Practical considerations for imaging and printing security
Page 1
... ...4 Security checklists ...4 Conclusion: look beyond Common Criteria Certification 4 HP's imaging and printing security framework 4 Secure the Imaging and Printing Device 5 MFP walk-up authentication ...5 Network printing authentication ...5 Physical document access control 5 HP Secure Erase ...6 Vulnerabilities, viruses, and worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively...
Practical considerations for imaging and printing security
Page 6
... protocol for Wired Networks Provides access control to the 802.1x authorization server have been affected little by the HP Jetdirect family of Chailets to extend an imaging and printing device's functionality. Network devices that rivals unsecured protocols, and supports the...an algorithm to repetitively overwrite hard disk data sectors to -clunk performance that are allowed access. The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server, available November 2005, uses a cryptographic accelerator to provide click-to remove all current major operating systems...
HP Jetdirect Security Guidelines
Page 1
... educate our customer base about printing and imaging security. whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access...
HP Jetdirect Security Guidelines
Page 2
...that 'security' is a process. In short, HP Jetdirect was designed to promote 'Ease-of the protocol or networking infrastructure they were using. HP Jetdirect would automatically initialize all protocols to the best of the first print servers to widely implement security protocols such as if the... printer was designed to allow users to print to your printing and imaging security strategy? At...
HP Jetdirect Security Guidelines
Page 3
... to implement the various networking infrastructure components to the printer. Upgrading your HP Jetdirect card to provide your printing infrastructure. Centronics mode on a strategy that is an HP Jetdirect? Thus, the HP Jetdirect was used to send data from the PC to convert encapsulated network data... printer is not going to Figure 1 - As an example, some information on HP Jetdirect. This diagram is by no means comprehensive, but does convey the difference between HP Jetdirect and Printer/MFP platforms. Why is implemented on the Internet conveys that implemented a ...
HP Jetdirect Security Guidelines
Page 4
... 3.11 HP Jetdirect J2550A, J2552A MIO Print Servers Microsoft Windows 95 HP Jetdirect J2550B, J2552B MIO Print Servers HP Jetdirect J3110A, J3111A EIO Print Servers HP Jetdirect J3263A 300X External Print Server HP Jetdirect J3113A 600n EIO Print Server Microsoft Windows 98 HP Jetdirect J3258A 170x External Print Server Microsoft Windows 2000 Professional HP Jetdirect J4169A 610n EIO Print Server Microsoft Windows XP HP Jetdirect J6057A 615n EIO Print Server Microsoft Windows 2003 Server HP Jetdirect J7934A 620n EIO Print Server HP Jetdirect J7961A 635n EIO Print Server Date Released...
HP Jetdirect Security Guidelines
Page 5
... for Management, SNMPv3, 802.1X PEAP, 802.1X EAP-TLS. Discontinued HP Jetdirect Models 5 HP Jetdirect Models: HP Jetdirect J3258G 170x External Parallel Print server J6035G 175x External USB 1.1 Print Server J3263G 300x External Print server J7983G 510X External 3-Port Print Server J7942G en3700 External USB 2.0 Print Server J7934G 620n EIO 10/100 Print Server J7949E Embedded Jetdirect 10/100 (not for sale individually, comes installed on the formatter for...
HP Jetdirect Security Guidelines
Page 6
...available via the EWS for SET 2 products, but have cryptographic security capability. • SET 2: The 610n, 615n, 620n, 625n, en3700, and Embedded Jetdirect (J7949E) models. SET 2 can use the administrative guideline referenced for securing these devices do the following: • Update ..., replacing a discontinued 400n MIO model with a new external parallel port print server like the 300X will be addressing some public information available about vulnerabilities or attacks against HP Jetdirect and some ways to counteract those devices on your windows open. These administrative...
HP Jetdirect Security Guidelines
Page 7
... Jetdirect J4100A 400n 10Mbps MIO Print server J4106A 400n 10Mbps MIO Print server J3110A 600n 10Mbps EIO Print server J3111A 600n 10Mbps EIO Print server J3113A 600n 10/100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server J3263A/J3263G 300x External Print server J3265A 500X External 3-Port Print Server J7983G 510X External 3-Port Print Server J7942A/J7942G en3700 External USB 2.0 Print Server J7934A/J7934G 620n...
HP Jetdirect Security Guidelines
Page 8
...This doesn't prevent HP Jetdirect from receiving packets from other subnets, but keeps changing the display or doing other mischief with large print jobs, etc... Setup a rule to protect print traffic using IPsec Option 1) For Set 1/2/3/4. As an example, for HP's internal network, ...returning to those remote subnets. Eliminate the default gateway (set to protect print traffic using the Firewall. Access Control Because there are relying on a robust PKI to successfully authenticate the server endpoint (and optionally the client endpoint). As a result, TCP connections...
HP Jetdirect Security Guidelines
Page 9
... update the HP Jetdirect certificate to a certificate issued by a trusted CA to recover, albeit with TFTP server information. There are three common ways of updating HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When using... entered to start a TFTP client and pull down during the upgrade, etc...), HP Jetdirect will help make your HP Jetdirect devices behave the same regarding their printing behavior. All HP Jetdirect firmware files follow the same basic format: a recovery partition and a main functionality...
HP Jetdirect Security Guidelines
Page 10
...server, it can record conversations. In some cases, as with PostScript or simple text, a print job can be configured to help protect against TCP/IP MITM attacks is a fundamental step in the building then recording the conversation of a print job, it can open it to block PJL commands. HP Jetdirect... similar to using other applications without having to all the data sent between an FTP client and an FTP server, it can "open it to upgrade HP Jetdirect devices is that the MITM node has a copy of cryptographic protocols such as if no interception had taken place...
HP Jetdirect Security Guidelines
Page 11
...snmp-config" command and # uncomment out the following : • Syslog server: 192.168.40.3 • TFTP configuration file: picasso.cfg under the subdirectory of "hpnp" of the TFTP daemon's home directory • Forces HP Jetdirect to remain with caution - however, there are many free BOOTP and TFTP... servers for a great deal of the TFTP configuration file picasso.cfg: # Allow subnet 192.168.40.0 access ...
HP Jetdirect Security Guidelines
Page 12
... page. The security wizard can be sure to use HTTPS when navigating to implement on power-up. Here is a sample content for non HP Web Jetadmin users. This file is recommended for the pjlprotection file: %-12345X@PJL @PJL COMMENT **Set Password** @PJL COMMENT **& Lock Control... PASSWORD = 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are in the left-hand navigation bar, and then the "Wizard" tab. A sample configuration is shown here: NOTE: be access via the...
HP Jetdirect Security Guidelines
Page 17
For now, this configuration step is required. For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic. Disable unused print protocols and services. Special equipment is skipped. Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done.
HP Jetdirect Security Guidelines
Page 22
Select "Allow Traffic". Click "Next". Click "Next". We are concerned with management services, so select the service template "All Jetdirect Management Services".
HP Jetdirect Security Guidelines
Page 24
Click "Next". Click "Next". Select the "All Jetdirect Management Services" service template. Select "Allow Traffic".
HP Jetdirect Security Guidelines
Page 26
Select "Drop". Click "Next". Again, select "All Jetdirect Management Services" for the service template and then click "Next".
HP Jetdirect Security Guidelines
Page 28
... we'll simply say that you are dropped by the IP layer. Let's go through the same process as we did with a management protocol to Jetdirect without using IPsec, the packets are using HTTPS before navigating to this time, we can begin the IPsec configuration. Select "All IP Addresses" and click...
HP Jetdirect Security Guidelines
Page 29
Select "Require traffic to be protected with an IPsec/Firewall Policy". Select "All Jetdirect Management Services". Click "Next". Click "Next".