I have to agree and disagree. I have had some success in using the HP
applications to manage printers and have been able to set HP LaserJets up to
bootp with configuration files limiting access to jobs from queues created on
cups servers. We also initially turned off Bonjour because we thought the fact
that the enterprise network was lagging/flapping so badly was causing the
workstation to spend too much CPU time managing network resources. We were
pleased with the results of that. We simply set the workstations' cups files to
obtain their queues from the cups servers.
---- Original message ----
>Date: Thu, 01 Nov 2007 09:35:11 -0400
>From: Rick Cochran <email@hidden>
>Subject: Re: mDSN-Discoverable Network Printers
>To: Daniel Bridgman <email@hidden>
>Cc: email@hidden
>
>Daniel,
>
>The "obvious" solution you are missing is that most of today's printers provide
>a mechanism for restricting the IP addresses from which print jobs will be
>accepted. They also allow parallel, USB, and infrared ports (and EtherTalk) to
>be disabled. Finally, if some of your printers are in unsupervised spaces, you
>would want to disable some front panel functions.
>
>That's the good news. The bad news is that the administration required to set,
>monitor, and maintain the configurations of one or two hundred printers is not
>trivial. And I have found that the "free" tools provided by the printer
>manufacturers are not worth what they cost.
>
>You might consider joining the Higher Ed Printing mailing list (by sending
>email to email@hidden with the word "join" in the email
>body) and asking your question there. This is a "printer" question rather than
>an "operating system" question.
>
>Yours,
>-Rick
>
>Daniel Bridgman wrote:
>> Two years ago our college instituted a print-for-pay mechanism for
>> faculty, students, staff, & has rudely awoken to the fact that nearly
>> all printers (of recent manufacture) advertise themselves via the
>> "Bonjour service," & are discoverable to anyone with a wit of cleverness
>> & a Mac running OS X (or a recent Windows computer, for that matter).
>> This means that nearly all the college's print-for-pay network printers
>> can be exploited once their IP or AppleTalk address is known/discovered.
>>
>> Although not news to the print cognoscenti, this revelation is alarming
>> to the folks that insisted on the (expensive) and cumbersome
>> Print-for-Pay mechanism that is being paid off over time, by print
>> revenues.
>>
>> My question is, how one prevents discovery/unmonitored printing to
>> printers from within (& without) the OS X 10.4 networked environment?
>>
>> I've made a case that it's not enough to simply turn off Bonjour
>> announcements, that one has to put all networked printers behind a print
>> server...on a NAT-protected private subnet to assure that all print jobs
>> are authenticated (LDAP/kerberized, OD, AD, NDS sanctioned transactions).
>> Otherwise, anyone can scan subnets for printers, & print to them (either
>> as a spoofed sender, or not) without accruing costs. It's child's play
>> to demonstrate how this can be done.
>>
>> Other than hanging printers behind NAT barriers, are there other ways
>> that one can isolate network printers from discovery/unauthorized use?
>> The goal is to authenticate print requests for a reasonable span, so
>> people don't die of frustration, log all jobs that occur, and
>> ultimately, halt unauthorized printing.
>>
>> Am I missing an obvious solution?
>>
>> Daniel Bridgman
>> Smith College
> _______________________________________________
>Do not post admin requests to the list. They will be ignored.
>Printing mailing list (email@hidden)
>Help/Unsubscribe/Update your Subscription:
>http://lists.apple.com/mailman/options/printing/email@hidden
>
>This email sent to email@hidden