SLAC Computer Security		Search SLAC
SLAC Home | Computing Home | Computing Outages | Help

Cyber Security for Networked Printers and Copiers

An increasing number of services are being offered on printers and copiers and SLAC needs to be sure cyber security is kept in mind as new printers/copiers are considered for purchase and deployment at SLAC. It is advisable to involve SLAC Computer Security early in the evaluation process to insure that the printer/copier will be allowed to remain on the SLAC network. Since each model is unique, offering a unique experience, it is impossible to provide blanket approval or rejection for any new offerings. The cyber security evaluation will be based on the following list of recommendations/guidelines.

Security Group Recommendations/Guidelines

• Vendor must provide support to SLAC personnel so that we don't rely on vendor service calls to address the security restrictions listed below;
• The password used to administer the printer/copier must be changeable - and changed from the default ASAP;
• If administered via the web then the administrator password must be encryped - cleartext HTTP is _NOT_ to be used. This authentication should be protected via SSL or SSH or some other encrypted channel. If it cannot be encrypted then web administration is not allowed and only the local console should be used;
• The vendor must provide security patches in a timely manner (any vulnerability left unpatched for > 30 days would require the device to be shut down until the patch is available from vendor and installed on printer);
• The device will be scanned for latest vulnerabilities multiple times/day by SLAC Computer Security and it will also be scanned at least quarterly using SANS TOP 20 tests. If the scanning causes the printer/copier problems it should be powered off until the vendor can fix or replace it;
• Printers/copiers must be restricted from direct offsite Internet access. This is accomplished by placing it in Internet Free Zone (IFZ). When the SCCS Helpdesk provides IP addresses for printers and copiers they should be providing IFZ addresses by default. If not initially placed in IFZ area of subnet, it will be forced to move to IFZ IP address when the next SANS TOP 20 quarterly scan is run;
• No user authentication to SLAC authenticators is to go across the net in clear text (including to LDAP servers);
• E-mail sending should allow authentication using SMTP/TLS (or equivalent) - though this is not required;
• E-mail From: address must be configurable, and the From: address must be in our mailrouter database and they must point to an actively monitored mailbox;
• All "services" must be configurable - and must allow complete disable (i.e. SMTP, NTP, FTP, HTTP, NFS, IPX, Appletalk, etc);
• If certificates are used, the device must allow the use of "real" certificates (SLAC uses Thawte for SSL certificates);
• Device should support 802.1x network authentication, or have planned upgrade (by vendor) to support it;
• Device must support IPv6, or have a committed upgrade path from vendor for IPv6.

Note: Unix printing requires SNMP v1/v2 on the printer. Do not disable SNMP from networked printers. Removing R/W access should be fine. Just leave R/O access.