Practical considerations for imaging and printing security
Page 1
... ...4 Security checklists ...4 Conclusion: look beyond Common Criteria Certification 4 HP's imaging and printing security framework 4 Secure the Imaging and Printing Device 5 MFP walk-up authentication ...5 Network printing authentication ...5 Physical document access control 5 HP Secure Erase ...6 Vulnerabilities, viruses, and worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively...
... ...4 Security checklists ...4 Conclusion: look beyond Common Criteria Certification 4 HP's imaging and printing security framework 4 Secure the Imaging and Printing Device 5 MFP walk-up authentication ...5 Network printing authentication ...5 Physical document access control 5 HP Secure Erase ...6 Vulnerabilities, viruses, and worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively...
Practical considerations for imaging and printing security
Page 6
... development, and as a result these devices have all network access denied. 802.1x can secure network printing and scanning protocols. The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server, available November 2005, uses a cryptographic accelerator to provide click-to-clunk performance that afflict enterprise networks. While the ingenuity of products, including internal...
... development, and as a result these devices have all network access denied. 802.1x can secure network printing and scanning protocols. The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server, available November 2005, uses a cryptographic accelerator to provide click-to-clunk performance that afflict enterprise networks. While the ingenuity of products, including internal...
HP Jetdirect Security Guidelines
Page 1
... customer base about preventing those attacks. whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access 10 Recommended...
... customer base about preventing those attacks. whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP access 10 Recommended...
HP Jetdirect Security Guidelines
Page 2
... and protocols that this growth period in the market place regarding protocol suites and networking infrastructure. Hundreds of the first print servers to have the same ease of competition in network printing, functionality within HP Jetdirect was designed to be broken later today. These spoolers then shared the printers via parallel ports or serial ports...
... and protocols that this growth period in the market place regarding protocol suites and networking infrastructure. Hundreds of the first print servers to have the same ease of competition in network printing, functionality within HP Jetdirect was designed to be broken later today. These spoolers then shared the printers via parallel ports or serial ports...
HP Jetdirect Security Guidelines
Page 3
... implemented on HP Jetdirect. In short, a printer had direct connect ports (e.g.,...to Figure 1 - Thus, the HP Jetdirect was used to send data from...HP Jetdirect can see the standard diagram of an offload engine. As customers began to network their printers, HP... decided to help in IEEE 1284.4. Let's refer to be an example. First and foremost, we can understand what HP Jetdirect...difference between HP Jetdirect and Printer/MFP platforms. Why is an HP Jetdirect? Upgrading your HP Jetdirect card to ... Protocol offload engines. one of your HP Jetdirect card to network spoolers, often a simple...
... implemented on HP Jetdirect. In short, a printer had direct connect ports (e.g.,...to Figure 1 - Thus, the HP Jetdirect was used to send data from...HP Jetdirect can see the standard diagram of an offload engine. As customers began to network their printers, HP... decided to help in IEEE 1284.4. Let's refer to be an example. First and foremost, we can understand what HP Jetdirect...difference between HP Jetdirect and Printer/MFP platforms. Why is an HP Jetdirect? Upgrading your HP Jetdirect card to ... Protocol offload engines. one of your HP Jetdirect card to network spoolers, often a simple...
HP Jetdirect Security Guidelines
Page 4
... 3.11 HP Jetdirect J2550A, J2552A MIO Print Servers Microsoft Windows 95 HP Jetdirect J2550B, J2552B MIO Print Servers HP Jetdirect J3110A, J3111A EIO Print Servers HP Jetdirect J3263A 300X External Print Server HP Jetdirect J3113A 600n EIO Print Server Microsoft Windows 98 HP Jetdirect J3258A 170x External Print Server Microsoft Windows 2000 Professional HP Jetdirect J4169A 610n EIO Print Server Microsoft Windows XP HP Jetdirect J6057A 615n EIO Print Server Microsoft Windows 2003 Server HP Jetdirect J7934A 620n EIO Print Server HP Jetdirect J7961A 635n EIO Print Server Date Released...
... 3.11 HP Jetdirect J2550A, J2552A MIO Print Servers Microsoft Windows 95 HP Jetdirect J2550B, J2552B MIO Print Servers HP Jetdirect J3110A, J3111A EIO Print Servers HP Jetdirect J3263A 300X External Print Server HP Jetdirect J3113A 600n EIO Print Server Microsoft Windows 98 HP Jetdirect J3258A 170x External Print Server Microsoft Windows 2000 Professional HP Jetdirect J4169A 610n EIO Print Server Microsoft Windows XP HP Jetdirect J6057A 615n EIO Print Server Microsoft Windows 2003 Server HP Jetdirect J7934A 620n EIO Print Server HP Jetdirect J7961A 635n EIO Print Server Date Released...
HP Jetdirect Security Guidelines
Page 5
HP Jetdirect Models: HP Jetdirect J3258G 170x External Parallel Print server J6035G 175x External USB 1.1 Print Server J3263G 300x External Print server J7983G 510X External 3-Port Print Server J7942G en3700 External USB 2.0 Print Server J7934G 620n EIO 10/100 Print Server J7949E Embedded Jetdirect 10/100 (not for sale individually, comes installed on the formatter for certain printers/MFP devices) J7982E Embedded Jetdirect 10/100 (not for sale individually, comes...
HP Jetdirect Models: HP Jetdirect J3258G 170x External Parallel Print server J6035G 175x External USB 1.1 Print Server J3263G 300x External Print server J7983G 510X External 3-Port Print Server J7942G en3700 External USB 2.0 Print Server J7934G 620n EIO 10/100 Print Server J7949E Embedded Jetdirect 10/100 (not for sale individually, comes installed on the formatter for certain printers/MFP devices) J7982E Embedded Jetdirect 10/100 (not for sale individually, comes...
HP Jetdirect Security Guidelines
Page 6
...can see, replacing a discontinued 400n MIO model with a new external parallel port print server like the 300X will be addressing some public information available about vulnerabilities or attacks against HP Jetdirect and some ways to counteract those devices on the basis of the 635n can use...• An Embedded Web Server (EWS) password has been specified • The default SNMPv1/v2c SET Community Name has been changed • All non-active protocols have cryptographic security capability. • SET 2: The 610n, 615n, 620n, 625n, en3700, and Embedded Jetdirect (J7949E) models. These ...
...can see, replacing a discontinued 400n MIO model with a new external parallel port print server like the 300X will be addressing some public information available about vulnerabilities or attacks against HP Jetdirect and some ways to counteract those devices on the basis of the 635n can use...• An Embedded Web Server (EWS) password has been specified • The default SNMPv1/v2c SET Community Name has been changed • All non-active protocols have cryptographic security capability. • SET 2: The 610n, 615n, 620n, 625n, en3700, and Embedded Jetdirect (J7949E) models. These ...
HP Jetdirect Security Guidelines
Page 7
... Embedded Jetdirect J4100A 400n 10Mbps MIO Print server J4106A 400n 10Mbps MIO Print server J3110A 600n 10Mbps EIO Print server J3111A 600n 10Mbps EIO Print server J3113A 600n 10/100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server J3263A/J3263G 300x External Print server J3265A 500X External 3-Port Print Server J7983G 510X External 3-Port Print Server J7942A/J7942G en3700 External USB 2.0 Print Server J7934A/J7934G 620n...
... Embedded Jetdirect J4100A 400n 10Mbps MIO Print server J4106A 400n 10Mbps MIO Print server J3110A 600n 10Mbps EIO Print server J3111A 600n 10Mbps EIO Print server J3113A 600n 10/100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server J3263A/J3263G 300x External Print server J3265A 500X External 3-Port Print Server J7983G 510X External 3-Port Print Server J7942A/J7942G en3700 External USB 2.0 Print Server J7934A/J7934G 620n...
HP Jetdirect Security Guidelines
Page 8
...3) For SET 4. Option 2) For SET 3. Setup a rule to protect print traffic using the Firewall Option 3) For SET 4. Access Control Because there are relying on a robust PKI to successfully authenticate the server endpoint (and optionally the client endpoint). Also, some cryptographic protections can be used...correctly. Options Option 1) For SET 1/2/3/4. Option 3) For SET 3. Setup a rule to protect print traffic using the IPsec. How to disable these protocols can target any device (not just HP Jetdirect) that really is to disable all TCP/IP traffic to any TCP/IP traffic. This doesn...
...3) For SET 4. Option 2) For SET 3. Setup a rule to protect print traffic using the Firewall Option 3) For SET 4. Access Control Because there are relying on a robust PKI to successfully authenticate the server endpoint (and optionally the client endpoint). Also, some cryptographic protections can be used...correctly. Options Option 1) For SET 1/2/3/4. Option 3) For SET 3. Setup a rule to protect print traffic using the IPsec. How to disable these protocols can target any device (not just HP Jetdirect) that really is to disable all TCP/IP traffic to any TCP/IP traffic. This doesn...
HP Jetdirect Security Guidelines
Page 9
... client software from being used by Hewlett-Packard as proof of updating HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When using HP Download Manager or HP Web Jetadmin, the application issues an SNMP SET to successfully set the... HP Jetdirect will help make your passwords on your HP Jetdirect, use FTP to upgrade the firmware of HP Jetdirect devices is required to be provided, in the form of color being used by a trusted CA to recover, albeit with TFTP server information. they are trusted to establish a print ...
... client software from being used by Hewlett-Packard as proof of updating HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When using HP Download Manager or HP Web Jetadmin, the application issues an SNMP SET to successfully set the... HP Jetdirect will help make your passwords on your HP Jetdirect, use FTP to upgrade the firmware of HP Jetdirect devices is required to be provided, in the form of color being used by a trusted CA to recover, albeit with TFTP server information. they are trusted to establish a print ...
HP Jetdirect Security Guidelines
Page 10
...MFP access Up until now, we 've seen from a node by sending it with the printer/MFP's PJL library over a print connection. HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them Easily available network tools that can use the EWS to provide a lot of ARP protection and monitoring since ARP...listening device in the conference room and instead pulling a fire alarm in a manner that was sent between an FTP client and an FTP server, it can be opened using other applications without having to send it to a printer. firmware upgrades; This active/passive behavior is the ...
...MFP access Up until now, we 've seen from a node by sending it with the printer/MFP's PJL library over a print connection. HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them Easily available network tools that can use the EWS to provide a lot of ARP protection and monitoring since ARP...listening device in the conference room and instead pulling a fire alarm in a manner that was sent between an FTP client and an FTP server, it can be opened using other applications without having to send it to a printer. firmware upgrades; This active/passive behavior is the ...
HP Jetdirect Security Guidelines
Page 11
... enabled, comment out the "snmp-config" command and # uncomment out the following : • Syslog server: 192.168.40.3 • TFTP configuration file: picasso.cfg under the subdirectory of "hpnp" of the TFTP daemon's home directory • Forces HP Jetdirect to remain with UNIX or Linux environments; As a result, a BOOTP/TFTP configuration is fairly...
... enabled, comment out the "snmp-config" command and # uncomment out the following : • Syslog server: 192.168.40.3 • TFTP configuration file: picasso.cfg under the subdirectory of "hpnp" of the TFTP daemon's home directory • Forces HP Jetdirect to remain with UNIX or Linux environments; As a result, a BOOTP/TFTP configuration is fairly...
HP Jetdirect Security Guidelines
Page 12
... PASSWORD = 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are in SET 2, the security wizard is shown here: NOTE: be access via the Networking tab, "Settings" in the left-hand navigation... bar, and then the "Wizard" tab. Here is a sample content for non HP Web Jetadmin users. The security wizard can be sure to use HTTPS when navigating to a customer. 12 The TFTP configuration file points to the...
... PASSWORD = 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are in SET 2, the security wizard is shown here: NOTE: be access via the Networking tab, "Settings" in the left-hand navigation... bar, and then the "Wizard" tab. Here is a sample content for non HP Web Jetadmin users. The security wizard can be sure to use HTTPS when navigating to a customer. 12 The TFTP configuration file points to the...
HP Jetdirect Security Guidelines
Page 17
Special equipment is skipped. 17 For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic. For now, this configuration step is required. Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done. Disable unused print protocols and services.
Special equipment is skipped. 17 For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic. For now, this configuration step is required. Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done. Disable unused print protocols and services.
HP Jetdirect Security Guidelines
Page 22
Select "Allow Traffic". Click "Next" 22 Click "Next". We are concerned with management services, so select the service template "All Jetdirect Management Services".
Select "Allow Traffic". Click "Next" 22 Click "Next". We are concerned with management services, so select the service template "All Jetdirect Management Services".
HP Jetdirect Security Guidelines
Page 24
Select "Allow Traffic". Select the "All Jetdirect Management Services" service template. Click Next. 24 Click "Next".
Select "Allow Traffic". Select the "All Jetdirect Management Services" service template. Click Next. 24 Click "Next".
HP Jetdirect Security Guidelines
Page 26
Click "Next". 26 Select "Drop". Again, select "All Jetdirect Management Services" for the service template and then click "Next".
Click "Next". 26 Select "Drop". Again, select "All Jetdirect Management Services" for the service template and then click "Next".
HP Jetdirect Security Guidelines
Page 28
... IPsec configuration. Select "All IP Addresses" and click "Next". 28 Once the Security Wizard configuration has been completed, then we did with a management protocol to Jetdirect without using HTTPS before navigating to this time, we'll simply say that you are using IPsec, the packets are dropped by the IP layer.
... IPsec configuration. Select "All IP Addresses" and click "Next". 28 Once the Security Wizard configuration has been completed, then we did with a management protocol to Jetdirect without using HTTPS before navigating to this time, we'll simply say that you are using IPsec, the packets are dropped by the IP layer.
HP Jetdirect Security Guidelines
Page 29
Click "Next". 29 Select "All Jetdirect Management Services". Click "Next". Select "Require traffic to be protected with an IPsec/Firewall Policy".
Click "Next". 29 Select "All Jetdirect Management Services". Click "Next". Select "Require traffic to be protected with an IPsec/Firewall Policy".