Securing a Network’s Print Data Stream with TLS/SSL Encryption
Awareness that a thorough security policy should include measures for secure network printing is rising slowly but surely.
by Mike Majewski
Every organization and enterprise has sensitive data that needs to be protected from unauthorized access. Organizations usually protect this data with passwords and similar security measures, but managers should take extra measures when the data are sent, over the network, to be printed. Unprotected data are easy prey for hackers -- those inside and outside the organization -- who can attain these data without much technical know-how. Encrypting print data during transmission with the Secure Socket Layer (SSL) protocol, defined by the IETF (Internet Engineering Task Force) which later renamed it Transport Layer Security (TLS), is an effective protection technology against such attacks. However, in Windows networks this is very difficult (sometimes even impossible) to do, and only a few proprietary solutions exist.
Awareness that a thorough security policy should include measures for secure network printing is rising slowly but surely. Compliance -- a state of being in accordance with established guidelines, specifications, or legislation, or the process of becoming so -- is also relevant in this context as it includes the protection of sensitive data often found in print documents. Unencrypted print jobs in a network are an easy target for attacks.
External and Internal Attacks on Print Data
If hackers gain access to a network from outside the organization, they can intercept print data. WAN architectures like those used by businesses -- which transmit their data via insecure Internet connections (e.g., DSL) to branch offices, customers, and suppliers -- are especially endangered. The greater danger is often harbored within: Recent studies reveal that about half of all business crimes are committed by employees who have access rights and their own accounts.
The damage for companies that are victims of such attacks can be significant, whether measured in money or time (e.g., delayed business processes, competitive disadvantages, legal consequences). Immaterial damage, such as the loss of a trustworthy image, can also result from these attacks. In this moment, managers often realize that compared to such damages, the costs for preventive security measures would have been much less.
Unencrypted Print Data are Easy Prey
Unencrypted print data are a weakness in every IT security environment because without encryption, all printing protocols transmit print data as (more or less) readable, clear text. The printer command languages PCL (Printer Control Language) and Postscript are page-description protocols that include the document information in clear text in addition to control and command characters. Reading a text transmitted in ASCII format is even simpler.
Hackers need only a simple sniffer application -- which they can download from the Internet -- to record print data during transmission. They can easily find freeware applications that enable them to read this data -- even in the format of the original document. Attackers can manipulate and resend this data with agent software to redirect print data coming from other clients to the sniffer, then manipulate the original data with a simple editor and print it via the Windows LPR command. Common printing protocols (LPD/LPR/Sockets, SMB/CIFS etc.) cannot encrypt print data and offer no protection.
Print Data Encryption -- Lack of Standards and Proprietary Solutions
Encrypting print data is a potent preventive measure against attacks on print data streams. The Internet Printing Protocol version 1.1 (IPPv1.1) defined in the RFCs 2910, 2911, and 3196, is based on HTTP 1.1 and can utilize all extensions of HTTP, including SSL/TLS (128 bit encryption). IPPv1.1 can be regarded as a standard for print data encryption with TLS/SSL, but only with limitations (e.g., in cases with return channel messages such as paper jams, printer failures, etc). In different environments, certain conditions must be met.
Linux and Unix environments and Mac OS X CUPS (Common Unix Printing System) support IPPv1.1. The network connection of a printer via print server or interface card is with a URI (Uniform Resource Identifier) -- an IP address, printer port, protocol, logical printer port -- via HTTP or HTTPS, such as
Current Windows operating systems neither support IPPv1.1 nor include board measures for print data encryption. Windows 2000, XP Professional, Vista, Windows Server 2003, and Windows Server 2008 can install the IIS Web server as a Windows component in the software rubric of system control; IIS can be configured as a print server which enables IPP printing and SSL-encrypted print data transmission via the Internet. Attached network printers are managed through a Web interface.
Only a few third-party solutions exist for encrypted print data transmission in Windows environments. External and internal print servers that support print data encryption represent a move in this direction. HP, Lexmark, and Kyocera Mita offer such devices. A vendor-independent solution is the proprietary tool SEH print monitor, which SEH Technology (the company I work for) integrates into its complete print server portfolio.
Print Data Encryption in Server-based Computing Environments
The server-based computing market is dominated by Citrix Presentation Server and Microsoft Terminal Server architectures. Print data needs to be protected in these environments, too.
In pure Microsoft Terminal Services environments, users remotely access the Windows Terminal server via the RDP (Remote Desktop Protocol) protocol, which has been developed by Microsoft. Beginning at version 5.2, this protocol can be encrypted with SSL upon demand (to do so requires server and root certificates). The root certificates of the established certification authorities (CA) are already integrated into all Windows operating systems, so as a rule they need not be imported. Alternatively, self-signed certificates for servers and clients can be used.
When all necessary certificates are imported and SSL is activated, all data transfer including print data between server and client is protected for the session in question.
In Citrix environments, data are transferred via the proprietary ICA (Independent Computing Architecture) protocol. As long as data is transmitted in the ICA channel, it is safe from unauthorized access.
TCP/IP and Encryption
A security risk occurs at the moment print data has to leave the RDP or ICA session to be sent via TCP/IP. This occurs every time a user generates a print job in the session to be sent directly to a network printer or when a user works with local or central dedicated print servers. All print data sent via TCP/IP are unencrypted and are prone to attacks like those we’ve described. A print management solution such as ThinPrint .print (by ThinPrint) can help.
In addition to its core functions (print job compression, bandwidth optimization with server and client modules), ThinPrint .print allows print job encryption with SSL from Terminal Server to the Client, including the RDP and ICA channels. The ThinPrint solution is able to detect whether data have been manipulated or lost. It also includes client authentication, which is only optional for SSL. Consequently, the server only sends print data to trustworthy clients. This is regulated via certificate management: the ThinPrint Server Certificate is installed on the server and all client certificates require digital signatures from this certificate. In this way, the server is able to identify authorized clients, ensuring that sensitive data is not sent to unauthorized third parties.
ThinPrint SSL encryption is available for servers and clients in Windows environments and heterogeneous environments (e.g., Linux, Unix, IBM mainframes, AS/400 etc.).
Because print data often includes information that requires protection, measures for secure network printing should be part of IT security policies to prevent attacks and resulting damage. Encrypting the print data stream is an effective way to secure data against attacks that intercept and manipulate print data.
Taking these precautions is difficult in Windows environments because the Windows operating systems, as a rule, do not support IPPv1.1, which is required for SSL encryption. Although it is possible to work around this problem with the help of the IIS server in Windows 2000, XP Professional, Vista, Windows Server 2003, and Windows Server 2008, proprietary solutions are generally more reliable and comparatively easy to manage.
Mike Majewski is the CEO at SEH Technology. Majewski opened the SEH U.S. sales office in Phoenixville, PA, in 2002; three years later Mike became CEO of newly founded SEH Technology, a fully-owned subsidiary of the German vendor SEH, a specialist in network printing solutions for more than 20 years. You can contact the author at firstname.lastname@example.org.