
I have an EAP-TLS network at home which I've managed for some time now. I just got a new Brother HL-5470 printer so I can finally print things at home, which is really nice.

The only problem is that printers are notoriously good at being huge security holes.

The printer is connected to my EAP-TLS network, which allows hosts to talk with one another, provided that they're in that network or connected directly to Ethernet (i.e. both my EAP-TLS WiFi and Ethernet share the same LAN). It has to be in the same LAN as the other computers so that they can access it. I've succeeded in getting the Brother printer onto the EAP-TLS network, but what steps can I take now to protect myself?

The network is firewalled so that there aren't any open ports accepting connections from the WAN. Any device inside will be able to "speak" with any other device inside. The printer also features Google Cloud Print, though I haven't done anything to configure it yet.

What can I do to further harden and lock down the printer from a networking point of view? I've configured the login password for the printer so that other users of my network won't be able to change things willy-nilly, but login is over HTTP and there's no way to turn that off. If someone has gotten into my EAP-TLS network, generally they should be there, but I greatly fear the security hell that this printer could possibly unleash in my network. What can I do?

Naftuli Kay

3 Answers


You could consider putting the printer on a dedicated subnet in its own VLAN. In lots of enterprise networks there are dedicated 'Device' VLANs.

Because all traffic will then need to traverse a router (and therefore probably a firewall) to get to the subnet the users are on you have the option to put some firewall rules in to make sure:

  1. The printer cannot make any outbound connections
  2. Users can only reach it via the ports and protocols they need (TCP/9100 maybe) rather than the HTTP admin (TCP/80 probably) etc.

You can make exceptions to #2 to allow management access from either the IP address assigned to you on the Users subnet or from another Management subnet which you could create just for your use.

alifen
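The two rules above, written out as an nftables ruleset. This is an added example, not part of alifen's answer, and the addresses are assumptions: users on 192.168.10.0/24, the printer VLAN on 192.168.20.0/24 with the printer at 192.168.20.10, and 192.168.10.5 as the one host allowed to reach the HTTP admin page. The table only judges traffic that touches the printer VLAN; everything else is handed to whatever other forwarding tables the router already has.

```shell
#!/bin/sh
# Added example (not from the answer): nftables rules for a printer VLAN.
# Assumed layout:
#   users VLAN      192.168.10.0/24
#   printer VLAN    192.168.20.0/24, printer at 192.168.20.10
#   management host 192.168.10.5 (the address the admin works from)

printer_ruleset() {
    cat <<'EOF'
define users_net   = 192.168.10.0/24
define printer_net = 192.168.20.0/24
define printer_ip  = 192.168.20.10
define mgmt_host   = 192.168.10.5

# "table ip" confines this to IPv4; an IPv6 twin would need its own table.
table ip printer_fw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # replies belonging to connections that were already allowed
        ct state established,related accept

        # traffic not involving the printer VLAN is left to the router's other tables
        ip saddr != $printer_net ip daddr != $printer_net accept

        # rule 2: users reach the printer only on the raw print port
        ip saddr $users_net ip daddr $printer_ip tcp dport 9100 accept

        # exception to rule 2: the management host may also use the HTTP admin page
        ip saddr $mgmt_host ip daddr $printer_ip tcp dport 80 accept

        # rule 1: the printer may not originate anything; log what it tries
        ip saddr $printer_net ct state new log prefix "printer-outbound: " drop
    }
}
EOF
}

# Syntax-check the ruleset without loading it (nft -c), when nft is installed.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        printer_ruleset | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
        return 0
    fi
}

# Print the ruleset; load it with: printer_ruleset | nft -f -
printer_ruleset
```

Run `check_ruleset` before loading anything, and expect Google Cloud Print to stop working once rule 1 is in place, since it depends on the printer opening outbound connections. The `log` on the final rule is the cheap way to see what the printer tries to reach before you decide whether any of it deserves an exception.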

Logically, and I'm speculating here, the only way I can see Google's cloud print service working, is if the printer sends out beacon packets to Google.

This achieves two things. It allows print jobs to get to the printer by having that awareness of its presence at all times. Also it defeats your firewall. By connecting on an outbound-first path, it opens traffic for inbound traffic as well.

Again, I'm not sure if this is the case, and if you're really paranoid, you could sniff traffic from the printer to see if that's the case.

If you don't feel like sniffing the traffic first, you could just deny outbound traffic from the printer to the Internet (perhaps you'll need the parental controls functionality on the router). If that stops all Google printing from working, then that dramatically reduces any internet-borne threats.

Obviously patch the thing too.
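The sniffing step above, reduced to a script. This is an added example, not part of the answer: it takes a log of new connections, one per line as `<time> <src> <dst> <proto> <dport>` (a format assumed here, which one could distil from a tcpdump of SYN packets for the printer's address), and reports every destination outside the private and multicast ranges that the printer itself opened a connection to. The printer address 192.168.20.10 and every log line are constructed.

```shell
#!/bin/sh
# Added example (not from the answer): audit a connection log for traffic the
# printer originates toward the Internet, the "beacon" the answer speculates about.
# Assumed record format: "<time> <src> <dst> <proto> <dport>", one new connection
# per line, e.g. distilled from
#   tcpdump -n 'host 192.168.20.10 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
# Printer address and all sample lines are constructed; 203.0.113.7 is a
# documentation address standing in for a cloud endpoint.

SAMPLE_LOG='2015-03-11T22:00:01 192.168.10.5 192.168.20.10 tcp 9100
2015-03-11T22:00:02 192.168.10.5 192.168.20.10 tcp 80
2015-03-11T22:00:05 192.168.20.10 192.168.1.1 udp 53
2015-03-11T22:00:06 192.168.20.10 203.0.113.7 tcp 443
2015-03-11T22:00:09 192.168.20.10 224.0.0.251 udp 5353
2015-03-11T22:05:06 192.168.20.10 203.0.113.7 tcp 443
2015-03-11T22:10:06 192.168.20.10 203.0.113.7 tcp 443'

# printer_outbound LOG PRINTER_IP
# Prints "dst proto dport count" for each external destination the printer
# contacted. RFC 1918 ranges and multicast (224/4) count as local and are skipped.
printer_outbound() {
    printf '%s\n' "$1" | awk -v printer="$2" '
        $2 == printer &&
        $3 !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|2(2[4-9]|3[0-9])\.)/ {
            count[$3 " " $4 " " $5]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# printer_is_quiet LOG PRINTER_IP
# Succeeds only when the printer contacted nothing external, so it can gate a
# periodic check.
printer_is_quiet() {
    [ -z "$(printer_outbound "$1" "$2")" ]
}

# On the sample, the repeated 443 connection every five minutes is exactly the
# pattern a beacon would leave; the DNS lookup and mDNS stay inside the LAN.
printer_outbound "$SAMPLE_LOG" 192.168.20.10
```

A repeated connection to the same address at a fixed interval is the signature to look for; a one-off lookup or a multicast announcement is normal printer behaviour. Whatever shows up here is also the list of destinations that an outbound-deny rule on the router will block.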


As long as you trust people / computers accessing your network, your printer isn't a big problem.

The main security hole is the HTTP-only access, which means that when you manage the printer using it, someone 'may' grab your credentials. And then? This could only be achieved while you're managing it through the WiFi, not while connected on your Ethernet switch (unless you use a 20-year-old hub), as packets are directly sent from port to port on a switch, and not broadcast all around the network.

As no connection is allowed from outside and your WiFi network is supposed to be safe (if not, the printer won't be your main trouble), you may consider that you've done enough securing the printer, in a "home" context.

  • It's good to hear that my main problem is the unencrypted HTTP access to the printer. Luckily, if something does get into this network, it needs to either be hardwired or have a signed SSL client certificate: not likely. WiFi snooping wouldn't be able to reveal my communications with the printer, as all WiFi data is encrypted using 4096-bit RSA for authentication and AES for encryption, which I assume is secure. Really wish I could disable HTTP anyway, though. – Naftuli Kay Mar 11 '15 at 22:05