On the heels of Google indexing more than 86,000 HP printers, how can I make sure my network printers aren't inadvertently available on the Internet?
So you're saying that turning what has previously been considered a private or local network function into a service available over the WAN has led to vulnerabilities? I'm shocked! Sarcasm aside, you're referencing the incident earlier this year in which it was discovered that Google's search engine had indexed tens of thousands of privately owned printers that had been inadvertently made available to the public Internet. This is an information security problem: not only does it invite malicious hackers to cause all sorts of mischief in the form of rogue printing, but it could also set the stage for high-risk incidents, such as an attacker accessing a print server queue or even overloading and breaking some printers.
When introducing any new service into your network, it's best to allow the service to be accessed only from within the LAN. Configuring your network printers to accept connections only from devices with internally facing IP addresses ensures that the device will not be discoverable via Google. Because a printer is a network device, motivated network attackers can still connect to the device, but they would have to do so without the help of Google.
However, some organizations want to access the full range of functionality from their printers to enable users to print to a network printer while away from the office. As with any remotely available service, introducing some sort of password mechanism is a good start. Simply allowing individuals from outside of your network to access services without authenticating themselves is bad practice no matter which way you slice it.
Lastly, I can't say I'm crazy about allowing people from outside of my network to access my network services without going through some sort of VPN or secure remote desktop service. Configuring some type of encrypted access to your network -- no matter the scenario -- limits your exposure to this vulnerability exponentially.
This was first published in July 2013
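The LAN-only advice above can be checked against a printer inventory and the perimeter's port-forward list. The following is an added example, not part of the original answer; the record formats, device names and addresses are constructed for illustration, and the port table lists the standard LPD, IPP and raw printing ports plus the embedded web admin pages.

```python
import ipaddress

# RFC 1918 private ranges: the "internally facing" addresses a printer should use.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Standard printing ports plus the embedded web admin pages.
PRINTER_PORTS = {80: "web admin", 443: "web admin (TLS)", 515: "LPD",
                 631: "IPP", 9100: "raw/JetDirect"}

# Constructed sample inventory and perimeter port forwards (assumed formats).
PRINTERS = [
    {"name": "hr-laserjet", "ip": "192.168.10.21"},
    {"name": "lobby-mfp", "ip": "203.0.113.20"},   # routable-style address
    {"name": "eng-plotter", "ip": "10.4.2.9"},
    {"name": "warehouse", "ip": "10.4.2.300"},     # inventory typo
]
FORWARDS = [
    {"wan_port": 9100, "dest_ip": "192.168.10.21", "dest_port": 9100},
    {"wan_port": 8443, "dest_ip": "10.4.2.50", "dest_port": 443},  # not a printer
]

def is_internal(ip):
    """True only for addresses inside an RFC 1918 range (IPv6 is never internal here)."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in RFC1918)

def audit(printers, forwards):
    """Return sorted (printer, finding) tuples for printers that may be WAN-reachable."""
    findings, by_ip = [], {}
    for p in printers:
        try:
            internal = is_internal(p["ip"])
        except ValueError:
            # An address we cannot parse cannot be shown to be internal.
            findings.append((p["name"], "unparseable address in inventory"))
            continue
        by_ip[p["ip"]] = p["name"]
        if not internal:
            findings.append((p["name"], "address %s is not RFC 1918" % p["ip"]))
    for f in forwards:
        name = by_ip.get(f["dest_ip"])
        if name is not None:  # a forward that lands on a known printer
            svc = PRINTER_PORTS.get(f["dest_port"], "unknown service")
            findings.append((name, "WAN port %d forwarded to %s on port %d"
                             % (f["wan_port"], svc, f["dest_port"])))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(PRINTERS, FORWARDS):
        print("%-12s %s" % (name, finding))
```

A printer with a private address can still be exposed by a port forward, which is why the audit checks both lists.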