HP Designjets and HP Security Features Overview and solutions for managing Security features in HP Designjets using the printers Embedded Web Server technology, Front Panel and Web Jetadmin Table of contents Introduction & Overview ....................................................................................................................... 2 Designjet Security features vs LaserJet ..................................................................................................... 4 Appendix: Security Concepts explanation............................................................................................... 4 Secure file and disk erase ................................................................................................................. 4 Embedded Web Server (EWS) multilevel access ...................................................................................... 7 Control panel Access ......................................................................................................................... 10 Deadlock: Front Panel locked + EWS password forgotten ....................................................................... 12 Disable connectivity interfaces ............................................................................................................. 13 Exclude personal information from accounting e-mail ............................................................................. 14 Glossary ........................................................................................................................................... 15 For more information .......................................................................................................................... 17
Transcript
HP Designjets and HP Security Features Overview and solutions for managing Security features in HP Designjets using the printers Embedded Web Server technology, Front Panel and Web Jetadmin
For more information .......................................................................................................................... 17
Introduction & Overview This document is aimed at providing an overview of the security features supported by HP Designjet printers as of November 2009. HP Designjets are well suited to being deployed into environments where network, data, access control and security are everyday issues thanks to the security features explained below. Below is an executive table summarizing the new and already existing security features of HP Designjet printers and how they can be implemented using the Embedded Web Server and/or HP Web Jetadmin.
Security Feature by November 09
DJ Z6100/ Z6100PS
DJ T1100/
T1100PS
DJ T1120/
T1120PS
DJ Z2100 Z3100/Z3100PS
Z3200/Z3200PS
DJ 4000/
4500
DJ 4020/
4520 How To Apply
this setting
Secure File erase Yes Yes Yes Yes Yes Yes WJA
Secure disk erase Yes Yes Yes Yes Yes Yes Service Menu
Or WJA
Control panel Access Yes Yes No No Yes Yes WJA
Embedded Web Server multilevel access passwords Admin and Guest
Yes Yes Admin pwd
only
(Guest Future)
Admin pwd only
Yes Yes
WJA (Admin only) or EWS
(Admin & Guest)
Exclude personal information from accounting e-mail
Yes Yes Yes No Yes Yes EWS
Disable interfaces Yes Yes No No
Yes
Yes EWS
IPSec With JetDirect 635n
With JetDirect 635n
With JetDirect 635n
With JetDirect 635n
With JetDirect 635n
With JetDirect 635n
SNMPv3
Hide IP address from Front Panel
Yes Yes No No Yes Yes Service Menu
Security Feature by November 09
T610 T620 T770 T770 HDV T1200 T1200
PostScript How To Apply
this setting
Secure File erase Yes Yes Yes Yes Yes Yes WJA
Secure disk erase No No No Yes Yes Yes Service Menu
Or WJA
Control panel Access No No No No Yes Yes WJA or EWS
Embedded Web Server multilevel access passwords Admin and Guest
No No No No Yes Yes
WJA (Admin only) or EWS
(Admin & Guest)
Exclude personal information from accounting e-mail
No No Yes Yes Yes Yes EWS
Disable interfaces No No No No
Yes
Yes EWS
IPSec With JetDirect 635n
With JetDirect 635n
With JetDirect 635n
With JetDirect 635n Yes Yes
SNMPv3
Hide IP address from Front Panel
Yes No No No Yes Yes Service Menu
Note: If the printer is not listed in the above table then these features are not implemented
Designjet Security features vs LaserJet HP LaserJet printers have some security features not yet available in HP Designjet printers. As a brief comparison, please find the comparison between HP LJ 9050 series and HP DJ 4020 series. In the appendix we explain what each security feature is.
Security Feature LJ 9050 DJ 4020
Authentication Manager Yes No
Control panel Access Yes Yes
Device Password Yes Yes
Direct Connect Ports (USB/IEEE 1284) Yes Yes
File erase mode Yes Yes
File system access settings Yes No
File system password Yes No
Job Held Timeout Yes No
Job Retention Yes No
PJL Password Yes No
Remote FW upgrade Yes Yes
When comparing HP Designjets to competitive products in a more secure environment such as an Enterprise customers look for these feature sets to compare
Appendix: Security Concepts explanation
Secure file and disk erase Secure File Erase can be divided in 3 parts:
1. File erase allowing printer working mode of continuous removal of files in a non-secure and secure manner
2. Disk erase allowing a complete removal of all user data in HDD content 3. The user Interface providing access to the secure erase functionality
Let’s look at how each of these features can be used in a secure manner within our printing environment. 1. File Erase There are three modes of operation regarding File Erase; this means that each file that the printer creates and removes follows a specification, so minimal data is left at any time without being sanitized:
I. Non-Secure Fast Erase: In this mode, all file pointers to the data (table indexes) are erased. Temporary data remains on the Hard Disk Drive until the disk space it occupies is needed for other purposes, and it is then overwritten. This is the default mode (out of the box) of operation and how the product works today. This is the fastest mode of operation.
II. Secure Fast Erase: In this mode of operation, file pointers are erased and the disk space where the temporary job was stored is also overwritten with a fixed character pattern. This mode of operation is slower than Non-Secure Fast Erase, but more secure and all data is overwritten!
III. Secure Sanitizing Erase: In this mode of operation, file pointers are erased and the disk
space where the temporary job was stored is repetitively overwritten using an algorithm that prevents any residual data. This mode of operation may affect product performance. The Secure Sanitizing Erase mode of operation meets the US Department of Defense 5220-22.m requirements for clearing and sanitization of disk media. When SDE feature is enable, all temporary files that might contain sensitive data are erased with this method and no temporary files are left around after a job has completed (scan, copy, or print).
2. Secure Disk Erase
There’s also the option to delete the complete disk in either of the two secure methods commented above, (Secure Fast Erase and Secure Sanitizing Erase) this will sanitize the whole disk in one shot by removing any user data in a secure manner so the device can be moved out from a safe to a non safe environment. This setting can be done via Web Jetadmin or the Front Panel “Service Menu” by an HP authorized engineer or by contacting HP Support directly with a request to access.
All disk erasing will be done via the same level of security erase. The Secure Disk Erase feature is already implemented for these printers:
o HP Designjet Z3100/Z3200 o HP Designjet Z6100 o HP Designjet T1100 o HP Designjet T1120 o HP Designjet T770 HDV o HP Designjet T1200/T1200 PostScript o HP Designjet 4000/4500 o HP Designjet 4020/4520
3. User Interface
We will discuss how to set these options using two user interfaces: HP Web Jetadmin and the printers Front Panel “Service Menu”.
HP Web Jetadmin access: When the user interface used to manage Secure File Erase and
Secure Disk Erase functionality is HP Web Jetadmin, we use the same SFE/SDE functionality that is used in the WJA device plug-ins for LaserJet printers, this means that you can set the same global options for SFE/SDE across your fleet of HP LaserJet’s and HP Designjets. The example below shows the T1100ps being configured using WJA
Secure File Erase:
Secure Disk Erase:
Note: the file system password needs to be set for a device before the file erase/disk erase mode can be configured.
Printer Front Panel: Once selected in the “Service Menu” you can perform Secure Disk Erase, The printer will warn you that it is a process which destroys all data and takes a long time, when you accept the printer starts the process and shows a progress bar until complete, all data will be wiped in one of the two selectable methods and the printer firmware will be restored.
Note: the T1200 series now has an optional accessory for added disk security, an external HDD to replace the printer's internal hard disk as a repository of personal data storage (job queue, including temporal processing data, accounting,..). In that way, the EHD could be removed from the printer to store it in a secure place.
Embedded Web Server (EWS) multilevel access The Embedded Web Server is a tool which enables one to one management of a device such as an HP LaserJet printer or an HP Designjet printer, however without any security being implemented this tool can also be damaging as many features can be configured using just a web browser and an IP connection to the printer. To alleviate this problem we have implemented two levels of access to our compatible HP Designjets as follows.
The Security page allows users to:
‐ Restrict access to the printer by setting an administrator user account ‐ We can now define two levels of access: Administrator and Guest ‐ If the two levels of access have been set, and the user has neither of the passwords they will
not be able to gain access to EWS information at all. See below
Administrator password Access control is enabled by setting the Admin account password: that is, by specifying a password for the user account Admin. Users will then have to provide the Admin password in order to perform any of the following restricted operations:
‐ Cancel, delete or preview a job in the job queue ‐ Delete a stored job ‐ Clear accounting information ‐ Change the printer settings on the Device Setup page ‐ Update the printer's firmware ‐ Change the printer's date and time ‐ Change security settings ‐ View protected printer information pages
See below
Guest password Once the administrator user account has been set, the administrator can also set the guest account password: that is, by specifying a password for the user account Guest. If the guest user account is set, a username and password are required for all Web server operations: users identified as guests have access to restricted operations, whilst users identified as administrators have access to all operations.
Control panel Access The control panel access is a feature intended for IT administrators that allow them to lock the device front panel using HP Web Jetadmin or the printers Embedded Web Server (T1200 series only), preventing unauthorized users from accessing it and changing the printer’s settings. Administrators can specify the level of access as follows:
This option can be enabled from HP Web Jet Admin as shown below:
Picture below: Control Panel Access feature settings.
This option can be enabled from the T1200 series Embedded Web Server as shown below:
Options Below: Retrieve job Information Paper handling Configure
Designjet Diagnostics
Maximum OK ----- ----- ----- ----- Intermediate OK OK ----- ----- ----- Moderate OK OK OK ----- ----- Minimum OK OK OK OK OK Maximum Lock - This option denies access to all options. Intermediate Lock - This option denies access to the paper and ink supplies handling options, maintenance options and demo prints, on top of the Moderate Lock. Only viewing printer and supplies information is allowed. Moderate Lock - This option denies access to all printer settings, the job queue, information and service prints and the printer log, on top of the Minimum Lock. Minimum Lock - This option denies access to the Resets options, Enable/Disable connectivity options and the Service menu. Note: with Moderate or Maximum lock set you will not be able to load/unload paper or replace printheads/ink cartridges without first unlocking the front panel, and so these options should only be set in specific circumstances where the implications are known and understood. Some printers like T1100 Series will also allow controlling the Front Panel Access from the Embedded Web Server. When the Control Panel is locked, locked menus show a ‘lock’ symbol in the FP. If a user makes an attempt to enter in a ‘lock’ menu entry, the following message is shown:
Deadlock: Front Panel locked + EWS password forgotten The main implication from a Customer Support point of view is related to the management of situations where a printer is blocked because of the loss of the Administrator’s Password that is needed to unblock its Front Panel. This could happen if the Front Panel is locked through the printer’s Embedded Web Server and the Administrative password in the EWS is lost. In this situation, it would not be possible to unblock the FP from the EWS and it would not be possible to reset the EWS from the FP. With HP Designjet Printers the solution will be to implement a menu option in the Diagnostic Boot Mode accessible to users at start up.
Customer Support agents would be able to guide customers that have found themselves in a deadlock situation to this menu in order to unlock the printer and recover from this situation.
Disable connectivity interfaces Depending on the printer series, there are some ports that can be disabled to prevent unauthorized printing and possible data theft: Customers concerned about the data stream sent to the printer should use an HP JetDirect card which implements the IPSec security standard (JetDirect 635n) install this card and then disable all other ports using the printers EWS as shown below.
Here is a table showing the connectivity options that can be disabled.
HP DJ 4020 Series HP DJ 4520 Series
‐ On‐board Gigabit Ethernet ‐ 1394 FireWire
HP DJ T1200 Series HP DJ T1200 Series
‐ On‐board Gigabit Ethernet ‐ USB
If you enable or disable a connectivity option, the printer will automatically restart. Bear in mind that disabling a connectivity option could cut off network access to the printer. As a security measure, you cannot disable the connection you are using to access the Web server. There is an option in the Service menu to enable all connectivity interfaces in case a user ends up without connectivity due to an improper use of this feature.
Exclude personal information from accounting e-mail You can enable or disable the printer to send an e-mail containing accounting information. If you enable this setting, you have also to fill in the destination of the report using the Send accounting files to setting. Please note that you also have to configure the e-mail server on the Setup page. In some cases customers prefer not to send personal user data from the printers via email and so the option Exclude personal information from accounting e-mail is now available in the Embedded Webserver, accounting e-mails will not contain personal information (user name, job name, account ID will be left blank in the accounting file sent by email from the printer). Typically this option is used for managed print or pay-per-use contracts to ensure that only the data (counters) relevant for billing are being sent by the printer. Personal information about who printed which file is not required for billing purposes, and can be excluded from the accounting email. This personal information is typically used for cost allocation within a company. Supported printers: T1100, T1120, Z6100, 4020/4520, 4000/4500, T770, T1200 Series
Glossary Active Directory (AD): An advanced, hierarchical directory service that comes with Microsoft Windows servers (version 2000 or later). It is LDAP-compliant and built on the domain naming system (DNS) used on the Internet. Workgroups are given domain names, exactly like Web sites, and any LDAP-compliant client – such as Windows, Mac, or Unix – can gain access. Adobe PostScript: Developed by Adobe, this is the standard page description language (PDL) for the graphics arts industry and commercial printing. Many printing devices support PostScript with a built-in PostScript interpreter. Color Access Control: Settings to determine which users and/or applications are allowed to print in color. Domain Naming System (DNS): Converts host names and domain names into IP addresses on the Internet or on local networks that use the TCP/IP protocol. Embedded Web Server (EWS): The EWS resides on a hardware device (such as an HP Designjet) or in the printer firmware. The EWS allows you to review, configure, and change settings on an HP Designjet after inputting an IP address into a Web browser from your computer. HP Web Jetadmin: Web-based fleet management software tool for remote installation, configuration, problem resolution, proactive management, and reporting. IP multicast: A one-to-many transmission of data over an IP network. Multicast DNS (mDNS): Also known as Bonjour or Rendezvous, mDNS uses IP multicast with DNS to provide the capabilities of a DNS server for service discovery in a small network that does not have a DNS server. Simple Network Management Protocol (SNMP): This is a network monitoring and control protocol. Subnet: A logical division of a local area network, which is created to improve performance and provide security. A subnet limits the number of nodes that compete for bandwidth. IPSec Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. In our case, IPsec is used to protect data flows between the host and the printer. SNMPv3 SNMP (Simple Network Management protocol) allows users to manage the printer using SNMP management tools, such as HP Web JetAdmin. SNMP is also the protocol for communicating the printer with the Windows driver. SNMPv3 provides security through user authentication and data encryption. Hide IP address from front Panel Option in the Service Utilities menu of the front panel to show/not show the Internet Protocol (IP) address of your printer. In that way, only registered users or network administrations will know the right address to submit jobs to the printer Device Password (LJ feature) This is equivalent to designjet’s web server password. It helps protect the printer from unauthorized access through remote applications. PJL Password (LJ feature) The PJL password feature helps protect the printer from unauthorized configurations through Print Job Language (PJL) commands. It does not affect ordinary print jobs. Once the PJL password is configured, the MFP requires it before it will process any of these commands. File System Password (LJ feature)
The File System Password feature helps protect the printer data storage system options from unauthorized access. With the File System password configured, the printer requires the password before it will allow configurations to features that affect the data storage system. Some of these features are the Secure disk erase mode, the Secure Storage Erase feature, and the File System Access options. File System Access settings (LJ feature) File system access settings: The File System Access options allow users to completely disable many of the access points to the printer data storage system. These access points are for various types of usage for the printer. The options are: PJL disk access SNMP disk access NFS disk access PS disk access HP recommends enabling PS Disk Access to allows users to print PS-type files, and disable the rest Remote Firmware Upgrade (LJ feature) This service allows an administrator to use a custom application to upgrade the printer’s firmware remotely. Since HP recommends using HP Web Jetadmin to upgrade MFP firmware, you should disable Remote Firmware Upgrade. Job Retention (LJ feature) This feature provides job retention options such as private job and hold job. Users will be able to ensure that they are present during printing to provide privacy for documents in the printer output bins. Job Held Timeout (LJ feature) This feature is part of the Job Retention feature. It limits a held job to the selected time, and then the printer deletes it. You should select a reasonable timeout value for this setting to allow enough time for a user to walk to the printer to print a job or to allow time for jobs to print in line at the queue. Authentication Manager (LJ feature) The Authentication Manager allows administrators to secure Device Functions by requiring users to log in with a specific Log In Method for each Function. For example, users may be required to log in with an Access Code or PIN to make copies yet be required to log in with a username and password to send e-mails. Log In Methods The following Log In Methods are available with the latest device firmware upgrade: Group 1 PIN: Requires users to input a numeric code for access when at the control panel of the device. The numeric code entered by the walk up user is compared to the first of two PINs stored on the device by the Administrator. When the PIN is entered correctly, the user can proceed. Group 2 PIN: Requires users to input a numeric code for access when at the control panel of the device. The numeric code is compared to the second of two PINs stored on the device by the Administrator. LDAP: Lightweight Directory Access Protocol, Requires users to input a username and password that are verified by an LDAP server. HP Digital Send Service (if available): Also known as DSS. Requires users to enter credentials that are verified by the HP Digital Send Service software. (HP Digital Send Service software must be available to use this Log In Method. If no DSS server is associated with this device, walk-up users will not be required to authenticate before using the device.) Kerberos: Requires users to enter a username and password to be verified by a Windows Server.
For more information About HP: www.hp.com/go/designjet
