How to upgrade firmware and implement access control list on HP JetDirect devices
Many businesses, universities and even some public networks have a network-connected printer so that customers, employees or students can print their work or any information they would like a hard copy of. Recently, hackers and others have been targeting internet-connected printers in order to waste resources (paper, toner, etc.) or to find a way to exploit protocols to gain access to more vital systems on the network. There are many brands of printers sold that can be connected to a network through either Ethernet or wireless connections. This article focuses on the most prolific brand of network-attached printers, HP. If you have an HP printer that is connected to a network that has an internet connection, your printer may at times print out random pages that you did not print yourself. The reason this happens is most likely due to configuration issues in the JetDirect card or external server that is connected to the printer. To prevent printing to the printer from outside the local network, the most appropriate solutions are putting the printer behind a firewall or implementing an access control list.
Implementing a firewall can be as easy as pie, or it could end up being the bane of your existence, depending on your skills and knowledge of computer networks. The easiest way to implement a firewall is usually to buy a router and place it between your internet connection and your network. Most routers these days have a simple built-in firewall that will offer simple protection for your network and network-attached devices. In many cases the router will have a setup/configuration wizard that will guide you through the process of setting up your network. In some cases, whether because of budget issues, network topology or some other special case, this method is not preferred or just not a viable option. In cases where a router cannot be used, firewall software is usually installed on a machine, and the network connections for devices, computers, etc. are routed through that machine so that the firewall software can control the connections from inside and outside your network. Note that configuring firewall software can be a daunting, almost impossible task for those who have little to no knowledge of networks, protocols and ports. This article will not go into setting up or configuring firewalls; instead, we are going to focus on setting access control lists on the JetDirect cards and external servers of HP printers.
According to HP, all newer JetDirect devices have the ability to implement an access control list to restrict access to the printer to specific IP addresses or IP ranges. Depending on the age of your device (and HP printers are known for their longevity), the firmware in your JetDirect device could be outdated and therefore may not support access control lists. If you are unsure of the version of the firmware inside your device, the current configuration of both the JetDirect device and the printer itself can be printed from the printer's internal menu. If you are unsure of how to do this or you cannot find the option, use your favorite search engine and look up the documentation for your printer. Most JetDirect devices come from the factory set up with an internal web server which, if you're lucky, can be used to configure the device. Most times, though, these internal web servers are implemented using Java, which in my experience never works correctly. Because of this, HP also provides alternative access to the device using Telnet. Since the Java web server never seems to work for me, this article will focus on using Telnet to log in to the JetDirect device and configure the access control list. If you try to telnet to the address of the JetDirect card but get an error saying connection refused, either there is an admin password on the device or you need to do a cold reset to reactivate the Telnet server inside the device. To do a cold reset on most HP printers, turn the printer off, then hold the "GO" button while turning the printer back on.
Once you have your JetDirect model number, click the following link for HP firmware updates: HP JetDirect Firmware
Once you have downloaded the appropriate firmware, you will have to update the firmware in the JetDirect device to the new version that you downloaded. I have found that the steps HP recommends to update the firmware, in most cases, don't work unless your device is running a newer firmware version. Many hours were spent searching the internet looking for a reliable way to upgrade the firmware until I found this link. All the devices I have had to update have worked using the instructions found in the provided link. The process of updating involves setting up a TFTP server that hosts the update file. Once you have your TFTP server up and running, the steps provided in the link have worked every time for me. I primarily use Linux, so setting up a TFTP server to host the new firmware file is a fairly easy process. If you are using Windows and don't have access to a Linux machine, you can download virtualization software to install Linux in a virtual machine, or you can search the internet for instructions on how to do this in Windows.
Once the device has rebooted from installing the firmware update, you can telnet into the device and implement your access control list. The access control list allows you to specify a single IP address or a range of IP addresses using an IP address and netmask. The allow command is the basis for the access control list. NOTE: The access control list in most cases will only hold 10 entries. If you need to specify more than 10 individual IP addresses, it is best to use the IP range notation. Examples of how to use the allow command are listed below.
| Command | Description |
| --- | --- |
| allow: list | Lists all entries of the access control list. |
| allow: 192.168.0.101 | Adds the single IP address 192.168.0.101 to the access control list. |
| allow: 192.168.0.1 255.255.255.0 | Adds IP addresses from 192.168.0.1 to 192.168.0.254 to the access control list. |
Once you have finished adding your addresses to the access control list, type "quit" to save and exit the JetDirect device. NOTE: The access control list not only defines which IP addresses can print to the device, it also defines which IP addresses can connect to the device via Telnet or the web interface. I have found that it is always a good idea to add at least one single IP address to the access control list in case of any typos or configuration mistakes; this way you will be able to get back into the device and make changes from that single IP address.
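The following Python example is added here and is not part of the original article. It plans an access control list that fits the 10-entry limit: the admin address always gets its own single-IP entry, and the remaining hosts are widened into netmask ranges only as far as needed. The host list, the `local_net` boundary and all function names are assumptions for illustration, and addresses are assumed to be IPv4.

```python
import ipaddress

MAX_ENTRIES = 10  # entry limit stated in the article


def plan_acl(hosts, admin_ip, local_net, max_entries=MAX_ENTRIES):
    """Fit hosts into the ACL, keeping admin_ip as its own single-IP entry."""
    local_net = ipaddress.ip_network(local_net)
    admin = ipaddress.ip_network(admin_ip)  # a bare IP parses as a /32
    nets = [ipaddress.ip_network(h) for h in hosts]
    stray = [str(n) for n in nets + [admin] if not n.subnet_of(local_net)]
    if stray:
        raise ValueError(f"not inside {local_net}: {stray}")
    # Exact entries first: only perfectly adjacent addresses are merged.
    nets = list(ipaddress.collapse_addresses(nets))
    while len(nets) > max_entries - 1:  # one slot is reserved for admin_ip
        best = None
        for left, right in zip(nets, nets[1:]):
            merged = left
            while not right.subnet_of(merged):
                merged = merged.supernet()  # widen until both neighbours fit
            if best is None or merged.num_addresses < best.num_addresses:
                best = merged  # prefer the range that over-permits the least
        nets = list(ipaddress.collapse_addresses(
            [n for n in nets if not n.subnet_of(best)] + [best]))
    return [admin] + nets


def allow_commands(entries):
    """Render entries in the article's syntax: bare IP, or IP plus netmask."""
    return [f"allow: {n.network_address}" if n.num_addresses == 1
            else f"allow: {n.network_address} {n.netmask}" for n in entries]


def is_allowed(entries, ip):
    """True if the planned ACL would accept a connection from ip."""
    return any(ipaddress.ip_address(ip) in n for n in entries)


# Constructed sample: 14 workstations, plus the article's example IP as admin host.
HOSTS = [f"192.168.0.{i}" for i in
         (16, 17, 18, 19, 32, 33, 50, 60, 70, 80, 90, 100, 110, 120)]
ACL = plan_acl(HOSTS, "192.168.0.101", "192.168.0.0/24")

if __name__ == "__main__":
    print("\n".join(allow_commands(ACL)))
    extra = sum(n.num_addresses for n in ACL) - len(HOSTS) - 1
    print(f"# {len(ACL)} entries, {extra} addresses allowed beyond those listed")
```

Widening is a trade-off: in this sample the hosts .50 and .60 become one range that also admits unlisted addresses such as 192.168.0.55, so review the reported surplus before typing the commands into the Telnet session.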