. Let's go through the same process as we can begin the IPsec configuration.
HP Jetdirect Security Guidelines
Page 29
Select "Require traffic to be protected with an IPsec/Firewall Policy". Select "All Jetdirect Management Services". Click "Next". Click "Next". 29
Select "Require traffic to be protected with an IPsec/Firewall Policy". Select "All Jetdirect Management Services". Click "Next". Click "Next". 29