Printer in the DMZ. - Firewalls
-
Printer in the DMZ.
I have a small network with a wireless access point in the DMZ.
The idea is that when our users are connected to the wired network,
they can access the entire internal network.
When they switch to wireless to roam around the site, they have public
internet access only.
Problem is that we have only 1 printer and I'd like to be able to
print to this from the DMZ or the internal network.
Should I put the printer on the internal network or the DMZ?
I assume there is some way of configuring the firewall to allow
traffic to/from the printer to pass to the DMZ.
Mark.
-
Re: Printer in the DMZ.
mark.hannah@totalise.co.uk wrote:
> I have a small network with a wireless access point in the DMZ. The
> idea is that when our users are connected to the wired network, they
> can access the entire internal network.
>
> When they switch to wireless to roam around the site, they have public
> internet access only.
>
> Problem is that we have only 1 printer and I'd like to be able to
> print to this from the DMZ or the internal network. Should I put the
> printer on the internal network or the DMZ?
If you want to print from both LAN and DMZ, the printer belongs in the
DMZ.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
-
Re: Printer in the DMZ.
Ansgar -59cobalt- Wiechers wrote:
> If you want to print from both LAN and DMZ, the printer belongs in the
> DMZ.
Or as an alternate plan: If the printer has both a parallel/USB port
AND a network port, hook up the network port to the LAN, and an external
printserver box to the other port.
This way, the printer is present in BOTH networks without having to
modify the firewall, and will take a genius to get the printer to route
traffic between the nets :-)
Juergen Nieveler
--
Arrange for Monica E to bring the packages. Poisoning will occur on Monday
so Bob will burn.
-
Re: Printer in the DMZ.
You should use a VPN to access the printer. Some printers use the Windows
operating system, so if they are compromised, even if they can't access
the LAN, they may tell the attacker what's being printed.
-
Re: Printer in the DMZ.
In article ,
juergen.nieveler.nospam@arcor.de says...
> Or as an alternate plan: If the printer has both a parallel/USB port
> AND a network port, hook up the network port to the LAN, and an external
> printserver box to the other port.
That assumes the printer will accept data from two different ports. Or
what happens when it receives data on two different ports. Not all will
support that.
--
If there is a no_junk in my address, please REMOVE it before replying!
All junk mail senders will be prosecuted to the fullest extent of the
law!!
http://home.att.net/~andyross
-
Re: Printer in the DMZ.
rounner@yahoo.com wrote:
> You should use a VPN to access the printer. Some printers use the Windows
> operating system
WTF? I heavily doubt that Windows runs well on ARM9 CPUs with ~ 100 MHz and
only 4 MByte of RAM. Quite typical are Linux, JavaOS and some RTOS.
Indeed, the ones with JavaOS typically have the problem to allow everyone to
upload his very own Java applets to the printer.
-
Re: Printer in the DMZ.
On Dec 11, 10:33 am, "Sebastian G." wrote:
> WTF? I heavily doubt that Windows runs well on ARM9 CPUs with ~ 100 MHz and
> only 4 MByte of RAM. Quite typical are Linux, JavaOS and some RTOS.
>
> Indeed, the ones with JavaOS typically have the problem to allow everyone to
> upload his very own Java applets to the printer.
My main concern was that he protect it from the internet, not qualify
my example vulnerability.
http://www.smallbusinesscomputing.co...le.php/3563401
http://www.schneier.com/blog/archive...r_securit.html
Read some of the stories. I've had similar experiences myself. You'd
be amazed at how many black box appliances use Windows OS. They even
use older versions because it's not worth their while upgrading their
software.
PS I thought ARM processors supported mobile Windows OSes, but I don't
know what the score of printers (out of hundreds if you include up to
10 years old) that use it are running.
Sorry for wasting your time, just trying to help.
-
Re: Printer in the DMZ.
You can configure the firewall to accept/deny packets sent to or received
from any printer in the DMZ zone.
If the printer is an IP-based printer then you should not face any
problem.
You can create a rule like this:
Internal Subnet --------> DMZ Printer IP ------> Accept --------> Printer printing ports.
The above should work. As for low level to above level security zones, we
need to put a policy in place.
Thanks .. CK
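The rule sketched in the last post, written out as an nftables forward chain for a Linux firewall routing between the three segments. This is an added example, not part of the original thread; the interface names, the addresses and the choice of printing ports (LPD 515, IPP 631, raw 9100) are assumptions.

```nftables
# Constructed values: replace with the site's real interfaces and addresses.
define WAN_IF      = "eth0"            # assumed: uplink to the internet
define LAN_IF      = "eth1"            # assumed: wired internal network
define DMZ_IF      = "eth2"            # assumed: DMZ with the access point and printer
define LAN_NET     = 192.168.1.0/24    # assumed internal subnet
define PRINTER     = 192.168.50.10     # assumed fixed address of the DMZ printer
define PRINT_PORTS = { 515, 631, 9100 } # LPD, IPP, raw/JetDirect

table inet filter {
    chain forward {
        # Anything not explicitly allowed between segments is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed in the first place.
        ct state established,related accept
        ct state invalid drop

        # Internal subnet -> DMZ printer IP -> printing ports only.
        iifname $LAN_IF oifname $DMZ_IF ip saddr $LAN_NET ip daddr $PRINTER tcp dport $PRINT_PORTS ct state new accept

        # Both segments may reach the internet.
        iifname $LAN_IF oifname $WAN_IF accept
        iifname $DMZ_IF oifname $WAN_IF accept

        # Nothing in the DMZ (printer included) may open a connection
        # into the LAN; log the attempts so a compromised device is noticed.
        iifname $DMZ_IF oifname $LAN_IF log prefix "dmz-to-lan drop: " drop
    }
}
```

Wireless clients sit in the same segment as the printer, so their print jobs never cross this chain; only the LAN-to-printer path needs a rule.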