HP Jetdirect 610n HP Jetdirect Security Guidelines

HP Jetdirect 610n Manual

HP Jetdirect 610n manual content summary:

  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 1
    Secure Printing website (http://www.hp.com/go/secureprinting) provide a great deal of information for customers about products, solutions, as well as configuration recommendations. In general, a lot of this information can be put to use on existing HP Jetdirect products, mainly because HP Jetdirect
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 2
    unboxing them, powering them up, getting a configuration page to find the IP address, adding them to your desktop computer system or printer spooler, and then forgetting about them. Does that last part sound like your printing and imaging security strategy? One of the challenges HP Jetdirect has in
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 3
    embark on a strategy that still remains in use to this day: Use a smart networking card to implement the various networking infrastructure components to convert encapsulated network data into data for printer consumption. Thus, the HP Jetdirect was born - one of the first Networking Protocol offload
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 4
    MIO Print Servers Microsoft Windows 95 HP Jetdirect J2550B, J2552B MIO Print Servers HP Jetdirect J3110A, J3111A EIO Print Servers HP Jetdirect J3263A 300X External Print Server HP Jetdirect J3113A 600n EIO Print Server Microsoft Windows 98 HP Jetdirect J3258A 170x External Print Server Microsoft
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 5
    Parallel Print server J6035G 175x External USB 1.1 Print Server J3263G 300x External Print server J7983G 510X External 3-Port Print Server J7942G en3700 External USB 2.0 Print Server J7934G 620n EIO 10/100 Print Server J7949E Embedded Jetdirect 10/100 (not for sale individually, comes installed on
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 6
    to install a J7961G 635n IPv6/IPsec print server. Using this product, we can take an older printer like the HP LaserJet 4000 and give it the latest in networking protocol and security support. This flexibility will come in handy as we evaluate the various attacks employed against HP Jetdirect and
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 7
    server J3265A 500X External 3-Port Print Server J7983G 510X External 3-Port Print Server J7942A/J7942G en3700 External USB 2.0 Print Server J7934A/J7934G 620n EIO 10/100 Print Server J7960A/J7960G 625n EIO 10/100/1000 Print Server J7961A/J7961G 635n EIO 10/100/1000 IPv6/IPsec Print Server Firmware
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 8
    Which hosts need to print? Only computers on the same subnet as HP Jetdirect Ten or less individual computers on different subnets All hosts in the company. Options Option 1) For SET 1/2/3/4. Eliminate the default gateway (set to 0.0.0.0). This doesn't prevent HP Jetdirect from receiving packets
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 9
    can populate the firmware upgrade MIB table with TFTP server information. HP Jetdirect uses this information to start a TFTP client and pull down the download file. These applications use the well-known default SNMP community names. However, if an administrator has configured the SNMP SET community
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 10
    HP Jetdirect firmware upgrade capability is protected. For users of the EWS, HP recommends setting the redirect from HTTP to HTTPS, using a properly signed certificate, and of course specifying a good password. HP Jetdirect Hacks: Sniffing Print and email server, it can use Adobe Acrobat configured
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 11
    cfg under the subdirectory of "hpnp" of the TFTP daemon's home directory • Forces HP Jetdirect to remain with BOOTP and not transition to DHCP if a BOOTP server is unavailable. An example of the contents of the TFTP configuration file picasso.cfg: # Allow subnet 192.168.40.0 access allow: 192.168.40
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 12
    the HP Jetdirect products that are in SET 2, the security wizard is recommended for non HP Web Jetadmin users. The security wizard can be accessed via the Networking tab, "Settings" in the left-hand navigation bar, and then the "Wizard" tab. A sample configuration is shown here: NOTE: be sure to use
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 13
    First and foremost, set a password.
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 14
    Change the Encryption Strength to "Medium" and check the "Encrypt All Web Communication" checkbox. This checkbox forces HTTPS to be used for all web communication. Uncheck "Enable Telnet and FTP Firmware Update" and "Enable RCFG".
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 15
    Uncheck "Enable SNMPv1/v2" and check Enable "SNMPv3". Provide SNMPv3 parameters.
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 16
    Based upon the customer's environment, read-only SNMPv1/v2c access may need to be granted. Some tools such as the HP Standard Port Monitor use SNMPv1/v2c for status. Set up an Access Control List entry. This is another customer environment specific entry. In this example, the subnet 192.168.1.0 is
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 17
    and services. Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done. Special equipment is required. For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic. For now, this configuration step
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 18
    Deployments: SET 3 First and foremost, SET 3 configuration needs to have the Security Wizard for SET 2 executed. Once the Security Wizard configuration has been completed, then we can begin the Firewall configuration. A sample Firewall configuration is shown where the management protocols are
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 19
    you are using HTTPS before navigating to this page. Select the drop down box for the Default Rule to be "Allow" and then click "Add Rules..." We have a specific administrator subnet defined for printing and imaging devices. Click the "New" button so we can be very specific about what addresses can
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 20
    the 192.168.0/24 subnet for the Remote Address. We've also named this address template very clearly. Now for IPv6. Click "New" again. NOTE: If IPv6 is not used on your network, go to TCP/IP settings and disable IPv6 for increased security. You can also skip the steps which use IPv6 in this configuration.
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 21
    Select the appropriate IPv6 addresses and name the address template. Now that we have the address templates, let's create a rule. Rules are processed in priority order from 1 - 10. Let's create an IPv4 rule first. Select the IPv4 address template you created, then click "Next".
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 22
    We are concerned with management services, so select the service template "All Jetdirect Management Services". Click "Next". Select "Allow Traffic". Click "Next".
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 23
    Select "Create another rule". Select the IPv6 address template you created and then click "Next".
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 24
    Select the "All Jetdirect Management Services" service template. Click "Next". Select "Allow Traffic". Click "Next".
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 25
    We have allowed management traffic from our IPv4/IPv6 administrative subnet. Now we must create a rule to throw away all other management traffic. Click "Create another rule". Here we select "All IP addresses" which encompasses both IPv4 and IPv6. Click "Next".
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 26
    Again, select "All Jetdirect Management Services" for the service template and then click "Next". Select "Drop". Click "Next".
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 27
    Otherwise, if it is a management service, it will be dropped. All other traffic will be allowed (the default rule is allow). Click "Finish". Select "Yes" for Enable Policy. HTTPS failsafe can be used when trying out configurations. If this is your first firewall configuration, you may want to enable
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 28
    to communicate with a management protocol to Jetdirect without using IPsec, the packets are dropped by the IP layer. Be sure that you are using HTTPS before navigating to this page. Select "Allow" for the default rule and then click "Add Rules...". Select "All IP Addresses" and click "Next".
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 29
    Select "All Jetdirect Management Services". Click "Next". Select "Require traffic to be protected with an IPsec/Firewall Policy". Click "Next".
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 30
    Click "New". Name the IPsec Template. Some Jetdirect models may require you to configure IKE parameters. However, this model has a quick set of IKE defaults that can be used. The one selected is for more emphasis on Interoperability and less on Security. Click "Next".
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 31
    For example purposes only, Pre-Shared Key Authentication is used. HP does not recommend using Pre-Shared Key Authentication. Certificates or Kerberos are highly recommended. Click "Next". Select the IPsec template you just created. Click "Next".
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 32
    Here is our IPsec policy. If a management protocol is to be used, it must use IPsec. All other traffic is allowed based upon the default rule. Click "Finish". Select "Yes" to enable the IPsec policy. You can also choose to have a failsafe if you would like. Click "OK".
  • HP Jetdirect 610n | HP Jetdirect Security Guidelines - Page 33
    /c00731218.pdf IPsec: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c01048192/c01048192.pdf IPv6: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00840100/c00840100.pdf Using the networking infrastructure to better protect your printing and imaging devices: http://h20000.www2

HP Jetdirect Security Guidelines
whitepaper
Table of Contents:
Introduction, page 1
HP Jetdirect Overview, page 2
What is an HP Jetdirect?, page 3
How old is Your HP Jetdirect?, page 4
Upgrading, page 5
HP Jetdirect Administrative Guidelines, page 6
HP Jetdirect Hacks: TCP Port 9100, page 7
HP Jetdirect Hacks: Password and SNMP Community Names, page 9
HP Jetdirect Hacks: Firmware Upgrade, page 9
HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them, page 10
HP Jetdirect Hacks: Printer/MFP access, page 10
Recommended Security Deployments: SET 1, page 11
Recommended Security Deployments: SET 2, page 12
Recommended Security Deployments: SET 3, page 18
Recommended Security Deployments: SET 4, page 28
Further Reading, page 33
Introduction
The availability of public information on the Internet for hacking HP Jetdirect products has prompted customers to ask HP how they can protect their printing and imaging devices against such attacks and what HP is doing to prevent those attacks. In all fairness, some of this public information is of rather poor quality and inflammatory; however, some websites detailing the attacks and the vulnerabilities on HP Jetdirect are informative and raise valid concerns that need to be addressed.
It is the purpose of this whitepaper to address customer concerns about these attacks and vulnerabilities and to recommend proper security configurations to help customers protect their printing and imaging devices. This whitepaper is only a small part of a broad initiative within HP to educate our customer base about printing and imaging security. Resources such as the Secure Printing website (http://www.hp.com/go/secureprinting) provide a great deal of information for customers about products, solutions, as well as configuration recommendations. In general, a lot of this information can be put to use on existing HP Jetdirect products, mainly because HP Jetdirect was