IPsec/Firewall configuration (V.38.xx)
(Full-featured print servers only) IPsec/Firewall features provide network-layer security on both IPv4 and IPv6 networks. The Firewall provides simple control of IP addresses that are allowed access. Internet protocol security (IPsec, RFC 2401) provides the additional security benefits of authentication and encryption,
IPsec configuration is relatively complex. However, because IPsec provides security at the network layer and can be relatively independent of application layers, the opportunity for secure host-to-host communications over a widespread network, such as the Internet, is greatly enhanced.
●
|
If IPsec is supported, you can control IP traffic using both Firewall and IPsec protection.
|
|
●
|
If IPsec is not supported, you can control IP traffic using Firewall protection.
|
|
| NOTE:
|
In addition to Firewall and IPsec protection at the network layer, the print server also supports an SNMPv3 agent at the application layer for management application security, and open secure sockets layer (SSL) standards at the transport layer for secure client-server applications, such as client-server authentication or HTTPS Web browsing.
|
For IPsec/Firewall operation on the print server, you must configure an IPsec/Firewall policy to apply to specified IP traffic. IPsec and Firewall policy pages are accessed through the embedded Web server and displayed by your Web browser. Typical IPsec and Firewall policy pages are shown below.
| NOTE:
|
To ensure communications with an HP Jetdirect print server configured with an IPsec policy, ensure that computer systems communicating with the print server are properly configured. IPsec policies configured on the print server and computer systems must be compatible. Otherwise, connections will fail.
|
After a policy is configured, it is not activated until you click Apply button.
Firewall Policy page
IPsec Policy page
The items on the IPsec/Firewall policy pages are described in the following table:
IPsec/Firewall Policy page
|
|
|
Select the check box to enable your IPsec or Firewall policy. Clear this check box to disable IPsec/Firewall operation.
|
|
|
Configure up to ten rules in descending order of precedence. For example, Rule 1 is higher in precedence than Rule 2.
|
Define each rule using the following fields:
|
●
|
Enable Select whether a configured rule is enabled or disabled for the policy.
|
|
●
|
Address Template Set the IP addresses for which the rule applies. Select among several predefined templates, or specify a custom template. Click on a template entry to view or modify the template configuration.
|
|
●
|
Services Template Identify the services for which the rule applies. Select among several predefined templates, or specify a custom template. Click on a template entry to view or modify the template configuration.
|
| CAUTION:
|
If the All Services template for a rule is not specified, a security risk can exist. Future networking applications deployed after the IPsec Policy is in place might not be IPsec-protected unless the All Services template is used.
For example, installing a third-party Chai service plug-in, or upgrading firmware for the printer or print server, can result in a new service that is not covered by the IPsec policy. Review policies whenever firmware is updated or a new Chai applet is installed.
|
|
●
|
Action on Match Define how to process the IP traffic that contains the addresses and services specified.
|
For Firewall operation, the traffic is allowed or dropped, depending on the action specified by the rule.
For IPsec operation, the traffic is allowed without IPsec protection, dropped, or IPsec-protected using an IPsec template specified for the rule. Click on a template entry to view or modify the template configuration.
|
|
|
Indicate whether the default rule drops or allows the traffic. The default rule specifies whether to process IP packets that do not match the configured rules.
|
Select Drop (default) to discard traffic not covered by the configured rules.
|
Select Allow to allow traffic that is not covered by the configured rules. Allowing IP packets that do not match the configured rules is not secure.
|
|
|
Select Add Rules to configure rules using the IPsec wizard..
|
Select Delete Rules to remove one or more rules from the policy.
|
|
|
Configure a Failsafe feature to prevent lock out of the print server over HTTPS (secure Web browser access) during IPsec/Firewall policy set up.
|
You can allow selected multicast and broadcast traffic to bypass your IPsec/Firewall policy. This might be required for device discovery by system installation utilities.
|
|
HP Jetdirect Print Servers IPsec/Firewall configuration (V.38.xx)