Linux Can Bypass Print Servers

  It has come to our attention, that students using Linux, and possibly Macs, can bypass our print servers, and print directly to our printers.  We use Pcounter to keep track of printing charges.  So students bypassing the print servers would be able to print for free.  We don't know if anyone is actually doing this yet, but we do see this as a security hole, and we want to close it.
  I contacted the printer manufacturer, Hewlett-Packard, and their suggestion was to log on to the printer, and lock it so that it would only accept network traffic from the servers.  I followed their directions, but I was still able to bypass the server and print to that printer using Linux.
Has anyone found a solution to this issue?

Daniel Starnes
Student Computer Lab &
Network Technician
California Western School of Law

Linux Can Bypass Print Servers

Starnes, Daniel wrote:
> Has anyone found a solution to this issue?

Our student printers are on a subnet separate from the student laptop
network. The students' laptops can talk to the print servers and the
print servers can talk to the printers, but the laptops can't go
directly to the printers. For the purposes of printing, you could do
this fairly easily with an inexpensive home router (just turn off the
wireless radio, if so equipped).

FWIW, we also use PCounter, although we're not charging per-page. We
mainly use it to avoid having to throw out reams of unclaimed print jobs
(the auto-expiring feature is a wonderful thing).

James

James P. Callison, MCP+I, MCSE
Network Administrator/Webmaster
The University of Oklahoma Law Center ITS
callison@law.ou.edu
"I'm living so far beyond my income that we may almost be said
to be living apart." -- e. e. cummings

RE: Linux Can Bypass Print Servers

Make sure you turn off all unused Printing Protocols. I do not use Pc
Counter but I can assume it's a print server? So set the printer to only
accept jobs from a specific IP address (the print server).

Unless this is what you have done already.. If so I have to look into what
Ubuntu clients can do on my network.. :)

Matthew Perna MCSE
Assistant Director for Information Technology
Touro Law Center
225 East View Drive
Central Islip NY 11722
Email: Mperna@tourolaw.edu
Phone: 631-761-7072
Cell: 631-708-6418
Support: IT@tourolaw.edu
Phone: 631-761-7070

From: teknoids-bounces@ruckus.law.cornell.edu
[mailto:teknoids-bounces@ruckus.law.cornell.edu] On Behalf Of Starnes, Daniel
Sent: Monday, October 12, 2009 3:52 PM
To: teknoids@ruckus.law.cornell.edu
Subject: [teknoids] Linux Can Bypass Print Servers

It has come to our attention, that students using Linux, and possibly Macs,
can bypass our print servers, and print directly to our printers. We use
Pcounter to keep track of printing charges. So students bypassing the print
servers would be able to print for free. We don't know if anyone is actually
doing this yet, but we do see this as a security hole, and we want to close
it.

I contacted the printer manufacturer, Hewlett-Packard, and their suggestion
was to log on to the printer, and lock it so that it would only accept
network traffic from the servers. I followed their directions, but I was
still able to bypass the server and print to that printer using Linux.

Has anyone found a solution to this issue?

Daniel Starnes
Student Computer Lab &
Network Technician
California Western School of Law

RE: Linux Can Bypass Print Servers

Move the printers to a private vlan with no gateway/nat configuration on your
routers and dual home your print servers.

-Mike

Information Technology Department

University of Maryland School of Law

410-706-5771


Linux Can Bypass Print Servers

This is what software and hardware manufacturers get for refusing to support
Linux, I guess.


Linux Can Bypass Print Servers

Thank you all for the suggestions.  You all have given us some good ideas to look at.

Daniel Starnes
Student Computer Lab &
Network Technician
California Western School of Law
-----Original Message-----
From: "Sparks, Michael" <Michael.Sparks@law.lsu.edu>
Sent 10/14/2009 9:10:31 AM
To: "Teknoids" <teknoids@ruckus.law.cornell.edu>
Subject: Re: [teknoids] Linux Can Bypass Print Servers

$50, buy a Linksys WRT54GL, load Tomato (free open-source firmware
replacement, lots of cool features), configure to turn off the wireless, set
port forwarding and filters for the ports and IPs you want to allow.
Works great. We've protected nearly 20 devices with deficient native
security this way. Works with most older WRT54 models as well. Powerful,
flexible, manageable. Smaller and draws less power than dedicating an old
PC. Less work too. Only marginal geek skills required.
http://www.polarcloud.com/tomato
--
J. Michael Sparks
Director of Computing Services
Louisiana State University Law Center
michael.sparks@law.lsu.edu
225/578.8717 (f) 225/578-4682

On 10/14/09 10:40 AM, "Mike Hurley" <Mike.Hurley@law.uconn.edu> wrote:
> You can fight fire with fire. Put a Linux bridge between the printer and
> the network, and filter any packets that do not come from the print
> server. You can make the bridge out of any old PC with two NICs.
>
> +------------------------------------------+
> Michael Hurley
> Webmaster/System Administrator
> University of Connecticut School of Law
> mike.hurley@law.uconn.edu
> 860.570.5233
> +------------------------------------------+

Linux Can Bypass Print Servers

You can fight fire with fire. Put a Linux bridge between the printer and
the network, and filter any packets that do not come from the print
server. You can make the bridge out of any old PC with two NICs.

+------------------------------------------+
Michael Hurley
Webmaster/System Administrator
University of Connecticut School of Law
mike.hurley@law.uconn.edu
860.570.5233
+------------------------------------------+

teknoids-bounces@ruckus.law.cornell.edu wrote on 10/13/2009 11:05:36 AM:

> From: Sam Glover <samglover@consumerlawyer.mn>
> To: Teknoids <teknoids@ruckus.law.cornell.edu>
> Date: 10/13/2009 11:06 AM
> Subject: Re: [teknoids] Linux Can Bypass Print Servers
> Sent by: teknoids-bounces@ruckus.law.cornell.edu
>
> This is what software and hardware manufacturers get for refusing to support
> Linux, I guess.


Linux Can Bypass Print Servers

$50, buy a Linksys WRT54GL, load Tomato (free open-source firmware
replacement, lots of cool features), configure to turn off the wireless, set
port forwarding and filters for the ports and IPs you want to allow.

Works great. We've protected nearly 20 devices with deficient native
security this way. Works with most older WRT54 models as well. Powerful,
flexible, manageable. Smaller and draws less power than dedicating an old
PC. Less work too. Only marginal geek skills required.

http://www.polarcloud.com/tomato
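
The filtering described in the bridge and router suggestions above, written out as an added example that is not from any poster in this thread. It assumes nftables as the filtering tool (the thread names none); the `print_guard` table name and the 192.0.2.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: nftables ruleset for a two-NIC Linux bridge (or filtering
# router) in front of a printer. nftables and all addresses are assumptions.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ruleset on stdout. Fails with no output if an address is malformed,
# so nothing unvalidated is ever interpolated into text fed to nft.
print_guard_ruleset() {
    server=$1 printer=$2
    is_ipv4 "$server" && is_ipv4 "$printer" || return 1
    [ "$server" != "$printer" ] || return 1
    cat <<EOF
table bridge print_guard {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # ARP must cross the bridge or the server can never resolve the printer.
        ether type arp accept
        # Jobs and management traffic from the print server only.
        ip saddr $server ip daddr $printer accept
        # Replies and status from the printer, to the print server only.
        ip saddr $printer ip daddr $server accept
    }
}
EOF
}

# Constructed documentation addresses (RFC 5737); substitute your own.
# To load on the bridge host as root: print_guard_ruleset ... | nft -f -
print_guard_ruleset 192.0.2.10 192.0.2.50
```

Pipe the output through `nft -c -f -` to syntax-check it before loading. The printer is assumed to have a static address, since the drop policy also blocks its DHCP broadcasts.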