HP 635n Practical IPsec Deployment for Printing and Imaging Devices - Page 2

Introduction, A Parable: Confidentiality, Authentication, and Integrity


IKE Authentication: Kerberos ... 136
HP Jetdirect IPsec Configuration Wizard: Kerberos Authentication ... 137
Microsoft Windows: Kerberos Authentication ... 152
HP Web Jetadmin 10.x IPsec Configuration Wizard ... 154
Summary ... 172
Appendix A: IKE Templates ... 173
Appendix B: Troubleshooting Web Jetadmin and Kerberos ... 178
Appendix C: Importing a Certificate ... 181
Introduction

What does Internet Protocol Security, also known as IPsec, do? What does it provide that is different from other security protocols? Isn’t IPsec a protocol used strictly for Virtual Private Networks? Why would I use IPsec on my Intranet? Why would I want to use IPsec to protect my printing and imaging communication? We will answer these questions and more in this whitepaper. In order to get our arms around IPsec and use it fruitfully to solve problems, we’ll need to establish the background from which it came. In addition, we’ll look at the Intranet threat model and show how terribly easy it is to circumvent basic security measures in most networks. Next, we’ll talk about IPsec and how it can be used to prevent these attacks. Finally, we’ll show how to configure and deploy IPsec for printing and imaging devices. IPsec is complex, and as a prominent security researcher once said, “Complexity is the enemy of security”. Rather than discuss all the features of IPsec, we will take a practical, simplified approach to minimize configuration complexity and maximize the security of your printing and imaging devices.

It is important to note that IPsec is a technology tool used in the implementation of a company’s overall security policy. If you are engaged in “print and sprint”, where you ‘print’ documents you consider sensitive and then ‘sprint’ to the shared printer in the hallway in the hope of getting there before anyone else does, you are probably (a) violating an existing security policy, (b) don’t have a security policy to violate, and/or (c) shouldn’t be using IPsec because you’ve got bigger security problems to solve. Please do not forgo having a security policy simply for the sake of throwing technology, such as IPsec, at perceived security issues. The IPsec policy is really determined by a company’s overall security policy. A helpful guide on security policy can be found on the website run by the National Institute for Standards and Technology (NIST) and at the SANS Institute. In addition, be sure to read Request For Comments (RFC) 2196 – Site Security Handbook.
A Parable: Confidentiality, Authentication, and Integrity

It is vitally important that the concepts of Confidentiality, Authentication, and Integrity are understood before continuing. Most people do not have a true understanding of these concepts as they relate to IPsec, because IPsec is a network protocol and network protocol specifications aren’t usually read for leisure. To illustrate these concepts, let’s work through a parable.

There is a small company of about ten employees. The boss of the company works remotely, and so no one has ever seen him. One day he announces via email that no one will get a pay raise because earnings are too low. The next day, the police call the boss to report that his company building has obscenities, directed at him, spray painted on the outside walls. The boss is positive that one of the employees had something to do with it and decides to conduct an investigation to find out who. He drives into work with the intention of conducting one-on-one interviews with each of his employees.

The boss arrives at the building and is incensed at what he reads on the walls. He storms up to the entrance but is stopped by a security guard. The security guard says “Identification Please.” The boss says “I’m the Boss, let me in”. The security guard says “I’m sorry sir, but I’ll need to see a company badge.” The boss is really angry now because he has to drive all the way back home and get his employee badge. It was a long trip, and now back at home he has calmed down. He realizes that the security guard did an important thing by not allowing just anyone without a badge access to his building. He is determined to