802.1X with network printing

Discussion in 'Cisco' started by Steve Burton, Sep 4, 2006.

  1. Steve Burton

    Steve Burton Guest

    Hi,

    I've been reading about 802.1X and have set it up to protect a small
    (test) wireless network (WinXP supplicant) and all seems to work. I
    was about to try it with part of our wired (test) network which uses
    Catalyst 2950 switches when a thought occurred. How do I protect ports
    which are (normally) connected to printers? Chiefly, how do I protect
    the network from an interloper who unplugs a printer and connects his
    own devices?

    I considered that all of these ports could be connected to a distinct
    LAN/VLAN which was firewalled from the main LAN/VLAN but some of the
    heavier devices have multiple functions printer/copier/scanner/fax
    with delivery of scans by FTP/SMTP/fax with email notification, so the
    firewall solution would be non-trivial :-(
    On a wireless network the problem seems even harder to solve.

    How are these devices normally handled?

    Steve.
     
    Steve Burton, Sep 4, 2006
    #1

  2. Steve Burton

    Merv Guest

    With print servers that support 802.1X authentication
     
    Merv, Sep 4, 2006
    #2

  3. Steve Burton

    Steve Burton Guest

    On 4 Sep 2006 15:10:19 -0700, "Merv" <> wrote:

    >With print servers that support 802.1X authentication


    I had a google around and found one such print server (this for
    802.11g; I haven't checked for wired) but commonly we (as SAs) are
    stuck with what we already have and a company propensity to continue
    to buy previously successful printers, often with integral servers. I
    was rather hoping for a previously overlooked 'silver-bullet'.

    Steve.
     
    Steve Burton, Sep 5, 2006
    #3
  4. Steve Burton

    Peter Guest

    Hi Steve,

    > I was about to try it with part of our wired (test) network which uses
    > Catalyst 2950 switches when a thought occurred. How do I protect ports
    > which are (normally) connected to printers? Chiefly, how do I protect
    > the network from an interloper who unplugs a printer and connects his
    > own devices?


    It really comes down to how much effort you wish to put in. I can
    think of 3 main ways to start with -
    1. The simplest would be to lock it at the device level by applying a
    simple MAC address filter.
    2. Or you could use a PVLAN (a private VLAN) for the printer so that
    it can ONLY connect to one other port, which is then managed by a
    Router and then use Layer 3 ACLs so that data only flowed the "right
    way" to/from that port.
    3. Upgrade your printer so that it can participate in your 802.1X
    environment.

    Cheers...............pk.

    --
    Peter from Auckland.
     
    Peter, Sep 5, 2006
    #4
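
A way to check where a switch stands on option 1 above, as an added example that is not part of the thread: it parses a constructed running-config excerpt and reports which access ports use 802.1X, which are pinned to one MAC address with port security, and which have neither. The interface names, descriptions and MAC address are constructed, and the function names are hypothetical.

```python
import re

# Constructed running-config excerpt (not from the thread): Fa0/1 is a user port
# on 802.1X, Fa0/5 a printer pinned to one MAC address, Fa0/6 a printer with neither.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description user desk
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/5
 description printer
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0000.5e00.5301
 switchport port-security violation shutdown
!
interface FastEthernet0/6
 description printer
 switchport mode access
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the interface block
    return interfaces

def classify(lines):
    """Name the access control on one port: 'dot1x', 'mac-filter' or 'none'."""
    if "dot1x port-control auto" in lines:
        return "dot1x"
    # Without a static entry the secure MAC is learned afresh after link-down,
    # so only a configured mac-address counts as a filter here.
    pinned = any(l.startswith("switchport port-security mac-address ") for l in lines)
    return "mac-filter" if "switchport port-security" in lines and pinned else "none"

def audit(config):
    return {name: classify(cmds) for name, cmds in parse_interfaces(config).items()}

def unprotected_ports(config):
    return [name for name, state in audit(config).items() if state == "none"]
```

Run against a saved copy of the switch configuration, `unprotected_ports()` lists the ports that still need one of the three options.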
  5. Steve Burton

    Merv Guest

    A number of printers with integral server (i.e. HP) support 802.1X
     
    Merv, Sep 5, 2006
    #5
  6. Steve Burton

    Steve Burton Guest

    On 5 Sep 2006 20:00:22 +1200, "Peter" <> wrote:

    >Hi Steve,
    >
    >> I was about to try it with part of our wired (test) network which uses
    >> Catalyst 2950 switches when a thought occurred. How do I protect ports
    >> which are (normally) connected to printers? Chiefly, how do I protect
    >> the network from an interloper who unplugs a printer and connects his
    >> own devices?

    >
    >It really comes down to how much effort you wish to put in. I can
    >think of 3 main ways to start with -
    > 1. The simplest would be to lock it at the device level by applying a
    >simple MAC address filter.
    > 2. Or you could use a PVLAN (a private VLAN) for the printer so that
    >it can ONLY connect to one other port, which is then managed by a
    >Router and then use Layer 3 ACLs so that data only flowed the "right
    >way" to/from that port.
    > 3. Upgrade your printer so that it can participate in your 802.1X
    >environment.
    >
    >Cheers...............pk.


    Thanks for all your replies.
    The wired case seems reasonably straightforward [!] but the wireless
    case, where there are no physical ports, less so. I suppose using only
    802.1X compliant printers *securely* wired each into its own, cheap,
    (Linksys ?) AP would work though it'd be fairly unsightly and need two
    mains supplies. Then, of course, you might argue that if I'm wiring
    for mains twice perhaps I could run cat5 while I'm at it :)

    Steve.
     
    Steve Burton, Sep 5, 2006
    #6
  7. On 09/04/06 16:41, Steve Burton wrote:
    > I considered that all of these ports could be connected to a distinct
    > LAN/VLAN which was firewalled from the main LAN/VLAN but some of the
    > heavier devices have multiple functions printer/copier/scanner/fax
    > with delivery of scans by FTP/SMTP/fax with email notification, so the
    > firewall solution would be non-trivial :-(
    > On a wireless network the problem seems even harder to solve.
    >
    > How are these devices normally handled?


    I don't know if this is reasonable or not. Depending on the AP that you are using, you may be able to set up an additional SSID that does not advertise its SSID; I believe this is called beaconing(?). Then you could configure your printer to get on to the SSID that is not broadcast. This way will provide some security through obscurity. Of course you will want to set up all appropriate WEP / WPA / WPA2 security on the new SSID. I would also probably recommend that you set up MAC filtering on the new SSID. You may even want to consider doing some filtering based on destination IP and / or port if you can.

    I do not claim to be an expert in wireless or Cisco hardware, but I think this may give you a direction to look. For what it's worth, I know that an Aironet 350 is capable of broadcasting 16 SSIDs with only one of them beaconing.



    Grant. . . .
     
    Taylor, Grant, Sep 6, 2006
    #7
  8. Steve Burton

    Merv Guest

    Out of curiosity, why the requirement to have printers use wireless ?
     
    Merv, Sep 6, 2006
    #8
  9. On 09/06/06 04:41, Merv wrote:
    > Out of curiosity, why the requirement to have printers use wireless ?


    If you ask my clients, "Because we can!".



    Grant. . . .
     
    Taylor, Grant, Sep 8, 2006
    #9