Security enthusiastic – production story

Coming back from my glorious day I’ve decided to apply some of the good practice I’ve learned to my production network. Now remember, I’m still under the alcohol influence of last night’s hot date (happy hour all night Mon-Wed at Bogotá Latin Bistro)…

I’ve started with the printers as they can do no evil. Since I just learned how important it is to avoid SNMP v1/2, I started with disabling it on my HP 4700 and worked on setting up SNMP v3.
While setting up user name and key parameters, users started calling saying they cannot print to the HP 4700…

When troubleshooting printers I always start with my PC. Printing to the 4700 from my desk worked just fine. Since my PC points directly at the printer, it indicated that both the printer and network connectivity were good.

Checking the server I noticed that the printer status is offline. All other printers had a valid online status.
I tried to restart the Print Spooler service, as it tends to fix most of the printer issues, but the status came up as online for about 15 seconds and switched back to offline.

The next move was my good old friend Google. It took maybe 2 minutes to find out that the HP Universal Driver uses SNMP:

The Universal Print Driver works on a bidirectional port.
It retrieves the printer hardware properties from the printer by sending 50 SNMP commands to check the various installed options. This works purely on a bidirectional port.
If the SNMP port is disabled or not available, then all SNMP commands fail to communicate with the printer, and show all the default features of the driver.

Checking further I found that SNMP v3 is not supported:

Does Universal Print Driver support SNMPv3?
No. The Universal Print Driver supports SNMPv1 and v2. SNMPv3 is not supported.

Once SNMP v1/2 was re-enabled (read-only, I still keep the security best practice) the printer status changed back to online.
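
A check one could run before turning off SNMP v1/2 on a device, as an added example that is not part of the original post: it reads the version field from captured UDP/161 payloads and lists the hosts still sending v1/v2c to the printer. The addresses, packet bytes and function names are constructed for illustration.

```python
# Added example: which hosts still send SNMP v1/v2c to a given printer?
from collections import defaultdict
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}   # msgVersion values on the wire

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length

def snmp_version(payload):
    """Return 'v1', 'v2c' or 'v3', or None if payload is not an SNMP message."""
    try:
        tag, body, _ = _read_tlv(payload, 0)
        if tag != 0x30:                    # every SNMP message is one SEQUENCE
            return None
        tag, value, _ = _read_tlv(body, 0)
    except ValueError:
        return None
    if tag != 0x02 or not value:           # first field is INTEGER msgVersion
        return None
    return VERSIONS.get(int.from_bytes(value, "big"))

def legacy_clients(packets, printer_ip):
    """Map source IP -> versions sent to printer_ip, for v1/v2c senders only."""
    seen = defaultdict(set)
    for src, dst, payload in packets:
        if dst == printer_ip and (version := snmp_version(payload)):
            seen[src].add(version)
    return {src: v for src, v in seen.items() if v & {"v1", "v2c"}}

# Constructed sample traffic (documentation addresses, not from the original post).
_GET = "0406 7075626c6963 a01c 0204 00000001 020100 020100 300e 300c 0608 2b06010201010100 0500"
V1_GET = bytes.fromhex("3029 020100" + _GET)     # sysDescr.0 GET, community "public"
V2C_GET = bytes.fromhex("3029 020101" + _GET)
V3_HDR = bytes.fromhex("3014 020103 300d 020101 020205dc 040104 020103 0400")  # abbreviated
PRINTER = "192.0.2.50"
SAMPLE = [("192.0.2.10", PRINTER, V1_GET), ("192.0.2.10", PRINTER, V2C_GET),
          ("192.0.2.20", PRINTER, V3_HDR), ("192.0.2.30", "192.0.2.60", V1_GET),
          ("192.0.2.40", PRINTER, b"\x00\x01not snmp")]
```

Calling `legacy_clients(SAMPLE, PRINTER)` reports only 192.0.2.10, the stand-in for a print server whose driver speaks v1/v2c; the v3-only monitoring host and the non-SNMP payload are left out.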
  1. Rofi Neron
    February 8, 2010 at 10:33 am

    more on the same subject…
    http://www.firstdigest.com pointed me to a Cisco Security Advisory: SNMP Version 3 Authentication Vulnerabilities http://www.cisco.com/en/US/products/products_security_advisory09186a00809ac83b.shtml

    the bottom line of this security advisory:
    Only SNMPv3 is impacted by these vulnerabilities
    SNMP versions 1, 2 and 2c are not impacted by these vulnerabilities

  2. February 2, 2010 at 1:47 pm

    That sucks for sure. I do remember having a similar problem with changing SNMP communities to something better than “public” and leaving no one with a working printer.

    I actually took the initiative a few years back to change all the network gear to SNMPv3. Like Sean said, I found that very few of the tools that we use actually support that version, so back to v2c they went. One day, I’ll revisit that, but, for now, it’s an acceptable risk.

  3. February 2, 2010 at 11:44 am

    All the books saying you’re supposed to use SNMPv3 make me think the author has never had to try and implement it. Like you found out, nothing supports SNMPv3. Even if the router does, many management stations don’t.

    What people don’t understand is that security is not an absolute. It’s a series of tradeoffs. Security is about managing risk, not eliminating it.

    Sean

    • Rofi Neron
      February 2, 2010 at 11:57 am

      While I agree with you, in my case both the printer and my monitoring system support SNMPv3. The problem is the HP driver that establishes the connection to the printer based on SNMP availability (Universal Print Driver). I admit that I didn’t even think about the possibility that the driver is SNMP based. But isn’t it why our job is fun?!
