FreeFlow® Print Server Security White Paper and Configuration Guide

| Service | Port | Description |
|---|---|---|
| WINS NetBIOS | 137 | This service is required for Windows Folder Browsing and resolving Windows server names. For example, it enables the FreeFlow® Print Server to be visible by “hostname” over a Windows network (i.e., NetBIOS over TCP/IP) to enable folder sharing and legacy Windows printing. You can disable/enable the WINS service in the Options tab from [Setup/Network Configuration] in the FreeFlow® Print Server GUI. |
| SMB NetBIOS (UDP) | 138 | This is an implementation of SMB over NetBIOS using the UDP/IP Datagram Service (Data Transfer), used by the FreeFlow® Print Server platform for Network Discovery. Setting the Security profile to ‘High’ closes this port. The FreeFlow® Print Server platform supports SMB directly over TCP, so we recommend closing port 138. |
| SMB NetBIOS (TCP) | 139 | This is an implementation of SMB over NetBIOS using the TCP/IP Session Service (Session Management), used by the FreeFlow® Print Server platform for Network Discovery. Setting the Security profile to ‘High’ closes this port. The FreeFlow® Print Server platform supports SMB directly over TCP, so we recommend closing port 139. |
| Net-SNMP v3 | 161 | This service is required for exchanging SNMP v3 messages. The SNMP v1/v2 services are insecure, so the recommendation is to use SNMP v3 for a “secure” SNMP connection. You can disable/enable the SNMP Gateway service in the SNMP tab from [Setup/Gateways] in the FreeFlow® Print Server GUI. Use SNMP v3 for secure exchange of information. |
| SNMP Trap | 162 | This service is required for SNMP Traps. The SNMP v1/v2 services are insecure, so the recommendation is to use SNMP v3 for a “secure” SNMP connection. |
| AppleTalk Ports | 201, 202, 203, 204, 205, 206, 207, 208 | The AppleTalk Gateway is a legacy service that supports AppleTalk networks for Mac workstations. We recommend closing these ports. The port services are: 1. AppleTalk Routing Maintenance (201), 2. AppleTalk Name Binding (202), 3. Unused #1 (203), 4. AppleTalk Echo (204), 5. Unused #2 (205), 6. Zone Information (206), 7. Unused #3 (207), 8. Unused #4 (208). |
| SVRLOC | 7000 | The Service Location Protocol (SLP) is for browsing remote file systems and is required when using NFS and Samba services. |
| SSL | 443 | The Secure Sockets Layer service provides encrypted and highly secure login and file transfer services. This service is required by client submission applications that support SSL/TLS (e.g., sHTTP, sIPP and SSH). This feature can be used for the Internet Web Services, IPP clients, JMF/JDF clients, FreeFlow® Print Server Core, Remote Services, and/or the FreeFlow® Make Ready (v2.0 or newer) submission clients. The specific Windows® service associated with this port is ‘World Wide Web Services (HTTPS Traffic-In)’. |
| SMB (TCP) | 445 | The SMB (a.k.a., Samba) service provides Windows® Folder Sharing capabilities. Print from SMB, Scan to SMB, Hot Folder, etc. require this SMB service. |
| LPR | 515 | The lpr Gateway supports print job submissions from widely available lpr client workstations. The lpr print job submission method is the most widely used print protocol. It is an insecure protocol in that it does not support authentication or data encryption. However, there is no known way to exploit the FreeFlow® Print Server platform over port 515. Enable IPSec services to make lpr job submissions “secured”. |
| IPP | 631 | 3rd-party partners and Xerox® (FreeFlow® Application Suite Software such as FreeFlow® Make Ready and FreeFlow® Core) and FreeFlow® Print Server customers have implemented IPP client applications. You can disable/enable the IPP Gateway service in the IPP tab from [Setup/Gateways] in the FreeFlow® Print Server GUI. The IPP Gateway on the FreeFlow® Print Server platform services these IPP clients over port 631, and establishes a connection over port 80 to transfer |
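
One way to verify the recommendations in this table on a running server, as an added example that is not part of the Xerox guide: the script parses `netstat -an` output and reports sockets on the ports the table says to close (138, 139, 201-208) or to protect (161/162 with SNMP v3, 515 with IPSec). The Windows-style `netstat` layout, the constructed sample lines and the names `GUIDANCE` and `audit` are assumptions made for illustration.

```python
import re

# Guidance transcribed from the port table: port -> (protocol or None, service, action).
# Protocol is None where the table does not name one (assumption: match TCP or UDP).
GUIDANCE = {
    138: ("UDP", "SMB NetBIOS (UDP)", "close"),
    139: ("TCP", "SMB NetBIOS (TCP)", "close"),
    161: (None, "Net-SNMP", "require SNMP v3"),
    162: (None, "SNMP Trap", "require SNMP v3"),
    515: (None, "LPR", "enable IPsec"),
}
GUIDANCE.update({p: (None, "AppleTalk", "close") for p in range(201, 209)})

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?", re.I)

def audit(netstat_text):
    """Return sorted (proto, port, service, action) for sockets the guide flags."""
    findings = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or unrelated line
        proto, local, _remote, state = m.groups()
        proto = proto.upper()
        # TCP: only listeners expose a service; UDP rows have no state column.
        if proto == "TCP" and (state or "").upper() != "LISTENING":
            continue
        port_text = local.rsplit(":", 1)[-1]  # also handles "[::]:515"
        if not port_text.isdigit():
            continue
        rule = GUIDANCE.get(int(port_text))
        if rule and rule[0] in (None, proto):
            findings.add((proto, int(port_text), rule[1], rule[2]))
    return sorted(findings, key=lambda f: (f[1], f[0]))

# Constructed sample, shaped like Windows `netstat -an` output.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:515            0.0.0.0:0              LISTENING
  TCP    [::]:515               [::]:0                 LISTENING
  TCP    10.0.0.5:50112         10.0.0.9:139           ESTABLISHED
  UDP    0.0.0.0:138            *:*
  UDP    0.0.0.0:161            *:*
"""

if __name__ == "__main__":
    for proto, port, service, action in audit(SAMPLE):
        print(f"{proto}/{port:<5} {service:<18} -> {action}")
```

An empty result after setting the Security profile to ‘High’ confirms that ports 138 and 139 are no longer bound; a finding for 161, 162 or 515 is a prompt to confirm the SNMP v3 or IPSec setting, not proof of a misconfiguration.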