OT: Multifunction Printers: The Forgotten Security Risk

Bill Campbell bill at celestial.com
Thu Feb 14 10:39:57 PST 2008


On Thu, Feb 14, 2008, Bob Rasmussen wrote:
>On Thu, 14 Feb 2008, Bill Campbell wrote:
>
>> I've been doing secure network printing for the better part of 20 years
>> using secure shell to transfer print jobs between *nix systems.
>> 
>> We also use OpenVPN, IPSec, etc. to connect remote sites securely which
>> makes it easy to handle remote printing direct to the printers as well.
>
>Please be specific; I really am interested. Are you protecting data over 
>the "last leg", from a local server, say, to a network connected printer? 
>Do you avoid this issue by connecting the printer directly to the server? 
>Or what?

We generally handle the VPN connections such that the printer is on the
local network; thus internal traffic on the LAN will not be encrypted.
Given that most (all?) of our systems now are using Ethernet switches
which, unlike hubs, create virtual circuits between pairs of IP addresses,
sniffing isn't a problem unless it can be done on the machine handling the
VPN connections, or someone has physical access to the printer and can
connect an Ethernet hub to it, which would allow them to put another machine
on the hub to sniff all traffic to and from the printer.

If I were to have a printer running really sensitive matter, I would
probably attach it directly to the machine generating the reports, and
strictly control access to that machine.  If I were *REALLY* paranoid, that
machine would not be connected to any network.

Bill
--
INTERNET:   bill at celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

We have a two party system and what a party they are giving themselves.
Since 1960 government spending has grown 8 times as fast as the GNP.

