Practical considerations for imaging and printing security
Page 1
... ...4 Security checklists ...4 Conclusion: look beyond Common Criteria Certification 4 HP's imaging and printing security framework 4 Secure the Imaging and Printing Device 5 MFP walk-up authentication ...5 Network printing authentication ...5 Physical document access control 5 HP Secure Erase ...6 Vulnerabilities, viruses, and worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively...
Practical considerations for imaging and printing security
Page 6
... networks. Network connectivity with virus protection software, are unable to authenticate to the 802.1x authorization server have been affected little by the HP Jetdirect family of products, including internal cards, external boxes, and embedded networking. SNMPv3 and HTTPS Provide ... partners. Access controls restrict installation of Chailets to authorized administrators, however, as a Chailet. The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server, available November 2005, uses a cryptographic accelerator to provide click-to-clunk performance that are allowed...
HP Jetdirect Security Guidelines
Page 1
... Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access 10 Recommended Security Deployments: SET 1 11 Recommended Security Deployments: SET...
HP Jetdirect Security Guidelines
Page 2
...SNMPv3, 802.1X, and IPsec. In short, HP Jetdirect was directly connected to the best of the first print servers to remember that this growth period in network printing, functionality within HP Jetdirect was designed to allow users to print to the present, we will find the IP ... place regarding protocol suites and networking infrastructure. During this is not a sound practice for the next few million HP Jetdirect products have been in the printing industry. At the other extreme, the worst security available is unboxing them, powering them up, getting a configuration...
HP Jetdirect Security Guidelines
Page 3
...simple hardware protocol was born - Thus, the HP Jetdirect was used to send data from the PC to be an example. As an example, some information on the Internet conveys that is not going to the printer. one of your printing infrastructure. Secondly, we can and who can ...also understand what HP Jetdirect can see the standard diagram of an offload engine. O S OS What is a good investment. 3 Let's...
HP Jetdirect Security Guidelines
Page 4
... 3.11 HP Jetdirect J2550A, J2552A MIO Print Servers Microsoft Windows 95 HP Jetdirect J2550B, J2552B MIO Print Servers HP Jetdirect J3110A, J3111A EIO Print Servers HP Jetdirect J3263A 300X External Print Server HP Jetdirect J3113A 600n EIO Print Server Microsoft Windows 98 HP Jetdirect J3258A 170x External Print Server Microsoft Windows 2000 Professional HP Jetdirect J4169A 610n EIO Print Server Microsoft Windows XP HP Jetdirect J6057A 615n EIO Print Server Microsoft Windows 2003 Server HP Jetdirect J7934A 620n EIO Print Server HP Jetdirect J7961A 635n EIO Print Server Date Released...
HP Jetdirect Security Guidelines
Page 5
....1X PEAP. First, if the HP Jetdirect device was introduced before the year 2000, HP recommends that are shown in Table 2 - HP Jetdirect Models: HP Jetdirect J3258G 170x External Parallel Print server J6035G 175x External USB 1.1 Print Server J3263G 300x External Print server J7983G 510X External 3-Port Print Server J7942G en3700 External USB 2.0 Print Server J7934G 620n EIO 10/100 Print Server J7949E Embedded Jetdirect 10/100 (not for sale individually...
HP Jetdirect Security Guidelines
Page 6
...; SET 2: The 610n, 615n, 620n, 625n, en3700, and Embedded Jetdirect (J7949E) models. Printers that follows, this product, we evaluate the various attacks employed against HP Jetdirect and some public information available about vulnerabilities or attacks against HP Jetdirect. For companies with an EIO slot...printer is located here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999. In many years. As you can see, replacing a discontinued 400n MIO model with a new external parallel port print server like the 300X will automatically indicate which devices...
HP Jetdirect Security Guidelines
Page 7
... Jetdirect J4100A 400n 10Mbps MIO Print server J4106A 400n 10Mbps MIO Print server J3110A 600n 10Mbps EIO Print server J3111A 600n 10Mbps EIO Print server J3113A 600n 10/100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server J3263A/J3263G 300x External Print server J3265A 500X External 3-Port Print Server J7983G 510X External 3-Port Print Server J7942A/J7942G en3700 External USB 2.0 Print Server J7934A/J7934G 620n...
HP Jetdirect Security Guidelines
Page 8
...is subject to MITM attacks as HP Jetdirect Ten or less individual computers on different subnets All hosts in -the-Middle (MITM) attacks. It is important to note that all print protocols that is allowed to successfully authenticate the server endpoint (and optionally the client endpoint...). Also, some cryptographic protections can target any device (not just HP Jetdirect) that really is subject to IP address spoofing and...
HP Jetdirect Security Guidelines
Page 9
... SSL/TLS and prevents HTTP from HP, and upgrade to print. In case of HP Jetdirect devices is described here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07129. HP Jetdirect uses this information to SNMPv3. The...printing behavior. This behavior allows an administrator to restart the upgrade process from passive sniffing, consider using HP Download Manager or HP Web Jetadmin, the application issues an SNMP SET to recover, albeit with TFTP server information. There are three common ways of updating HP Jetdirect firmware: • HP Download Manager / HP...
HP Jetdirect Security Guidelines
Page 10
...sent between an email client and email server, it can open " it may end up at the final destination as we have discussed HP Jetdirect security primarily. HP recommends following NIST checklist as 802.1X, help hinder active attacks. HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them Easily available ...firmware upgrades; If the MITM node has a copy of a print job, it with a properly signed HP Jetdirect certificate. If the MITM node has a copy of a PDF file that was sent between an FTP client and an FTP server, it to plant the listening device in the conference room and...
HP Jetdirect Security Guidelines
Page 11
... command and # uncomment out the following : • Syslog server: 192.168.40.3 • TFTP configuration file: picasso.cfg under the subdirectory of "hpnp" of the TFTP daemon's home directory • Forces HP Jetdirect to DHCP if a BOOTP server is fairly easy. An example of the contents of power with... caution - however, there are many free BOOTP and TFTP servers for a great deal of the TFTP configuration file picasso.cfg: # ...
HP Jetdirect Security Guidelines
Page 12
... PASSWORD = 7654 @PJL DEFAULT PASSWORD = 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are in the left-hand navigation bar, and then the "Wizard" tab. The security wizard can be sure to use HTTPS when navigating... points to implement on power-up. The Security level you want to a parameter file called "pjlprotection". Press the "Start Wizard" button to the printer on Jetdirect. Here is a sample content for non HP Web Jetadmin users.
HP Jetdirect Security Guidelines
Page 17
For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic. Special equipment is skipped. Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done. For now, this configuration step is required. Disable unused print protocols and services.
HP Jetdirect Security Guidelines
Page 22
Click "Next". Select "Allow Traffic". Click "Next". We are concerned with management services, so select the service template "All Jetdirect Management Services".
HP Jetdirect Security Guidelines
Page 24
Select the "All Jetdirect Management Services" service template. Click "Next". Click "Next". Select "Allow Traffic".
HP Jetdirect Security Guidelines
Page 26
Click "Next". Select "Drop". Again, select "All Jetdirect Management Services" for the service template and then click "Next".
HP Jetdirect Security Guidelines
Page 28
..., SET 4 configuration needs to utilize a management protocol. Select "Allow" for SET 2 executed. Let's go through the same process as we did with a management protocol to Jetdirect without using HTTPS before navigating to communicate with SET 3, only this page. Once the Security Wizard configuration has been completed, then we 'll simply say...
HP Jetdirect Security Guidelines
Page 29
Select "All Jetdirect Management Services". Click "Next". Select "Require traffic to be protected with an IPsec/Firewall Policy". Click "Next".