[Sussex] Secure Printing

Richard Smith richard at blackmesahydro.com
Tue Jan 6 14:00:57 UTC 2009


Hi Brendan,

Just a thought but it may be that all the NHS require is a VPN between the
two networks, thus providing security from the outside world and not
necessarily from an internal network.

You would need to provide a fixed IP address on the printer / print server,
this in my experience works well, especially using LPD.

Richard.


-----Original Message-----
From: sussex-bounces at mailman.lug.org.uk
[mailto:sussex-bounces at mailman.lug.org.uk] On Behalf Of
sussex-request at mailman.lug.org.uk
Sent: 06 January 2009 12:00
To: sussex at mailman.lug.org.uk
Subject: Sussex Digest, Vol 272, Issue 1


Today's Topics:

   1. Secure printing (Brendan BT Account)
   2. Secure printing (Brendan BT Account)
   3. Re: Secure printing (Alex Harrington)
   4. Re: Secure printing (Steve Dobson)
   5. Re: Secure printing (Brendan BT Account)
   6. Re: Secure printing (Matthew Macdonald-Wallace)


----------------------------------------------------------------------

Message: 1
Date: Mon, 05 Jan 2009 14:57:21 +0000
From: Brendan BT Account <d740whelan at btinternet.com>
Subject: [Sussex] Secure printing
To: LUG email list for the Sussex Counties <sussex at mailman.lug.org.uk>
Message-ID: <49621FD1.5050501 at btinternet.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

We are quoting for an NHS job where they want secure transmission of
patient data. HTTPS will securely handle information between browsers
and the servers and we can encrypt/password protect any downloadable
reports. However, printing would seem to be more tricky as by default
Postscript and raw text files (to label printers) are unencrypted.
Secure Jet  (http://www.artimbilisim.com/urun09/SecureJET.pdf) would
seem to handle laser printers. Has anyone experience in encrypting
printer output or any suggestions?  Thanks, Brendan




------------------------------

Message: 2
Date: Mon, 05 Jan 2009 11:55:43 +0000
From: Brendan BT Account <d740whelan at btinternet.com>
Subject: [Sussex] Secure printing
To: LUG email list for the Sussex Counties <sussex at mailman.lug.org.uk>
Message-ID: <4961F53F.9020503 at btinternet.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

We are quoting for an NHS job where they want secure transmission of 
patient data. HTTPS will securely handle information between browsers 
and the servers and we can encrypt/password protect any downloadable 
reports. However, printing would seem to be more tricky as by default 
Postscript and raw text files (to label printers) are unencrypted. 
Secure Jet  (http://www.artimbilisim.com/urun09/SecureJET.pdf) would 
seem to handle laser printers. Has anyone experience in encrypting 
printer output or any suggestions?  Thanks, Brendan



------------------------------

Message: 3
Date: Mon, 5 Jan 2009 17:25:54 -0000
From: "Alex Harrington" <alex at longhill.org.uk>
Subject: Re: [Sussex] Secure printing
To: "Sussex LUG" <sussex at mailman.lug.org.uk>,	"LUG email list for the
	Sussex Counties" <sussex at mailman.lug.org.uk>
Message-ID:
	<2779A35BE6EBB14A808809C7E825052901F2B180 at mcexchange.mail.longhill.brighton-hove.sch.uk>
Content-Type: text/plain;	charset="iso-8859-1"

> However, printing would seem to be more tricky as by default 
> Postscript and raw text files (to label printers) are unencrypted. 
> Secure Jet  (http://www.artimbilisim.com/urun09/SecureJET.pdf) would 
> seem to handle laser printers. Has anyone experience in encrypting 
> printer output or any suggestions?  Thanks, Brendan

Could you not tunnel LPD or similar over stunnel to a linux print server
with the label printer directly attached via USB/serial/parallel?

A

-- 
Alex Harrington - Network Manager
Longhill High School
t: 01273 304086 e: alex at longhill.org.uk
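
Alex's suggestion of carrying LPD inside stunnel could be configured along these lines. This is an added example, not part of the original message; the host names, ports, service names and certificate paths are assumptions.

```ini
; ---- sending host (database server): /etc/stunnel/lpd-client.conf ----
; Constructed example: every name, port and path below is an assumption.
[lpd-out]
client = yes
; the local print queue is pointed at this loopback port instead of the print server
accept = 127.0.0.1:1515
; TLS listener on the print server (see the second file)
connect = printserver.example:5515
; only accept a print server whose certificate chains to the print CA
; and names the host we meant to reach
CAfile = /etc/stunnel/print-ca.pem
verifyChain = yes
checkHost = printserver.example
; client certificate presented to the print server
cert = /etc/stunnel/dbserver.pem
key = /etc/stunnel/dbserver.key

; ---- print server: /etc/stunnel/lpd-server.conf ----
[lpd-in]
; encrypted jobs arrive here
accept = 5515
; and are handed in clear text to the local LPD daemon over loopback only
connect = 127.0.0.1:515
cert = /etc/stunnel/printserver.pem
key = /etc/stunnel/printserver.key
; require a client certificate issued by the print CA, so only known
; senders can submit jobs
CAfile = /etc/stunnel/print-ca.pem
verifyChain = yes
```

For the tunnel to be the only path, port 515 on the print server should be reachable from loopback only (firewall or daemon bind address). The LPD daemon will see jobs arriving from 127.0.0.1 on an unprivileged source port, so daemons that enforce the RFC 1179 source-port range or per-host access lists need to allow that.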



------------------------------

Message: 4
Date: Mon, 05 Jan 2009 19:28:16 +0000
From: Steve Dobson <steve.dobson at syscall.org.uk>
Subject: Re: [Sussex] Secure printing
To: Sussex LUG <sussex at mailman.lug.org.uk>
Message-ID: <49625F50.7020502 at syscall.org.uk>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Brendan

Not sure why you submitted this twice, but I will only answer once :-)

Brendan BT Account wrote:
> We are quoting for an NHS job where they want secure transmission of
> patient data. HTTPS will securely handle information between browsers
> and the servers and we can encrypt/password protect any downloadable
> reports. However, printing would seem to be more tricky as by default
> Postscript and raw text files (to label printers) are unencrypted.
> Secure Jet  (http://www.artimbilisim.com/urun09/SecureJET.pdf) would
> seem to handle laser printers. Has anyone experience in encrypting
> printer output or any suggestions?  Thanks, Brendan

What is the physical layout of the servers, network and workstations?
How secure is the physical stuff?  Browsers need a secure communications
link because they often communicate over a network (Internet) which is
not secure.

On the other hand printers normally sit in offices without armed guards
checking the identities of anyone coming to correct their print jobs.
Once a print has been done it is just sitting there and anyone can pick
it up and read it.  What security is at the other end to ensure the
security of the data once made physically manifest?

The first rule of security, which I learnt from my days working at a
military systems supplier, is "that if you don't have physical security
you don't have security at all!"  The army will post an armed guard (with
orders to shoot to kill) by the printer to check identities if that is what
it takes to secure the system.  They will also post guards along the route
of the network cabling if that needs to be secured too.

If the network isn't secure[1] then the NHS has bigger problems than
print job security.  I would suggest that you ask some probing questions
about their infrastructure.

Steve

[1] An example would be if a patient could plug their laptop into the
same network as the NHS's staff.  As the patients are not trusted people
(and we will assume here that all staff are) then they should be on a
physically separate network to guard against casual network traffic
snooping.  After all the SMB protocol as used by Windows to share files
and print jobs transmits its passwords (and all its data) in clear
text - very useful to your casual network snooper.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJYl9Qu7HOw0Q66oERAqzXAJ40ZNtCJvB8uhrVYGcyZbl1DEh0QgCguknq
A6Gni033dx0IsEMuIw7RYdk=
=Fa+f
-----END PGP SIGNATURE-----



------------------------------

Message: 5
Date: Tue, 06 Jan 2009 10:40:15 +0000
From: Brendan BT Account <d740whelan at btinternet.com>
Subject: Re: [Sussex] Secure printing
To: Sussex LUG <sussex at mailman.lug.org.uk>
Message-ID: <4963350F.6070103 at btinternet.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Thanks to Alex and Steve for responding. I agree that in many ways 
printer security is a bit of a farce but NHS IT departments tend to come 
up with rules without fully considering all the implications. In this 
case, all printers will be in laboratories that are protected against 
unauthorised access, so encrypting data transferred from the main 
database server to a print server would be a practical approach. At this 
stage all I am seeking is a tick in a box so that we aren't precluded 
from bidding on a technicality.  Brendan





------------------------------

Message: 6
Date: Tue, 06 Jan 2009 11:03:47 +0000
From: Matthew Macdonald-Wallace <matthew at truthisfreedom.org.uk>
Subject: Re: [Sussex] Secure printing
To: sussex at mailman.lug.org.uk
Message-ID:
	<20090106110347.urq22r6n28cs48sk at webmail.truthisfreedom.org.uk>
Content-Type: text/plain;	charset=ISO-8859-1;	DelSp="Yes";
	format="flowed"

Just googled quickly, Novell have something called iPrint that allows
authentication against their Linux eDirectory Servers and provides
secure printing via SSL:

http://www.novell.com/documentation/nnls/index.html?page=/documentation/nnls/iprint/data/akujjgs.html

http://www.novell.com/products/openenterpriseserver/iprint.html

This thread:

http://osdir.com/ml/printing.cups.general/2004-03/msg00050.html

Also has some information about securing CUPS printing using TLS/SSL/etc.

HTH,

M.





-- 
Matthew Macdonald-Wallace
matthew at truthisfreedom.org.uk
http://www.truthisfreedom.org.uk/



------------------------------

-- 
Sussex mailing list
Sussex at mailman.lug.org.uk
E-mail Address: sussex at mailman.lug.org.uk
Sussex LUG Website: http://www.sussex.lug.org.uk/
https://mailman.lug.org.uk/mailman/listinfo/sussex


End of Sussex Digest, Vol 272, Issue 1
**************************************



