If you've seen my column photo, you know I like the occasional spoon of sugar in my coffee. (OK, four spoons, so bite me.) Point is, since Brian Chee keeps me well stocked in Hawaiian Kona coffee, I make sure to keep a box of Domino instant-dissolve sugar in the kitchen. Tear off plastic, open little metal spout on side of box, pour sugar, reactivate synaptic functionality — simple. Then some product marketing management wizard apparently decided to fix it. Now the spout is cardboard, no longer firmly attached to the box, and inexplicably blocked by another slab of cardboard that serves no discernable purpose, yet must somehow be removed without dislodging the spout.
I look at IT infrastructure and sometimes have similar sentiments. Take printers, for example. It used to be you write your doc and hit Print, and those little dot-matrix pins would start whining away. Then came color, ink jets, thermals, and lasers. All that seemed like a natural and (mostly) intelligent progression.
But then came "network" printers. And while printing over a network is certainly a necessary evolutionary step in the history of mankind, the technologies that are being used to bring us this feature often aren't.
A typical multifunction networked printer today isn't just a printer with an Ethernet port. It's also a fax machine with a phone port — often still POTS, regardless of whether the rest of the office is on VoIP. It also has a full operating system with access controls (often open by default and containing open backdoors so that support people can do off-site maintenance); a Telnet server; an FTP server; a pretty big hard disk; and usually SNMP turned on by default, too. All those smarts enable some cool print features, especially along the lines of remote printing, but they also make your printer a serious security risk.
That can be a problem for harried IT guys running Vista in gen-pop and most likely for those who will run Server 2008. Not because the security mechanisms aren't there, but because those operating environments try to make printer connectivity so easy. Plug a couple of Vista laptops into my network and they'll find both the HP Color LaserJet 3800dn and the little downstairs Kyocera ink jet all by themselves. The Kyocera still requires me to manually install a driver, but three out of four Vista machines know how to find the HP's driver on their own and install on command. It's very similar to the MacBook Pro, which did the same thing.
It's great for IT staffers in one sense, since they don't need to do much to enable printing, provided the printer isn't made by some company in the hinterlands. But it's not so great for security, because it engenders a feeling of neglect toward the printers themselves. It was the same with wireless access points a while back. Just plug them in and fiddle until you got the green link light. Who wants to deal with advanced security protocols on both AP and client side when you can just be lazy and have your clients find them automatically? Vista is going to push the same kind of feeling with printers. Why deal with real security on your print side when it might mean you have to toddle over to the client side and do actual work?
But you should. Oh boy, should you ever. And do a little research before you buy, too. It turns out that even today, some print manufacturers disallow the ability to change SNMP community strings. Somebody gets access to that and they have limited read/write access to the SNMP server. You can play some great practical jokes that way, but you can also use it as a staging point to map out the rest of the network, gather default passwords, and open ports — the usual penetration drill. Using other aspects of the printer OS, you might also enable cute programming scenarios where an image is superimposed over every print job (practical joke) or every document that hits the printer's hard disk is mirrored and e-faxed to some nefarious location (major, big-time, you're-fired security hole).
And think about physical security, too. Printers often sit in public areas that can double as waiting areas. Some yahoo unplugs a printer and plugs in his laptop, and all of a sudden, he has DHCP-ified access to the network while you're in a meeting room discussing the new sugar spout design.
Printer manufacturers aren't unaware of this stuff. The better players, including both Kyocera and HP, issue regular patches for the operating systems on their machines. These need to be made part of the automatic patching process on the network. These same companies often have software management suites of their own with built-in security functionality — Kyocera just demoed its version to me a little while back. You also need to find a systems management solution and an end-point security solution that have features specific to printers. And if you buy a lot of these things from a manufacturer or a VAR, you might discuss a custom configuration so that you don't need to spend so many man-hours reconfiguring them yourself.
Sure, it's one more headache in an Advil-heavy world, but it's better than having an HR rep call for support on her hacked printer so that she can print your pink slip.