Mobility Print is the answer to encryption for both iOS and MacOS, as IPPS is used as the printing protocol.
Note, however, that both iOS and MacOS devices accept self-signed certificates. On the open internet, where there are many hops between you and the server, a self-signed certificate is not secure because any of these hops can introduce a man-in-the-middle attack. On a local network, however, the risk is considerably less, especially in a switched network environment.
Best practice: If you want to minimize the risk of man-in-the-middle attacks, make sure you use secure Wi-Fi protocols, and consider using security tools that actively monitor for address spoofing attempts.
PaperCut’s Android Mobility Print app uses encrypted printing for Android devices out of the box. Print jobs are sent to the Mobility Print server over HTTPS. Similar to iOS and MacOS, self-signed certificates are accepted.
ChromeOS currently prints over IPP (not IPPS) to Mobility Print. User identity information such as passwords and usernames is encrypted, but the spool file is not. If fully encrypted printing from ChromeOS is required, consider setting up PaperCut Web Print (over HTTPS) or using Google Cloud Print integration with PaperCut MF and NG.
Print server to printers
Firstly, you need to check whether your printer supports IPPS. Check your printer specification.
If your printers support IPPS, you are in luck, as you can set up an encrypted connection between your print server and the printer. If your printers only support LPD, then there are still a few things you can do to avoid someone snooping and capturing the print jobs, which will be explained below.
IPPS between the server and printers
PaperCut MF and NG can securely forward print jobs to printers over IPPS. Follow this guide on how to configure IPPS printers and PaperCut MF and NG.
How to secure printers that do not support IPPS
As print jobs won’t be encrypted, your only defence is to separate network traffic between your server and printers from the rest of the network.
Firstly, configure your printers on a different VLAN. Secondly, to ensure someone can’t access the private VLAN by pulling out a network cable from a printer, follow the user manual of your switch to configure port security to only accept your printer’s MAC address.
Checking whether encryption to a website is configured is pretty easy. Simply open a browser and see whether it complains about the security.
Checking the encryption of print jobs is slightly more involved, and a little bit more fun. You’ll need Wireshark to analyse network protocols; for instructions on how to use Wireshark to validate that your jobs are secure, follow this guide.
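What that check looks for can be expressed in a few lines. The following is an added example, not PaperCut code: it classifies the first client payload of a print connection as a TLS handshake (IPPS or HTTPS) or as cleartext IPP, where the operation and spool data are readable on the wire. The sample payloads, host name and queue name are constructed for illustration.

```python
import struct

# IPP operation ids from RFC 8011 (subset).
IPP_OPS = {0x0002: "Print-Job", 0x0004: "Validate-Job", 0x000B: "Get-Printer-Attributes"}

def classify_first_payload(payload: bytes) -> dict:
    """Classify the first client-to-server TCP payload of a print connection."""
    # TLS record header: type 0x16 (handshake), version 0x03xx, 2-byte length,
    # followed by handshake type 0x01 (ClientHello). Seen with IPPS and HTTPS.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return {"encrypted": True, "detail": "TLS ClientHello"}
    head, sep, body = payload.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    if not sep or not request_line.startswith(b"POST "):
        return {"encrypted": False, "detail": "unrecognised (neither TLS nor HTTP POST)"}
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.split(b";")[0].strip().lower()
    if headers.get(b"content-type") != b"application/ipp":
        return {"encrypted": False, "detail": "cleartext HTTP, not IPP"}
    if len(body) < 8:
        return {"encrypted": False, "detail": "cleartext IPP, header in a later segment"}
    # IPP request header (RFC 8010): version major/minor, operation-id, request-id.
    major, minor, op, _request_id = struct.unpack(">BBHI", body[:8])
    name = IPP_OPS.get(op, f"operation 0x{op:04x}")
    return {"encrypted": False, "detail": f"cleartext IPP/{major}.{minor} {name}"}

# Constructed sample payloads (not captured from a real network).
SAMPLE_TLS = bytes.fromhex("16030100c8010000c40303") + bytes(32)
SAMPLE_IPP = (
    b"POST /printers/constructed-queue HTTP/1.1\r\n"
    b"Host: printserver.example:631\r\n"
    b"Content-Type: application/ipp\r\n\r\n"
    + struct.pack(">BBHI", 2, 0, 0x0002, 1)
    + b"\x01\x03%PDF-1.4 constructed spool data"
)

if __name__ == "__main__":
    for label, sample in (("tls", SAMPLE_TLS), ("ipp", SAMPLE_IPP)):
        print(label, classify_first_payload(sample))
```

Feed it the first client payload of each connection to the print server or printer, for example the raw bytes of a TCP stream exported from a Wireshark capture.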
As mentioned earlier, an important part of security is maintenance. All too often, vulnerabilities occur through lack of maintenance. This is often a forgotten step, so here are our top tips on making your print environment secure… FOREVER!
- Document your security policies and design. If you leave one day, someone should be able to pick up from where you left off.
- Keep your printers on a different VLAN or dedicated IP range, and disable all protocols except IPPS.
- Switch on auto updates to get the latest security updates for software and operating systems.
- Sign up for security notifications from Microsoft.
- Create Google Alerts for:
  - MacOS security alert
  - iOS security alert
  - ChromeOS security alert
  - Android security alert
  - IPPS security alert
- Share your practices and document within your organization. Don’t be surprised when your next pay review includes a nice raise.
Well done! You have not only secured your organisation for the present, but you’ve put in place practices that will keep your organisation secure far into the future. Through all of this, you might have picked up a salary raise. You can now feel good going on a weekend away, knowing that you’ve got your organisation’s back. Proceed to work towards an Apply, Validate and Maintain approach for the other areas of your IT infrastructure!