How to print to a remote printer securely using a ssh tunnel
On the "head office" side, you have 3 choices to set up an SSH server:
(1) [Legacy] set up an LRP firewall with the hard disk option and install sshd, or
(2) set up a Linux box on the internal network with an OpenSSH server (called sshd), or
(3) set up a Windows XP box on the internal network, install cygwin-openssh and install sshd as a Windows service.
If you choose (2) or (3), set your router or firewall to port forward tcp port 22 (ssh traffic) to the
internal ssh server's IP address.
On the "road warrior" laptop, install cygwin and ssh, or putty.
Next, add a "special" printer that prints to IP=127.0.0.1, port=9100.
Please have the appropriate "printer driver" ready, either on a floppy, on a hard disk, or on a network shared drive. If your printer is not included in Windows' default list, use the "Have Disk" method. (Step-by-step instructions exist for Windows XP, Windows 2000 (methods A and B, plus quirks), Windows NT, Windows 98/ME and Windows 95.)
If you have Windows XP SP2, you need to tweak the "Windows Firewall" to open TCP port 22:
Click Start...Control Panel...(in Category View mode)...Security Centre...Windows Firewall
...Exceptions tab...Add Port....port name ssh, port 22, TCP
Thanks to Stefano of Sardegna, Italy for the XP-SP2 reminder.
When the "road warrior" or "branch office" is ready to print to the remote printer:
Double click the cygwin icon, a black screen pops up, type
ssh root@myoffice.com -L 9100:192.168.1.252:9100 (log on to LRP box as root)
or
ssh user@myoffice.com -L 9100:192.168.1.252:9100 (log on to Linux box or Windows box as user)
The above command invokes ssh to log on to the head office's ssh server and creates a "tunnel".
(This assumes you set up DNS to point myoffice.com to the IP address of the LRP box.)
The -L option says "listen on port 9100 on the road warrior's computer, carry that traffic to the remote side,
and deliver the road warrior's TCP traffic to port 9100 of the computer with IP address 192.168.1.252 on the remote side".
Printer traffic on port 9100 is now encrypted (tunneled) by the ssh protocol.
Now the road warrior can print confidential documents to the remote printer safely and securely.
If the "road warrior" hates typing long commands, create a Windows batch file
with the following content. Double clicking on the batch file icon will do all the typing:
    @echo off
    c:
    cd c:\cygwin\bin
    bash --login -c "ssh -l root myoffice.com -L 9100:192.168.1.252:9100"
(you can also use an IP address instead of myoffice.com)
If the "road warrior" also hates typing a password, set up authentication using an RSA public key and
private key, so that the "road warrior" does not have to type a password to log in to the sshd server.
Obviously this is a security risk: you have to balance safety against convenience.
Here is how to set up RSA public key and private key authentication so that a password is not required.
You can use the same technique to securely access other resources behind a firewall.
For example, if the road warrior or branch office wants to do secure email,
set up an ssh session to the LRP box, Linux box or Windows box in the internal network and:
tunnel port 110 to the other side, for POP3 mail (for most email users)
tunnel port 143 to the other side, for IMAP mail (only needed by advanced email users)
tunnel port 25 to the other side, for SMTP outbound traffic (to send email via the Linux box)
In this case, configure the road warrior's email client software to use
POP3 server = 127.0.0.1
IMAP server = 127.0.0.1
SMTP server = 127.0.0.1
Create a batch file like the example above and a desktop icon.
Double click the batch file icon to launch the ssh session and set up the tunnels.
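The printer tunnel and the mail tunnels described above, wrapped in one small script (an added example, not code from the original page). It assumes the page's placeholder names user@myoffice.com and 192.168.1.252, plus a hypothetical MAIL_IP for the internal mail box; it adds two checks the one-line commands lack: the local side is bound to 127.0.0.1 only, and ssh exits instead of running silently if a local port is already taken.

```shell
#!/bin/sh
# Added example (not from the original page): wraps the page's
# "ssh ... -L localport:host:port" recipe in a small script.
# Assumptions: user@myoffice.com and 192.168.1.252 are the page's
# placeholders; override REMOTE / PRINTER_IP / MAIL_IP to match your site.
REMOTE="${REMOTE:-user@myoffice.com}"
PRINTER_IP="${PRINTER_IP:-192.168.1.252}"

# Accept only a numeric TCP port in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Turn "localport:remotehost:remoteport" specs into -L arguments.
# Binding the local side to 127.0.0.1 keeps other machines on the road
# warrior's LAN from using the tunnel; the "printer at 127.0.0.1, port
# 9100" setting relies on the tunnel listening only there.
forward_args() {
  out=""
  for spec in "$@"; do
    case "$spec" in *:*:*) ;; *) echo "bad forward: $spec" >&2; return 1 ;; esac
    lp=${spec%%:*}; rest=${spec#*:}; rh=${rest%%:*}; rp=${rest#*:}
    valid_port "$lp" && valid_port "$rp" || { echo "bad port in: $spec" >&2; return 1; }
    out="$out -L 127.0.0.1:$lp:$rh:$rp"
  done
  printf '%s' "${out# }"
}

# Full command line. -N opens no remote shell (tunnel only), and
# ExitOnForwardFailure makes ssh quit instead of running silently when
# local port 9100 (or 110/143/25) is already in use on the laptop.
tunnel_cmd() {
  args=$(forward_args "$@") || return 1
  printf 'ssh -N -o ExitOnForwardFailure=yes %s %s' "$args" "$REMOTE"
}

# "sh tunnel.sh run": printer tunnel plus the three mail tunnels from the
# page, all pointed at the same internal box (MAIL_IP is a placeholder).
if [ "${1:-}" = "run" ]; then
  MAIL_IP="${MAIL_IP:-192.168.1.1}"
  eval "$(tunnel_cmd "9100:$PRINTER_IP:9100" "110:$MAIL_IP:110" \
                     "143:$MAIL_IP:143" "25:$MAIL_IP:25")"
fi
```

Run it as `sh tunnel.sh run` from the cygwin shell; it stays in the foreground for as long as the tunnels are needed, exactly like the interactive command on the page.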
If you use LRP as the firewall, you may want to adjust LRP Seawall's timeout to lengthen
the ssh session timeout. See the separate page on how to adjust Seawall's ssh session timeout.
Design footnote:
In the above system design, the corporate firewall only opens port 25 and port 22.
This is a better design than exposing port 110 or port 143 of the in-house email server to the outside world.
Personnel behind the firewall can use port 110 or port 143 to read their emails.
Personnel working from home or on the road must come in via SSH and set up tunnels
to read and send corporate emails under the protection of SSH's strong encryption.
The world is moving away from plain text protocols by hardening them with TLS or SSL:
newer versions of POP3 have TLS support on port 110, and SSL support on port 995
newer versions of IMAP have TLS support on port 143, and SSL support on port 993
newer versions of SMTP have TLS support on port 25
a version of "smtps" uses port 465 with SSL support, and has now become legacy
newer versions of telnet have SSL support on port 992
SSH runs over plain TCP, so it does not have the nasty firewall traversal problems of IPsec or PPTP.
SSH with tunneling has become the foundation technology of next generation VPN designs.
This next generation VPN is called SSL VPN.
One excellent SSL VPN implementation is OpenVPN.
1 comment:
I carefully read the whole article and tried to interpret whatever information you have posted about how to print to a remote printer securely. I am new to this concept, so I am facing difficulties as I do not have any programming knowledge.