HP Web Jetadmin Software - Device Security Frequently Asked Questions


Question: Why does HP recommend I secure my printing and imaging devices?
Question: Why does HP ship printing and imaging devices without device security set?
Question: Is remote access to my devices even possible without the use of HP Web Jetadmin?
Question: What are some of the most common device access methods I should be concerned with?
Question: Will providing security to these most common device access methods impact print production in my environment?
Question: Does HP recommend a common device security strategy that provides an appropriate balance between minimum device security and maximum print productivity?
Question: The implementation of an SNMP GET or SNMP SET Community Name is confusing to me. Can you please provide a simple explanation?
Question: What other device security configuration categories should I investigate to raise my level of device security?
Question: Many HP printing and imaging devices are shipped with an internal hard disk. Are there other security measures specifically related to hard disk security?
Question: Can you provide some recommendations to determine the right amount of printing and imaging device security in my environment?
NOTE: This FAQ document pertains to HP Web Jetadmin 10.X software. More detailed information can be found in the various user guides and white papers downloadable from http://www.hp.com/go/webjetadmin .
Question: Why does HP recommend I secure my printing and imaging devices?
Answer:
Security of the imaging and printing environment has long been ignored by IT administrators. Historically, printers and scanners have been considered little more than network appliances, posing none of the risks of client and server PCs. However, recent publications by hacker groups have raised the awareness that imaging and printing devices are more than simple appliances, and that these devices have capabilities beyond printing and scanning.
Device security in the print environment can best be defined as any security vulnerability that might render a printing device out of production, including any inadvertent or malicious user behavior directed at these printing devices. A device security vulnerability might be as basic as an unlocked device control panel or as advanced as a remote DoS (denial of service) attack. Setting security at the device level is the surest way of eliminating unauthorized access to the device. Access that could potentially change required device configurations, modify pay-per-use tracking, or even gather unauthorized information from printed, copied, or faxed jobs, needs to be controlled.
Question: Why does HP ship printing and imaging devices without device security set?
Answer:
Print environments can support many network protocols and services. More specifically, the method chosen for printer installation, configuration and management may differ greatly between customers.
  • Example 1: Customer A chooses Telnet to configure their devices, while Customer B opts for HTTP (Embedded Web Server) and Customer C, SNMP (HP Web Jetadmin).
  • Example 2: Customer B uses HTTP (Embedded Web Server) to configure the device and SNMP (HP Web Jetadmin) to manage or monitor it.
By default, device security is not set, so that network installation is as smooth as possible and the device is compatible with most environments. Once installed, HP imaging and printing devices allow individual control over these protocols and services and let administrators enable only the functionality required.
Question: Is remote access to my devices even possible without the use of HP Web Jetadmin?
Answer:
Absolutely. The most popular method is via the Embedded Web Server, found in most of our network attached devices today. Entering an IP address or device hostname in the URL field of a simple internet browser will provide access to the Embedded Web Server for device installation, configuration, and information gathering purposes. HP highly recommends security protection (password) for this device remote access method. There is also a variety of SNMP, HTTP, and various other protocol based applications and utilities available today that may be used to gain access to devices. Administrators should seek the right balance between device security and print production to ensure the best device uptime possible.
Question: What are some of the most common device access methods I should be concerned with?
Answer:
The Device Control Panel, EWS (Embedded Web Server), SNMP (Simple Network Management Protocol), Telnet (Telecommunication Network), and FTP (File Transfer Protocol).
Question: Will providing security to these most common device access methods impact print production in my environment?
Answer:
Possibly. Administrators should seek the right balance between device security and print production requirements. Let’s take the Device Control Panel for example. Depending on the model, most HP printers possess the ability to lock the control panel at different security levels. Minimum, Moderate, and Maximum are the most common levels. Setting the control panel security level to Maximum will certainly protect from unauthorized local access, but may affect an authorized user’s ability to make a paper tray setting or some other setting necessary for proper printing. Minimum or Moderate might be the better setting in this example.
Here is another example. The majority of printing occurs over standard TCP/IP Port 9100 or via LPD, port 515. However, certain scenarios may exist where spooling software may require SNMP access to the device for a status check before releasing a print job. Another scenario would be with HP’s own Universal Print Driver, which utilizes SNMP to retrieve specific device data for purposes of appropriate driver setup. In either of these scenarios, the appropriate course of action would be to ensure any SNMP security is applied to the spooling software or driver for proper functionality.
Question: Does HP recommend a common device security strategy that provides an appropriate balance between minimum device security and maximum print productivity?
Answer:
Yes. Most customers can utilize the configuration guidelines below to achieve the appropriate balance.
First and foremost:
Always deploy a device Embedded Web Server (EWS) password. If left unsecured, any user with a browser and the IP address or hostname of the printer can gain access to all device configuration parameters. With an EWS password deployed, users may only gain access to “informational” areas of the device.
  • Front Panel Lock: Minimum to Moderate
  • TCP/IP Protocol Stack: Enabled
  • IPX/SPX Protocol Stack: Disabled
  • AppleTalk Protocol Stack: Disabled
  • DLC/LLC Protocol Stack: Disabled
  • EWS Config: Enabled (but password protected)
  • Telnet Config: Disabled
  • SLP Config: Disabled
  • FTP Printing: Disabled
  • LPD Printing: Disabled (only if UNIX, Linux, AppleTalk, or other port 515 printing not in use)
  • 9100 Printing: Enabled
  • IPP Printing: Disabled
  • MDNS Config: Disabled
  • IPv4 Multicast Config: Disabled
In addition:
An SNMP SET Community Name should be implemented at the device, as well. The SNMP SET Community Name is essentially an embedded password in the SNMP network packet. This would protect against any SNMP based device configuration change from an unauthorized SNMP tool or application. Any authorized SNMP tool or application would have to know the device SNMP SET Community Name to change a device configuration. By loading the device SNMP SET Community Name as an HP Web Jetadmin credential, you are authorizing HP Web Jetadmin to be the device configuration tool of choice.
For basic security, it is not recommended that an SNMP GET Community Name be used. There may be spooling software, device drivers, client software, etc. in your environment that depend on SNMP GET network packets to retrieve data from the device.
The guidelines above are provided to you as a minimum security recommendation, not as complete assurance that your device is fully protected against all unauthorized access. Other security configuration parameters are available for purposes of raising security levels to ensure company INFOSEC compliance.
Question: The implementation of an SNMP GET or SNMP SET Community Name is confusing to me. Can you please provide a simple explanation?
Answer:
The SNMP GET or SET Community Name (String) is essentially an embedded password in an SNMP packet. SNMP (Simple Network Management Protocol) is an industry-standard networked device communication protocol. Most network device vendors implement an industry-standard default GET and SET Community Name (password) of “PUBLIC”. Most SNMP based network management applications know this and pass SNMP device management packets over the network with “PUBLIC” as the embedded password to allow communication with the device.
The sending of an SNMP GET packet is a “read-only” attempt at retrieving information from the device. For example, an SNMP GET packet is used by HP Web Jetadmin to retrieve the Total Page Count from a device. If the device SNMP GET Community Name was changed from “PUBLIC” to “SOFTBALL”, any SNMP based network management application (including WJA) would have to include “SOFTBALL” in their SNMP GET packet to retrieve information from that device. Using the example above, without “SOFTBALL” loaded into WJA as an SNMP GET credential, access to the Total Page Count information would be denied.
The sending of an SNMP SET packet is a “read-write” attempt at setting or configuring something at the device. For example, an SNMP SET is used by HP Web Jetadmin to enter an Asset Number Tag into the Asset Number field. If the device SNMP SET Community Name was changed from “PUBLIC” to “SLUGGER”, any SNMP based network management application (including WJA) would have to include “SLUGGER” in their SNMP SET packet to enter the Asset Number Tag into the Asset Number field. Using the example above, without “SLUGGER” loaded into WJA as an SNMP SET credential, the attempt to insert an Asset Tag Number would fail.
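The GET/SET community check described above, as an added example (not HP's code and not part of the original FAQ): it builds SNMPv1 messages, decodes the header as a receiving agent would, and applies separate GET and SET names. The sysContact object and the asset value are stand-ins chosen for illustration; the community names are the ones used in this answer, and the device model is a simplification.

```python
# Added example: SNMPv1 framing plus a simplified device-side community check.
GET_REQUEST, SET_REQUEST = 0xA0, 0xA3  # SNMPv1 PDU tags (RFC 1157)
SYS_CONTACT_OID = bytes.fromhex("2b06010201010400")  # 1.3.6.1.2.1.1.4.0 (stand-in)

def tlv(tag: int, body: bytes) -> bytes:
    """BER-encode one element (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def build_request(pdu_tag: int, community: str, value: bytes = b"") -> bytes:
    """Build an SNMPv1 GET or SET message for SYS_CONTACT_OID."""
    val = tlv(0x04, value) if pdu_tag == SET_REQUEST else tlv(0x05, b"")
    varbind = tlv(0x30, tlv(0x06, SYS_CONTACT_OID) + val)
    # request-id = 1, error-status = 0, error-index = 0, then the varbind list
    pdu = tlv(pdu_tag, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") * 2 + tlv(0x30, varbind))
    # version 0 means SNMPv1; the community name follows it as a plain OCTET STRING
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf: bytes, pos: int):
    """Decode one element at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        k = first & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated SNMP message")
    return tag, buf[pos:pos + length], pos + length

def parse_header(msg: bytes):
    """Return (version, community, pdu_tag) from an SNMPv1 message."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    _, version, pos = read_tlv(body, 0)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, _, _ = read_tlv(body, pos)
    return int.from_bytes(version, "big"), community.decode(), pdu_tag

def device_accepts(msg: bytes, get_community: str, set_community: str) -> bool:
    """Simplified device model: SET needs the SET name, GET needs the GET name."""
    _, community, pdu_tag = parse_header(msg)
    if pdu_tag == SET_REQUEST:
        return community == set_community
    return pdu_tag == GET_REQUEST and community == get_community

if __name__ == "__main__":
    msg = build_request(SET_REQUEST, "SLUGGER", b"ASSET-0042")  # constructed value
    print(msg.hex(), parse_header(msg), device_accepts(msg, "PUBLIC", "SLUGGER"))
```

The community name sits in the message as an unencrypted OCTET STRING, which is why the stricter environments mentioned in the next answer move to SNMPv3.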
Question: What other device security configuration categories should I investigate to raise my level of device security?
Answer:
SNMPv3 is becoming more prevalent in environments with stricter INFOSEC policies. SNMPv3 protects network management information through user authentication and data encryption. SNMPv3 configures a user account and two pass-phrases onto the device which requires the user (or application) to authenticate. With SNMPv3, the authentication information does not traverse the network in clear text, making device access information difficult to glean from the network.
Access Control Lists (ACL) can be used to raise device security by only allowing specific network IP addresses to access the device. The device ACL has a maximum of ten entries that may be populated with the HP Web Jetadmin server IP address, a client server IP address, the IP address of designated support engineers, etc. An empty list allows access from any IP address.
IPSec configuration is also available through the installation of an HP Web Jetadmin application plug-in. Once the plug-in is installed, extra device configuration items appear in the WJA Network configuration category. Through an IPSec policy, IP traffic can be processed or discarded, and processed traffic can be protected by IPSec authentication and encryption protocols.
Question: Many HP printing and imaging devices are shipped with an internal hard disk. Are there other security measures specifically related to hard disk security?
Answer:
Yes. The hard disk can store print job data for quite some time if disk storage security is not implemented. Some of the data stored on the disk may be confidential in nature, and if not encrypted, could be non-compliant with your company INFOSEC policy. Fortunately, our devices can be configured to deploy HP Secure Erase technology, providing two different methods to remove data from the disk.
Secure File Erase erases files on a continuous basis as soon as they are no longer needed to perform the requested function. This feature controls the way in which a device deletes its files on an ongoing basis. The mode in which a device can erase its files can be set to non-secure fast erase, secure fast erase or secure sanitize.
Secure Storage Erase removes all non-essential data from storage devices in a manner consistent with preparation for decommissioning or redeployment. This operation can be initiated on demand or scheduled for a later date and time. Secure Storage Erase is a device feature which can be invoked from the Storage tab on any device list for one or many devices. This device feature, once invoked, clears all user files from the disk in one of the three erase modes mentioned below.
  1. Secure Sanitizing Erase conforms to the U.S. Department of Defense 5220-22.M specification for deleting magnetically stored data. This mode uses multiple data overwrites to eliminate trace magnetic data and also prevents subsequent analysis of the hard disk drive’s physical platters for the retrieval of data.
  2. Secure Fast Erase completes the erasure faster than Secure Sanitize Mode. This mode overwrites the existing data once, and prevents “software-based undelete” operations on the data.
  3. Non-secure Fast Erase is the quickest of the three erase modes. This mode marks the print job data as deleted, and allows the MFP operating system to reclaim and subsequently overwrite the data when needed.
Question: Can you provide some recommendations to determine the right amount of printing and imaging device security in my environment?
Answer:
While it would be impossible to prescribe all of the security requirements for an enterprise’s imaging and printing environment, the following recommendations may be used as a starting point for enabling that security.
  1. Assess Common Criteria Certification Needs. Today, features being certified by the hardcopy industry are not representative of the true risks that face imaging and printing devices. It is critical to scrutinize certification and assess the capabilities of the device against actual needs.
  2. Fleet Management using HP Web Jetadmin. HP Web Jetadmin provides consistent management of enterprise-deployed imaging and printing devices and is critical for maintaining a secure environment. Fleet management aids in the consistency of policy enforcement and assists in audit and regulatory compliance.
  3. Update Firmware. Firmware updates protect against product defects and vulnerabilities. HP provides automated firmware update notification services, and HP Web Jetadmin aids in deploying updates across enterprise environments.
  4. Disable Unused Ports and Services. Frequently, imaging and printing devices have unused capabilities that are enabled. In some cases, these capabilities may enable functionality counter to the intent of the administrator, such as leaving insecure management protocols accessible, when only encrypted management is desired.
  5. Implement Access Controls. HP printers and MFPs allow a variety of user-level authentication mechanisms, including passwords, proximity cards, and Smartcards. Access controls can ensure that only authorized users utilize the imaging and printing infrastructure, while authentication capabilities provide assurances of who is using the environment, and how they are using it, which aids in audit and regulatory compliance.
  6. Implement Secure Protocols. The sophistication necessary to sniff network traffic has been reduced by the distribution of hacking tools, as well as by legitimate network analyzers. IPsec secures existing printing and scanning applications with strong encryption, while SNMPv3 and HTTPS secure management functions.

© 2009 Hewlett-Packard Development Company, L.P.