IPP> Printing through a firewall [caution]

McDonald, Ira imcdonald at sharplabs.com
Mon Dec 8 17:12:27 EST 2003


Hi,

[Disclaimer - the following is personal opinion - you should
consider taking some advice from your organization's network
security professionals or consultants]

Yes, port 631 (and ONLY that port) must be open on the external
firewall (for inbound HTTP over TCP connections) for IPP
to work.

Personally, I would NOT let any external customer print
through my firewall via IPP, unless I had enabled the
TLS/1.0 option (which may or may not be supported in
your Hawking Parallel Print Server) and was using both
Server authentication (certificate-based SSL just like
a Web server) AND also Client authentication (cert-based
SSL authentication for your external client).

Otherwise, I think you're going to see quite significant
denial of service attacks against port 631 on the external
side of your firewall.

Here's a link to Hawking Technology's Print Server family:

  http://www.hawkingtech.com/prodList.php?FamID=42

And here's the link to the Datasheet for their HPS1P product:

  http://209.61.202.44/images/datasheet/HPS1P-Datasheet_LR.pdf

That datasheet describes their IPP support (briefly) but does
not mention SSL/TLS support in the implementation (not very
surprising, because cert-based authentication is not trivial).

I hope this all helps some.

Cheers,
- Ira 

Ira McDonald (Musician / Software Architect)
Blue Roof Music / High North Inc
PO Box 221  Grand Marais, MI  49839
phone: +1-906-494-2434
email: imcdonald at sharplabs.com
 
-----Original Message-----
From: Ara Roselani [mailto:ara at americanlegalcopy.com]
Sent: Monday, December 08, 2003 4:15 PM
To: ipp at pwg.org
Subject: IPP> Printing through a firewall


I'm brand new to IPP and I have a client that wants to print directly to our
copy shop's printer.  I'm attempting to set this up without breaching
security.  I'm aware that I can use VPN tunneling (IPSEC), but I'm exploring
other options.

We have a Linux Firewall running on Redhat.  Our internal network is running
a 192.168.4.0 scheme that goes through the firewall to the router.

I have a small Hawking 10/100 Parallel Print Server hooked up to my printer,
which allows IPP printing.  It's assigned to 192.168.4.100.  I can print
just fine internally.  I'm at the point where I need to assign firewall
rules to let this through.

Do I need to forward port 631 to the firewall's external interface through
NAT to allow IPP to go through?  Ideally, I'd like to be able to print to
the Firewall's external IP.  Is this secure?  Is there a better
configuration?

Thanks.
---
Ara Roselani
Network Administrator
Portland, Oregon
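
The port-631 forwarding asked about in this thread, as an added example that is not part of either message: it prints Linux iptables rules that forward only TCP 631 to the print server at 192.168.4.100, and only from one named client address. The interface eth0, the client address 203.0.113.10 and the source-address restriction are assumptions of the example, and the rules do not supply the TLS server and client authentication the reply recommends.

```shell
#!/bin/sh
# Added example: prints (never applies) iptables rules for forwarding IPP.
# Assumed values: eth0 = external interface, 203.0.113.10 = constructed client.
IPP_PORT=631

# is_ipv4 ADDR: succeed only for one dotted-quad host (no CIDR, no names)
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ipp_forward_rules EXT_IF CLIENT_IP PRINTER_IP: print the rule set, or fail
ipp_forward_rules() {
    ext_if=$1 client=$2 printer=$3
    case "$ext_if" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    is_ipv4 "$client" && is_ipv4 "$printer" || {
        echo "refusing: client and printer must each be one IPv4 host" >&2
        return 1
    }
    # DNAT only this client's TCP connections arriving on port 631
    echo "iptables -t nat -A PREROUTING -i $ext_if -p tcp -s $client --dport $IPP_PORT -j DNAT --to-destination $printer:$IPP_PORT"
    # Let the translated connection through to the print server
    echo "iptables -A FORWARD -i $ext_if -p tcp -s $client -d $printer --dport $IPP_PORT -m state --state NEW,ESTABLISHED -j ACCEPT"
    # Let the print server's replies back out to that client
    echo "iptables -A FORWARD -o $ext_if -p tcp -s $printer --sport $IPP_PORT -d $client -m state --state ESTABLISHED -j ACCEPT"
    # Drop anything else from outside that is addressed to the print server
    echo "iptables -A FORWARD -i $ext_if -d $printer -j DROP"
}

ipp_forward_rules eth0 203.0.113.10 192.168.4.100
```

The function rejects a network such as 0.0.0.0/0 as the client, so the output cannot open port 631 to every external address.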


