Adding a small port switch for user on a network for printer?

garryshape
What concerns in a work environment are there with letting users add a network switch to their desk that is connected to the rest of the company network? For example, to add ports for a personal printer issued from company, instead of dropping another network drop?
Does adding a switch like that typically introduce security concerns?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
If it is a plain simple wired switch (3-Com or like), and the printer is connected by Ethernet, and the printer is an ordinary dumb device, then no concerns.

Do not use wireless and a smart wireless printer with Air Print and so on, because you would not have total control over the device.

Author

Commented:
Thanks, that makes sense. Do you have a recommendation on securing that printer from being printed to by anyone else other than that assigned user then? Would it be a firewall MAC to MAC allow policy type of thing?
Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
So long as the printer is wired, and no driver put on the server, then you should be fine.

It will not be firewalled with a simple switch, so if people insist on looking they might find it.

The user should turn it off when not using it.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Thank you much and I was pleased to help you.
atlas_shuddered, Sr. Network Engineer

Commented:
I disagree with the above.  The very first thing that comes to mind is that by permitting the user to add a micro-switch to the environment you have just:

1.  Added a non-managed device to your network
2.  Explicitly given permission to that user to leverage their extra ports
3.  Created the potential for a network choke point/bottleneck that has the very real potential to impact performance moving forward.
4.  Due to number 1 - the introduction of numerous security concerns.

Long and short of it - if they need the printer right there and they are unable to locomote to another area to pick up prints, then have a new drop put in and connect the printer there.  The plan for the micro switch is a spectacular idea until it isn't and then it rapidly devolves into a nightmare.  From experience?  They always devolve.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Just keep a mild watch on things. Most users (almost all of mine) want to improve their work place and are not likely to hook extra things up. Just watch occasionally.
noci, Software Engineer
Distinguished Expert 2018

Commented:
Also be sure it is a Switch and not a hub ...
And if you use Gbps speed connections, some Home "switches" might tend to run very hot when Gbps speeds are actually used.
What kind of printer?

If it's a cheap dumb printer, you don't have to do much, but many network printers have insecure open port settings.  Connect to the printer's IP address via a web browser.  If there's a web page, you can manage it remotely.  See if there are things you can change.  Some printers give an informational page and allow simple controls to pause the printer and restart.  Some just give an informational page.

A lot of network printers have configuration pages with default password settings.  You should change the default and record that password.  Next, turn off all the insecure settings such as ftp, http(if you have https available), etc....  Turn off settings you don't need.  A lot of HP printers have a lot of different ways to print to it, so I turn off all the unnecessary parts, such as airprint, webprint, etc..., since I only use lpd and connect the printer to a print server.  You can also set and limit the IP address to just the print server or local subnet, depending on what access you want it to have.  Ricoh, Canon, Xerox, etc... all have something similar, so make sure you check.  Most settings are turned on by default so non-tech users can connect whatever they need to it and be able to print.  You have to turn them off to secure it.

I find that printers are generally the least secured sysadmin controlled devices because most sysadmins don't really know their printers.  They just want it to work, so they connect their print server and drivers, but forget that modern printers have their own OS and a small web server built-in.  I've had to secure so many printers whenever I take over a new site, because it's one of the most overlooked items.
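
One way to check the result of the hardening described in the post above, as an added example that is not part of the original thread: the script connects to a printer you administer and compares the services that answer with the ones you actually need. The port-to-service table, the `audit_printer` helper and the 192.0.2.10 placeholder address are assumptions of this example.

```python
import socket

# Common printer services (this table is the example's assumption, not from the post).
PRINTER_SERVICES = {
    21: "ftp",
    23: "telnet",
    80: "http",
    443: "https",
    515: "lpd",
    631: "ipp",      # used by AirPrint
    9100: "raw",     # JetDirect-style raw printing
}


def is_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_printer(host, needed, services=PRINTER_SERVICES, timeout=1.0):
    """Compare the services that answer with the set the site needs.

    needed is a set of service names, e.g. {"lpd", "https"}.
    Returns (open_names, findings).
    """
    open_names = {name for port, name in services.items()
                  if is_open(host, port, timeout)}
    findings = [f"{name}: open but not needed, turn it off"
                for name in sorted(open_names - set(needed))]
    # The post's rule: turn off http if https is available.
    if "http" in needed and {"http", "https"} <= open_names:
        findings.append("http: https is also available, turn plain http off")
    # A needed service that does not answer is worth knowing about too.
    findings += [f"{name}: needed but not reachable"
                 for name in sorted(set(needed) - open_names)]
    return open_names, findings


if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder; use your own printer's address.
    _, results = audit_printer("192.0.2.10", needed={"lpd", "https"})
    print("\n".join(results) or "no findings")
```

Run it again after changing the printer's settings to confirm that only the intended services still answer.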
