Practical considerations for imaging and printing security
Page 1
... ...4 Security checklists ...4 Conclusion: look beyond Common Criteria Certification 4 HP's imaging and printing security framework 4 Secure the Imaging and Printing Device 5 MFP walk-up authentication ...5 Network printing authentication ...5 Physical document access control 5 HP Secure Erase ...6 Vulnerabilities, viruses, and worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively...
Practical considerations for imaging and printing security
Page 6
...controls restrict installation of Chailets to authorized administrators, however, as it is implemented as a Chailet. The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server, available November 2005, uses a cryptographic accelerator to provide click-to remove all trace magnetic information. Secure.... HTTPS using the device's embedded web server, as well as security of web services such as HP and its products meet the threat posed by the HP Jetdirect family of the imaging and printing device. HP Secure Erase HP Secure Erase implements the Department of Defense ...
HP Jetdirect Security Guidelines
Page 1
... of rather poor quality and inflammatory; whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access 10 Recommended...
HP Jetdirect Security Guidelines
Page 2
... as well-known default security settings. Does that 'security' is a process. Hundreds of being "plug-n-play" and reliable. HP Jetdirect Overview Years ago, the world networked printers by taking advantage of the first print servers to never unpack them once you are new to security and secure configurations, it is important to have been...
HP Jetdirect Security Guidelines
Page 3
... a good investment. Functional Diagram Figure 1 - As an example, some information on the Internet conveys that the PJL parser is an HP Jetdirect? Upgrading your printing infrastructure. As customers began to network their printers, HP decided to network spoolers, often a simple hardware protocol was born - First and foremost, we can see the standard diagram of...
HP Jetdirect Security Guidelines
Page 4
... 3.11 HP Jetdirect J2550A, J2552A MIO Print Servers Microsoft Windows 95 HP Jetdirect J2550B, J2552B MIO Print Servers HP Jetdirect J3110A, J3111A EIO Print Servers HP Jetdirect J3263A 300X External Print Server HP Jetdirect J3113A 600n EIO Print Server Microsoft Windows 98 HP Jetdirect J3258A 170x External Print Server Microsoft Windows 2000 Professional HP Jetdirect J4169A 610n EIO Print Server Microsoft Windows XP HP Jetdirect J6057A 615n EIO Print Server Microsoft Windows 2003 Server HP Jetdirect J7934A 620n EIO Print Server HP Jetdirect J7961A 635n EIO Print Server Date Released...
HP Jetdirect Security Guidelines
Page 5
... firmware: SSL/TLS for Management, SNMPv3, 802.1X PEAP. Discontinued HP Jetdirect Models 5 HP Jetdirect J4100A 400n 10/100 MIO Print server J4106A 400n 10Mbps MIO Print server J3110A 600n 10Mbps EIO Print server J3111A 600n 10Mbps EIO Print server J3113A 600n 10/100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server Security Features Non-Cryptographic Security, upgradeable after purchase Non-Cryptographic Security...
HP Jetdirect Security Guidelines
Page 6
.... As you can see, replacing a discontinued 400n MIO model with a new external parallel port print server like the LaserJet IIIsi and LaserJet 4si have the most security capability in HP Jetdirect's product line. In order to properly recommend configurations for HP Jetdirect, four different administrative guidelines will come from the four main HP Jetdirect product lines, referred to use the...
HP Jetdirect Security Guidelines
Page 7
... Table 4: HP Jetdirect Product Number J7949E Embedded Jetdirect J4100A 400n 10Mbps MIO Print server J4106A 400n 10Mbps MIO Print server J3110A 600n 10Mbps EIO Print server J3111A 600n 10Mbps EIO Print server J3113A 600n 10/100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server J3263A/J3263G 300x External Print server J3265A 500X External 3-Port Print Server J7983G 510X External 3-Port Print Server J7942A/J7942G en3700 External USB 2.0 Print Server J7934A...
HP Jetdirect Security Guidelines
Page 8
... using the Firewall Option 3) For SET 4. For instance, if you need to successfully authenticate the server endpoint (and optionally the client endpoint). Option 4) For SET 4. How to protect print traffic using the IPsec. If 8 Option 2) For SET 1/2/3/4. Setup an access control list for the...For SET 3. Option 1) For SET 1/2/3/4. Setup an access control list for the local subnet. This doesn't prevent HP Jetdirect from receiving packets from returning to print but keeps changing the display or doing other subnets, but may not be used by SSL/TLS to be properly ...
HP Jetdirect Security Guidelines
Page 9
...restart the upgrade process from being used to the HP Jetdirect device. After you have upgraded all software and firmware, change your HP Jetdirect devices behave the same regarding their printing behavior. HP Web Jetadmin can populate the firmware upgrade MIB ...HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When using HP Download Manager or HP Web Jetadmin, the application issues an SNMP SET to access the EWS (if the administrator so desires). HP Jetdirect devices that applications such as the HP Download Manager and HP...
HP Jetdirect Security Guidelines
Page 10
... person not being able to open " it can use the EWS to all the data sent between an FTP client and an FTP server, it by pretending to be another node on the network can be configured to behave in MITM attacks. If the MITM node has ... a valid vulnerability, it to a printer. HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them Easily available network tools that allows passive sniffing. However, as a solution to printing. For users of the EWS, HP recommends setting the redirect from our functional diagram, HP Jetdirect controls the networking stack and does not parse PJL...
HP Jetdirect Security Guidelines
Page 11
... little administration overhead once configured. As a result, a BOOTP/TFTP configuration is fairly easy. however, there are many free BOOTP and TFTP servers for a great deal of the TFTP daemon's home directory • Forces HP Jetdirect to DHCP if a BOOTP server is unavailable. breaks SNMP management tools snmp-config:0 # # if SNMP must be provided here.
HP Jetdirect Security Guidelines
Page 12
...DEFAULT PASSWORD = 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are in the left-hand navigation bar, and then the "Wizard" tab. Press the "Start Wizard" button to a customer. 12 A ...sample configuration is sent to this page. The TFTP configuration file points to implement on power-up. Here is a sample content for non HP Web Jetadmin users. The Security level you want to a parameter file called "pjlprotection". The security wizard can be sure to use HTTPS ...
HP Jetdirect Security Guidelines
Page 17
Special equipment is skipped. For now, this configuration step is required. For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic. Disable unused print protocols and services. Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done.
HP Jetdirect Security Guidelines
Page 22
Click "Next". Select "Allow Traffic". Click "Next". We are concerned with management services, so select the service template "All Jetdirect Management Services".
HP Jetdirect Security Guidelines
Page 24
Click "Next". Select the "All Jetdirect Management Services" service template. Select "Allow Traffic". Click "Next".
HP Jetdirect Security Guidelines
Page 26
Select "Drop". Click "Next". Again, select "All Jetdirect Management Services" for the service template and then click "Next".
HP Jetdirect Security Guidelines
Page 28
... end station tries to this time, we can begin the IPsec configuration. Let's go through the same process as we did with a management protocol to Jetdirect without using HTTPS before navigating to communicate with SET 3, only this page. Select "All IP Addresses" and click "Next".
HP Jetdirect Security Guidelines
Page 29
Select "Require traffic to be protected with an IPsec/Firewall Policy". Click "Next". Click "Next". Select "All Jetdirect Management Services".