IPP Mail Archive: IPP> Firewalls and IPP

Philip Thambidurai (pthambid@okidata.com)
Tue, 15 Jul 1997 09:02:36 -0400


I would appreciate some comment on exactly how IPP will address
issues that are likely to be raised by those who administer
firewalls and such. If this has already been discussed before and
settled, please so indicate (I can read the archives).

Specifically:

a) Does every "IPP printer" have to be made known to the firewall(s)?
In a large company printers might be scattered at various levels
of the organization. It could be a headache for firewall admins.
Or does the firewall only have to know about an IPP service (or
protocol)?

b) I did see (in the archives) that there was some discussion about
a well-known-port for IPP. From a firewall admin perspective
it might make sense to apply for a new port (although the protocol
is http which uses 80 by default, mostly). It would be a LOT
easier to set firewall policies/rules for IPP based on the port
number. Such a port number might also make it simpler to go
through an "IPP security proxy" --- all traffic into this port
could be directed to the proxy.
Packet-filtering firewalls (or routers) commonly make their
decisions based on the port number. An application-level firewall
(proxy) would be needed to distinguish between http intended for a
web server and http intended for an ipp printer. The security
policies for a typical web server and an ipp printer would
normally be very different. For instance, many companies will not
allow web access to machines "deep" in the organization. Machines
that can be accessed from the web are usually "partitioned" off in
terms of security mechanisms from the rest of the
systems/networks.


c) How would we handle the case where a (small) business has only a
PPP link to the Internet via some ISP? The web hosting is provided
by the ISP and resides at the ISP's site. How exactly would a job
be received in the IPP printer at this business? We could assume
that the link is always up. This appears to place some requirement
on the part of the ISP --- to route some of the http traffic
(which contains IPP) to the client (business) site.




Regards
Philip Thambidurai
Okidata
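
Added example, not part of the original message: a sketch of the distinction raised in (b), comparing a port-only packet-filter decision with an application-level proxy that inspects the HTTP request. It assumes IPP requests are HTTP POSTs carrying Content-Type application/ipp; the host names, the dedicated port value 6310 and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass

IPP_PORT = 6310  # hypothetical dedicated port, chosen only for this example

@dataclass
class Flow:
    dst_host: str
    dst_port: int
    payload: bytes  # start of the TCP stream (an HTTP request)

def packet_filter(flow, allowed_ports):
    """Packet-filter view: only the destination port is consulted."""
    return "allow" if flow.dst_port in allowed_ports else "deny"

def is_ipp(payload):
    """Application-level view: parse the HTTP head and look for IPP."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return method == "POST" and ctype == "application/ipp"

def app_proxy(flow, web_hosts, printer_hosts):
    """Proxy applies separate policies to web servers and IPP printers."""
    if is_ipp(flow.payload):
        return "allow-ipp" if flow.dst_host in printer_hosts else "deny"
    return "allow-web" if flow.dst_host in web_hosts else "deny"

# Constructed sample traffic (not captured from any real network).
WEB, PRINTERS = {"www.example.com"}, {"printer.example.com"}
IPP_REQ = (b"POST /printer HTTP/1.1\r\nHost: printer.example.com\r\n"
           b"Content-Type: application/ipp\r\nContent-Length: 0\r\n\r\n")
WEB_GET = Flow("www.example.com", 80,
               b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
IPP_ON_80 = Flow("printer.example.com", 80, IPP_REQ)
IPP_ON_OWN_PORT = Flow("printer.example.com", IPP_PORT, IPP_REQ)

if __name__ == "__main__":
    for name, f in [("web GET", WEB_GET), ("IPP on 80", IPP_ON_80),
                    ("IPP on own port", IPP_ON_OWN_PORT)]:
        print(name, packet_filter(f, {80}), packet_filter(f, {IPP_PORT}),
              app_proxy(f, WEB, PRINTERS))
```

With a rule for port 80 alone, the packet filter gives the web request and the IPP job the same verdict; only the dedicated port or the proxy's inspection of the request separates them.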