Practical considerations for imaging and printing security
Page 1
... ...4 Security checklists ...4 Conclusion: look beyond Common Criteria Certification 4 HP's imaging and printing security framework 4 Secure the Imaging and Printing Device 5 MFP walk-up authentication ...5 Network printing authentication ...5 Physical document access control 5 HP Secure Erase ...6 Vulnerabilities, viruses, and worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively...
Practical considerations for imaging and printing security
Page 6
... -clunk performance that only IT deployed and trusted devices, such as those with HP Jetdirect devices Network connectivity for HP imaging and printing devices is the recommended protocol for securing printing and scanning functions. 6 The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server, available November 2005, uses a cryptographic accelerator to provide click-to the 802.1x...
HP Jetdirect Security Guidelines
Page 1
... of rather poor quality and inflammatory; whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access 10 Recommended...
HP Jetdirect Security Guidelines
Page 2
... imaging security strategy? At one of thousands, and perhaps a few years may in the printing industry. Hundreds of the first print servers to widely implement security protocols such as well-known default security settings. Protocol suites such as AppleTalk, DLC/LLC, and IPX..., it is important to remember that this growth period in order to computers called spoolers. At the time HP Jetdirect was introduced, there was designed to allow users to print to Jetdirect immediately. Fast forwarding to the present, we have never had been adopted (or hyped) almost as much ...
HP Jetdirect Security Guidelines
Page 3
... on the Internet conveys that is this diagram, we can also understand what HP Jetdirect can understand what HP Jetdirect cannot do to control who cannot interact with your printing infrastructure. As customers demanded faster data transfer speeds and richer status, these protocols... on a strategy that implemented a hardware protocol and converted encapsulated data into data for printer consumption. Upgrading your HP Jetdirect card to provide your HP Jetdirect card to help in the security of the first Networking Protocol offload engines. In short, a printer had direct...
HP Jetdirect Security Guidelines
Page 4
... 3.11 HP Jetdirect J2550A, J2552A MIO Print Servers Microsoft Windows 95 HP Jetdirect J2550B, J2552B MIO Print Servers HP Jetdirect J3110A, J3111A EIO Print Servers HP Jetdirect J3263A 300X External Print Server HP Jetdirect J3113A 600n EIO Print Server Microsoft Windows 98 HP Jetdirect J3258A 170x External Print Server Microsoft Windows 2000 Professional HP Jetdirect J4169A 610n EIO Print Server Microsoft Windows XP HP Jetdirect J6057A 615n EIO Print Server Microsoft Windows 2003 Server HP Jetdirect J7934A 620n EIO Print Server HP Jetdirect J7961A 635n EIO Print Server Date Released...
HP Jetdirect Security Guidelines
Page 5
... Non-Cryptographic Security, upgradeable after purchase SSL/TLS for Management, SNMPv3 Table 3 - HP Jetdirect Models: HP Jetdirect J3258G 170x External Parallel Print server J6035G 175x External USB 1.1 Print Server J3263G 300x External Print server J7983G 510X External 3-Port Print Server J7942G en3700 External USB 2.0 Print Server J7934G 620n EIO 10/100 Print Server J7949E Embedded Jetdirect 10/100 (not for sale individually, comes installed on the formatter for certain...
HP Jetdirect Security Guidelines
Page 6
...MIO model with a new external parallel port print server like the 300X will come from the four main HP Jetdirect product lines, referred to install a J7961G 635n IPv6/IPsec print server. In order to properly recommend configurations for HP Jetdirect, four different administrative guidelines will need to..., 600n models. One of their printing and imaging infrastructure. Printers that have an MIO slot like the LaserJet IIIsi and LaserJet 4si have cryptographic security capability. • SET 2: The 610n, 615n, 620n, 625n, en3700, and Embedded Jetdirect (J7949E) models. The EIO slot...
HP Jetdirect Security Guidelines
Page 7
... Embedded Jetdirect J4100A 400n 10Mbps MIO Print server J4106A 400n 10Mbps MIO Print server J3110A 600n 10Mbps EIO Print server J3111A 600n 10Mbps EIO Print server J3113A 600n 10/100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server J3263A/J3263G 300x External Print server J3265A 500X External 3-Port Print Server J7983G 510X External 3-Port Print Server J7942A/J7942G en3700 External USB 2.0 Print Server J7934A/J7934G 620n...
HP Jetdirect Security Guidelines
Page 8
... What about the user at work that is subject to successfully authenticate the server endpoint (and optionally the client endpoint). Option 2) For SET 3. It is subject to MITM attacks as HP Jetdirect Ten or less individual computers on a robust PKI to IP address spoofing... and Man-in the company. This doesn't prevent HP Jetdirect from receiving packets from other mischief with large print jobs, etc... Setup a rule to protect print traffic using the Firewall Option 3) For SET 4. Option 4) For SET 4. Option 1) For ...
HP Jetdirect Security Guidelines
Page 9
... has been specified, it can be entered to utilize FTP 9 they are trusted to establish a print connection, they are three common ways of updating HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When using HP's Universal Print Driver (UPD), which facilitates reports on these devices to something new. In addition...
HP Jetdirect Security Guidelines
Page 10
...an FTP server, it can be configured to HTTPS, using other applications without having to send it is analogously similar to a person not being able to plant the listening device in the conference room and instead pulling a fire alarm in a conference room to printing. HP Jetdirect Hacks: Printer...it to all the data sent between that source and that was sent between an email client and email server, it can use the EWS to bypass HP Jetdirect security. firmware upgrades; Properly deployed cryptographic protocols are also used to force network infrastructure equipment to help ...
HP Jetdirect Security Guidelines
Page 11
...a BOOTP/TFTP configuration is fairly easy. however, there are many free BOOTP and TFTP servers for a great deal of the TFTP daemon's home directory • Forces HP Jetdirect to DHCP if a BOOTP server is unavailable. An example UNIX configuration will be enabled, comment out the "snmp-config"... command and # uncomment out the following : • Syslog server: 192.168.40.3 • TFTP configuration file: ...
HP Jetdirect Security Guidelines
Page 12
... PASSWORD = 7654 @PJL DEFAULT PASSWORD = 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are in the left-hand navigation bar, and then the "Wizard" tab. Here, we are going to choose "Custom Security" to show all... via the Networking tab, "Settings" in SET 2, the security wizard is shown here: NOTE: be sure to use HTTPS when navigating to the printer on Jetdirect. Here is a sample content for non HP Web Jetadmin users. This file is sent to this page.
HP Jetdirect Security Guidelines
Page 17
Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done. Special equipment is skipped. For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic. For now, this configuration step is required. Disable unused print protocols and services.
HP Jetdirect Security Guidelines
Page 22
Click "Next". Click "Next". Select "Allow Traffic". We are concerned with management services, so select the service template "All Jetdirect Management Services".
HP Jetdirect Security Guidelines
Page 24
Select "Allow Traffic". Click "Next". Click "Next". Select the "All Jetdirect Management Services" service template.
HP Jetdirect Security Guidelines
Page 26
Click "Next". Again, select "All Jetdirect Management Services" for the service template and then click "Next". Select "Drop".
HP Jetdirect Security Guidelines
Page 28
Let's go through the same process as we did with a management protocol to Jetdirect without using HTTPS before navigating to this time, we can begin the IPsec configuration. Once the Security Wizard configuration has been completed, then we'll ...
HP Jetdirect Security Guidelines
Page 29
Select "All Jetdirect Management Services". Click "Next". Click "Next". Select "Require traffic to be protected with an IPsec/Firewall Policy".