[97] in Enterprise Print Delivery Team
Revised Version of Secure Printing Statement
daemon@ATHENA.MIT.EDU (Rocklyn E. Clarke)
Tue Feb 29 03:07:04 2000
Date: Tue, 29 Feb 2000 03:09:58 -0500
To: Enterprise Printing Delivery Team <PRINTDEL@MIT.EDU>
From: "Rocklyn E. Clarke" <rclarke@MIT.EDU>
Hi Team,
Here is my revised version of Mike's secure printing statement. Please reply
with any revisions. I basically just added a preamble paragraph at the
beginning.
Rocklyn
P.S. I originally sent this to PRINTDEL@MITVMA.MIT.EDU by mistake. I am now
sending it to PRINTDEL@MIT.EDU so that it will be logged by the Discuss
meeting. I apologize that you had to see this twice.
----------------------
SECURITY IN THE ENTERPRISE PRINTING ENVIRONMENT
As we attempt to develop a suitable Institute-wide printing infrastructure,
the Enterprise Printing Delivery Team has been forced to consider what is
the best way to provide secure printing services to the MIT community. We
believe that end-to-end network printing security is appropriate in a few
limited situations. For all other situations, it will be appropriate to
provide end-to-end security between the point at which print data
originates and the print spooler or processor. The recommendations
described here build on the recommendations made by the R-Ready team in
their Secure Printing Position Paper dated June 16, 1995.
As of the beginning of 2000, printing is still not considered a
high-priority application, and security, which is underemphasized by
industry in most applications, is almost nonexistent in the printing
field. Currently, no commodity printer vendors sell network printers
which support end-to-end network security. Only one vendor currently
sells an add-on device for network printers to enable end-to-end
network security.
Print data streams are not usually the target of network intruders.
Instead, the parts of a printing system which are currently more
likely to be targeted are networked printers and server(s). Printers'
IP drivers are often vulnerable to network denial-of-service attacks
such as 'land' and 'teardrop', and servers may be cracking and
intrusion targets.
Thus, until network security becomes much more readily available in
standalone devices such as networked printers, the network security
policies for enterprise printing should reflect a tradeoff between
availability and importance of the print data stream in question.
In certain cases, we must implement end-to-end network printing
security. These are cases where the damage to the Institute in the
case of interception or subversion of the print data stream could
outweigh the expense of implementation, e.g.:
- check printers
- student records/personal data
- ...?
For these printers, no data may flow across a shared network anywhere
between the data's origin and the destination device, without being
encrypted and authenticated, using a technology on par with current
standards such as triple-DES. It is acceptable for data to flow
unencrypted across a physically secure point-to-point link (as is
current practice), as it is less feasible for intruders to intercept
or subvert data in a point-to-point link.
These printers must be secured against Internet denial-of-service
attacks. We must address physical security of the printer on a
case-by-case basis. (For some printers, it may be sufficient to
ensure that the printer itself is in a secure room to which only
trusted people have access. For others, it may be necessary to
support physically secure output bins.)
In the rest of the cases of network and enterprise printing, security
is not necessarily a strict requirement (the worst-case scenario in
case of job interception or subversion is a nuisance as opposed to
serious loss to the Institute), but if done properly and scalably, can
save us many headaches in the future. We must be prepared to offer at
the minimum end-to-end security between the data's point of origin and
the print spooler or processor. Ideally, we will be able to offer any
customer end-to-end data security equivalent to that of a "sensitive"
printer detailed above.
Finally, effort should be made to secure all servers against
host-based intrusion. Also, we must ensure that there is a sufficient
infrastructure in place to scalably keep network printers' firmware
up-to-date in order to protect against denial-of-service exploits
against network firmware bugs.