WP_Secure_Network_Printing_V1.0_e


SECURITY RISKS IN NETWORK PRINTING

Solutions from the PC to the printed document

In every enterprise and organization there are confidential data and documents which have to be protected from unauthorized access. In IT departments security measures such as the quality of passwords, SSL/TLS or VPN connections ensure the security of sensitive or critical data. Moreover, current data protection acts require institutions and enterprises to protect personal data from unauthorized access.

Consequently there is a growing awareness that secure network printing should be part of any solid IT security policy. When confidential data is sent through the network in clear text, the above mentioned security measures will be futile. This White Paper describes the security risks which a print job is likely to encounter on its way from the user’s workstation to the collection tray of the printer, and proposes solutions.

THORSTEN KILIAN

Product Manager

MARGARETE KEULEN

Marketing Communications Manager

Version 1.0

November 2006

TABLE OF CONTENTS

1. SECURITY RISKS IN NETWORK PRINTING
2. THE PRINT JOB IN THE NETWORK: THE JUNGLE OF SECURITY RISKS
2.1. Securing Data, Workstations, and Applications
2.2. Access to the Network – With or Without Control
2.3. Security Risks Determined by the Network Type
2.4. Network Subsystem – Network Components for Security
2.5. Network Protocols with Integrated Security Mechanisms
2.6. Print Data Encryption with SSL/TLS
2.7. Access Control for Output Devices
2.8. Release of Printed Documents to Authorized Users
3. SEH SOLUTIONS FOR SECURE NETWORK PRINTING: AN OVERVIEW
3.1 SEH Print Servers for Particular Network Types
3.2 User Authentication
3.3 Access Control and Configuration Protection for SEH Print Servers
3.4 Access Control for Printers
3.5 Print Data Encryption with SSL/TLS (128 Bit Encryption)
3.6 Follow Me Printing Solution with SEH Print Servers
4. SEH SOLUTIONS FOR SECURE NETWORK PRINTING AT A GLANCE
5. LITERATURE
6. INTERNET

S E H W H I T E P A P E R

Security Risks in Network

Printing

Version 1.0 November 2006 2

1. SECURITY RISKS IN NETWORK PRINTING

The VDI (The Association of German Engineers) commission “Technology – Risk – Communication” defines security as “a state for which the remaining risk exposure is classified as acceptable.” This is followed by an important reminder: “Even if security is established, the possibility remains that damage might still occur.” [1]

As security is always only relative and never absolute, it makes sense to analyze security risks and to define clearly what, in each given case, is identified as a security risk, how this risk is to be classified, and how it can be minimized or even eliminated. [2]

An IT security audit usually distinguishes between the compromise, the manipulation, and the loss of data. In analogy, when it comes to network printing, the analysis of security risks for print data during the whole printing process should take the following aspects into account:

• The Compromise of Print Data

Print data are compromised if an unauthorized person gains access to these data. For example: During the transmission of print data in a network an unauthorized person reads these data as clear text.

• The Manipulation of Print Data

Print data are manipulated when their content and/or their form is changed during the printing process. It is relatively easy to intercept a print job with hacker tools, make changes and resend it in this changed form. Obviously, in case of payment instructions, orders, contracts or similar documents considerable damage might occur.

• The Loss of Print Data

The loss of print data might entail unpleasant consequences if a print job is prevented from being printed or if a printed document is stolen from the printer. As a rule, business-related printing processes are important, for instance in logistics, stockkeeping, and order processing. Attacks on this level often result in financial disadvantages for enterprises. [3]

Damages which result from such security risks are usually grave. Material damages manifest as financial loss and extra work time (e.g. delayed business processes, competitive disadvantages, legal consequences). Immaterial damages are detrimental to the corporate image. Often, one brings about the other. This is the moment to realize that the costs for preventive security measures are definitely lower than those caused by damages resulting from security risks. Therefore it is more than reasonable to take decisive action upon a risk analysis and minimize or close existing security gaps immediately. In addition, established security measures and a plausible security policy will provide the best possible protection for a limited period of time only. As methods of attack are continually developed and joined by new ones, it is important to keep one’s knowledge up to date: What are the latest standards, which new security solutions have been made available since the latest security update?

[1] VDI Guideline: VDI Guideline „Risk Communication for Enterprises“ (Risikokommunikation für Unternehmen), ed. Dr. Peter M. Wiedemann, Chairman of the VDI commission „Technik-Risiko-Kommunikation“ (Technology – Risk – Communication), Dusseldorf: VDI Verein Deutscher Ingenieure, 2000.

[2] Risk Analysis: “A risk analysis identifies, quantifies, and evaluates risks. This analysis aims at the best possible prognosis of the likelihood of certain damages to occur. This prognosis is based on the given knowledge about such damages at a time.“ (Ibid., translation SEH)

[3] IDC Study: According to the IDC study “IT Security for Medium-sized Businesses – Status Quo and Trends for German Medium-sized Businesses 2006“ (IT-Sicherheit im Mittelstand – Status Quo und Trends in Deutschland 2006) the prevention of the loss of data is the major driving force for more security in German medium-sized businesses.


2. THE PRINT JOB IN THE NETWORK: THE JUNGLE OF SECURITY RISKS

In order to identify security risks in network printing it is instructive to take a close look at the printing process up to the printed document. During this process a print job normally passes the following stations:

• Data, applications, and workstations
• Network access
• Network medium (e.g. copper cable, fiber, Wireless LAN)
• Network protocols (e.g. TCP/IP, HTTP)
• Network subsystems (e.g. access points, hubs, switches, routers, gateways, bridges, network servers)
• Network print server, spooling appliance, print server
• Printer

At all these stations there exist security risks and vulnerable spots for attacks – but suitable solutions and appropriate security measures are also available. A thorough risk analysis will clarify where and to what extent security measures are necessary.

2.1. SECURING DATA, WORKSTATIONS, AND APPLICATIONS

The first security risks are encountered during the creation of a document which is to be printed. Questions which may arise are: Which PC or notebook is available to the user to create the document? Who else has access to this client? Is this access protected by a log in? Or is the workstation installed in a room which can be locked and to which only specific persons have access?

The same questions turn up with regard to access authorization to data, documents, and applications. Some applications which can be used to create a document to be printed feature protective functions such as write protection or a prohibition of printing.

2.2. ACCESS TO THE NETWORK – WITH OR WITHOUT CONTROL

If the access of network participants to the network is not regulated, practically anybody will be able to enter the network. Access control to the network needs to consider both the physical and the logical access:

• Physical Network Access:
  Securing the hardware: lockable distribution boxes and wall-mounted or wall-integrated RJ45 jacks, etc.

• Logical Network Access:
  Authorization by administrators with the help of device based access regulations via IP or MAC addresses as well as managed switches and access points respectively – however, the risk of unauthorized access to the network (e.g. spoofing) will remain.
  Authentication of network participants via user based access regulations using an authentication instance – IEEE 802.1x or RADIUS server are the keywords here.


2.3. SECURITY RISKS DETERMINED BY THE NETWORK TYPE

The different physical properties of the common network types – copper cable, fiber, and Wireless LAN – result in specific security risks.

• Copper Cable:

With copper cable data is transferred electromagnetically. If an attacker has access to a cable he can tap it directly. Electronic devices as well as network cabling radiate electromagnetic waves, the so-called interference radiation. This also transmits the information of the transferred data. On the basis of this phenomenon hackers are able to read data transferred in a network. In order to prevent this, special shielding and interference suppression are necessary.

• Fiber:

Fiber optics is a technology which uses glass threads to transmit messages modulated onto light waves. These travel through the cable according to the principle of total internal reflection, whereby light is reflected almost without any loss. As there is no electromagnetic radiation with this technology it is considered eavesdropping secure. A tapping of the cable, e.g. by cutting it open (splicing), or bending it (coupler- or splitter method) will result in lower signal attenuation which can be instantly and exactly measured. Optical tapping methods without direct access to the fiber optic cable (e.g. Non-touching Method) are disproportionally laborious and costly. If, nevertheless, protection against these types of optical tapping methods is desired, it will be necessary to additionally encrypt the transferred data.

• Wireless LAN:

WLAN (Wireless Local Area Network) is based on the technology of radio communication, usually according to one of the standards of the IEEE 802.11 family.

There are no cables which could be manipulated. Instead, data transmission is entirely via radio waves. In order to protect data in a WLAN, two factors need to be considered: One is the authorization of the network participant at the access point (see above), the other is the encryption of the data. Currently the most common Wireless LAN encryption technologies are WEP and WPA/WPA2.

WEP (Wired Equivalent Privacy, IEEE-Standard 802.11): This encryption method is based on the RC4 algorithm. It has been found to be insecure but is still widely used.

WPA and WPA2 (Wi-Fi Protected Access): WPA anticipates parts of the new security standard IEEE 802.11i in order to patch the known security gaps of WEP. The complete security standard 802.11i has been realized in WPA2, which also operates with the even more secure encryption algorithm AES (Advanced Encryption Standard). The most eminent security function of WPA is the usage of dynamic keys for protection, which are based on the Temporal Key Integrity Protocol (TKIP). WPA and WPA2 are the most secure, most modern, and most widely spread WLAN security standards currently available.


2.4. NETWORK SUBSYSTEM – NETWORK COMPONENTS FOR SECURITY

Each network type requires necessary components of the network subsystem such as hubs, switches, servers, cabling, access points, etc. For example, a switch is always more secure than a hub because it works like a telephone exchange (at least OSI layer 2), whereas a hub forwards all data packets to every connected port (OSI layer 1).

In case of a WLAN access point its equipment makes the difference: Does it feature only weak or strong encryption standards, authentication methods, etc.?

One should apply the same care to network subsystem components as to the other aspects discussed so far, i.e. both the physical aspect and the access regulations established by IT administrators should be considered in the risk analysis.

2.5. NETWORK PROTOCOLS WITH INTEGRATED SECURITY MECHANISMS

The OSI model (Open Systems Interconnection Reference Model, also known as OSI/ISO Model, OSI Reference Model, 7 Layer Model) describes the communication in a network. This model divides the different sections of network communication regulating the order of the electronic transmission of signals into seven layers which are superimposed upon each other. Communication is carried out via network protocols which range between the OSI layers 3 to 7. Many of the protocols used for network printing did not include any encryption or security mechanisms in their original form. These have since been integrated into newer versions of some of these protocols. Some examples among others are:

• HTTP → HTTPs
• FTP → secure
• IPP → IPP
• SNMP → SNMP
• IP → IPv6,

2.6. PRINT DATA ENCRYPTION WITH SSL/TLS

The above mentioned security mechanisms are mostly authorization or authentication methods or techniques for encrypting raw data. To prevent print data from being sent through the network as clear text, they need to be encrypted. Without encryption all printing protocols transmit print data as more or less readable clear text (e.g. ASCII, PCL, Postscript).


In order to encrypt print data there is only one vendor independent method available – this is printing via the Internet Printing Protocol (IPP) in the latest version 1.1.

This is described in the RFCs 2910, 2911, and 3196. IPP v1.1 is based on HTTP 1.1 and can use all extensions for HTTP. This includes the use of SSL/TLS for encryption. However, none of the current Windows operating systems supports IPP v1.1. Windows 2000, XP Professional, and Windows Server 2003 can add the IIS Web Server as a Windows component to the software category system control. The IIS Web Server can then be configured as a print server and allows IPP printing as well as SSL encrypted print data transmission via the Internet. Management of the networked printers is via a web interface.

In Linux and Unix environments IPP v1.1 is supported by CUPS (Common Unix Printing System). Another example for IPP v1.1 support is the operating system extension RSO Spool for the mainframe system BS2000 OSD by Fujitsu Siemens.

In addition to these, there exist only a few proprietary solutions to encrypt print data transmission.
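The clear-text exposure described in this section can be made concrete with a small audit helper. This is an added example, not part of the white paper or any SEH product; the sample job, names and field mapping are constructed, and the function `inspect_print_stream` is hypothetical. It reports what anyone on the path can read from the first bytes of a captured print stream, and shows that a TLS-wrapped stream yields nothing.

```python
import re

UEL = b"\x1b%-12345X"  # PJL "Universal Exit Language" marker framing a raw job

# Constructed sample: a raw socket-printing job with a PJL header and PostScript body.
SAMPLE_CLEARTEXT_JOB = (
    UEL
    + b'@PJL JOB NAME="Q3 salary review.docx"\r\n'
    + b'@PJL SET USERNAME="m.keller"\r\n'
    + b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
    + b"%!PS-Adobe-3.0\n%%Title: Q3 salary review.docx\n"
    + b"(Base salary 2007: 84,000 EUR) show\nshowpage\n"
    + UEL
)
# Constructed sample: start of a TLS handshake record (type 0x16, version 3.1).
SAMPLE_TLS_STREAM = bytes([0x16, 0x03, 0x01, 0x00, 0x2F]) + bytes(47)

PJL_FIELD = re.compile(
    rb'@PJL\s+(JOB\s+NAME|SET\s+USERNAME|ENTER\s+LANGUAGE)\s*=\s*"?([^"\r\n]*)"?',
    re.IGNORECASE,
)
PS_SHOWN_TEXT = re.compile(rb"\(((?:[^()\\]|\\.)*)\)\s*show\b")
FIELD_NAMES = {"JOB NAME": "job_name", "SET USERNAME": "user"}
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0C, 0x0D}


def looks_like_tls(data: bytes) -> bool:
    """True if the stream starts with a TLS record header (type 20-23, version 3.x)."""
    return (len(data) >= 3 and 0x14 <= data[0] <= 0x17
            and data[1] == 0x03 and data[2] <= 0x04)


def inspect_print_stream(data: bytes) -> dict:
    """Report what a passive observer could read from a captured print stream."""
    if looks_like_tls(data):
        return {"transport": "tls", "language": None, "leaked": {}, "text": []}

    leaked, language = {}, None
    for raw_key, raw_value in PJL_FIELD.findall(data):
        key = " ".join(raw_key.decode("ascii").upper().split())
        value = raw_value.decode("latin-1").strip()
        if key == "ENTER LANGUAGE":
            language = value.upper()
        else:
            leaked[FIELD_NAMES[key]] = value  # job metadata readable on the wire

    if language is None:  # no PJL wrapper: fall back to page-description signatures
        body = data.replace(UEL, b"").lstrip()
        if body.startswith(b"%!PS"):
            language = "POSTSCRIPT"
        elif b"\x1bE" in body:  # PCL printer reset sequence
            language = "PCL"
        elif body and all(b in PRINTABLE for b in body):
            language = "ASCII"
        else:
            language = "UNKNOWN"

    # In PostScript, document text appears literally as "(...) show" operands.
    text = []
    if language == "POSTSCRIPT":
        text = [m.decode("latin-1") for m in PS_SHOWN_TEXT.findall(data)]
    return {"transport": "cleartext", "language": language,
            "leaked": leaked, "text": text}


if __name__ == "__main__":
    for name, stream in (("raw job", SAMPLE_CLEARTEXT_JOB),
                         ("tls job", SAMPLE_TLS_STREAM)):
        print(name, inspect_print_stream(stream))
```
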

2.7. ACCESS CONTROL FOR OUTPUT DEVICES

A thorough secure network printing policy should also include access control for printers. Physical access to output devices can be controlled when these are installed in rooms which can be locked. The logical network access to output devices is regulated by the above mentioned authorization and authentication methods, which can be applied to printers in the same manner. For example, administrators can make use of a function for filtering client IP addresses to ensure that only those employees have access to a printer who need to use it professionally. This function also prevents an unauthorized user from printing a hacked print job.


2.8. RELEASE OF PRINTED DOCUMENTS TO AUTHORIZED USERS

As soon as the print job is under way, even encrypted data are at risk if the printed document ends up unprotected in the collection tray of the printer and is open to everyone’s view or can be taken away by someone for whom it is not meant. Solutions for the controlled release of print jobs to authorized users range from face down printing to the widely used Follow Me or Private Printing Solutions which require that users must first identify themselves at the printer before the print job is released. Identification is by various methods which may, under certain circumstances, be combined:

• PIN
• Magnetic or chip cards
• Non-contact cards (e.g. RFID)
• Private Printing solutions for the secure print job release

TEMPEST (Temporary Emanation and Spurious Transmission or Transient Electromagnetic Pulse Emanation Standard) is a special case: A protective casing shields the printer completely from any electromagnetic radiation. At the same time this casing as a rule prevents unauthorized access to a printed document.


3. SEH SOLUTIONS FOR SECURE NETWORK PRINTING: AN OVERVIEW

The SEH solutions for secure network printing concentrate on four crucial points:

• Special solutions for particular network types (fiber optic, WLAN)
• System protection (certificates, authentication, configuration protection, access control)
• Print data encryption to protect print data

3.1 SEH PRINT SERVERS FOR PARTICULAR NETWORK TYPES

• Fiber Optic: With eavesdropping secure fiber-to-the-desk (FTTD) solutions network printing benefits from all advantages inherent in fiber optics technology – especially from the secure transmission of data. SEH’s portfolio of external and internal fiber optic print servers is the most comprehensive worldwide. These solutions allow users to realize a security policy based on fiber optic up to the printer.

• Wireless LAN: SEH WLAN print servers are professional Wireless LAN equipment which support several authentication protocols: EAP-MD5, EAP-TLS and Cisco LEAP. When one of these methods is applied, a central authentication server verifies the access rights – usually RADIUS (Remote Access Dial-In User Service). In case of EAP-MD5 and Cisco LEAP verification is via user name and passwords while EAP-TLS uses certificates. All models of the SEH WLAN print server family feature WLAN encryption standards of the IEEE 802.11 family. While the older models are equipped with WEP, the newer and safer standards WPA and WPA2 are integrated into the latest SEH print server models. These offer backward compatibility to WEP.

3.2 USER AUTHENTICATION

Positioned directly between the printer and the network, SEH print servers and the ThinPrint Gateway TPG60 take care of the correct login to the network. A client about to communicate with these devices can be identified correctly. This happens via a two port authentication based on the implementation of IEEE 802.1x. This method is typical for Wireless LAN technology, where authentication is via access point and RADIUS server. It is currently spreading out to cable based networks, where a switch is used instead of an access point.


3.3 ACCESS CONTROL AND CONFIGURATION PROTECTION FOR SEH PRINT SERVERS

As print servers can play an important role in secure network printing SEH has implemented a range of functions such as access control and configuration protection.

Password protection is a simple but efficient way to protect the configuration of a print server from manipulation and unauthorized access. Thus, network participants may take a look at this configuration via the miscellaneous management options (e.g. via browser, the SEH InterCon-NetTool, and vendor specific management tools) – but in order to change the configuration, they would first have to enter a password. In addition, the function “Access Control” of SEH print servers allows administrators to render this configuration invisible for non-authorized network participants with one mouse click. With the help of this function, some printers allow the possibility to protect the configuration of the print server via the printer panel.

3.4 ACCESS CONTROL FOR PRINTERS

All SEH print servers feature the filter function “IP Sender”. With this function IT administrators can control access to a network printer via specific IP addresses, which correlate to workstations. These are assigned the right to access specific network printers. In this way they prevent unauthorized access to printers. The authorized IP addresses or host names are entered into the respective input field. Furthermore, IP address ranges can be entered via “wild card”.

In this way user groups for network printers can be precisely defined as access control for certain printers is established for single users, workgroup, or whole departments.
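How a sender filter with wildcard ranges can be evaluated is sketched below. This is an added example, not SEH's implementation of “IP Sender”: the pattern syntax (a dotted quad in which any octet may be `*`), the function names and the addresses are assumptions, and host name entries are left out. It compares octet by octet and fails closed, next to a naive string-prefix check that admits addresses outside the intended range. As section 2.2 notes, filtering on sender addresses does not remove the spoofing risk.

```python
import ipaddress


def parse_pattern(pattern: str) -> tuple:
    """Turn '192.168.10.*' into (192, 168, 10, None); reject malformed entries."""
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"pattern must have four octets: {pattern!r}")
    parsed = []
    for part in parts:
        if part == "*":
            parsed.append(None)  # wildcard octet
        elif part.isascii() and part.isdigit() and int(part) <= 255:
            parsed.append(int(part))
        else:
            raise ValueError(f"bad octet {part!r} in pattern {pattern!r}")
    return tuple(parsed)


def ip_sender_allows(client_ip: str, patterns: list) -> bool:
    """Allow only if the client address matches a parsed pattern octet by octet."""
    try:
        octets = ipaddress.IPv4Address(client_ip).packed  # four integer octets
    except ValueError:
        return False  # fail closed on anything that is not a valid IPv4 address
    return any(
        all(want is None or want == have for want, have in zip(pattern, octets))
        for pattern in patterns
    )


def naive_prefix_allows(client_ip: str, raw_patterns: list) -> bool:
    """Weak variant for comparison: treats the wildcard as a string prefix."""
    return any(client_ip.startswith(p.rstrip("*")) for p in raw_patterns)


# Constructed allow list: one department subnet and one single workstation.
ALLOWED = [parse_pattern(p) for p in ("192.168.10.*", "10.0.5.20")]

if __name__ == "__main__":
    for ip in ("192.168.10.77", "192.168.100.7", "10.0.5.20", "10.0.5.200"):
        print(ip,
              "strict:", ip_sender_allows(ip, ALLOWED),
              "naive:", naive_prefix_allows(ip, ["192.168.10*", "10.0.5.20"]))
```
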


3.5 PRINT DATA ENCRYPTION WITH SSL/TLS (128 BIT ENCRYPTION)

In order to enable print data encryption with SSL/TLS SEH has developed the SEH “Print Monitor” for Windows operating systems. With this tool Windows clients can choose between socket printing (e.g. via port 9100) and HTTP printing (via port 80). Users can then decide whether they want to use print data encryption with HTTPs (port 431) or not (port 80).

In case of other operating systems such as Mac OS or Linux SEH print servers allow print data encryption with the established standard IPP v1.1.

Another example for proprietary solutions is ThinPrint SSL encryption which was recently developed and integrated into the bandwidth optimized network printing solution by ThinPrint. As yet SEH is the only vendor to have integrated ThinPrint SSL encryption into its latest print server line.

3.6 FOLLOW ME PRINTING SOLUTION WITH SEH PRINT SERVERS

Some SEH print servers for Kyocera printers and MFP can be combined with the M.S.E. identification and accounting system „Card’n’Print / Card’n’Copy“. This is connected to the SEH print server via a special interface. The print jobs of authorized users are spooled to a particular M.S.E. server component. In order to release the print job, users will first have to identify themselves with the help of an M.S.E. magnetic card at the printer. If the user is authorized the print job will be released. This solution ensures that only authorized users will have access to certain printers. At the same time this system may be used for print cost controlling.


4. SEH SOLUTIONS FOR SECURE NETWORK PRINTING AT A GLANCE:

SPECIAL SOLUTIONS FOR SPECIFIC NETWORK MEDIA:

• Fiber Optic: print servers for eavesdropping secure fiber-to-the-desk (FTTD) network printing solutions
• WLAN print servers with authentication protocol support (EAP-MD5, EAP-TLS, Cisco LEAP) and modern encryption standards (WEP, WPA, WPA2)

SYSTEM PROTECTION:

• User authentication (IEEE 802.1x)
• Access control and configuration protection for SEH print servers
• Access control for printers (“IP-Sender”)

PROTECTION OF PRINT DATA WITH SSL/TLS (128 BIT ENCRYPTION)

• SEH “Print Monitor” for current Windows operating systems
• IPP v1.1 implementation for Mac OS, Linux, and other operating systems
• ThinPrint SSL encryption

PROTECTION OF THE PRINTED DOCUMENT

• Combination of SEH print servers and M.S.E. „Card’n’Print / Card’n’Copy“ for Kyocera printers and MFP to ensure that print jobs are released to authorized users only


5. LITERATURE

• Brown, Edwin Lyle: 802.1x Port-Based Network Access Authentication. New York, NY: Auerbach Publications, 2006.
• IDC study “IT Security for Medium-sized Businesses – Status Quo and Trends for German Medium-sized Businesses 2006“ (IT-Sicherheit im Mittelstand – Status Quo und Trends in Deutschland 2006)
• Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector. US Secret Service and CERT Coordination Center, 2005
• Rajiv, Ramaswami and Sivarajan, Kumar: Optical Networks: A Practical Perspective. San Francisco: Morgan Kaufmann Publishers, 1998
• RFC 2828: Internet Security Glossary
• VDI Guideline „Risk Communication for Enterprises“ (Risikokommunikation für Unternehmen), ed. Dr. Peter M. Wiedemann, Chairman of the VDI Commission „Technik-Risiko-Kommunikation“ (Technology – Risk – Communication). Dusseldorf: VDI Verein Deutscher Ingenieure, 2000

6. INTERNET

• About fiber optics: http://www.thefoa.org/; http://www.fiber-optics.info/
• About the Internet Printing Protocol (IPP v1.1): http://www.pwg.org/ipp
• About Wi-Fi Protected Access (WPA/WPA2): http://www.wi-fi.org
