Printer, Camera, IoT device, etc. Security Recommendations


Introduction

All devices that are owned or managed by Virginia Tech or use the network need to be configured properly.

Instructions

Security Recommendations

  1. Review the following standards:
  2. Use Virginia Tech Private VLANs for printers, cameras, IoT devices, etc. when possible. This is strongly encouraged for areas that expect no off-campus web clients to connect to the service.
    1.  Have your Network Liaison contact Network Infrastructure & Services (NI&S) to have this set up.
    2.  Continue to monitor and secure the host as if it were connected to the public Internet.
  3.  Update the device to the latest firmware / operating system version.
  4.  Ensure that the password for every login meets or exceeds the VT password complexity rules.
  5.  Disable unneeded services and protocols such as:
    • Port 21, File Transfer Protocol (FTP)
    • Port 23, Telnet
    • Port 80, HTTP
  6. Enable IPv4 filter restrictions to at least the ranges shown below. Both CIDR notation and the corresponding IP ranges will be listed below for ease of configuration. If IPv6 is not used but the device has an IPv6 filter, it should be ENABLED and configured to DENY ALL traffic. 
    CIDR Notation      IPv4 Start     IPv4 End
    128.173.0.0/16     128.173.0.0    128.173.255.255
    198.82.0.0/16      198.82.0.0     198.82.255.255
    172.16.0.0/12      172.16.0.0     172.31.255.255
    This will restrict IPv4 communication with your device to on-campus sources, including VT wireless and VPN connections.
    CIDR Notation        IPv6 Start                IPv6 End
    2607:b400:20::/44    2607:b400:20:0:0:0:0:0    2607:b400:2f:ffff:ffff:ffff:ffff:ffff
    2001:468:c80::/48    2001:468:c80:0:0:0:0:0    2001:468:c80:ffff:ffff:ffff:ffff:ffff
    2607:b400::/40       2607:b400:0:0:0:0:0:0     2607:b400:ff:ffff:ffff:ffff:ffff:ffff
    This will restrict IPv6 communication with your device to on-campus sources, including VT wireless and VPN connections.
  7. For devices that lack firewall and access controls, VT employee Dominik Borkowski documented a workable option.
  8. For printers, PCL (Printer Command Language) is recommended, and PostScript (PS) and Printer Job Language (PJL) should be disabled if not explicitly needed. If you have an explicit need to run PS or PJL, be aware that anyone who can reach the device through the printer's IP filtering can potentially exploit vulnerabilities in those printer interpreter languages that may allow them to print, change device settings, use the printer for file storage, add unwanted content (graffiti and overlays) to print jobs, or send unwanted print jobs to the device without creating an event in the printer's logs. In this case, it is recommended to use a print server or implement print job tracking as mitigating security controls.
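The IP filter in step 6 is usually entered by hand in a device web UI, and two mistakes are common: a CIDR block typed with host bits set (which some devices silently reject or widen), and an IPv6 filter left disabled so that every IPv6 source reaches the device while only IPv4 is restricted. The following Python script is an added example, not part of the Virginia Tech guidance or of any device's firmware. It derives the start/end addresses for each campus block so they can be compared against what the UI shows, models the device's allow/deny decision for a given source address, and audits a proposed filter for the mistakes above. The campus ranges are the ones listed in step 6; the function names and the list-based representation of the filter are assumptions made for this example.

```python
import ipaddress
from typing import List, Tuple

# Campus ranges exactly as listed in step 6 of the recommendations.
CAMPUS_IPV4 = ["128.173.0.0/16", "198.82.0.0/16", "172.16.0.0/12"]
CAMPUS_IPV6 = ["2607:b400:20::/44", "2001:468:c80::/48", "2607:b400::/40"]


def cidr_bounds(cidr: str) -> Tuple[str, str]:
    """Return (first, last) address of a CIDR block.

    Useful when a device UI asks for start/end addresses instead of prefix
    notation; strict=True raises ValueError if host bits are set, which is
    the typo this check is meant to catch."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address)


def source_allowed(source: str, ipv4_allow: List[str], ipv6_allow: List[str],
                   ipv6_filter_enabled: bool) -> bool:
    """Model the device's decision for one source address (assumed semantics:
    an allow-list filter that denies anything not listed).

    A disabled IPv6 filter means the device applies no IPv6 restriction at
    all, which is why step 6 says to enable it and deny everything when IPv6
    is not in use."""
    addr = ipaddress.ip_address(source)
    if addr.version == 4:
        allow = ipv4_allow
    elif not ipv6_filter_enabled:
        return True  # no filter: every IPv6 source reaches the device
    else:
        allow = ipv6_allow
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allow)


def audit_filter(ipv4_allow: List[str], ipv6_allow: List[str],
                 ipv6_filter_enabled: bool) -> List[str]:
    """Return human-readable findings for a proposed filter configuration.

    An empty list means nothing was flagged. An enabled IPv6 filter with an
    empty allow-list is the recommended deny-all state and is not flagged."""
    findings = []
    for cidr in list(ipv4_allow) + list(ipv6_allow):
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            findings.append(f"{cidr}: not a valid network (host bits set or malformed)")
            continue
        if net.prefixlen == 0:
            findings.append(f"{cidr}: allows every source; filter is ineffective")
    if not ipv6_filter_enabled:
        findings.append("IPv6 filter disabled: every IPv6 source can reach the device")
    return findings


if __name__ == "__main__":
    # Print the start/end table for comparison against the device UI.
    for cidr in CAMPUS_IPV4 + CAMPUS_IPV6:
        first, last = cidr_bounds(cidr)
        print(f"{cidr:<20} {first:<26} {last}")
    # Audit a deliberately flawed configuration: IPv6 filter left off.
    for finding in audit_filter(CAMPUS_IPV4, [], ipv6_filter_enabled=False):
        print("FINDING:", finding)
```

Run the script before entering the ranges on a device to confirm the start/end values match the table, and run audit_filter on the values you intend to enter; the deny-all IPv6 state from step 6 corresponds to an enabled IPv6 filter with an empty allow-list, which the audit treats as correct.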