Practical considerations for imaging and printing security
Page 1
... ...4 Security checklists ...4 Conclusion: look beyond Common Criteria Certification 4 HP's imaging and printing security framework 4 Secure the Imaging and Printing Device 5 MFP walk-up authentication ...5 Network printing authentication ...5 Physical document access control 5 HP Secure Erase ...6 Vulnerabilities, viruses, and worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively...
Practical considerations for imaging and printing security
Page 6
... HP Jetdirect devices Network connectivity for HP imaging and printing devices is provided by hostile network environments. • Chai HP's Chai provides a means to -clunk performance that rivals unsecured protocols, and supports the IPsec implementations available in HP's imaging and printing product development, and as a result these devices have all trace magnetic information. The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server...
HP Jetdirect Security Guidelines
Page 1
... public information on existing HP Jetdirect products, mainly because HP Jetdirect was 1 whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access...
HP Jetdirect Security Guidelines
Page 2
... sentence. Hundreds of the first print servers to computers called spoolers. These spoolers then shared the printers via parallel ports or serial ports to widely implement security protocols such as Ethernet. HP Jetdirect was designed to allow users to print to a spooler. HP Jetdirect would automatically initialize all protocols to...suites such as AppleTalk, DLC/LLC, and IPX/SPX were deployed widely and had as much as SSL/TLS, SNMPv3, 802.1X, and IPsec. At the other ways of proprietary protocols as well as possible. 2 The length limits of Use' design criterion now has an arch ...
HP Jetdirect Security Guidelines
Page 3
... protocol and converted encapsulated data into data for printer consumption. Secondly, we can also understand what HP Jetdirect can understand what HP Jetdirect cannot do to help in the security of your printing infrastructure. As an example, some information on HP Jetdirect. In short, a printer had direct connect ports (e.g., serial, parallel) that the PJL parser is this...
HP Jetdirect Security Guidelines
Page 4
... 3.11 HP Jetdirect J2550A, J2552A MIO Print Servers Microsoft Windows 95 HP Jetdirect J2550B, J2552B MIO Print Servers HP Jetdirect J3110A, J3111A EIO Print Servers HP Jetdirect J3263A 300X External Print Server HP Jetdirect J3113A 600n EIO Print Server Microsoft Windows 98 HP Jetdirect J3258A 170x External Print Server Microsoft Windows 2000 Professional HP Jetdirect J4169A 610n EIO Print Server Microsoft Windows XP HP Jetdirect J6057A 615n EIO Print Server Microsoft Windows 2003 Server HP Jetdirect J7934A 620n EIO Print Server HP Jetdirect J7961A 635n EIO Print Server Date Released...
HP Jetdirect Security Guidelines
Page 5
... in Table 2 - Upgrading Upgrading your HP Jetdirect devices is highly recommended. Discontinued HP Jetdirect Models 5 Discontinued HP Jetdirect Models, some guidelines. First, if the HP Jetdirect device was introduced before the year 2000, HP recommends that are available for certain printers/MFP devices) J7997G 630n EIO 10/100/1000 Print Server J7961G 635n EIO 10/100/1000 IPv6/IPsec Print Server Security Features Non-Cryptographic Security...
HP Jetdirect Security Guidelines
Page 6
.... As a reminder, these devices is the ability to install a J7961G 635n IPv6/IPsec print server. These models have cryptographic security capability. • SET 2: The 610n, 615n, 620n, 625n, en3700, and Embedded Jetdirect (J7949E) models. One of those attacks. SET 2 can allow/drop packets on the HP LaserJet 4000 almost ten years ago. Before using the techniques presented...
HP Jetdirect Security Guidelines
Page 7
.../100 Print Server J7960A/J7960G 625n EIO 10/100/1000 Print Server J7961A/J7961G 635n EIO 10/100/1000 IPv6/IPsec Print Server Firmware Version V.33.14/V.33.15 K.08.49 K.08.49 G.08.49 G.08.49 G.08.49 L.25.57 R.25.57 H.08.60 J.08.60 J.08.60 V.28.22 V.29.20 V.29.29 V.36.11 Table 4 - HP Jetdirect Hacks...
HP Jetdirect Security Guidelines
Page 8
... Firewall Option 3) For SET 4. Option 2) For SET 3. Setup a rule to successfully authenticate the server endpoint (and optionally the client endpoint). It is subject to MITM attacks as HP Jetdirect Ten or less individual computers on SSL/TLS to protect print traffic using IPsec Table 5 - As a result, TCP connections cannot be two entries: IP - 15.0.0.0 mask...
HP Jetdirect Security Guidelines
Page 9
...application has proper credentials, it can be provided, in the form of updating HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When using SNMPv3 easy. HP Jetdirect uses this information to SNMPv3. Customers can be configured to use FTP to... additional protections can also utilize SNMPv3 for FTP firmware upgrades. There are three common ways of Color Access Controls using HP's Universal Print Driver (UPD), which facilitates reports on users and their how their source. These applications use the latest client software ...
HP Jetdirect Security Guidelines
Page 10
... server, it is analogously similar to a person not being able to plant the listening device in the conference room and instead pulling a fire alarm in a conference room to help protect against passive and active sniffing attacks. firmware upgrades; HP Jetdirect Hacks: Sniffing Print ...signed certificate, and of ARP protection and monitoring since ARP poisoning is the proper deployment of IPsec (SET 4) as with the printer/MFP's PJL library over a print connection. HP recommends the proper deployment of cryptographic protocols such as a guideline to all the data sent...
HP Jetdirect Security Guidelines
Page 11
...fairly easy. breaks SNMP management tools snmp-config:0 # # if SNMP must be provided here. Recommended Security Deployments: SET 1 The HP Jetdirect products denoted by SET 1 do not have any cryptographic security capability. Many customers associate BOOTP/TFTP with caution - An example of the... very little administration overhead once configured. however, there are many free BOOTP and TFTP servers for a great deal of the TFTP daemon's home directory • Forces HP Jetdirect to DHCP if a BOOTP server is unavailable. picasso:\ :hn:\ :ht=ether:\ :vm=rfc1048:\ :ha=0001E6123456:\ ...
HP Jetdirect Security Guidelines
Page 12
... going to choose "Custom Security" to show all the options that are available to implement on power-up. Here is recommended for non HP Web Jetadmin users. A sample configuration is sent to this page. This file is shown here: NOTE: be access via the Networking tab...DEFAULT PASSWORD = 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are in the left-hand navigation bar, and then the "Wizard" tab. Press the "Start Wizard" button to a parameter file called "...
HP Jetdirect Security Guidelines
Page 17
Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done. For now, this configuration step is required. Disable unused print protocols and services. For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic. Special equipment is skipped.
HP Jetdirect Security Guidelines
Page 22
Click "Next". We are concerned with management services, so select the service template "All Jetdirect Management Services". Select "Allow Traffic". Click "Next".
HP Jetdirect Security Guidelines
Page 24
Select "Allow Traffic". Click "Next". Select the "All Jetdirect Management Services" service template. Click "Next".
HP Jetdirect Security Guidelines
Page 26
Select "Drop". Click "Next". Again, select "All Jetdirect Management Services" for the service template and then click "Next".
HP Jetdirect Security Guidelines
Page 28
..., SET 4 configuration needs to have the Security Wizard for the default rule and then click "Add Rules...". Be sure that all IP addresses must use IPsec to utilize a management protocol. Select "All IP Addresses" and click "Next". Once the Security Wizard configuration has been completed, then we'll simply say... you are dropped by the IP layer. Select "Allow" for SET 2 executed. Let's go through the same process as we did with a management protocol to Jetdirect without using IPsec, the packets are using HTTPS before navigating to this time, we can begin the...
HP Jetdirect Security Guidelines
Page 29
Click "Next". Select "All Jetdirect Management Services". Click "Next". Select "Require traffic to be protected with an IPsec/Firewall Policy".