HP Jetdirect Security Guidelines

Table of Contents:
Introduction
HP Jetdirect Overview
What is an HP Jetdirect?
How old is Your HP Jetdirect?
Upgrading
HP Jetdirect Administrative Guidelines
HP Jetdirect Hacks: TCP Port 9100
HP Jetdirect Hacks: Password and SNMP Community Names
...
one of the first print servers to widely implement security protocols such as SSL/TLS, SNMPv3, 802.1X, and IPsec. If you are new to security and secure configurations, remember that security is a process, not a state: a configuration or protocol believed today to be sound for years to come may be broken tomorrow, so settings have to be revisited as firmware and guidance change.
What is an HP Jetdirect?

When printers were connected directly to a PC or print spooler, a simple hardware protocol was often used to send data from the PC to the printer; Centronics mode on a parallel port is an example. As customers demanded faster data transfer speeds and richer status reporting, these protocols became more complex, as in IEEE 1284.4.
How old is Your HP Jetdirect?

Once in a while, when taking inventory of a network, an administrator discovers network-connected devices that are rather old but still working. The same is true for printers and HP Jetdirect devices.
Upgrading

Upgrading your HP Jetdirect devices is by no means a requirement, but it is highly recommended. Should a customer choose to do so, HP can provide some guidelines. First, if the HP Jetdirect device was introduced before the year 2000, HP recommends that it be upgraded to a newer model. Some security features of the models that are available for customers to purchase as of August 2007 are shown in Table 2 –...
As you can see, replacing a discontinued 400n MIO model with a new external parallel port print server like the 300X will not upgrade the security capabilities of the Jetdirect device. Printers that have an MIO slot like the LaserJet IIIsi and LaserJet 4si have been discontinued for many years. Printers and MFPs with an EIO slot are still being sold today.
A guideline to popular HP Jetdirect devices and the firmware they should be running as of August 2007 is shown in Table 4:

Table 4
HP Jetdirect Product Number   Description                     Firmware Version
J7949E                        Embedded Jetdirect              V.33.14/V.33.15
J4100A                        400n 10Mbps MIO Print server    K.08.49
J4106A                        400n 10Mbps MIO Print server    K.08.49
...
Which hosts need to print? Options:

Only computers on the same subnet as HP
    Option 1) For SET 1/2/3/4: eliminate the Jetdirect default gateway (set it to 0.0.0.0). This does not prevent the HP Jetdirect from receiving packets from other subnets, but it does prevent the responses from being routed back to those remote subnets, so a TCP connection from a remote subnet cannot complete. Treat this as a routing control, not an access control: hosts on the local subnet are unaffected, and a single-datagram request such as an SNMP SET from a remote subnet is still received and processed even though its reply goes nowhere.
SNMPv3 for additional security and HP Web Jetadmin makes using SNMPv3 easy. Also note that applications such as the HP Download Manager and HP Web Jetadmin are digitally signed by Hewlett-Packard as proof of their source. The ability to use FTP to upgrade the firmware of HP Jetdirect devices is described here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07129.
firmware upgrades; if telnet has been disabled to avoid plain-text transmission of the password, FTP upgrades are also disabled. The ability to use the EWS to upgrade HP Jetdirect devices is described here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07572. How the EWS is protected determines how the HP Jetdirect firmware upgrade capability is protected. For users of the EWS, HP recommends setting the redirect from HTTP to HTTPS, using a properly signed certificate, and of course specifying a good password.
Recommended Security Deployments: SET 1

The HP Jetdirect products denoted by SET 1 do not have any cryptographic security capability. As a result, a BOOTP/TFTP configuration is recommended, since several control parameters can be specified via the TFTP configuration file. This configuration file allows for a great deal of power with very little administration overhead once configured.
The TFTP configuration file points to a parameter file called “pjlprotection”. This file is sent to the printer on power-up. Here is sample content for the pjlprotection file (the UEL sequence <ESC>%-12345X enters PJL, every command ends in <CR><LF>, and JOB PASSWORD presents the current PJL password so that the DEFAULT commands that follow are accepted):

    <ESC>%-12345X@PJL<CR><LF>
    @PJL COMMENT **Set Password**<CR><LF>
    @PJL COMMENT **& Lock Control Panel**<CR><LF>
    @PJL JOB PASSWORD = 7654<CR><LF>
    ...
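The following is an example added here, not code from HP's whitepaper: it builds a protection job of the kind shown above, parses it back into commands, and audits it for the two things a SET 1 deployment relies on (a non-zero password and a locked control panel). The DEFAULT PASSWORD and CPLOCK lines are standard PJL commands that match the sample's comments; the page's own file is truncated after the JOB PASSWORD line, so their presence in that file is an assumption, as is the reading that JOB PASSWORD reuses the value being set so the same file keeps working on every power-up. The port 9100 sender is included only to make the point that any host able to reach that port can send the same commands.

```python
"""Example code added for this section (not from HP's whitepaper): build,
parse and audit a PJL protection job like the one the BOOTP/TFTP
configuration of a SET 1 Jetdirect delivers on power-up."""
import socket

ESC = b"\x1b"
UEL = ESC + b"%-12345X"   # Universal Exit Language: enters and leaves PJL
CRLF = b"\r\n"            # every PJL command line ends in <CR><LF>


def build_pjl_protection(password: int, lock_control_panel: bool = True) -> bytes:
    """Return the raw bytes of a protection job.

    PJL PASSWORD values are integers in 0..65535; 0 means "no password".
    JOB PASSWORD presents the current password so that the DEFAULT
    commands that follow are accepted.  The page's sample uses the same
    value it is about to set, which (our reading, an assumption) is what
    lets the same file keep working on every power-up once the password
    is in force.  The DEFAULT PASSWORD / CPLOCK lines are standard PJL;
    the page's own file is truncated after the JOB PASSWORD line.
    """
    if not 0 <= password <= 65535:
        raise ValueError("PJL PASSWORD must be an integer in 0..65535")
    lines = [
        b"@PJL",                                 # required right after UEL
        b"@PJL COMMENT **Set Password**",
        b"@PJL COMMENT **& Lock Control Panel**",
        b"@PJL JOB PASSWORD = %d" % password,
        b"@PJL DEFAULT PASSWORD = %d" % password,
    ]
    if lock_control_panel:
        lines.append(b"@PJL DEFAULT CPLOCK = ON")
    lines.append(b"@PJL EOJ")
    return UEL + CRLF.join(lines) + CRLF + UEL


def parse_pjl(job: bytes) -> list:
    """Return [(command, variable, value), ...], skipping UEL, bare @PJL
    and COMMENT lines.  Variable/value are None when absent (e.g. EOJ)."""
    cmds = []
    for raw in job.replace(UEL, b"").split(CRLF):
        line = raw.strip()
        if not line.startswith(b"@PJL"):
            continue
        parts = line[4:].strip().split(None, 1)   # [b"DEFAULT", b"PASSWORD = 7654"]
        if not parts or parts[0] == b"COMMENT":
            continue
        cmd = parts[0].decode("ascii")
        rest = parts[1].decode("ascii") if len(parts) > 1 else ""
        var, _, val = (p.strip() for p in rest.partition("="))
        cmds.append((cmd, var or None, val or None))
    return cmds


def audit_protection(job: bytes) -> list:
    """List the weaknesses of a protection job; an empty list means it
    sets a non-zero password, locks the panel and authenticates itself."""
    cmds = parse_pjl(job)
    defaults = {var: val for cmd, var, val in cmds if cmd == "DEFAULT"}
    pw = defaults.get("PASSWORD")
    findings = []
    if pw in (None, "0"):
        findings.append("no DEFAULT PASSWORD set (0 disables the password)")
    elif ("JOB", "PASSWORD", pw) not in cmds:
        findings.append("JOB PASSWORD differs from the DEFAULT PASSWORD being set; "
                        "the file stops working once that password is in force")
    if defaults.get("CPLOCK") != "ON":
        findings.append("control panel not locked (CPLOCK)")
    return findings


def send_to_port_9100(host: str, job: bytes, timeout: float = 5.0) -> None:
    """Deliver a job the way any print client does: raw TCP to port 9100.
    Anything that can reach that port can send the same commands, which is
    why SET 1 relies on the TFTP-delivered file plus network isolation."""
    with socket.create_connection((host, 9100), timeout=timeout) as s:
        s.sendall(job)


if __name__ == "__main__":
    job = build_pjl_protection(7654)
    print(job)
    print(parse_pjl(job))
    print(audit_protection(job) or "OK")
```

Because the PJL password is a number in 0..65535 and travels in clear text on port 9100, the audit above only checks that the file is internally consistent; it cannot make a SET 1 device resist anyone who can reach port 9100, which is why the gateway and subnet controls in the administrative guidelines matter for these models.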
First and foremost, set a password.
Change the Encryption Strength to “Medium” and check the “Encrypt All Communication” checkbox. This checkbox forces HTTPS to be used for all communication. Uncheck “Enable Telnet and FTP Firmware Update” and “Enable RCFG” (the legacy remote-configuration protocol used by older management tools).

Uncheck “Enable SNMPv1/v2” and check “Enable SNMPv3”. Provide the SNMPv3 parameters.

Based upon the customer’s environment, read-only SNMPv1/v2c access may need to be granted. Some tools such as the HP Standard Port Monitor use SNMPv1/v2c for status. Set up an Access Control List entry. This is another customer-environment-specific entry. In this example, the subnet 192.168.1.0 is...

Disable unused print protocols and services. Allowing device discovery helps in device management, but may not be required in all environments. 802.1X authentication can also be done; it requires an 802.1X-capable switch and an authentication server, so it is not a device-only setting. For a complete discussion of 802.1X, see the HP Jetdirect whitepapers on the topic.
Configuration Review: review the settings, then click “Finish” to apply the configuration.

Recommended Security Deployments: SET 3

First and foremost, a SET 3 configuration needs to have the Security Wizard for SET 2 executed. Once the Security Wizard configuration has been completed, we can begin the Firewall configuration. A sample Firewall configuration is shown where the management protocols are restricted to a specific IP subnet range:...
Be sure that you are using HTTPS before navigating to this page. Set the Default Rule drop-down to “Allow” and then click “Add Rules…”. We have a specific administrator subnet defined for printing and imaging devices.

We’ll define the IPv4 address range first. Select “All IPv4 Addresses” for the Local Address and specify the 192.168.0.0/24 subnet for the Remote Address. Give the address template a clear name. Now for IPv6: click “New” again. NOTE: If IPv6 is not used on your network, go to...
Select the appropriate IPv6 addresses and name the address template. Now that we have the address templates, let’s create a rule. Rules are processed in priority order from 1 – 10. Let’s create an IPv4 rule first. Select the IPv4 address template you created, then...
We are concerned with management services, so select the service template “All Jetdirect Management Services”. Click “Next”. Select “Allow Traffic”. Click “Next”...
Select “Create another rule”. Select the IPv6 address template you created and then click “Next”.
Select the “All Jetdirect Management Services” service template. Click “Next”. Select “Allow Traffic”. Click Next.
We have allowed management traffic from our IPv4/IPv6 administrative subnet. Now we must create a rule to throw away all other management traffic. Click “Create another rule”. Here we select “All IP addresses” which encompasses both IPv4 and IPv6. Click “Next”.
Again, select “All Jetdirect Management Services” for the service template and then click “Next”. Select “Drop”. Click “Next”.
We can now see our policy. Rules are processed from 1 to 10 and the first matching rule decides. If a management-service packet comes from or is going to our defined IPv4/IPv6 subnet, rule 1 or 2 matches and it is allowed; any other management traffic falls through to rule 3 and is dropped; everything else, printing included, is handled by the default rule. Because the first match wins, the two Allow rules must precede the Drop rule; placing the Drop rule first would lock the administrators out of the device.
Recommended Security Deployments: SET 4

First and foremost, a SET 4 configuration needs to have the Security Wizard for SET 2 executed. Once the Security Wizard configuration has been completed, we can begin the IPsec configuration. Let’s go through the same process as we did with SET 3, only this time we’ll simply require that all IP addresses use IPsec in order to use a management protocol.
Select “All Jetdirect Management Services”. Click “Next”. Select “Require traffic to be protected with IPsec/Firewall Policy”. Click “Next”.

Click “New”. Name the IPsec template. Some Jetdirect models may require you to configure IKE parameters. However, this model has a quick set of IKE defaults that can be used. The one selected here puts the emphasis on interoperability rather than on security.

For example purposes only, Pre-Shared Key authentication is used. HP does not recommend using Pre-Shared Key authentication, since a single static secret has to be shared with every peer; certificates or Kerberos are highly recommended. Click “Next”. Select the IPsec template you just created. Click “Next”.

Here is our IPsec policy. If a management protocol is to be used, it must be protected by IPsec. All other traffic is allowed based upon the default rule. Click “Finish”. Select “Yes” to enable the IPsec policy. You can also choose to have a failsafe if you would like.
Further Reading

802.1X: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00731218/c00731218.pdf
IPsec: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c01048192/c01048192.pdf
IPv6: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00840100/c00840100.pdf
Using the networking infrastructure to better protect your printing and imaging devices: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00707837/c00707837.pdf
...