Re: Tektronix (Xerox) PhaserLink 850 Webserver Vulnerability (NEW)

From: Justin Shore (macdaddyat_private)
Date: Mon Apr 30 2001 - 19:26:44 PDT


    I highly recommend assigning private IPs to all items such as printers,
    fancy fax machines, switches, etc...  The only reason to give them a
    public IP is convenience.  Convenience and security usually cancel each
    other out. It's hard to have one if you're big on the other.  Assign
    private IP subnets to the same internal subnets that you used the public
    IPs on, route them internally, and get real big on ingress/egress
    filtering of those RFC1918 blocks.  Then only your own users can hurt you.
    Sure it's not a fix-all but it's usually easier to gain accountability
    locally than on the 'Net at large.  Good luck!
    
    Justin
    
    On Mon, 30 Apr 2001, Ltlw0lf wrote:
    
    > Thanks, Francis...  Looks like 750DP and 930 printers should be added to the
    > list of printers that exhibit this vuln.
    >
    > Unfortunately, your fix doesn't always work with printers.  We've noticed on
    > most printers, a blank gateway means "find out the gateway yourself."  Most
    > printers will utilize RIP, or worse, will just choose a gateway (i.e.
    > 10.0.0.1 for network 10.0.0.0) of its own.  We've seen Tektronix printers do
    > this as well as HP printers.  We've suggested setting the default gateway
    > as the IP address of the printer, and this usually limits the vulnerability,
    > but not always.  Best is to put it behind the corporate firewall or restrict
    > it in other ways.
    >
    > Francis Favorini <francis.favoriniat_private> wrote:
    >
    > <snip>
    > > I suggest not setting a default gateway for the printer's IP
    > > configuration.
    > > This should limit the vulnerability to your own subnet.
    >
    
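Justin's suggestion above is to put printers and similar devices on RFC 1918 space and then filter those blocks at the border in both directions, so that a printer which guesses its own gateway can neither be reached from outside nor leak traffic out. The following is an added illustration, not code from the thread or from any vendor: it models a border router's ingress/egress policy over a handful of constructed flow records. The RFC 1918 blocks are the real ones; the addresses in the sample flows are hypothetical (drawn from the documentation ranges) and the function names are my own.

```python
import ipaddress

# The three RFC 1918 private blocks (values taken from the RFC itself).
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr):
    """True if the address falls inside one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


def border_decision(direction, src, dst):
    """
    Decide what a border router should do with one packet.

    direction: "in" for packets arriving from the Internet, "out" for packets
    leaving towards the Internet.  Returns ("drop", reason) or ("allow", "").

    Ingress: a packet arriving from the Internet with an RFC 1918 source is
    spoofed, and one with an RFC 1918 destination is aimed at something that
    should only be reachable internally (the printer), so both are dropped.
    Egress: a packet leaving with an RFC 1918 source or destination is internal
    addressing leaking out (for example a printer that picked its own gateway
    and is now talking to the wrong place), so it is dropped as well.
    """
    if direction == "in":
        if is_rfc1918(src):
            return ("drop", "ingress: spoofed private source")
        if is_rfc1918(dst):
            return ("drop", "ingress: private destination not reachable from outside")
    elif direction == "out":
        if is_rfc1918(src):
            return ("drop", "egress: private source must not leave")
        if is_rfc1918(dst):
            return ("drop", "egress: private destination must not leave")
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return ("allow", "")


# Constructed sample flows (hypothetical addresses, not taken from the thread).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, i.e. "public".
SAMPLE_FLOWS = [
    ("in",  "203.0.113.7",   "192.168.20.50"),  # outsider aiming at the printer
    ("in",  "10.1.2.3",      "203.0.113.9"),    # spoofed private source from outside
    ("in",  "198.51.100.4",  "203.0.113.9"),    # ordinary public-to-public traffic
    ("out", "192.168.20.50", "198.51.100.4"),   # printer sending out via a guessed gateway
    ("out", "203.0.113.9",   "198.51.100.4"),   # ordinary outbound traffic
]


def filter_flows(flows=SAMPLE_FLOWS):
    """Apply the border policy to every flow; returns the list of verdicts."""
    return [border_decision(direction, src, dst)[0] for direction, src, dst in flows]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, reason = border_decision(*flow)
        print(f"{flow[0]:>3} {flow[1]:>15} -> {flow[2]:<15} {verdict:5} {reason}")
```

Run it as a script to see each sample flow with its verdict and reason. The policy is deliberately symmetric: the ingress half is what stops the remote exploitation Ltlw0lf and Francis are discussing, while the egress half catches a printer that has quietly chosen a gateway of its own and is pushing traffic towards the border.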