Multifunction Peripheral (MFP) Security for Enterprise Environments

ManualsBrandsHP ManualsDesktopsHP LaserJet 4101 Multifunction Printer

White Paper

March 2004

Document Version: 1.0

Imaging and Printing Group

Hewlett-Packard Company

Contents

Introduction ................................ 1

Imaging and Printing

Infrastructure.......................... 1

Ease of Use ................................ 2

Multifunction Peripheral (MFP)

Hardware ............................. 2

Embedded Operating System

and Firmware ............................. 2

Firmware Updates ....................... 2

Vulnerabilities, buffer overflows,

et al...................................... 3

Chai Platform.............................. 3

Network Interface, EIO bus........... 3

Wireless Ethernet ........................ 3

MFP Analog FAX Accessory.......... 3

Disk Drive................................... 3

MFP Management Security ........... 4

Management Interfaces and

Protocols ............................... 4

Out-of-Box Security ...................... 4

Encryption .................................. 5

Access Control............................ 5

Protocol/Service Configuration ..... 6

MFP Copy/Scan/Print Security ..... 6

Networked Printing...................... 7

Spoolers and Access Control ........ 7

IP Access Control List ................... 7

Print Encryption ........................... 7

Recommendations ....................... 7

Acronyms ................................... 8

References.................................. 9

Multifunction Peripheral (MFP)

Security for Enterprise

Environments

Abstract:

Networked imaging and printing infrastructure has the potential for abuse

just as any other networked system. Imaging and printing devices have

gained levels of sophistication comparable to network servers and

workstations, and should be managed as such. Understanding, and

effectively using, the security features of HP imaging and printing devices

is crucial for the maintenance of a secure network.

Notice:

Microsoft

, Windows

, and Windows NT

are trademarks of Microsoft

Corporation in the U.S. and/or other countries. UNIX

is a trademark of The

Open Group in the U.S. and/or other countries. Intel

and Itanium

are

trademarks or registered trademarks of Intel Corporation or its subsidiaries in the

U.S. and other countries. Oracle

is a registered U.S. trademark of Oracle

Corporation, Redwood City, California. All other product names mentioned

herein may be the trademarks of their respective companies.

Neither HP, nor any of its subsidiaries, shall be liable for technical or editorial

errors or omissions contained herein. The information in this publication is

provided "as is" without warranty of any kind and is subject to change without

notice. The warranties for HP products are set forth in the express limited warranty

statements accompanying such products. Nothing herein should be construed as

constituting an additional warranty.

Summary of content (10 pages)

PAGE 1
White Paper March 2004 Document Version: 1.0 Imaging and Printing Group Hewlett-Packard Company Contents Introduction ................................ 1 Imaging and Printing Infrastructure.......................... 1 Ease of Use ................................ 2 Multifunction Peripheral (MFP) Hardware ............................. 2 Embedded Operating System and Firmware ............................. 2 Firmware Updates ....................... 2 Vulnerabilities, buffer overflows, et al....................
PAGE 2
MFP Security White Paper 1 Introduction The networked imaging and printing infrastructure has become increasingly sophisticated, becoming a critical component of the office infrastructure. Despite its importance, network administrators have largely ignored the security risks of their imaging and printing infrastructure, oftentimes leaving the infrastructure entirely unsecured.
PAGE 3
MFP Security White Paper Ease of Use Frequently, security features are ignored because of their complexity. A device may offer credible security features, however because of the complexity of their use, they may go unused. HP has concentrated on reducing the complexities of security, while continuing to lead with state-of-the-art capabilities.
PAGE 4
MFP Security White Paper firmware updates, access controls integral to device management are supported. Mechanisms are used to check the authenticity of the firmware image; however it is still recommended that only firmware images provided directly from HP be applied. Vulnerabilities, buffer overflows, et al. HP MFPs have been extensively tested to ensure that they may not be compromised by buffer overflows, malformed data requests, and malformed data submissions.
PAGE 5
MFP Security White Paper Encryption of network transmitted data stored on the disk is available using the JetCAP SecureDIMM II accessory module. The SecureDIMM II module secures the print job from the printing client to the MFP’s internal printing engine. While the print job is retained on the hard disk, it remains encrypted. Unless otherwise specified, print job data is deleted from the disk at the completion of the print job.
PAGE 6
MFP Security White Paper ! Default Passwords Default passwords provide no practical security, yet they are one of the most commonly used mechanisms for securing systems. Default passwords do nothing more than provide the administrator with a false sense of security. Default passwords are readily available from product user manuals, and hackers have created web sites to catalog and distribute default passwords for a variety of products.
PAGE 7
MFP Security White Paper Protocol/Service Configuration Improperly configured systems are a common target for attack. Systems may have security settings improperly configured, or unused, unneeded, and unmonitored services installed. Oftentimes, services that are left unused are not secured, providing backdoors for exploitation. The following services and protocols may be selectively disabled: • Management: Embedded Web Server (EWS), SNMPv2 and SNMPv3 protocols, Telnet, FTP, and RCFG.
PAGE 8
MFP Security White Paper Networked Printing MFPs use simple print protocols to receive print jobs from remote clients. The two common print protocols are LPR and “raw” Port 9100. Neither protocol provides encryption or access controls; however these features are typically integrated with other components of the system, including spoolers and encryption modules.
PAGE 9
MFP Security White Paper The following recommendations can be a starting point for securing your imaging and printing infrastructure: • Treat MFPs and networked printers as any other network server – Networked MFPs and printers offer much of the same capabilities as general purpose servers. Integrate MFPs and printers into vulnerability scans, and into intrusion detection systems, and audit for compliance of policies.
PAGE 10
MFP Security White Paper HTTPS: Hypertext Transmission Protocol, Secure. LEAP: Lightweight EAP, officially called “EAP Cisco Wireless. MFPs: Multifunction peripherals. MIB OID: Management Information Base/Object Identifier; PEAP: Protected EAP. RCFG: Remote Configuration (SPX protocol) mDNS: Multicast DNS. SMB/CIFS: Server Message Block/Common Internet File System. SNMP: Simple Network Management Protocol. SSL/TLS: Secure Sockets Layer/Transport Layer Security.