IPP Mail Archive: RE: IPP> Printing through a firewall [caut

RE: IPP> Printing through a firewall [caution]

From: Robert Herriot (bob@herriot.com)
Date: Mon Dec 08 2003 - 20:13:42 EST

    I have Hawking Parallel Print Servers connected to 3 of my printers on my
    home network. They work well.

    I checked the "Setup" web page on the Hawking and there are absolutely no
    options that deal with security.
    So I conclude that the Hawking doesn't support any IPP security.

    Bob Herriot

    At Monday 12/8/2003 03:16 PM, McDonald, Ira wrote:
    >Hi,
    >
    >Paul is right. If your Hawking Parallel Print Server
    >supports SSL/3.0 (or TLS/1.0) and has a manufacturer
    >embedded Server certificate (so that your external
    >customer can start an _encrypted_ session to a fully
    >authenticated printer), then you can use HTTP simple
    >user/password authentication for your client.
    >
    >Cheers,
    >- Ira
    >
    >Ira McDonald (Musician / Software Architect)
    >Blue Roof Music / High North Inc
    >PO Box 221 Grand Marais, MI 49839
    >phone: +1-906-494-2434
    >email: imcdonald@sharplabs.com
    >
    >-----Original Message-----
    >From: Moore, Paul [mailto:Paul.Moore06@ca.com]
    >Sent: Monday, December 08, 2003 5:29 PM
    >To: McDonald, Ira; Ara Roselani; ipp@pwg.org
    >Subject: RE: IPP> Printing through a firewall [caution]
    >
    >You can use TLS/SSL with simple user password client auth. This is a lot
    >easier to set up than client certs providing the IPP server supports it
    >(and it really ought to).
    >
    >-----Original Message-----
    >From: owner-ipp@pwg.org [mailto:owner-ipp@pwg.org] On Behalf Of
    >McDonald, Ira
    >Sent: Monday, December 08, 2003 2:12 PM
    >To: 'Ara Roselani'; ipp@pwg.org
    >Subject: RE: IPP> Printing through a firewall [caution]
    >
    >
    >Hi,
    >
    >[Disclaimer - the following is personal opinion - you should
    >consider taking some advice from your organization's network
    >security professionals or consultants]
    >
    >Yes, port 631 (and ONLY that port) must be open on external
    >firewall (for inbound HTTP over TCP connections) for IPP
    >to work.
    >
    >Personally, I would NOT let any external customer print
    >through my firewall via IPP, unless I had enabled the
    >TLS/1.0 option (which may or may not be supported in
    >your Hawking Parallel Print Server) and was using both
    >Server authentication (certificate-based SSL just like
    >a Web server) AND also Client authentication (cert-based
    >SSL authentication for your external client).
    >
    >Otherwise, I think you're going to see quite significant
    >denial of service attacks against port 631 on the external
    >side of your firewall.
    >
    >Here's a link to Hawking Technology's Print Server family:
    >
    > http://www.hawkingtech.com/prodList.php?FamID=42
    >
    >And here's the link to the Datasheet for their HPS1P product:
    >
    > http://209.61.202.44/images/datasheet/HPS1P-Datasheet_LR.pdf
    >
    >That datasheet describes their IPP support (briefly) but does
    >not mention SSL/TLS support in the implementation (not very
    >surprising, because cert-based authentication is not trivial).
    >
    >I hope this all helps some.
    >
    >Cheers,
    >- Ira
    >
    >Ira McDonald (Musician / Software Architect)
    >Blue Roof Music / High North Inc
    >PO Box 221 Grand Marais, MI 49839
    >phone: +1-906-494-2434
    >email: imcdonald@sharplabs.com
    >
    >-----Original Message-----
    >From: Ara Roselani [mailto:ara@americanlegalcopy.com]
    >Sent: Monday, December 08, 2003 4:15 PM
    >To: ipp@pwg.org
    >Subject: IPP> Printing through a firewall
    >
    >
    >I'm brand new to IPP and I have a client that wants to print directly
    >to our copy shop's printer. I'm attempting to set this up without
    >breaching security. I'm aware that I can use VPN tunneling (IPSEC),
    >but I'm exploring other options.
    >
    >We have a Linux Firewall running on Redhat. Our internal network is
    >running a 192.168.4.0 scheme that goes through the firewall to the
    >router.
    >
    >I have a small Hawking 10/100 Parallel Print Server hooked up to my
    >printer, which allows IPP printing. It's assigned to 192.168.4.100.
    >I can print just fine internally. I'm at the point where I need to
    >assign firewall rules to let this through.
    >
    >Do I need to forward port 631 to the firewall's external interface
    >through NAT to allow IPP to go through? Ideally, I'd like to be able
    >to print to the Firewall's external IP. Is this secure? Is there a
    >better configuration?
    >
    >Thanks.
    >---
    >Ara Roselani
    >Network Administrator
    >Portland, Oregon
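
Added example, not part of the original thread or of any vendor's code: besides reading the setup page, a print server's own Get-Printer-Attributes response states which security it offers, and this sketch decodes such a response (RFC 2910 encoding) and sorts each printer URI into the levels discussed above: no security, TLS with user/password, or TLS with client certificates. The attribute names and keywords are the RFC 2911 ones; the sample responses are constructed, and the `/lpt1` path and `printer.example` host are assumptions.

```python
def parse_ipp_attributes(data):
    """Decode an IPP response (RFC 2910 encoding) into {name: [value bytes]}."""
    attrs, pos, name = {}, 8, None  # skip version(2), status(2), request-id(4)
    while pos < len(data):
        tag = data[pos]; pos += 1
        if tag == 0x03:             # end-of-attributes-tag
            return attrs
        if tag < 0x10:              # delimiter tag: a new attribute group starts
            continue
        nlen = int.from_bytes(data[pos:pos + 2], "big")
        if nlen:                    # name-length 0 = one more value, same name
            name = data[pos + 2:pos + 2 + nlen].decode("ascii")
        vlen = int.from_bytes(data[pos + 2 + nlen:pos + 4 + nlen], "big")
        start = pos + 4 + nlen
        if name is None or start + vlen > len(data):
            raise ValueError("truncated or malformed IPP attribute")
        attrs.setdefault(name, []).append(data[start:start + vlen])
        pos = start + vlen
    raise ValueError("missing end-of-attributes tag")

def exposure_posture(attrs):
    """Map each printer URI to one of the protection levels the thread names."""
    vals = lambda n: [v.decode("ascii") for v in attrs.get(n, [])]
    posture = {}
    for uri, sec, auth in zip(vals("printer-uri-supported"),
                              vals("uri-security-supported"),
                              vals("uri-authentication-supported")):
        if sec not in ("tls", "ssl3"):
            posture[uri] = "cleartext"          # no IPP security at all
        elif auth == "certificate":
            posture[uri] = "tls+client-cert"    # server and client certificates
        elif auth in ("basic", "digest"):
            posture[uri] = "tls+password"       # TLS plus HTTP user/password
        else:
            posture[uri] = "tls-unauthenticated"
    return posture

def build_sample(rows):
    """Constructed Get-Printer-Attributes reply; rows = (uri, security, auth)."""
    body = b"\x01\x01\x00\x00\x00\x00\x00\x01\x04"  # IPP/1.1, ok, id 1, printer group
    names = (b"printer-uri-supported", b"uri-security-supported",
             b"uri-authentication-supported")
    for i, name in enumerate(names):
        for j, row in enumerate(rows):
            n = b"" if j else name              # later values carry an empty name
            body += (bytes([0x45 if i == 0 else 0x44]) + len(n).to_bytes(2, "big")
                     + n + len(row[i]).to_bytes(2, "big") + row[i])
    return body + b"\x03"
```

A URI reported as `cleartext` is the case where forwarding port 631 through the firewall exposes the printer with no protection of its own.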



    This archive was generated by hypermail 2b29 : Mon Dec 08 2003 - 20:13:01 EST