Just to clarify, the CISC will grant exceptions for open telnet ports on
printers only if there is no way to turn off the telnet port, a
reasonable password is set, and the telnet port is rarely, if ever,
used. However, we still need people to submit requests for exception so
that SNS has the IP addresses involved and so that we can track these
exceptions. They are not indefinite exceptions; they are, at most, for
one year.

Also, please understand that printers, though they may seem like
innocuous devices, can pose a significant threat if they are
compromised. I've seen printers used as repositories and distribution
points for illegal copies of software, music, etc. I've seen printers
used as a denial-of-service tool (i.e., setting the printer's IP address
to that of the local router). I've seen printers configured to quietly
store whatever is printed for later review by a hacker. I've even seen
printers hacked to function as a network sniffer. The point is that
printers do represent a computing resource that can be useful to hackers
and we need to protect them just as we do every device on the network.

Craig Lant

> From: Ryan L. Means <rmeans_at_law.berkeley.edu>
> Date: Tue May 03 2005 - 22:48:43 PDT
>
> Mike,
>
> This hasn't been published anywhere yet, mostly because we just made the
> decision last Thursday, but CISC has made an exception for print server
> cards.
>
> Based on the exception that we have already granted:
>
> The telnet service on JetDirect (and other, similar print server) cards
> that are not capable of having their telnet service disabled will be
> exempted from the unencrypted authentication and unnecessary services
> standards for one year. This exemption will probably be renewed again
> after a year, though we cannot guarantee that. It depends on the
> availability of newer, better solutions. Again, this exemption is ONLY
> for the telnet service on print server cards and only for cards where
> the telnet service cannot be shut off.
>
> My personal recommendation for JetDirect cards (the majority of the
> print servers, I believe), is to configure them as securely as possible
> per this URL and the other documents that it references:
>
> http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00004828
>
> My co-worker Gabriel wrote a script that connects to all of our printers
> regularly and checks to make sure that they are set up as securely as
> possible, turns off stupid services where possible, etc. We are even
> moving to implement access control lists, which I believe are available
> on even the oldest cards, to lock down the printer so it can only be
> accessed by the Windows print server which sends jobs out.
>
> I am still not sure whether you need to request exceptions for the
> printers that you have, for CISC's recordkeeping purposes, or whether it
> is acceptable to merely reference the exception that has been granted
> already. Craig, what do you think?
>
> Ryan
Received on Fri May 6 16:38:08 2005