ISE for Printer Security

angel-moon
Level 3

Hello,

Does anyone have any suggested configurations, ACLs, etc. for securing printers, especially HP, and giving network access to just their essential functions only?

All replies rated,

Thanks in advance!

2 Replies

We use MAB for printers. I send a DACL down so they can't talk on their VLAN, then the firewall does the rest of the upstream access.

Colby LeMaire
VIP Alumni

Every environment is different and there is no one size fits all.  Here are some general thoughts:

- First thing is to try to do 802.1x if at all possible with your printers and if there is a centralized management system to push the configurations for them. You don't want to have to visit each printer to configure them manually.

- If you have to use MAB, you can use a static identity group for your printers called something like "Corporate_Printers".  When you find printers on the network using dynamic profiling and the printers logical profile, have someone verify it is a corporate-approved printer, and then statically assign it to the "Corporate_Printers" identity group.  Use that group in your authorization profile.  It is a little more secure than just allowing any device that is profiled as a printer.

- dACL will depend on your environment, what you are using for printer management, and how the users add printers on their machines.  Recommendation would be to SPAN a printer port for a while and capture the traffic.  Build your dACL from there.  And you will likely have to adjust over time based on feedback.
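An added example, not part of the replies above: one way to turn a SPAN capture summary into a candidate dACL for review. The CSV layout (initiator, responder, protocol, responder port), every address, and the `build_dacl` helper are constructed for illustration; the output assumes IOS extended ACL syntax, where the dACL source is always `any` because the entries apply to traffic entering the switch port from the printer.

```python
import csv
import io
from collections import Counter

# Constructed sample: conversations seen on one SPANned printer port, as
# initiator,responder,protocol,responder_port. All addresses are made up.
SAMPLE_CSV = """\
10.20.30.40,10.0.0.53,udp,53
10.20.30.40,10.0.0.53,udp,53
10.0.5.20,10.20.30.40,tcp,9100
10.0.5.20,10.20.30.40,tcp,9100
10.0.5.21,10.20.30.40,tcp,443
10.0.5.21,10.20.30.40,tcp,443
10.20.30.40,10.0.0.10,udp,67
10.20.30.40,10.0.0.10,udp,67
10.20.30.40,10.20.30.41,tcp,445
"""

def build_dacl(flow_csv, printer_ip, min_count=2):
    """Return (acl_lines, review) built from observed printer conversations."""
    counts = Counter()
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 4 or printer_ip not in row[:2]:
            continue  # skip malformed rows and traffic not involving the printer
        init, resp, proto, port = row
        counts[(init, resp, proto.lower(), int(port))] += 1

    permits, review = set(), []
    for (init, resp, proto, port), seen in sorted(counts.items()):
        if seen < min_count:
            # One-off conversations go to a human instead of into the ACL.
            review.append((init, resp, proto, port))
        elif init == printer_ip:
            # Printer is the client: match on the destination service port.
            permits.add(f"permit {proto} any host {resp} eq {port}")
        else:
            # Printer is the server: a dACL is stateless, so permit its
            # replies, which leave the printer from the service port.
            permits.add(f"permit {proto} any eq {port} host {init}")
    return sorted(permits) + ["deny ip any any"], review

if __name__ == "__main__":
    acl, review = build_dacl(SAMPLE_CSV, "10.20.30.40")
    print("\n".join(acl))
    for flow in review:
        print("review before permitting:", flow)
```

The single printer-to-printer SMB conversation in the sample lands in the review list rather than the ACL, which fits the first reply's approach of keeping printers from talking to each other on their VLAN.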