IPP Mail Archive: RE: IPP> Printing through a firewall [caut

RE: IPP> Printing through a firewall [caution]

From: McDonald, Ira (imcdonald@sharplabs.com)
Date: Mon Dec 08 2003 - 18:16:01 EST

    Hi,

    Paul is right. If your Hawking Parallel Print Server
    supports SSL/3.0 (or TLS/1.0) and has a manufacturer
    embedded Server certificate (so that your external
    customer can start an _encrypted_ session to a fully
    authenticated printer), then you can use HTTP simple
    user/password authentication for your client.

    Cheers,
    - Ira

    Ira McDonald (Musician / Software Architect)
    Blue Roof Music / High North Inc
    PO Box 221 Grand Marais, MI 49839
    phone: +1-906-494-2434
    email: imcdonald@sharplabs.com

    -----Original Message-----
    From: Moore, Paul [mailto:Paul.Moore06@ca.com]
    Sent: Monday, December 08, 2003 5:29 PM
    To: McDonald, Ira; Ara Roselani; ipp@pwg.org
    Subject: RE: IPP> Printing through a firewall [caution]

    You can use TLS/SSL with simple user password client auth. This is a lot
    easier to set up than client certs, providing the IPP server supports it
    (and it really ought to).

    -----Original Message-----
    From: owner-ipp@pwg.org [mailto:owner-ipp@pwg.org] On Behalf Of
    McDonald, Ira
    Sent: Monday, December 08, 2003 2:12 PM
    To: 'Ara Roselani'; ipp@pwg.org
    Subject: RE: IPP> Printing through a firewall [caution]

    Hi,

    [Disclaimer - the following is personal opinion - you should
    consider taking some advice from your organization's network
    security professionals or consultants]

    Yes, port 631 (and ONLY that port) must be open on the external
    firewall (for inbound HTTP over TCP connections) for IPP
    to work.

    Personally, I would NOT let any external customer print
    through my firewall via IPP, unless I had enabled the
    TLS/1.0 option (which may or may not be supported in
    your Hawking Parallel Print Server) and was using both
    Server authentication (certificate-based SSL just like
    a Web server) AND also Client authentication (cert-based
    SSL authentication for your external client).

    Otherwise, I think you're going to see quite significant
    denial of service attacks against port 631 on the external
    side of your firewall.

    Here's a link to Hawking Technology's Print Server family:

      http://www.hawkingtech.com/prodList.php?FamID=42

    And here's the link to the Datasheet for their HPS1P product:

      http://209.61.202.44/images/datasheet/HPS1P-Datasheet_LR.pdf

    That datasheet describes their IPP support (briefly) but does
    not mention SSL/TLS support in the implementation (not very
    surprising, because cert-based authentication is not trivial).

    I hope this all helps some.

    Cheers,
    - Ira

    Ira McDonald (Musician / Software Architect)
    Blue Roof Music / High North Inc
    PO Box 221 Grand Marais, MI 49839
    phone: +1-906-494-2434
    email: imcdonald@sharplabs.com
     
    -----Original Message-----
    From: Ara Roselani [mailto:ara@americanlegalcopy.com]
    Sent: Monday, December 08, 2003 4:15 PM
    To: ipp@pwg.org
    Subject: IPP> Printing through a firewall

    I'm brand new to IPP and I have a client that wants to print directly to
    our copy shop's printer. I'm attempting to set this up without breaching
    security. I'm aware that I can use VPN tunneling (IPSEC), but I'm
    exploring other options.

    We have a Linux Firewall running on Redhat. Our internal network is
    running a 192.168.4.0 scheme that goes through the firewall to the router.

    I have a small Hawking 10/100 Parallel Print Server hooked up to my
    printer, which allows IPP printing. It's assigned to 192.168.4.100. I can
    print just fine internally. I'm at the point where I need to assign
    firewall rules to let this through.

    Do I need to forward port 631 to the firewall's external interface
    through NAT to allow IPP to go through? Ideally, I'd like to be able to
    print to the Firewall's external IP. Is this secure? Is there a better
    configuration?

    Thanks.

    ---
    Ara Roselani
    Network Administrator
    Portland, Oregon
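
The port forward asked about in the original question, limited to TCP/631 as the reply states, as an added example that is not part of the original thread: the script prints (it does not apply) the iptables rules for review. The interface name `eth0`, the optional client source address, and a default-DROP FORWARD policy are assumptions not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: print (do not apply) iptables rules that
# forward only TCP/631 (IPP) from the external interface to the print server.
# Assumed: interface name, optional client source address, FORWARD policy DROP.

is_ipv4() {
    # Dotted quad, each octet 0-255.
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

ipp_forward_rules() {
    ext_if=${1:-} printer_ip=${2:-} client_ip=${3:-}
    case "$ext_if" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    is_ipv4 "$printer_ip" || { echo "bad printer address" >&2; return 1; }
    src="" dst=""
    if [ -n "$client_ip" ]; then
        # Optional narrowing to one known client (assumption, not in the thread).
        is_ipv4 "$client_ip" || { echo "bad client address" >&2; return 1; }
        src=" -s $client_ip" dst=" -d $client_ip"
    fi
    # Rewrite the destination of inbound IPP connections to the print server.
    echo "iptables -t nat -A PREROUTING -i $ext_if$src -p tcp --dport 631" \
         "-j DNAT --to-destination $printer_ip:631"
    # Pass the forwarded connection, and only TCP/631, through the filter table.
    echo "iptables -A FORWARD -i $ext_if$src -d $printer_ip -p tcp --dport 631" \
         "-m state --state NEW,ESTABLISHED -j ACCEPT"
    # Allow the print server's replies back out.
    echo "iptables -A FORWARD -o $ext_if -s $printer_ip$dst -p tcp --sport 631" \
         "-m state --state ESTABLISHED -j ACCEPT"
}

# Print server address from the thread; eth0 is an assumed interface name.
ipp_forward_rules eth0 192.168.4.100
```

These rules only open the port; the TLS and authentication discussed in the thread depend on what the print server itself supports.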
    



    This archive was generated by hypermail 2b29 : Mon Dec 08 2003 - 18:17:00 EST