Secure Network Interfaces
Hardening a networked device is the process of securing the device’s network interfaces. This includes eliminating unneeded or unused features and functions to prevent their abuse, locking down any interfaces that remain, and securing the data hosted by the device.
Lexmark printers and MFPs include a variety of mechanisms to facilitate the device hardening processes.
TCP Connection Filtering
Printers and MFPs can be configured to allow TCP/IP connections only from a specified list of TCP/IP addresses. This disallows all TCP connections from other addresses, which protects the device against unauthorized printing and configuration. TCP Connection Filtering is configured by populating the restricted server list field.
The network ports through which printers and MFPs listen for or transmit network traffic are configurable, allowing fine-grained control over the device’s network activity. By filtering out traffic on specific network ports, protocols such as telnet, FTP, SNMP, HTTP and many others can be explicitly disallowed.
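One way to confirm that port filtering took effect is to compare the ports that actually accept TCP connections with the intended policy. The script below is an added example, not Lexmark code; the policy table, function names and default port numbers are assumptions chosen for illustration.

```python
import socket
import sys

# Assumed policy for illustration: the state each TCP port should be in after
# hardening. Port numbers are the protocols' defaults. SNMP runs over UDP and
# is not covered by this TCP check.
EXPECTED = {
    21: ("FTP", "closed"),
    23: ("telnet", "closed"),
    80: ("HTTP", "closed"),
    443: ("HTTPS", "open"),
}

def tcp_state(host, port, timeout=2.0):
    """Return 'open' if a TCP handshake completes, otherwise 'closed'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError:
        # Refused, silently dropped (timeout) or unreachable.
        return "closed"

def audit(host, expected=EXPECTED, timeout=2.0):
    """Compare observed port state with the policy; return the mismatches."""
    findings = []
    for port, (name, want) in sorted(expected.items()):
        got = tcp_state(host, port, timeout)
        if got != want:
            findings.append((port, name, want, got))
    return findings

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_ports.py <address of a device you administer>")
    host = sys.argv[1]
    mismatches = audit(host)
    for port, name, want, got in mismatches:
        print(f"{host}:{port} ({name}) expected {want}, observed {got}")
    sys.exit(1 if mismatches else 0)
```

The same check verifies TCP Connection Filtering: run from an address that is not on the restricted server list, with a policy that expects every port closed, it should report no mismatches.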
802.1x port authentication allows printers and MFPs to join wired and wireless networks that require devices to authenticate before accessing the network. 802.1x port authentication can be used with the Wi-Fi Protected Access feature of an optional wireless print server to provide WPA Enterprise security support.
IPSec secures all network traffic to and from Lexmark devices with encryption and authentication, allowing data to be sent to printers and MFPs securely. IPSec allows scanned data to be transmitted over the network in an encrypted format. This can protect the contents of jobs that are scanned to any destination, including servers running Lexmark Document Distributor, e-mail, and network storage.
Lexmark devices support the use of Secure Network Time Protocol (SNTP), which is used for clock synchronization of various devices on the network. To support the main requirement for an SNTP implementation, Lexmark devices support an Authenticator and Authorization field within our SNTP configuration.
Lexmark offers a variety of MFP devices that provide both network capability and fax modem capability. In environments where network security is critical, the combination of these two features on a single device may be a concern. Lexmark designs its MFPs to operate in such a way that the device hardware and firmware keep these mechanisms separate, which prevents any direct interaction between the modem and network adapter. In addition, the modem can only accept image data associated with a fax transmission. Any other data, whether it is for remote access or network or firmware updates, is declared invalid and will cause the device to disconnect the telephone connection.