10-01-2019 08:29 AM
Hello,
Does anyone have any suggested configurations, ACLs, etc. for securing printers, especially HP, and giving network access to just their essential functions only?
All replies rated,
Thanks in advance!
10-01-2019 08:41 AM
We use MAB for printers. I send a DACL down so they can't talk on their VLAN, then the firewall does the rest of the upstream access.
10-01-2019 09:25 AM
Every environment is different and there is no one size fits all. Here are some general thoughts:
- First thing is to try to do 802.1X if at all possible with your printers and if there is a centralized management system to push the configurations for them. You don't want to have to visit each printer to configure them manually.
- If you have to use MAB, you can use a static identity group for your printers called something like "Corporate_Printers". When you find printers on the network using dynamic profiling and the printers logical profile, have someone verify it is a corporate-approved printer, and then statically assign it to the "Corporate_Printers" identity group. Use that group in your authorization profile. It is a little more secure than just allowing any device that is profiled as a printer.
- dACL will depend on your environment, what you are using for printer management, and how the users add printers on their machines. Recommendation would be to SPAN a printer port for a while and capture the traffic. Build your dACL from there. And you will likely have to adjust over time based on feedback.
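
Added example, not part of the reply above: one way to turn flows observed on a SPAN capture of a printer port into candidate dACL lines. The flow records, IP addresses and the `build_dacl` helper are constructed for illustration; it assumes the dACL filters packets the printer sends into the switch port (source `any`) and treats the lower-numbered port of each flow as the service port.

```python
import csv
import io

# Constructed sample: flows exported from a SPAN capture of one printer port
# as proto,src_ip,src_port,dst_ip,dst_port. All addresses are made up.
SAMPLE_FLOWS = """\
tcp,10.20.30.40,9100,10.1.1.15,51544
tcp,10.1.1.15,51544,10.20.30.40,9100
tcp,10.20.30.40,9100,10.1.1.15,51602
udp,10.20.30.40,50211,10.1.1.53,53
udp,10.1.1.53,53,10.20.30.40,50211
udp,10.20.30.40,161,10.1.1.80,40112
tcp,10.20.30.40,49833,10.1.1.25,25
"""


def build_dacl(flow_csv, printer_ip):
    """Return candidate dACL lines covering only packets the printer sent."""
    aces = set()
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5:
            continue  # skip blank or malformed records
        proto, src, sport, dst, dport = row
        if src != printer_ip:
            continue  # packets towards the printer are not matched by this dACL
        sport, dport = int(sport), int(dport)
        # Heuristic (assumption): the lower port number is the service port.
        if sport < dport:
            # Printer is the server (e.g. 9100 printing): match its source port.
            aces.add(f"permit {proto} any eq {sport} host {dst}")
        else:
            # Printer is the client (e.g. DNS, SMTP): match the destination port.
            aces.add(f"permit {proto} any host {dst} eq {dport}")
    # Set + sort removes repeated flows; everything unobserved is denied.
    return sorted(aces) + ["deny ip any any"]


if __name__ == "__main__":
    print("\n".join(build_dacl(SAMPLE_FLOWS, "10.20.30.40")))
```

Each generated line still needs a human check against what the printer is supposed to do before it goes into the authorization profile, since the capture records whatever happened on the port, approved or not.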