HP J2550B White Paper
Contents
[Screenshot: Print Protocols and Services page. "Select the protocols and services that you want to enable." Enable Print Protocols: IPX/SPX, AppleTalk, DLC/LLC. Enable Print Services: 9100, LPD, IPP, FTP. Enable Device Discovery: SLP, mDNS, Multicast IPv4.]

Device discovery helps in device management but may not be required in all environments.

802.1X authentication can also be done here. For a complete discussion of 802.1X, see the HP Jetdirect whitepapers on the topic. For now, this configuration step is skipped.

[Screenshot: 802.1X Authentication page. "WARNING: Use caution when changing the print server's authentication settings; you may lose your connection." Enable Protocols: PEAP, EAP-TLS. User Name: NPIE8014E. Password, Confirm Password. Server ID, Require Exact Match. Encryption Strength: Low (DES 56-bit, RC4 128-bit, or 3DES 168-bit). Jetdirect Certificate. CA Certificate: Not Installed. Authentication Behavior: Reauthenticate on Apply.]

Configuration Review

[Screenshot: Configuration Review page. "You have selected the following security settings. Verify that your settings are correct. Click Back to change your settings. Click Finish when you are ready to complete the configuration."]
    # disable unused protocols
    ipx-spx: 0
    dlc-llc: 0
    ethertalk: 0
    # Set a password
    passwd: Security4Me3
    # Disable SNMP (use with caution: breaks SNMP management tools)
    snmp-config: 0
    # If SNMP must be enabled, comment out the snmp-config command and uncomment the following:
    # set-community-name: Security4Me3
    # get-community-name: notpublic
    # default-get-community: 0
    # parameter file
    parm-file: honp/pjlprotection

The TFTP configuration file points to a parameter file called pjlprotection. This file is sent to the printer on power-up. Here is sample content for the pjlprotection file (<ESC>, <CR> and <LF> stand for the escape, carriage-return and line-feed bytes):

    <ESC>%-12345X@PJL<CR><LF>
    @PJL COMMENT Set Password<CR><LF>
    @PJL COMMENT & Lock Control Panel<CR><LF>
    @PJL JOB PASSWORD = 7654<CR><LF>
    @PJL DEFAULT PASSWORD = 1776<CR><LF>
    @PJL DINQUIRE PASSWORD<CR><LF>
    @PJL DEFAULT CPLOCK = ON<CR><LF>
    @PJL DINQUIRE CPLOCK<CR><LF>
    @PJL EOJ<CR><LF>
    <ESC>%-12345X

Recommended Security Deployments: SET 2

For the HP Jetdirect products that are in SET 2, the security wizard is recommended for non-HP Web Jetadmin users. The security wizard can be accessed via the Networking tab, Settings in the left-hand navigation bar, and then the Wizard tab. A sample configuration is shown here. NOTE: be sure to use HTTPS when
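The sample file above is shown with <ESC>, <CR> and <LF> placeholders. As an added example (not code from the HP whitepaper), the following Python builds the pjlprotection file with the real control bytes and validates its framing before the file is placed on the TFTP server; the function names are this example's own, and the command list is a constructed copy of the whitepaper's sample.

```python
"""Build and sanity-check a Jetdirect 'pjlprotection' PJL parameter file.

Added example, not from the HP whitepaper. The PJL commands are the ones the
whitepaper's sample file lists; the helper names are this example's own.
"""
import re

ESC = b"\x1b"
UEL = ESC + b"%-12345X"   # Universal Exit Language: switches the printer into/out of PJL
CRLF = b"\r\n"

# Constructed sample: the command sequence from the whitepaper's pjlprotection file.
PJL_PROTECTION_COMMANDS = [
    "@PJL COMMENT Set Password",
    "@PJL COMMENT & Lock Control Panel",
    "@PJL JOB PASSWORD = 7654",       # password presented for this job
    "@PJL DEFAULT PASSWORD = 1776",   # new PJL password stored as a default
    "@PJL DINQUIRE PASSWORD",
    "@PJL DEFAULT CPLOCK = ON",       # lock the control panel
    "@PJL DINQUIRE CPLOCK",
    "@PJL EOJ",
]


def build_pjl_file(commands=PJL_PROTECTION_COMMANDS) -> bytes:
    """Frame the commands as <ESC>%-12345X@PJL<CR><LF> ... <ESC>%-12345X."""
    body = b"".join(cmd.encode("ascii") + CRLF for cmd in commands)
    return UEL + b"@PJL" + CRLF + body + UEL


_DEFAULT_RE = re.compile(r"^@PJL DEFAULT (\w+)\s*=\s*(\S+)$")
_JOB_PW_RE = re.compile(r"^@PJL JOB\b.*\bPASSWORD\s*=\s*(\d+)")
_DINQUIRE_RE = re.compile(r"^@PJL DINQUIRE (\w+)$")


def parse_pjl_file(data: bytes) -> dict:
    """Check the UEL/CRLF framing and collect what the file sets and inquires."""
    if not (data.startswith(UEL) and data.endswith(UEL)):
        raise ValueError("file must start and end with the UEL sequence")
    inner = data[len(UEL):-len(UEL)]
    if not inner.startswith(b"@PJL" + CRLF):
        raise ValueError("UEL must be followed directly by '@PJL<CR><LF>'")
    if not inner.endswith(CRLF):
        raise ValueError("every PJL line, including the last, needs <CR><LF>")
    result = {"job_password": None, "defaults": {}, "inquiries": [], "eoj": False}
    for raw in inner[:-len(CRLF)].split(CRLF)[1:]:   # skip the leading '@PJL'
        line = raw.decode("ascii")
        if not line.startswith("@PJL"):
            raise ValueError(f"not a PJL line: {line!r}")
        if m := _DEFAULT_RE.match(line):
            result["defaults"][m.group(1)] = m.group(2)
        elif m := _JOB_PW_RE.match(line):
            result["job_password"] = int(m.group(1))
        elif m := _DINQUIRE_RE.match(line):
            result["inquiries"].append(m.group(1))
        elif line == "@PJL EOJ":
            result["eoj"] = True
    return result


def locks_control_panel(data: bytes) -> bool:
    """True when the file both sets a PJL password and turns CPLOCK on."""
    parsed = parse_pjl_file(data)
    return parsed["defaults"].get("CPLOCK") == "ON" and "PASSWORD" in parsed["defaults"]


if __name__ == "__main__":
    blob = build_pjl_file()
    with open("pjlprotection", "wb") as fh:   # written to the current directory
        fh.write(blob)
    print(parse_pjl_file(blob))
```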
Table 5: Access Control

Because there are many print protocols supported over TCP, the next logical step is to disable all print protocols that the administrator doesn't use. How to disable these protocols can be found in the administrative guidelines for the appropriate product SET.

It is important to note that all TCP/IP traffic to any device (not just HP Jetdirect) that is not cryptographically protected is subject to IP address spoofing and Man-in-the-Middle (MITM) attacks. These attacks can target any TCP/IP traffic. Also, some cryptographic protections can be used but may not be deployed correctly. For instance, if you are relying on SSL/TLS to protect your data, the certificates used by SSL/TLS need to be properly signed by a trusted Certificate Authority. Otherwise SSL/TLS is subject to MITM attacks as well, because it depends on a robust PKI to successfully authenticate the server endpoint and, optionally, the client endpoint.

What about the user at work that is allowed to print but keeps changing the display or doing other mischief with the printer using TCP port 9100? Well, that really is no different than if they were printing personal items at work, running the printer out of consumables with large print jobs, etc. If they are trusted to establish a print connection, they are trusted to print. Some additional protections can be provided in the form of Color Access Controls using HP's Universal Print Driver (UP
[Screenshot: IPsec/Firewall Policy page. Enable IPsec/Firewall. IPsec/Firewall Rules: Match Criteria (Address Template, Services Template) and Action on Match; Default Rule: All IP Addresses, All Services. Add Rules, Delete Rules. "Warning: Changing IPsec/Firewall settings may result in temporary loss of connection."]

[Screenshot: Rule 1, Specify Address Template. "Specify the Address Template that will be applied to this rule. Predefined templates listed below contain common address choices. Select a predefined template or click New to define your own." Address Templates: All IP Addresses, All IPv4 Addresses, All IPv6 Addresses, All link-local IPv6, All non-link-local IPv6. "Note: Predefined templates will create multiple rules."]

Select All Jetdirect Management Services. Click Next. Select "Require traffic to be protected with an IPsec/Firewall Policy". Click Next.
[Screenshot: Create Address Template. Address Template Name: IPv6_Management_Subnet. Local Address: IP Address 192.168.0.23; Predefined Addresses: All IPv6 Addresses; IP Address Range; IP Address/Prefix (e.g. 192.168.1.1/24). Remote Address: IP Address; Predefined Addresses: All IPv4 Addresses; IP Address Range; IP Address/Prefix (e.g. 192.168.1.1/24): 2001:0DB8::/64.]

[Screenshot: Rule 1, Specify Address Template. "Specify the Address Template that will be applied to this rule. Predefined templates listed below contain common address choices. Select a predefined template or click New to define your own." Address Templates: All IP Addresses, All IPv4 Addresses, All IPv6 Addresses, All link-local IPv6, All non-link-local IPv6, IPv4_Management_Subnet, IPv6_Management_Subnet. "Note: Predefined templates will create multiple rules."]

[Callout, partly illegible: "We are concerned with management ... select the ..."]

[Screenshot: Rule 1, Specify Service Template. "Specify the Service Template that will be applied to this rule. Pre
[Screenshot warning, continued: "... the Jetdirect menu on the control panel of the printer will contain a reset option. For external print servers, the administrator may perform a cold reset of the device. See your printer manual for instructions on how to perform a cold reset. Warning: Changing IPsec/Firewall settings may result in temporary loss of connection."]

[Screenshot: Rule 3, Specify Address Template. "Specify the Address Template that will be applied to this rule. Predefined templates listed below contain common address choices. Select a predefined template or click New to define your own." Address Templates: All IPv4 Addresses, All IPv6 Addresses, All link-local IPv6, All non-link-local IPv6, IPv4_Management_Subnet, IPv6_Management_Subnet. "Note: Predefined templates will create multiple rules."]

Again, select All Jetdirect Management Services for the service template and then click Next. Select Drop. Click Next.
upon the default rule. Click Finish.

[Screenshot: rule summary with Default Rule: All IP Addresses, All Services. "To return to the beginning of the IPsec/Firewall Wizard and create an additional rule, click Create Another Rule. To apply all rules, click Finish. Warning: An invalid IPsec/Firewall configuration can result in the device being inaccessible over the network. To recover from this condition, physical access to the device is required. For internal print servers, the Jetdirect menu on the control panel of the printer will contain a reset option. For external print servers, the administrator may perform a cold reset of the device. See your printer manual for instructions on how to perform a cold reset. Warning: Changing IPsec/Firewall settings may result in temporary loss of connection."]

Select Yes to enable the IPsec policy. You can also choose to have a failsafe if you would like. Click OK.

[Screenshot: "The IPsec/Firewall Policy has not been enabled. Would you like to enable the policy now?" Yes / No.]

[Screenshot: "Would you like to enable the Failsafe Option? This option ensures HTTPS remains accessible even if it is blocked by the IPsec/Firewall policy. This allows the
After navigating to this page, press the Start Wizard button to begin the Security Configuration Wizard.

[Screenshot: Networking > Settings > Wizard tab (beside Restore Defaults). "Welcome to the HP Jetdirect Security Configuration Wizard. The HP Jetdirect Security Configuration Wizard allows you to configure security settings for HP Jetdirect print server management." Start Wizard. "Caution: If you use HP Web Jetadmin to manage your devices, we strongly recommend that you configure HP Jetdirect security settings using HP Web Jetadmin."]

Here we are going to choose Custom Security to show all the

[Screenshot: Security Level on Jetdirect. "Select the security level you want to implement." Basic Security: "Basic Security will require setting a password for configuration management. The device may be managed through standard management interfaces including the Web Server, Telnet and SNMP." Enhanced Security (Recommended): "Enhanced Security provides encrypted communications for device management and requires a password for configuration management. The device may be managed using the Web Server and SNMPv3. Telnet, RCFG, FTP Firmware Updates and SNMPv1/v2 will be disabled." Custom Security: "Custom
[Screenshot: Rule 1, Specify IPsec/Firewall Template. "Specify the IPsec/Firewall Template that will be applied to this rule. Click New to create an IPsec/Firewall template or select a previously defined template." IPsec/Firewall Templates.]

Name the IPsec template.

[Screenshot: Create IPsec Template. IPsec Template Name: PSK. Authentication Type: Internet Key Exchange Version 1 (IKEv1) / Manual Keys. Set IKE Defaults: High interoperability / Low security.]

Some Jetdirect models may require you to configure IKE parameters. However, this model has a quick set of IKE defaults that can be used. The one selected is for more emphasis on interoperability and less on security. Click Next.

For example purposes only, Pre-Shared Key authentication is used. HP does not recommend Pre-Shared Key.

[Screenshot: Identity Authentication. Identity Authentication Options: Pre-Shared Key; Certificates.]
able to plant the listening device in the conference room and instead pulling a fire alarm in the building, then recording the conversation of the individuals leaving the conference room. Properly deployed cryptographic protocols are a good defense against passive and active sniffing attacks. Networking infrastructure equipment can be configured to help hinder active attacks. Port access controls such as 802.1X help protect against unauthorized connections. In addition, many switch vendors offer various flavors of ARP protection and monitoring, since ARP poisoning is a fundamental step in MITM attacks. The defense against TCP/IP MITM attacks is the proper deployment of cryptographic protocols such as IPsec and SSL/TLS with a properly signed HP Jetdirect certificate. HP recommends the proper deployment of IPsec (SET 4) as a solution to this general vulnerability with the TCP/IP protocol suite.

HP Jetdirect Hacks: Printer/MFP Access

Up until now we have discussed HP Jetdirect security primarily. Some publicly available applications interface directly with the printer/MFP's PJL library over a print connection. These tools often claim to bypass HP Jetdirect security. However, as we've seen from our functional diagram, HP Jetdirect controls the networking stack, does not parse PJL, and cannot be configured to block PJL commands. However, printer/MFPs can be configured to provide a lot of security too. HP recommends following the NIST checklist as a guidelin
devices that belong to SET 2, 3 or 4 support SNMPv3.

HP Jetdirect Hacks: Firmware Upgrade

A nice overview of the various methods used by HP Jetdirect to upgrade firmware is described here: http://www.hp.com/go/webjetadmin_firmware. All HP Jetdirect firmware files follow the same basic format: a recovery partition and a main functionality partition. In case of an upgrade programming failure (due to a network outage, client lockup, printer powered down during the upgrade, etc.), HP Jetdirect will be able to recover, albeit with less functionality. This behavior allows an administrator to restart the upgrade process from the recovery partition and regain full functionality without having to contact HP support. There are three common ways of updating HP Jetdirect firmware:

• HP Download Manager / HP Web Jetadmin
• FTP
• Embedded Web Server

When using HP Download Manager or HP Web Jetadmin, the application issues an SNMP SET to the HP Jetdirect device. If the application has proper credentials, it can populate the firmware upgrade MIB table with TFTP server information. HP Jetdirect uses this information to start a TFTP client and pull down the download file. These applications use the well-known default SNMP community names. However, if an administrator has configured the SNMP SET community name, then the application must know it to successfully set the TFTP MIB objects for firmware upgrade. Customers can also utilize SNMPv3 for additional secur
[Screenshot: Rule 1, Specify Address Template. "Specify the Address Template that will be applied to this rule. Predefined templates listed below contain common address choices. Select a predefined template or click New to define your own." Address Templates: All IP Addresses, All IPv4 Addresses, All IPv6 Addresses, All link-local IPv6, All non-link-local IPv6, IPv4_Management_Subnet. "Note: Predefined templates will create multiple rules."]

[Callout, partly illegible: "... TCP/IP settings and disable IPv6 for increased security. You can also skip ... which use IPv6 in this configuration."]

Select the appropriate IPv6 addresses and name the address template. Now that we have the address templates, let's create a rule. Rules are processed in priority order from 1 to 10. Let's create an IPv4 rule first. Select the IPv4 address template you created, then click Next.
[Screenshot: Rule 1, Specify Address Template. "... rule. Predefined templates listed below contain common address choices. Select a predefined template or click New to define your own." Address Templates: All IPv4 Addresses, All IPv6 Addresses, All link-local IPv6, All non-link-local IPv6. "Note: Predefined templates will create multiple rules."]

We'll define the IPv4 address range first. Select All IPv4 Addresses for the Local Address, and then we specified the subnet for the Remote Address. We've also named this address template very clearly.

[Screenshot: Create Address Template. Address Template Name: IPv4_Management_Subnet. Local Address: IP Address 192.168.0.23; Predefined Addresses: All IPv4 Addresses; IP Address Range; IP Address/Prefix (e.g. 192.168.1.1/24). Remote Address: IP Address; Predefined Addresses: All IPv4 Addresses; IP Address Range; IP Address/Prefix 192.168.0.0/24 (e.g. 192.168.1.1/24).]

Now for IPv6: click New again. NOTE: If IPv6 is not used on your
the form of the least amount of security (option 1) to higher levels of security (options > 1).

Which hosts need to print? / Options:

Only computers on the same subnet as HP Jetdirect:
  Option 1 (SET 1, 2, 3, 4): Eliminate the default gateway (set to 0.0.0.0). This doesn't prevent HP Jetdirect from receiving packets from other subnets, but does prevent the responses from returning to those remote subnets. As a result, TCP connections cannot be formed.
  Option 2 (SET 1, 2, 3, 4): Set up an access control list with the IP address and mask for the local subnet.
  Option 3 (SET 3): Set up a rule to protect print traffic using the Firewall.
  Option 4 (SET 4): Set up a rule to protect print traffic using IPsec.

Ten or less individual computers on different subnets:
  Option 1 (SET 1, 2, 3, 4): Set up an access control list entry for each individual IP address with a mask of 255.255.255.255.
  Option 2 (SET 3): Set up a rule to protect print traffic using the Firewall.
  Option 3 (SET 4): Set up a rule to protect print traffic using IPsec.

All hosts in the company:
  Option 1 (SET 1, 2, 3, 4): Set up an access control list for the network ID assigned to your company. As an example, for HP's internal network there would be two entries: IP 15.0.0.0 mask 255.0.0.0 and IP 16.0.0.0 mask 255.0.0.0.
  Option 2 (SET 3): Set up a rule to protect print traffic using the Firewall.
  Option 3 (SET 4): Set up a rule to protect print traffic using IPsec.
to be another node and then forwards the IP packets to the next correct node, so it may end up at the final destination as if no interception had taken place. This MITM node also intercepts packets traveling in the opposite direction (from the destination back to the source) in the same manner. What this means is that the MITM node has a copy of all the data sent between that source and that destination. If the MITM node has a copy of a PDF file that was sent between an email client and email server, it can use Adobe Acrobat Reader to open it. If the MITM node has a copy of a text document that was sent between an FTP client and an FTP server, it can open it with a text editor. If the MITM node has a copy of a print job, it can open it by sending it to a printer. In some cases, as with PostScript or simple text, a print job can be opened using other applications without having to send it to a printer. While a valid vulnerability, it is nonetheless a general vulnerability of the TCP/IP protocol suite and is not a vulnerability specific to printing.

Passive sniffing attacks are where another node on the network can record conversations. These attacks are analogous to using a listening device hidden in a conference room to record a meeting conversation. Active attacks are also used to force network infrastructure equipment to behave in a manner that allows passive sniffing. This active/passive behavior is analogous to a person not being
[Screenshot: Rule 2, Specify Address Template (continued). Address Templates: ... All IPv6 Addresses, All link-local IPv6, All non-link-local IPv6, IPv4_Management_Subnet, IPv6_Management_Subnet. "Note: Predefined templates will create multiple rules."]

Select the All Jetdirect Management Services service template. Click Next. Select Allow Traffic. Click Next.

[Screenshot: Rule 2, Specify Service Template. "Specify the Service Template that will be applied to this rule. Predefined templates listed below contain common groups of services." Service Templates: All Services, All Jetdirect Print Services, All Jetdirect Management Services, All Printer/MFP Services, All Discovery Services.]

[Screenshot: Rule 2, Specify Action. "What action would you like to perform on the traffic that matches the criteria in the Address and Service Templates?" Allow traffic / Drop traffic.]

We have allowed management tra
D), which allow an administrator to control the amount of color being used by a user. In addition, HP's Web Jetadmin includes functionality called Report Generator, which facilitates reports on users and their printing behavior. This functionality is useful for auditing and understanding printer usage.

HP Jetdirect Hacks: Password and SNMP Community Names

HP Jetdirect password and SNMP Community Name behavior has definitely evolved over the years. An excellent resource for the history and current behavior is located here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00004828. In short, keep the firmware updated on your HP Jetdirect, use the latest client software from HP, and upgrade to the latest Web Jetadmin management software. After you have upgraded all software and firmware, change your passwords on these devices to something new. This process will help make your HP Jetdirect devices behave the same regarding their password handling. To better protect passwords from passive sniffing, consider using SSL/TLS. SET 2, 3 and 4 support automatic redirection to SSL/TLS and prevent HTTP from being used to access the EWS if the administrator so desires. However, when using SSL/TLS, be sure to update the HP Jetdirect certificate to a certificate issued by a trusted CA to properly avoid MITM attacks. Also consider migrating to SNMPv3. HP Web Jetadmin can be configured to use SNMPv3 automatically. HP Jetdirect
HP Jetdirect Security Guidelines

Table of Contents

[entry illegible in scan] ... 2
[entry illegible in scan] ... 3
How old is Your HP Jetdirect? ... 4
[entry illegible in scan] ... 5
HP Jetdirect Administrative Guidelines ... 6
HP Jetdirect Hacks: TCP Port 9100 ... 7
HP Jetdirect Hacks: Password and SNMP Community Names ... 9
HP Jetdirect Hacks: Firmware Upgrade ... 9
HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them ... 10
HP Jetdirect Hacks: Printer/MFP Access ... 10
Recommended Security Deployments: SET 1 ... 11
Recommended Security Deployments: SET 2 ... 12
Recommended Security Deployments: SET 3 ... 18
In order to properly recommend configurations for HP Jetdirect, four different administrative guidelines will need to be used. These administrative guidelines come from the four main HP Jetdirect product lines, referred to as SETs:

• SET 1: The 170x, 300x, 500x, 510x, 400n, 600n models. The administrative guideline for securing these devices is located here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999. As a reminder, these devices do not have cryptographic security capability.
• SET 2: The 610n, 615n, 620n, 625n, en3700 and Embedded Jetdirect J7949E models. SET 2 can use the administrative guideline referenced for SET 1 products, but a more updated administrative tool available via the EWS for securing these devices is located here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07576.
• SET 3: The 630n and Embedded Jetdirect J7982E, J7987E, J7991E and J7992E models. SET 3 can use the administrative guideline referenced for SET 2 products, but these models have additional security by means of a Firewall. The Firewall can allow or drop packets on the basis of IPv4/IPv6 addresses as well as service types.
• SET 4: The 635n model and the CM8000 Color MFP series (J7974E). These models have the most security capability in HP Jetdirect's product line.

With security configurations, one must be careful not to lock the front door and leave your windows open. In many cases, one must lock d
MPv1/v2 for legacy management tools. You may use both SNMPv3 and SNMPv1/v2 simultaneously; however, only SNMPv3 provides security through user authentication and data encryption. To use SNMPv3, an SNMPv3 account must be configured on the HP Jetdirect print server. The exclusive use of SNMPv3 is recommended. Caution: If you use HP Web Jetadmin to manage your devices, we strongly recommend that you configure HP Jetdirect security settings using HP Web Jetadmin. If you enable SNMPv3 here, any existing SNMPv3 accounts will be erased. Click Cancel to exit this wizard. [ ] Enable SNMPv1/v2 [x] Enable SNMPv3 (Recommended)"]

Provide SNMPv3 parameters.

[Screenshot: SNMPv3 Configuration. "You must specify an account to be used for SNMPv3 access. The User Name is the SNMPv3 account user name. The Authentication Key (16-byte hexadecimal) is used to authenticate the contents of the packet using the MD5 algorithm. The Privacy Key (16-byte hexadecimal) is used to encrypt the data portion of the SNMP packet using the DES algorithm. The Context Name refers to the view context in which this user can access SNMP objects." User Name: Admin. Authentication Key: (hexadecimal value in screenshot), Algorithm: MD5. Privacy Key: (hexadecimal value in screenshot), Algorithm: DES. Context Name: Jetdirect.]

Based upon the customer's environment, read-only SNMPv1/v2c access may need to be granted.
Security allows independent configuration of security features, allowing you to enable or disable specific settings for your environment."]

options that are available to a customer.

First and foremost, set a password.

[Screenshot: Administrator Account. "Use the fields below to set or change the Administrator Password. When set, the Administrator Password will be required before you can access and change configuration parameters. To disable the Administrator Password, leave the entries blank." User Name: Admin. Password, Confirm Password.]

Change the Encryption Strength to Medium and check the Encrypt All Web Communication checkbox. This checkbox forces HTTPS to be used for all web communication. Uncheck Enable Telnet and FTP Firmware Update, and Enable RCFG.

[Screenshot: Web Mgmt. "You can securely manage the network device using a Web browser and the HTTPS protocol. To authenticate the HP Jetdirect Web Server when HTTPS is used, you may configure a certificate or use the pre-installed self-signed X.509 Certificate. The encryption strength specifies what ciphers the Web server will use for secure communications. The Web Server can be configured to force all connections to use HTTPS only, which encrypts all Web communication (except IPP). Or it can be configure
Some tools such as the HP Standard Port Monitor use SNMPv1/v2c for status.

[Screenshot: SNMP Configuration. "You've chosen to disable SNMPv1/v2 for device management. Some tools such as the Microsoft Port Monitor rely on SNMPv1/v2 for device discovery and status. To allow the continued use of these tools you can enable read-only access for SNMPv1/v2 commands." [ ] Enable SNMPv1/v2 read-only access.]

Set up an Access Control List entry. This is another customer-environment-specific entry. In this example the subnet 192.168.1.0 is protected by the ACL. Uncheck "Allow Web Server (HTTP) access" to force HTTP checking to be done in the ACL.

[Screenshot: Access Control. "Access Control Lists (ACL) allow you to specify which IP addresses on your network are allowed access to the device. If the list is empty then any system is allowed access. Note: ACLs may prevent device access when Proxy Servers or Network Address Translators are used. By default the ACL does not check HTTP connections (i.e. Web Server or Internet Print Protocol). You can force the ACL to check HTTP connections by clearing the checkbox below." IP Address 192.168.1.0, Mask 255.255.255.0. [ ] Allow Web Server (HTTP) access.]

Disable unused print protocols and services.
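The ACL decision described in this step, and the three deployments in the "Which hosts need to print?" table, can be modelled so a proposed entry list is reviewed before it is applied to the device. This is an added example and not HP's code: it implements only the ACL semantics the whitepaper states (IP address plus mask per entry, an empty list allows everyone, HTTP connections bypass the ACL until "Allow Web Server (HTTP) access" is cleared); the class and function names, and the host addresses in TEN_HOSTS_ACL, are this example's own.

```python
"""Model HP Jetdirect Access Control List (ACL) decisions.

Added example, not HP's implementation. It reproduces only what the
whitepaper states about the ACL: each entry is an IP address and mask, an
empty list allows any system, and HTTP connections (Web Server, IPP) are
not checked unless "Allow Web Server (HTTP) access" is cleared.
"""
from ipaddress import IPv4Address

# Connection types the ACL skips while the HTTP checkbox is still set
# (Web Server over HTTP/HTTPS and Internet Printing Protocol).
HTTP_SERVICES = {"http", "https", "ipp"}


def _addr(s: str) -> int:
    """Dotted-quad string to a 32-bit integer (raises on malformed input)."""
    return int(IPv4Address(s))


class JetdirectAcl:
    def __init__(self, entries, allow_web_server_http=True):
        # entries: iterable of (ip, mask) strings exactly as typed into the EWS table
        self.entries = [(_addr(ip), _addr(mask)) for ip, mask in entries]
        self.allow_web_server_http = allow_web_server_http

    def host_listed(self, client_ip: str) -> bool:
        """Address/mask match as the device applies it to non-HTTP traffic."""
        if not self.entries:
            return True  # "If the list is empty then any system is allowed access"
        c = _addr(client_ip)
        return any((c & mask) == (ip & mask) for ip, mask in self.entries)

    def permits(self, client_ip: str, service: str) -> bool:
        """Decision for one connection ('9100', 'lpd', 'snmp', 'telnet', 'http', 'ipp', ...)."""
        if service in HTTP_SERVICES and self.allow_web_server_http:
            return True  # ACL bypassed for HTTP until the checkbox is cleared
        return self.host_listed(client_ip)


# The three deployments from the "Which hosts need to print?" table, as constructed inputs.
# Same subnet as the print server, with HTTP checking forced on (checkbox cleared):
SAME_SUBNET_ACL = JetdirectAcl([("192.168.1.0", "255.255.255.0")],
                               allow_web_server_http=False)
# A handful of individual hosts on other subnets, one /32 entry each
# (the host addresses are constructed, not from the whitepaper):
TEN_HOSTS_ACL = JetdirectAcl([(ip, "255.255.255.255")
                              for ip in ("10.1.2.3", "10.5.6.7", "172.16.9.1")])
# Whole company: the two network IDs the whitepaper gives for HP's internal network.
COMPANY_ACL = JetdirectAcl([("15.0.0.0", "255.0.0.0"), ("16.0.0.0", "255.0.0.0")])


def review(acl: JetdirectAcl, probes):
    """Map (client, service) -> decision so a proposed list can be checked before Apply."""
    return {(c, s): acl.permits(c, s) for c, s in probes}


if __name__ == "__main__":
    for client, service in (("192.168.1.77", "9100"), ("192.168.2.5", "9100"),
                            ("192.168.2.5", "http")):
        print(client, service, SAME_SUBNET_ACL.permits(client, service))
```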
Recommended Security Deployments: SET 4 ... 28
Further Reading ... 33

Introduction

The availability of public information on the Internet for hacking HP Jetdirect products has prompted customers to ask HP how they can protect their printing and imaging devices against such attacks and what HP is doing about preventing those attacks. In all fairness, some of this public information is of rather poor quality and inflammatory; however, some websites detailing the attacks and the vulnerabilities on HP Jetdirect are informative and raise valid concerns that need to be addressed. It is the purpose of this whitepaper to address customer concerns about these attacks and vulnerabilities and to recommend proper security configurations to help customers protect their printing and imaging devices. This whitepaper is only a small part of a broad initiative within HP to educate our customer base about printing and imaging security. Resources such as The Secure Printing website (http://www.hp.com/go/secureprinting) provide a great deal of information for customers about products and solutions, as well as configuration recommendations. In general, a lot of this information can be put to use on existing HP Jetdirect products, mainly because HP Jetdirect was one of the first print servers to widely implement se
administrator to test the policy without inadvertently locking themselves out of the device. It is recommended that the Failsafe Option be disabled once the policy has been successfully tested.

[Screenshot warning: "Changing IPsec/Firewall settings may result in temporary loss of connection."]

Further Reading

802.1X: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00731218/c00731218.pdf
IPsec: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c01048192/c01048192.pdf
IPv6: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00840100/c00840100.pdf
Using the networking infrastructure to better protect your printing and imaging devices: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00707837/c00707837.pdf
25. curity protocols such as SSL TLS SNMPv3 802 1X and IPsec If you are new to security and secure configurations it is important to remember that security is a process Today s security configurations and protocols that are thought to be unbreakable for the next few years may in fact be broken later today At one extreme the best security available for imaging and printing devices is to never unpack them once you buy them At the other extreme the worst security available is unboxing them powering them up getting a contiguration page to find the IP address adding them to your desktop computer system or printer spooler and then forgetting about them Does that last part sound like your printing and imaging security strategy One of the challenges HP Jetdirect has in terms of security is actually the result of being plug n play and reliable As we will find out plug n play and security often do not belong in the same sentence Hundreds of thousands and perhaps a few million HP Jetdirect products have been in use for years and have never had their firmware updated or their configuration changed In today s increasingly security focused environment we know that this is not a sound practice for maintaining the proper operation of an infrastructure regardless of the type of device in question HP Jetdirect Overview Years ago the world networked printers by connecting them via parallel ports or serial ports to compute
26. d to allow both HTTP unencrypted or HTTPS connections In secure environments you should choose to encrypt all Web communications Otherwise sensitive management data Administrator Password SNMP Community Names and secret keys may be compromised Configure a new certificate Medium RC4 128 bit or 3DES 168 bit Encrypt All Web Communication not including IPP Encryption Strength e Local intranet Management Tools C Enable Telnet Telnet provides device management using the Telnet protocol FTP Firmware and FTP Firmware Update allows the device firmware to be updated using the FTP protocol Update F Telnet and FTP do not provide security or privacy for the Administrator Password The password may be intercepted from the network Disabling Telnet and FTP Firmware Update is recommended RCFG is a remote configuration protocol for IPX networks RCFG may be required by older network management tools to configure Novell Net Vare parameters Disabling RCFG will not affect the use of IPX SPX Direct Mode peer to peer printing C Enable RCFG Disabling RCFG is recommended amp amp Local intranet 14 Uncheck Enable SNMPv1 v2 and check F bl E SNMP allows you to manage your network device using SNMP management tools such as HP napie Priva a P z Web Jetadmin and HP Openview SNMPv3 SNMP Configuration HP Jetdirect print servers support SNMPvy3 for secure management tools as well as SN
27. defined templates listed below contain u Select Language common groups of services template All ae i Security Service Templates J etd irect Settings All Services M ana g ement Authorization All Jetdirect Print Services All Jetdirect Management Services n Services Mgmt Protocols All Printer MFP Services 802 1 Authentication All Discovery Services u n m Click Next Firewall Diagnostics Network Statistics Protocol Info Configuration Page EON M ee Select Allow Traffic Click D etworking j N ext Configuration eno Firewall Policy Support M ings Network Settings Other Settings Privacy Settings Rule 1 Specify Action What action would you like to perform on the traffic that matches the criteria in the Address and Service Select Lanquage Templates Security Settings Authorization Mgmt Protocols 602 1 Authentication Allow traffic c Drop traffic Diagnostics Network Statistics Configuration Page 22 Select Create another rule DY networking Configuration TCPAP Settings Network Settings Other Settings Privacy Settings Select Lanquage Security Settings Authorization Mart Protocols 802 1 Authentication Diagnostics Network Statistics Protocol Info Configuration Page Select the IPv address template you Co ttetworking created and Corfiguretien then click TCPAP Settings u N ad n Network Settings Other Setti
28. dministrator Password Set Jetdirect Certificate Installed CA Certificate Not Installed Access Control Enabled Web Interface Encrypt All Web Communication Enabled Encryption Strength Medium RC4 128 bit or 3DES 168 bit SNMP SNMPv3 Enabled Other Links SNMPv1 v2 Read Only Access Enabled Help SNMPv1 v2 Get Community Name Not Set Defaults to public Support HP Home 802 1x Authentication 8 a Local intranet Configuration review Click moe A OVLA IA MUUIGHULAUVII ugent h AD Eaa Authentication Type Open System Disabled Finish to set PPE ttina EAP User Name NPIE8014E the ther Setting EAP Password Not Set Server ID Not Set configuration Other Protocols IPX SPX Disabled AppleTalk Disabled DLC LLC Disabled 9100 Printing Enabled LPD Printing Disabled IPP Printing Disabled FTP Printing Disabled SLP Config Enabled mDNS Enabled Multicast IPv4 Enabled RCFG Disabled Other Links Enable Telnet and FTP Firmware Update Disabled Help S _ oa M 3090 0 0OoONoN D __ _ O ee HE Home t Local intranet Recommended Security Deployments SET 3 First and foremost SET 3 configuration needs to have the Security Wizard for SET 2 executed Once the Security Wizard configuration has been completed then we can begin the Firewall configuration A sample Firewall configuration is shown where the management protoc
29. e Hetworking Firewall Policy Exam a Rule 3 Specify Service Template Specify the Service Template that will be applied to this rule Predefined templates listed below contain common groups of services Service Templates All Services All Jetdirect Print Services All Jetdirect Management Services All Printer MFP Services All Discovery Services EO oe Firewall Policy Ex Rule 3 Specify Action VY hat action would you like to perform on the traffic that matches the criteria in the Address and Service Templates C Allow traffic 26 We can now see our policy Rules are processed from 1 to 10 Ifa packet comes from or is going to our defined IPv4 IPv subnet the rule Hetworking Configuration TCPAP Settings Network Settings Other Settings Privacy Settings Select Lanquage Security Settings Authorization Mgmt Protocols 602 1 Authentication Firewall Firewall Policy Rule Summary Firewall Rules Match Criteria IPy4_Management_Subnet IP 6_Management_Subnet AILIP Addresses IPv4 AIIP Addresses IPV6 Rue Address Template Services Template Action All Jetdirect Management Services All Jetdirect Management Services All Jetdirect Management Services All Jetdirect Management Services Action on Match Allow traffic Allow traffic Drop traffic Drop traffic Diagnostics Network Statistics will match and it will be allowed Otherwise if it is a P
30. e the Failsafe Option This option ensures HTTPS remains accessible even if it is blocked by the Firewall policy This allows the administrator to test the policy without inadvertently locking themselves out of the device It is recommended that the Failsafe Option be disabled once the policy has been successfully tested Firewall Diagnostics Warning Changing IPsec Firewall settings may result in temporary loss of connection Network Statistics a Protocol Info Configuration Page 27 Recommended Security Deployments SET 4 First and foremost SET 4 configuration needs to have the Security Wizard for SET 2 executed Once the Security Wizard configuration has been completed then we can begin the IPsec configuration Let s go through the same process as we did with SET 3 only this time we ll simply say that all IP addresses must use IPsec to utilize a management protocol If an end station tries to communicate with a management protocol to Jetdirect without using IPsec the packets are dropped by the IP layer Be sure that you are using HTTPS before navigating to this page Select Allow for the default rule and then click Add Rules Select All IP Addresses and click Next Hetworking Configuration T CPAP Settings Network Settings Other Settings P rivacy Settings Security Settings Authorization Mart Protocols 802 1 Authentication t Ir IPsec Firewall
31. e to all customers concerned about printer MFP security http www hp com united states business catalog nist_checklist html 10 Recommended Security Deployments SET 1 The HP Jetdirect products denoted by SET 1 do not have any cryptographic security capability As a result a BOOTP TFIP configuration is recommended as we can specify several control parameters via the TFTP configuration tile This configuration file allows for a great deal of power with very little administration overhead once configured Many customers associate BOOTP TFIP with UNIX or Linux environments however there are many free BOOTP and TFTP servers for Windows and setup is fairly easy An example UNIX configuration will be provided here picasso An ht ether vm rtc1048 ha 0001E6123456 Iip 192 168 40 39 sM 255 255 255 0 gw 192 168 40 1 Ig 192 168 40 3 1144 hpnp picasso cfg T151 BOOTP ONLY This configuration provides the following e Syslog server 192 168 40 3 e FTP configuration file picasso cfg under the subdirectory of hpnp of the TFTP daemon s home directory e Forces HP Jetdirect to remain with BOOTP and not transition to DHCP if a BOOTP server is unavailable An example of the contents of the TFTP configuration file picasso cfg Allow subnet 192 168 40 0 access allow 192 168 40 0 255 255 255 0 Disable Telnet telnet config O Disable the embedded Web server ews config 0
32. ffic from our IPv4 IPv6 administrative subnet Now we must create a rule to throw away all other management traffic Click Create another rule Here we select All IP addresses which encompasses both IPv4 and IPv6 Click Next Hetworking Configuration TCPAP Settings Network Settings Other Settings Privacy Settings Select Language Security Settings Authorization Mart Protocols 802 1 Authentication Diagnostics Network Statistics Protocol Info Configuration Page Hetworking Configuration TCPAP Settings Network Settings Other Settings Privacy Settings Select Lanquage Security Settings Authorization Mgmt Protocols 802 1 Authentication Diagnostics Network Statistics Protocol Info Configuration Page Firewall Policy Rule Summary Firewall Rules Match Criteria Address Template Services Template IPv4_Management_Subnet All Jetdirect Management Services IP 6_Management_Subnet All Jetdirect Management Services Allow traffic Allow traffic om nun On s amp h par o Default Rule All IP Addresses All Services To return to the beginning of the Firewall Wizard and create an additional Firewall rule click Create Another Rule To apply all rules click Finish Warning An invalid Firewall configuration can result in the device being inaccessible over the network To recover from this condition physical access to the device is required For internal print servers
33. ground information let s look at some of the reported vulnerabilities and attacks on HP Jetdirect HP Jetdirect Hacks TCP Port 9100 TCP port 9100 was one of the first ways developed for sending print data to a printer Some public references talk about a print protocol that exists on TCP port 9100 There isn t one Raw data delivered to the TCP layer on the HP Jetdirect device is sent to the printer as if it had been delivered over a parallel port serial port or any other port TCP port 9100 is the fastest and most efficient way of delivering data to a printer using the TCP IP protocol suite The most common hack for TCP Port 9100 is send a job to that port that has some PJL commands in it These PJL command can do a variety of things one of the most common ones being to change the control panel display Remember that HP Jetdirect is stripping off the TCP IP headers and presenting this data directly to the printer The printer is processing the PJL data as if the printer was directly connected to a PC Many years ago printer drivers would use the PJL command suite to control the printer in a variety of ways As we can see in the networking world there is a potential for misuse How does an Administrator prevent TCP Port 9100 from being misused Based upon what we ve learned about HP Jetdirect so far we know we have to control who can and who cannot establish a TCP connection to TCP Port 9100 Table 5 shows us some options presented in
34. ices is by no means a requirement but is highly recommended Should a customer choose to do so HP can provide some guidelines First if the HP Jetdirect device was introduced before the year 2000 HP recommends that it be upgraded to a newer model Some security features of the models that are available for customers to purchase as of August 2007 are shown in Table 2 HP Jetdirect Models HP Jetdirect Security Features J3258G 170x External Parallel Print server Non Cryptographic Security not upgradeable to newer firmware after purchase J6035G 175x External USB 1 1 Print Server Non Cryptographic Security not upgradeable to newer firmware after purchase upgradeable after purchase upgradeable after purchase 802 1X PEAP 802 1X PEAP J79A9E Embedded Jetdirect 10 100 not for sale Running V 33 14 or later firmware individually comes installed on the formatter for SSL TLS for Management SNMPv3 certain printers MFP devices 802 1X PEAP J7982E Embedded Jetdirect 10 100 not for sale Firewall SSL TLS for Management individually comes installed on the formatter for SNMPv3 802 1X PEAP 802 1X EAP TLS certain printers MFP devices SNMPv3 802 1X PEAP 802 1X EAP TLS IPsec Firewall SSL TLS for Management Print Server SNMPv3 802 1X PEAP 802 1X EAP TLS Table 2 HP Jetdirect Models In Table 3 Discontinued HP Jetdirect Models some popular HP Jetdirect devices that are no longer being sold by HP and their securit
35. ity and HP Web Jetadmin makes using SNMPv3 easy Also note that applications such as the HP Download Manager and HP Web Jetadmin are digitally signed by Hewlett Packard as proof of their source The ability to use FTP to upgrade the firmware of HP Jetdirect devices is described here http 7h20000 www2 hp com bizsupport TechSupport Document jsp objectID bpj07129 At the end of the document is a Security section detailing the security precautions available for FTP firmware upgrades Essentially if a password has been specitied it is required to be entered to utilize FTP 9 firmware upgrades if telnet has been disabled to avoid plain text transmission of the password FTP upgrades are also disabled The ability to use the EWS to upgrade HP Jetdirect devices is described here http h20000 www2 hp com bizsupport TechSupport Document jsp objectID bpj07572 How the EWS is protected determines how the HP Jetdirect firmware upgrade capability is protected For users of the EWS HP recommends setting the redirect from HTTP to HTTPS using a properly signed certiticate and of course specifying a good password HP Jetdirect Hacks Sniffing Print Jobs and Replaying Them Easily available network tools that can perform effective MITM attacks against the TCP IP protocol suite has caused of a lot of concern among customers Let s review what a MITM attack against the TCP IP protocol suite does A node intercepts IP packets from a node by pretending
36. nfrastructure components to convert encapsulated network data into data for printer consumption Thus the HP Jetdirect was born one of the first Networking Protocol offload engines Let s refer to Figure 1 Functional Diagram HTTP Proxy Server Chai VM Management Data Port Driver Port Driver Digital Sending EIO MIO EIO MIO Parallel USB Parallel USB etc etc Management Data Applications 9100 LPD IPR FTP PJL PCL PS Interpreter SNMP HP Jetdirect Printer MFP Figure 1 Functional Diagram In Figure 1 you can see the standard diagram of an offload engine This diagram is by no means comprehensive but does convey the difference between HP Jetdirect and Printer MFP platforms Why is this diagram important First and foremost we can understand what HP Jetdirect can do to help in the security of your printing infrastructure Secondly we can also understand what HP Jetdirect cannot do As an example some information on the Internet conveys that the PJL parser is implemented on HP Jetdirect Based upon this diagram we know that is false Upgrading your HP Jetdirect card to provide your printer more PJL parsing protection is not going to be a good investment Upgrading your HP Jetdirect card to control who can and who cannot interact with your printer is a good investment How old is Your HP Jetdirect Once in a while when doing an inventory of a network an administrator may discover s
37. ngs Privacy Settings Select Language Security Settings Authorization Mgmt Protocols 802 1 Authentication rewal Diagnostics Network Statistics Protocol Info Configuration Page Firewall Policy Rule Summary Firewall Rules Match Criteria Action on Match Rule Address Template Services Template IPv4_Management_Subnet All Jetdirect Management Services Allow traffic oon Don fF Wh peN mm Default Rule All IP Addresses All Services To return to the beginning of the Firewall Wizard and create an additional Firewall rule click Create Another Rule To apply all rules click Finish Warning An invalid Firewall configuration can result in the device being inaccessible over the network To recover from this condition physical access to the device is required For internal print servers the Jetdirect menu on the control panel of the printer will contain a reset option For external printer servers the administrator may perform a cold reset of the device See your printer manual for instructions on how to perform a cold reset Warning Changing IPsec Firewall settings may result in temporary loss of connection Firewall Policy EDs a Rule 2 Specify Address Template Specify the Address Template that will be applied to this rule Predefined templates listed below contain common address choices Select a predefined template or click Nevy to define your own Address Templates AIP Addresses All IPv4
38. ols are restricted to a specific IP subnet range 18 Be sure that you are using HTTPS before navigating to this page Select the drop down box for the Detault Rule to be Allow and then click Add Rules We have a specific administrator subnet defined for printing and imaging devices Click the New button so we can be very specific about what addresses can manage the device Configuration TCPAP Settings Network Settings Other Settings Hetworking Privacy Settings Select Lanquage Security Settings Authorization Mgmt Protocols 802 1 Authentication F rewall Diegnostics Network Statistics Protocol Info Configuration Page Hetworking Configuration TCPAP Settings Network Settings Other Settings Privacy Settings Select Lanquage Security Settings Authorization Mgmt Protocols 602 1 Authentication F rewall Diagnostics Network Statistics Protocol Info Configuration Page Firewall Policy Enable Firewall Firewall Rules mw E m im Oo Ea i ia fi a la i Default Rule Add Rules Firewall Policy All IP Addresses Match Criteria Address Template Services Template Action Delete Rules Warning Changing IPsec Firewall settings may result in temporary loss of connection Rule 1 Specify Address Template All Services Exam g Action on Match E EJ g Specify the Address Template that will be applied to this
39. ome network connected devices that rather old but are still working The same is true for printers and HP Jetdirect devices An easy way to get an inventory of your HP Jetdirect devices is to use the HP Download Manager available here http www hp com go dlm_sw This utility allows you to discover printers and their HP Jetdirect devices on the network For an in depth management platform try HP Web Jetadmin available here http www hp com go webjetadmin Keep in mind you don t have to update the firmware on your HP Jetdirect products if you don t want to HP does recommend it but for this particular section we simply want to tind HP Jetdirect devices and based upon their product number see how old they are Refer to Table 1 HP Jetdirect Aging Description Date Released Microsoft Windows 95 August 1995 _ _ S HP Jetdirect J2550B J2552B MIO Print Servers HP Jetdirect J31 10A J3111A EIO Print Servers HP Jetdirect J3263A 300X External Print Server HP Jetdirect J3113A 600n EIO Print Server Microsoft Windows 98 HP Jetdirect J3258A 170x External Print Server Microsoft Windows 2000 Professional HP Jetdirect J4169A 610n EIO Print Server Microsoft Windows XP HP Jetdirect J6057A 615n EIO Print Server April 2002 Microsoft Windows 2003 Server HP Jetdirect J7934A 620n EIO Print Server HP Jetdirect J7961A 635n EIO Print Server Table 1 HP Jetdirect Aging Table 1 is by no means complete Many Jetdirect cards we
40. own several things before securing one thing can be effective Before using the techniques presented here the administrator at the very least should do the following e Update all HP Jetdirect firmware to the highest level One of the easiest ways to perform this operation is to use the HP Download Manager available at http www hp com go dlm_sw Using Internet Mode the HP Download Manager will automatically indicate which devices need to be upgraded HP recommends always upgrading only a few devices and performing an evaluation of those devices on your network before upgrading all devices to the latest firmware e An Embedded Web Server EWS password has been specified e The default SNMPv1 v2c SET Community Name has been changed e All non active protocols have been disabled e g IPX SPX AppleTalk e Mark any product that cannot be firmware upgraded to the highest level as a security risk 6 e A guideline to popular HP Jetdirect devices and the firmware they should be running as of August of 2007 is shown in Table 4 HP Jetdirect Product Number Firmware Version JZ7942A J7942G en3700 External USB 2 0 Print V 28 22 Server J7934A J7934G 620n EIO 10 100 Print Server V 29 20 Server IPv6 IPsec Print Server Table 4 Jetdirect Firmware Versions NOTE For some Embedded Jetdirect products you ll need to upgrade the printer MFP firmware to update the JDI firmware Now that we covered enough back
41. re introduced before 1994 however some popular HP Jetdirect products are listed there and compared to some of the Microsoft Windows introduction dates It would be rare to tind a reputable security analyst willing to spend time discussing the security issues associated with Microsoft Windows for Workgroups 3 11 and Microsoft Windows 95 in today s environment When viewing public information about the security vulnerabilities of HP Jetdirect devices be sure to keep in mind how old the devices may be At the time of this writing August 2007 migrating to Microsoft Windows XP SP2 and Microsoft Windows 2003 SP2 is very important to get the most security protection for desktops and servers Microsoft provides many guidelines to the proper configurations of their products and many security consultants make a living by helping customers deploy these configurations Customers are willing to carry this expense because the security of their data is very important to them If your printing infrastructure is important to you should you not consider upgrading it and implementing recommended security contigurations as well As a point of comparison some companies place a lot of their faith in a printing infrastructure that they developed in the early 1990s How many of these customers would also be willing to run Microsoft Windows 95 on their desktops and Microsoft Windows Advanced Server 3 51 on their servers today Upgrading Upgrading your HP Jetdirect dev
42. rotocol Info Oo nN Dia UOUN Configuration Page pat Oo TS To return to the beginning of the Firewall Wizard and create an additional Firewall rule click Create Another Rule To apply all rules click Finish management service it will be dropped All other traffic will be allowed the detault rule Warning An invalid Firewall configuration can result in the device being inaccessible over the network To recover from this condition physical access to the device is required For internal print servers the Jetdirect menu on the control panel of the printer will contain a reset option For external printer servers the administrator may perform a cold reset of the device See your printer manual for instructions on how to perform a cold reset Warning Changing IPsec Firewall settings may result in temporary loss of connection is allow Click Finish Select Yes for Enable Policy HTTPS failsafe can be used when trying out configurations If this is your first firewall contiguration you may want to enable it and then disable it once it has been tested Click Ok Configuration TCPAP Settings Network Settings Other Settings Privacy Settings Hetworking The Firewall Policy has not been enabled Would you like to enable the policy now Select Lanquage ves C No Security Settings Authorization Mgmt Protocols 802 1 Authentication Would you like to enabl
43. rs called spoolers These spoolers then shared the printers via networking protocols such as LPD to clients on the network The length limits of serial and parallel based cables prohibited printers from moving too far trom the spoolers The incredible print quality of the HP LaserJet printers compared to other technologies at the time fueled an unprecedented growth in the printing industry The complexity and capability of printers increased and the need to connect to a spooler in order to share printers became a burden HP Jetdirect was designed to allow users to share printers on the network without the need of direct attachment to a spooler While migrating to networking printers the goal was to have the same ease of use as a directly connected printer HP Jetdirect would automatically initialize all protocols to the best of its ability in order to allow users to print to Jetdirect immediately Popular HP tools such as Jetadmin simplitied configuration of HP Jetdirect devices by taking advantage of proprietary protocols as well as well known default security settings At the time HP Jetdirect was introduced there was a variety of competition in the market place regarding protocol suites and networking infrastructure Protocol suites such as AppleTalk DLC LLC and IPX SPX were deployed widely and had as much market share as TCP IP In addition Token Ring FDDI LocalTalk ATM and other ways of transporting frames had been adopted or hyped almos
44. t as much as Ethernet During this growth period in network printing functionality within HP Jetdirect was designed to promote Ease of Use to reduce support calls and to provide a rich customer experience regardless of the protocol or networking infrastructure they were using In short HP Jetdirect was designed to be plug n play on the network and behave as if the printer was directly connected to your PC Fast forwarding to the present we have clear winners in intranet networking connectivity TCP IP and Ethernet An Ease of Use design criterion now has an arch nemesis Security Customers are starting to ask how to deploy printing and imaging devices securely rather than how to deploy them as fast and painlessly as possible What is an HP Jetdirect When printers were directly connected to network spoolers offen a simple hardware protocol was used to send data from the PC to the printer Centronics mode on a parallel port would be an example As customers demanded faster data transfer speeds and richer status these protocols became more complex as in IEEE 1284 4 In short a printer had direct connect ports e g serial parallel that implemented a hardware protocol and converted encapsulated data into just data for printer consumption As customers began to network their printers HP decided to embark on a strategy that still remains in use to this day Use a smart networking card to implement the various networking i
45. tocols 02 1 Authentication Diagnostics Network Statistics Protocol Info Configuration Page Configuration TCPAP Settings Network Settings Other Settings Privacy Settings Security Settings Authorization Mart Protocols 802 1 Authentication Diagnostics Network Statistics Protocol Info Configuration Page Psec Firewall Policy Rule 1 Specify Service Template Specify the Service Template that will be applied to this rule Predefined templates listed below contain common groups of services Service Templates All Services All Jetdirect Print Services All Jetdirect Management Services All Printer MFP Services All Discovery Services alaiz Warning Only the All Services template will protect applications added to the device after IPsec Firewall rules have been saved Otherwise a new rule must be created to protect that new network application with the IPsec Firevvall policy IPsec Firewall Policy Rule 1 Specify Action os Se Ex a What action would you like to perform on the traffic that matches the criteria in the Address and Service Templates Allow traffic to pass without IPsec Firewall protection Drop traffic Require traffic to be protected with an IPsec Firewall policy 29 es es fetworking Configuration Psec Firewall Policy ETJ i TCPAP Settings Network Settings Other Settings Privacy Settings Rule 1 Specify IPsec Firewall Template Specify the IPsec
46. uthentication 802 1 Authentication Jetdirect Certificate Certificates or IPsecFirewal Status Installed Kerberos is ae View Network Statistics od hi g h ly Protocol Info CA Certificate recommen d ed Configuration Page Status Installed Click Next view C Kerberos Status Not Configured EON M Select the IPsec template you EES Networking just created Configuration Click Next Teri Setina Network Settings Other Settings Privacy Settings Psec Firewall Policy Ez a Rule 1 Specify IPsec Firewall Template Specify the IPsec Firewall Template that will be applied to this rule Click New to create an Security IPsec Firevvall template or select a previously defined template Settings Authorization Marmt Protocols 802 1 Authentication m Desc EFireywsl IPsecFirewal IPsec Firewall Templates Diagnostics Network Statistics Protocol Info Configuration Page EN E 31 Here is our IPsec policy If a management protocol is to be used it must use IPsec All other traffic is allowed based Configuration TCPAP Settings Network Settings Other Settings Privacy Settings Security Settings Authorization IPsec Firewall Policy Rule Summary IPsec Firewall Rules Match Criteria Rue Address Template Services Template AIP Addresses IPv4 All Jetdirect Management Services PSK AIP Addresses IPv6 All Jetdirect Management Services PSK Mgmt Protocols 802
47. y capabilities are shown HP Jetdirect Security Features upgradeable after purchase upgradeable after purchase upgradeable after purchase upgradeable after purchase upgradeable after purchase Table 3 Discontinued HP Jetdirect Models 5 As you can see replacing a discontinued 400n MIO model with a new external parallel port print server like the 300X will not upgrade the security capabilities of the Jetdirect device Printers that have an MIO slot like the LaserJet IIlsi and LaserJet 4si have been discontinued for many years Printers and MFPs with an EIO slot are still being sold today The EIO slot was introduced on the HP LaserJet 4000 almost ten years ago One of the great features of having an EIO based printer is the ability to install a J7961G 635n IPv6 IPsec print server Using this product we can take an older printer like the HP LaserJet 4000 and give it the latest in networking protocol and security support This flexibility will come in handy as we evaluate the various attacks employed against HP Jetdirect and some ways to counteract those attacks For companies with a lot of EIO based printers proper deployment of the 635n can protect their printer MFP investment and increase the security of their printing and imaging intrastructure HP Jetdirect Administrative Guidelines In the material that follows this whitepaper will be addressing some public information available about vulnerabilities or attacks against HP Jetdirect
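The TCP Port 9100 section of this whitepaper explains that a job sent to port 9100 is handed to the printer unchanged, PJL commands included, so the only place an administrator can see what a captured job actually asked the printer to do is the byte stream itself. The following inspection routine is an added example and is not code from the whitepaper or from HP: it extracts the PJL commands from a captured job and separates ordinary job control from commands that change device state, such as the control-panel display the paper mentions. The command names come from the public PJL command set; the two sample jobs are constructed for the example.

```python
"""Inspect a raw TCP-9100 job for PJL commands (added example, defensive inspection)."""
import re

UEL = b"\x1b%-12345X"   # PJL Universal Exit Language sequence: PJL starts after it
PJL_LINE = re.compile(rb"@PJL[ \t]+([A-Z]+)([^\r\n]*)")

# Commands that change printer state rather than describe the job being sent.
# RDYMSG / OPMSG / STMSG write to the control-panel display (the case the paper
# calls out); DEFAULT, INITIALIZE and RESET change settings that outlive the job.
DEVICE_STATE = {"RDYMSG", "OPMSG", "STMSG", "DEFAULT", "INITIALIZE", "RESET"}
# Commands a print driver normally emits around a job.
JOB_CONTROL = {"JOB", "EOJ", "ENTER", "SET", "COMMENT", "INFO", "INQUIRE",
               "DINQUIRE", "ECHO", "USTATUS", "USTATUSOFF"}


def extract_pjl(job: bytes):
    """Return [(command, arguments)] for every @PJL line in the job.
    A job that does not start with UEL carries no PJL and yields []."""
    if not job.startswith(UEL):
        return []
    return [(m.group(1).decode("ascii"),
             m.group(2).decode("ascii", errors="replace").strip())
            for m in PJL_LINE.finditer(job)]


def classify(job: bytes) -> dict:
    """Bucket the job's PJL commands into job control, device state and unknown,
    so a gateway or analyst can flag jobs that touch device state."""
    report = {"job_control": [], "device_state": [], "unknown": []}
    for cmd, args in extract_pjl(job):
        bucket = ("device_state" if cmd in DEVICE_STATE
                  else "job_control" if cmd in JOB_CONTROL else "unknown")
        report[bucket].append((cmd, args))
    return report


# Constructed sample: the PJL wrapper a print driver puts around PCL page data.
DRIVER_JOB = (UEL + b'@PJL JOB NAME="report"\r\n' + b"@PJL SET COPIES=1\r\n"
              + b"@PJL ENTER LANGUAGE=PCL\r\n" + b"\x1bE...pcl data...\x1bE"
              + UEL + b"@PJL EOJ\r\n" + UEL)

# Constructed sample: a "job" with no page data that only rewrites the display,
# which a print driver never sends.
DISPLAY_JOB = UEL + b'@PJL RDYMSG DISPLAY="constructed sample"\r\n' + UEL


if __name__ == "__main__":
    for name, job in (("driver job", DRIVER_JOB), ("display job", DISPLAY_JOB)):
        print(name, classify(job))
```

Raw PCL or PostScript without the UEL prefix produces no PJL at all, so `classify` reports three empty buckets for it; only jobs with a non-empty `device_state` bucket need a second look.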
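For the SET 1 deployment described in this whitepaper, the TFTP configuration file is the only control an administrator has on a non-cryptographic Jetdirect. The following audit routine is an added example and not code from the whitepaper or from HP: it parses a picasso.cfg-style file, evaluates whether a given client address is covered by its allow: entries (no entries means every host is accepted), and flags the settings the paper says to turn off. The key names allow, telnet-config and ews-config are the ones the paper shows; treating a missing key as "enabled" (the device default) is an assumption, and WEAK_CFG is a constructed counterexample.

```python
"""Parse and audit an HP Jetdirect TFTP configuration file (added example, SET 1)."""
import ipaddress

# Hardened file as shown in the whitepaper (picasso.cfg).
HARDENED_CFG = """\
# Allow subnet 192.168.40.0
allow: 192.168.40.0 255.255.255.0
# Disable Telnet
telnet-config: 0
# Disable the embedded Web server
ews-config: 0
"""

# Constructed counterexample: nothing restricted, Telnet and EWS left on.
WEAK_CFG = """\
telnet-config: 1
ews-config: 1
"""


def parse_cfg(text: str) -> dict:
    """Return {key: [values]} from 'key: value' lines; '#' starts a comment.
    A key may repeat (several allow: lines), so every value is kept."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings.setdefault(key.strip().lower(), []).append(value.strip())
    return settings


def allowed_networks(settings: dict) -> list:
    """Turn 'allow: <ip> [<mask>]' entries into networks; no mask means a single host."""
    nets = []
    for entry in settings.get("allow", []):
        parts = entry.split()
        spec = parts[0] if len(parts) == 1 else f"{parts[0]}/{parts[1]}"
        nets.append(ipaddress.ip_network(spec, strict=False))
    return nets


def client_permitted(settings: dict, client_ip: str) -> bool:
    """With no allow: entries the device accepts connections from anywhere."""
    nets = allowed_networks(settings)
    if not nets:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def audit(settings: dict) -> list:
    """Findings against the paper's SET 1 recommendations; an empty list means clean.
    A missing key is treated as the device default, i.e. the service enabled (assumption)."""
    findings = []
    if settings.get("telnet-config", ["1"])[0] != "0":
        findings.append("Telnet enabled; set telnet-config: 0 (password crosses the network in clear text)")
    if settings.get("ews-config", ["1"])[0] != "0":
        findings.append("embedded Web server enabled; set ews-config: 0 (no HTTPS on a SET 1 device)")
    if "allow" not in settings:
        findings.append("no allow: entries; any host on the network may open connections")
    return findings


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_CFG), ("weak", WEAK_CFG)):
        cfg = parse_cfg(text)
        print(name, "findings:", audit(cfg))
        print(name, "client 192.168.41.7 permitted:", client_permitted(cfg, "192.168.41.7"))
```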
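The SET 3 and SET 4 sections of this whitepaper describe the Firewall and IPsec/Firewall policies as ordered rules: rules are processed from 1 to 10, the first rule whose address template and service template both match decides the packet, the default rule applies otherwise, and under SET 4 a management packet that arrives without IPsec is dropped. The following Python model is an added example and is not code from the whitepaper or from HP. It serves both sections. The port numbers behind the service templates and the two management subnets are assumptions, since the paper names the templates but does not list their contents.

```python
"""Model of the HP Jetdirect Firewall / IPsec-Firewall rule evaluation (added example).

First matching rule wins; otherwise the default rule applies. A "require IPsec"
rule passes only packets that arrived inside an IPsec association.
"""
import ipaddress
from dataclasses import dataclass

# Assumed port sets for the named service templates.
MANAGEMENT_PORTS = {23, 80, 161, 443}   # Telnet, HTTP, SNMP, HTTPS (assumption)
PRINT_PORTS = {9100, 515, 631}          # raw 9100, LPD, IPP        (assumption)

SERVICE_TEMPLATES = {
    "All Services": None,               # None matches every port
    "All Jetdirect Management Services": MANAGEMENT_PORTS,
    "All Jetdirect Print Services": PRINT_PORTS,
}

# Address templates; None matches every address. The two management subnets
# are constructed values, the paper's screenshots do not show the real ranges.
ADDRESS_TEMPLATES = {
    "All IP Addresses": None,
    "All IP Addresses (IPv4)": [ipaddress.ip_network("0.0.0.0/0")],
    "All IP Addresses (IPv6)": [ipaddress.ip_network("::/0")],
    "IPv4_Management_Subnet": [ipaddress.ip_network("192.168.40.0/24")],
    "IPv6_Management_Subnet": [ipaddress.ip_network("2001:db8:40::/64")],
}

ALLOW = "Allow traffic"
DROP = "Drop traffic"
REQUIRE_IPSEC = "Require traffic to be protected with an IPsec/Firewall policy"


@dataclass
class Rule:
    address_template: str
    service_template: str
    action: str


@dataclass
class Packet:
    peer: str            # the remote address the packet comes from or goes to
    port: int            # Jetdirect-side service port
    ipsec: bool = False  # True when the packet arrived inside an IPsec SA


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    nets = ADDRESS_TEMPLATES[rule.address_template]
    ports = SERVICE_TEMPLATES[rule.service_template]
    addr = ipaddress.ip_address(pkt.peer)
    # ipaddress never reports an IPv6 address inside an IPv4 network or vice versa,
    # so the (IPv4) and (IPv6) templates stay disjoint.
    addr_ok = nets is None or any(addr in net for net in nets)
    port_ok = ports is None or pkt.port in ports
    return addr_ok and port_ok


def evaluate(rules, default_action: str, pkt: Packet) -> str:
    """Return ALLOW or DROP for pkt: first matching rule wins, else the default rule."""
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule.action == REQUIRE_IPSEC:
                return ALLOW if pkt.ipsec else DROP   # unprotected packets are dropped
            return rule.action
    return default_action


# SET 3 policy from the paper: management only from the admin subnets, all other
# management traffic dropped, everything else (printing) allowed by the default rule.
SET3_RULES = [
    Rule("IPv4_Management_Subnet", "All Jetdirect Management Services", ALLOW),
    Rule("IPv6_Management_Subnet", "All Jetdirect Management Services", ALLOW),
    Rule("All IP Addresses (IPv4)", "All Jetdirect Management Services", DROP),
    Rule("All IP Addresses (IPv6)", "All Jetdirect Management Services", DROP),
]

# SET 4 policy from the paper: any address may manage the device, but only inside IPsec.
SET4_RULES = [
    Rule("All IP Addresses (IPv4)", "All Jetdirect Management Services", REQUIRE_IPSEC),
    Rule("All IP Addresses (IPv6)", "All Jetdirect Management Services", REQUIRE_IPSEC),
]

DEFAULT_RULE = ALLOW


if __name__ == "__main__":
    samples = (Packet("192.168.40.10", 443), Packet("10.1.2.3", 443),
               Packet("10.1.2.3", 443, ipsec=True), Packet("10.1.2.3", 9100))
    for pkt in samples:
        print("SET 3:", pkt, "->", evaluate(SET3_RULES, DEFAULT_RULE, pkt))
        print("SET 4:", pkt, "->", evaluate(SET4_RULES, DEFAULT_RULE, pkt))
```

Because evaluation stops at the first match, the order of the SET 3 rules is part of the policy: placing the two Drop rules ahead of the two Allow rules would drop the administrators' own management traffic, which is exactly the lock-out the Failsafe Option exists to let you recover from while testing.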