IPP> SEC - IPP and firewalls

Carl-Uno Manros cmanros at cp10.es.xerox.com
Mon Jun 30 13:57:01 EDT 1997


While I was still in the Boston area last week I had the opportunity to
discuss IPP and firewalls with Philip Gladstone who works for Raptor, a
company that specializes in firewalls and other security products for major
corporations.  They are at: 


	http://www.raptor.com


Philip pointed out that firewalls mostly play the role of enforcing
corporate security policies even if the individual servers, in our case the
IPP server, are not configured correctly.  This means that the IPP Printer
can actually report back features in the response to a Get-Attributes
operation which work fine when you operate behind the firewall, but which
may not be allowed if you try to access it from a client outside the firewall.


The firewall would act as a proxy for all IPP Printers behind the firewall
and hence intercept all incoming HTTP Posts from the outside.  The firewall
software would probably need to be able to understand the semantics of the
IPP request and either generate IPP error responses as if it were an IPP
Printer, or alternatively just break off the connection, if the request is
in conflict with the security policy.  Otherwise the request would be
passed on to the IPP Printer.  Likewise, the IPP Printer responses would be
filtered by the firewall software before they are passed back to the external
IPP Client.


The kind of restrictions that a firewall might impose include:


- Only requests from a set of known TCP/IP address ranges
- Only one copy of each document
- Only black & white printing
- Only documents up to a certain size
- No multiple document jobs
- No print-by-reference jobs


I expect that it is unlikely that the firewall software would be able to
check for features specified in the actual document content (e.g. as
specified in a Postscript statement).


We also discussed whether there were any security features in preparation
that would provide security for print-by-reference.  The answer is NO.


Finally, I asked about whether a separate port for IPP might be useful.
The answer to that is also NO.


Comments?


Carl-Uno




Carl-Uno Manros
Principal Engineer - Advanced Printing Standards - Xerox Corporation
701 S. Aviation Blvd., El Segundo, CA, M/S: ESAE-231
Phone +1-310-333 8273, Fax +1-310-333 5514
Email: manros at cp10.es.xerox.com


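The proxy behaviour described in the message above, as an added example that is not code from the message, from Raptor or from any IPP implementation: the firewall decodes the incoming request, decides whether to forward it or answer with an IPP error status, and rewrites the printer's Get-Attributes reply so that disallowed features are not advertised. Operation ids, status codes and the attribute names "copies", "copies-supported" and "color-supported" are the values later fixed in RFC 2911; "print-color-mode" comes from a later PWG extension; the network range and limits are constructed, and a full IPP response would also carry an operation-attributes group, which is omitted here.

```python
import ipaddress
import struct

# Operation ids and status codes as numbered in RFC 2911 (assumed; the
# 1997 message predates the RFC).
PRINT_URI, SEND_URI = 0x0003, 0x0007          # print-by-reference operations
CREATE_JOB, SEND_DOCUMENT = 0x0005, 0x0006    # multiple-document job operations
CLIENT_ERROR_FORBIDDEN = 0x0401
CLIENT_ERROR_NOT_POSSIBLE = 0x0404
CLIENT_ERROR_REQUEST_ENTITY_TOO_LARGE = 0x0408
CLIENT_ERROR_ATTRIBUTES_NOT_SUPPORTED = 0x040B

# Constructed corporate policy, one entry per restriction in the message.
POLICY = {
    "allowed_networks": [ipaddress.ip_network("192.0.2.0/24")],
    "max_copies": 1,
    "colour_allowed": False,
    "max_document_bytes": 1_000_000,
    "allow_multi_document": False,
    "allow_print_by_reference": False,
}

def check_request(req, policy=POLICY):
    """Return None to forward a decoded request, else the IPP status to reply with."""
    ip = ipaddress.ip_address(req["source_ip"])
    if not any(ip in net for net in policy["allowed_networks"]):
        return CLIENT_ERROR_FORBIDDEN
    op = req["operation"]
    if not policy["allow_print_by_reference"] and op in (PRINT_URI, SEND_URI):
        return CLIENT_ERROR_NOT_POSSIBLE
    if not policy["allow_multi_document"] and op in (CREATE_JOB, SEND_DOCUMENT):
        return CLIENT_ERROR_NOT_POSSIBLE
    if req.get("content_length", 0) > policy["max_document_bytes"]:
        return CLIENT_ERROR_REQUEST_ENTITY_TOO_LARGE
    attrs = req.get("job_attributes", {})
    if attrs.get("copies", 1) > policy["max_copies"]:
        return CLIENT_ERROR_ATTRIBUTES_NOT_SUPPORTED
    if not policy["colour_allowed"] and attrs.get("print-color-mode", "monochrome") != "monochrome":
        return CLIENT_ERROR_ATTRIBUTES_NOT_SUPPORTED
    return None

def error_response(status, request_id):
    """Minimal IPP reply: version 1.1, status-code, request-id, end-of-attributes tag."""
    return struct.pack(">BBHI", 1, 1, status, request_id) + b"\x03"

def filter_printer_attributes(printer_attrs, policy=POLICY):
    """Rewrite a Get-Attributes reply so outside clients only see allowed features."""
    out = dict(printer_attrs)
    out["copies-supported"] = (1, min(out.get("copies-supported", (1, 1))[1], policy["max_copies"]))
    out["color-supported"] = out.get("color-supported", False) and policy["colour_allowed"]
    return out
```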
