
whitepaper
HP Jetdirect Security Guidelines
Table of Contents:
Introduction
HP Jetdirect Overview
What is an HP Jetdirect?
How old is Your HP Jetdirect?
Upgrading
HP Jetdirect Administrative Guidelines
HP Jetdirect Hacks: TCP Port 9100
HP Jetdirect Hacks: Password and SNMP Community Names
HP Jetdirect Hacks: Firmware Upgrade
HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them
HP Jetdirect Hacks: Printer/MFP access
Recommended Security Deployments: SET 1
Recommended Security Deployments: SET 2
Recommended Security Deployments: SET 3
Recommended Security Deployments: SET 4
Further Reading
Introduction
The availability of public information on the Internet for hacking HP Jetdirect products has prompted
customers to ask HP how they can protect their printing and imaging devices against such
attacks and what HP is doing to prevent them. In all fairness, some of this public
information is of rather poor quality and inflammatory; however, some websites detailing the attacks
and the vulnerabilities on HP Jetdirect are informative and raise valid concerns that need to be
addressed. It is the purpose of this whitepaper to address customer concerns about these attacks and
vulnerabilities and to recommend proper security configurations to help customers protect their
printing and imaging devices. This whitepaper is only a small part of a broad initiative within HP to
educate our customer base about printing and imaging security. Resources such as The Secure
Printing website (http://www.hp.com/go/secureprinting) provide a great deal of information for
customers about products, solutions, as well as configuration recommendations. In general, a lot of
this information can be put to use on existing HP Jetdirect products, mainly because HP Jetdirect was
one of the first print servers to widely implement security protocols such as SSL/TLS, SNMPv3,
802.1X, and IPsec.
If you are new to security and secure configurations, it is important to remember that ‘security’ is a
process. Today’s security configurations and protocols that are thought to be unbreakable for the
next few years may in fact be broken later today. At one extreme, the best security available for
imaging and printing devices is to never unpack them once you buy them. At the other extreme, the
worst security available is unboxing them, powering them up, getting a configuration page to find the
IP address, adding them to your desktop computer system or printer spooler, and then forgetting
about them. Does that last part sound like your printing and imaging security strategy?
One of the challenges HP Jetdirect has in terms of security is actually the result of being “plug-n-play”
and reliable. As we will find out, “plug-n-play” and “security” often do not belong in the same
sentence. Hundreds of thousands, and perhaps a few million HP Jetdirect products have been in use
for years and have never had their firmware updated or their configuration changed. In today's
increasingly security-focused environment, we know that this is not a sound practice for maintaining
the proper operation of an infrastructure, regardless of the type of device in question.
HP Jetdirect Overview
Years ago, the world networked printers by connecting them via parallel ports or serial ports to
computers called spoolers. These spoolers then shared the printers via networking protocols such as
LPD to clients on the network. The length limits of serial and parallel based cables prohibited printers
from moving too far from the spoolers.
The incredible print quality of the HP LaserJet printers compared to other technologies at the time
fueled an unprecedented growth in the printing industry. The complexity and capability of printers
increased and the need to connect to a spooler in order to share printers became a burden. HP
Jetdirect was designed to allow users to share printers on the network without the need of direct
attachment to a spooler. While migrating to networking printers, the goal was to have the same ease
of use as a directly connected printer. HP Jetdirect would automatically initialize all protocols to the
best of its ability in order to allow users to print to Jetdirect immediately. Popular HP tools, such as
Jetadmin, simplified configuration of HP Jetdirect devices by taking advantage of proprietary
protocols as well as well-known default security settings.
At the time HP Jetdirect was introduced, there was a variety of competition in the market place
regarding protocol suites and networking infrastructure. Protocol suites such as AppleTalk, DLC/LLC,
and IPX/SPX were deployed widely and had as much market share as TCP/IP. In addition, Token Ring, FDDI, LocalTalk, ATM, and other ways of transporting frames had been adopted (or hyped)
almost as much as Ethernet. During this growth period in network printing, functionality within HP
Jetdirect was designed to promote ‘Ease-of-Use’, to reduce support calls, and to provide a rich
customer experience regardless of the protocol or networking infrastructure they were using. In short,
HP Jetdirect was designed to be “plug-n-play” on the network and behave as if the printer was
directly connected to your PC.
Fast forwarding to the present, we have clear winners in intranet networking connectivity: TCP/IP
and Ethernet. An ‘Ease of Use’ design criterion now has an arch nemesis: ‘Security’. Customers are
starting to ask how to deploy printing and imaging devices securely rather than how to deploy them
as fast and painlessly as possible.
What is an HP Jetdirect?
When printers were directly connected to network spoolers, often a simple hardware protocol was
used to send data from the PC to the printer. Centronics mode on a parallel port would be an
example. As customers demanded faster data transfer speeds and richer status, these protocols
became more complex as in IEEE 1284.4. In short, a printer had direct connect ports (e.g., serial,
parallel) that implemented a hardware protocol and converted encapsulated data into just data for
printer consumption. As customers began to network their printers, HP decided to embark on a
strategy that still remains in use to this day: Use a smart networking card to implement the various
networking infrastructure components to convert encapsulated network data into data for printer
consumption. Thus, the HP Jetdirect was born – one of the first Networking Protocol offload engines.
Let's refer to Figure 1 – Functional Diagram.
Figure 1 - Functional Diagram (image not reproduced here)
In Figure 1, you can see the standard diagram of an offload engine. This diagram is by no means
comprehensive, but does convey the difference between HP Jetdirect and Printer/MFP platforms.
Why is this diagram important? First and foremost, we can understand what HP Jetdirect can do to
help in the security of your printing infrastructure. Secondly, we can also understand what HP
Jetdirect cannot do. As an example, some information on the Internet conveys that the PJL parser is
implemented on HP Jetdirect. Based upon this diagram, we know that is false. Upgrading your HP
Jetdirect card to provide your printer more PJL parsing protection is not going to be a good
investment. Upgrading your HP Jetdirect card to control who can and who cannot interact with your
printer is a good investment.
How old is Your HP Jetdirect?
Once in a while, when doing an inventory of a network, an administrator may discover some network-
connected devices that are rather old but still working. The same is true for printers and HP Jetdirect
devices. An easy way to get an inventory of your HP Jetdirect devices is to use the HP Download
Manager available here: http://www.hp.com/go/dlm_sw. This utility allows you to discover printers
and their HP Jetdirect devices on the network. For an in-depth management platform, try HP Web
Jetadmin available here: http://www.hp.com/go/webjetadmin. Keep in mind, you don’t have to
update the firmware on your HP Jetdirect products if you don’t want to (HP does recommend it), but
for this particular section we simply want to find HP Jetdirect devices and based upon their product
number, see how old they are. Refer to Table 1 – HP Jetdirect Aging
Description | Date Released
Microsoft Windows for Workgroups 3.11 | February 1994
HP Jetdirect J2550A, J2552A MIO Print Servers | May 1994
Microsoft Windows 95 | August 1995
HP Jetdirect J2550B, J2552B MIO Print Servers | November 1996
HP Jetdirect J3110A, J3111A EIO Print Servers | October 1997
HP Jetdirect J3263A 300X External Print Server | January 1998
HP Jetdirect J3113A 600n EIO Print Server | January 1998
Microsoft Windows 98 | June 1998
HP Jetdirect J3258A 170x External Print Server | September 1998
Microsoft Windows 2000 Professional | February 2000
HP Jetdirect J4169A 610n EIO Print Server | October 2000
Microsoft Windows XP | October 2001
HP Jetdirect J6057A 615n EIO Print Server | April 2002
Microsoft Windows 2003 Server | April 2003
HP Jetdirect J7934A 620n EIO Print Server | April 2004
HP Jetdirect J7961A 635n EIO Print Server | October 2005
Table 1 – HP Jetdirect Aging
Table 1 is by no means complete. Many Jetdirect cards were introduced before 1994; however,
some popular HP Jetdirect products are listed there and compared to some of the Microsoft Windows
introduction dates. It would be rare to find a reputable security analyst willing to spend time
discussing the security issues associated with Microsoft Windows for Workgroups 3.11 and Microsoft
Windows 95 in today’s environment. When viewing public information about the security
vulnerabilities of HP Jetdirect devices, be sure to keep in mind how old the devices may be.
At the time of this writing (August 2007), migrating to Microsoft Windows XP SP2 and Microsoft
Windows 2003 SP2 is very important to get the most security protection for desktops and servers.
Microsoft provides many guidelines to the proper configurations of their products and many security
consultants make a living by helping customers deploy these configurations. Customers are willing to
carry this expense because the security of their data is very important to them. If your printing
infrastructure is important to you, should you not consider upgrading it and implementing
recommended security configurations as well? As a point of comparison, some companies place a
lot of their faith in a printing infrastructure that they developed in the early 1990s. How many of
these customers would also be willing to run Microsoft Windows 95 on their desktops and Microsoft
Windows Advanced Server 3.51 on their servers today?
Upgrading
Upgrading your HP Jetdirect devices is by no means a requirement, but is highly recommended.
Should a customer choose to do so, HP can provide some guidelines. First, if the HP Jetdirect device
was introduced before the year 2000, HP recommends that it be upgraded to a newer model. Some
security features of the models that are available for customers to purchase as of August 2007 are
shown in Table 2 – HP Jetdirect Models:
HP Jetdirect | Security Features
J3258G 170x External Parallel Print Server | Non-Cryptographic Security, not upgradeable to newer firmware after purchase
J6035G 175x External USB 1.1 Print Server | Non-Cryptographic Security, not upgradeable to newer firmware after purchase
J3263G 300x External Print Server | Non-Cryptographic Security, upgradeable after purchase
J7983G 510X External 3-Port Print Server | Non-Cryptographic Security, upgradeable after purchase
J7942G en3700 External USB 2.0 Print Server | SSL/TLS for Management, SNMPv3, 802.1X PEAP
J7934G 620n EIO 10/100 Print Server | SSL/TLS for Management, SNMPv3, 802.1X PEAP
J7949E Embedded Jetdirect 10/100 (not for sale individually; comes installed on the formatter of certain printers/MFP devices) | Running V.33.14 or later firmware: SSL/TLS for Management, SNMPv3, 802.1X PEAP
J7982E Embedded Jetdirect 10/100 (not for sale individually; comes installed on the formatter of certain printers/MFP devices) | Firewall, SSL/TLS for Management, SNMPv3, 802.1X PEAP, 802.1X EAP-TLS
J7997G 630n EIO 10/100/1000 Print Server | Firewall, SSL/TLS for Management, SNMPv3, 802.1X PEAP, 802.1X EAP-TLS
J7961G 635n EIO 10/100/1000 IPv6/IPsec Print Server | IPsec/Firewall, SSL/TLS for Management, SNMPv3, 802.1X PEAP, 802.1X EAP-TLS
Table 2 - HP Jetdirect Models
In Table 3 – Discontinued HP Jetdirect Models, some popular HP Jetdirect devices that are no longer
being sold by HP and their security capabilities are shown.
HP Jetdirect | Security Features
J4100A 400n 10/100 MIO Print Server | Non-Cryptographic Security, upgradeable after purchase
J4106A 400n 10Mbps MIO Print Server | Non-Cryptographic Security, upgradeable after purchase
J3110A 600n 10Mbps EIO Print Server | Non-Cryptographic Security, upgradeable after purchase
J3111A 600n 10Mbps EIO Print Server | Non-Cryptographic Security, upgradeable after purchase
J3113A 600n 10/100 EIO Print Server | Non-Cryptographic Security, upgradeable after purchase
J4169A 610n 10/100 EIO Print Server | SSL/TLS for Management, SNMPv3
J6057A 615n 10/100 EIO Print Server | SSL/TLS for Management, SNMPv3
Table 3 - Discontinued HP Jetdirect Models
As you can see, replacing a discontinued 400n MIO model with a new external parallel port print
server like the 300X will not upgrade the security capabilities of the Jetdirect device. Printers that
have an MIO slot like the LaserJet IIIsi and LaserJet 4si have been discontinued for many years.
Printers and MFPs with an EIO slot are still being sold today. The EIO slot was introduced on the HP
LaserJet 4000 almost ten years ago. One of the great features of having an EIO based printer is the
ability to install a J7961G 635n IPv6/IPsec print server. Using this product, we can take an older
printer like the HP LaserJet 4000 and give it the latest in networking protocol and security support.
This flexibility will come in handy as we evaluate the various attacks employed against HP Jetdirect
and some ways to counteract those attacks. For companies with a lot of EIO based printers, proper
deployment of the 635n can protect their printer/MFP investment and increase the security of their
printing and imaging infrastructure.
HP Jetdirect Administrative Guidelines
In the material that follows, this whitepaper will be addressing some public information available
about vulnerabilities or attacks against HP Jetdirect. In order to properly recommend configurations
for HP Jetdirect, four different administrative guidelines will need to be used. These administrative
guidelines come from the four main HP Jetdirect product lines, referred to as SETs.
• SET 1: The 170x, 300x, 500x, 510x, 400n, 600n models. The administrative guideline for securing these devices is located here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj05999. As a reminder, these devices do not have cryptographic security capability.
• SET 2: The 610n, 615n, 620n, 625n, en3700, and Embedded Jetdirect (J7949E) models. SET 2 can use the administrative guideline referenced for SET 1 products, but a more up-to-date administrative tool available via the EWS for securing these devices is located here: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07576
• SET 3: The 630n and Embedded Jetdirect (J7982E, J7987E, J7991E, and J7992E) models. SET 3 can use the administrative guideline referenced for SET 2 products, but has additional security by means of a Firewall. The Firewall can allow/drop packets on the basis of IPv4/IPv6 addresses as well as service types.
• SET 4: The 635n model and the CM8000 Color MFP series (J7974E). These models have the most security capability in HP Jetdirect's product line.
With security configurations, one must be careful not to lock the front door and leave your windows
open. In many cases, one must “lock down” several things before securing one thing can be
effective. Before using the techniques presented here, the administrator at the very least should
do the following:
• Update all HP Jetdirect firmware to the highest level. One of the easiest ways to perform this operation is to use the HP Download Manager available at http://www.hp.com/go/dlm_sw. Using Internet Mode, the HP Download Manager will automatically indicate which devices need to be upgraded. HP recommends always upgrading only a few devices and evaluating those devices on your network before upgrading all devices to the latest firmware.
• An Embedded Web Server (EWS) password has been specified.
• The default SNMPv1/v2c SET Community Name has been changed.
• All non-active protocols have been disabled (e.g., IPX/SPX, AppleTalk).
• Mark any product that cannot be firmware upgraded to the highest level as a security risk.
• A guideline to popular HP Jetdirect devices and the firmware they should be running as of August of 2007 is shown in Table 4:
HP Jetdirect Product Number | Firmware Version
J7949E Embedded Jetdirect | V.33.14/V.33.15
J4100A 400n 10Mbps MIO Print Server | K.08.49
J4106A 400n 10Mbps MIO Print Server | K.08.49
J3110A 600n 10Mbps EIO Print Server | G.08.49
J3111A 600n 10Mbps EIO Print Server | G.08.49
J3113A 600n 10/100 EIO Print Server | G.08.49
J4169A 610n 10/100 EIO Print Server | L.25.57
J6057A 615n 10/100 EIO Print Server | R.25.57
J3263A/J3263G 300x External Print Server | H.08.60
J3265A 500X External 3-Port Print Server | J.08.60
J7983G 510X External 3-Port Print Server | J.08.60
J7942A/J7942G en3700 External USB 2.0 Print Server | V.28.22
J7934A/J7934G 620n EIO 10/100 Print Server | V.29.20
J7960A/J7960G 625n EIO 10/100/1000 Print Server | V.29.29
J7961A/J7961G 635n EIO 10/100/1000 IPv6/IPsec Print Server | V.36.11
Table 4 – Jetdirect Firmware Versions
NOTE: For some Embedded Jetdirect products, you’ll need to upgrade the printer/MFP firmware to
update the JDI firmware.
Now that we covered enough background information, let’s look at some of the reported
vulnerabilities and attacks on HP Jetdirect.
HP Jetdirect Hacks: TCP Port 9100
TCP port 9100 was one of the first ways developed for sending print data to a printer. Some public
references talk about a print protocol that exists on TCP port 9100. There isn’t one. Raw data
delivered to the TCP layer on the HP Jetdirect device is sent to the printer as if it had been delivered
over a parallel port, serial port, or any other port. TCP port 9100 is the fastest and most efficient
way of delivering data to a printer using the TCP/IP protocol suite.
The most common hack for TCP Port 9100 is to send a job to that port that contains PJL commands.
These PJL commands can do a variety of things, one of the most common being to change the
control panel display. Remember that HP Jetdirect is stripping off the TCP/IP headers and presenting
this data directly to the printer. The printer is processing the PJL (data) as if the printer was directly
connected to a PC. Many years ago, printer drivers would use the PJL command suite to control the
printer in a variety of ways. As we can see, in the networking world, there is a potential for misuse.
How does an Administrator prevent TCP Port 9100 from being misused? Based upon what we’ve
learned about HP Jetdirect so far, we know we have to control who can and who cannot establish a
TCP connection to TCP Port 9100. Table 5 shows us some options, presented in the form of the least
amount of security (option 1) to higher levels of security (options > 1):
Which hosts need to print? | Options (least secure first)

Only computers on the same subnet as HP Jetdirect:
  Option 1) For SET 1/2/3/4. Eliminate the default gateway (set it to 0.0.0.0). This does not prevent HP Jetdirect from receiving packets from other subnets, but it does prevent the responses from returning to those remote subnets. As a result, TCP connections cannot be formed. (Single-datagram UDP requests such as SNMP are still processed; only their replies are lost.)
  Option 2) For SET 1/2/3/4. Set up an access control list with the IP address and mask of the local subnet.
  Option 3) For SET 3. Set up a rule to protect print traffic using the Firewall.
  Option 4) For SET 4. Set up a rule to protect print traffic using IPsec.

Ten or fewer individual computers on different subnets:
  Option 1) For SET 1/2/3/4. Set up an access control list entry for each individual IP address with a mask of 255.255.255.255.
  Option 2) For SET 3. Set up a rule to protect print traffic using the Firewall.
  Option 3) For SET 4. Set up a rule to protect print traffic using IPsec.

All hosts in the company:
  Option 1) For SET 1/2/3/4. Set up an access control list for the network ID assigned to your company. As an example, for HP's internal network there would be two entries: IP 15.0.0.0 mask 255.0.0.0 and IP 16.0.0.0 mask 255.0.0.0.
  Option 2) For SET 3. Set up a rule to protect print traffic using the Firewall.
  Option 3) For SET 4. Set up a rule to protect print traffic using IPsec.

Table 5 – Access Control
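The access control list options in Table 5 all rely on the same IP-and-mask comparison, and the mask is where most mistakes are made. The Python below is an added example (not HP code) that reimplements that comparison for the three Table 5 scenarios and audits a list for entries that admit far more than intended. Assumptions: an entry matches when (source & mask) == (entry & mask), and an empty list allows every host, as the Jetdirect administrator's guide describes the ACL; the audit rules are this example's own choice.

```python
import ipaddress

# Added example, not HP's code: reimplements the IP + mask comparison of the
# Jetdirect access control list (ACL) for the Table 5 scenarios. Assumption:
# an entry matches when (source & mask) == (entry & mask), and an empty list
# allows every host (the Jetdirect administrator's guide describes both).

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def acl_allows(acl, src_ip):
    """True if src_ip matches any (ip, mask) entry, or if the ACL is empty."""
    if not acl:
        return True
    src = _ip(src_ip)
    return any((src & _ip(mask)) == (_ip(ip) & _ip(mask)) for ip, mask in acl)

def audit_acl(acl):
    """Flag entries that admit far more than intended (this example's own rules):
    an empty list, a 0.0.0.0 mask (matches everything) and a non-contiguous
    mask such as 255.255.0.255 (usually a typo that widens the entry)."""
    findings = []
    if not acl:
        findings.append("ACL is empty: every host may connect")
    for ip, mask in acl:
        m = _ip(mask)
        if m == 0:
            findings.append(f"{ip} {mask}: mask 0.0.0.0 allows every host")
            continue
        inv = (~m) & 0xFFFFFFFF          # host bits of the mask
        if inv & (inv + 1):              # contiguous host bits form 2^n - 1
            findings.append(f"{ip} {mask}: non-contiguous mask")
    return findings

# The three Table 5 cases expressed as ACL entries (addresses are constructed).
LOCAL_SUBNET = [("192.168.40.0", "255.255.255.0")]            # same subnet only
TEN_HOSTS = [("10.1.2.3", "255.255.255.255"),                 # individual hosts
             ("172.16.5.9", "255.255.255.255")]
COMPANY = [("15.0.0.0", "255.0.0.0"), ("16.0.0.0", "255.0.0.0")]  # HP's example

if __name__ == "__main__":
    for name, acl in (("local subnet", LOCAL_SUBNET), ("ten hosts", TEN_HOSTS),
                      ("company", COMPANY)):
        for src in ("192.168.40.39", "10.1.2.3", "15.200.3.4", "203.0.113.7"):
            verdict = "allow" if acl_allows(acl, src) else "drop"
            print(f"{name:12s} {src:15s} -> {verdict}")
    print(audit_acl([("10.0.0.0", "0.0.0.0"), ("10.1.0.0", "255.255.0.255")]))
```

Run it against the list you intend to load onto a card before you load it; a single 0.0.0.0 mask silently turns the whole ACL into "allow all".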
Because there are many print protocols supported over TCP, the next logical step is to disable all print
protocols that the administrator doesn’t use. How to disable these protocols can be found in the
administrative guidelines for the appropriate product SET.
It is important to note that all TCP/IP traffic to any device (not just HP Jetdirect) that is not
cryptographically protected is subject to IP address spoofing and Man-in-the-Middle (MITM) attacks.
These attacks can target any TCP/IP traffic. Also, some cryptographic protections can be used but
may not be deployed correctly. For instance, if you are relying on SSL/TLS to protect your data, you
need to have the certificates used by SSL/TLS to be properly signed by a trusted Certificate Authority.
Otherwise, SSL/TLS is subject to MITM attacks as well because it depends on a robust PKI to
successfully authenticate the server endpoint (and optionally the client endpoint).
What about the user at work who is allowed to print but keeps changing the display or doing other
mischief with the printer using TCP Port 9100? That really is no different than if they were
printing personal items at work, running the printer out of consumables with large print jobs, etc. If
they are trusted to establish a print connection, they are trusted to print. Some additional protections
can be provided in the form of Color Access Controls using HP's Universal Print Driver (UPD), which
allow an administrator to control the amount of color being used by a user. In addition, HP's Web
Jetadmin includes functionality called Report Generator which produces reports on users and
their printing behavior. This functionality is useful for auditing and understanding printer usage.
HP Jetdirect Hacks: Password and SNMP Community Names
HP Jetdirect password and SNMP Community Name behavior has definitely evolved over the years.
An excellent resource for the history and current behavior is located here:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00004828.
In short, keep your firmware updated on your HP Jetdirect, use the latest client software from HP, and
upgrade to the latest Web Jetadmin management software. After you have upgraded all software
and firmware, change your passwords on these devices to something new. This process will help
make your HP Jetdirect devices behave the same regarding their password handling.
To better protect passwords from passive sniffing, consider using SSL/TLS. SET 2/3/4 support
automatic redirection to SSL/TLS and can prevent HTTP from being used to access the EWS (if the
administrator so desires). However, when using SSL/TLS, be sure to replace the HP Jetdirect
certificate with one issued by a trusted CA to properly avoid MITM attacks. Also, consider
migrating to SNMPv3. HP Web Jetadmin can be configured to use SNMPv3 automatically. HP
Jetdirect devices that belong to SET 2, 3, or 4 support SNMPv3.
HP Jetdirect Hacks: Firmware Upgrade
A nice overview of the various methods used by HP Jetdirect to upgrade firmware is described here:
http://www.hp.com/go/webjetadmin_firmware.
All HP Jetdirect firmware files follow the same basic format: a recovery partition and a main
functionality partition. In case of an upgrade programming failure (due to a network outage, client
lockup, printer powered down during the upgrade, etc…), HP Jetdirect will be able to recover, albeit
with less functionality. This behavior allows an administrator to restart the upgrade process from the
recovery partition and regain full functionality without having to contact HP support.
There are three common ways of updating HP Jetdirect firmware:
• HP Download Manager / HP Web Jetadmin
• FTP
• Embedded Web Server
When using HP Download Manager or HP Web Jetadmin, the application issues an SNMP SET to the
HP Jetdirect device. If the application has proper credentials, it can populate the firmware upgrade
MIB table with TFTP server information. HP Jetdirect uses this information to start a TFTP client and
pull down the download file. These applications use the well-known default SNMP community names.
However, if an administrator has configured the SNMP SET community name, then the application
must know it to successfully set the TFTP MIB objects for firmware upgrade. Customers can also utilize
SNMPv3 for additional security and HP Web Jetadmin makes using SNMPv3 easy. Also note that
applications such as the HP Download Manager and HP Web Jetadmin are digitally signed by
Hewlett-Packard as proof of their source.
The ability to use FTP to upgrade the firmware of HP Jetdirect devices is described here:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07129. At the
end of the document is a Security section detailing the security precautions available for FTP firmware
upgrades. Essentially: if a password has been specified, it must be entered to use FTP
firmware upgrades; if telnet has been disabled to avoid plain-text transmission of the password, FTP
upgrades are also disabled.
The ability to use the EWS to upgrade HP Jetdirect devices is described here:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=bpj07572. How
the EWS is protected determines how the HP Jetdirect firmware upgrade capability is protected. For
users of the EWS, HP recommends setting the redirect from HTTP to HTTPS, using a properly signed
certificate, and of course specifying a good password.
HP Jetdirect Hacks: Sniffing Print Jobs and Replaying Them
Easily available network tools that can perform effective MITM attacks against the TCP/IP protocol
suite have caused a lot of concern among customers. Let's review what a MITM attack against the
TCP/IP protocol suite does. A node intercepts IP packets from a node by pretending to be another
node and then forwards the IP packets to the next correct node so it may end up at the final
destination as if no interception had taken place; also, this MITM node intercepts packets traveling in
the opposite direction (from the destination back to the source) in the same manner. What this means
is that the MITM node has a copy of all the data sent between that source and that destination. If the
MITM node has a copy of a PDF file that was sent between an email client and email server, it can
use Adobe Acrobat Reader to open it. If the MITM node has a copy of a text document that was sent
between an FTP client and an FTP server, it can open it with a text editor. If the MITM node has a
copy of a print job, it can “open” it by sending it to a printer. In some cases, as with PostScript or
simple text, a print job can be opened using other applications without having to send it to a printer.
While a valid vulnerability, it is nonetheless a general vulnerability of the TCP/IP protocol suite and is
not a vulnerability specific to printing.
Passive sniffing attacks are where another node on the network can record conversations. These
attacks are analogous to using a listening device hidden in a conference room to record a
meeting. Active attacks are also used to force network infrastructure equipment to
behave in a manner that allows passive sniffing. This active/passive combination is analogous
to a person who cannot plant the listening device in the conference room and instead pulls a
fire alarm in the building, then records the conversation of the individuals leaving the conference
room. Properly deployed cryptographic protocols are a good defense against passive and active
sniffing attacks. Networking infrastructure equipment can be configured to help hinder active attacks.
Port access controls, such as 802.1X, help protect against unauthorized connections. In addition,
many switch vendors offer various flavors of ARP protection and monitoring since ARP poisoning is a
fundamental step in MITM attacks.
The defense against TCP/IP MITM attacks is the proper deployment of cryptographic protocols such
as IPsec and SSL/TLS with a properly signed HP Jetdirect certificate. HP recommends the proper
deployment of IPsec (SET 4) as a solution to this general vulnerability with the TCP/IP protocol suite.
HP Jetdirect Hacks: Printer/MFP access
Up until now, we have discussed HP Jetdirect security primarily. Some publicly available applications
interface directly with the printer/MFP's PJL library over a print connection. These tools often claim to
bypass HP Jetdirect security. However, as we've seen from our functional diagram, HP Jetdirect
controls the networking stack; it does not parse PJL and cannot be configured to block PJL
commands, so PJL protection has to come from the printer/MFP itself. Printer/MFPs can be configured
to provide a lot of security too. HP recommends the following NIST checklist as a guideline to all
customers concerned about printer/MFP security: http://www.hp.com/united-states/business/catalog/nist_checklist.html.
Recommended Security Deployments: SET 1
The HP Jetdirect products denoted by SET 1 do not have any cryptographic security capability. As a
result, a BOOTP/TFTP configuration is recommended as we can specify several control parameters
via the TFTP configuration file. This configuration file allows for a great deal of power with very little
administration overhead once configured. Many customers associate BOOTP/TFTP with UNIX or
Linux environments; however, there are many free BOOTP and TFTP servers for Windows and setup is
fairly easy. An example UNIX configuration will be provided here.
picasso:\
:hn:\
:ht=ether:\
:vm=rfc1048:\
:ha=0001E6123456:\
:ip=192.168.40.39:\
:sm=255.255.255.0:\
:gw=192.168.40.1:\
:lg=192.168.40.3:\
:T144="hpnp/picasso.cfg":\
:T151="BOOTP-ONLY":
This configuration provides the following:
• Syslog server: 192.168.40.3
• TFTP configuration file: picasso.cfg under the subdirectory “hpnp” of the TFTP daemon’s home directory
• Forces HP Jetdirect to remain with BOOTP and not transition to DHCP if a BOOTP server is unavailable.
An example of the contents of the TFTP configuration file picasso.cfg:
# Allow subnet 192.168.40.0 access
allow: 192.168.40.0 255.255.255.0
#
# Disable Telnet
telnet-config: 0
#
# Disable the embedded Web server
ews-config: 0
#
# disable unused protocols
ipx/spx: 0
dlc/llc: 0
ethertalk:0
#
# Set a password
passwd: Security4Me3
#
# Disable SNMP
# use with caution – breaks SNMP management tools
snmp-config:0
#
# if SNMP must be enabled, comment out the “snmp-config” command and
# uncomment the following:
# set-community-name: Security4Me3
# get-community-name: notpublic
# default-get-community: 0
#
# parameter file
parm-file: hpnp/pjlprotection
#
The TFTP configuration file points to a parameter file called “pjlprotection”. This file is sent to the
printer on power-up. Here is sample content for the pjlprotection file:
<ESC>%-12345X@PJL <CR><LF>
@PJL COMMENT **Set Password** <CR><LF>
@PJL COMMENT **& Lock Control Panel**<CR><LF>
@PJL JOB PASSWORD = 7654 <CR><LF>
@PJL DEFAULT PASSWORD = 1776 <CR><LF>
@PJL DINQUIRE PASSWORD <CR><LF>
@PJL DEFAULT CPLOCK = ON <CR><LF>
@PJL DINQUIRE CPLOCK <CR><LF>
@PJL EOJ <CR><LF>
<ESC>%-12345X
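The parameter file above shows <ESC> and <CR><LF> as placeholders. The following is an added example, not HP's code, that renders the same pjlprotection job as the real bytes the printer receives (ESC is 0x1B, lines end in CR LF, and the whole job is wrapped in the Universal Exit Language sequence) and parses it back to confirm which PJL defaults the file sets.

```python
# Added example, not from the HP whitepaper: build the pjlprotection parameter
# file as real bytes and parse it back. Only the commands shown on the page are
# interpreted; no further PJL semantics are assumed.
ESC = b"\x1b"
UEL = ESC + b"%-12345X"          # Universal Exit Language: enters/leaves PJL
CRLF = b"\r\n"

def render_pjl_job(commands):
    """Wrap a list of '@PJL ...' text lines in UEL framing with CRLF endings."""
    body = b"".join(line.encode("ascii") + CRLF for line in commands)
    return UEL + b"@PJL" + CRLF + body + UEL

def parse_pjl_job(data):
    """Return {'job_password': ..., 'defaults': {...}} from a framed PJL job.
    Raises ValueError if the UEL framing is missing."""
    if not (data.startswith(UEL + b"@PJL") and data.endswith(UEL)):
        raise ValueError("PJL job is not wrapped in UEL")
    inner = data[len(UEL) + len(b"@PJL"):-len(UEL)]
    result = {"job_password": None, "defaults": {}}
    for raw in inner.split(CRLF):
        line = raw.decode("ascii").strip()
        if not line.startswith("@PJL "):
            continue
        words = line[5:].split()
        # "@PJL DEFAULT CPLOCK = ON" -> ["DEFAULT", "CPLOCK", "=", "ON"]
        if len(words) >= 4 and words[2] == "=":
            if words[0] == "DEFAULT":
                result["defaults"][words[1]] = words[3]
            elif words[0] == "JOB" and words[1] == "PASSWORD":
                result["job_password"] = words[3]
    return result

# The pjlprotection file from the page, with the placeholders resolved.
PJLPROTECTION = render_pjl_job([
    "@PJL COMMENT **Set Password**",
    "@PJL COMMENT **& Lock Control Panel**",
    "@PJL JOB PASSWORD = 7654",
    "@PJL DEFAULT PASSWORD = 1776",
    "@PJL DINQUIRE PASSWORD",
    "@PJL DEFAULT CPLOCK = ON",
    "@PJL DINQUIRE CPLOCK",
    "@PJL EOJ",
])

if __name__ == "__main__":
    print(parse_pjl_job(PJLPROTECTION))
```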
Recommended Security Deployments: SET 2
For the HP Jetdirect products that are in SET 2, the security wizard is recommended for non-HP Web
Jetadmin users. The security wizard can be accessed via the Networking tab, “Settings” in the left-hand
navigation bar, and then the “Wizard” tab. A sample configuration is shown here:
NOTE: be sure to use HTTPS when navigating to this page. Press the “Start Wizard” button to begin the wizard.
Select the security level you want to implement on Jetdirect. Here, we are going to choose “Custom Security” to show all the options that are available to a customer.
First and foremost, set a password.
Change the Encryption Strength to “Medium” and check the “Encrypt All Web Communication” checkbox. This checkbox forces HTTPS to be used for all web communication.
Uncheck “Enable Telnet and FTP Firmware Update” and “Enable RCFG”.
Uncheck “Enable SNMPv1/v2” and check “Enable SNMPv3”. Provide SNMPv3 parameters.
Based upon the customer’s environment, read-only SNMPv1/v2c access may need to be granted. Some tools such as the HP Standard Port Monitor use SNMPv1/v2c for status.
Set up an Access Control List entry. This is another customer-environment-specific entry. In this example, the subnet 192.168.1.0 is protected by the ACL. Uncheck “Allow Web Server (HTTP) access” to force HTTP checking to be done in the ACL.
Disable unused print protocols and services. Allowing device discovery helps in device management, but may not be required in all environments.
802.1X authentication can also be done. Special equipment is required. For a complete discussion of 802.1X, see the HP Jetdirect whitepapers on the topic. For now, this configuration step is skipped.
Configuration review. Click “Finish” to set the configuration.
Recommended Security Deployments: SET 3
First and foremost, SET 3 configuration needs to have the Security Wizard for SET 2 executed. Once
the Security Wizard configuration has been completed, then we can begin the Firewall configuration.
A sample Firewall configuration is shown where the management protocols are restricted to a specific
IP subnet range:
Be sure that you are using HTTPS before navigating to this page. Select the drop-down box for the Default Rule to be “Allow” and then click “Add Rules…”.
We have a specific administrator subnet defined for printing and imaging devices. Click the “New” button so we can be very specific about what addresses can manage the device.
We’ll define the IPv4 address range first. Select “All IPv4 Addresses” for Local Address and then specify the 192.168.0/24 subnet for the Remote Address. We’ve also named this address template very clearly.
Now for IPv6. Click “New” again. NOTE: If IPv6 is not used on your network, go to TCP/IP settings and disable IPv6 for increased security. You can also skip the steps which use IPv6 in this configuration.
Select the appropriate IPv6 addresses and name the address template.
Now that we have the address templates, let’s create a rule. Rules are processed in priority order from 1 to 10. Let’s create an IPv4 rule first. Select the IPv4 address template you created, then click “Next”.
We are concerned with management services, so select the service template “All Jetdirect Management Services”. Click “Next”.
Select “Allow Traffic”. Click “Next”.
Select “Create another rule”. Select the IPv6 address template you created and then click “Next”.
Select the “All Jetdirect Management Services” service template. Click “Next”.
Select “Allow Traffic”. Click “Next”.
We have allowed management traffic from our IPv4/IPv6 administrative subnet. Now we must create a rule to throw away all other management traffic. Click “Create another rule”. Here we select “All IP addresses”, which encompasses both IPv4 and IPv6. Click “Next”.
Again, select “All Jetdirect Management Services” for the service template and then click “Next”.
Select “Drop”. Click “Next”.
We can now see our policy. Rules are processed from 1 to 10. If a packet comes from or is going to our defined IPv4/IPv6 subnet, the rule will match and it will be allowed. Otherwise, if it is a management service, it will be dropped. All other traffic will be allowed (the default rule is allow). Click “Finish”.
Select “Yes” for Enable Policy. HTTPS failsafe can be used when trying out configurations. If this is your first firewall configuration, you may want to enable it, and then disable it once it has been tested. Click “OK”.
Recommended Security Deployments: SET 4
First and foremost, SET 4 configuration needs to have the Security Wizard for SET 2 executed. Once
the Security Wizard configuration has been completed, then we can begin the IPsec configuration.
Let’s go through the same process as we did with SET 3, only this time, we’ll simply say that all IP
addresses must use IPsec to utilize a management protocol. If an end station tries to communicate
with a management protocol to Jetdirect without using IPsec, the packets are dropped by the IP layer.
Be sure that you are using HTTPS before navigating to this page. Select “Allow” for the default rule and then click “Add Rules…”.
Select “All IP Addresses” and click “Next”.
Select “All Jetdirect Management Services”. Click “Next”.
Select “Require traffic to be protected with an IPsec/Firewall Policy”. Click “Next”.
Click “New”. Name the IPsec Template. Some Jetdirect models may require you to configure IKE parameters. However, this model has a quick set of IKE defaults that can be used. The one selected is for more emphasis on Interoperability and less on Security. Click “Next”.
For example purposes only, Pre-Shared Key Authentication is used. HP does not recommend using Pre-Shared Key Authentication. Certificates or Kerberos are highly recommended. Click “Next”.
Select the IPsec template you just created. Click “Next”.
Here is our IPsec policy. If a management protocol is to be used, it must use IPsec. All other traffic is allowed based upon the default rule. Click “Finish”.
Select “Yes” to enable the IPsec policy. You can also choose to have a failsafe if you would like. Click “OK”.
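To make the rule evaluation concrete for both the SET 3 firewall policy and the SET 4 IPsec policy, here is an added example in Python (not HP's code and not how Jetdirect firmware is implemented): rules are tried in priority order from 1 to 10, the first match decides, and the default rule applies when nothing matches. The port set behind “All Jetdirect Management Services” and the IPv6 administrative prefix are assumptions, since the page does not enumerate them; the page's 192.168.0/24 subnet is written as 192.168.0.0/24.

```python
# Added example, not from the HP whitepaper: a model of how the SET 3 firewall
# policy and the SET 4 IPsec policy are evaluated. Rules are checked in
# priority order (1 to 10), the first matching rule decides, and the default
# rule applies when nothing matches.
import ipaddress

ANY_IP = ("0.0.0.0/0", "::/0")          # the "All IP addresses" template
# Assumption: the page does not enumerate the ports behind the
# "All Jetdirect Management Services" template; this set is constructed.
MGMT_PORTS = frozenset({23, 80, 161, 443})

def address_matches(template, remote_ip):
    """True if remote_ip falls in any network of the address template.
    An IPv4 address never matches an IPv6 network and vice versa."""
    ip = ipaddress.ip_address(remote_ip)
    return any(ip in ipaddress.ip_network(net) for net in template)

def evaluate(rules, default, remote_ip, port, ipsec=False):
    """Return 'allow' or 'drop' for one packet. `ipsec` says whether the
    packet arrived inside an IPsec SA (only matters for 'require_ipsec')."""
    if len(rules) > 10:
        raise ValueError("Jetdirect policies hold at most 10 rules")
    for template, services, action in rules:     # priority order 1..10
        if address_matches(template, remote_ip) and port in services:
            if action == "require_ipsec":
                return "allow" if ipsec else "drop"
            return action
    return default

# SET 3: allow management from the admin subnets, drop it from anywhere else.
# The IPv6 admin prefix is constructed; the page only says "appropriate IPv6 addresses".
SET3_RULES = [
    (("192.168.0.0/24",), MGMT_PORTS, "allow"),   # rule 1, IPv4 admin template
    (("2001:db8:1::/64",), MGMT_PORTS, "allow"),  # rule 2, IPv6 admin template
    (ANY_IP, MGMT_PORTS, "drop"),                 # rule 3, all other management
]
# SET 4: management from anywhere must arrive over IPsec.
SET4_RULES = [(ANY_IP, MGMT_PORTS, "require_ipsec")]

if __name__ == "__main__":
    for ip, port, ipsec in [("192.168.0.5", 443, False), ("10.0.0.5", 161, False),
                            ("10.0.0.5", 9100, False), ("10.0.0.5", 443, True)]:
        print(ip, port, "SET3:", evaluate(SET3_RULES, "allow", ip, port, ipsec),
              "SET4:", evaluate(SET4_RULES, "allow", ip, port, ipsec))
```

Note that print traffic (port 9100 in the sample run) is never touched by either policy and falls through to the default rule, which is why the page keeps the default at “Allow”.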
Further Reading
802.1X: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00731218/c00731218.pdf
IPsec: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c01048192/c01048192.pdf
IPv6: http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00840100/c00840100.pdf
Using the networking infrastructure to better protect your printing and imaging devices:
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00707837/c00707837.pdf