this post was submitted on 14 Jul 2023
14 points (100.0% liked)

Cybersecurity

5677 readers
142 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !cybersecurity@lemmy.capebreton.social !securitynews@infosec.pub !netsec@links.hackliberty.org !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 1 year ago
MODERATORS
 

I hope I can ask for advice here. I didn't see anything against this in the rules, but also don't want to harsh the vibe. If it's not ok, please delete my most.

TL;DR - I need to share a network printer with the greater network, while also making it available to non-networked Windows XP and Vista computers. I am seeking advice on how to do this without connecting the out-of-compliance computers to the network (or to each other).


I can't believe I have to consider this problem, but here I am. We have a bunch of equipment ranging from about $20k to over $250k each, with computers running Windows Vista and Windows XP. We can't replace the computers, because both the software and device drivers are proprietary and we can't get the updated versions without purchasing new devices. The department must be able to print from these computers.

So far, I've implemented a "floating USB" methodology, where the printer is connected through one USB cable that the tech moves from computer to computer, as s/he needs to print. They only ever use one, MAYBE two, at a time, so the floating USB isn't as inconvenient as it sounds. The subscription on the printer that's in there now, ends soon and corporate is unwilling/unable to renew at this time. The only other printer the department has, is across the hall.

I proposed to move that printer to the other office, connect it to the network to allow them continued ability to print from their laptops, while continuing the floating USB for the WinXP and WinVista machines. They declined, as they use that printer quite often, and don't want to have to run across the hall during high-stress tasks.

I thought about running USB the distance, but it's capped at about 5 meters / 16 feet.

My latest proposals include an active USB extension cable or USB-over-Ethernet and running USB cabling in the rafters, which will allow for the floating USB method as well as keep the printer networked. My goal is to keep these XP and Vista computers disconnected from the network. I know connecting them to a networked printer isn't great, but it's better than connecting them directly to the greater network.

Another idea I had was to create a physically segregated network for these computers only, disconnected from the greater network, with the printer connected to this network's firewall via USB and shared as a Networked printer inside this internal network. The printer will also be connected to the greater network via Ethernet, and used there. The issue I have with this, is that it keeps the XP/Vista computers connected to each other and to the printer, which still holds the risk of infection spreading among them.

I'm anticipating the (worst case) push to connect them to the internal network and "just put them behind the firewall," which, as you all know, is a very bad idea. Therefore, I'm trying to amass as many viable ideas as I can, in the hope that one of them will prevent the worst case.

Does anyone have any other ideas for sharing this printer with networked and non-networked computers?

you are viewing a single comment's thread
view the rest of the comments
[–] Blackbird@infosec.pub 7 points 1 year ago (1 children)

Proxy/firewall that only lets them talk to the printer?

+1 for “USB Extender over CAT5E or CAT6 Connection up to 150ft” since that keeps the current workflow they seem capable of doing. That’s probably what I would do.

The main issue with the proxy/firewall is that the printer must also talk to other devices. That printer then becomes the common denominator, and traversal becomes a higher risk than we would like to accept.

I have a meeting with the department head next week, and I'll likely push the USB over CAT5/6 through to approvals afterwards.