1. Consider a Separate Virtual LAN
Printers have complex software, but they don’t have the same level of support, bug fixes and security testing that we expect in desktop, server and smartphone operating systems. Start by acknowledging that printers can never be fully secured, and so network-based access controls are a critical tool for isolation and protection. If you can, place printers on a separate virtual LAN, with all access controlled by a firewall. If your buildings and printers are too dynamic to identify which ports the printers are attached to, you can use tools such as 802.1X authentication based on the media.
2. Modify Configurations to Reduce Attack Surface
Out of the box, printers can have as many as 20 printing protocols and services enabled. This makes the devices user-friendly and allows users to plug and play, but it also creates a huge attack surface. By whittling the configuration down to the absolute minimum needed for operation in your network, you can reduce the risk of someone taking control of a printer or gaining access to stored print jobs. Don’t forget other basics: Change the default password or, better yet, use a campuswide directory for authentication. Disable unencrypted management traffic, and only enable SNMPv3 (if you are using SNMP at all). If you haven’t rolled out IPv6 yet, don’t enable it on printers either.
3. Explore a Centralized Printing as a Service Model
The temptation to litter inexpensive printers all over the network can be strong, especially in distributed, budget-constrained environments like higher education. Having dozens of printer types from different vendors to manage and secure turns a hard job into an impossible one. If a centralized Printing as a Service model works for your campus, this is your best choice to deliver the highest level of security and reliability overall, as devices are provided, managed, secured and controlled by a third-party partner. For campuses that need a more distributed approach, use security as the lens to view basic standards for all printers connected to your network. This ensures that you only restrict choice when there is a clear and compelling reason.
4. Isolate Devices to Reduce Security Risks
Configure the printer to only communicate with the print server, eliminating the possibility of someone communicating directly with the device. This strategy is especially important if you find that you cannot put printers on their own firewalled network segment. Print servers provide a level of separation between the end user and the printer that will reduce (but not eliminate) the likelihood of security problems.
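The checks from tips 2 and 4, as an added example that is not part of the original article: a Python audit of one printer's settings against the minimum baseline. The dict layout, the service names and the 10.20.0.5 print server address are constructed for illustration and do not match any vendor's export format.

```python
import ipaddress

# Protocols that carry management traffic in cleartext.
CLEARTEXT_MGMT = {"telnet", "http", "ftp"}

def audit_printer(cfg, needed_services, print_server, ipv6_deployed=False):
    """Return a list of findings for one printer's settings.

    cfg uses a constructed dict layout (an assumption, not a vendor format).
    """
    findings = []
    # Tip 2: anything enabled beyond the minimum is avoidable attack surface.
    for svc in sorted(set(cfg["enabled_services"]) - set(needed_services)):
        findings.append(f"service not needed: {svc}")
    for proto in sorted(CLEARTEXT_MGMT & set(cfg["management"])):
        findings.append(f"unencrypted management: {proto}")
    for ver in sorted(set(cfg.get("snmp_versions", [])) - {"v3"}):
        findings.append(f"SNMP {ver} enabled, only v3 allowed")
    if cfg.get("default_password"):
        findings.append("default admin password still set")
    if cfg.get("ipv6") and not ipv6_deployed:
        findings.append("IPv6 enabled but not deployed on this network")
    # Tip 4: the access list should name the print server and nothing else.
    # A missing or empty list is treated as "any host may connect".
    server = ipaddress.ip_network(print_server)
    for entry in cfg.get("allowed_peers") or ["0.0.0.0/0"]:
        net = ipaddress.ip_network(entry, strict=False)
        if net != server:
            findings.append(f"peer allowed besides print server: {net}")
    return findings

# Constructed sample: a printer close to factory defaults.
FACTORY = {
    "enabled_services": ["ipp", "lpd", "raw9100", "ftp", "airprint", "wsd"],
    "management": ["http", "https", "telnet"],
    "snmp_versions": ["v1", "v2c"],
    "default_password": True,
    "ipv6": True,
}
# Constructed sample: the same printer after applying tips 2 and 4.
HARDENED = {
    "enabled_services": ["ipp"], "management": ["https"],
    "snmp_versions": ["v3"], "default_password": False,
    "ipv6": False, "allowed_peers": ["10.20.0.5"],
}

if __name__ == "__main__":
    for finding in audit_printer(FACTORY, {"ipp"}, "10.20.0.5"):
        print("FAIL", finding)
```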