Friday, February 10, 2012

HP Wi-Fi Direct Printing in the Enterprise

Have you been thinking that Wi-Fi Direct will mainly be limited to consumer applications? Think again. HP just announced support for Wireless Direct Printing, which allows any Wi-Fi capable device to print directly to the printer when in proximity without connecting through the corporate network.


This solution works by leveraging the Wi-Fi Direct standard that was developed last year by the Wi-Fi Alliance and the Apple AirPrint technology that eliminates software or driver installation on Apple mobile devices. The user simply needs to connect to the Wi-Fi network that the printer advertises, then print.

Pros: Easy printing from mobile devices in the enterprise

This should help simplify support for BYOD (bring your own device) initiatives. Since BYOD typically is also designed with security restrictions around corporate network access, and printers are usually distributed throughout the network, providing access to those printers would be a management headache to say the least.

Also, mobile device printing via Apple AirPrint on a corporate network is not usable at this point due to protocol limitations that prevent printer discovery and access across layer 3 network boundaries. The ability to connect directly to the printer and print documents will allow immediate adoption of AirPrint in the enterprise.

HP Wireless Direct Printing is Easy using AirPrint
(but appears to lack any security)

Cons: Unproven security


The security issues involved with a Wi-Fi network being advertised by a printer that is directly cabled into your network are significant. Printers have historically been easy targets for attackers to gain access to corporate networks due to their lack of focus on security. Just look here! By allowing direct wireless access to the printer, enterprises risk exploitation of numerous printer vulnerabilities which could result in broad internal network access for an attacker.

HP's implementation also appears to use an open Wi-Fi network, which makes the risk even greater! The Wi-Fi Direct FAQ describes the use of a separate "security domain" from the corporate wireless network. What this means is that security of the Wi-Fi Direct connection can be different (and simpler) than the security required to access the corporate network. But that doesn't require an open connection. Wi-Fi Direct supports strong WPA2 pre-shared key security and ease-of-setup using WPS. However, HP's documentation implies a wide-open wireless network.

HP Wireless Direct Printing Appears to Lack Any Security
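
A defensive check for the risk described above, as an added example that is not part of the original post: it parses wireless scan text (a constructed sample modelled on `iw dev <interface> scan` output) and lists BSSIDs that are not in the managed-AP inventory, open networks first. The inventory set, SSIDs and BSSIDs are hypothetical.

```python
import re

# Constructed sample modelled on `iw dev wlan0 scan` output; not a real capture.
SAMPLE_SCAN = """\
BSS 02:00:00:aa:00:01(on wlan0)
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: CorpNet
    RSN:     * Version: 1
BSS 02:00:00:bb:00:02(on wlan0)
    capability: ESS ShortSlotTime (0x0401)
    SSID: Printer-Direct-Example
BSS 02:00:00:cc:00:03(on wlan0)
    capability: ESS Privacy ShortSlotTime (0x0411)
    SSID: Printer-Direct-Secured
    RSN:     * Version: 1
"""

# Hypothetical inventory of BSSIDs belonging to the managed corporate WLAN.
MANAGED_BSSIDS = {"02:00:00:aa:00:01"}

def parse_scan(text):
    """Return one dict per BSS: bssid, ssid, and a coarse security label."""
    results = []
    for block in re.split(r"(?m)^(?=BSS )", text):
        m = re.match(r"BSS ([0-9a-f:]{17})", block)
        if not m:
            continue
        ssid = re.search(r"(?m)^\s*SSID: (.*)$", block)
        cap = re.search(r"(?m)^\s*capability: (.*)$", block)
        privacy = bool(cap and "Privacy" in cap.group(1).split())
        if re.search(r"(?m)^\s*RSN:", block):
            security = "WPA2"
        elif re.search(r"(?m)^\s*WPA:", block):
            security = "WPA"
        elif privacy:
            security = "WEP"   # Privacy bit set but no WPA/RSN element
        else:
            security = "open"  # no encryption advertised at all
        results.append({"bssid": m.group(1), "security": security,
                        "ssid": ssid.group(1) if ssid else ""})
    return results

def unmanaged_findings(text, managed):
    """List BSSes not in the managed inventory, open networks first."""
    rogue = [b for b in parse_scan(text) if b["bssid"] not in managed]
    return sorted(rogue, key=lambda b: b["security"] != "open")

if __name__ == "__main__":
    for b in unmanaged_findings(SAMPLE_SCAN, MANAGED_BSSIDS):
        print(f'{b["security"]:5} {b["bssid"]} {b["ssid"]}')
```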


Recommendation: Wait and see

I can't provide a solid recommendation on this technology or use in the enterprise until I learn more about HP's implementation. I have more questions than answers at this point. The prudent path for enterprises will be to wait and see what is discovered about this solution by the community over the coming weeks / months and engage your HP account team to learn more about the solution and security features.

Additionally, verify whether the printers that your organization is purchasing support this technology, what the default settings are, and what controls can be put in place to prevent use of this feature until its use is appropriately secured and approved.

Cheers,
Andrew

5 comments:

  1. Lantronix just launched a product that will enable iOS printing to traverse layer 3 boundaries and enable iOS printing on non-AirPrint devices:

    http://www.lantronix.com/it-management/mobile-print-servers/xprintserver.html

    Also, when using these consumer-grade printers they tend to go into a "stand-by" or "passive" mode where they do not generate any traffic and the client thus can't reach them as the WLC will delete the ARP entry after 10min. This is documented in CSCsq46427.

    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsq46427

  2. Thanks for the Lantronix information. I expect we will see more solutions for this, and Apple to provide that feature soon, as well.

    On the printer connection, I think the more likely scenario in the enterprise is a wired connection to the network, and Wi-Fi only used for wireless direct printing by client devices.

    Also, Cisco addressed passive Wi-Fi devices with the Passive Client feature introduced in more recent versions of code. Previously, admins could also create a static entry in the WLC that didn't time out (but that was manual and didn't scale well if many devices needed to be supported).

    Thanks,
    Andrew

  3. The problem is many AirPrint printers are Wi-Fi only.

    Also, the Passive Client feature does not apply to HREAP APs. HREAP is becoming the preferred AP mode for many organizations.

  4. Apple would have to get rid of Bonjour (multicast with a TTL of 1) to enable L3 traversal. I don't see this happening anytime soon as it's their answer to "easy" networking :)

  5. Great points on H-REAP (ahem, FlexConnect) and AirPrint printers being WiFi only. That is definitely relevant in more small businesses and education. In larger organizations, wired printers are the norm though. I'm interested to see how far HP takes this feature and into what product lines.

    Also, I don't think Bonjour is going away, but will be updated to work across subnet boundaries. How, I'm not sure, but I bet it would involve Lion Server and a coordinated service of some sort. If only Apple would use DNS like the rest of the world ;)

    Andrew
