White Paper

ManualsBrandsHP ManualsNetworkingJ2550B

HP Jetdirect Security Guidelines

white

Table of Contents:

Introduction ..................................................................................................................................... 1

HP Jetdirect Overview ...................................................................................................................... 2

What is an HP Jetdirect?................................................................................................................... 3

How old is Your HP Jetdirect?............................................................................................................ 4

Upgrading ...................................................................................................................................... 5

HP Jetdirect Administrative Guidelines ................................................................................................ 6

HP Jetdirect Hacks: TCP Port 9100..................................................................................................... 7

HP Jetdirect Hacks: Password and SNMP Community Names................................................................ 9

HP Jetdirect Hacks: Firmware Upgrade............................................................................................... 9

HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them................................................................. 10

HP Jetdirect Hacks: Printer/MFP access ............................................................................................ 10

Recommended Security Deployments: SET 1...................................................................................... 11

Recommended Security Deployments: SET 2...................................................................................... 12

Recommended Security Deployments: SET 3...................................................................................... 18

Recommended Security Deployments: SET 4...................................................................................... 28

Further Reading ............................................................................................................................. 33

Introduction

The availability of public information on the Internet for hacking HP Jetdirect products has prompted

customers to ask HP about how they can protect their printing and imaging devices against such

attacks and what is HP doing about preventing those attacks. In all fairness, some of this public

information is of rather poor quality and inflammatory; however, some websites detailing the attacks

and the vulnerabilities on HP Jetdirect are informative and raise valid concerns that need to be

addressed. It is the purpose of this whitepaper to address customer concerns about these attacks and

vulnerabilities and to recommend proper security configurations to help customers protect their

printing and imaging devices. This whitepaper is only a small part of a broad initiative within HP to

educate our customer base about printing and imaging security. Resources such as The Secure

Printing website (http://www.hp.com/go/secureprinting

) provide a great deal of information for

customers about products, solutions, as well as configuration recommendations. In general, a lot of

this information can be put to use on existing HP Jetdirect products, mainly because HP Jetdirect was

Summary of content (33 pages)

PAGE 1
whitepaper HP Jetdirect Security Guidelines Table of Contents: Introduction ..................................................................................................................................... 1 HP Jetdirect Overview ...................................................................................................................... 2 What is an HP Jetdirect?...................................................................................................................
PAGE 2
one of the first print servers to widely implement security protocols such as SSL/TLS, SNMPv3, 802.1X, and IPsec. If you are new to security and secure configurations, it is important to remember that ‘security’ is a process. Today’s security configurations and protocols that are thought to be unbreakable for the next few years may in fact be broken later today. At one extreme, the best security available for imaging and printing devices is to never unpack them once you buy them.
PAGE 3
What is an HP Jetdirect? OS OS When printers were directly connected to network spoolers, often a simple hardware protocol was used to send data from the PC to the printer. Centronics mode on a parallel port would be an example. As customers demanded faster data transfer speeds and richer status, these protocols became more complex as in IEEE 1284.4. In short, a printer had direct connect ports (e.g.
PAGE 4
How old is Your HP Jetdirect? Once in a while, when doing an inventory of a network, an administrator may discover some network connected devices that rather old but are still working. The same is true for printers and HP Jetdirect devices. An easy way to get an inventory of your HP Jetdirect devices is to use the HP Download Manager available here: http://www.hp.com/go/dlm_sw. This utility allows you to discover printers and their HP Jetdirect devices on the network.
PAGE 5
Upgrading Upgrading your HP Jetdirect devices is by no means a requirement, but is highly recommended. Should a customer choose to do so, HP can provide some guidelines. First, if the HP Jetdirect device was introduced before the year 2000, HP recommends that it be upgraded to a newer model.
PAGE 6
As you can see, replacing a discontinued 400n MIO model with a new external parallel port print server like the 300X will not upgrade the security capabilities of the Jetdirect device. Printers that have an MIO slot like the LaserJet IIIsi and LaserJet 4si have been discontinued for many years. Printers and MFPs with an EIO slot are still being sold today. The EIO slot was introduced on the HP LaserJet 4000 almost ten years ago.
PAGE 7
• A guideline to popular HP Jetdirect devices and the firmware they should be running as of August of 2007 is shown in Table 4: HP Jetdirect Product Number J7949E Embedded Jetdirect J4100A 400n 10Mbps MIO Print server J4106A 400n 10Mbps MIO Print server J3110A 600n 10Mbps EIO Print server J3111A 600n 10Mbps EIO Print server J3113A 600n 10/100 EIO Print server J4169A 610n 10/100 EIO Print Server J6057A 615n 10/100 EIO Print Server J3263A/J3263G 300x External Print server J3265A 500X External 3-Port Print S
PAGE 8
Which hosts need to print? Only computers on the same subnet as HP Jetdirect Options Option 1) For SET 1/2/3/4. Eliminate the default gateway (set to 0.0.0.0). This doesn’t prevent HP Jetdirect from receiving packets from other subnets, but does prevent the responses from returning to those remote subnets. As a result, TCP connections cannot be formed. Option 2) For SET 1/2/3/4. Setup an access control list with the IP address and mask for the local subnet. Option 3) For SET 3.
PAGE 9
they are trusted to establish a print connection, they are trusted to print. Some additional protections can be provided, in the form of Color Access Controls using HP’s Universal Print Driver (UPD), which allow an administrator to control the amount of color being used by a user. In addition, HP’s Web Jetadmin includes functionality called Report Generator which facilitates reports on users and their how their printing behavior. This functionality is useful for auditing and understanding printer usage.
PAGE 10
firmware upgrades; if telnet has been disabled to avoid plain-text transmission of the password, FTP upgrades are also disabled. The ability to use the EWS to upgrade HP Jetdirect devices is described here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07572. How the EWS is protected determines how the HP Jetdirect firmware upgrade capability is protected.
PAGE 11
Recommended Security Deployments: SET 1 The HP Jetdirect products denoted by SET 1 do not have any cryptographic security capability. As a result, a BOOTP/TFTP configuration is recommended as we can specify several control parameters via the TFTP configuration file. This configuration file allows for a great deal of power with very little administration overhead once configured.
PAGE 12
The TFTP configuration file points to a parameter file called “pjlprotection”. This file is sent to the printer on power-up.
PAGE 13
First and foremost, set a password.
PAGE 14
Change the Encryption Strength to “Medium” and check the “Encrypt All Web Communication ” checkbox. This checkbox forces HTTPS to be used for all web communication. Uncheck “Enable Telnet and FTP Firmware Update” and “Enable RCFG”.
PAGE 15
Uncheck “Enable SNMPv1/v2” and check Enable “SNMPv3”. Provide SNMPv3 parameters.
PAGE 16
Based upon the customer’s environment, read only SNMPv1/v2c access may need to be granted. Some tools such as the HP Standard Port Monitor use SNMPv1/v2c for status. Setup an Access Control List entry. This is another customer environment specific entry. In this example, the subnet 192.168.1.0 is protected by the ACL. Uncheck “Allow Web Server (HTTP) access” to force HTTP checking to be done in the ACL.
PAGE 17
Disable unused print protocols and services. Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done. Special equipment is required. For a complete discussion of 802.1X, see HP Jetdirect whitepapers on the topic. For now, this configuration step is skipped.
PAGE 18
Configuration Review Configuration review. Click “Finish” to set the configuration. Recommended Security Deployments: SET 3 First and foremost, SET 3 configuration needs to have the Security Wizard for SET 2 executed. Once the Security Wizard configuration has been completed, then we can begin the Firewall configuration.
PAGE 19
Be sure that you are using HTTPS before navigating to this page. Select the drop down box for the Default Rule to be “Allow” and then click “Add Rules…” We have a specific administrator subnet defined for printing and imaging devices. Click the “New” button so we can be very specific about what addresses can manage the device.
PAGE 20
We’ll define the IPv4 address range first. Select “All IPv4 Addresses” for Local Address and then we specified the 192.168.0/24 subnet for the Remote Address. We’ve also named this address template very clearly. Now for IPv6. Click “New” again. NOTE: If IPv6 is not used on your network, go to TCP/IP settings and disable IPv6 for increased security. You can also skips which use IPv6 in this configuration.
PAGE 21
Select the appropriate IPv6 addresses and name the address template. Now that we have the address templates, let’s create a rule. Rules are processed in priority order from 1 – 10. Let’s create an IPv4 rule first. Select the IPv4 address template you created, then click “Next”.
PAGE 22
We are concerned with management services, so select the service template “All Jetdirect Management Services”. Click “Next”. Select “Allow Traffic”.
PAGE 23
Select “Create another rule”. Select the IPv6 address template you created and then click “Next”.
PAGE 24
Select the “All Jetdirect Management Services” service template. Click “Next”. Select “Allow Traffic”. Click Next.
PAGE 25
We have allowed management traffic from our IPv4/IPv6 administrative subnet. Now we must create a rule to throw away all other management traffic. Click “Create another rule”. Here we select “All IP addresses” which encompasses both IPv4 and IPv6. Click “Next”.
PAGE 26
Again, select “All Jetdirect Management Services” for the service template and then click “Next”. Select “Drop”. Click “Next”.
PAGE 27
We can now see our policy. Rules are processed from 1 to 10. If a packet comes from or is going to our defined IPv4/IPv6 subnet, the rule will match and it will be allowed. Otherwise, if it is a management service, it will be dropped. All other traffic will be allowed (the default rule is allow). Click “Finish”. Select “Yes” for Enable Policy. HTTPS failsafe can be used when trying out configurations.
PAGE 28
Recommended Security Deployments: SET 4 First and foremost, SET 4 configuration needs to have the Security Wizard for SET 2 executed. Once the Security Wizard configuration has been completed, then we can begin the IPsec configuration. Let’s go through the same process as we did with SET 3, only this time, we’ll simply say that all IP addresses must use IPsec to utilize a management protocol.
PAGE 29
Select “All Jetdirect Management Services”. Click “Next”. Select “Require traffic to be protected with an IPsec/Firewall Policy”. Click “Next”.
PAGE 30
Click “New”. Name the IPsec Template. Some Jetdirect models may require you to configure IKE parameters. However, this model has a quick set of IKE defaults that can be used. The one selected is for more emphasis on Interoperability and less on Security. Click “Next”.
PAGE 31
For example purposes only, Pre-Shared Key Authentication is used. HP does not recommend using PreShared Key Authentication. Certificates or Kerberos is highly recommended. Click “Next”. Select the IPsec template you just created. Click “Next”.
PAGE 32
Here is our IPsec policy. If a management protocol is to be used, it must use IPsec. All other traffic is allowed based upon the default rule. Click “Finish”. Select “Yes” to enable the IPsec policy. You can also choose to have a failsafe if you would like. Click “OK”.
PAGE 33
Further Reading 802.1X: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00731218/c00731218.pdf IPsec: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c01048192/c01048192.pdf IPv6: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00840100/c00840100.pdf Using the networking infrastructure to better protect your printing and imaging devices: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00707837/c00707837.