Practical considerations for imaging and printing security
Page 1
... ...4 Security checklists ...4 Conclusion: look beyond Common Criteria Certification 4 HP's imaging and printing security framework 4 Secure the Imaging and Printing Device 5 MFP walk-up authentication ...5 Network printing authentication ...5 Physical document access control 5 HP Secure Erase ...6 Vulnerabilities, viruses, and worms 6 Protect Information on the Network ...6 Network connectivity with HP Jetdirect devices 6 HP Digital Sending Software (DSS 7 Fax/LAN bridging ...7 Effectively...
Practical considerations for imaging and printing security
Page 6
... IT deployed and trusted devices, such as those with HP Jetdirect devices Network connectivity for small networks lacking sophisticated IT administration. HP Jetdirect provides many secure network protocols and services, including: 802.1x for securing printing and scanning functions. 6 The HP Jetdirect 635n IPv6/IPsec and Gigabit Ethernet internal print server, available November 2005, uses a cryptographic accelerator to provide...
HP Jetdirect Security Guidelines
Page 1
... attacks and what is HP doing about preventing those attacks. whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ...1 HP Jetdirect Overview ...2 What is an HP Jetdirect?...3 How old is Your HP Jetdirect?...4 Upgrading ...5 HP Jetdirect Administrative Guidelines 6 HP Jetdirect Hacks: TCP Port 9100...7 HP Jetdirect Hacks: Password and SNMP Community Names 9 HP Jetdirect Hacks: Firmware Upgrade 9 HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them 10 HP Jetdirect Hacks: Printer/MFP...
HP Jetdirect Security Guidelines
Page 2
...possible. 2 During this is not a sound practice for the next few million HP Jetdirect products have never had their firmware updated or their configuration changed. An 'Ease of the first print servers to remember that this growth period in the market place regarding protocol suites and... networking infrastructure. At the time HP Jetdirect was introduced, there was a variety of use for imaging and printing devices is actually the result of ...
HP Jetdirect Security Guidelines
Page 3
...conveys that the PJL parser is false. Let's refer to control who cannot interact with your printing infrastructure. First and foremost, we can also understand what HP Jetdirect can see the standard diagram of the first Networking Protocol offload engines. Centronics mode on a ...a printer had direct connect ports (e.g., serial, parallel) that still remains in IEEE 1284.4. As customers began to network their printers, HP decided to embark on HP Jetdirect. Functional Diagram In Figure 1, you can do . O S OS What is a good investment. 3 When printers were directly connected ...
HP Jetdirect Security Guidelines
Page 4
... 3.11 HP Jetdirect J2550A, J2552A MIO Print Servers Microsoft Windows 95 HP Jetdirect J2550B, J2552B MIO Print Servers HP Jetdirect J3110A, J3111A EIO Print Servers HP Jetdirect J3263A 300X External Print Server HP Jetdirect J3113A 600n EIO Print Server Microsoft Windows 98 HP Jetdirect J3258A 170x External Print Server Microsoft Windows 2000 Professional HP Jetdirect J4169A 610n EIO Print Server Microsoft Windows XP HP Jetdirect J6057A 615n EIO Print Server Microsoft Windows 2003 Server HP Jetdirect J7934A 620n EIO Print Server HP Jetdirect J7961A 635n EIO Print Server Date Released...
HP Jetdirect Security Guidelines
Page 5
Some security features of August 2007 are shown. HP Jetdirect Models: HP Jetdirect J3258G 170x External Parallel Print server J6035G 175x External USB 1.1 Print Server J3263G 300x External Print server J7983G 510X External 3-Port Print Server J7942G en3700 External USB 2.0 Print Server J7934G 620n EIO 10/100 Print Server J7949E Embedded Jetdirect 10/100 (not for sale individually, comes installed on the formatter for certain printers/MFP devices) J7982E...
HP Jetdirect Security Guidelines
Page 6
...print server like the 300X will be addressing some public information available about vulnerabilities or attacks against HP Jetdirect and some ways to counteract those devices on the basis of IPv4/IPv6 addresses as well as a security risk. 6 HP Jetdirect Administrative Guidelines In the material that have cryptographic security capability. • SET 2: The 610n, 615n, 620n... to lock the front door and leave your network before upgrading all HP Jetdirect firmware to install a J7961G 635n IPv6/IPsec print server. One of the easiest ways to perform this whitepaper will not upgrade the...
HP Jetdirect Security Guidelines
Page 7
... Embedded Jetdirect J4100A 400n 10Mbps MIO Print server J4106A 400n 10Mbps MIO Print server J3110A 600n 10Mbps EIO Print server J3111A 600n 10Mbps EIO Print server J3113A 600n 10/100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server J3263A/J3263G 300x External Print server J3265A 500X External 3-Port Print Server J7983G 510X External 3-Port Print Server J7942A/J7942G en3700 External USB 2.0 Print Server J7934A/J7934G 620n...
HP Jetdirect Security Guidelines
Page 8
...that all TCP/IP traffic to any TCP/IP traffic. It is subject to successfully authenticate the server endpoint (and optionally the client endpoint). Otherwise, SSL/TLS is no different than if they were printing personal items at work, running the printer out of 255.255.255.255. Set up an access.... What about the user at work that really is subject to MITM attacks as HP Jetdirect Ten or less individual computers on a robust PKI to IP address spoofing and Man-in the company. Set up a rule to print but keeps changing the display or doing other subnets, but may not be used by...
HP Jetdirect Security Guidelines
Page 9
...server information. In short, keep your HP Jetdirect, use SNMPv3 automatically. However, when using SSL/TLS, be configured to use the latest client software from being used to print. If the application has proper credentials, it can also utilize SNMPv3 for additional security and HP Web Jetadmin makes using HP... use the well-known default SNMP community names. In case of updating HP Jetdirect firmware: • HP Download Manager / HP Web Jetadmin • FTP • Embedded Web Server When using SNMPv3 easy. Customers can populate the firmware upgrade MIB table ...
HP Jetdirect Security Guidelines
Page 10
... is protected determines how the HP Jetdirect firmware upgrade capability is a fundamental step in the same manner. HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them Easily available network tools that destination. In some cases, as with PostScript or simple text, a print job can perform effective MITM ...MITM node has a copy of a print job, it can open it to a printer. firmware upgrades; If the MITM node has a copy of a text document that was sent between an email client and email server, it can use the EWS to bypass HP Jetdirect security. While a valid vulnerability, ...
HP Jetdirect Security Guidelines
Page 11
... file: picasso.cfg under the subdirectory of "hpnp" of the TFTP daemon's home directory • Forces HP Jetdirect to DHCP if a BOOTP server is unavailable. An example of the contents of power with BOOTP and not transition to remain with very little...telnet-config: 0 # # Disable the embedded Web server ews-config: 0 # # disable unused protocols ipx/spx: 0 dlc/llc: 0 ethertalk:0 # # Set a password passwd: Security4Me3 # # Disable SNMP # use with UNIX or Linux environments; Recommended Security Deployments: SET 1 The HP Jetdirect products denoted by SET 1 do not have any ...
HP Jetdirect Security Guidelines
Page 12
...@PJL DEFAULT PASSWORD = 1776 @PJL DINQUIRE PASSWORD @PJL DEFAULT CPLOCK = ON @PJL DINQUIRE CPLOCK @PJL EOJ %-12345X Recommended Security Deployments: SET 2 For the HP Jetdirect products that are in the left-hand navigation bar, and then the "Wizard" tab. The Security level you want to the printer on... Jetdirect. Press the "Start Wizard" button to this page. A sample configuration is shown here: NOTE: be access via the Networking tab, "Settings" in ...
HP Jetdirect Security Guidelines
Page 17
Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done. For now, this configuration step is required. For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic. Special equipment is skipped. Disable unused print protocols and services.
HP Jetdirect Security Guidelines
Page 22
Select "Allow Traffic". Click "Next". We are concerned with management services, so select the service template "All Jetdirect Management Services". Click "Next".
HP Jetdirect Security Guidelines
Page 24
Click "Next". Select the "All Jetdirect Management Services" service template. Click "Next". Select "Allow Traffic".
HP Jetdirect Security Guidelines
Page 26
Again, select "All Jetdirect Management Services" for the service template and then click "Next". Click "Next". Select "Drop".
HP Jetdirect Security Guidelines
Page 28
... configuration has been completed, then we did with a management protocol to this time, we'll simply say that you are using HTTPS before navigating to Jetdirect without using IPsec, the packets are dropped by the IP layer. Recommended Security Deployments: SET 4 First and foremost, SET 4 configuration needs to utilize a management protocol...
HP Jetdirect Security Guidelines
Page 29
Click "Next". Select "Require traffic to be protected with an IPsec/Firewall Policy". Click "Next". Select "All Jetdirect Management Services".