HP Jetdirect Security Guidelines
Page 1
... customer concerns about preventing those attacks. whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access 10 Recommended Security...
HP Jetdirect Security Guidelines
Page 6
...password has been specified • The default SNMPv1/v2c SET Community Name has been changed • All non-active protocols have been discontinued for securing these... for securing these devices do not have the most security capability in networking protocol and security support. HP recommends always upgrading only a few devices and performing an evaluation of IPv4...500x, 510x, 400n, 600n models. As a reminder, these devices is located here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07576 • SET 3: The 630n and Embedded Jetdirect (J7982E, J7987E, ...
HP Jetdirect Security Guidelines
Page 9
... to update the HP Jetdirect certificate to a certificate issued by HP Jetdirect to upgrade firmware is described here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07129. HP Jetdirect Hacks: Password and SNMP Community Names HP Jetdirect password and SNMP Community Name behavior has definitely evolved...software and firmware, change your HP Jetdirect, use FTP to upgrade the firmware of HP Jetdirect devices is described here: http://www.hp.com/go/webjetadmin_firmware. In case of an upgrade programming failure (due to a network outage, client lockup, printer ...
HP Jetdirect Security Guidelines
Page 11
...; TFTP configuration file: picasso.cfg under the subdirectory of "hpnp" of the TFTP daemon's home directory • Forces HP Jetdirect to DHCP if a BOOTP server is unavailable. An example of the contents of power with BOOTP and not transition to ... :T151="BOOTP-ONLY": This configuration provides the following : # set-community-name: Security4Me3 # get-community-name: notpublic # default-get-community: 0 # # parameter file parm-file: hpnp/pjlprotection # 11 Recommended Security Deployments: SET 1 The HP Jetdirect products denoted by SET 1 do not have any cryptographic security capability. ...
HP JetDirect Print Servers 600N/400N/500X/300X Administrator's Guide - 5969-3521
Page 33
... the routers are properly configured. The BOOTP reply may not be located on your network. Configuration parameters retrieved via TFTP are not secure. If you specify a community name for your printer, select a name that contains its MAC (hardware) address. When the HP JetDirect print server is powered on, it broadcasts a BOOTP request that is different from...
HP JetDirect Print Servers 600N/400N/500X/300X Administrator's Guide - 5969-3521
Page 35
...server that specifies the relative path name of 2) The gateway IP address tag. For file format information, refer to your HP JetDirect print server, such as host names, must be used by the HP JetDirect print server to the path....Names, such as SNMP (Simple Network Management Protocol) or non-default settings, an additional configuration file can contain only letters, numbers, periods, or hyphens. The underline character (_) is 33 characters. TFTP Configuration File Entries To provide additional configuration parameters for your system documentation or online help for communications...
HP JetDirect Print Servers 600N/400N/500X/300X Administrator's Guide - 5969-3521
Page 36
#
# Example of an HP JetDirect TFTP Configuration File
#
# Allow only Subnet 13.10.10 access to peripheral.
# Up to four 'allow' entries can be written via TFTP.
# Up to 10 'allow' entries can be written via SNMP.
# 'allow' may include single IP addresses.
#
allow: 13.10.10.0 255.255.255.0
#
#
# Disable Telnet
#
telnet: 0
#
# Enable the embedded web server
#
ews-config: 1
#
# Detect SNMP unauthorized usage
#
authentication-trap: on
#
# Send Traps to 13.10.10.1
#
trap-dest: 13.10.10.1
#
# Specify the Set Community Name
#
set-community-name: 1homer2
#
# End of file
HP JetDirect Print Servers 600N/400N/500X/300X Administrator's Guide - 5969-3521
Page 38
... be set -communityname: Specifies a password that are sent by the HP JetDirect print server to . Newer HP JetDirect EIO cards will not support the separate SNMP authentication trap setting. (All SNMP traps will respond to those traps. set in the print server's host access list. Community names must have a trap daemon to listen to . This may contain...
HP JetDirect Print Servers 600N/400N/500X/300X Administrator's Guide - 5969-3521
Page 56
... Parameter Examples (2 of 2) Port and Banner port:2 Page Example banner:0 Set Community Name Example set-cmntyname: my_network DHCP Parameter dhcp-config: Example 1 Host Name Example (to assign or change a name) host-name: MY_PRINTER For multiport JetDirect print servers, 'port' specifies the port that enables external network management entities to 32 alpha and numeric characters and can be...
HP JetDirect Print Servers 600N/400N/500X/300X Administrator's Guide - 5969-3521
Page 103
...Default Gateway. The NET and NODE information can verify whether or not this is the only device using the Phase 2 EtherTalk protocol. Name and zone verify you are printed on the configuration page. 7 DLC/LLC status Lists the server address after it has information (Table... below READY) indicates that the Default Gateway is even enabled. If a router is used to verify that is communicating correctly on the network. EN Troubleshooting the HP JetDirect Print Server 97 Note: Only the first 18 characters of the router. Table 6.1 MIO and EIO Ethernet Configuration ...
HP JetDirect Print Servers 600N/400N/500X/300X Administrator's Guide - 5969-3521
Page 117
... awaiting data. If UNKNOWN is listed, the HP JetDirect print server is still trying to determine which network number to the NetWare data being transferred over the network. The RCVD count indicates how many packets have been received for communication between server and printer. The name of the NetWare file server or print server. Excessive retransmissions...
HP JetDirect Print Servers 600N/400N/500X/300X Administrator's Guide - 5969-3521
Page 120
... configured for GetRequests. This parameter is omitted when the print server is configured from the host. 114 HP JetDirect Configuration Page Messages EN NOT SPECIFIED indicates that the print server will not accept any SNMP community names for the print server. ALL indicates that the server's IP address field in the BOOTP reply packet...
HP JetDirect Print Servers 600N/400N/500X/300X Administrator's Guide - 5969-3521
Page 128
... located in the directory at this time or a communications problem may not be located in the specified NDS context. NDS ERR: UNRESOLVD PRNTR OBJ The printer object cannot be running at this HP JetDirect print server. Check licenses on the network. The server may be located in the NDS directory...QUEUE The print queue object cannot be FIND TREE caused because the file server is not supported. NDS ERR: SRVR NAME UNRESOLVD The file server on the network cannot be located. Make sure that the print server object is defined in the NDS directory. NDS PRINT OBJ The ...
HP JetDirect Print Servers 600N/400N/500X/300X Administrator's Guide - 5969-3521
Page 130
...transfers data in one direction only (to create the print server object. The HP JetDirect print server detected that has been detected for network communications using switches or jumpers. For MIO cards, a "-M" suffix indicates the configuration has been manually set using a 10/...HP JetDirect print server logs on the configuration page if none of 15) Message PARALLEL PORT X: Description CENTRONICS indicates a standard parallel connection that supports an enhanced capabilities port. When this message is displayed, the other AppleTalk messages (ADDRESS, APPLETALK NAME, ZONE NAME...
HP JetDirect Print Servers 600N/400N/500X/300X Administrator's Guide - 5969-3521
Page 158
...LLC 115 EtherTalk/LocalTalk 112 HP JetDirect 109, 115 TCP/IP 113 MFG ID 121 MODE 110 N NDPS, see HP IP/IPX printer gateway for NDPS NDS AUTHENTICATION ERROR 121 CONNECTION STATE ERROR 122 PRINT OBJ QUEUE LIST ERROR 122 PRINT SERVER NAME ERROR 123 PRINTER OBJ ...UNRESOLVED QUEUE 122 NetWare networks configuration messages 110 testing communication with JetAdmin 91 network EtherTalk or LocalTalk (Mac OS) 16 verifying configuration 18 NETWORK FRAME TYPE RCVD 111 network printer configuration NT 3.51 69 NT 4.0 70 NIS (Network Information Service) 26 NO QUEUE ASSIGNED 123 NODE NAME 110 NOT CONFIGURED ...