attachment-0001
<html>
<body>
<font size=3>I have Hawking Parallel Print Servers connected to 3 of my
printers on my home network. They work well. <br><br>
I checked the "Setup" web page on the Hawking and there are
absolutely no options that deal with security. <br>
So I conclude that the Hawking doesn't support any IPP
security.<br><br>
Bob Herriot<br><br>
At Monday 12/8/2003 03:16 PM, McDonald, Ira wrote:<br>
<blockquote type=cite class=cite cite>Hi,<br><br>
Paul is right. If your Hawking Parallel Print Server<br>
supports SSL/3.0 (or TLS/1.0) and has a manufacturer<br>
embedded Server certificate (so that your external<br>
customer can start an _encrypted_ session to a fully<br>
authenticated printer), then you can use HTTP simple<br>
user/password authentication for your client.<br><br>
Cheers,<br>
- Ira<br><br>
Ira McDonald (Musician / Software Architect)<br>
Blue Roof Music / High North Inc<br>
PO Box 221 Grand Marais, MI 49839<br>
phone: +1-906-494-2434<br>
email: imcdonald@sharplabs.com<br><br>
-----Original Message-----<br>
From: Moore, Paul
[<a href="mailto:Paul.Moore06@ca.com" eudora="autourl">mailto:Paul.Moore06@ca.com</a>]<br>
Sent: Monday, December 08, 2003 5:29 PM<br>
To: McDonald, Ira; Ara Roselani; ipp@pwg.org<br>
Subject: RE: IPP> Printing through a firewall [caution]<br><br>
<br><br>
<br>
You can use TLS/SSL with simple user password client auth. This is a
lot<br>
easier to setup than client certs providing the IPP server supports
it<br>
(and it really ought to).<br><br>
<br><br>
-----Original Message-----<br>
From: owner-ipp@pwg.org
[<a href="mailto:owner-ipp@pwg.org" eudora="autourl">mailto:owner-ipp@pwg.org</a>]
On Behalf Of<br>
McDonald, Ira<br>
Sent: Monday, December 08, 2003 2:12 PM<br>
To: 'Ara Roselani'; ipp@pwg.org<br>
Subject: RE: IPP> Printing through a firewall [caution]<br><br>
<br>
Hi,<br><br>
[Disclaimer - the following is personal opinion - you should<br>
consider taking some advice from your organization's network<br>
security professionals or consultants]<br><br>
Yes, port 631 (and ONLY that port) must be open on external<br>
firewall (for inbound HTTP over TCP connections) for IPP<br>
to work.<br><br>
Personally, I would NOT let any external customer print<br>
through my firewall via IPP, unless I had enabled the<br>
TLS/1.0 option (which may or may not be supported in<br>
your Hawking Parallel Print Server) and was using both<br>
Server authentication (certificate-based SSL just like<br>
a Web server) AND also Client authentication (cert-based<br>
SSL authentication for your external client).<br><br>
Otherwise, I think you're going to see quite significant<br>
denial of service attacks against port 631 on the external<br>
side of your firewall.<br><br>
Here's a link to Hawking Technology's Print Server family:<br><br>
<a href="http://www.hawkingtech.com/prodList.php?FamID=42" eudora="autourl">http://www.hawkingtech.com/prodList.php?FamID=42</a><br><br>
And here's the link to the Datasheet for their HPS1P product:<br><br>
<a href="http://209.61.202.44/images/datasheet/HPS1P-Datasheet_LR.pdf" eudora="autourl">http://209.61.202.44/images/datasheet/HPS1P-Datasheet_LR.pdf</a><br><br>
That datasheet describes their IPP support (briefly) but does<br>
not mention SSL/TLS support in the implementation (not very<br>
surprising, because cert-based authentication is not trivial).<br><br>
I hope this all helps some.<br><br>
Cheers,<br>
- Ira <br><br>
Ira McDonald (Musician / Software Architect)<br>
Blue Roof Music / High North Inc<br>
PO Box 221 Grand Marais, MI 49839<br>
phone: +1-906-494-2434<br>
email: imcdonald@sharplabs.com<br>
<br>
-----Original Message-----<br>
From: Ara Roselani
[<a href="mailto:ara@americanlegalcopy.com" eudora="autourl">mailto:ara@americanlegalcopy.com</a>]<br>
Sent: Monday, December 08, 2003 4:15 PM<br>
To: ipp@pwg.org<br>
Subject: IPP> Printing through a firewall<br><br>
<br>
I'm brand new to IPP and I have a client that wants to print directly
to<br>
our<br>
copy shop's printer. I'm attempting to set this up without
breaching<br>
security. I'm aware that I can use VPN tunneling (IPSEC), but
I'm<br>
exploring<br>
other options.<br><br>
We have a Linux Firewall running on Redhat. Our internal network
is<br>
running<br>
a 192.168.4.0 scheme that goes through the firewall to the
router.<br><br>
I have a small Hawking 10/100 Parallel Print Server hooked up to my<br>
printer,<br>
which allows IPP printing. It's assigned to 192.168.4.100. I
can print<br>
just fine internally. I'm at the point where I need to assign
firewall<br>
rules to let this through.<br><br>
Do I need to forward port 631 to the firewall's external interface<br>
through<br>
NAT to allow IPP to go through? Ideally, I'd like to be able to
print<br>
to<br>
the Firewall's external IP. Is this secure? Is there a
better<br>
configuration?<br><br>
Thanks.<br>
---<br>
Ara Roselani<br>
Network Administrator<br>
Portland, Oregon </font></blockquote></body>
</html>