Multifunction Peripheral (MFP) Security for Enterprise Environments
MFP Security White Paper
Default Passwords
Default passwords provide no practical security, yet they are one of the most commonly used mechanisms
for securing systems. Default passwords do nothing more than provide the administrator with a false sense
of security. Default passwords are readily available from product user manuals, and hackers have
created web sites to catalog and distribute default passwords for a variety of products.
To enable HP products to have a high level of initial security, two mechanisms are used together:
• Make security configuration integral with the installation process
• Encrypt the communications for privacy
By making the security configuration integral with the system installation, administrators may be assured that
subsequent system management may only be performed by authorized users. Using the Security Wizard of
the Embedded Web Server Management Interface, administrators are able to select all security-related
configuration settings during installation.
By encrypting the communications for security configuration, the administrator is assured that the credentials,
passwords, and keys cannot be intercepted by network hackers and reused.
Encryption
To secure network communications, providing both integrity and privacy, encrypted protocols are used.
HP MFPs allow encrypted communications immediately out of the box, without administrator configuration,
using public key cryptography. During start-up, the MFP creates a unique asymmetric key pair, consisting of a
“private key” that is known only to the MFP, and a “public key” that is exposed to the user’s management
interface. Data encrypted using the MFP’s public key may only be decrypted by the MFP, allowing secure
communications to the MFP, and data decrypted by the public key may only have been encrypted by the
MFP, allowing authentication of the sending device.
For management interfaces using the SNMP protocol, such as the Jetdirect Installer and Web Jetadmin, the
public key is exposed as an SNMP object. For first-time installation, the management application can retrieve
the public key from the MFP and then use it to encrypt the credentials for subsequent SNMPv3 operation.
For management using the MFP’s Embedded Web Server, the public/private key pair is bound to a self-
signed X.509 server certificate. The server certificate facilitates the establishment of a secure connection using
the SSL/TLS protocol. The administrator may subsequently add the certificate to their certificate store for future
trust, or install an externally-signed X.509 certificate.
Access Control
Management access control is provided by a combination of administrator account (username and
password), SNMP Community Names, SNMPv3 authentication keys, and IP Access Control Lists.
The administrator account utilizes a username and password for authentication, and is used by the EWS,
Telnet, and FTP management interfaces. The SNMP Get/Set Community Names are used for the SNMPv2
protocol and emulate the functionality of a password. For added convenience and security, the EWS Security
Wizard allows the Community Names to be set to match the administrator password. The SNMPv3
authentication key is an administrator-supplied key that allows for cryptographically strong authentication.
IP Access Control Lists allow the administrator to select a set of specific IP addresses, or a range of IP
addresses, that are allowed TCP/IP access to the device. When using IP Access Control Lists for management
security, the IP addresses of authorized management consoles (WJA), or the specific IP addresses of
network administrator workstations, should be enabled.
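The following is an added example, not part of the original white paper or HP's own code: it audits a planned IP Access Control List against the list of management hosts before the list is applied to a device. The CIDR notation, the sample addresses, the host names, and the 16-address breadth threshold are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample data (not from the white paper); CIDR notation is assumed.
ACL = ["192.0.2.10", "192.0.2.11/32", "198.51.100.0/28", "10.0.0.0/8"]
MGMT_HOSTS = {  # hypothetical WJA console and administrator workstations
    "wja-console": "192.0.2.10",
    "admin-ws-1": "198.51.100.5",
    "admin-ws-2": "203.0.113.7",
}
MAX_ADDRESSES = 16  # assumed policy: largest range one ACL entry may cover


def parse_acl(entries):
    """Parse entries into networks; a bare address becomes a single-host entry.
    Raises ValueError for an entry with host bits set (e.g. 198.51.100.5/28)."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def is_permitted(acl, source):
    """True if the source address falls inside any ACL entry."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in acl)


def audit(entries, mgmt_hosts, max_addresses=MAX_ADDRESSES):
    """Return (finding, subject) tuples for an ACL judged against the host list."""
    acl = parse_acl(entries)
    hosts = [ipaddress.ip_address(ip) for ip in mgmt_hosts.values()]
    findings = []
    for net in acl:  # ranges wider than policy allows
        if net.num_addresses > max_addresses:
            findings.append(("too-broad", str(net)))
    for name in sorted(mgmt_hosts):  # management hosts the ACL would block
        if not is_permitted(acl, mgmt_hosts[name]):
            findings.append(("locked-out", name))
    for net in acl:  # entries that cover no known management host
        if not any(h in net for h in hosts):
            findings.append(("admits-no-listed-host", str(net)))
    return findings


if __name__ == "__main__":
    for finding, subject in audit(ACL, MGMT_HOSTS):
        print(f"{finding:22} {subject}")
```

Running the audit before applying the list catches both failure modes: a range so wide that it no longer restricts management access, and an omission that would lock an administrator out of the device.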










