Securing printers
Over my decades working with printing technology and printing sites, I have
found it to be common practice for staff to unpack a new networked printer and
simply put it online with no thought to security.
After all, it's just a printer, right? What's to secure?
Printer manufacturers ship printers with just about every feature and access
method turned on.
They want to wow their customers with everything the printer can do.
They also want to ensure that they don't get bothered with complaints that some
aspect of the printer is "not working" (because the customer has not activated it).
So, the staff at the venue put this networked printer online, try it out, and
all is well, as it happily prints everything they want.
Then weird stuff starts happening.
Some mornings, they come in and find hundreds of sheets of paper with just
gibberish or odd markings in the output tray.
During the day, they find the printer either slow or unresponsive.
What the heck is going on?
It happens because they put the printer onto the network with a public IP
address and did not in any way restrict access.
This leaves the printer open to access from anywhere on the Internet,
and out there lurk lots of malicious people whose only ambition in life is to
hurt others and waste resources.
Using automated tools, they will scour the Internet looking for vulnerable
printers and then pounce upon them, scheduling paper waste attacks overnight
when there is less likely to be anyone to notice, and denial of service attacks
during the day when staff are trying to do printing.
So, what are the vulnerabilities, and what protective measures can be taken?
- If at all possible, have the printer and its users on a private subnet.
This is easy: just implement an inexpensive router and connect your
computers and printers to it.
You've probably seen the address ranges involved in a private network: 192.168.x.x, 10.x.x.x.
With that, no one on the Internet can reach either your printer or your
computers, rendering them much safer.
Your computer users can reach out to the Internet, but those on the Internet
have no way of initiating sessions into your systems.
- Restrict access by IP address ranges.
Many printers provide a type of firewall configuration which allows
specifying a range of IP addresses from which connections will be accepted:
all other sources will be blocked.
If your printer must have a public IP address, configure restricted access if
the printer supports it.
(The wise will have chosen a printer with such capabilities in the first place.)
- Turn off unused services.
A favorite attack "vector" (target) is FTP, which is the bulk method of submitting print jobs.
Hackers favor FTP because it is such a simple protocol, designed for high volumes.
Every network printer that I have seen supports FTP submission, and every one I
have seen came with its FTP port open.
If your printer has FTP, it will also have a configuration option for turning it off.
Turn it off and you will eliminate most problems.
(A large printer that I attended to, which was barely usable, was found to be
suffering from a denial of service attack on its FTP port from a clown in China.)
No shops that I have been in ever actually used FTP for legitimate print job
submission, so turning off FTP will likely be no issue in your site.
While you are at it, also turn off all other ports not used to submit jobs at your site.
Those other ports are LPR, IPP, and Telnet.
Most commonly, jobs are submitted through port 9100, popularized by HP for
JetDirect printing.
LPR use is mostly in Unix environments.
Internet Printing Protocol is relatively popular, used by "open systems"
computer systems.
- Consider implementing a print server.
While it is possible and rather common to submit jobs directly to a printer,
you get more control and value by submitting through a print server.
Printers are relatively primitive devices where the software in them typically
never gets upgraded after time of sale.
In my experience, printers are easily befuddled, exhibiting all kinds of
anomalous behavior when they are overloaded or experience situations that their
limited programming wasn't designed to handle.
With a print server, you will have an easily upgradeable platform where you can
readily put into effect all control measures you want, in a single place, to
limit access and deal with bad inputs.
With print jobs coming from the single point of a print server,
the printer can be configured to accept input only from its IP address.
A print server also affords throttling and accounting opportunities, as well
as the ability to determine the source of connections.
As above, turn off all services which the print server does not use to
submit jobs to the printer. (Normally, SNMP would be left active, for the server
to probe printer status.)
If the printer has a USB port for injecting jobs from a memory stick,
place a seal over that port and periodically check for tampering, to keep people
from bypassing the server to print.
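
The checklist above, as an added example (not part of the original article): a short Python audit for a printer you administer, flagging a non-private address, a missing source restriction, enabled services the site does not use, and an access list wider than the print server. The function names, the sample address and the sample service list are assumptions made for illustration; the port numbers are the standard assignments for FTP, Telnet, LPR, IPP and port-9100 printing.

```python
import ipaddress
import socket

# Well-known TCP ports for the services the article names.
SERVICES = {"ftp": 21, "telnet": 23, "lpr": 515, "ipp": 631, "raw9100": 9100}
# Private ranges; the article mentions 192.168.x.x and 10.x.x.x.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def listening(host, services=SERVICES, timeout=1.0):
    """Names of services on your own printer whose TCP port accepts a connection."""
    found = []
    for name, port in services.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(name)
        except OSError:
            pass  # refused, filtered or timed out: not reachable from here
    return found

def audit(printer_ip, open_services, needed, allowed_sources=(), print_server=None):
    """List where a printer's setup departs from the measures in the article."""
    findings = []
    addr = ipaddress.ip_address(printer_ip)
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    if not any(addr in net for net in PRIVATE):
        findings.append(f"{addr} is not on a private subnet")
        if not nets:
            findings.append("no source-address restriction configured")
    for name in sorted(set(open_services) - set(needed)):
        findings.append(f"unused service enabled: {name}")
    if print_server and nets != [ipaddress.ip_network(print_server)]:
        findings.append(f"printer should accept jobs only from {print_server}")
    return findings

if __name__ == "__main__":
    # Constructed sample: a printer as unpacked, on a documentation-range
    # address standing in for a public one, at a site that prints via port 9100.
    factory = ["ftp", "telnet", "lpr", "ipp", "raw9100"]
    for line in audit("203.0.113.10", factory, needed={"raw9100"}):
        print(line)
```

To audit a live printer at your site, pass the result of `listening()` for its address as `open_services`; the check covers TCP only, so SNMP is not probed.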