Does your printer really need internet access?
I should say from the outset that all the words of wisdom below don’t belong to me, but to Rob Nichols from Hydro-Logic who was kind enough to write in after reading one of the bizarrer articles to appear on the website: HP warns LaserJet owners to patch their printers. Over to Rob.
Your article highlights an important security issue ignored by many people when setting up network equipment. That is “does this piece of equipment need to access the internet?”.
If the answer is “No”, usually because the piece of kit is only for users directly connected to the network, then the best policy is not to set the default gateway. By leaving the default gateway blank in a network device’s configuration you effectively deny access to it from the internet, as the device will not be able to reply to any request coming in from another network.
An external hacker could aim a denial of service attack or a possible stack overflow type attack, but to do either they would have to know that the device was at a specific address and, for the latter, exactly which make and model of printer it was, both of which are extremely difficult to determine from the outside and virtually impossible if the network is behind a NAT firewall/router. The hack would also have to be done blind, as the printer wouldn’t respond to the attack. Bear in mind, though, that not setting a default gateway does not block attacks from within the network.
So for example, if owners of the LaserJets covered by the article leave the default gateway blank on their printers the ability to hack in from outside the network would be curtailed. Similarly, network attached storage (NAS) devices that are only used locally should not have their default gateway set.
For these kinds of devices, often the only need for internet access is to allow updates, and this is usually more easily, and certainly more securely, achieved via local upload rather than letting the device do it itself. Many such devices do not have the facility to update automatically, so even this is not a reason to set the default gateway.
My personal experience is that the vast majority of home users should not set the default gateway on dumb network devices such as NAS boxes and network printers. The same is true for many small single site businesses.
Even multi-site businesses, or those managed via remote access, have a choice as to whether to set the default gateway, and administrators of such networks should ask the question “should I set the default gateway?” and only do so if there is a good reason to.
For example, if remote administrators dial into an “admin” workstation or server, they could access the local network devices from there without each device having a default gateway set.
This is a classic example of thinking twice before setting up absolutely everything in a network configuration. It is up there with not enabling every protocol available (enabling TCP/IP, IPX/SPX and NetBEUI on a network device will slow it down!).
The best advice is always to enable only what is needed. So to the checklist of “do I need anything more than TCP/IP?” (usually no), “do I need UPnP or SNMP?” (often no), “have I changed the default password?” (should always be yes), everyone should add “do I need to set the default gateway?”.
Just because you can set a default gateway does not mean you should!
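To make the routing behaviour Rob describes concrete, here is an added example (not part of the article or of Rob's letter): a minimal model of a device's reply-routing decision, run against a constructed scenario of a LAN printer receiving requests from on-link, other-subnet and internet hosts. The addresses, the `next_hop` and `reachable_sources` functions and the scenario are all constructed for illustration.

```python
"""Added example (not from the article): model of a network device's
routing decision, showing why a blank default gateway stops it from
answering off-subnet requests while hosts on the same LAN keep working."""
import ipaddress
from typing import List, Optional


def next_hop(iface: str, gateway: Optional[str], dst: str) -> Optional[str]:
    """Return where a reply to `dst` would be sent, or None if it is unroutable.

    iface   - the device's own address with prefix, e.g. "192.168.1.50/24"
    gateway - default gateway address, or None when the field is left blank
    dst     - address of the host that sent the request
    """
    net = ipaddress.ip_interface(iface).network
    target = ipaddress.ip_address(dst)
    if target in net:
        return "direct"            # same subnet: ARP for it and reply on-link
    if gateway is not None:
        return f"via {gateway}"    # off-subnet: hand the reply to the router
    return None                    # no route at all: the reply is dropped


def reachable_sources(iface: str, gateway: Optional[str],
                      sources: List[str]) -> List[str]:
    """Filter request sources down to those the device can actually answer."""
    return [s for s in sources if next_hop(iface, gateway, s) is not None]


# Constructed scenario (hypothetical addresses): a printer on a /24 LAN and
# requests arriving from four places.
PRINTER = "192.168.1.50/24"
SOURCES = [
    "192.168.1.20",   # workstation on the same LAN (a legitimate user)
    "192.168.1.99",   # another on-link host: still answered, as the caveat
                      # about attacks from within the network points out
    "10.0.0.7",       # host on a second internal subnet, behind a router;
                      # an "admin" workstation must sit on the printer's LAN
    "203.0.113.5",    # internet host (TEST-NET-3 documentation range)
]

if __name__ == "__main__":
    for gw in ("192.168.1.1", None):
        print(f"default gateway = {gw!r}")
        for src in SOURCES:
            print(f"  request from {src:<14} -> reply {next_hop(PRINTER, gw, src)}")
```

With the gateway set, every source gets a reply; with it blank, only the two on-link hosts do, which is the whole effect the letter relies on.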