How it Works
HP
Loading...
P2600
User Manual
13 pgs221.84 Kb0

HP P2600 User Manual

Practical considerations for imaging and printing security
Overview.................................................................................................................................................. 3
Imaging and printing security............................................................................................................... 3
Common Criteria Certification ..................................................................................................................... 3
IEEE p2600 ....................................................................................................................................... 4
Security checklists............................................................................................................................... 4
Conclusion: look beyond Common Criteria Certification .......................................................................... 4
HP’s imaging and printing security framework ............................................................................................... 4
MFP walk-up authentication.......................................................................................................... 5
Network printing authentication.................................................................................................... 5
Physical document access control.................................................................................................. 5
HP Secure Erase ......................................................................................................................... 6
Vulnerabilities, viruses, and worms ................................................................................................ 6
Protect Information on the Network ....................................................................................................... 6
Network connectivity with HP Jetdirect devices................................................................................ 6
HP Digital Sending Software (DSS)................................................................................................ 7
Fax/LAN bridging ...................................................................................................................... 7
Effectively Monitor and Manage........................................................................................................... 7
HP Web Jetadmin for fleet management ........................................................................................ 7
Device and service control ........................................................................................................... 7
Firmware updates ....................................................................................................................... 7
Logging device activity ................................................................................................................ 8
Common Criteria Certification ...................................................................................................... 8
The future of imaging and printing security .................................................................................................... 8
Document security and Digital Rights Management ................................................................................. 8
Trusted Computing Group.................................................................................................................... 8
Conclusion ................................................................................................................................................ 9
Appendix A—Access controls..................................................................................................................... 10
HP Digital Sending Software 4.0.........................................................................................................10
HP Job Retention and PIN Printing ....................................................................................................... 10
Jetmobile SecureJet-PS Secure Print Product ...........................................................................................10
Jetmobile Technologies SecureJet Authenticator Products......................................................................... 11
SafeCom .......................................................................................................................................... 11
Appendix B—HP Secure Erase.................................................................................................................... 12
For more information .................................................................................................................................13
Overview
The IT security climate has changed. While in the past the challenge has been to convince customers of the need for security, the current need is to show how a product’s security capabilities complement a customer’s existing security environment.
Security measures have evolved through the years, from firewalls that kept intruders out, to sophisticated virus throttling systems that detect viruses before they take hold and prevent them from spreading. Attacks now often originate from inside the network, for example: employees take advantage of access, wireless networks are improperly secured, and unaware users introduce viruses or worms to the secure network.
As attacks increase in sophistication, hardening the internal network’s security—from clients and servers to the imaging and printing infrastructure—becomes critical. Further, regulatory requirements, including Sarbanes-Oxley and the Health Insurance Portability Protection Act, are mandating protection accountability.
Imaging and printing security
Security of the imaging and printing environment has long been ignored by IT administrators. Printers and scanners have been considered little more than network appliances, posing none of the risks of client and server PCs. Recent publications by hacker groups have raised the awareness that imaging and printing devices are more than simple appliances, and that these devices have capabilities beyond printing and scanning.
This whitepaper explains the threats and risks unique to imaging and printing environments and provides recommendations and strategies to prevent their effects. Parallels to common security capabilities are drawn to aid in explaining hardcopy-specific needs. Imaging and printing devices are put into the context of regulatory requirements, although—as will be seen—there is no simple solution.
Common Criteria Certification
While Common Criteria Certification provides a valuable means for assessing the security capabilities of a product, it is important to understand the true significance of Certification, what Common Criteria is and is not, and the role Common Criteria Certification plays in imaging and printing manufacturer’s marketing differentiation claims.
Common Criteria Certification provides no credible means for assessing the true security capabilities of hardcopy products today, and should not be used as a measure for purchasing requirements. Common Criteria does not dictate necessary security functionality, it merely provides a means to assess the correctness of a manufacturer’s implementation claims.
The varying levels of EAL (Evaluation Assurance Level) certification foster further confusion. Higher certification levels are assumed to provide greater levels of security. However, as certification reflects only the manufacturer’s functional claims, the higher levels of certification are frequently meaningless.
The majority of the hardcopy industry currently certifies Disk Erase and Analog Fax functions, but this certification does not accurately portray a product’s security capabilities or vulnerabilities. A product may advertise certification of these capabilities while providing no, or rudimentary, protection for the remaining system.
To ensure Common Criteria Certification provides value, it is important to understand the product’s complete range of capabilities versus those for which certification is claimed. While certification can prove what a product does properly, it says nothing of what a product does not do, and to what degree that omission represents a security risk.
3
e
IEEE p2600
The IEEE p2600 working group is defining a security standard for hardcopy devices, as well as recommendations for the security capabilities of devices when deployed in various environments, including enterprise, high-security, small office/home office, and public spaces.
The p2600 working group has broad industry participation, including Hewlett-Packard, Lexmark, Canon, Xerox, Sharp, Ricoh, IBM, Epson, Okidata, Equitrac, and Oce.
The p2600 standard will provide a means for credibly measuring the security capabilities of individual manufacturers. HP is actively participating within the working group, and will Common Criteria-certify products to the standard when complete. As of this time, HP devices support the majority of capabilities specified in the draft documents.
Security checklists
The National Institute of Standards and Technologies (NIST) has been tasked by U.S. legislation to develop checklists that facilitate security configuration of devices likely to be used by the U.S. Federal Government. NIST has requested IT equipment manufacturers to develop these security checklists for their products. Details of the checklist program are available at
NIST will review manufacturer’s checklists for relevance and correctness and publish those checklists on a searchable NIST website.
HP considers security checklists as a means to significantly improve the security capabilities’ ease of configuration for imaging and printing products. A security checklist for the HP LaserJet 4345mfp is available for public review at
http://checklists.nist.gov/repository/, and is currently the only available
hardcopy product checklist available from any manufacturer. HP plans to develop additional checklists for hardcopy devices in the future.
http://csrc.nist.gov/checklists.
Conclusion: look beyond Common Criteria Certification
Ultimately, individuals must look carefully at their requirements and not be swayed by manufacturer advertising claims. Common Criteria Certification adds significant cost and development time to products, while providing limited assurance to the product’s actual capabilities and potential vulnerabilities. Products that are not certified may actually provide more robust security capabilities than products that are certified. NIST security checklists simplify the complex process of enabling security functions, and better illustrate the product’s capabilities
HP’s imaging and printing security framework
To simplify the presentation of security concepts, HP developed an imaging and printing security framework with three categories of security functions:
Secure the Device Includes elements that protect the function of the physical device, including access controls for
Protect Information on the Network management, scanning, and printing protocols.
Effectively Monitor and
Manage
The categories within HP’s imaging and printing security framework are built from traditional network security theory, which identifies the four elements that compose a secure system: confidentiality, access control, integrity, and non-repudiation.
management and use, secure deletion of files, and physical security.
Includes network communications, including media access protocols such as 802.1x and secur
Includes the capabilities to securely manage fleets of imaging and printing devices and audit
devices for compliance to security policies and regulatory requirements
4
Loading...
+ 9 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use