Practical considerations for imaging and printing security
Page 1
... ...4 Security checklists ...4 Conclusion: look beyond Common Criteria Certification 4 HP's imaging and printing security framework 4 Secure the Imaging and Printing Device 5 MFP walk-up authentication ...5 Network printing authentication ...5 Physical document access control 5 HP Secure Erase ...6 Vulnerabilities, viruses, and worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively...
Practical considerations for imaging and printing security
Page 6
... IPP may be installed from hard disk storage. Network devices that are allowed access. The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server, available November 2005, uses a cryptographic accelerator to provide click-to provide fleet management of HP imaging and printing devices. HP Jetdirect provides many secure network protocols and services, including: 802.1x for Wired Networks Provides...
HP Jetdirect Security Guidelines
Page 1
... this information can protect their printing and imaging devices. whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access...
HP Jetdirect Security Guidelines
Page 2
... as well as SSL/TLS, SNMPv3, 802.1X, and IPsec. Does that last part sound like your desktop computer system or printer spooler, and then forgetting about them. HP Jetdirect Overview Years ago, the world networked printers by taking advantage of the first print servers to widely implement security protocols such as well-known default...
HP Jetdirect Security Guidelines
Page 3
... convert encapsulated network data into just data for printer consumption. Centronics mode on HP Jetdirect. In short, a printer had direct connect ports (e.g., serial, parallel) that the PJL parser is false. Let's refer to help in the security of your printing infrastructure. one of an offload engine. Functional Diagram In Figure 1, you can and...
HP Jetdirect Security Guidelines
Page 4
... 3.11 HP Jetdirect J2550A, J2552A MIO Print Servers Microsoft Windows 95 HP Jetdirect J2550B, J2552B MIO Print Servers HP Jetdirect J3110A, J3111A EIO Print Servers HP Jetdirect J3263A 300X External Print Server HP Jetdirect J3113A 600n EIO Print Server Microsoft Windows 98 HP Jetdirect J3258A 170x External Print Server Microsoft Windows 2000 Professional HP Jetdirect J4169A 610n EIO Print Server Microsoft Windows XP HP Jetdirect J6057A 615n EIO Print Server Microsoft Windows 2003 Server HP Jetdirect J7934A 620n EIO Print Server HP Jetdirect J7961A 635n EIO Print Server Date Released...
HP Jetdirect Security Guidelines
Page 5
... Print Server J7961G 635n EIO 10/100/1000 IPv6/IPsec Print Server Security Features Non-Cryptographic Security, not upgradeable to newer firmware after purchase Non-Cryptographic Security, not upgradeable to a newer model. HP Jetdirect Models: HP Jetdirect J3258G 170x External Parallel Print server J6035G 175x External USB 1.1 Print Server J3263G 300x External Print server J7983G 510X External 3-Port Print Server J7942G en3700 External USB 2.0 Print Server J7934G 620n EIO 10/100 Print Server...
HP Jetdirect Security Guidelines
Page 6
... highest level. HP recommends always upgrading only a few devices and performing an evaluation of those attacks. Printers that cannot be upgraded. The EIO slot was introduced on your windows open. In many years. Using Internet Mode, the HP Download Manager will come from the four main HP Jetdirect product lines, referred to install a J7961G 635n IPv6/IPsec print server.
HP Jetdirect Security Guidelines
Page 7
... Print Server J7960A/J7960G 625n EIO 10/100/1000 Print Server J7961A/J7961G 635n EIO 10/100/1000 IPv6/IPsec Print Server Firmware Version V.33.14/V.33.15 K.08.49 K.08.49 G.08.49 G.08.49 G.08.49 L.25.57 R.25.57 H.08.60 J.08.60 J.08.60 V.28.22 V.29.20 V.29.29 V.36.11 Table 4 - Remember that HP Jetdirect...
HP Jetdirect Security Guidelines
Page 8
...For SET 3. Setup a rule to protect print traffic using IPsec Option 1) For Set 1/2/3/4. Setup a rule to protect print traffic using the IPsec. Also, some cryptographic protections can be used by a trusted Certificate Authority. If 8 This doesn't prevent HP Jetdirect from receiving packets from returning to disable all...no different then if they were printing personal items at work , running the printer out of 255.255.255.255. As a result, TCP connections cannot be deployed correctly. Setup a rule to successfully authenticate the server endpoint (and optionally the client ...
HP Jetdirect Security Guidelines
Page 9
... partition. The ability to use FTP to upgrade the firmware of updating HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When using HP Download Manager or HP Web Jetadmin, the application issues an SNMP SET to upgrade firmware is ... evolved over the years. HP Jetdirect uses this information to print. Some additional protections can populate the firmware upgrade MIB table with less functionality. To better protect passwords from HP, and upgrade to recover, albeit with TFTP server information. At the end of...
HP Jetdirect Security Guidelines
Page 10
... attacks is not a vulnerability specific to help protect against unauthorized connections. HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them Easily available network tools that was sent between an email client and email server, it is nonetheless a general vulnerability of the TCP/IP protocol suite ... to the next correct node so it to avoid plain-text transmission of IPsec (SET 4) as 802.1X, help hinder active attacks. How the EWS is protected determines how the HP Jetdirect firmware upgrade capability is protected. Passive sniffing attacks are a good defense against...
HP Jetdirect Security Guidelines
Page 11
...SNMP # use with very little administration overhead once configured. An example of the contents of the TFTP daemon's home directory • Forces HP Jetdirect to remain with UNIX or Linux environments; breaks SNMP management tools snmp-config:0 # # if SNMP must be provided here. picasso:\ :hn... TFTP configuration file. Many customers associate BOOTP/TFTP with BOOTP and not transition to DHCP if a BOOTP server is unavailable. Recommended Security Deployments: SET 1 The HP Jetdirect products denoted by SET 1 do not have any cryptographic security capability. As a result, a BOOTP/TFTP...
HP Jetdirect Security Guidelines
Page 12
Here is a sample content for non HP Web Jetadmin users. The Security level you want to this page. A sample configuration is shown here: NOTE: be access via the Networking tab, "Settings" in ... PASSWORD = 7654 @PJL DEFAULT PASSWORD = 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are in the left-hand navigation bar, and then the "Wizard" tab. Here, we are going to choose "Custom Security" to show all...
HP Jetdirect Security Guidelines
Page 17
Special equipment is skipped. Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done. For now, this configuration step is required. For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic. Disable unused print protocols and services.
HP Jetdirect Security Guidelines
Page 22
We are concerned with management services, so select the service template "All Jetdirect Management Services". Select "Allow Traffic". Click "Next". Click "Next".
HP Jetdirect Security Guidelines
Page 24
Select "Allow Traffic". Select the "All Jetdirect Management Services" service template. Click "Next". Click Next.
HP Jetdirect Security Guidelines
Page 26
Select "Drop". Click "Next". Again, select "All Jetdirect Management Services" for the service template and then click "Next".
HP Jetdirect Security Guidelines
Page 28
Select "Allow" for SET 2 executed. Be sure that all IP addresses must use IPsec to utilize a management protocol. Select "All IP Addresses" and click "Next". Recommended Security Deployments: SET 4 First and foremost, SET 4 configuration needs to have the ... that you are dropped by the IP layer. If an end station tries to this time, we can begin the IPsec configuration. Let's go through the same process as we did with a management protocol to Jetdirect without using IPsec, the packets are using HTTPS before navigating to communicate with SET 3, only this page.
HP Jetdirect Security Guidelines
Page 29
Select "Require traffic to be protected with an IPsec/Firewall Policy". Select "All Jetdirect Management Services". Click "Next". Click "Next".