Printer in the DMZ. - Firewalls



Thread: Printer in the DMZ.

  1. Printer in the DMZ.

    I have a small network with a wireless access point in the DMZ.
    The idea is that when our users are connected to the wired network,
    they can access the entire internal network.

    When they switch to wireless to roam around the site, they have public
    internet access only.

    Problem is that we have only 1 printer and I'd like to be able to
    print to this from the DMZ or the internal network.
    Should I put the printer on the internal network or the DMZ?

    I assume there is some way of configuring the firewall to allow
    traffic to/from the printer to pass to the DMZ.

    Mark.

  2. Re: Printer in the DMZ.

    mark.hannah@totalise.co.uk wrote:
    > I have a small network with a wireless access point in the DMZ. The
    > idea is that when our users are connected to the wired network, they
    > can access the entire internal network.
    >
    > When they switch to wireless to roam around the site, they have public
    > internet access only.
    >
    > Problem is that we have only 1 printer and I'd like to be able to
    > print to this from the DMZ or the internal network. Should I put the
    > printer on the internal network or the DMZ?


    If you want to print from both LAN and DMZ the printer belongs in the
    DMZ.

    cu
    59cobalt
    --
    "If a software developer ever believes a rootkit is a necessary part of
    their architecture they should go back and re-architect their solution."
    --Mark Russinovich

  3. Re: Printer in the DMZ.

    Ansgar -59cobalt- Wiechers wrote:

    > If you want to print from both LAN and DMZ the printer belongs in the
    > DMZ.


    Or as an alternate plan: If the printer has both a parallel/USB port
    AND a network port, hook up the network port to the LAN, and an external
    printserver box to the other port.

    This way, the printer is present in BOTH networks without having to
    modify the firewall, and it will take a genius to get the printer to route
    traffic between the nets :-)

    Juergen Nieveler
    --
    Arrange for Monica E to bring the packages. Poisoning will occur on Monday
    so Bob will burn.

  4. Re: Printer in the DMZ.

    You should use a VPN to access the printer. Some printers use the Windows
    operating system, so if they are compromised, even if they can't access
    the LAN, they may tell the attacker what's being printed.

  5. Re: Printer in the DMZ.

    In article ,
    juergen.nieveler.nospam@arcor.de says...
    > Or as an alternate plan: If the printer has both a parallel/USB port
    > AND a network port, hook up the network port to the LAN, and an external
    > printserver box to the other port.


    That assumes the printer will accept data from two different ports. Or
    what happens when it receives data on two different ports. Not all will
    support that.

    --
    If there is a no_junk in my address, please REMOVE it before replying!
    All junk mail senders will be prosecuted to the fullest extent of the
    law!!
    http://home.att.net/~andyross

  6. Re: Printer in the DMZ.

    rounner@yahoo.com wrote:

    > You should use a VPN to access the printer. Some printers use the Windows
    > operating system



    WTF? I heavily doubt that Windows runs well on ARM9 CPUs with ~ 100 MHz and
    only 4 MByte of RAM. Quite typical are Linux, JavaOS and some RTOS.

    Indeed, the ones with JavaOS typically have the problem to allow everyone to
    upload his very own Java applets to the printer.

  7. Re: Printer in the DMZ.

    On Dec 11, 10:33 am, "Sebastian G." wrote:

    > WTF? I heavily doubt that Windows runs well on ARM9 CPUs with ~ 100 MHz and
    > only 4 MByte of RAM. Quite typical are Linux, JavaOS and some RTOS.
    >
    > Indeed, the ones with JavaOS typically have the problem to allow everyone to
    > upload his very own Java applets to the printer.


    My main concern was that he protect it from the internet, not qualify
    my example vulnerability.

    http://www.smallbusinesscomputing.co...le.php/3563401
    http://www.schneier.com/blog/archive...r_securit.html

    Read some of the stories. I've had similar experiences myself. You'd
    be amazed at how many black box appliances use Windows OS. They even
    use older versions because it's not worth their while upgrading their
    software.

    PS I thought ARM processors supported mobile Windows OSes, but I don't
    know what the score of printers (out of hundreds if you include up to
    10 years old) that use it are running.

    Sorry for wasting your time, just trying to help.


  8. Re: Printer in the DMZ.

    You can configure the firewall to accept/deny packets being received by
    or sent to any printer in the DMZ zone.
    If the printer is an IP-based printer then you should not face any
    problem.

    You can create a rule like this:
    Internal Subnet --------> DMZ Printer IP ------> Accept --------> Printer printing ports.


    The above should work. As for traffic from lower-level to higher-level
    security zones, we need to put a policy in place.


    Thanks .. CK
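
The rule sketched in the last post, together with the wireless-to-LAN restriction from the first post, as an added example that is not part of the thread: a first-match, default-deny policy model that can be used to check intended flows before configuring a real firewall. The subnets, the printer address and the port set (LPD 515, IPP 631, raw 9100) are assumptions chosen for illustration.

```python
import ipaddress

# Constructed addressing (assumptions, not taken from the thread).
ZONES = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),   # wired internal network
    "dmz": ipaddress.ip_network("192.168.2.0/24"),   # wireless AP + printer
}
PRINTER = ipaddress.ip_address("192.168.2.10")
PRINT_PORTS = {515, 631, 9100}  # LPD, IPP, raw/JetDirect

def zone_of(addr):
    """Map an address to its zone; anything unknown is 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

# First-match rules for NEW connections crossing the firewall; replies are
# assumed to be handled by connection tracking on a stateful firewall.
# (src_zone, dst_zone, dst_ip or None, dst_ports or None, action)
RULES = [
    ("lan", "dmz", PRINTER, PRINT_PORTS, "accept"),  # the rule from the post
    ("lan", "internet", None, None, "accept"),
    ("dmz", "internet", None, None, "accept"),       # wireless: internet only
]

def decide(src, dst, dport):
    """Return 'accept', 'drop', or 'local' for a new TCP connection."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "local"  # same segment: the firewall never sees this traffic
    for r_src, r_dst, r_ip, r_ports, action in RULES:
        if (r_src, r_dst) != (src_zone, dst_zone):
            continue
        if r_ip is not None and ipaddress.ip_address(dst) != r_ip:
            continue
        if r_ports is not None and dport not in r_ports:
            continue
        return action
    return "drop"  # default deny: DMZ -> LAN and internet -> DMZ end up here

if __name__ == "__main__":
    for flow in [("192.168.1.50", "192.168.2.10", 9100),   # wired user prints
                 ("192.168.2.77", "192.168.2.10", 631),    # wireless user prints
                 ("192.168.2.77", "192.168.1.5", 445),     # wireless -> LAN share
                 ("203.0.113.9", "192.168.2.10", 9100)]:   # internet -> printer
        print(flow, "->", decide(*flow))
```

The "local" result for the wireless client is the reason the printer sits in the DMZ: that traffic stays on the DMZ segment, so only the LAN-to-printer rule has to be added.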


