You can use TLS/SSL with simple user password client auth. This is a lot
easier to set up than client certs, providing the IPP server supports it
(and it really ought to).
-----Original Message-----
From: owner-ipp@pwg.org [mailto:owner-ipp@pwg.org] On Behalf Of
McDonald, Ira
Sent: Monday, December 08, 2003 2:12 PM
To: 'Ara Roselani'; ipp@pwg.org
Subject: RE: IPP> Printing through a firewall [caution]
Hi,
[Disclaimer - the following is personal opinion - you should
consider taking some advice from your organization's network
security professionals or consultants]
Yes, port 631 (and ONLY that port) must be open on external
firewall (for inbound HTTP over TCP connections) for IPP
to work.
Personally, I would NOT let any external customer print
through my firewall via IPP, unless I had enabled the
TLS/1.0 option (which may or may not be supported in
your Hawking Parallel Print Server) and was using both
Server authentication (certificate-based SSL just like
a Web server) AND also Client authentication (cert-based
SSL authentication for your external client).
Otherwise, I think you're going to see quite significant
denial of service attacks against port 631 on the external
side of your firewall.
Here's a link to Hawking Technology's Print Server family:
http://www.hawkingtech.com/prodList.php?FamID=42
And here's the link to the Datasheet for their HPS1P product:
http://209.61.202.44/images/datasheet/HPS1P-Datasheet_LR.pdf
That datasheet describes their IPP support (briefly) but does
not mention SSL/TLS support in the implementation (not very
surprising, because cert-based authentication is not trivial).
I hope this all helps some.
Cheers,
- Ira
Ira McDonald (Musician / Software Architect)
Blue Roof Music / High North Inc
PO Box 221 Grand Marais, MI 49839
phone: +1-906-494-2434
email: imcdonald@sharplabs.com
-----Original Message-----
From: Ara Roselani [mailto:ara@americanlegalcopy.com]
Sent: Monday, December 08, 2003 4:15 PM
To: ipp@pwg.org
Subject: IPP> Printing through a firewall
I'm brand new to IPP and I have a client that wants to print directly to
our copy shop's printer. I'm attempting to set this up without breaching
security. I'm aware that I can use VPN tunneling (IPSEC), but I'm
exploring other options.
We have a Linux Firewall running on Redhat. Our internal network is
running a 192.168.4.0 scheme that goes through the firewall to the router.
I have a small Hawking 10/100 Parallel Print Server hooked up to my
printer, which allows IPP printing. It's assigned to 192.168.4.100. I can
print just fine internally. I'm at the point where I need to assign
firewall rules to let this through.
Do I need to forward port 631 to the firewall's external interface
through NAT to allow IPP to go through? Ideally, I'd like to be able to
print to the Firewall's external IP. Is this secure? Is there a better
configuration?
Thanks.
--- Ara Roselani Network Administrator Portland, Oregon
This archive was generated by hypermail 2b29 : Mon Dec 08 2003 - 17:29:19 EST