HP Instant-On Security User manual

Technical white paper
HP JetAdvantage Security Manager
Instant-On Security and Auto-Group Remediation
Table of Contents
Overview
  What is Instant-On Security?
  What is Instant-On Secure at Install?
  What is Instant-On Stay Secure?
  How do I implement Instant-On Security?
Instant-On Security, Part 1 - Device Announcement Agent (DAA)
  Introduction to Device Announcement Agent (DAA)
  Instant-on workflow
    DAA Workflow Diagram
    Explanation of the DAA workflow
    Device and DNS configuration
    Network Activity
  Initial Device Announcement Use Cases
    When are Device Announcement Messages Created?
  Post-Install Device Announcement Use Cases
    Use Case 1 – Device Cold Reset
    Use Case 2 – Device Formatter or JetDirect Interface Replacement
    Use Case 3 – Device Acquires New IP address
  Security and Mutual Authentication
Instant-On Security, Part 2 - Security Manager Instant-On Security Settings
  Introduction
  Enabling Instant-on Discovery
  Enabling Instant-On Security
  Configuring Instant On Forwarding to WJA
  Configuring Instant On Mutual Authentication
    Mutual Authentication Configuration
    Announcement Message Summary
  Configuring Instant On with Device Serial List filtering
  Instant-On Assessment Policy with HPSM 3.3 and older
  Instant-On Assessment Policy from HPSM 3.4 onwards
Part 3 - Autogrouping and autogroup remediation
  A. Autogroup remediation for devices discovered via instant-on
  B. Autogroup remediation for devices discovered via manual or automatic discovery
  C. Autogroup remediation at configured time intervals
  D. Autogroup remediation after editing an autogroup or autogroup policy
Part 4 – Performance Implications
Part 4 – Summary
Appendix A
  Links to other HP Security Manager Whitepapers
Overview
What is Instant-On Security?
HP JetAdvantage Security Manager (HPSM) is the industry’s first policy-based security compliance solution for HP printing and imaging devices. Unique to Security Manager, the Instant-On Security feature provides automatic device discovery and security compliance configuration when an HP supported device is first connected to the network. Afterwards, Instant-On Security maintains security compliance when the usual “after installation” scenarios place the device into a non-compliant state.
What is Instant-On Secure at Install?
Instant-On Security is a dual component solution consisting of dedicated communication between a supported device and appropriately configured Security Manager software. When enabled at the device, a special device announcement agent locates the Security Manager server and requests secure communication. After the agent source is authenticated, the Security Manager server responds by adding the device to the database and applying a pre-configured corporate security policy. This activity will be referred to as Secure at Install throughout the document.
What is Instant-On Stay Secure?
After being registered with Security Manager, a device generates an announcement when power cycled, cold reset, assigned a different IP address and for other device specific conditions while on the network. Upon receiving an announcement, Security Manager assesses the device and immediately remediates any setting found to be out of compliance with the last security policy applied to that device. This activity will be referred to as Stay Secure throughout the document. Instant-On security does not rely on periodic database refreshing or special device group configuration. The process is simple; any time a device announces, Security Manager will assess the device and remediate any setting found to be out of compliance with the established corporate security policy.
How do I implement Instant-On Security?
The remainder of this document includes a general and detailed understanding of the Instant-On Security feature, organized into two primary sections. Part 1 covers the device side component, referred to as the Device Announcement Agent. Part 2 covers the Security Manager Instant-On Security configuration server component. Familiarization with both components will explain Instant-On Security as a complete solution and provide assistance for proper implementation.
Instant-On Security, Part 1 - Device Announcement Agent (DAA)
Introduction to Device Announcement Agent (DAA)
This section provides a general understanding of the Device Announcement Agent, why it was developed, and the value it provides.
The Device Announcement Agent (DAA) serves as the device-side component of the Instant-On Security solution and can be found as embedded functionality in most Security Manager supported printers. The DAA can also be found in recently released HP JetDirect network interface cards to provide Instant-On compatibility with legacy HP printers missing the embedded DAA functionality. Please refer to the HP JetAdvantage Security Manager Supported Devices document found at www.hp.com/go/securitymanager for the most current list of Instant-On Security supported devices.
Note: Security Manager Instant-On Security supported devices are a subset of Security Manager overall supported devices.
Developed strictly for use with the Security Manager Instant-On feature, the DAA combined with Security Manager addresses three primary customer desires:
1. An automatic printing device discovery solution that doesn’t require additional network configuration, additional protocol enabling, exhaustive searches or chatty broadcasts
2. A solution that provides a true out-of-the-box device security compliance experience or what is referred to as Secure at Install
3. A solution that can maintain security settings when the installed device is cold reset or changes IP addresses or hostname, referred to as the Stay Secure experience
Due to limitations in fully automatic discovery methods, networked printer discovery is generally a manual process requiring device or network specific input. For example, automatic device discovery methods such as SLP (Service Location Protocol) and Bonjour (mDNS) can provide some automation to the discovery process. Both methods commonly possess limitations that prevent them from being a complete solution in most corporate environments. SLP adoption typically faces packet filtering restrictions, and Bonjour is limited to a single broadcast domain without special DNS configuration. In addition, automatic discovery methods such as exhaustive subnet scanning are not feasible for IPv6 networks due to the size of the address space. These and other automatic methods typically involve some manual intervention, lack efficiency, and do not scale well for large enterprises.
To overcome such limitations, the innovative Device Announcement Agent (DAA) was developed and provides a supported HP printing device the capability of “announcing” its presence directly to the Security Manager server. This announcement process is handled through common DNS address resolve and dedicated TCP port communication (port 3329). The DAA model alleviates the need for manual intervention, is not chatty, and serves as a more efficient device discovery mechanism. After the initial device discovery process is complete, Security Manager applies the established security policy to the device over a secure TCP connection.
A device Secure at Install experience is the result of this two-step process. After the Secure at Install process is complete, Instant-On continues with the Stay Secure process via the DAA announcements that occur for device cold resets, IP address changes and other device specific conditions. The Stay Secure process ensures the device is remediated in accordance with the last security policy applied. With Security Manager, only the settings found to be out of compliance with the established security policy are targeted for remediation.
To quickly identify DAA functionality presence on a specific device, you may print a configuration page. A configuration page example of DAA presence is provided below. You may also browse to the device’s embedded web server “Networking” page to verify DAA presence.
HP Web Jetadmin provides fleet configuration of the Device Announcement Agent. You can set up a device layout in HP Web Jetadmin to include the Device Announcement Agent column. DAA presence is represented by an Enabled, Disabled or Not Supported status in this column.
The device DAA functionality is enabled by default but can be manually disabled via the control panel, Embedded Web Server or HP Web Jetadmin.
An enabled Device Announcement Agent will announce when the device is powered up on the network for the first time. Announcements also occur during a device power cycle, cold reset, IP address change and link down/link up scenario.
Instant-on workflow
The Device Announcement Agent is enabled by default. The device can display four different DAA states: Disabled, In Progress, Success or Failed. Success indicates the device was able to discover a Security Manager server and establish communication. Failed indicates the device was not able to discover a Security Manager server or was not able to establish a connection with a discovered Security Manager server. Use the following DAA workflow description and the diagram below to understand the device announcement experience:
1. A supported device is powered up on the network with a pre-configured IP address or automatically acquires an IP address after network installation. The DAA is enabled by default on the device, but can easily be disabled if Instant-On Security is not desired. In the disabled scenario, the device will show a disabled status for the announcement agent.
2. If the DAA is enabled, and the Security Manager server IP address is configured on the device, the device will target the provided Security Manager server IP address to begin Instant-On communication. If the Security Manager server IP address is not configured on the device, the device will attempt DNS IP resolution of the following hostname or DNS alias (CNAME): hp-print-mgmt.
Note: This hostname or alias must be administratively assigned to the Security Manager server for successful default Instant-On functionality.
3. The Security Manager server Instant-On feature must be enabled and configured to allow DAA communication to proceed without failure. The Instant-On feature can be configured to discover only, or to discover, assess and remediate.
4. With the Security Manager server IP address known (either through direct configuration or DNS resolve), TCP port 3329 communication is attempted with the Security Manager server. The device announces itself using SSL and its self-signed identity certificate.
5. Upon receiving the announcement, the Security Manager configuration server authenticates the device, retrieves the device’s identity details, and adds the device to the database. Security Manager then continues with an assessment of the device based upon the designated Security Manager security policy and remediates the device’s non-compliant security settings.
DAA Workflow Diagram
Explanation of the DAA workflow
This section presents the Device Announcement Agent workflow in greater detail, including network configuration for default functionality, network activity, primary use cases, communication specifics, and authentication.
Device and DNS configuration
DAA communication occurs via a protocol that will be referred to in this document as HDAP (HP Device Announcement Protocol). When a DAA enabled printer comes online in a networked environment, it follows a process of contacting the default Security Manager server to request discovery and compliance with a configured corporate security policy. All use cases follow the same basic workflow, but differ in the way that the device is authenticated to the Security Manager server and if some manual intervention in the workflow is required.
In order to leverage the default functionality provided by a DAA enabled printer, the network administrator must make a minimal DNS configuration change to the networked environment. Once the configuration change is complete, any Instant-On supported device coming online will be automatically discovered and configured to a secure setting. The required steps are as follows:
1. The DNS administrator configures a DNS entry for the default Security Manager server hostname hp-print-mgmt on the network where a new HP print device is to be placed. The hp-print-mgmt reference can be the actual Security Manager server hostname or a DNS alias (CNAME) of that specific server. If the administrator is unable or unwilling to configure this DNS entry, the DAA must be manually configured to include the IP address of the Security Manager server. HP Web Jetadmin can assist with the DAA configuration from a fleet management perspective. Pre-configuring the Security Manager server IP address in the DAA eliminates the need for DNS, but adds a manual step to the default Instant-On process.
Note: The DAA DNS resolve occurs on the local domain only unless the device is configured to query additional domains or the DNS environment is configured to refer to other domains. The device can be automatically configured with a specific DHCP server option (option 119) that assigns additional domain suffixes, or manually configured with the additional domain information via the device’s embedded web server. The Microsoft DHCP domain search options differ by server operating system. To understand more about specific server operating system DHCP capabilities and automatic domain search options, please refer to the Microsoft Support Knowledge Base. A network trace example is shown below of DAA behavior when the hp-print-mgmt hostname or DNS alias cannot be found on the local domain and the device searches on other domains for which the network interface may be configured.
Note: When IPv6 is enabled on the device, you will notice at least one IPv6 (AAAA) and IPv4(A) DNS request per domain.
2. TCP Port 3329 is registered with the IANA (Internet Assigned Numbers Authority) and specifically assigned to HP Security Manager. This port is dedicated to Instant-On communication between the HP supported device and Security Manager. Port 3329 is also referred to as the hp-device-disc port. If the Security Manager server Windows firewall is in use, ensure the firewall allows TCP Port 3329 communication in both directions.
3. At the Security Manager server, create a security policy that best describes the conformance requirements for devices on this network. This policy should be the most encompassing policy relative to the mix of device models found in your corporate printing environment.
4. At the Security Manager server, configure authentication requirements for communicating with devices. Devices will attempt the highest level of authentication available. Choices are “No Authentication” (true out-of-the-box conditions) or “Mutual Authentication”, which leverages installed certificates.
5. Place a device that supports the DAA, with the DAA enabled, on the network.
Network Activity
Instant-On security operates with very little impact to the network. As mentioned earlier in this document, the Device Announcement process consists of resolving the Security Manager server hostname or alias of hp-print-mgmt to an IP address. Once the address is resolved, a dedicated TCP port (3329) is opened for direct communication between the device and Security Manager. For a detailed flow of what to expect to see on the network, please see the DNS flow diagram below.
Note: If the Security Manager IP address is pre-configured in the DAA, the DNS resolve step in the Instant-On Security process is eliminated.
Resolving the hp-print-mgmt hostname or alias:
Successful DNS resolution of the hp-print-mgmt hostname or alias (IPv6 Enabled)
The trace below is an example of a successful DNS resolution of the default hostname of hp-print-mgmt.domain.company.net. After an unsuccessful attempt at DNS resolve over IPv6, the device retried over IPv4. Once the hostname resolved to an IP address, the device then opened up a TCP connection on port 3329. This connection then serves as secure communication between Security Manager and the device.
Note: IPv6 is enabled by default on the device
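To verify the DNS entry from step 1 and the port from step 2 before placing a device on the network, and to compare against the query order seen in the trace described under Network Activity, the following Python checker is an added example (not HP tooling). It assumes the device tries hp-print-mgmt in each configured search domain, AAAA before A, and stops at the first answer; the sample domains, DNS data and address are constructed.

```python
import socket
from typing import Iterable, List, Optional, Tuple

DAA_HOSTNAME = "hp-print-mgmt"   # default hostname/CNAME the DAA resolves
DAA_PORT = 3329                  # IANA "hp-device-disc", dedicated to Instant-On


def system_resolve(fqdn: str, rrtype: str) -> List[str]:
    """Resolve one record type (AAAA or A) through the host's configured resolver."""
    family = socket.AF_INET6 if rrtype == "AAAA" else socket.AF_INET
    try:
        infos = socket.getaddrinfo(fqdn, DAA_PORT, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def system_connect(address: str, port: int) -> bool:
    """Plain TCP connect only; the SSL handshake the DAA performs is not exercised here."""
    try:
        with socket.create_connection((address, port), timeout=3):
            return True
    except OSError:
        return False


def daa_query_sequence(search_domains: Iterable[str], ipv6_enabled: bool = True) -> List[Tuple[str, str]]:
    """Queries a DAA-enabled device issues, in order: per search domain, AAAA then A.
    Assumption based on the trace description above; list the local domain first."""
    rrtypes = ("AAAA", "A") if ipv6_enabled else ("A",)
    return [(f"{DAA_HOSTNAME}.{domain}", rr) for domain in search_domains for rr in rrtypes]


def check_instant_on_prereqs(search_domains, resolve=system_resolve, connect=system_connect,
                             ipv6_enabled=True) -> Optional[Tuple[str, str, bool]]:
    """Walk the query sequence; at the first answer, test TCP 3329 on the first address.
    Returns (fqdn, address, port_reachable), or None when no domain resolves hp-print-mgmt."""
    for fqdn, rrtype in daa_query_sequence(search_domains, ipv6_enabled):
        addresses = resolve(fqdn, rrtype)
        if addresses:
            return fqdn, addresses[0], connect(addresses[0], DAA_PORT)
    return None


# Constructed sample environment (not from the whitepaper): the alias exists only in the
# parent domain and only as an A record, and the server accepts TCP 3329.
SAMPLE_DNS = {("hp-print-mgmt.corp.example.net", "A"): ["10.20.30.40"]}
SAMPLE_SEARCH_DOMAINS = ["site1.corp.example.net", "corp.example.net"]


def sample_resolve(fqdn: str, rrtype: str) -> List[str]:
    return SAMPLE_DNS.get((fqdn, rrtype), [])


def sample_connect(address: str, port: int) -> bool:
    return address == "10.20.30.40" and port == DAA_PORT


if __name__ == "__main__":
    # Against the real network, call check_instant_on_prereqs(search_domains) with the defaults.
    print(check_instant_on_prereqs(SAMPLE_SEARCH_DOMAINS, sample_resolve, sample_connect))
```

A result of None means the hp-print-mgmt entry is missing from every domain the device would search; a False third element means the name resolves but TCP 3329 is blocked, typically by the server firewall described in step 2.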
Initial Device Announcement Use Cases
Setting up the network as explained above will allow for an initial default out-of-the-box device security configuration experience. Below is a list of the most common Secure at Install use cases.
Use Case 1 – Auto Discovery and Policy Conformance
A DAA enabled Security Manager supported device is placed on the network for the first time without any staged configuration. The Security Manager server Instant-On feature is configured to “Accept Device