
Steve Burton 09-04-2006 09:41 PM

802.1X with network printing
 
Hi,

I've been reading about 802.1X and have set it up to protect a small
(test) wireless network (WinXP supplicant) and all seems to work. I
was about to try it with part of our wired (test) network which uses
Catalyst 2950 switches when a thought occurred. How do I protect ports
which are (normally) connected to printers? Chiefly, how do I protect
the network from an interloper who unplugs a printer and connects his
own devices?

I considered that all of these ports could be connected to a distinct
LAN/VLAN which was firewalled from the main LAN/VLAN but some of the
heavier devices have multiple functions printer/copier/scanner/fax
with delivery of scans by FTP/SMTP/fax with email notification, so the
firewall solution would be non-trivial :-(
On a wireless network the problem seems even harder to solve.

How are these devices normally handled?

Steve.

Merv 09-04-2006 10:10 PM

Re: 802.1X with network printing
 
With print servers that support 802.1X authentication


Steve Burton 09-04-2006 11:17 PM

Re: 802.1X with network printing
 
On 4 Sep 2006 15:10:19 -0700, "Merv" <merv.hrabi@rogers.com> wrote:

>With print servers that support 802.1X authentication


I had a google around and found one such print server (this for
802.11g; I haven't checked for wired) but commonly we (as SAs) are
stuck with what we already have and a company propensity to continue
to buy previously successful printers, often with integral servers. I
was rather hoping for a previously overlooked 'silver-bullet'.

Steve.

Peter 09-05-2006 08:00 AM

Re: 802.1X with network printing
 
Hi Steve,

> I was about to try it with part of our wired (test) network which uses
> Catalyst 2950 switches when a thought occurred. How do I protect ports
> which are (normally) connected to printers? Chiefly, how do I protect
> the network from an interloper who unplugs a printer and connects his
> own devices?


It really comes down to how much effort you wish to put in. I can
think of 3 main ways to start with -
1. The simplest would be to lock it at the device level by applying a
simple MAC address filter.
2. Or you could use a PVLAN (a private VLAN) for the printer so that
it can ONLY connect to one other port, which is then managed by a
Router, and then use Layer 3 ACLs so that data only flows the "right
way" to/from that port.
3. Upgrade your printer so that it can participate in your 802.1X
environment.

Cheers...............pk.

--
Peter from Auckland.
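
Options 1 and 2 from the post above, combined in one Cisco IOS configuration. This is an added example, not part of Peter's post; the interface names, VLAN 50, the ACL name and all addresses (documentation ranges) are constructed, and it assumes a switch image with port security and a router doing the inter-VLAN routing.

```cisco
! Added example: every name, VLAN number and address below is constructed.
!
! --- Access switch: pin the printer port to the first MAC it learns ---
interface FastEthernet0/12
 description Printer port (no 802.1X supplicant)
 switchport mode access
 switchport access vlan 50
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! --- Router: printer VLAN 50 is 192.0.2.0/28, printer is 192.0.2.10 ---
! Port security only pins a MAC address; it does not authenticate the
! device. The ACL therefore limits what anything on this port can reach.
ip access-list extended PRINTER-VLAN-IN
 remark Replies to print jobs opened by clients (raw 9100 and LPD 515)
 permit tcp host 192.0.2.10 eq 9100 198.51.100.0 0.0.0.255 established
 permit tcp host 192.0.2.10 eq 515 198.51.100.0 0.0.0.255 established
 remark Scan-to-email via the mail relay
 permit tcp host 192.0.2.10 host 198.51.100.25 eq smtp
 remark Scan-to-FTP: control channel plus passive-mode data channel
 permit tcp host 192.0.2.10 host 198.51.100.21 eq ftp
 permit tcp host 192.0.2.10 host 198.51.100.21 gt 1023
 remark Name resolution for the relay and FTP host names
 permit udp host 192.0.2.10 host 198.51.100.53 eq domain
 remark Everything else from the printer VLAN is dropped and logged
 deny ip any any log
!
interface FastEthernet0/0.50
 description Gateway for printer VLAN
 encapsulation dot1Q 50
 ip address 192.0.2.1 255.255.255.240
 ip access-group PRINTER-VLAN-IN in
```

The `deny ... log` entry gives a record of any device on the printer port that tries to reach something a printer has no reason to talk to.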

Merv 09-05-2006 09:23 AM

Re: 802.1X with network printing
 

A number of printers with integral server (i.e. HP) support 802.1X


Steve Burton 09-05-2006 09:01 PM

Re: 802.1X with network printing
 
On 5 Sep 2006 20:00:22 +1200, "Peter" <SOMEONE@orcon.net.nz> wrote:

>Hi Steve,
>
>> I was about to try it with part of our wired (test) network which uses
>> Catalyst 2950 switches when a thought occurred. How do I protect ports
>> which are (normally) connected to printers? Chiefly, how do I protect
>> the network from an interloper who unplugs a printer and connects his
>> own devices?

>
>It really comes down to how much effort you wish to put in. I can
>think of 3 main ways to start with -
> 1. The simplest would be to lock it at the device level by applying a
>simple MAC address filter.
> 2. Or you could use a PVLAN (a private VLAN) for the printer so that
>it can ONLY connect to one other port, which is then managed by a
>Router, and then use Layer 3 ACLs so that data only flows the "right
>way" to/from that port.
> 3. Upgrade your printer so that it can participate in your 802.1X
>environment.
>
>Cheers...............pk.


Thanks for all your replies.
The wired case seems reasonably straightforward [!] but the wireless
case, where there are no physical ports, less so. I suppose using only
802.1X compliant printers *securely* wired each into its own, cheap,
(Linksys ?) AP would work though it'd be fairly unsightly and need two
mains supplies. Then, of course, you might argue that if I'm wiring
for mains twice perhaps I could run cat5 while I'm at it :-)

Steve.

Taylor, Grant 09-05-2006 11:22 PM

Re: 802.1X with network printing
 
On 09/04/06 16:41, Steve Burton wrote:
> I considered that all of these ports could be connected to a distinct
> LAN/VLAN which was firewalled from the main LAN/VLAN but some of the
> heavier devices have multiple functions printer/copier/scanner/fax
> with delivery of scans by FTP/SMTP/fax with email notification, so the
> firewall solution would be non-trivial :-(
> On a wireless network the problem seems even harder to solve.
>
> How are these devices normally handled?


I don't know if this is reasonable or not. Depending on the AP that you are using, you may be able to set up an additional SSID that does not advertise its SSID; I believe this is called beaconing(?). Then you could configure your printer to get on to the SSID that is not broadcast. This will provide some security through obscurity. Of course you will want to set up all appropriate WEP / WPA / WPA2 security on the new SSID. I would also probably recommend that you set up MAC filtering on the new SSID. You may even want to consider doing some filtering based on destination IP and / or port if you can.

I do not claim to be an expert in wireless or Cisco hardware, but I think this may give you a direction to look. For what it's worth, I know that an Aironet 350 is capable of broadcasting 16 SSIDs with only one of them beaconing.



Grant. . . .

Merv 09-06-2006 09:41 AM

Re: 802.1X with network printing
 
Out of curiosity, why the requirement to have printers use wireless ?


Taylor, Grant 09-08-2006 06:09 AM

Re: 802.1X with network printing
 
On 09/06/06 04:41, Merv wrote:
> Out of curiosity, why the requirement to have printers use wireless ?


If you ask my clients, "Because we can!".



Grant. . . .

