Two years ago our college instituted a print-for-pay mechanism for
faculty, students, staff, & has rudely awoken to the fact that nearly
all printers (of recent manufacture) advertise themselves via the
"Bonjour service," & are discoverable to anyone with a wit of cleverness
& a Mac running OS X (or a recent Windows computer, for that matter).
This means that nearly all the college's print-for-pay network printers
can be exploited once their IP or AppleTalk address is known/discovered.
Although not news to the print cognoscenti, this revelation is alarming
to the folks that insisted on the (expensive) and cumbersome
Print-for-Pay mechanism that is being paid off over time, by print
revenues.
My question is, how does one prevent discovery/unmonitored printing to
printers from within (& without) the OS X 10.4 networked environment?
I've made a case that it's not enough to simply turn off Bonjour
announcements, that one has to put all networked printers behind a print
server...on a NAT-protected private subnet to assure that all print jobs
are authenticated (LDAP/Kerberized, OD, AD, NDS sanctioned transactions).
Otherwise, anyone can scan subnets for printers, & print to them (either
as a spoofed sender, or not) without accruing costs. It's child's play
to demonstrate how this can be done.
Other than hanging printers behind NAT barriers, are there other ways
that one can isolate network printers from discovery/unauthorized use?
The goal is to authenticate print requests for a reasonable span, so
people don't die of frustration, log all jobs that occur, and
ultimately, halt unauthorized printing.
Am I missing an obvious solution?
Daniel Bridgman
Smith College
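The arrangement the post argues for (printers reachable only through a print server that refuses anonymous jobs, does not advertise itself, and logs every page) can be expressed as a server configuration. The excerpt below is an added example, not part of the original post and not any college's actual configuration; it assumes the print server runs CUPS with 1.2-or-later directive syntax (Mac OS X 10.4 itself ships an older CUPS, so a newer server is assumed), that 10.20.0.5 and 10.20.0.0/16 are placeholder addresses for the server's client-facing interface and the client network, and that the printers sit on a separate private subnet that only the server can reach.

```apacheconf
# cupsd.conf excerpt (constructed example; addresses are placeholders)

# Do not advertise queues. Clients must be pointed at the server by name;
# nothing on the client network can learn the queues by browsing.
Browsing Off

# Bind only to the client-facing interface, not to the printer subnet.
Listen 10.20.0.5:631

# Every request must carry a user credential checked against the
# server's account source (local, LDAP, or directory-backed PAM).
DefaultAuthType Basic

# One line per printed page in page_log (user, job id, printer, pages)
# gives the audit trail for charge-back and for spotting unauthorized use.
LogLevel info
PageLog /var/log/cups/page_log
AccessLog /var/log/cups/access_log

# Job submission: only from the client network, only as an authenticated user.
<Location /printers>
  Order deny,allow
  Deny from all
  Allow from 10.20.0.0/255.255.0.0
  AuthType Basic
  Require valid-user
</Location>

# Administration: local host only, and only for members of the system group.
<Location /admin>
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1
  AuthType Basic
  Require user @SYSTEM
</Location>
```

With the printers on a subnet that the client network cannot route to, disabling Bonjour on the printers becomes a secondary measure: even a discovered printer is unreachable except through the server, and the server's page_log records who sent each job.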