Keep Your Data Safe With HP
More than ever, it’s critical for institutions to protect their most important, confidential, and sensitive data on their networks. That includes the information on their printers, which can store an enormous amount of data. In fact, for most companies, it’s a luxury to have a large-format printer with security features manufactured in a trade-compliant country that can make the IT administrator’s life easy.
HP DesignJet printers are designed with these needs in mind, featuring multiple security measures designed to keep data safe from harm and protected from incompatibility, tampering, theft, or disaster.
1. Data in transit
Internet Protocol Security IPsec compatibility
IPsec is a standard that provides security at the IP (network) layer of TCP/IP-based
communication. IPSec allows for private and secure communications over the public Internet.
HP DesignJet printers are compatible with IPSec and provide the following benefits:
• Help ensure data confidentiality by making it difficult for anyone but the receiver to
understand the data being communicated
• Allow each party in a communication session to reliably authenticate each other
• Help ensure that the data is not altered during transmission
• Protect against unauthorized resending of data
IPv6 and IPv4 compatibility
Easily transition from IPv4 to IPv6 with HP DesignJet printers. While IPv4 was a solid and
long-lasting TCP/IP protocol version, the IPv6 protocol takes you to the next generation,
solving the IP address limitation problem for an ever-increasing number of network devices.
CA/JD certificates
You can request, install, and manage digital certificates on the HP Jetdirect Embedded Print
Server included in most HP DesignJet printers. Certificates are used to identify the HP Jetdirect
Embedded Print Server both as a valid web server for network clients and as a valid client
requesting access on a network with security features. By default, the HP Jetdirect Embedded
Print Server contains a self-signed pre-installed certificate to provide optimal security from
setup. It is possible to issue new certificates using this card.
TLS/SSL protocols
TLS/SSL are most widely recognized as the protocols that provide secure HTTP (HTTPS) for
Internet transactions between web browsers and web servers. TLS/SSL can help to secure
transmitted data using encryption. TLS/SSL also authenticates servers and, optionally,
authenticates clients to prove the identities of parties engaged in secure communication.
It also provides data integrity through an integrity check value. In addition to protecting
against data disclosure, the TLS/SSL security protocol can be used to help protect against
masquerade attacks, man-in-the-middle or bucket brigade attacks, rollback attacks, and
replay attacks.
2. Data in storage
Secure File Erase
Secure File Erase is a feature that manages how files are deleted from the printer’s hard
disk, which can help ensure that no data is left behind in the printer. There are three security
modes to the Secure File Erase feature, with the most secure meeting the United States
Department of Defense (US DOD) 5220-22.M requirements for clearing and sanitization of
disk media. When the Secure File Erase feature is enabled, all temporary files that might
contain sensitive data are erased and no temporary files remain after a job has completed
(scan, copy, or print). Secure File Erase is performed whenever the system is finished with
a file and calls the delete procedure. If the Secure File Erase mode is never set to a secure
mode, the system still deletes these files on a continuous basis, using an insecure manner.
The printer performance can be affected while increasing the Secure File Erase level.
Secure Disk Erase
Secure Disk Erase allows the erasing of all information from the hard disk drive inside the
printer in a secure manner, making it impossible to recover the information. It is possible to
trigger a Secure Disk Erase using the US DOD 5220-22.M specification to erase all data from
the hard disk partition that contains the user data.
High-performance Self-encrypting Drive (SED)
The Self-encrypting Drive (SED) is designed to ensure your print data is automatically encrypted
every time data is sent to the printer and written to the drive. It provides an additional layer of
security for all of your printed files and reduces the risk of tampering or unauthorized access
to the data. With an SED installed on select HP DesignJet printers, workgroups can safely store
and print their most sensitive data over a network with security features.
The Advanced Encryption Standard (AES) reduces the risk of stolen data. AES technology
provides trust that the printer’s hard drive data is not readable if the hard disk is removed
from the device. The SED supports AES256 encryption, following the FIPS 140-2 Level 2
(tamper evident sticker compliant) requirement.
There’s no need to activate any settings or perform any action to encrypt the content. The SED
is also protected with an ATA password, unique for each printer and changeable when required.
3. Authentication and authorization
HP native security capability
Control panel access lock
The control panel access is a feature intended for IT administrators, which allows them to
lock the printer’s control panel using either HP Web Jetadmin software, or the printer’s
HP Embedded Web Server. This feature prevents unauthorized users from accessing the
control panel and changing the printer’s settings. There are four levels of access that can be
set:
• Minimum Lock—this option denies access to the Resets options, Enable/Disable
connectivity options, and the Service Menu
• Moderate Lock—in addition to the Minimum Lock, this option also denies access to all
printer settings, the job queue, information and service prints, and the printer log
• Intermediate Lock—in addition to the Moderate Lock, this option also denies access to
the paper and ink supplies handling options, maintenance options, and demo prints; only
viewing of printer and supplies information is allowed
• Maximum Lock—this option denies access to all options in the control panel
Disable interfaces
HP DesignJet printers are designed so that some ports can be disabled to help prevent
unauthorized printing and scanning and possible data theft. For example, disabling the
USB printing port prevents people from inserting a USB drive into the printer and printing or
scanning to it.
Personal identification number (PIN) printing
Does your business need to print confidential or sensitive documents? Often, users need to
print private documents to shared printers across a company’s network. The HP DesignJet
printer portfolio holds print jobs until a user enters a PIN to release the job to help ensure
that confidential documents do not print until the user is physically present at the printer.
NTLMv2
NTLMv2 is used to authenticate the device to file servers, so it is allowed to put files from the
scanner into a shared file folder. V2 is the latest version of this protocol, required by savvy
administrators to make sure that authentication credentials are not captured in transit on
the network.
Third-party security solutions
API Netgard® MFD Smartcard security appliance for CAC, PIV, and CIV cards
API Netgard® MFD is a drop-in, inline, multi-factor, user authentication solution for
networked, special-purpose devices such as multifunction printers, scanners, and copiers.
Netgard® protects a network by requiring users to authenticate themselves with a smartcard
(CAC/PIV-personal identity verification, CIV commercial identity verification) and personal
identification number (PIN), thereby preventing unauthorized users from accessing privileged
materials or distributing unauthorized material. Without a card and PIN, Netgard® does not
permit the user to print, scan, or send from the multifunction device to network resources.
• CAC/PIV/CIV authentication (HSPD-12 and DOD Compliant)
• Email encryption, secure print release, and scan-to-home
• Integrated with the HP DesignJet on-screen display
4. Intrusion prevention
Disabling unused protocols
In some cases, you may want to disable all protocols that you do not plan to use to access
your printer. For example, you might prevent users from sending files through the FTP
or connecting through telnet to ‘manage protocols’ the printer network settings. You can
disable unused protocols through the Mgmt.protocols option in the HP Embedded Web
Server or Network Enable features in HP Web Jetadmin.
Network management security features through SNMP v3
HP DesignJet printers can be managed through SNMP v1 and v2. In addition, most HP DesignJet
printers can be managed via SNMP v3 which provides the following additional benefits:
• Integrity—protects data flowing from side-to-side from being modified by a third party
• Authentication—verifies the data source
• Encryption—protects data from being accessed by a third party
• Access control—restricts Managed Device data that can be accessed by each Network
Management System
802.1x compatibility
To provide additional security, a select number of HP DesignJet printers are 802.1x
compatible out of the box. The 802.1x standard provides access control to the Ethernet
network, and network devices that are unable to authenticate to the 802.1x authorization
server are denied all network access. 802.1x can prevent unauthorized users from attaching
devices to the network and can help ensure that only IT-deployed and trusted devices, such
as those with virus protection software, are allowed access.
Supported 802.1x authentication protocols and configuration settings support the
following protocols:
• PEAP—Protected Extensible Authentication Protocol (PEAP) is a mutual authentication
protocol that uses digital certificates for network server authentication and passwords for client
authentication.
• EAP-TLS—Extensible Authentication Protocol using Transport Layer Security (EAP-TLS) is
a mutual authentication protocol based on digital certificates for authentication of both the
client and the network authentication server.