Slashdot Mirror


Secure Printing?

RiverWolf asks: "As a Systems Administrator (a.k.a. 'paranoid security freak') I spend much of my time tightening down systems, loading patches, and just generally making sure no one does what they're not supposed to. While tools like ssh have become a staple for file transfer and terminal sessions, I recently began looking at all the little print servers we have throughout my offices and wondered 'hmm, can those things be sniffed?' Until now, my focus for printing has always been 'just get it working', but if someone can sniff the print jobs (like payroll and other confidential information) as they go across the network, then it doesn't matter how locked down everything else is. Is there a standard for secure (encrypted transmission) network printing, or does anyone know of a way to do this? I found this document that deals with it in a roundabout fashion, but with dozens of printers spread throughout multiple locations, I don't see it as an option."

3 of 44 comments

  1. How about direct connections? by BusterB · · Score: 4, Insightful

    If you're printing confidential information like payroll, the printer is probably not in a public location. Otherwise, it's just as easy to look at the paper coming out as it is to sniff packets, if not easier.

    What's wrong with a private network or a direct computer->printer connection via parallel/usb in this special case?

  2. Is it really worth the trouble? by jsimon12 · · Score: 2, Insightful

    Why bother? I am sure some people would say it would be needed for government or secret, blah blah. Well, I work in a "secure" government facility and the physical security alone is enough to make printing in the area safe and secure, and the network is isolated and shielded, etc etc etc, so to me this is a moot point. Anyway, once you print it, it can be intercepted, copied etc, not to mention the fact that the last page is still technically on the print drum till it is used again.

  3. Unstated assumptions by coyote-san · · Score: 3, Insightful

    LPRng seems to support Kerberos, but I don't know if it provides data encryption or is just used for authentication. I've also been playing around with the idea of adding direct SSL support to LPRng as an experiment, but it would probably only work with bounce queues from another system.

    The reason I'm mentioning this is to point out the unstated assumption that the worst that happens is that somebody can sniff the traffic to your printer. To me, that takes a distant back seat to the risk that somebody could impersonate your printer or feed it additional jobs.

    As an example of this, imagine a shared printer in the sales department where someone has quietly changed the IP address - the print jobs are actually going to a laptop hidden in a closet where they're spooled off to a competitor before being forwarded to the expected printer.

    Or imagine monthly checks being spooled to the same system where the attacker can learn exactly who you get services from... and/or insert checks to dummy organizations they control into the data stream.

    You can use SSL tunnels to provide a measure of confidentiality, but if you're serious about security you really need to be thinking about authenticating the printer (and possibly clients as well).

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
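
Editor's added example, not part of any comment above: a Python sketch of the distinction comment 3 draws between encrypting the print channel and authenticating the printer. It assumes the printer or print server exposes a TLS endpoint (for instance IPP over TLS on port 631); the host name, file names and helper names are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl


def printer_tls_context(ca_file=None, client_cert=None, client_key=None):
    """Build a TLS context that refuses print servers it cannot authenticate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The defaults already enforce these; they are restated because they are
    # what stops a rogue host that has taken over the printer's IP address.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        # Optional mutual TLS: the print server can also authenticate clients.
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def pin_matches(der_cert, expected_sha256_hex):
    """Compare a DER certificate against a pinned SHA-256 fingerprint."""
    actual = hashlib.sha256(der_cert).hexdigest()
    expected = expected_sha256_hex.replace(":", "").lower()
    return hmac.compare_digest(actual, expected)


def open_print_channel(host, port, ctx, pinned_sha256=None, timeout=10):
    """Connect, authenticate the printer, and return the TLS socket."""
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        # Raises ssl.SSLCertVerificationError if the chain or name is wrong.
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if pinned_sha256 is not None:
        der = tls.getpeercert(binary_form=True)
        if not pin_matches(der, pinned_sha256):
            tls.close()
            raise ssl.SSLError("printer certificate does not match the pin")
    return tls


# Hypothetical usage (no connection is made when this file is imported):
#   ctx = printer_tls_context(ca_file="office-ca.pem")
#   chan = open_print_channel("printer.example.internal", 631, ctx)
```

A tunnel set up without certificate verification would still encrypt the job, but it would hand it to whichever host answers at the printer's address.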