HP 170X HP Jetdirect Security Guidelines - Page 8

Option 3 For SET 4. Setup a rule

Get HP 170X - JetDirect Print Server PDF manuals and user guides
UPC - 882780300699
View all HP 170X manuals
Add to My Manuals
Save this manual to your list of manuals

Page 8 highlights

Which hosts need to print? Only computers on the same subnet as HP Jetdirect Ten or less individual computers on different subnets All hosts in the company. Options Option 1) For SET 1/2/3/4. Eliminate the default gateway (set to 0.0.0.0). This doesn't prevent HP Jetdirect from receiving packets from other subnets, but does prevent the responses from returning to those remote subnets. As a result, TCP connections cannot be formed. Option 2) For SET 1/2/3/4. Setup an access control list with the IP address and mask for the local subnet. Option 3) For SET 3. Setup a rule to protect print traffic using the Firewall. Option 4) For SET 4. Setup a rule to protect print traffic using the IPsec. Option 1) For SET 1/2/3/4. Setup an access control list for each individual IP address with a mask of 255.255.255.255. Option 2) For SET 3. Setup a rule to protect print traffic using the Firewall Option 3) For SET 4. Setup a rule to protect print traffic using IPsec Option 1) For Set 1/2/3/4. Setup an access control list for the network ID assigned to your company. As an example, for HP's internal network, there would be two entries: IP - 15.0.0.0 mask - 255.0.0.0 and IP -16.0.0.0 mask - 255.0.0.0. Option 2) For SET 3. Setup a rule to protect print traffic using the Firewall Option 3) For SET 4. Setup a rule to protect print traffic using IPsec Table 5 - Access Control Because there are many print protocols supported over TCP, the next logical step is to disable all print protocols that the administrator doesn't use. How to disable these protocols can be found in the administrative guidelines for the appropriate product SET. It is important to note that all TCP/IP traffic to any device (not just HP Jetdirect) that is not cryptographically protected is subject to IP address spoofing and Man-in-the-Middle (MITM) attacks. These attacks can target any TCP/IP traffic. Also, some cryptographic protections can be used but may not be deployed correctly. For instance, if you are relying on SSL/TLS to protect your data, you need to have the certificates used by SSL/TLS to be properly signed by a trusted Certificate Authority. Otherwise, SSL/TLS is subject to MITM attacks as well because it depends on a robust PKI to successfully authenticate the server endpoint (and optionally the client endpoint). What about the user at work that is allowed to print but keeps changing the display or doing other mischief with the printer using TCP Port 9100? Well, that really is no different then if they were printing personal items at work, running the printer out of consumables with large print jobs, etc... If 8

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
8
Which hosts need to print?
Options
Only computers on the same subnet as HP
Jetdirect
Option 1) For SET 1/2/3/4. Eliminate the
default gateway (set to 0.0.0.0).
This
doesn’t prevent HP Jetdirect from
receiving packets from other subnets,
but does prevent the responses from
returning to those remote subnets.
As a
result, TCP connections cannot be
formed.
Option 2) For SET 1/2/3/4. Setup an
access control list with the IP address
and mask for the local subnet.
Option 3) For SET 3.
Setup a rule to
protect print traffic using the Firewall.
Option 4) For SET 4.
Setup a rule to
protect print traffic using the IPsec.
Ten or less individual computers on different
subnets
Option 1) For SET 1/2/3/4.
Setup an
access control list for each individual IP
address with a mask of
255.255.255.255.
Option 2) For SET 3. Setup a rule to
protect print traffic using the Firewall
Option 3) For SET 4. Setup a rule to
protect print traffic using IPsec
All hosts in the company.
Option 1) For Set 1/2/3/4. Setup an
access control list for the network ID
assigned to your company.
As an
example, for HP’s internal network,
there would be two entries: IP - 15.0.0.0
mask - 255.0.0.0 and IP -16.0.0.0 mask
- 255.0.0.0.
Option 2) For SET 3. Setup a rule to
protect print traffic using the Firewall
Option 3) For SET 4. Setup a rule to
protect print traffic using IPsec
Table 5 – Access Control
Because there are many print protocols supported over TCP, the next logical step is to disable all print
protocols that the administrator doesn’t use.
How to disable these protocols can be found in the
administrative guidelines for the appropriate product SET.
It is important to note that all TCP/IP traffic to any device (not just HP Jetdirect) that is not
cryptographically protected is subject to IP address spoofing and Man-in-the-Middle (MITM) attacks.
These attacks can target any TCP/IP traffic.
Also, some cryptographic protections can be used but
may not be deployed correctly.
For instance, if you are relying on SSL/TLS to protect your data, you
need to have the certificates used by SSL/TLS to be properly signed by a trusted Certificate Authority.
Otherwise, SSL/TLS is subject to MITM attacks as well because it depends on a robust PKI to
successfully authenticate the server endpoint (and optionally the client endpoint).
What about the user at work that is allowed to print but keeps changing the display or doing other
mischief with the printer using TCP Port 9100?
Well, that really is no different then if they were
printing personal items at work, running the printer out of consumables with large print jobs, etc…
If