IPP Mail Archive: RE: IPP> Printing through a firewall [caut

RE: IPP> Printing through a firewall [caution]

From: McDonald, Ira (imcdonald@sharplabs.com)
Date: Mon Dec 08 2003 - 17:12:27 EST


    Hi,

    [Disclaimer - the following is personal opinion - you should
    consider taking some advice from your organization's network
    security professionals or consultants]

    Yes, port 631 (and ONLY that port) must be open on the external
    firewall (for inbound HTTP over TCP connections) for IPP
    to work.

    Personally, I would NOT let any external customer print
    through my firewall via IPP, unless I had enabled the
    TLS/1.0 option (which may or may not be supported in
    your Hawking Parallel Print Server) and was using both
    Server authentication (certificate-based SSL just like
    a Web server) AND also Client authentication (cert-based
    SSL authentication for your external client).

    Otherwise, I think you're going to see quite significant
    denial of service attacks against port 631 on the external
    side of your firewall.

    Here's a link to Hawking Technology's Print Server family:

      http://www.hawkingtech.com/prodList.php?FamID=42

    And here's the link to the Datasheet for their HPS1P product:

      http://209.61.202.44/images/datasheet/HPS1P-Datasheet_LR.pdf

    That datasheet describes their IPP support (briefly) but does
    not mention SSL/TLS support in the implementation (not very
    surprising, because cert-based authentication is not trivial).

    I hope this all helps some.

    Cheers,
    - Ira

    Ira McDonald (Musician / Software Architect)
    Blue Roof Music / High North Inc
    PO Box 221 Grand Marais, MI 49839
    phone: +1-906-494-2434
    email: imcdonald@sharplabs.com
     
    -----Original Message-----
    From: Ara Roselani [mailto:ara@americanlegalcopy.com]
    Sent: Monday, December 08, 2003 4:15 PM
    To: ipp@pwg.org
    Subject: IPP> Printing through a firewall

    I'm brand new to IPP and I have a client that wants to print directly to our
    copy shop's printer. I'm attempting to set this up without breaching
    security. I'm aware that I can use VPN tunneling (IPSEC), but I'm exploring
    other options.

    We have a Linux Firewall running on Red Hat. Our internal network is running
    a 192.168.4.0 scheme that goes through the firewall to the router.

    I have a small Hawking 10/100 Parallel Print Server hooked up to my printer,
    which allows IPP printing. It's assigned to 192.168.4.100. I can print
    just fine internally. I'm at the point where I need to assign firewall
    rules to let this through.

    Do I need to forward port 631 to the firewall's external interface through
    NAT to allow IPP to go through? Ideally, I'd like to be able to print to
    the Firewall's external IP. Is this secure? Is there a better
    configuration?

    Thanks.

    ---
    Ara Roselani
    Network Administrator
    Portland, Oregon
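
As an added example (not part of either message in this thread), the following Python check reads `iptables-save` output from the Linux firewall and lists every DNAT rule that exposes the print server at 192.168.4.100 on anything other than TCP port 631, the one port the reply says must be open. The sample rules, the `eth0` interface name and the 192.168.4.7 host are constructed for illustration.

```python
import shlex

PRINTER = "192.168.4.100"  # print server address given in the thread
IPP_PORT = "631"           # the only port the reply says must be open

# Constructed sample of `iptables-save` nat-table output (not from the thread);
# eth0 as the external interface and 192.168.4.7 are assumptions.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 631 -j DNAT --to-destination 192.168.4.100:631
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.4.100:80
-A PREROUTING -i eth0 -p tcp -m multiport --dports 515,9100 -j DNAT --to-destination 192.168.4.100
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.4.7:22
COMMIT
"""

def option(tokens, *names):
    """Return the value following the first matching option name, or None."""
    for name in names:
        if name in tokens[:-1]:
            return tokens[tokens.index(name) + 1]
    return None

def dnat_rules(text):
    """Return one dict per DNAT rule found in iptables-save text."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        target = option(tokens, "--to-destination")
        if "DNAT" not in tokens or target is None:
            continue
        host, _, to_port = target.partition(":")
        rules.append({"proto": option(tokens, "-p", "--protocol"),
                      "dports": option(tokens, "--dport", "--dports"),
                      "host": host, "to_port": to_port or None, "raw": line})
    return rules

def extra_printer_exposure(text, printer=PRINTER, port=IPP_PORT):
    """Return raw DNAT rules that reach the printer on anything but tcp/631."""
    def ipp_only(r):
        return (r["proto"] == "tcp" and r["dports"] == port
                and r["to_port"] in (None, port))
    return [r["raw"] for r in dnat_rules(text)
            if r["host"] == printer and not ipp_only(r)]

if __name__ == "__main__":
    for rule in extra_printer_exposure(SAMPLE_RULES):
        print("unexpected forward to print server:", rule)
```

To audit a live firewall, pass the output of `iptables-save -t nat` in place of `SAMPLE_RULES`.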
    



    This archive was generated by hypermail 2b29 : Mon Dec 08 2003 - 17:13:26 EST