Introduction

The security of some types of print jobs has always been important:

  • Financial and accounting documents
  • Documents containing sensitive and/or private data
  • Human resources information

Pharos Systems' Secure Release Here capability in Blueprint, Uniprint (and soon to be Beacon!) helps to further the security model by storing held jobs in an encrypted state using an AES-256 algorithm. And that's great for the jobs "at rest" on the Pharos server, but what about the data when it's going from your computer to the server, or the server to the printer when the job is released?


Well, it's unprotected. Using a network utility like Wireshark or Microsoft Network Monitor, the data packets can be captured at the server or the printer and the raw PCL or PostScript code extracted. Once extracted, any PCL or PostScript viewer utility can easily create a viewable (and printable!) PDF file.


Securing the Gap

For Pharos, product-provided Point-to-Point (or Click-to-Clunk) encryption/security is a top priority, and we are actively working on this across our platforms. In the short term, however, IPSec (Internet Protocol Security) can be used to secure the data flowing from the workstation to the print server, and from the print server to the printer. And because the solution rests on IPSec -- which operates at the Network layer -- it requires absolutely no change in the Pharos software to use it!


The print device at the end of this system must support IPSec, or jobs will not print because the printer has no way to decrypt the inbound file.


At a high level, the following events take place:

  1. The workstation is configured to transmit encrypted data when printing.
  2. The print server is configured to accept the encrypted data.
  3. The print server is configured to transmit encrypted data to the printer.
  4. The printer is configured to accept the encrypted data.


Configuring the Windows Server - Inbound Print Jobs from Clients

IPSec configuration in Microsoft Windows Vista/7/8/10 and Windows Server 2008/2012 is best performed using Windows Firewall with Advanced Security. Step one, then, is:

  1. Launch the "Windows Firewall with Advanced Security" console.
  2. Enable it for the profile(s): Domain, Private, Public needed for your specific configuration.
  3. Create a new Connection Security Rule.
  4. Select the Custom option and click Next.
  5. Define the Endpoints. For the print server rule, Endpoint 1 is the server, and Endpoint 2 is the client (and, in this case, the client includes the printer). It is a best practice to choose "These IP addresses" for Endpoint 1, click the "Add..." button and type in the IP address of the server. If the server's IP address can change because it is using a non-reserved DHCP address, opt for "This IP address range" instead and include the DHCP scope. Alternatively, input the subnet in CIDR format (example: 192.168.39.0/24) and continue to use the "This IP address or subnet" option.

    Continue to leave Endpoint 2 set to "Any IP address". Click "Next >".

    If the number of printers connected to the print server is small, or they sit in consistent subnets, you can improve security by specifying the printers' IP addresses in Endpoint 2.

  6. Choose the "Require authentication for inbound and outbound connections" option and click "Next >".
  7. Select the "Advanced" Authentication Method. Click the "Customize" button.
  8. Click the "Add..." button under the "First authentication methods" section. There will be no "Second authentication method" defined.
  9. The authentication method makes available several credential options. In a larger environment, it is best to use the "Computer certificate...(CA)" option and then choose a pre-installed enterprise Root Certificate Authority (CA). For the purposes of this tutorial, the "Preshared key" method will be used. Select the "Preshared" option and type in a passphrase. This passphrase will be used for the entire configuration going forward. When the credential has been defined, click OK and then OK again to set the Authentication Method.


    Consult Microsoft's documentation on TechNet regarding the various authentication methods and their configuration. A good starting place is Windows Firewall with Advanced Security. As mentioned earlier, "Preshared Key" is great for demonstration and teaching purposes, but it is not considered a robust way of securing a production environment. Ensure that the certificates used for IPSec come from verified and trustworthy sources.

  10. At the Protocol and Ports step, choose the TCP "Protocol type". Because this is the server inbound side, specify 139 and 445 for "Endpoint 1 ports" and leave "Endpoint 2 ports" at "All Ports". NOTES: Because this step does not allow multiple Protocol Type selection, another Connection Security Rule will need to be created to handle the UDP ports used by Windows Printing: 137 and 138. Additionally, if non-Windows clients (MacOS or Linux, for example) need to be accommodated, add network port 515 to the TCP port list. Click "Next >".
  11. Next, assign the new Security Rule to the profiles necessary for the network. If all three profiles are enabled for Windows Firewall, choose all three here. Click "Next >".
  12. Name the new Rule. Click "Finish" when done.


At this point, re-engage the New Rule wizard to create the rule for the UDP ports (137,138). Follow steps 1 through 12, replacing step 10 with this:

This satisfies the printing client, but not the outbound (TCP 515 and/or 9100) to the printer, which is covered in....

Configuring the Windows Server - Outbound to the Printer

As will be shown later, the printer will be configured to require encrypted/authorized communications as well. This means that the "send" function needs to be encrypted/authorized at the server. To begin:

  1. Create a new Connection Security Rule.
  2. Choose the Custom rule type. Click "Next >".
  3. At the Endpoint step, Endpoint 1 still remains the server, and the printer(s) that will be used as release targets are Endpoint 2. Like in the earlier rules, it is a best practice to specify the IP address of the server as Endpoint 1. Click "Next >" when finished.
  4. At the Requirements step, keep "Require authentication for inbound and outbound connections". In practice, however, this traffic is a one-way street from the server to the printer. Click "Next >" to go to the next step.
  5. At the Authentication step, choose the "Advanced" option and then click the "Customize..." button.
  6. Click the "Add..." button under the "First authentication methods" section. There will be no "Second authentication method" defined.
  7. The authentication method makes available several credential options. In a larger environment, it is best to use the "Computer certificate...(CA)" option and then choose a pre-installed enterprise Root Certificate Authority (CA). For the purposes of this tutorial, the "Preshared key" method will be used. Select the "Preshared" option and type in a passphrase. This passphrase will be used for the entire configuration going forward. When the credential has been defined, click OK and then OK again to set the Authentication Method.


  8. At the Protocol and Ports step, choose the TCP "Protocol type". Keep "Endpoint 1" at "All Ports" and set "Endpoint 2" to "Specific Ports", using 515 and/or 9100 as the port numbers. If it is possible that some printers will be configured with the "RAW" protocol and others as "LPR" endpoints, then specify both. Otherwise, just specify the one or the other. Click "Next >" to continue.
  9. At the Profiles step, choose the profiles needed for the specific network's configuration. Click "Next >" to continue.
  10. Name the rule. Save the rule by clicking "Finish".
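As an added example (this is not part of the original article and not Pharos product code), the PowerShell below creates the same three Connection Security Rules described in this section and the previous one (inbound TCP from clients, inbound UDP from clients, outbound to the printers) with the built-in NetSecurity cmdlets instead of the wizard. The server address, the printer addresses and the passphrase are placeholders; run it in an elevated session on the print server.

```powershell
# Added example, not Pharos code. Builds the inbound (TCP and UDP) and
# outbound-to-printer Connection Security Rules with the NetSecurity module.
# All addresses and the passphrase below are placeholders (assumptions).

$ServerAddress    = '192.168.39.10'                        # assumption: print server IP
$PrinterAddresses = @('192.168.39.50', '192.168.39.51')    # assumption: release targets
$PreSharedKey     = 'REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE' # placeholder; prefer a CA in production
$Profiles         = 'Domain', 'Private'                    # match the firewall profiles you enabled

# One phase-1 authentication set, reused by every rule (the article uses the
# same passphrase everywhere). For the certificate option instead, replace the
# proposal with: New-NetIPsecAuthProposal -Machine -Cert -Authority '<Root CA DN>'
$proposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $PreSharedKey
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Pharos IPsec PSK' -Proposal $proposal

# Settings shared by all three rules: transport mode, authentication required
# for inbound and outbound connections (the "Require authentication" choice).
$common = @{
    Mode             = 'Transport'
    InboundSecurity  = 'Require'
    OutboundSecurity = 'Require'
    Phase1AuthSet    = $authSet.Name
    Profile          = $Profiles
}

# Rule 1: inbound spooling from clients, SMB (TCP 139/445) plus LPD (TCP 515)
# for non-Windows clients. Endpoint 1 = server, Endpoint 2 = any client.
New-NetIPsecRule @common -DisplayName 'Pharos Print Server - Inbound TCP' `
    -LocalAddress $ServerAddress -RemoteAddress Any `
    -Protocol TCP -LocalPort 139,445,515 -RemotePort Any

# Rule 2: the NetBIOS UDP ports (137/138) need a rule of their own, because a
# rule carries a single protocol type.
New-NetIPsecRule @common -DisplayName 'Pharos Print Server - Inbound UDP' `
    -LocalAddress $ServerAddress -RemoteAddress Any `
    -Protocol UDP -LocalPort 137,138 -RemotePort Any

# Rule 3: outbound to the release printers. Endpoint 2 is the printer list and
# the printer-side ports are LPR (515) and/or RAW (9100).
New-NetIPsecRule @common -DisplayName 'Pharos Print Server - Outbound to Printers' `
    -LocalAddress $ServerAddress -RemoteAddress $PrinterAddresses `
    -Protocol TCP -LocalPort Any -RemotePort 515,9100

# Review what was created.
Get-NetIPsecRule -DisplayName 'Pharos Print Server*' |
    Format-Table DisplayName, Mode, InboundSecurity, OutboundSecurity, Profile
```

Each of the three cmdlets also accepts -PolicyStore, so the same lines can write the rules into a Group Policy Object rather than the local store, which is the route the Conclusion recommends for larger deployments. Restricting -RemoteAddress on the inbound rules to the client subnets, as the wizard's "These IP addresses" option does, narrows who may negotiate IPSec with the server.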


Managing the Inbound and Outbound Server Connections with Windows Firewall

Because Windows Firewall is running, the ports used by the Pharos services and those for IPSec communications need to be white-listed for Windows Firewall, or nothing will happen. In a Blueprint Enterprise implementation on a Collector, the following ports, at minimum, will be needed:

Protocol Type   Port Number   Allow In   Allow Out
TCP             80            X
TCP             139           X*         X*
TCP             443           X
TCP             445           X*         X*
TCP             515           X* / **    X*
TCP             808 ***       X          X
TCP             8080 ***      X          X
TCP             8081 ***      X          X
TCP             9100                     X*
UDP             137           X*         X*
UDP             138           X*         X*
UDP             161           X          X


* - This communication will need to be allowed when encrypted.

** - TCP 515 is only required "In" when a non-Windows client is accessing the shared printer via LPR/LPD.

*** - This is the default Blueprint port for communications. It may be different depending on the site configuration. Check with the Blueprint Server Configuration utility.


Example: Creating an Encrypted Connection Inbound Rule

  1. Create a new Inbound Rule.
  2. Choose the "Custom" option. Click "Next >".
  3. Choose "All Programs" and click "Next >".
  4. Choose the TCP "Protocol Type". Then choose Specific Ports for the "Local port" option and enter the desired port(s). Separate non-contiguous ports with a comma. Leave "Remote port" set to All Ports. Click "Next >".


  5. Keep the "Scope" step at its defaults. Click "Next >".
  6. At "Action" choose "Allow the connection if it is secure" and click the "Customize" button.
  7. For complete security, choose the "Require the connections to be encrypted" option. Click "OK" and then "Next >" to move to the next step.

    ONLY perform steps 6 and 7 if you desire complete encryption across the client platform. Configuring the white-list rule in this way will create an operational challenge for clients that are not configured for IPSec communications.

  8. Leave the "Users" step at the default. Click "Next >".
  9. Leave the "Computers" step at the default. Click "Next >".
  10. Define the rule for the necessary profiles. Click "Next >".
  11. Name the rule.
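As an added example (not from the article and not Pharos code), the script below builds the firewall allow rules listed in the port table above with New-NetFirewallRule. Rows marked with an asterisk get the "Allow the connection if it is secure" action with "Require the connections to be encrypted"; the remaining rows are plain allow rules. The $RequireEncryption switch exists for the operational caveat in steps 6 and 7: leave it at $false until every client and printer negotiates IPSec, or unconfigured clients will be unable to print. The placement of the port 80 and 443 rows as inbound follows the table; the profile list is an assumption.

```powershell
# Added example, not Pharos code. Creates the allow rules from the port table.
# $RequireEncryption = $false produces ordinary allow rules for every row, which
# is the safe setting while some clients are not yet configured for IPsec.

$RequireEncryption = $true
$Profiles          = 'Domain', 'Private'   # assumption: the profiles enabled earlier

# One entry per table row. Secure = $true marks the rows starred (*) above.
# 808/8080/8081 are the Blueprint defaults; confirm them in Blueprint Server
# Configuration. Inbound 515 is only needed for LPR/LPD (non-Windows) clients.
$rows = @(
    @{ Dir = 'Inbound';  Proto = 'TCP'; Ports = @(139, 445);       Secure = $true  }
    @{ Dir = 'Outbound'; Proto = 'TCP'; Ports = @(139, 445);       Secure = $true  }
    @{ Dir = 'Inbound';  Proto = 'TCP'; Ports = @(515);            Secure = $true  }
    @{ Dir = 'Outbound'; Proto = 'TCP'; Ports = @(515, 9100);      Secure = $true  }
    @{ Dir = 'Inbound';  Proto = 'UDP'; Ports = @(137, 138);       Secure = $true  }
    @{ Dir = 'Outbound'; Proto = 'UDP'; Ports = @(137, 138);       Secure = $true  }
    @{ Dir = 'Inbound';  Proto = 'TCP'; Ports = @(80, 443);        Secure = $false }
    @{ Dir = 'Inbound';  Proto = 'TCP'; Ports = @(808, 8080, 8081); Secure = $false }
    @{ Dir = 'Outbound'; Proto = 'TCP'; Ports = @(808, 8080, 8081); Secure = $false }
    @{ Dir = 'Inbound';  Proto = 'UDP'; Ports = @(161);            Secure = $false }
    @{ Dir = 'Outbound'; Proto = 'UDP'; Ports = @(161);            Secure = $false }
)

foreach ($r in $rows) {
    $portList = $r.Ports -join ','
    $params = @{
        DisplayName = "Pharos $($r.Dir) $($r.Proto) $portList"
        Direction   = $r.Dir
        Protocol    = $r.Proto
        Action      = 'Allow'
        Profile     = $Profiles
    }

    # Inbound rules match the server's listening (local) port; outbound rules
    # match the peer's (remote) port, mirroring the wizard's Local/Remote fields.
    if ($r.Dir -eq 'Inbound') { $params.LocalPort = $r.Ports } else { $params.RemotePort = $r.Ports }

    if ($r.Secure -and $RequireEncryption) {
        # Same as "Allow the connection if it is secure" plus
        # "Require the connections to be encrypted" in the wizard.
        $params.Authentication = 'Required'
        $params.Encryption     = 'Required'
    }

    New-NetFirewallRule @params | Out-Null
}

# Show what was created, including which rules insist on IPsec.
Get-NetFirewallRule -DisplayName 'Pharos *' |
    Format-Table DisplayName, Direction, Action, Authentication, Encryption
```

Because a rule with Authentication and Encryption set to Required only matches traffic already protected by a Connection Security Rule, a client that has no matching rule is silently dropped rather than refused; that is the "operational challenge" the note above warns about, and it is the reason to roll these out behind the switch.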


Once the ports have been white-listed, it is time to move on to....


Configuring the Windows Client for IPSec

Configuring the Windows client follows the same procedure outlined above for the server. The only differences are:

  • There is no need to configure any printer ports (TCP 515 or 9100). Simply configure the two TCP ports (139,445) and UDP ports (137,138).
  • Endpoint 2 is the Windows server. This will cause most connection options to "flip flop" during configuration: Remote is now Local and vice versa.

Now that the Windows environment is secured, move on to the printer fleet.
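Before moving to the printers, it is worth confirming that the client-to-server path is really negotiating IPSec rather than falling back to clear text. The check below is an added example, not part of the article or the Pharos product: after submitting a test job from a configured workstation (and, later, releasing one to a configured printer), it lists the main mode and quick mode security associations on the server for each peer. All three addresses are placeholders.

```powershell
# Added example, not Pharos code. Run on the print server after a test print
# from a configured client and a test release to a configured printer.
# Addresses are placeholders (assumptions).

$ServerAddress  = '192.168.39.10'    # assumption: print server
$ClientAddress  = '192.168.39.101'   # assumption: test workstation
$PrinterAddress = '192.168.39.50'    # assumption: release target

function Test-PharosIPsecPeer {
    param(
        [Parameter(Mandatory)] [string] $Peer,
        [Parameter(Mandatory)] [string] $Local
    )

    # A main mode SA means IKE authentication with this peer succeeded
    # (the pre-shared key or certificate was accepted on both sides).
    $mainMode = Get-NetIPsecMainModeSA |
        Where-Object { $_.LocalEndpoint -eq $Local -and $_.RemoteEndpoint -eq $Peer }

    # A quick mode SA is the actual ESP/AH protection carrying the print data.
    # Main mode without quick mode usually points at a port/protocol mismatch
    # between the rule on this side and the rule on the peer.
    $quickMode = Get-NetIPsecQuickModeSA |
        Where-Object { $_.LocalEndpoint -eq $Local -and $_.RemoteEndpoint -eq $Peer }

    [pscustomobject]@{
        Peer         = $Peer
        MainModeSAs  = @($mainMode).Count
        QuickModeSAs = @($quickMode).Count
        Protected    = (@($mainMode).Count -gt 0 -and @($quickMode).Count -gt 0)
    }
}

Test-PharosIPsecPeer -Peer $ClientAddress  -Local $ServerAddress
Test-PharosIPsecPeer -Peer $PrinterAddress -Local $ServerAddress

# If a peer shows no main mode SA at all, turn on IPsec negotiation auditing
# and re-test; failures are then written to the Security event log:
#   auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
#   auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
```

Security associations are short-lived and only exist while traffic is flowing, so run the check immediately after the test job; a Protected value of False for a peer that can still print means the job travelled unencrypted, which is exactly the gap this article is closing.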


Configuring the Printer for IPSec

In this example, an HP LaserJet 700 MFP M775 is being configured. Other manufacturers, and other models, will have different interfaces and implementation steps, but the configuration options will be similar.


Incorrect configuration of IPSec/Firewall rules on a printer may render the printer inoperable. Restoring a printer that can no longer be managed or used will require a factory reset by a manufacturer-trained technician in order to comply with any in-effect warranty or service agreement.


  1. Log onto the printer's management web page as an administrator.
  2. On the "Networking" tab, locate the IPSec/Firewall link. In this case, it is under the "Security" heading.
  3. Click the "Add Rules..." button.
  4. At the "Specify Address Template" step, click "New...".
  5. Select the printer's IP address under "Local Address" and enter the server's IP address as the "Remote Address". Click "OK" to accept the changes.
  6. Select the new address template and click "Next>".


  7. Click the "New..." button on the "Specify Service Template" step.
  8. Click the "Manage Services" button.
  9. Scroll to pick the LPD and, if desired, the P9100 services. Click "OK" to return.
  10. Provide the template a name. Click "OK".
  11. Select the new template and click "Next>".
  12. Select the "Require traffic to be protected with an IPSec/Firewall policy" option and click "Next>".
  13. Click the "New" button to create a new IPSec template.
  14. Name the IPSec template and choose "IKEv1" with "High interoperability/Low security" and click the "Next>" button.
  15. Enter the passphrase used when creating the Microsoft Windows IPSec rules into the "Pre-Shared Key" field. Click "Next>" when finished.

    Again, using a pre-shared key to manage encryption and security is a risk. It is better to configure IPSec on the printers using a CA certificate. Consult the printer's administration guide or online resource to install and configure IPSec with certificates.

  16. Select the new IPSec template and click "Next>".
  17. A summary screen is displayed. Click the "Finish" button.
  18. Clicking "Finish" opens a dialog box asking whether the new rule should be activated, and whether the "failsafe" option should be enabled. Choose "Yes" for both (and disable failsafe once everything has been tested; it represents another security risk), and then click "OK".
  19. This returns to the primary IPSec/Firewall page. IPSec is now enabled, as is the rule. Click the "Apply" button to set everything.


    A confirmation dialog box will display. Click "OK" to accept.


Applying the rule may sometimes return a "405 Method Not Allowed" message instead of the administrative web page. Simply retype the printer's IP address in the browser's address bar and log back in.


Conclusion

In a small network, manual configuration -- while bothersome -- is not a chore. Larger scale deployments are best served by using management tools to perform the tasks. Active Directory Group Policy Objects (GPOs) make deploying IPSec across the entire environment, or a selected subset, very easy. Similarly, most device manufacturers provide a centralized administration application that will readily deploy IPSec to the fleet. These "automation" tools are out of scope for this tutorial, but learning to use them is a skill set highly valued in today's security-conscious environment.


As was said earlier, look for the Pharos end-to-end solution on the horizon.


DISCLAIMER: This article is provided as-is for informational purposes only and Pharos Systems International, Inc., including its agents, partners, and subsidiaries, is held harmless in any event that its use causes any disruption in an environment due to its implementation. Pharos Systems International, Inc. does not recommend, nor endorse, a specific third-party product by its inclusion in this article; nor does it, or its agents, guarantee the information contained in this article to be free of flaw or defect. For specific questions as to the fitness of the process described herein, please consult your printer or operating system manufacturer's technical support resources. The processes here may not be satisfactory in every environment, as each network infrastructure has its own unique configurations, challenges, and availability.