Adding a small port switch for user on a network for printer?
What concerns in a work environment are there with letting users add a network switch to their desk that is connected to the rest of the company network? For example to add ports for a persona printer issues from company, instead of dropping another network drop?
Does adding a switch like that typically introduce security concerns?
Does adding a switch like that typically introduce security concerns?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Thank you much and I was pleased to help you.
I disagree with the above. The very first thing that comes to mind is that by permitting the user to add a micro-switch to the environment you have just:
1. Added a non-managed device to your network
2. Explicitly given permission to that user to leverage their extra ports
3. Created the potential for a network choke point/bottleneck that has the very real potential to impact performance moving forward.
4. Due to number 1 - the introduction of numerous security concerns.
Long and short of it - if they need the printer right there and they unable to locomote to another area to pick up prints, then have a new drop put in and connect the printer there. The plan for the micro switch is a spectacular idea until it isn't and then it rapidly devolves into a nightmare. From experience? They always devolve.
1. Added a non-managed device to your network
2. Explicitly given permission to that user to leverage their extra ports
3. Created the potential for a network choke point/bottleneck that has the very real potential to impact performance moving forward.
4. Due to number 1 - the introduction of numerous security concerns.
Long and short of it - if they need the printer right there and they unable to locomote to another area to pick up prints, then have a new drop put in and connect the printer there. The plan for the micro switch is a spectacular idea until it isn't and then it rapidly devolves into a nightmare. From experience? They always devolve.
Just keep a mild watch on things. Most users (almost all of mine) want to improve there work place and are not likely to hook extra things up. Just watch occasionally
Also be sure it is a Switch and not a hub ...
And if you use Gbps speeds connections some Home "switches" might tend to run very hot when Gbps speeds are Actually used.
And if you use Gbps speeds connections some Home "switches" might tend to run very hot when Gbps speeds are Actually used.
What knid of printer?
If it's a cheap dumb printer, you don't have to do much, but many network printers have insecure open port settings. Connect to the printer's ip address via a web browser. If there's a web page, you can manage it remotely. See if there are things you can change. Some printers give an informational page and allow simple controls to pause the printer and restart. Some just give an informational page.
A lot of network printers have configuration pages with default password settings. You should change the default and record that password. Next, turn off all the insecure settings such as ftp, http(if you have https available), etc.... Turn off settings you don't need. A lot of HP printers have a lot of different ways to print to it, so I turn off all the unnecessary parts, such as airprint, webprint, etc..., since I only use lpd and connect the printer to a print server. You can also set and limit the IP address to just the print server or local subnet, depending on what access you want it to have. Ricoh, Canon, Xerox, etc... all have something similar, so make sure you check. Most settings are turned on by default so non-tech users can connect whatever they need to it and be able to print. You have to turn them off to secure it.
I find that printers are generally the least secured sysadmin controlled devices because most sysadmins don't really know their printers. They just want it to work, so they connect their print server and drivers, but forget that modern printers have their own OS and a small web server built-in. I've had to secure so many printers whenever I take over a new site, because it's one of the most overlooked items.
If it's a cheap dumb printer, you don't have to do much, but many network printers have insecure open port settings. Connect to the printer's ip address via a web browser. If there's a web page, you can manage it remotely. See if there are things you can change. Some printers give an informational page and allow simple controls to pause the printer and restart. Some just give an informational page.
A lot of network printers have configuration pages with default password settings. You should change the default and record that password. Next, turn off all the insecure settings such as ftp, http(if you have https available), etc.... Turn off settings you don't need. A lot of HP printers have a lot of different ways to print to it, so I turn off all the unnecessary parts, such as airprint, webprint, etc..., since I only use lpd and connect the printer to a print server. You can also set and limit the IP address to just the print server or local subnet, depending on what access you want it to have. Ricoh, Canon, Xerox, etc... all have something similar, so make sure you check. Most settings are turned on by default so non-tech users can connect whatever they need to it and be able to print. You have to turn them off to secure it.
I find that printers are generally the least secured sysadmin controlled devices because most sysadmins don't really know their printers. They just want it to work, so they connect their print server and drivers, but forget that modern printers have their own OS and a small web server built-in. I've had to secure so many printers whenever I take over a new site, because it's one of the most overlooked items.
ASKER