HP Enterprise printers - HP Connection Inspector (white paper)
Introduction
HP Connection Inspector is a new intelligent embedded security feature created by HP Labs. The technology inspects
outbound network connections typically abused by malware, determines what is normal and stops suspicious activity. If
the printer is compromised, it will automatically trigger a system restart to initiate HP Sure Start self-healing
procedures.
Theory of Operation
Malware is typically designed to call home to its external server to get further instructions, updates and
information on where to send collected data. Early malware used hardcoded IP addresses. Modern malware uses
more sophisticated behaviors to establish and maintain contact with its external server. These behaviors can be
recognized to detect the presence of malware and block the attackers.
When anomalous behavior on outgoing connection requests is detected, the device enters a protected mode of
operation for DNS queries, designed to stop the malware from communicating with its external server and to prevent it
from causing additional damage, while allowing the printer to function normally.
If further anomalous connection requests are detected, the device performs a system restart which is designed to clear
the malware by taking advantage of the device’s Sure Start and Whitelisting features. An IT security alert is generated to
communicate a possible attack.
HP Connection Inspector settings
Settable parameters define how the feature identifies DNS behavior that could indicate anomalous activity. The device
enters either of two modes: DNS Protected Mode or a Self-Healing Mode where the device performs a system restart.
The settable parameters allow the detection method to be tuned to different customer environments, in terms of typical
network behavior and security sensitivity.
Configuration interfaces:
• Embedded Web Server (EWS) supports all configuration settings
• HP Web Jetadmin supports Enable/Disable only in version 10.4sr2 Feature Pack 6
• HP JetAdvantage Security Manager supports all configuration settings in version 3.1
Feature Enable / Disable
The HP Connection Inspector feature can be disabled for troubleshooting purposes. Disabling and re-enabling the
feature resets Protected mode counters and monitoring statistics to their configured values.
Figure 1: HP Connection Inspector Enable/Disable in the Embedded Web Server (EWS)
EWS Path: Networking Tab -> TCP/IP Menu -> Network Identification Page
Threshold and Duration Settings
DNS Failure Threshold: Default: 5 (4 – 50)
The number of unique non-resolving unknown DNS requests within the “Monitoring Window” resulting in DNS Protected
Mode.
• A higher value will reduce the speed and accuracy of detection but will reduce potential false positives.
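The following is an added example, not HP's implementation and not code from this white paper, showing how a count of unique non-resolving DNS names inside a monitoring window reacts to the threshold setting. The 60-second window, treating a name that resolved earlier as "known", and triggering when the count reaches the threshold are assumptions; all query data is constructed.

```python
from collections import deque

DNS_FAILURE_THRESHOLD = 5   # default from the page (allowed range 4-50)
MONITORING_WINDOW_S = 60    # assumed length; the page gives no value here

# Constructed sample data: (seconds, queried name, resolved?)
BURST = [
    (0, "fw-update.vendor.example", True),
    (2, "kq3v9.example", False),
    (4, "kq3v9.example", False),              # repeat of the same name
    (6, "zt81m.example", False),
    (9, "p0rr2.example", False),
    (12, "fw-update.vendor.example", False),  # known name, transient failure
    (15, "xx7ha.example", False),
    (18, "m4c2d.example", False),
    (21, "b9w0e.example", False),
    (24, "u5n3k.example", False),
]
# Constructed: one new failing name every 20 seconds.
SLOW = [(t, f"host{t}.example", False) for t in range(0, 120, 20)]


def first_trigger(queries, threshold=DNS_FAILURE_THRESHOLD,
                  window_s=MONITORING_WINDOW_S):
    """Return the time the unique-failure count reaches threshold, else None."""
    if not 4 <= threshold <= 50:
        raise ValueError("threshold outside the documented 4-50 range")
    known = set()       # names that resolved before (assumed meaning of "known")
    failures = deque()  # (time, name) of failed lookups inside the window
    for ts, name, resolved in queries:
        if resolved:
            known.add(name)
            continue
        if name in known:
            continue    # failure of a known name is not counted
        failures.append((ts, name))
        # Drop failures that have aged out of the monitoring window.
        while ts - failures[0][0] >= window_s:
            failures.popleft()
        # Repeats of one name count once: only unique names matter.
        if len({n for _, n in failures}) >= threshold:
            return ts
    return None
```

With the default threshold the burst is flagged at t=18; raising the threshold to 7 delays that to t=24 and a value of 8 never fires on this data, which is the speed-versus-false-positive trade-off described in the bullet above.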