Security Basics mailing list archives

Re: Securing Printers


From: Jonathan Kline <klinej () msoe edu>
Date: Tue, 16 Nov 2004 12:53:59 -0600

Put all of your printers into a dedicated vlan, don't provide a route to
the vlan, and force all access to the printers to go through a cups box
which is multihomed (or multivlaned). Then you can do fun stuff like
accounting, and quotas, and authentication. Very very simple.

There should be no reason to have unsecured devices on the network, and
even less reason to have them available to the internet.

Wait, on second thought, why are you even using real IPs on your network?
Printers should be firewalled from the outside, hence use RFC non
routables on your private network and use NAT to the internet.

Security needs to be something built into your network from the ground
up, and is not something that happens overnight.

I can think of 1 fun little exploit for the printers (look on ./ for hp
printer hack, posted April fools day last year)...... Changing the
screen on the printers can cause chaos.

~J

On Mon, 2004-11-15 at 11:18 -0600, Bryce Embry wrote:
Howdy,

A recent thread on BugTraq, along with some discussions with my 
colleagues, has me curious about printer security.  What dangers are 
there in giving a printer a public IP address?

To me, a printer with a public IP sounds utterly foolish, but I'm not 
doing a very good job of making this point with my colleagues.  They 
usually respond with the question "Why would anyone want to print 
something to a printer they can't even find?".  My answers (usually "Why 
not?" or "it's a system running an OS that is subject to exploitation") 
don't seem to be very convincing, especially since I can't produce any 
known exploits.  I would appreciate any arguments and reasoning that 
would carry more weight, or enlightenment to help me stop being so 
paranoid.

Thanks,

Bryce
-- 
Jonathan Kline <klinej () msoe edu>
Milwaukee School of Engineering
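
The layout described in the reply above (printers on RFC 1918 addresses in a dedicated VLAN, reachable only through a multihomed CUPS box) can be checked against a device inventory. The following is an added example, not part of the original message; the subnet `10.20.30.0/24`, the host name `cups01` and the inventory entries are constructed assumptions.

```python
import ipaddress

# RFC 1918 private ranges (the "RFC non routables" the message refers to).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed layout for this example: one printer VLAN, one CUPS gateway.
PRINTER_VLAN = ipaddress.ip_network("10.20.30.0/24")
CUPS_HOST = "cups01"

# Constructed inventory: (host name, role, interface addresses).
INVENTORY = [
    ("cups01", "print-server", ["10.20.30.2", "10.1.0.15"]),
    ("prn-lab1", "printer", ["10.20.30.11"]),
    ("prn-lobby", "printer", ["192.168.5.40"]),    # private, wrong subnet
    ("prn-dean", "printer", ["203.0.113.77"]),     # public (TEST-NET-3)
    ("ws-042", "workstation", ["10.1.0.88", "10.20.30.99"]),  # second leg in printer VLAN
]

def is_rfc1918(addr):
    """True only for the three RFC 1918 blocks (stricter than is_private)."""
    return any(addr in net for net in RFC1918)

def audit(inventory, printer_vlan=PRINTER_VLAN, cups_host=CUPS_HOST):
    """Return (host, address, finding) tuples for policy violations."""
    findings = []
    for name, role, addrs in inventory:
        for a in map(ipaddress.ip_address, addrs):
            in_vlan = a in printer_vlan
            if role == "printer":
                if not is_rfc1918(a):
                    findings.append((name, str(a), "public-address"))
                elif not in_vlan:
                    findings.append((name, str(a), "outside-printer-vlan"))
            elif in_vlan and name != cups_host:
                # Only the CUPS box may have an interface in the printer VLAN.
                findings.append((name, str(a), "non-cups-host-in-printer-vlan"))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding, sep="\t")
```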
