Building Internet Firewalls

Chapter 8
Configuring Internet Services

8.17 Printing Protocols (lpr and lp)

The BSD lpr printing system is very similar to the BSD "r" commands discussed earlier in this chapter (rsh, rlogin, rcp, rdump, rdist). Unlike the "r" commands, lpr authorizes hosts, not individual users, and it will accept jobs from hosts in /etc/printers.equiv as well as /etc/hosts.equiv.

The System V lp printing system doesn't really have a remote printing component. When it does remote printing, it usually does it by handing the job off to a BSD lpr printing system, or by using the BSD rsh command (which is often called remsh on System V systems, because such systems have another program called rsh that does something else entirely).

Given the deficiencies of both lp and lpr, many UNIX vendors implement their own solutions to remote printing. Other platforms may support lp, lpr, a separate protocol, or some combination. Because it has its own protocol, which is somewhat easier to implement than rsh, lpr is more popular than lp on non-UNIX systems, but many of them have their own protocols. Some printers are network devices in their own right, sometimes speaking lp or lpr directly, and sometimes (particularly older printers) speaking a protocol developed by the printer manufacturer.

For the most part, the wide variety of other network printing protocols that are out there share a common feature: they're no more secure than lpr. Most of them are not even as secure as lpr (if you can reach the system with a print request in the right protocol, it will print it). Because modern PostScript printers can be intelligent Ethernet devices with their own disks, it is theoretically possible for a rogue print job to turn one into a network sniffing device. In practice, this is a baroquely complex approach; attackers aren't very likely to succeed at it. However, more mundane denial of service attacks on printers are eminently possible, and in fact have been known to happen.

Some of these attacks are merely annoying, such as simply printing page after page of garbage (or, better yet, something offensive to the victim or their coworkers) until the printer runs out of paper. Unfortunately, the nastiest of them are enabled by a security feature in PostScript. PostScript was designed to protect certain dangerous commands by requiring a password before they were executed. This password is stored in an EEPROM chip on the printer, and is factory-set to "0" on every brand of PostScript printer. It's always the same because it must always be the same: some of the commands that the PostScript designers considered dangerous are routinely used by standard PostScript drivers, and if you change the password, those drivers will no longer work. Because resetting the password requires either the old password or a ROM burner, a program that uses the well-known "0" password to reset the password to something unknown can make printers effectively unusable until new EEPROMs are sent from the factory. (Some printers will run without the EEPROM, with an effective password of 0.) Removing or replacing the EEPROM resets not only the password, but also the printer ID and the page count; if you have fonts licensed to the printer, they will have to be relicensed. Since the last wave of such attacks, licensing of fonts to individual printers has become uncommon.

The intelligence and vulnerability of PostScript devices make it important to protect your printers from Internet access. Make sure you have blocked any remote printing protocols your machines and printers use. You will need to check every printer type and every machine type separately.

8.17.1 Packet Filtering Characteristics of lpr

lpr is TCP-based. Servers use port 515. Clients use random ports below 1024, just like the BSD "r" commands, as discussed above.

Direction  Source Addr.  Dest. Addr.  Protocol  Source Port  Dest. Port  ACK Set  Notes
In         Ext           Int          TCP       <1024        515         [53]     Incoming lpr, client to server
Out        Int           Ext          TCP       515          <1024       Yes      Incoming lpr, server to client
Out        Int           Ext          TCP       <1024        515         [53]     Outgoing lpr, client to server
In         Ext           Int          TCP       515          <1024       Yes      Outgoing lpr, server to client

[53] ACK is not set on the first packet of this type (establishing connection) but will be set on the rest.
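The following is an added illustration, not code from the book: it encodes the four rows of the table above as a small packet-filter evaluator, with a policy that permits outgoing lpr (internal clients printing to outside servers) and denies incoming lpr, the default the chapter recommends. The Packet type, the rule table and the sample packets are constructed for this example; the point it shows is why the ACK column matters, since a packet arriving from port 515 without ACK set is a connection attempt, not a reply, and is rejected.

```python
from dataclasses import dataclass
from typing import Callable, Optional

LPR_PORT = 515  # lpr servers listen on TCP port 515


def privileged(port: int) -> bool:
    """lpr clients, like the BSD "r" commands, use a source port below 1024."""
    return 0 < port < 1024


def is_lpr(port: int) -> bool:
    return port == LPR_PORT


@dataclass(frozen=True)
class Packet:  # constructed for this example
    direction: str  # "in" = external -> internal, "out" = internal -> external
    proto: str      # "TCP" or "UDP"
    src_port: int
    dst_port: int
    ack: bool       # TCP ACK flag


# The four rows of the table: (direction, src port test, dst port test, ACK required, service).
# "incoming" = external clients printing to us; "outgoing" = our clients printing elsewhere.
RULES: list[tuple[str, Callable[[int], bool], Callable[[int], bool], bool, str]] = [
    ("in",  privileged, is_lpr,     False, "incoming"),  # client -> server, first packet lacks ACK
    ("out", is_lpr,     privileged, True,  "incoming"),  # server -> client, always ACK
    ("out", privileged, is_lpr,     False, "outgoing"),  # client -> server
    ("in",  is_lpr,     privileged, True,  "outgoing"),  # server -> client, always ACK
]


def classify(pkt: Packet) -> Optional[str]:
    """Return the lpr service a packet belongs to ("incoming"/"outgoing"), or None."""
    if pkt.proto != "TCP":
        return None
    for direction, src_ok, dst_ok, ack_required, service in RULES:
        if pkt.direction != direction or not src_ok(pkt.src_port) or not dst_ok(pkt.dst_port):
            continue
        if ack_required and not pkt.ack:
            continue  # looks like a reply row but is really a new connection: do not match
        return service
    return None


def decide(pkt: Packet, allow_incoming: bool = False, allow_outgoing: bool = True) -> str:
    """Apply the site policy to a classified packet; anything unmatched is denied."""
    service = classify(pkt)
    if service == "incoming" and allow_incoming:
        return "permit"
    if service == "outgoing" and allow_outgoing:
        return "permit"
    return "deny"
```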

8.17.2 Proxying Characteristics of lpr

lpr is a store-and-forward protocol, capable of being configured to do its own proxying. You can simply run a standard lpr configuration on your proxy server and configure it to drive whatever printers you like or pass jobs to another server. This does not provide security improvements over direct lpr, but it will let lpr cross a nonrouting host.

8.17.3 Packet Filtering and Proxying Characteristics of lp

lp itself provides no remote printing support. It handles printing across the network by using either rsh, which is covered above with the other BSD "r" commands, or lpr. To determine what your printer configuration is using, configure a remote printer and read its interface file (which is usually stored in /usr/spool/lp/interfaces/printername). Some vendors may also provide novel remote printing systems for use with lp; you will need to consult your vendor documentation.

8.17.4 Summary Recommendations for Printing Protocols

