HP J3111A - JetDirect 600N Network Card Manual

Security guidelines

HP Jetdirect Security Guidelines

Table of Contents:

Introduction ..................................................................................................................................... 1
HP Jetdirect Overview ...................................................................................................................... 2
What is an HP Jetdirect?................................................................................................................... 3
How old is Your HP Jetdirect?............................................................................................................ 4
Upgrading ...................................................................................................................................... 5
HP Jetdirect Administrative Guidelines ................................................................................................ 6
HP Jetdirect Hacks: TCP Port 9100..................................................................................................... 7
HP Jetdirect Hacks: Password and SNMP Community Names................................................................ 9
HP Jetdirect Hacks: Firmware Upgrade............................................................................................... 9
HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them................................................................. 10
HP Jetdirect Hacks: Printer/MFP access ............................................................................................ 10
Recommended Security Deployments: SET 1...................................................................................... 11
Recommended Security Deployments: SET 2...................................................................................... 12
Recommended Security Deployments: SET 3...................................................................................... 18
Recommended Security Deployments: SET 4...................................................................................... 28
Further Reading ............................................................................................................................. 33

Introduction

The availability of public information on the Internet for hacking HP Jetdirect products has prompted
customers to ask HP about how they can protect their printing and imaging devices against such
attacks and what is HP doing about preventing those attacks. In all fairness, some of this public
information is of rather poor quality and inflammatory; however, some websites detailing the attacks
and the vulnerabilities on HP Jetdirect are informative and raise valid concerns that need to be
addressed. It is the purpose of this whitepaper to address customer concerns about these attacks and
vulnerabilities and to recommend proper security configurations to help customers protect their
printing and imaging devices. This whitepaper is only a small part of a broad initiative within HP to
educate our customer base about printing and imaging security. Resources such as The Secure
Printing website (http://www.hp.com/go/secureprinting) provide a great deal of information for
customers about products, solutions, as well as configuration recommendations. In general, a lot of
this information can be put to use on existing HP Jetdirect products, mainly because HP Jetdirect was

Summary of Contents for HP J3111A - JetDirect 600N Network Card

  • Page 2: HP Jetdirect Overview

    one of the first print servers to widely implement security protocols such as SSL/TLS, SNMPv3, 802.1X, and IPsec. If you are new to security and secure configurations, it is important to remember that ‘security’ is a process. Today’s security configurations and protocols that are thought to be unbreakable for the next few years may in fact be broken later today.
  • Page 3: What is an HP Jetdirect?

    What is an HP Jetdirect? When printers were directly connected to network spoolers, often a simple hardware protocol was used to send data from the PC to the printer. Centronics mode on a parallel port would be an example. As customers demanded faster data transfer speeds and richer status, these protocols became more complex as in IEEE 1284.4.
  • Page 4: How old is Your HP Jetdirect?

    How old is Your HP Jetdirect? Once in a while, when doing an inventory of a network, an administrator may discover some network-connected devices that are rather old but are still working. The same is true for printers and HP Jetdirect devices.
  • Page 5: Upgrading

    Upgrading Upgrading your HP Jetdirect devices is by no means a requirement, but is highly recommended. Should a customer choose to do so, HP can provide some guidelines. First, if the HP Jetdirect device was introduced before the year 2000, HP recommends that it be upgraded to a newer model. Some security features of the models that are available for customers to purchase as of August 2007 are shown in Table 2 –...
  • Page 6: HP Jetdirect Administrative Guidelines

    As you can see, replacing a discontinued 400n MIO model with a new external parallel port print server like the 300X will not upgrade the security capabilities of the Jetdirect device. Printers that have an MIO slot like the LaserJet IIIsi and LaserJet 4si have been discontinued for many years. Printers and MFPs with an EIO slot are still being sold today.
  • Page 7: HP Jetdirect Hacks: TCP Port 9100

    A guideline to popular HP Jetdirect devices and the firmware they should be running as of August of 2007 is shown in Table 4:
      HP Jetdirect Product Number                  Firmware Version
      J7949E  Embedded Jetdirect                   V.33.14/V.33.15
      J4100A  400n 10Mbps MIO Print server         K.08.49
      J4106A  400n 10Mbps MIO Print server         K.08.49
      ...
  • Page 8 Which hosts need to print? Options: Only computers on the same subnet as the HP Jetdirect. Option 1) For SET 1/2/3/4: eliminate the Jetdirect default gateway (set to 0.0.0.0). This doesn’t prevent HP Jetdirect from receiving packets from other subnets, but does prevent the responses from returning to those remote subnets.
  • Page 9: HP Jetdirect Hacks: Password and SNMP Community Names

    SNMPv3 for additional security and HP Web Jetadmin makes using SNMPv3 easy. Also note that applications such as the HP Download Manager and HP Web Jetadmin are digitally signed by Hewlett-Packard as proof of their source. The ability to use FTP to upgrade the firmware of HP Jetdirect devices is described here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07129.
  • Page 10: HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them

    firmware upgrades; if telnet has been disabled to avoid plain-text transmission of the password, FTP upgrades are also disabled. The ability to use the EWS to upgrade HP Jetdirect devices is described here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07572. How the EWS is protected determines how the HP Jetdirect firmware upgrade capability is protected. For users of the EWS, HP recommends setting the redirect from HTTP to HTTPS, using a properly signed certificate, and of course specifying a good password.
  • Page 11: Recommended Security Deployments: SET 1

    Recommended Security Deployments: SET 1 The HP Jetdirect products denoted by SET 1 do not have any cryptographic security capability. As a result, a BOOTP/TFTP configuration is recommended as we can specify several control parameters via the TFTP configuration file. This configuration file allows for a great deal of power with very little administration overhead once configured.
  • Page 12: Recommended Security Deployments: SET 2

    The TFTP configuration file points to a parameter file called “pjlprotection”. This file is sent to the printer on power-up. Here is a sample content for the pjlprotection file:
      <ESC>%-12345X@PJL <CR><LF>
      @PJL COMMENT **Set Password** <CR><LF>
      @PJL COMMENT **& Lock Control Panel**<CR><LF>
      @PJL JOB PASSWORD = 7654 <CR><LF>
      ...
  • Page 13 First and foremost, set a password.
  • Page 14 Change the Encryption Strength to “Medium” and check the “Encrypt All Communication” checkbox. This checkbox forces HTTPS to be used for all communication. Uncheck “Enable Telnet and FTP Firmware Update” and “Enable RCFG”.
  • Page 15 Uncheck “Enable SNMPv1/v2” and check “Enable SNMPv3”. Provide the SNMPv3 parameters.
  • Page 16 Based upon the customer’s environment, read-only SNMPv1/v2c access may need to be granted. Some tools such as the HP Standard Port Monitor use SNMPv1/v2c for status. Set up an Access Control List entry. This is another customer-environment-specific entry. In this example, the subnet 192.168.1.0 is...
  • Page 17 Disable unused print protocols and services. Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done. Special equipment is required. For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic.
  • Page 18: Recommended Security Deployments: SET 3

    Configuration review. Click “Finish” to set the configuration. Recommended Security Deployments: SET 3 First and foremost, SET 3 configuration needs to have the Security Wizard for SET 2 executed. Once the Security Wizard configuration has been completed, we can begin the Firewall configuration. A sample Firewall configuration is shown where the management protocols are restricted to a specific IP subnet range:...
  • Page 19 Be sure that you are using HTTPS before navigating to this page. Set the Default Rule drop-down box to “Allow” and then click “Add Rules…”. We have a specific administrator subnet defined for printing and imaging devices.
  • Page 20 We’ll define the IPv4 address range first. Select “All IPv4 Addresses” for the Local Address and specify the 192.168.0/24 subnet for the Remote Address. We’ve also named this address template very clearly. Now for IPv6. Click “New” again. NOTE: If IPv6 is not used on your network, go to...
  • Page 21 Select the appropriate IPv6 addresses and name the address template. Now that we have the address templates, let’s create a rule. Rules are processed in priority order from 1 – 10. Let’s create an IPv4 rule first. Select the IPv4 address template you created, then...
  • Page 22 We are concerned with management services, so select the service template “All Jetdirect Management Services”. Click “Next”. Select “Allow Traffic”. Click “Next”...
  • Page 23 Select “Create another rule”. Select the IPv6 address template you created and then click “Next”.
  • Page 24 Select the “All Jetdirect Management Services” service template. Click “Next”. Select “Allow Traffic”. Click “Next”.
  • Page 25 We have allowed management traffic from our IPv4/IPv6 administrative subnet. Now we must create a rule to throw away all other management traffic. Click “Create another rule”. Here we select “All IP addresses” which encompasses both IPv4 and IPv6. Click “Next”.
  • Page 26 Again, select “All Jetdirect Management Services” for the service template and then click “Next”. Select “Drop”. Click “Next”.
  • Page 27 We can now see our policy. Rules are processed from 1 to 10. If a packet comes from or is going to our defined IPv4/IPv6 subnet, the rule will match and it will be allowed. Otherwise, if it is a management service, it will be dropped.
  • Page 28: Recommended Security Deployments: SET 4

    Recommended Security Deployments: SET 4 First and foremost, SET 4 configuration needs to have the Security Wizard for SET 2 executed. Once the Security Wizard configuration has been completed, then we can begin the IPsec configuration. Let’s go through the same process as we did with SET 3, only this time, we’ll simply say that all IP addresses must use IPsec to utilize a management protocol.
  • Page 29 Select “All Jetdirect Management Services”. Click “Next”. Select “Require traffic to be protected with IPsec/Firewall Policy”. Click “Next”.
  • Page 30 Click “New”. Name the IPsec template. Some Jetdirect models may require you to configure IKE parameters. However, this model has a quick set of IKE defaults that can be used. The one selected places its emphasis on interoperability and less on security.
  • Page 31 For example purposes only, Pre-Shared Key Authentication is used. HP does not recommend using Pre-Shared Key Authentication; Certificates or Kerberos are highly recommended. Click “Next”. Select the IPsec template you just created. Click “Next”.
  • Page 32 Here is our IPsec policy. If a management protocol is to be used, it must use IPsec. All other traffic is allowed based upon the default rule. Click “Finish”. Select “Yes” to enable the IPsec policy. You can also choose to have a failsafe if you would like.
  • Page 33: Further Reading

    Further Reading
      802.1X: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00731218/c00731218.pdf
      IPsec: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c01048192/c01048192.pdf
      IPv6: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00840100/c00840100.pdf
      Using the networking infrastructure to better protect your printing and imaging devices: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00707837/c00707837.pdf
      ...
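The SET 3 firewall policy walked through on pages 19 to 27 (allow management services from the administrative subnet, drop all other management traffic, default rule “Allow”, first match in priority order) as an added Python model; this is not code from the HP whitepaper. The port list behind “All Jetdirect Management Services”, the IPv6 administrative prefix and the sample addresses are assumptions for the model.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Optional, Set, Union

# Assumed port composition of the "All Jetdirect Management Services" template
# (the whitepaper names the template but does not list its ports).
MANAGEMENT_PORTS = {21, 23, 80, 161, 443}   # FTP, telnet, HTTP, SNMP, HTTPS
RAW_PRINT_PORT = 9100                        # TCP 9100, the print path on page 7

# Address templates: 192.168.0/24 is the page's administrative subnet;
# the IPv6 prefix is a constructed documentation value.
ADMIN_V4 = ip_network("192.168.0.0/24")
ADMIN_V6 = ip_network("2001:db8:1::/64")


@dataclass
class Rule:
    name: str
    addresses: Optional[Union[IPv4Network, IPv6Network]]  # None = "All IP addresses"
    services: Optional[Set[int]]                          # None = any service
    action: str                                           # "Allow" or "Drop"


# Rules 1-3 as built in the walkthrough; slots 4-10 stay empty.
POLICY = [
    Rule("Allow mgmt from IPv4 admin subnet", ADMIN_V4, MANAGEMENT_PORTS, "Allow"),
    Rule("Allow mgmt from IPv6 admin subnet", ADMIN_V6, MANAGEMENT_PORTS, "Allow"),
    Rule("Drop all other mgmt traffic", None, MANAGEMENT_PORTS, "Drop"),
]
DEFAULT_RULE = "Allow"


def evaluate(remote_ip: str, port: int, policy=POLICY) -> str:
    """First-match evaluation in priority order. remote_ip is the address at
    the non-Jetdirect end (source or destination), port is the Jetdirect-side
    service port. Falls through to the Default Rule when nothing matches."""
    addr = ip_address(remote_ip)
    for rule in policy:
        addr_match = rule.addresses is None or (
            addr.version == rule.addresses.version and addr in rule.addresses)
        svc_match = rule.services is None or port in rule.services
        if addr_match and svc_match:
            return rule.action
    return DEFAULT_RULE


def management_reachable_from(remote_ip: str, policy=POLICY) -> bool:
    """Audit helper: True if any management service is allowed from remote_ip."""
    return any(evaluate(remote_ip, p, policy) == "Allow" for p in MANAGEMENT_PORTS)
```

Evaluating the policy without its third rule shows why the explicit drop is needed: with the Default Rule set to “Allow”, management traffic from every other subnet falls through and is accepted.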