HP 635n Practical IPsec Deployment for Printing and Imaging Devices
HP 635n - JetDirect IPv6/IPsec Print Server Manual
UPC - 882780301016
HP 635n manual content summary:
- HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 1
Basics: Receiving an IPsec Protected Packet 44 IPsec Guidelines for Printing and Imaging Devices 46 HP Jetdirect IPsec Configuration Wizard: Pre-Shared Key Authentication 51 Microsoft IPsec Configuration Wizard for Pre-Shared Key 68 Microsoft Vista/Server 2008: IPsec Configuration via Netsh 89 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 2
IKE Authentication: Kerberos ...136 HP Jetdirect IPsec Configuration Wizard: Kerberos Authentication 137 Microsoft Windows: Kerberos Authentication 152 HP Web Jetadmin 10.x IPsec Configuration Wizard 154 Summary ...172 Appendix A: IKE Templates...173 Appendix B: Troubleshooting Web Jetadmin and - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 3
him again tomorrow. The boss has been running into an authentication problem. He is unable to verify his role to those in control and Darren are still friends? How does this relate to IPsec? Well, in a proper deployment of IPsec, two computer systems are going to mutually authenticate each other - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 4
Figure 1 - Authentication Problem with HTTPS Let's assume card information. This credit card information support IPsec really shines because it can provide just that. Let's take a closer look at what some of the drivers for IPsec were and how this application transparency allowed Virtual Private Networks - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 5
IPsec and Virtual Private Networks Before the age of the Internet as we've come to know it, , this strategy often left the Corporate Router as a single point of failure for network communications - a problem with the Corporate Router would result in the Remote Offices being unable to communicate as - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 6
Lines Remote Office At substantial cost, the company is able to provide some form of networking redundancy which has some "security" for their data paths. In these models, although the possibility of a company's data being exposed. Let's fast forward to the Internet Age - Refer to Figure 4. - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 7
are attaching to the Internet via an Internet Service Provider or ISP. In this example, we problem when leased lines aren't an option any more? We need a way to provide private communication over a public network. In short, we need a Virtual Private Network to be formed over the Internet. Here, IPsec - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 8
". The Intranet Threat Model What do Virtual Private Networks have to do with printing and imaging? No company is placing their printers on the public Internet (if you thought spam was bad on fax machines....) so is there a point in talking about IPsec for printing & imaging? While it is true most - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 9
C Secure MFP Room Card Access Figure 6 information to a server where the data is slightly suspicious of everyone, you review the security camera logs and hadn't defined a security policy! IPsec is not a replacement for a didn't hack into the MFP over the network. Yet Jane still obtained them. You - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 10
network, such as the Domain Name System, Windows Internet Naming Service, Dynamic Host Configuration Protocol, Email, Web Servers, etc... These are not specific printing and imaging vulnerabilities but general TCP/IP protocol vulnerabilities and Ethernet phone line is installed directly to their - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 11
the teenager's friend and Nodes "B", "C", "D", and "E" being watchful parents and curious siblings. In short, everyone connected to the hub hears the Ethernet conversation between Node "A" and Node "F". When a house has multiple phone lines with a phone for each line, it is acting a little like - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 12
need to somehow put an Ethernet repeater on the network. Amazingly, she discovered that the workgroup switches were out in the open on the floor she worked on. They had a small cubical door with a lock on it, but Jane being the athletic type could easily jump it and install a hub after hours. After - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 13
: The Flood Well, you may have read the last section and said: "This isn't a problem for me because all of my network infrastructure equipment is locked away and safe. Since Jane cannot insert an Ethernet repeater, I'm quite safe from any passive sniffing". Not True! In this section, we are going - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 14
has to send out all ports. It is an address that makes the switch act like an Ethernet repeater. Another way in which the Ethernet switch will act like an Ethernet repeater is when it receives an Ethernet packet that is destined for a device which is not in its lookup table. In other words - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 15
it will have to flood out all ports. In other words, fill up the Switch MAC table and you can make it act like an Ethernet repeater! Refer to Figure 13 - Flood Open Figure 13 - Flood Open Jane uses a tool called Ettercap which can generate thousands of random and bogus MAC - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 16
operating systems: Telnet. Many network administrators value the ability to use network sniffing as a way of troubleshooting normal networking problems. The initial influx of Ethernet switches made it harder and harder to do network sniffing. As a result, Ethernet switches often include an option - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 17
obtain an IP address automatically using DHCP and the network administrator never knew! Using the user manual that Jane found on the web, she goes a problem for me because (1) all my Ethernet switches are under lock and key, (2) These switches do not flood open, and (3) their network management - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 18
Figure 16 - Models ("Russian Dolls" model: Ethernet Header [IP Header [TCP/UDP Header [Actual Data]]] Ethernet Trailer; each layer's data carries the next layer's header and data). Figure 16 shows three different ways of visualizing how networking protocols relate to one another. The first model is called - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 19
. This process will be continued until all the cargo is delivered to the museum. Figure 17 - Cargo In our analogy, the truck/driver represents the Ethernet frame. The cargo represents the IP packet. The IP packet contains the original source (warehouse) address and final destination (museum) address - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 20
are kept in what is called a cache. This cache maps IP addresses to Ethernet Addresses. When data is being sent from one node to another, the networking driver will add the Ethernet Address to the Ethernet frame based upon this cached information. Refer to Figure 19 - Ping Communication. 20 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 21
Will the Device with IP Address B tell me what their Ethernet Address is? Device-2 Cache (IP:MAC) A:[empty] IP Address: B Ethernet Address: 2 All Devices on the network receive this packet Device-2 "Device-1 is asking for my Ethernet Address. I better respond. They may have something important to - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 22
Device-1 and Device-2. Once the cache has been modified, Device-1 sends packets to Device-3's Ethernet Address when the destination IP address is actually for Device-2. Device-2 sends packets to Device-3's Ethernet address when the destination IP address is actually for Device-1. It should be clear - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 23
service on a TCP/IP network is subject to these attacks. What can we do to stop these attacks? One way is to deploy IPsec. What exactly is IPsec? Well, IPsec look at Figure 21 - Printing without an IPsec Policy. In this figure, we see a normal print job being sent to the printer. We also know that - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 24
point to note in the figure is that the IP packet that received IPsec protection has its content encrypted. This encryption provides confidentiality and is shown by the yellow color and the brackets around TCP and Print Data. Should this IP packet be captured by Wireshark, the contents in yellow - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 25
of the packet, unlike the Ethernet addresses (NOTE: This whitepaper does not discuss IPsec Network Address Translation (NAT) or NAT Basic IPsec Policy. Rule # 1 From IP My IP 2 My IP 3 DEFAULT My IP ANY To IP Printer IP Protocol TCP From Port To Port Any 443 Printer IP TCP Printer IP - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 26
. There are some situations where this behavior is required. For instance, there may be a service such as WINS that has many different clients, some supporting IPsec and some that do not. A network administrator may decide it is easier to not protect this protocol to prevent issues with devices that - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 27
Authentication Code". It is a way of providing Authentication and Integrity to the IPsec packet. SHA-1 and AES-XCBC are algorithms that provide this protection. you need to transmit by compressing the data. HP printing and imaging products do not support any IP compression protocols as yet, so we - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 28
Policy is providing the information needed to determine which packets should be protected by IPsec, the format of the IPsec packet, and the algorithms that can be used to provide IPsec services. However, the IPsec policy doesn't have any secret keys and these algorithms need secret keys to work - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 29
Figure 24 - IKE (flowchart: Entry in the Security Association Database (SADB)? NO: call on IKE to populate the SADB; YES: use the Security Association Database; the protected packet is shown as Ethernet | IP | IPsec | [TCP] | [Print Data]). In Figure 24, we can see that if there are no entries in the SADB, then IKE is called upon to - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 30
begin building the two large cranes. Once the large cranes have been built, IKE Construction can now work on building the actual building for IPsec Policy Corporation. As the building is being built, the larger cranes begin to suffer wear and tear. The smaller crane disassembles the larger cranes - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 31
on in IKE Main Mode: Proposal/Acceptance, Establishing a shared secret, and Authentication. Let's look at Proposal/Acceptance: Note: The IPsec literature often makes a distinction between IKE and Internet Security Association Key Management Protocol or ISAKMP. Technically, the Proposal/Acceptance is - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 32
an SA Format recommendation. The Transform Payloads are the different algorithms for that SA. This format is best shown by an example. Let's use the IPsec Policy values in Table 2 for our IKE SA. Here is what the format would be: SA Payload Proposal 1 Transform 1 Confidentiality Algorithm: 3DES - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 33
of the proposals and their various transforms, it will respond back with an error NO PROPOSAL CHOSEN. Because IKE cannot establish an SA, no IPsec communication will take place in this scenario (like the builders/suppliers unable to establish a contract in our analogy). If the responder does like - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 34
Figure 26 - Publicly Exchanging a Secret Here the Blue PC puts a secret in a box and locks it with the blue lock, then drops the box in the "mail" so to speak and the Green PC receives it. The Green PC puts on a green lock and drops the box back in the mail. The Blue PC removes the blue lock and - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 35
systems know the pass-phrase without actually transmitting it over the network. To configure IKE Pre-Shared Key Authentication, you'll need a screen shot from Microsoft's IPsec Wizard. Figure 27 - Windows Authentication Method This next screen shot is from HP Jetdirect. Notice the pass phrases are - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 36
to cover. Here is our list: • An application decided to print data to a printer • The first packet sent to the printer is intercepted within the host's IP stack by IPsec without the application's knowledge • IPsec checks the IPsec policy and determines that the packet needs to be protected by - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 37
in the SADB. NOTE: IKE populates the SADB on both the initiator and responder. • IPsec uses these entries to provide IPsec protection to the packet and sends the packet out on the network • The printer receives the IPsec protected packet and checks the SADB for a matching entry based upon the IP - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 38
data than for receiving data. If you are ever debugging IPsec issues, knowing that IPsec has two SAs and not just one will become important. of Phase 1 and Phase 2, let's look at the HP Jetdirect advanced configuration screens to review all the configuration parameters. Refer to Figure 29 - IKE - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 39
Mode Here we see the Encapsulation Type - HP Jetdirect recommends Transport for the Intranet. The cryptographic parameters print data to a printer • The first packet sent to the printer is intercepted within the host's IP stack by IPsec without the application's knowledge • IPsec checks the IPsec - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 40
IPsec uses these entries to provide IPsec protection to the packet and sends the packet out on the network • The printer receives the IPsec information because the data has been processed through a driver and put into a format the printer can understand and process quickly. Do not mistake this - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 41
LPR, you can then send this data to a similar model printer later on and get the exact print out. Here is the command to use: LPR -S -P RAW Jane.bin Now let's look at the exact same print job, but this time protected with IPsec - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 42
Here we see the IKE Phase 1 main mode negotiation where the host is sending HP Jetdirect the list of transforms it wants to support. In Figure 34, HP Jetdirect accepts one. Figure 34 - IKE Phase 1: Accepted Now we begin the Diffie-Hellman key exchange in Figure 35. Figure 35 - IKE Phase 1: Diffie- - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 43
and the responder. This entire process will happen once every 8 hours (28800 seconds). Every 1 hour, you'll see an IKE Quick Mode negotiation because the IPsec SAs will have expired (3600 seconds by default on JD). In Figure 38, we can finally see the result of this communication - an ESP packet - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 44
in the SADB. NOTE: IKE populates the SADB on both the initiator and responder. • IPsec uses these entries to provide IPsec protection to the packet and sends the packet out on the network • The printer receives the IPsec protected packet and checks the SADB for a matching entry based upon the IP - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 45
Figure 39 - ESP Let's examine our transmitted IPsec protected packet closely as shown in Figure 37. How in the world is the receiver of this packet going to know what it is? Hmmm... - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 46
to deploy IPsec in an enterprise printing and imaging environment and meet these goals: • Provide proper protection to protocols as referenced by the company's security policy • Provide proper protection to these protocols without bringing down the network or creating an unavailable service for the - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 47
rather than using an intermediate Windows Print Server. • HP Jetdirect Printers and MFPs that support IPsec. Second most common platform in use as there are several desktops or laptops for every shared network printer or MFP. • Servers providing common network services - such as DHCP, DNS, WINS, etc - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 48
allow for proper operation of the network without too much exposure to security threats. This behavior is important to understand. If an administrator selects an IPsec policy where all IP addresses and all IP services are required to use IPsec, the HP Jetdirect device will still get DHCP configured - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 49
these challenges. Let's look at the other services and devices on the network as they may add further constraints to our HP Jetdirect IPsec policy. What about the desktops and laptops that print to HP Jetdirect devices using HP's Universal Printing Driver? What are some of the challenges there - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 50
via the HP Jetdirect IPsec policy what services that do not need IPsec protection. For those services that do require IPsec protection, if a machine attempts to use those services and doesn't have the correct IPsec policy and IKE authentication parameters, it cannot print, digitally send - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 51
: This policy assumes that there are only a few specialty servers on the network. These specialty servers have to keep track of all the IP addresses of the HP Jetdirect products, so the more specialty servers there are, the more difficult the IPsec policy is to manage on these devices. Examples Let - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 52
Here we are. We can see that Jetdirect supports ten rules and the default rule. Remember, we are going to deploy an IPsec policy that exempts certain services and then secures the rest. Let's click on the "Advanced" button first. Because we are going to exempt these protocols anyway, let's go ahead - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 53
Click "Apply". Back at the main screen. Here we can see that Jetdirect breaks each rule into 3 templates. The first two are for Matching and the last one is for Action. Let's go ahead and click "Add Rules..." 53 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 54
you want this rule to match?" We select "All IP Addresses" and click "Next". Here we answer the question: "For the IP addresses selected, which services do you want this rule to match?" Here we are going to create our own - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 55
636. LDAPS already uses SSL/TLS so it doesn't need IPsec to provide it protection. We choose "TCP", "Remote Service", and use a specific Remote Port of 636. Then click "Add" NOTE: Before adding custom services, be sure to check if the service is already present to save you some work. As an example - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 56
Now we define the same thing for UDP. Click "Add". Now let's click "OK". We are back at the Manage Services screen. We want to choose the services that are exempt from having IPsec required. Check "Bonjour" and scroll down. 56 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 57
Select "BOOTP/DHCP", then select "DHCPv6", then "DNS" for both UDP and TCP. Scroll down. Select "HTTPS", "ICMPv4", "ICMPv6". Scroll down. Select "IGMPv2" 57 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 58
Select "NTP" for both UDP and TCP. Scroll down. Select SLP for UDP as a local service and remote service. Scroll Down. Select "WINS" and "WSDiscovery". Click "OK". 58 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 59
Now we have selected all the services that we would like to be exempt from having to require IPsec protection. Let's give this service template a name, "IPsec Exemptions" and then click "OK". Select "IPsec Exemptions", then click "Next". Select "Allow". Click "Next". 59 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 60
We have created two rules - one for IPv4 and one for IPv6. Select "Create Another Rule". Select "All IP addresses". Click "Next". 60 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 61
Select "All Services". Click Next. Select "Require IPsec". Click "Next". Now we need to specify an IPsec template. This answers the question: "for the IP addresses and their respective services that you want protected by IPsec, what is the IPsec configuration you would like to use?" Click "New". 61 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 62
Here we give the IPsec template a name and select IKEv1. We use the most interoperable IKE settings. For more security, you can customize the IKE settings or use a different default - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 63
Select the IPsec template "PSK". Click "Next". Now we have 4 Rules and a very clear IPsec policy about what traffic doesn't have to be protected by IPsec and what traffic is protected by IPsec. Click "Finish". 63 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 64
add more protocols to the "IPsec Exemptions" service template. In any case, it is clear to see via the Jetdirect configuration what traffic is protected via IPsec and which traffic IPsec protection is optional. Highly Secure Printing and Imaging Policy for HP Jetdirect Here is a different policy to - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 65
them for better security. We step through the wizard and select "All IP addresses", "All Services", and our PSK IPsec template. By using the HTTPS failsafe option, we have deployed a very secure IPsec policy that still allows us to access the EWS remotely in case there are any configuration issues - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 66
and Imaging Management Policy for HP Jetdirect Here is a different policy to utilize for HP Jetdirect. This policy values security for management services but not for printing services. This policy won't stop an attacker like Jane, but does allow for easier IPsec policy deployment by only focusing - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 67
This indicates that we are only interested in Management protocols. Here we can see that all Jetdirect management services are provided IPsec protection and anything else is allowed. Be sure to enable the failsafe option with this configuration! HTTPS is a management protocol that will be provided - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 68
deployment • (3) We want to protect our specialty servers, such as WJA with IPsec. Using the HP recommended printing and imaging configuration, we have accomplished (1): The Jetdirect recommended configuration - IPsec exemptions followed by IPsec protection of all services. Now we want to focus on - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 69
available on Microsoft XP/2003/Vista/2008. However, it only protects IPv4 and is limited in its choice of IPsec parameters. For Microsoft Vista and Server 2008, the netsh commands or the Advanced Firewall MMC snap-in should be used to provide IPv4/IPv6 protection as well as the ability to set more - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 70
Add a snap-in. Select IP Security Policy Management. 70 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 71
Computer" for test/lab setups. Once configurations have been tested, use the Active Directory to deploy IPsec policy. Refer to Microsoft Documentation on recommendations for IPsec policy distribution using Active Directory. Example: http://www.microsoft.com/ipsec Click "Add" then Click "OK". 71 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 72
Select "IP Security Policies on Local Computer". Select "Create IP Security Policy". 72 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 73
Click "Next" Provide a name and description. 73 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 74
Do not activate the default response rule. Click "Finish". 74 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 75
Click "Add..." Click "Next". 75 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 76
Select "This rule does not specify a tunnel". We are dealing with intranet printing and do not need to worry about tunnels. Select "All network connections". 76 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 77
Here we are going to create an IP Filter, which is a way of telling IPsec what traffic to be interested in. Click "Add..." Add name and description. Click "Add...". 77 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 78
Click "Next". Add a description and make sure "Mirrored" is checked. 78 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 79
Source is "My Address" or any IP address on the Client. Destination is "Any IP address". 79 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 80
We want to protect TCP. From any port to port 9100 (the Jetdirect Printing Port). 80 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 81
Click Finish. Click "Ok". 81 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 82
Select our IP filter. We have now told IPsec what traffic to be interested in. Click "Next". Click "Add...". 82 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 83
Click "Next". Add a name and description. Click "Next". 83 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 84
Select "Negotiate security". Select "Do not allow unsecured communication". 84 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 85
/2008 and this MMC snap-in, you MUST set the "Session key settings" to 3600 or higher due to an interoperability issue between Microsoft and HP Jetdirect. 85 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 86
Click "Next". Click "Finish" 86 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 87
Select our Filter Action. Now we have told IPsec what traffic we are interested in and what to do with that traffic. Click "Next". Select "Preshared key" and enter the EXACT SAME preshared key used by Jetdirect. Click "Next". - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 88
Click "Finish" Click "Ok" 88 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 89
what we have covered previously. It provides more updated encryption algorithm support such as AES as well as integrated IPv6 support. NOTE: For the best interoperability with HP Jetdirect and Vista, please use Vista with Service Pack 1 or later. Unfortunately, there is no way to specify protocols - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 90
Here all the details for the connection security rule "P9100" are shown. Unfortunately, rules that are created via the netsh command line will appear in the Advanced Firewall UI, but they cannot be managed there because they use attributes only available from the command line. Therefore, to enable - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 91
Firewall HP Recommend IPsec Policy to Protect Printing for Specialty Servers For the last IPsec policy deployment scenario, Jetdirect to Specialty Server (e.g., Digital Sending Server), we are going to use the Advanced Firewall so we can take advantage of seamless support of both IPv4 and IPv6. Here - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 92
Select "Windows Firewall with Advanced Security". Click "Add". Select "Local Computer". 92 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 93
Click "OK". Select "Connection Security Rules". 93 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 94
Click "New Rule..." Select "Server-to-server". Click "Next". - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 95
IP addresses" for Endpoint 2 and click "Add..." Specify the address of the Jetdirect device. Click "OK". NOTE: This endpoint needs to be an IPv4 address. An IPv6 address can only be used when Microsoft Vista is updated to Service Pack 1 or later. It is highly recommended that all the IP addresses on - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 96
Select "Require authentication for inbound and outbound connections". Click "next". Select "Preshared Key" and enter the same key as configured on Jetdirect. Click "Next". 96 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 97
Select all of the profiles. Click "Next". Give the rule a name and description. Click "Finish". 97 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 98
This rule is enabled by default. Click "Windows Firewall with Advanced Security" on the left, then click the link "Windows Firewall Properties" in the middle. 98 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 99
default)" is selected. Windows Server 2008 also allows ICMPv6 Neighbor Discovery packets at the default setting. Done! We have covered some basic IPsec policy deployments and actually stepped through the configuration process for both Jetdirect and Microsoft Windows. The only problem that we have is - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 100
Public Key Infrastructure and Public Key Certificate Basics Have you ever seen the warning dialog shown in Figure 44 when using https:// (e.g., going to any secure web site, such as a login or shopping cart) in a web browser? Figure 44 - Security Alert This dialog is entitled "Security Alert" and it - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 101
the message is trying to say is that "RootCA", who issued the certificate "635n", is not trusted. A useful analogy is to think of the certificate issuer Security Alert dialog is troubling because it is indicative of a trust problem. In the terms of our analogy, it would be like a driver, who has been - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 102
known as symmetric cryptography. Symmetric cryptography commonly has two attributes associated with it: • It performs well - it is fast and easy to implement • It has a key distribution problem - how do you get the symmetric key to everyone that needs it in a secure way? Asymmetric cryptography is - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 103
We get the flexibility of asymmetric cryptography and the speed of symmetric cryptography. Now we only have to solve the trust problem. In order to solve the trust problem, five things will need to be discussed: • A certificate authority - a trusted third party that creates digital certificates from - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 104
Jack's private key, which no one should know but Jack, John can be sure that Jack was the one that sent it. We still have a problem - How does John know that Jack's public key really belongs to the person that he knows as "Jack"? There are many people in the world - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 105
Jack Create Key Pair Jack's Public Key Jack's Private Key Identity Info + CA's Public Key Jack Jack's Private Key (Stays Private) Jack's Public Key Certificate Request Certificate Authority CA's Private Key (Also performs Identity Verification on Jack) Identity Info + CA Info + Jack's - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 106
trust will involve well-known certificate authorities like Verisign and Entrust. However, Intranet models usually revolve around Microsoft's certificate authority that comes with Windows 2003 server. Each company establishes their own 106 - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 107
as part of the SSL/TLS negotiation process. In other cases, like LDAPS, Jetdirect will send its Identity certificate for client authentication if required. We do not want to install a Jetdirect Identity certificate that works for IPsec but fails for SSL/TLS. In this whitepaper, we will cover how to - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 108
, the Microsoft Enterprise Edition CA overwrites some fields in Jetdirect's certificate request when it creates the certificate and Jetdirect will reject the certificate. There is a workaround for this problem as well as a fix. For firmware versions less than V.36.11 (e.g., V.31.08, etc...), the - HP 635n | Practical IPsec Deployment for Printing and Imaging Devices - Page 109
Provide the names you would like the certificate template to have. Select the "Allow private key to be exported" checkbox in the Request Handling tab.
Select the Application Policies extension in the Extensions tab. Click Edit. Click Add...
Select Client Authentication, then click OK. Click OK.
Click OK. Now that we have created a new certificate template, we need to enable it to be used by the Certification Authority. Select Certificate Templates under Certification Authority. Now right-click and select New and then "Certificate Template to Issue".
, a user can create a certificate for Jetdirect that works for all protocols. Now that this is in place, we can begin the "issuing a certificate to Jetdirect" process! Retrieving and Installing a CA Certificate In order to verify the certificate from an IPsec peer, HP Jetdirect will need to have the
From the main web interface, click "Download a CA certificate..." Select "Current [RootCA]", then DER (or Base 64 if you are using an older Jetdirect product), then click "Download CA certificate".
Click Save. Name the file "cacert.cer". Once we have the CA cert on the desktop, we can install it on Jetdirect. Let's bring up the Embedded Web Server and go to the Networking tab. Go to the Certificate Wizard.
CA Certificate" Point to the cacert.cer file and click Finish! Done! NOTE: this process will need to be done on every HP Jetdirect that will be utilizing IPsec with Certificate Authentication. We also want to install the CA certificate chain on every computer system that will be communicating with
CSR and Installing the Certificate We've installed the Root CA on every Jetdirect. Now we need to install the Identity Certificate on each Jetdirect. Each Jetdirect will have a unique certificate, and we need to create a certificate signing request. Starting with Jetdirect firmware version V.36
Click on the "Networking" tab and go to "Authorization" and then "Certificates". Click "Configure" under the Jetdirect Certificate section. Select "Create Certificate Request" and then click "Next". Enter the fields that describe the device. Click "Next".
Jetdirect generates the public/private key pair, which can take a little while. You can save the file, or you can simply copy the text starting and
Here we paste in our Certificate Request and select the HP Jetdirect certificate template. Then click "Submit". Now we have our certificate. Most Jetdirect cards support both DER and Base64, but all support Base64. Simply click "Download Certificate". Save the certificate.
file saved previously. Click "Finish". NOTE: starting with V.38.XX firmware and later, the private key can be protected from export when the certificate is first installed. We are done! Now we have the files that represent Jetdirect's identity certificate and the public key certificate of the CA we
of the "IPsec Exemptions" service template, as was done in the Pre-Shared Key screen shots. This process will allow us to skip some screen shots that are not relevant to certificate authentication. HP Jetdirect IPsec Configuration Wizard: Certificate Authentication The "IPsec Exemptions" rules
Select All Services. Click "Next". Select "Require traffic...." Click "Next". Click "New".
Here we have named the IPsec template "Certificates". Click "Next". Select Certificates as the authentication for IKE. NOTE: this process assumes that you have already installed the certificates as outlined in the previous section. Select the "Certificates" template. Click "Next".
certificate authentication on Jetdirect. Once we have the certificate files from the CA, it really isn't much harder than configuring IPsec for pre-shared where IKE authentication is specified. Windows XP/2003/Vista/2008: IPv4 IP Security Policies The Authentication Method for Certificates only has
Windows Vista/Server 2008: Advanced Firewall In the MMC snap-in "Windows Firewall with Advanced Security" - a very similar configuration. One possible problem that you may run across is that the Certificate Authority that was used for IPsec is not in the Certificate Store of the Windows machine. This
Select "Import..." Click "Next".
Specify the filename of the CA's public key certificate. Click "Next". Specify that the certificate should go into the "Trusted Root Certification Authorities" store. Click "Next".
for IPsec communication, IKE will fail. Using the same snap-in, we can jump up to the personal certificates. If you don't find a certificate to match, then you will need to use the Certificate Authority web interface to install a certificate for your machine in order to communicate with Jetdirect
leverage that PKI for IPsec. What if the environment the benefits of Kerberos. Since HP Jetdirect is not a member of Jetdirect device. The domain in which the Jetdirect user object exists is called the "Realm" in Kerberos terminology. Jetdirect supports Intra-Realm authentication but does not support
Jetdirect" in a realm called "EXAMPLE.INTERNAL" (which is the domain example.internal). Although the principal name is Vista, Kerberos authentication for IPsec to know the network address of the Authentication Service • The principal needs to know the current time - via a time server or the principal
sharp, but often lived in studio apartments, ate fast food, worked a lot of hours, and most all the members of the DSG to its Authentication Server where their membership in DSG was proven. Once the text fields of any of the "free" dating services that you currently are a member of. This process
Ticket (TGT). Vista uses this TGT in Step 2, this time communicating with the Ticket Granting Service (TGS) with a request (TGS-REQ) to get a service ticket for the application server. Vista includes an Authenticator with this message as well. The TGS-REP from the TGS includes the application
Figure 53 - AS-REQ Vista and the KDC both have the exact same key. Vista sends an AS-REQ that is basically saying "I want a TGT from the TGS." It is also saying "I'm proving to the KDC that I'm Vista because I'm going to encrypt a timestamp with my secret key that only I and the KDC know". If
Session key. Notice that it also exists in the TGT. Let's see how it is used - refer to Figure 55 - TGS-REQ. Figure 55 - TGS-REQ Here we can see that the Authenticator is used to communicate to the TGS in the TGS-REQ packet. The Authenticator is using the session key that was sent back in the AS-REP
an "opaque blob" to Vista as well. However, using the TGS/Vista session key, information about the application server ticket is also included so that Vista can communicate with the application server. Kerberos tries to use session keys and minimize the use of long-term keys (keys based upon the user
and Kerberos That is pretty straightforward. Let's move on to actually configuring Kerberos for use in a production environment. HP Jetdirect IPsec Configuration Wizard: Kerberos Authentication Because Jetdirect is not a member of the AD as a computer object, we have to jump through a few hoops to
Here is a Support Pack executable for Windows 2003. With the latest service packs, this file is often on the CD so you don't have to download it. Click "Next".
Deal with the license agreement. Enter your credentials.
to put it. All done - relatively painless! Once that has been loaded, we will need to create a user object (not a computer object) that will represent Jetdirect in the Active Directory. Where the object is located in the directory tree doesn't matter as long as it is in the same domain as
Launch Active Directory Users and Computers. Create a new user that will represent Jetdirect. We'll name it "finance" in this example.
Provide a password and change some of the options. Remember, this will be a Jetdirect device rather than an actual user. All done.
Still one more parameter to configure. Highlight the user, right-click, and select "Properties". Click the "Account" tab. Select "Use DES encryption" and then click "Apply".
Go to the EWS of the Jetdirect card and set up the hostname and domain name. In this example, we are going to use a hostname of "finance" and a domain name of "example.internal". Moving over to DNS, we set up the DNS records for the Jetdirect device. Here is the "A" record. And here is the PTR record
quite done jumping through hoops. Here we want to create a krb5.conf file that contains some information for Jetdirect. You can do this in Notepad if you wish. Here are the contents for a Jetdirect card that we will configure later. Now we want to run our ktpass tool to map an Active Directory
jumped through the necessary hoops to get Jetdirect represented in the AD as well as in the KDC. Now let's go ahead and configure a Jetdirect device for IPsec with Kerberos Authentication! Now we can begin the Jetdirect configuration of Kerberos and IPsec. Let's start after we have already created
Select "All IP Addresses". Click "Next". Select "All Services". Click "Next". Click "New".
Provide a template name and select an IKE defaults template. Click "Next". Select Kerberos and click "Configure..." Select "Import configuration files". Provide the krb5.conf and finance.keytab files. Click "Next".
If the files loaded correctly, then we will be back at the main page for Authentication. Click "View..." Click "Validate...". It is very important that the validation is successful at this point; otherwise IPsec will not work.
Click "Next". Select the Kerberos template we just created. Click "Next".
Kerberos configuration completed. There is another way you can configure Kerberos on Jetdirect. Let's go back a few screens to where we entered the files. Instead of selecting "Import configuration files", we can choose to manually specify the configuration information. You still need to run ktpass, but
important! Okay, those are the two manual methods for configuring Kerberos on Jetdirect. Once we've got that set up, IPv4 and is limited in its choice of IPsec parameters. For Microsoft Vista and Server 2008, the netsh commands or the Advanced Firewall MMC snap-in should be used to provide IPv4/IPv6
Windows Vista/Server 2008: Advanced Firewall In the MMC snap-in "Windows Firewall with Advanced Security", we would select the "Advanced" authentication method and then click "Customize" on the Server-to-Server configuration.
talked about manually configuring IPsec on Jetdirect using the Embedded Web Server. We can also batch configure IPsec from Web Jetadmin 10.X (hereafter, WJA10) with any HP Jetdirect IPsec device at V.36.11 and later. Yeah! Currently, only Kerberos and Pre-Shared Key are supported via WJA10. Since
for configuring IPsec. To learn more about WJA10, go to http://www.hp.com/go/webjetadmin. One thing we still need to do is set up our Jetdirect cards in DNS. The next three screenshots are repeats regarding the DNS setup. We have a Jetdirect card at 192.168.0.11 named finance.example.internal that we
available free for WJA10 and can be found using WJA10's application management features or via the http://www.hp.com/go/webjetadmin web site. In case we need to install the IPsec plugin: select "Application Management" on the bottom left, then "Available Packages" at the top left. Then click "Upload
Select the filename. Click "Next". Click "Done".
Now we see the IPsec package as an "Available Package". Now select "Install" to install it into WJA10. Use the appropriate administrative credentials for the WJA10 server. Click "Next".
Click "Next". Here are the results. Click "Close".
device and then click the "Config" tab at the bottom. NOTE: In the slides that follow, a full recommended deployment of IPsec for a Jetdirect device will be shown using WJA10. Expand the "Security" navigation link and then select "IPsec Policy". This screen looks familiar! Click "Advanced..."
Uncheck the Broadcast and Multicast bypass boxes. Click "OK". Back at the main screen, click the "Add Rules..." button.
Select "All IP Addresses". Click "Next". Select "New..."
Select "Manage Services..." Select the services that are recommended as "IPsec Exemptions". NOTE: There are more screen shots here, but we've deleted them since they simply show the other IPsec service exemptions that we've covered previously. We are going to skip right to the end of the
Here are all the services that we don't care whether they are provided IPsec protection or not. Click "OK". Select the service template "IPsec Exemptions".
Select "Allow". Click "Next". Click "Create Another Rule".
Select "All IP Addresses". Click "Next". Select "All Services". Click "Next".
Select "Require ...." Click "Next". Name our template "Kerberos" and then click "Next".
is no need to provide the principal names, as WJA10 will be creating the users for you. Of course, we need to provide the KDC server, and usually the FQDN is required to establish a connection to it. Click "OK".
Click "Next". Select "Kerberos" and click "Next".
Here is our summary. Click "Finish". Check "Enable IPsec" and check "Enable" by all of the rules we created. Then click "Apply..."
Select "Yes" for enable and "No" for failsafe. Click "OK". Click "Configure Devices". Done!
on the WJA10 server pretty quickly - otherwise, WJA10 won't be able to communicate with Jetdirect anymore! All done with WJA10 and IPsec configuration! Here is what WJA10 configured for a user object in AD for Jetdirect so you know what it looks like. In AD Users and Computers, for the OU Printers, we
Appendix A: IKE Templates When configuring the IPsec template, we just selected "High interoperability/low security" for the IKE defaults. What if we want to do something different with IKE? Well, here are
Here are the IKE settings for Med/Med. Here are the IKE settings for Low/High.
Here are the IKE settings for High/Adv. What if you don't like these defaults? You can go "Custom". Select "Specify Custom Profile", then click "Next".
Here we specify a preshared key, but any authentication parameter will do. Click "Next". Here are Jetdirect's IKE Phase 1 parameters. If you click on "Edit" for the DH groups... Here are the DH group settings for IKE Phase 1. You can select which DH groups can be used.
Here are the Quick Mode parameters. Here are the Advanced parameters. All done!
Appendix B: Troubleshooting Web Jetadmin and Kerberos WJA10 uses SSL to communicate with AD. If this isn't set up correctly, the WJA10 IPsec configuration may fail. Using a program included with the Support Tools called "LDP.EXE", we can test this out before using WJA10. Run LDP. Select "Connect..."
Enter the KDC FQDN. NOTE: if you enter the IP address, this step will probably fail, because the LDAPS server certificate most likely has the FQDN as its common name. Be sure to use the FQDN. Here is a sample screen
You should see "Authenticated" at the bottom. Do a simple search by selecting "Search" from the menu.
we can probably create users in that OU. That would be the next step using LDP. Appendix C: Importing a Certificate For versions of HP Jetdirect firmware that are earlier than V.36.XX, you will need to import a certificate rather than use the Certificate Signing Request. For the Microsoft Enterprise
Click "advanced certificate request".
Click "Create and submit a request to this CA".
Be sure to select the Certificate Template "HP Jetdirect" and to check the checkbox entitled "Mark keys as exportable". Click Yes.
Click "Install this certificate" to install it on your local computer. We will export it and then delete it from this computer later. Click Yes.
Done. At this point, we want to export the certificate so that it can be loaded with its private key into Jetdirect. We need to bring up MMC again and load the Certificates snap-in.
Go to the File menu and select Add/Remove Snap-In. Click "Add..."
Click "Certificates". Click "My user account".
Click "Local Computer". Select the folder "Certificates" under "Personal". Highlight the Jetdirect certificate issued. Right-click and select "Export..."
, the Enterprise CA modifies the certificate in a way that is not compatible with Jetdirect's CSR, and this resulted in Jetdirect refusing to accept the certificate during its installation. Jetdirect has since addressed this problem starting with version V.36.11. Using V.36.11 and later, certificates
Enterprise CAs using a Jetdirect CSR file are accepted. As this process is more secure and preferred, we will cover it later in the whitepaper. Type a password to protect the private key. Click "Next". Name the file "jdcert.pfx" and click "Next".
Click Finish. Click OK. To import the certificate into Jetdirect, click "Configure" under the heading "Jetdirect Certificate".
Select "Import certificate and private key". Click "Next". Browse to the file name of the Jetdirect certificate and supply the password that you used when exporting the certificate earlier. We are done!
Practical IPsec Deployment for Printing and Imaging Devices
June 2008
Table of Contents:
Introduction ..... 2
A Parable: Confidentiality, Authentication, and Integrity ..... 2
IPsec and Virtual Private Networks ..... 5
The Intranet Threat Model ..... 8
Too Easy: The Repeater ..... 10
Too Easy: The Flood ..... 13
Too Easy: The Mirror Port ..... 16
Too Easy: MITM Active Sniffing ..... 17
Too Easy: MITM Data Injection ..... 22
IPsec Basics ..... 23
IPsec Basics: IPsec Policy – Packet Matching ..... 25
IPsec Basics: IPsec Policy – Action-on-Match ..... 26
IPsec Basics: Internet Key Exchange and the SADB ..... 29
IKE Authentication: Pre-shared Key ..... 35
IKE Phase 2/Quick Mode ..... 36
IKE in Action ..... 39
IPsec Basics: Receiving an IPsec Protected Packet ..... 44
IPsec Guidelines for Printing and Imaging Devices ..... 46
HP Jetdirect IPsec Configuration Wizard: Pre-Shared Key Authentication ..... 51
Microsoft IPsec Configuration Wizard for Pre-Shared Key ..... 68
Microsoft Vista/Server 2008: IPsec Configuration via Netsh ..... 89
Microsoft Vista/Server 2008: IPsec Configuration via Advanced Firewall ..... 91
Public Key Infrastructure and Public Key Certificate Basics ..... 100
HP Jetdirect and Public Key Certificates ..... 107
IKE Authentication: Public Key Certificates ..... 107
The Microsoft Certificate Authority Environment ..... 107
Creating a Certificate Template ..... 108
Retrieving and Installing a CA Certificate ..... 113
Creating a Jetdirect CSR and Installing the Certificate ..... 117
HP Jetdirect IPsec Configuration Wizard: Certificate Authentication ..... 122
Microsoft Windows: Certificate Authentication ..... 125
Kerberos, Active Directory, and Jetdirect ..... 130
Kerberos Basics ..... 131
whitepaper