Network Security

Updated Reference: 20 September 2014

YouTube has a short video of a hacked Canon printer, which illustrates the vulnerability of improperly secured equipment. Click here to watch.

A wireless Canon Pixma printer has been hacked to run classic video game Doom.
The hack was carried out by security researcher Michael Jordon, and it took four months to get the game running on the hardware.
He said he had undertaken the project to demonstrate the security problems surrounding devices that would form the “internet of things”.
Canon said it planned to fix the loopholes on future printers to make them harder to subvert.
More at BBC News

We find that the security of the modern device has been improved vastly, with manufacturers such as Sharp and Toshiba having changed their architecture recently and Xerox combining their resources with McAfee Security. However, it is the user of the device that has ultimate responsibility for the security on their network, and we see that over time focus on the device can become diluted as the user attaches just one mobile device, changes the network to add just one new machine or allows an engineer to update firmware without knowing what changes this will make.

MFDs can present a security risk since they have similar components and features to computers. If you are in any doubt about the security of your network and/or the placement of a machine upon your network, please raise this with us before installation. Though the risk of protected information (PI) exposure due to network attacks (SNMP attacks, buffer overflows, etc.) is considered low, other capabilities present a higher risk (HTTP in clear text, File Transfer Protocol (FTP), FAX/Scan to Email stored PI, e-mail address books, fax numbers, copy and scan logs, etc.). Most if not all devices have an internal web page used for configuration and setup. Unprotected access to these pages can allow modification of network information in addition to manipulation of internal address book information controlling scan destinations and inbound routing of fax data.

These devices, if configured properly, can prevent the loss/exposure of information from the above vulnerabilities.

In addition to the machine itself, you should consider the devices that are attaching to the MFD and therefore your network. There is a growing trend, some would say need, for users to print from mobile devices. In most environments this means that the mobile device is exposed to the network and, through the MFD, to other services. You may wish to consider other secure server-based methods of mobile print if you consider having mobile devices on your network less desirable.

As a preventative step it is recommended that you follow the recommendations below.

Registration

All MFDs should be registered with their respective IT departments. At a minimum, the following information is useful and should be maintained to provide accurate identification:

  • Primary point of contact(s), and the physical location
  • Vendor supporting the MFD, Administrator name
  • Hardware make, model, and manufacturer
  • Main functions and any associated applications
  • All associated IP Addresses and IP names
  • All associated wired and wireless MAC addresses

Periodic Assessment

Periodic assessments of the MFD and related components will be performed to ensure the MFD meets the guidelines within this best practice. Also, some MFDs suffer from a mismatch between the service state articulated in the management console and the true state of the service. Given this, it is recommended that the MFD undergo a port scan to ensure only expected network services are available.
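
The comparison described above, as an added example (not part of the original page or any vendor tool): it parses nmap grepable (-oG) output and flags services the management console reports as disabled but that are still reachable, plus open ports that were never registered. The scan line, host name, console export and service keys are constructed for illustration; ports 9100 and 515 come from this page and the others are the standard well-known assignments.

```python
import re

# Well-known TCP ports for the services this guideline discusses.
SERVICE_PORTS = {"ftp": 21, "telnet": 23, "smtp": 25, "http": 80,
                 "https": 443, "lpd": 515, "ipp": 631, "raw9100": 9100}

# Constructed sample: one host line in nmap grepable (-oG) format.
SAMPLE_SCAN = ("Host: 192.0.2.10 (mfd-floor2)\tPorts: 21/open/tcp//ftp///, "
               "23/closed/tcp//telnet///, 80/open/tcp//http///, "
               "443/open/tcp//https///, 9100/open/tcp//jetdirect///, "
               "8080/open/tcp//http-proxy///\n")

# Constructed sample: service state as shown in the MFD's management console.
SAMPLE_CONSOLE = {"ftp": False, "telnet": False, "smtp": False, "http": False,
                  "https": True, "lpd": False, "ipp": False, "raw9100": True}

def open_tcp_ports(grepable):
    """Return {host: set of open TCP ports} parsed from nmap -oG text."""
    hosts = {}
    for line in grepable.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: (.*)", line)
        if not m:
            continue
        ports = set()
        for entry in m.group(2).split(","):
            fields = entry.strip().split("/")  # port/state/proto/...
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                ports.add(int(fields[0]))
        hosts[m.group(1)] = ports
    return hosts

def audit(open_ports, console_state):
    """Compare observed open ports with the console's declared state."""
    findings = []
    by_port = {port: name for name, port in SERVICE_PORTS.items()}
    for port in sorted(open_ports):
        name = by_port.get(port)
        if name is None:
            findings.append((port, "open but not a registered service"))
        elif not console_state.get(name, False):
            findings.append((port, f"{name} disabled in console but reachable"))
    for name, enabled in sorted(console_state.items()):
        port = SERVICE_PORTS.get(name)
        if enabled and port is not None and port not in open_ports:
            findings.append((port, f"{name} enabled in console but closed"))
    return findings

if __name__ == "__main__":
    for host, ports in open_tcp_ports(SAMPLE_SCAN).items():
        print(host, audit(ports, SAMPLE_CONSOLE))
```
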

Network Protocols

Set a Static IP Address
Giving MFDs static IP addresses or DHCP reservations makes it easier to monitor them and apply access lists on hardware-based firewalls. It is recommended that a static IP address be assigned to the MFD.

Set Static DNS Server Addresses
It is recommended that DNS server IP addresses be statically configured in the MFD.

Disable Bootstrap Protocols
Bootstrap Protocols, including BOOTP, PXE, and DHCP are network protocols used by a network client to obtain its network configuration (IP, subnet, DNS servers, gateway, etc) automatically. It is recommended that bootstrap protocols be disabled.

Disable Unused Protocols
Many MFDs can participate in networks that operate over a variety of protocols, including IP, IPX/SPX, and AppleTalk. As a defense in depth measure, it is recommended that all unused network-layer protocols supported by the MFD be disabled.

Disable Unused Wi-Fi Interfaces
MFDs often come equipped with Wi-Fi cards that allow these devices to participate on wireless LANs. As a defense in depth measure, it is recommended that unused Wi-Fi interfaces be disabled. If the Wi-Fi interface is used, it should meet the INFOSEC Wireless Standards and Guidelines.

Use Secured Communications
Where technically feasible, all unencrypted protocols should be replaced by encrypted protocols (for example scan to email and file sharing) to improve overall security if Protected Information is being used. This is especially true and required if the protected information will traverse a public network such as WUSTL and/or the Internet.

  • If the MFD supports it, use HTTPS for web-based management rather than HTTP. If web based management occurs only within WUCON this is not required but recommended.
  • If you use Simple Network Management Protocol (SNMP) to manage your MFD, and your MFD supports it, choose SNMPv3 for its authentication and encryption features. If not, configure SNMP per some of the suggestions below. SNMP is a network management protocol used for centralized monitoring and configuration of network-based devices. SNMP “traps” are sent to a management console whenever an event occurs that warrants it (e.g. an “out-of-paper” or “paper jam” condition). The most basic form of SNMP security is the community string, which functions similarly to a password. Many devices come with preconfigured SNMP community strings, which pose a security risk if left at the widely known default settings – “public” for read-only access and “private” for read-write access. If SNMP is NOT used for device management in your environment, then disable it. If SNMP is used to monitor and/or manage the device, the following recommendations provide increasing levels of protection to better secure SNMP:
      • If supported by the device and management platform, use SNMPv3
      • If only monitoring is necessary, disable SNMP read-write access
      • Change the default SNMP community strings
      • Configure an ACL (on the device and/or network) to limit SNMP queries to only the necessary monitoring systems
  • Encryption of Protected Information that is output to a printer connected to a public network should be provided through the use of secure printing applications (e.g., JetDirect) or protocols (e.g., IPP over SSL, TLS, or VPN) to prevent unauthorized network interception.
  • If sensitive information is to be sent to printers across unprotected campus networks consult the INFOSEC office for a risk assessment and alternative ways of protecting the information.

Disable Telnet and FTP Access
Legacy MFDs provide administrative access over Telnet. It is recommended that this access mechanism be disabled. Access for network-based administration should be limited to authenticated and encrypted methods, and to the fewest individuals and methods necessary for managing the device. FTP is also a common vector to gain access to a system. This should also be disabled.

Disable Unused SMTP Services
Some MFDs accept inbound SMTP requests in support of SMTP-to-fax services. It is recommended that this access mechanism be disabled if unused.

Disable Unused HTTP Services
Hyper Text Transfer Protocol (HTTP) is the primary protocol over which web-based communication occurs. Often, MFDs utilize this protocol to expose rich administrative interfaces. Most MFDs include an embedded web server, and HTTP or HTTPS will likely be the primary management protocol for the device. If the MFP does not require remote management, this interface can be disabled. Use HTTPS if supported and disable HTTP.

Print/Copy/Scan/FAX Services

PIN for Confidential Job Retrieval
Many MFDs can be configured to require a PIN or RFID interaction to retrieve print jobs. It is recommended that a PIN, or other authorization mechanism, be used to access print jobs if the MFD is in a public area and is used to process protected information.

Accept Jobs from Only Authorized Spoolers and Users  
It is recommended that print jobs be restricted to only those jobs that originate from authorized spoolers or users.

Restrict Print Services Ports
Print services are commonly bound to port 9100/TCP or 515/TCP. It is recommended that the MFD be configured to utilize these ports or a port standardized on by the implementing department.

  • Port 9100 (a.k.a. HP JetDirect, socket): Most printing services use this protocol, especially drivers from HP, so you may not be able to disable it.
  • LPD: LPD is used for printing by many Unix and Linux systems. However, many can now also use CUPS (the Common UNIX Printing System), which allows for printing via a number of protocols. If you do not need LPD, disable it.
  • IPP: If the Internet Printing Protocol is not used in your environment, then disable it.
  • FTP: Some printers give you the ability to FTP upload documents to print. This feature is not used in most environments and should be disabled.
  • SMB: SMB (Windows) printing is often not required, as it is taken care of by other protocols, such as JetDirect. It is also not encrypted. If possible, disable SMB printing.
  • SMTP: This is often used for scanning and faxing, and can often be disabled.

Delete Completed Scan Jobs
MFDs often have functionality that allows a user to scan an image to the MFD’s local hard drive. It is recommended that the MFD be configured to delete job artifacts once retrieved by the user.

Protect Hard Disk Information
If hard disk functionality is enabled, configure the MFD to remove spooled files, images, and other temporary data using a secure overwrite (or other disk clearing capability) between jobs if the MFD is processing protected information. Typically, the system administrator can manually invoke this feature using the On Demand Image Overwrite (ODIO) function. It is recommended that this facility be used prior to returning, recycling, or otherwise disposing of the device.

Data Storage
Ensure that the MFD provides secure storage for Protected Information.

Management

Establish Firmware Currency
To take advantage of improvements in security technology, MFDs should have the most current, supportable version of the firmware, operating system, and application installed that will meet the needs of the user community. Upgrade to patched firmware expediently, in a manner consistent with change control processes. All firmware, operating system, service, and application security software updates should be applied as soon as possible after they become available.

Verify Configuration State after Power Loss
A defective Multi-Function Device may not retain its configuration state after power loss. It is recommended that the configuration state of the MFD be verified after power loss. If a full reset is performed, ensure that a process is in place to reconfigure the MFD back to its production state.

Require PIN for Administrative Control Panel
MFDs can commonly be configured to require an authorization code before granting access to the device’s control panel. It is recommended that authentication and authorization mechanisms be enabled for administrative control panel access.

Change Default Passwords
Multi-Function Devices are typically configured with default user accounts that are common to all devices of the same make/model. It is recommended that default passwords be changed. Passwords and passphrases must meet the complexity requirements and change frequency as defined by the User Account and Password Guidelines for all accounts and services on the device.

Restrict Administrative Access to Specific IP Addresses
Many MFDs can be configured to limit administrative access to only those connections that originate from a designated IP subnet. It is recommended that access to network accessible administrative interfaces be limited to designated subnets.

Logging

MFDs typically contain functionality to log all submitted requests. It is recommended that these facilities be enabled on the device, logging levels be set to ensure adequate details are preserved, and logs be reviewed. In particular, ensure that the following are enabled if the MFD supports them:

  • Enable Print Spooler Access Logging
  • Enable Print Job Logging
  • Enable Print to Fax Logging
  • Enable Print to Email Logging
  • Enable Print to Share Logging

Physical Security

The classification of information that the MFDs process should dictate how/where they are physically located. If the classification level is Protected, then the following should be observed.

  • Physically secure the MFD in areas with restricted access.
  • If capabilities permit, lock and prevent access to the hard disk.
  • Ensure that only printer administrators can modify the global configuration from the console by requiring a password.
  • When a vendor is working on the MFD, the vendor’s work is monitored to ensure that security measures are not removed during the course of troubleshooting. If they are removed, they should be put back in place.

Related References

Center for Internet Security “CIS_Multi-Function_Device_Benchmark_v1.0.0”, www.cisecurity.org .
