HP 635n Practical IPsec Deployment for Printing and Imaging Devices - Page 50

Finally, some protocols really don't need IPsec protection, such as HTTPS and LDAPS. These wellknown protocols are already protected using SSL/TLS protections and it may not make sense to protect these with IPsec too. Putting all of this together, let's describe some deployment recommendations for IPsec Policy HP Recommend Printing and Imaging Policy This policy has an explicit trade off between interoperability, security, and clearly indicates what traffic is protected and what is not. HP Jetdirect Rule 1: All IP addresses, IPsec Exemptions Services, Allow without IPsec Protection Rule 2: All IP addresses, All services, Require IPsec Where the Service Template "IPsec Exemptions" is created by the administrator and has the following services in it: • LDAPS • Bonjour • BOOTP/DHCPv4 • DHCPv6 • DNS • HTTPS • ICMPv4 • ICMPv6 • IGMPv2 • NTP • SLP • WINS • WS-Discovery • Kerberos In essence, we've clearly communicated via the HP Jetdirect IPsec policy what services that do not need IPsec protection. For those services that do require IPsec protection, if a machine attempts to use those services and doesn't have the correct IPsec policy and IKE authentication parameters, it cannot print, digitally send, or manage the device. Microsoft Desktops/Laptops Distributing IPsec policy via the Active Directory where: Rule 1: To Any IP address, From My IP address, TCP Protocol, From ANY Port, To Port 9100, Require IPsec Protection This simply and easily protects printing to the device via IPsec. NOTE: This policy doesn't match the HP Jetdirect policy - in other words, more is being protected with IPsec on HP Jetdirect than is being protected on the desktop/laptop. This mismatch is actually okay. What we are doing is having HP Jetdirect enforce a restrictive IPsec policy and utilize an IPsec Policy on the desktops/laptops that is easy to manage and will result in protected printing communication. 50