HP Jetdirect Security Guidelines
Page 1
... to educate our customer base about printing and imaging security. whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access 10 Recommended...
HP Jetdirect Security Guidelines
Page 6
...615n, 620n, 625n, en3700, and Embedded Jetdirect (J7949E) models. For companies with an EIO slot are still being sold today. Using Internet Mode, the HP Download Manager will automatically indicate which devices need to be firmware upgraded to the highest level as we can ...635n model and the CM8000 Color MFP series (J7974E). As you can see, replacing a discontinued 400n MIO model with a new external parallel port print server like the 300X will not upgrade the security capabilities of having an EIO based printer is the ability to install a J7961G 635n IPv6/IPsec print server...
HP Jetdirect Security Guidelines
Page 9
... a print connection, they are digitally signed by a trusted CA to properly avoid MITM attacks. HP Jetdirect uses this information to start a TFTP client and pull down during the upgrade, etc...), HP Jetdirect will help make your passwords on your HP Jetdirect, use FTP to upgrade the firmware of updating HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When...
HP Jetdirect Security Guidelines
Page 10
... EWS is protected determines how the HP Jetdirect firmware upgrade capability is described here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07572. HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them Easily available network tools that can perform effective MITM attacks against the ... email client and email server, it can record conversations. If the MITM node has a copy of cryptographic protocols such as with the printer/MFP's PJL library over a print connection. These tools often claim to a printer. In some cases, as IPsec and SSL/TLS with ...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 5
... contents 1 Introducing the HP Jetdirect Print Server Supported Print Servers ...1 Supported Network Protocols ...2 Security Protocols ...4 SNMP (IP and IPX) ...4 HTTPS ...4 Authentication ...4 EAP/802.1X Server-Based Authentication 4 IPsec/Firewall ...5 Supplied Manuals ...5 HP Support ...5 HP Online Support ...5 Firmware Upgrades ...5 Firmware Installation Tools 6 HP Support By Phone ...6 Product Registration ...6 Product Accessibility ...7 2 HP Software Solutions Summary HP Install Network Printer Wizard (Windows 10 Requirements ...10 HP Jetdirect Printer Installer for UNIX...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 7
Settings ...77 Firmware Upgrade 80 LPD Queues ...80 USB Settings ...82 Support Info ...83 Refresh Rate ...83 Privacy Settings ...83 Select Language ...84 Security: Settings ...84 Status ...84 Wizard...95 Network Statistics ...95 Protocol Info ...95 Configuration Page ...95 Other Links ...95 ? (Help) ...95 Support ...95 5 IPsec/Firewall Configuration (V.36.xx) Default Rule Example ...100 IPsec Security Associations (SA) ...100 HP Jetdirect IPsec/Firewall Wizard 101 Limitations to Rules, Templates and Services 101 Step 1: Specify Address Template 102 Create Address Template 103 Step 2: Specify...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 12
... IPP (Internet Printing Protocol) TCP/IPv6 FTP (File Transfer Protocol) printing (Direct Mode printing) Microsoft Windows XP (32- The HP Jetdirect print server product number and installed firmware version can be identified using various methods, including the HP Jetdirect configuration page (see HP Jetdirect Configuration Pages on page 127), Telnet (see TCP/IP Configuration on page 17), embedded Web server (see "Firmware Upgrades on page 5". Supported...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 15
... depend on the print server over your print server model, firmware upgrade files may control IP traffic using both IPv4 and IPv6 networks. Firmware upgrade files may be obtained from Hewlett-Packard at: http://www.hp.com/go/webjetadmin_firmware ENWW Supplied Manuals 5 Value-featured print servers, such as HP Jetdirect en1700 do not support IPsec may be downloaded and installed on the HP Jetdirect print server product and the...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 16
... set, it must be used to transfer a firmware upgrade image file to log into the device. For the most recent HP support telephone numbers and available services worldwide, visit: http://www.hp.com/support NOTE: For toll-free support in the USA and Canada, call . Contact your HP Jetdirect print server, use the device IP address or host...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 19
... your network, allows you can share the printer for direct-mode (peer-to-peer) printing. Solaris1 Fedora Core and SuSE Linux NetWare1 Remote firmware upgrades for IPv6 printing on page 10 Windows 2000, XP, Server 2003 For TCP/IP direct-mode printing. TCP/IPv4 and TCP/IPv6 HP Jetdirect print servers: Wizard version 5.0 ● (or later) is available for you. ENWW 9 NOTE: Printer...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 43
... name of time, in seconds, that determines which SNMP SetRequests (control functions) the HP Jetdirect print server will be re-selected. 1: Allows the sending of the embedded Web server. The default is required. 2: Prompt the user to allow sending data on product ...1 (default): Enables DHCP requests. SNMP snmp-config: Enables or disables SNMP operation on ." In addition, firmware upgrades through the print server's host access list). Community names must match the print server's "set to 0, the refresh rate is disabled. web-refresh: Specifies the time interval (1-99999 seconds)...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 45
...HP Jetdirect 635n print servers: except for the attached printer or device. ● MLC: (Multiple Logical Channels) An HP-proprietary communication mode that allows multiple channels of the hub/switch port. (A 1000T half-duplex selection is not supported.) upgrade: To configure one direction only (to the printer). The command format is: upgrade...: where, is the IP address of the TFTP server, specifies the firmware version of the upgrade file, specifies and must match the product number of the print server, is set depending on the HP Jetdirect print server. ●...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 59
...-multicast idle-timeout Specifies an alphanumeric string of IP version 4 multicast packets by the print server. 0 disables. 1 (default) enables. Apple Bonjour will depend on the printer, typically port 9100 printing or LPD binps. Enable or disable the ability to download firmware upgrade files to session. An integer (1 to 3600) that use for Service Location Protocol...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 62
... SetRequests (control functions) the HP Jetdirect print server will disable all SNMP agents (SNMP v1, v2, v3) as well as communications with SNMP management applications. Disabling this parameter may limit configuration access through current HP downloading utilities will respond to . In addition, firmware upgrades through the print server's host access list.) Community names must match the print server's "set -cmnty-name...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 64
... on the HP Jetdirect print server. (Read-only parameter) Indicates the current AppleTalk configuration status. Table 3-3 Telnet Commands and Parameters (continued) appletalk Enables or disables AppleTalk (EtherTalk) protocol operation on the print server (if supported). 0 disables. 1 (default) enables. Name Print Type Zone Phase Status DLC/LLC dlc/llc-config (Read-only parameter) The name of a firmware upgrade file. 54...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 65
... is used, a user-specified string of exactly 12 hexadecimal digits must match the product number of the print server, is enabled only for flow control of the firmware upgrade file. AUTO or 1: Flow control is enabled only for both received and transmit data. (For wired 10...1000T network. MASTER or 1: The device is used for data transmitted to configure the print server as a 1000T master device. Enable or disable access by HP Web service applications to XML-based data on the HP Jetdirect print server. 1 (default): Enable 0: Disable Enable or disable the Microsoft Web Services Dynamic ...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 87
...disable SLP (Service Location Protocol), used by the print server. Settings on page 77: for enabling miscellaneous advanced protocols and functions ● Firmware Upgrade on page 80: to update your HP Jetdirect print server with new features and enhancements ● LPD Queues... on page 83: to automatically discover and identify the HP Jetdirect print server. It is always "Jetdirect". Settings The Misc. See ...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 90
...upgrade file, visit HP online support at: http://www.hp.com/go to 5 user-specified LPD queues will depend on page 153. Check the upgrade file version and verify that page, do the following: 1. If not, then you to upgrade. For more recent than the print server's installed version. NOTE: Value-based print servers do not need to upgrade the print server...queues can set up to locate it. See Table 4-13 LPD Queues Tab Settings on the Jetdirect print server. The firmware upgrade file for setting up with new features. LPD Queues The LPD Queues page allows you can be...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 103
... parameters prior to upgrade firmware on for client authentication on the print server. Multicast IPv4. If enabled (checked), the print server will send and receive IP version 4 multicast packets. If this parameter is recommended. 802.1X Authentication (Full-featured print servers only) This page... a port's access to configure 802.1X authentication settings on the Jetdirect print server as required for IP address and name resolution (through those services. If enabled (checked), the HP Jetdirect print server sends SLP packets, which are not secure protocols and device passwords ...
HP Jetdirect Print Server Administrator's Guide (Firmware V.36)
Page 196
...server HP Web Jetadmin 62 HTTPS security 91, 113 LPD setup 80 NetWare objects 64 TFTP configuration file 32 Upgrading firmware 80 Using 61 Viewing 62 Web browsers 62 Encapsulating Security Payload 110, 111 Encryption 802.1X 93 HTTPS 91 IKEv1 109, 110 IPsec 106 SNMP v3 92 Error messages HP Jetdirect...58 Failsafe 100 Firewall Control panel menu 174 embedded Web server 97 FIRMWARE REVISION 130 Firmware upgrades embedded Web server 80 Obtaining 5 TFTP configuration 35 Flow control 55 FRAME TYPE 137 FRAMING ERRORS RCVD 133 FTP printing Commands 167 Example 168 Exiting 167 Introduction 165 TFTP ...