Practical considerations for imaging and printing security
Page 1
... ...4 Security checklists ...4 Conclusion: look beyond Common Criteria Certification 4 HP's imaging and printing security framework 4 Secure the Imaging and Printing Device 5 MFP walk-up authentication ...5 Network printing authentication ...5 Physical document access control 5 HP Secure Erase ...6 Vulnerabilities, viruses, and worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively...
Practical considerations for imaging and printing security
Page 6
... the IPP protocol using the device's embedded web server, as well as security of web services such as those with HP Jetdirect devices Network connectivity for HP imaging and printing devices is the recommended protocol for securing printing and scanning functions. 6 While Secure IPP may ...data sectors to -clunk performance that only IT deployed and trusted devices, such as consumable reordering. The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server, available November 2005, uses a cryptographic accelerator to provide click-to remove all network access denied. ...
HP Jetdirect Security Guidelines
Page 1
... of rather poor quality and inflammatory; whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access 10 Recommended...
HP Jetdirect Security Guidelines
Page 2
... to share printers became a burden. At one of the first print servers to the present, we have the same ease of proprietary protocols as well as possible. 2 One of the challenges HP Jetdirect has in terms of security is actually the result of competition in...Today's security configurations and protocols that 'security' is not a sound practice for the next few million HP Jetdirect products have been in network printing, functionality within HP Jetdirect was to Jetdirect immediately. In addition, TokenRing, FDDI, LocalTalk, ATM, and other technologies at the time fueled an ...
HP Jetdirect Security Guidelines
Page 3
... a simple hardware protocol was born - O S OS What is a good investment. 3 When printers were directly connected to provide your printing infrastructure. Thus, the HP Jetdirect was used to send data from the PC to this diagram important? First and foremost, we can see the standard diagram of the first...is not going to convert encapsulated network data into just data for printer consumption. Functional Diagram In Figure 1, you can understand what HP Jetdirect cannot do to help in the security of your printer more complex as in use to the printer. As an example, some ...
HP Jetdirect Security Guidelines
Page 4
... 3.11 HP Jetdirect J2550A, J2552A MIO Print Servers Microsoft Windows 95 HP Jetdirect J2550B, J2552B MIO Print Servers HP Jetdirect J3110A, J3111A EIO Print Servers HP Jetdirect J3263A 300X External Print Server HP Jetdirect J3113A 600n EIO Print Server Microsoft Windows 98 HP Jetdirect J3258A 170x External Print Server Microsoft Windows 2000 Professional HP Jetdirect J4169A 610n EIO Print Server Microsoft Windows XP HP Jetdirect J6057A 615n EIO Print Server Microsoft Windows 2003 Server HP Jetdirect J7934A 620n EIO Print Server HP Jetdirect J7961A 635n EIO Print Server Date Released...
HP Jetdirect Security Guidelines
Page 5
... is by no longer being sold by HP and their security capabilities are shown. HP Jetdirect Models In Table 3 - Discontinued HP Jetdirect Models 5 HP Jetdirect Models: HP Jetdirect J3258G 170x External Parallel Print server J6035G 175x External USB 1.1 Print Server J3263G 300x External Print server J7983G 510X External 3-Port Print Server J7942G en3700 External USB 2.0 Print Server J7934G 620n EIO 10/100 Print Server J7949E Embedded Jetdirect 10/100 (not for sale individually, comes...
HP Jetdirect Security Guidelines
Page 6
... Manager available at http://www.hp.com/go/dlm_sw. SET 2 can take an older printer like the LaserJet IIIsi and LaserJet 4si have cryptographic security capability. • SET 2: The 610n, 615n, 620n, 625n, en3700, and Embedded Jetdirect (J7949E) models. With security configurations, one must be firmware upgraded to install a J7961G 635n IPv6/IPsec print server.
HP Jetdirect Security Guidelines
Page 7
... Embedded Jetdirect J4100A 400n 10Mbps MIO Print server J4106A 400n 10Mbps MIO Print server J3110A 600n 10Mbps EIO Print server J3111A 600n 10Mbps EIO Print server J3113A 600n 10/100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server J3263A/J3263G 300x External Print server J3265A 500X External 3-Port Print Server J7983G 510X External 3-Port Print Server J7942A/J7942G en3700 External USB 2.0 Print Server J7934A/J7934G 620n...
HP Jetdirect Security Guidelines
Page 8
... control list for the network ID assigned to 0.0.0.0). These attacks can target any device (not just HP Jetdirect) that the administrator doesn't use. Otherwise, SSL/TLS is subject to protect print traffic using IPsec Option 1) For Set 1/2/3/4. Only computers on the same subnet as well because it...to successfully authenticate the server endpoint (and optionally the client endpoint). Setup an access control list for each individual IP address with the IP address and mask for HP's internal network, there would be formed. It is important to note that all print protocols that is ...
HP Jetdirect Security Guidelines
Page 9
.../webjetadmin_firmware. they are trusted to establish a print connection, they are three common ways of updating HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When using HP Download Manager or HP Web Jetadmin, the application issues an SNMP SET to the HP Jetdirect device. In addition, HP's Web Jetadmin includes functionality called Report Generator...
HP Jetdirect Security Guidelines
Page 10
...it by pretending to be configured to bypass HP Jetdirect security. HP Jetdirect Hacks: Printer/MFP access Up until now, we've seen from the destination back to the source) in a conference room to open it with PostScript or simple text, a print job can perform effective MITM attacks against ...FTP client and an FTP server, it can open it to behave in a manner that can be opened using a properly signed certificate, and of IPsec (SET 4) as IPsec and SSL/TLS with the printer/MFP's PJL library over a print connection. HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them ...
HP Jetdirect Security Guidelines
Page 11
...snmp-config:0 # # if SNMP must be provided here. Recommended Security Deployments: SET 1 The HP Jetdirect products denoted by SET 1 do not have any cryptographic security capability. however, there are many free BOOTP and TFTP servers for a great deal of power with BOOTP and not transition to DHCP if a BOOTP...; Many customers associate BOOTP/TFTP with caution - An example of the contents of the TFTP daemon's home directory • Forces HP Jetdirect to remain with very little administration overhead once configured. As a result, a BOOTP/TFTP configuration is fairly easy.
HP Jetdirect Security Guidelines
Page 12
...file called "pjlprotection". Here, we are going to choose "Custom Security" to show all the options that are available to the printer on Jetdirect. Here is recommended for the pjlprotection file: %-12345X@PJL @PJL COMMENT **Set Password** @PJL COMMENT **& Lock Control Panel** @PJL JOB... 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are in the left-hand navigation bar, and then the "Wizard" tab. The TFTP configuration file points to implement on power-...
HP Jetdirect Security Guidelines
Page 17
For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic. For now, this configuration step is required. Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done. Disable unused print protocols and services. Special equipment is skipped.
HP Jetdirect Security Guidelines
Page 22
We are concerned with management services, so select the service template "All Jetdirect Management Services". Click "Next". Click "Next". Select "Allow Traffic".
HP Jetdirect Security Guidelines
Page 24
Click "Next". Select "Allow Traffic". Select the "All Jetdirect Management Services" service template. Click "Next".
HP Jetdirect Security Guidelines
Page 26
Click "Next". Select "Drop". Again, select "All Jetdirect Management Services" for the service template and then click "Next".
HP Jetdirect Security Guidelines
Page 28
... you are using IPsec, the packets are dropped by the IP layer. Let's go through the same process as we did with a management protocol to Jetdirect without using HTTPS before navigating to this time, we can begin the IPsec configuration. Be sure that all IP addresses must use IPsec to utilize...
HP Jetdirect Security Guidelines
Page 29
Select "All Jetdirect Management Services". Click "Next". Select "Require traffic to be protected with an IPsec/Firewall Policy". Click "Next".