HP 635n Practical IPsec Deployment for Printing and Imaging Devices - Page 47
Microsoft Desktops and Laptops running Windows XP/Vista: The most common platforms
 |
UPC - 882780301016
View all HP 635n manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 47 highlights
• Provide proper protection to these protocols without causing unreasonable support costs over a non-IPsec protected network. Deploying IPsec really means deploying an IPsec policy - a set of rules for how traffic is to be protected. It would be easier if all devices could simply protect all traffic with IPsec. Unfortunately, that is not a practical choice in most situations. Many times, special considerations must be made that results in differing rule sets on differing device types. A mismatch in the set of rules between differing device types that need to communicate often means that those devices cannot communicate. While there are options to avoid these types of problems, more often than not, they compromise on the certainty of securing traffic with IPsec and are vulnerable to IKE denial of service attacks. There are really four types of network devices that come into play regarding IPsec policy for printing and imaging devices: • Microsoft Desktops and Laptops running Windows XP/Vista: The most common platforms for printing in the Enterprise and also the most important to distribute a broad and clean IPsec policy to due to the number of machines that the IPsec policy will affect and the wide variety of networking applications in use. For this whitepaper, we are assuming a client printing directly to an HP device - HP's Universal Printer Driver is a commonly used component in this type of model - rather than using an intermediate Windows Print Server. • HP Jetdirect Printers and MFPs that support IPsec. Second most common platform in use as there are several desktops or laptops for every shared network printer or MFP. • Servers providing common network services - such as DHCP, DNS, WINS, etc... • Microsoft Servers running Windows Server 2003 and Server 2008: Not as commonly found - used for specialty services like Digital Send Software, Managed Print Spooling, Web Jetadmin, OpenView, or an Email server for MFPs. In addition to these device types, there are also traffic types to worry about. Some services rely heavily on broadcast/multicast traffic in various combinations as well as the traditional unicast traffic. Our IPsec policy must consider these situations. Refer to Figure 41 Traffic Types. 47
-
1 -
2
-
3
-
4
-
5
-
6
-
7
-
8
-
9
-
10
-
11
-
12
-
13
-
14
-
15
-
16
-
17
-
18
-
19
-
20
-
21
-
22
-
23
-
24
-
25
-
26
-
27
-
28
-
29
-
30
-
31
-
32
-
33
-
34
-
35
-
36
-
37
-
38
-
39
-
40
-
41
-
42 -
43 -
44 -
45 -
46 -
47 -
48 -
49 -
50 -
51 -
52 -
53
-
54
-
55
-
56
-
57
-
58
-
59
-
60
-
61
-
62
-
63
-
64
-
65
-
66
-
67
-
68
-
69
-
70
-
71
-
72
-
73
-
74
-
75
-
76
-
77
-
78
-
79
-
80
-
81
-
82
-
83
-
84
-
85
-
86
-
87
-
88
-
89
-
90
-
91
-
92
-
93
-
94
-
95
-
96
-
97
-
98
-
99
-
100
-
101
-
102
-
103
-
104
-
105
-
106
-
107
-
108
-
109
-
110
-
111
-
112
-
113
-
114
-
115
-
116
-
117
-
118
-
119
-
120
-
121
-
122
-
123
-
124
-
125
-
126
-
127
-
128
-
129
-
130
-
131
-
132
-
133
-
134
-
135
-
136
-
137
-
138
-
139
-
140
-
141
-
142
-
143
-
144
-
145
-
146
-
147
-
148
-
149
-
150
-
151
-
152
-
153
-
154
-
155
-
156
-
157
-
158
-
159
-
160
-
161
-
162
-
163
-
164
-
165
-
166
-
167
-
168
-
169
-
170
-
171
-
172
-
173
-
174
-
175
-
176
-
177
-
178
-
179
-
180
-
181
-
182
-
183
-
184
-
185
-
186
-
187
-
188
-
189
-
190
-
191
-
192
-
193
 |
 |
