Bugtraq mailing list archives

Summary re: Xerox N40 printers and Code Red worm


From: der Mouse <mouse () Rodents Montreal QC CA>
Date: Sun, 12 Aug 2001 12:21:07 -0400 (EDT)

Back last Thursday, I wrote (in response to griping about Xerox
printers being killed by Code Red and someone's saying "buy HP instead"):

Is HP any better?  I have a IIIsi and haven't found any way to stop
it from taking print jobs from anyone who can connect to port 9100,
so I have had to put it in the RFC1918 part of the house LAN.

This is a summary of what responses I've gotten, if our illustrious
Aleph One thinks it's worth the posting. :-)

The responses I've seen have fallen into two general classes.

One is the "what's a printer doing outside your firewall/NAT box"
attitude.  As for that, I don't do NAT (it breaks the assumptions
underlying IP too badly, breaking too many higher-layer protocols), and
it *is* inside what firewalling I'm doing.  (My firewall is really
minimal, since my attitude towards firewalls is that they're saying "I
know I've got broken software but rather than fix it I'd rather try to
hide the holes".  Hard shell, soft and chewy interior.  That's why the
printer was so annoying, because in this respect I saw it as broken and
unfixable.)

The other, largest, class says to frob with my bootp/dhcp configuration
and get it to TFTP a config file.  I haven't been doing bootp/dhcp; I
configure the printer from its front panel.  I'm not sure how
reasonable I think it is to provide ACLs but only via some config
mechanisms; in my case, I would rather leave it in the 1918 part of my
house LAN than make it depend on having a bootp/dhcp server up.

One message from HP gave a good deal more info, saying it was also
possible to use telnet or the thing's Web server.  If it's possible to
push-change its configuration over the net, that's a pretty major
security issue right there; it's definitely staying right where it is,
in 1918 space.  (I'm not quite sure what sort of mind it takes to see a
webserver in a printer as a feature, and I don't think I want to know.)

Two people pointed me at
http://www.hp.com/cposupport/networking/support_doc/bpj05999.html.
Unfortunately, the address picked for www.hp.com (192.151.52.13) is one
of the many webhosts with the won't-frag disease, the problem outlined
in RFC 2923 section 2.1, at least from where I sit.  I could play
guessing games with the rest of the addresses, but it doesn't seem
worthwhile, especially since it probably won't say anything not already
covered above.

Two people said, basically, "use a newer printer".  I have two
responses to that: (1) this was about using existing hardware - the
message that started this all off said (of Xerox) "They say they have
lots of security on the current models.  Well that's great if you're
buying their current products, but not so great if you are a past
customer."; (2) "use a newer printer" is easy to say when it's someone
else's money - send me the price of a suitable upgrade and I'll get one
and shut up.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse () rodents montreal qc ca
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
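An added example, not from the post, HP or Xerox: a small Python checker for the kind of source-address allow-list the replies describe. It assumes a JetDirect-style config file with `allow: <address> [mask]` lines (that line format is an assumption, and the sample config is constructed); it shows that with no list at all every source is accepted, which is the situation the post complains about, and flags an allow-list that still reaches outside RFC 1918 space.

```python
import ipaddress

# Constructed sample in the style of a printer TFTP config file. The
# "allow: <address> [mask]" line layout is an assumption for this example;
# check the printer's own documentation for the real syntax.
SAMPLE_CONFIG = """\
# comments start with a hash
passwd: not-shown
allow: 10.0.0.0 255.0.0.0
allow: 192.168.7.0 255.255.255.0
allow: 203.0.113.42
"""

# The three RFC 1918 private ranges the post refers to as "1918 space".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_allow_list(config_text):
    """Return the networks granted access by 'allow:' lines.
    A bare address with no mask is treated as a single host (/32)."""
    networks = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line.lower().startswith("allow:"):
            continue
        fields = line.split(":", 1)[1].split()
        if not fields:
            continue
        host = fields[0]
        mask = fields[1] if len(fields) > 1 else "255.255.255.255"
        networks.append(ipaddress.ip_network(f"{host}/{mask}", strict=False))
    return networks


def is_allowed(networks, src_ip):
    """No allow-list at all means the raw print port accepts jobs from
    any source; otherwise only addresses inside a listed network match."""
    if not networks:
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def allow_list_leaks_outside_rfc1918(networks):
    """True if some allowed network is not contained in RFC 1918 space,
    i.e. the ACL still admits print jobs from public addresses."""
    return any(not any(net.subnet_of(p) for p in RFC1918) for net in networks)
```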