By Mike Majewski, SEH Technology

Confidential print data is often sent through a network as clear text without any appropriate protection. It happens even though current data protection acts require institutions and enterprises to protect personal data from unauthorized access. A careful analysis of existing security risks is the first step towards efficient protection.

Every organization has confidential data and documents that have to be protected from unauthorized access. Digitally created documents are distributed and managed in the respective organization's infrastructure, often within document management (DMS) or enterprise content management (ECM) systems. Compliance is a prevalent business concern here, companies must stay in accordance with established guidelines, specifications, or legislation. Data protection and the obligation to preserve records both fall under this umbrella. Therefore compliance includes the identification and minimization of security risks for such documents.

Secure network printing should be part of any solid IT security policy because many confidential and sensitive documents are often presented in a paper form. Without protection, print data within a network is an easy target for attacks from the outside and even more likely to be violated from inside the network. No absolute security for network printing exists, but there are a host of efficient protective measures managers can choose from. A risk analysis considering compliance regulations identifies security risks that need to be mended.

Security Risks and Protection for Print Data in a Network

Depending on the environment and security demands, a risk analysis can be very comprehensive, including access to workstations, application, documents, and data as well as securing all related hardware such as servers, printers, and all related network components. All these stations have security risks and vulnerable spots for attacks—but suitable solutions and appropriate security measures are available to counteract the vulnerabilities. A thorough risk analysis will clarify where and to what extent security measures are necessary.

Similar security risks are inherent in the network media. Copper cabling radiates electromagnetic waves (interference radiation) that transmits the information of the transferred data. Without special shielding and interference suppression, hackers can intercept and read this information. Fiber optic networks eliminate the need for this radiation, creating an environment that is eavesdropping-secure. By utilizing fiber optic print servers, print data is protected right up to the moment the ink hits the paper. To protect print data in wireless networks, authentication and encryption methods need to be up-to-date. Currently, WPA/WPA2 (Wi-Fi Protected Access) are held to be the safest WLAN encryption standards and should be supported by the print server.

Device- and user-based authentication ensure safe network access. The former connects printers via IP or MAC addresses as well as managed switches and access points to the network—but the risk of unauthorized access to the network (e.g. spoofing) will remain. Authentication of network participants via user based access regulations using an authentication instance (e.g. two-port IEEE 802.1X authentication, RADIUS server) supported by the print server is a safer method.

Secure Print Data Encryption

Print data encryption is another critical aspect of security management. Digital data leave traces on hard disks, random access memory (RAM), and network interfaces of high-end office printers and multifunctional peripherals (MFP). These devices can also include solutions that only print a particular print job after the user has been authorized at the printer. Data saved to the hard disk are encrypted and deleted automatically once the print job is released. When the printer is moved or disposed of, the hard disk is completely erased.

However, all these precautions will be futile if print data are sent through the network as clear text. Without encryption, all printing protocols transmit print data as more or less readable clear text (e.g. ASCII, PCL, Postscript). Hackers just need a simple sniffer application (like Wireshark), that they can download from the Internet, to record print data during transmission. Reading this data on the monitor is a simple task, hackers can manipulate it and even resend it afterwards. Common printing protocols (LPD/LPR/Sockets, SMB/CIFS etc.) cannot encrypt print data and offer no protection.
In order to encrypt print data there is only one vendor independent method available: printing via the Internet Printing Protocol version 1.1 (IPPv1.1), that can encrypt data with SSL/TLS in several environments—albeit, only under certain conditions.

Cups (Common Unix Printing System) supports IPPv1.1 in Linux and Unix environments and in MAC OS X. None of the current Windows operating systems supports IPP v1.1. Windows 2000, XP Professional, and Windows Server 2003 can add the IIS Web Server as a Windows component to the software category system control. The IIS Web Server can then be configured as a print server and allows IPP printing as well as SSL encrypted print data transmission via the Internet. In addition to these, only a few proprietary solutions to encrypt print data transmission exist. In contrast to the method just described, they are much easier to apply.

For example, the SEH Print Monitor is an easily applicable software tool to encrypt print jobs with just a few mouse clicks in Windows environments. Another example is the print management software ThinPrint .print. This is able to encrypt print data sent from server to client. ThinPrint SSL encryption is also available in heterogeneous environments (Linux, Unix, IBM Mainframes).

Analyzing Risks and Avoiding Damages

If a thorough risk analysis has identified the vulnerable spots in network printing, taking decisive action and minimizing or closing existing security gaps immediately is reasonable. In addition to the issues discussed so far, there are solutions for access control to the printer and to printer and print server configuration, certificate management and other risks. However, established security measures and a plausible security policy will provide the best possible protection for a limited period of time only. As methods of attack are continually developed and joined by new ones, it is important to keep one’s knowledge up to date: What are the latest standards and which new security solutions have been made available since the latest security update? Investing in network security is well worth the money because the costs for preventive security measures are significantly lower than those caused by damages resulting from security risks.

Mike Majewski is CEO SEH Technology.