6/15/2007

Firewall

What is a firewall?
A firewall protects networked computers from intentional hostile intrusion that could compromise confidentiality or result in data corruption or denial of service. It may be a hardware device running on a secure host computer. In either case, it must have at least two network interfaces, one for the network it is intended to protect, and one for the network it is exposed to. A firewall sits at the junction point or gateway between the two networks, usually a private network and a public network such as the Internet. The earliest firewalls were simply routers. The term firewall comes from the fact that by segmenting a network into different physical subnetworks, they limited the damage that could spread from one subnet to another just like firedoors or firewalls.

What does a firewall do?
A firewall examines all traffic routed between the two networks to see if it meets certain criteria. If it does, it is routed between the networks, otherwise it is stopped. A firewall filters both inbound and outbound traffic. It can also manage public access to private networked resources such as host applications. It can be used to log all attempts to enter the private network and trigger alarms when hostile or unauthorized entry is attempted. Firewalls can filter packets based on their source and destination addresses and port numbers. This is known as address filtering. Firewalls can also filter specific types of network traffic. This is also known as protocol filtering because the decision to forward or reject traffic is dependant upon the protocol used, for example HTTP, ftp or telnet. Firewalls can also filter traffic by packet attribute or state.

What can't a firewall do?
A firewall cannot prevent individual users with modems from dialling into or out of the network, bypassing the firewall altogether. Employee misconduct or carelessness cannot be controlled by firewalls. Policies involving the use and misuse of passwords and user accounts must be strictly enforced. These are management issues that should be raised during the planning of any security policy but that cannot be solved with firewalls alone.
The arrest of the Phonemasters cracker ring brought these security issues to light. Although they were accused of breaking into information systems run by AT&T Corp., British Telecommunications Inc., GTE Corp., MCI WorldCom, Southwestern Bell, and Sprint Corp, the group did not use any high tech methods such as IP spoofing . They used a combination of social engineering and dumpster diving. Social engineering involves skills not unlike those of a confidence trickster. People are tricked into revealing sensitive information. Dumpster diving or garbology, as the name suggests, is just plain old looking through company trash. Firewalls cannot be effective against either of these techniques.

Who needs a firewall?
Anyone who is responsible for a private network that is connected to a public network needs firewall protection. Furthermore, anyone who connects so much as a single computer to the Internet via modem should have personal firewall software. Many dial-up Internet users believe that anonymity will protect them. They feel that no malicious intruder would be motivated to break into their computer. Dial up users who have been victims of malicious attacks and who have lost entire days of work, perhaps having to reinstall their operating system, know that this is not true. Irresponsible pranksters can use automated robots to scan random IP addresses and attack whenever the opportunity presents itself.

How does a firewall work?
There are two access denial methodologies used by firewalls. A firewall may allow all traffic through unless it meets certain criteria, or it may deny all traffic unless it meets certain criteria . The type of criteria used to determine whether traffic should be allowed through varies from one type of firewall to another. Firewalls may be concerned with the type of traffic, or with source or destination addresses and ports. They may also use complex rule bases that analyse the application data to determine if the traffic should be allowed through. How a firewall determines what traffic to let through depends on which network layer it operates at. A discussion on network layers and architecture follows.

What are the OSI and TCP/IP Network models?
To understand how firewalls work it helps to understand how the different layers of a network interact. Network architecture is designed around a seven layer model. Each layer has its own set of responsibilities, and handles them in a well-defined manner. This enables networks to mix and match network protocols and physical supports. In a given network, a single protocol can travel over more than one physical support (layer one) because the physical layer has been dissociated from the protocol layers (layers three to seven). Similarly, a single physical cable can carry more than one protocol. The TCP/IP model is older than the OSI industry standard model which is why it does not comply in every respect. The first four layers are so closely analogous to OSI layers however that interoperability is a day to day reality.
Firewalls operate at different layers to use different criteria to restrict traffic. The lowest layer at which a firewall can work is layer three. In the OSI model this is the network layer. In TCP/IP it is the Internet Protocol layer. This layer is concerned with routing packets to their destination. At this layer a firewall can determine whether a packet is from a trusted source, but cannot be concerned with what it contains or what other packets it is associated with. Firewalls that operate at the transport layer know a little more about a packet, and are able to grant or deny access depending on more sophisticated criteria. At the application level, firewalls know a great deal about what is going on and can be very selective in granting access.
It would appear then, that firewalls functioning at a higher level in the stack must be superior in every respect. This is not necessarily the case. The lower in the stack the packet is intercepted, the more secure the firewall. If the intruder cannot get past level three, it is impossible to gain control of the operating system.
Professional firewall products catch each network packet before the operating system does, thus, there is no direct path from the Internet to the operating system's TCP/IP stack. It is therefore very difficult for an intruder to gain control of the firewall host computer then "open the doors" from the inside.
According To Byte Magazine, traditional firewall technology is susceptible to misconfiguration on non-hardened OSes. More recently, however, "...firewalls have moved down the protocol stack so far that the OS doesn't have to do much more than act as a bootstrap loader, file system and GUI". The author goes on to state that newer firewall code bypasses the operating system's IP layer altogether, never permitting "potentially hostile traffic to make its way up the protocol stack to applications running on the system".

What different types of firewalls are there?
Firewalls fall into four broad categories: packet filters, circuit level gateways, application level gateways and stateful multilayer inspection firewalls. Packet filtering firewalls work at the network level of the OSI model, or the IP layer of TCP/IP. They are usually part of a router. A router is a device that receives packets from one network and forwards them to another network. In a packet filtering firewall each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can drop the packet, forward it or send a message to the originator. Rules can include source and destination IP address, source and destination port number and protocol used. The advantage of packet filtering firewalls is their low cost and low impact on network performance. Most routers support packet filtering. Even if other firewalls are used, implementing packet filtering at the router level affords an initial degree of security at a low network layer. This type of firewall only works at the network layer however and does not support sophisticated rule based models . Network Address Translation (NAT) routers offer the advantages of packet filtering firewalls but can also hide the IP addresses of computers behind the firewall, and offer a level of circuit-based filtering.
Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP. They monitor TCP handshaking between packets to determine whether a requested session is legitimate. Information passed to remote computer through a circuit level gateway appears to have originated from the gateway. This is useful for hiding information about protected networks. Circuit level gateways are relatively inexpensive and have the advantage of hiding information about the private network they protect. On the other hand, they do not filter individual packets.
Application level gateways, also called proxies, are similar to circuit-level gateways except that they are application specific. They can filter packets at the application layer of the OSI model. Incoming or outgoing packets cannot access services for which there is no proxy. In plain terms, an application level gateway that is configured to be a web proxy will not allow any ftp, gopher, telnet or other traffic through. Because they examine packets at application layer, they can filter application specific commands such as http:post and get, etc. This cannot be accomplished with either packet filtering firewalls or circuit level neither of which know anything about the application level information. Application level gateways can also be used to log user activity and logins. They offer a high level of security, but have a significant impact on network performance. This is because of context switches that slow down network access dramatically. They are not transparent to end users and require manual configuration of each client computer.
Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls. They filter packets at the network layer, determine whether session packets are legitimate and evaluate contents of packets at the application layer. They allow direct connection between client and host, alleviating the problem caused by the lack of transparency of application level gateways. They rely on algorithms to recognize and process application layer data instead of running application specific proxies. Stateful multilayer inspection firewalls offer a high level of security, good performance and transparency to end users. They are expensive however, and due to their complexity are potentially less secure than simpler types of firewalls if not administered by highly competent personnel.

Is a firewall sufficient to secure my network or do I need anything else?
The firewall is an integral part of any security program, but it is not a security program in and of itself. Security involves data integrity (has it been modified?), service or application integrity (is the service available, and is it performing to spec?), data confidentiality (has anyone seen it?) and authentication (are they really who they say they are?). Firewalls only address the issues of data integrity, confidentiality and authentication of data that is behind the firewall. Any data that transits outside the firewall is subject to factors out of the control of the firewall. It is therefore necessary for an organization to have a well planned and strictly implemented security program that includes but is not limited to firewall protection.

What is IP spoofing?
Many firewalls examine the source IP addresses of packets to determine if they are legitimate. A firewall may be instructed to allow traffic through if it comes from a specific trusted host. A malicious cracker would then try to gain entry by "spoofing" the source IP address of packets sent to the firewall. If the firewall thought that the packets originated from a trusted host, it may let them through unless other criteria failed to be met. Of course the cracker would need to know a good deal about the firewall's rule base to exploit this kind of weakness. This reinforces the principle that technology alone will not solve all security problems. Responsible management of information is essential. One of Courtney's laws sums it up: "There are management solutions to technical problems, but no technical solutions to management problems".
An effective measure against IP spoofing is the use of a Virtual Private Network (VPN) protocol such as IPSec. This methodology involves encryption of the data in the packet as well as the source address. The VPN software or firmware decrypts the packet and the source address and performs a checksum. If either the data or the source address have been tampered with, the packet will be dropped. Without access to the encryption keys, a potential intruder would be unable to penetrate the firewall.

Firewall related problems:

  • Firewalls introduce problems of their own. Information security involves constraints, and users don't like this. It reminds them that Bad Things can and do happen. Firewalls restrict access to certain services. The vendors of information technology are constantly telling us "anything, anywhere, any time", and we believe them naively. Of course they forget to tell us we need to log in and out, to memorize our 27 different passwords, not to write them down on a sticky note on our computer screen and so on.
  • Firewalls can also constitute a traffic bottleneck. They concentrate security in one spot, aggravating the single point of failure phenomenon. The alternatives however are either no Internet access, or no security, neither of which are acceptable in most organizations.

Benefits of a firewall:

  • Firewalls protect private local area networks from hostile intrusion from the Internet. Consequently, many LANs are now connected to the Internet where Internet connectivity would otherwise have been too great a risk.
  • Firewalls allow network administrators to offer access to specific types of Internet services to selected LAN users. This selectivity is an essential part of any information management program, and involves not only protecting private information assets, but also knowing who has access to what. Privileges can be granted according to job description and need rather than on an all-or-nothing basis.
Thanks Ayub for sending me this post.
Posted by at No comments:
Labels:

6/11/2007

Microsoft Excel formulas

Following are the most asked questions of microsoft excel. I hope you'll find it worthwhile.

Excel settings:
  • When I enter a value, it appears with two decimal places. For example, when I enter 154 it shows up as 1.54. What's wrong?
    Somehow Excel's fixed-decimal mode was turned on. To return to normal select Tools » Options » Edit » remove the check mark from the Fixed decimal option.
  • Can I change the color of the worksheet tabs in my workbook?
    No. It would certainly be helpful to be able to color-code your worksheet tabs. Microsoft hasn't implemented this feature (please check this feature in Microsoft Office Live. I heard its available in this new version of office, though not sure) which has been available in 1-2-3 and Quattro Pro for quite a while.
  • I saved my workbook with a password, but Excel doesn't recognize it and won't let me open the file. Am I out of luck?
    Passwords are case sensitive. So if you originally entered your password as Xyzzy then typing xyzzy won't work. If you are entering the password correctly then it's time to start looking for a password recovery utility. Several utilities exist and some of them are free. Google search for Excel password recovery and you'll find several products that will come to the rescue. These products might raise some alarms for the security minded.
    Bottom line?
    Excel password protection isn't as secure as you might expect.
  • How can I increase the number of rows or columns in a worksheet?
    Every workbook in Excel has 255 columns and 65,526 rows. These values are fixed and cannot be changed. If you need more rows use Microsoft Access or latest version of Excel also known as Microsoft Excel Online.

Formulas and Functions:

  • Is there a function that returns the name of the worksheet?
    Excel's CELL function comes close. The following formula displays the workbook's full path along with the worksheet name:
    =CELL("filename")
    For example this formula might return something like:
    C:\Windows\Desktop\[Budget.xls]Sheet2
    Returning only the sheet name requires a more complex formula:
    =MID(CELL("filename"), FIND("]",CELL("filename"))+1, LEN(CELL("filename"))-FIND("]", CELL("filename")))
  • I have a price list stored in a worksheet and I need to increase all prices by 5 percent. Can I do this without re-entering all the prices?
    Excel provides two ways traditional technique which goes something like this...
    Insert or find a blank column near the prices.
    In that column's first cell enter a formula to multiply the price in that row by 1.05.
    Copy the formula down the column.
    Then select and copy the entire column of formulas, select the original prices and choose Edit » Paste Special » select Values to overwrite the original prices with the formulas results.
    And finally delete the column of formulas.
    Another more efficient approach also uses the Paste Special dialog box.
    To increase a range of values (prices in this example) by 5 percent enter 1.05 into any blank cell.
    Select the cell and choose Edit » Copy.
    Then select the range of values and choose Edit » Paste Special.
    Choose the Multiply option and click OK.
    Then delete the cell that contains the 1.05.
  • I've created some clever formulas and I don't want anyone else to see them. Is it possible to hide the formulas but display the results?



    Every cell has two key properties: locked and hidden.
    A locked cell can't be changed and the contents of a hidden cell don't appear in the formula bar when the cell is selected.
    By default every cell is locked and not hidden. But it's important to remember that these attributes have no effect unless the worksheet itself is protected.
    To change the attributes select the appropriate cell or range and then choose Format » Cells » Protection » Locked or Hidden (or both).
    Unlock cells that accept user input and lock formula and other cells that should stay unchanged (such as titles).
    To prevent others from seeing your formulas lock and hide the formula cells. The results of the formulas will be visible but the formulas will not.



    To protect the worksheet choose Tools » Protection » Protect Sheet. Make sure the Contents box is checked. Enter a password to prevent others from unprotecting the sheet. Locked cells in a protected sheet cannot be edited and changes are disabled.
  • Can I write a formula that returns the number of distinct entries in a range?
    Say we're hunting for a formula that, given the range 100, 99, 98, 100, 98, 100, 98, would return 3. This type of counting requires an array formula. For example counts the number of distinct entries in the range A1:D100.
    =SUM(1/COUNTIF(A1:D100, A1:D100))
    When you enter this formula you must press Ctrl-Shift-Enter.
    Pressing only Enter will give you the wrong result.
    Excel will place brackets around the formula to remind you that you've created an array formula.
    The preceding formula works fine in many cases but it will return an error if the range contains any blank cells.
    The formula below with Ctrl-Shift-Enter is more complex but it will handle a range that contains a blank cell.
    =SUM(IF(COUNTIF(A1:D100,A1:D100)=0, "", 1/COUNTIF(A1:D100,A1:D100)))

Thanks Ayub for sending me this great finding. Also thanks Imageshack for hosting the above images for free.

Posted by at 19 comments:
Labels: ,

6/10/2007

Excel Tricks

writing this set of tricks I found more than 600 relevant blogs and sites with the help of Google. Not all of them are different but some have incredible codes which empowers you to control Excel in very easy way and in full. Some of the codes and tricks are given below, I hope it will help you save your time and increase your productivity.

When I open a workbook Excel asks if I want to update the links. I've looked everywhere, and I can't find any links in my formulas!
  • I've never known Excel to be wrong about identifying links, so there's an excellent chance your workbook does contain one or more links but they are probably not formula links.
  • If you have a chart in your workbook click each data series in the chart and examine the Series formula in the formula bar. If the formula refers to another workbook, you've identified the link. To eliminate it and move the chart's data into the current workbook and recreate your chart. If your workbook contains any dialog sheets then select each object in each dialog box and examine the formula bar. If any object contains a reference to another workbook just edit or delete that reference. And if these two approaches don't solve your problem simply follow the following steps...
  • Step 1:
    Select Edit » Links. The link dialog box will appear.
    (In some cases, this command is not available. If you can't select it just skip to step 4.)
  • Step 2:
    Click the Change Source button and change the link to the active file.
  • Step 3:
    Select Insert » Name » Define. Scroll down the list in the Define Name dialog box and examine the Refers to box. Delete names that refer to another workbook or that contain an erroneous reference (such as #REF!). This is the most common cause of phantom links.
  • Step 4:
    Save your workbook. When you re-open it, Excel won't ask you to update links! Simple!!

How can I make text in a cell display in multiple lines?
When entering text into the cell, press Alt-Enter to insert a line break.
When you do so, Excel will automatically apply text wrapping to the cell.
To re-format existing cells so they sport wrapped text, select the Cells and choose Format » Cells. On the Alignment tab select Wrap text and click OK.

Sometimes my formulas do not get fully calculated. This often happens when I use custom functions created with Visual Basic.
Microsoft has acknowledged some problems with the Excel calculation engine. In order to be assured that all of your formulas have been calculated press Ctrl-Alt-F9 to force a complete recalculation.

Dates and times:

How can I calculate the difference between two dates?
Excel stores dates as serial numbers. The number 1 represents 1st January 1900, the number 2 represents 2nd January 1900 and so on. Formatting these numbers using a date format causes them to appear as actual dates. Therefore, if you have dates stored in two cells, you can simply create a formula that subtracts one from the other to get the number of intervening days. You'll want to make sure that the formula cell is formatted as a number, not a date. DATEDIF function which was not documented prior to Excel 2000 returns the difference between two dates expressed in years, months or days.
Excel's DATEDIF function takes three arguments. Its syntax is:
=DATEDIF (start_date, end_date, units)
In the syntax start_date is a date or reference to a date... end_date is a date or reference to a date... and units is a one- or two-digit string (in double quotes) specifying the units for the difference between the two dates.
Acceptable values for the units argument are shown below...

  • y returns the number of full years in the period.
  • m returns the number of full months in the period.
  • d returns the number of full days in the period.
  • md returns the number of full days in excess of the last full month.
  • ym returns the number of full months in excess of the last full year.
  • yd returns the number of full days in excess of the last full year.
    For example, assume cells A1 and B1 contain dates. The formula below returns the number of full years between the dates (useful for calculating a person's age):
    =DATEDIF(A1,B1,"y")
    The formula below calculates the number of full months between the two dates:
    =DATEDIF(A1,B1,"m")

I have a range of time values but when I try to sum them the total is never greater than 24 hours.
When you add a range that contains time values, Excel ignores the hours that exceed 24. The solution is to use a custom number format. Activate the cell that contains your total time and then choose Format » Cells » Number tab. Choose Custom from the Category list and type [h]:mm into the box labeled Type. Using brackets around the hour portion of the format string tells Excel to display hours that exceed 24 hours.

I have a worksheet that shows total hours and minutes worked along with the hourly pay rate. When I multiply these vales I don't get the result I'm looking for. What's wrong?
Multiply the result by 24 for the number of hours in a day.
If cell A1 contains the number of hours worked (for example, 16:45, for 16 hours and 45 minutes) and cell B1 has the hourly rate then the formula below will calculate the total wages...
=A1*B1*24
Make sure the cell that contains the formula is formatted as a number and not as time.

Is it possible to determine the day of the week for a particular date?
Yes, assume that cell A1 contains a date value. The formula below uses the WEEKDAY function, which returns an integer between 1 and 7 (1 for Sunday, 2 for Monday, and so on).
=WEEKDAY(A1)
If you'd prefer to see words rather than integers please modify the formula as follows:
=CHOOSE(WEEKDAY(A1), "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")
Another approach is activate the cell that contains your date and then choose Format » Cells » Number tab. Choose Custom from the Category list and type a custom number format string into the box labeled Type. The trick here is to use dddd as part of the format string.
For example, a format string of dddd mmmm d, yyyy will display the date and the day of the week, like this: Thursday November 23, 2000.

I need to determine the difference between two times. If the difference is positive, it works fine. But Excel doesn't want to display negative time values. Why not?
Excel stores dates and times as numeric values, so it should be possible to add or subtract one from the other. The problem occurs if you have a workbook containing only times and no dates. Subtracting one time from another doesn't always work. Negative time values appear as a series of pound signs, even though you've assigned the [h]:mm format to the cells. By default, Excel uses a date system that begins with January 1, 1900. A negative time value generates a date-time combination that falls before this date, which is invalid.
The solution is to use the 1904 date system. Select Tools » Options » Calculation tab and check the 1904 date system option to change the starting date to January 2, 1904. Your negative times will now be displayed correctly.
Note: If you use the 1904 date system, be careful when linking to date cells in other workbooks. If the linked workbook uses the 1900 date system, the dates retrieved by the links will be incorrect.

How can I enter the current date into a cell so it doesn't change from day to day? When I use the NOW function it always shows the current date!
The easiest way to enter the current date into a cell is to use the Ctrl-; key combination (press the Ctrl key and type a semicolon).
Similarly you can enter the current time by pressing Ctrl-Shift-; (press the Ctrl and Shift keys and type a semicolon). Both of these key combinations enter the information as a volatile value and not as a formula.

Chart and printing:

How can I print a workbook's full path in the header or footer? The Page Setup dialog box doesn't seem to offer the option.



Microsoft continues to ignore what must be thousands of requests for this feature. Although Microsoft Word offers this feature but Excel offers no direct way to print a workbook's full path in the header or footer. The only solution is to create a macro. The technique described below works with Excel 97 and later.
Press Alt-F11 to activate the Visual Basic editor.
In the Project window, double-click the project that corresponds to your workbook. The project list will expand to show several objects.
Double-click the item labeled Microsoft Excel Objects and then double-click the object labeled ThisWorkbook.
Enter the following three lines of VBA code into the code module for the ThisWorkbook object (usually in the right pane of the window you're seeing at this point).

Private Sub Workbook_BeforePrint (Cancel As Boolean)
ActiveSheet.PageSetup.LeftHeader = ThisWorkbook.FullName
End Sub
After inserting the code, press Alt-Q to return to Excel.

This procedure will be executed before you print or preview your workbook. It simply inserts the workbook's path into the left header position. If you prefer to put the path in a different position, substitute any of the following for LeftHeader: CenterHeader, RightHeader, LeftFooter, CenterFooter or RightFooter.

How can I save a chart as a GIF file?
You can save your worksheet as an HTML file and Excel will automatically convert any charts to GIF files. If that seems like overkill you can write a simple macro that will do the job. Press Alt-F11 to activate the Visual Basic editor. Select your workbook in the Projects window and choose Insert » Module to insert a new VBA module. Then type the following four-line procedure into the module...

Sub SaveChartAsGIF ()
Fname = ThisWorkbook.Path & "\" & ActiveChart.Name & ".gif"
ActiveChart.Export FileName:=Fname, FilterName:="GIF"
End Sub

After the macro is entered, reactivate Excel and click the chart to be saved.
Press Alt-F8 to display the Macro dialog box.
Select the SaveChartAsGIF macro and click Run. The procedure uses the chart's name as the GIF file name, and the file is stored in the same directory as the workbook.
This simple macro does no error checking, so it will generate an error if a chart is not selected or if the workbook has not been saved.

The above information is freely available on the internet. Ayub, Umakant and some friends helped me finding related questions.
Thanks Imageshack fo hosting the above image for free. Please use imageshack for all your website picture hosting.

Posted by at 2 comments:
Labels:

6/08/2007

DHCP Complete

What is DHCP?
DHCP (Dynamic Host Configuration Protocol) is a protocol that lets network administrators manage centrally and automate the assignment of IP (Internet Protocol) configurations on a computer network. When using the Internet's set of protocols (TCP/IP), in order for a computer system to communicate to another computer system it needs a unique IP address. Without DHCP, the IP address must be entered manually at each computer system. DHCP lets a network administrator supervise and distribute IP addresses from a central point. The purpose of DHCP is to provide the automatic (dynamic) allocation of IP client configurations for a specific time period (lease period) and to eliminate the work necessary to administer a large IP network.

Who created DHCP?
DHCP was created by the Dynamic Host Configuration Working Group of the Internet Engineering Task Force (IETF) a volunteer organization which defines protocols for use on the Internet. Its definition is recorded in an Internet RFC (standard) and the Internet Activities Board (IAB) is asserting its status as to Internet Standardization.

Why is DHCP important?
When connected to a network, every computer must be assigned a unique address. However, when adding a machine to a network, the assignment and configuration of network (IP) addresses has required human action. The computer user had to request an address and then the administrator would manually configure the machine. Mistakes in the configuration process are easy for novices to make, and can cause difficulties for both the administrator making the error as well as neighbors on the network. Also, when mobile computer users travel between sites, they have had to relive this process for each different site from which they connected to a network. In order to simplify the process of adding machines to a network and assigning unique IP addresses manually, there is a need to automate the task. The introduction of DHCP alleviated the problems associated with manually assigning TCP/IP client addresses. Network administrators have quickly appreciated the importance, flexibility and ease-of-use offered in DHCP.

How does DHCP work?
When a client needs to start up TCP/IP operations, it broadcasts a request for address information. The DHCP server receives the request, assigns a new address for a specific time period (called a lease period) and sends it to the client together with the other required configuration information. This information is acknowledged by the client, and used to set up its configuration. The DHCP server will not re allocate the address during the lease period and will attempt to return the same address every time the client requests an address. The client may extend its lease with subsequent requests, and may send a message to the server before the lease expires telling it that it no longer needs the address so it can be released and assigned to another client on the network.

What advantages does DHCP have over manual configuration methods?
The use of DHCP is highly recommended and there are a number of obvious reasons why you should use it. As mentioned before, there are two ways you can configure client addresses on a computer network, either manually or automatically. Manual configuration requires the careful input of a unique IP address, subnet mask, default router address and a Domain Name Server address. In an ideal world, manually assigning client addresses should be relatively straight forward and error free. Unfortunately we do not live in an ideal world so computers are frequently moved and new systems get added to a network. Also if a major network resource, such as a router (which interconnects networks) changes network addresses, this could mean changing EVERY system's configuration. For a network administrator this process can be time consuming, tedious and error prone. Problems can occur when manually setting up your client machines, so if you have the option to set-up your client machines automatically, please do, as it will save you time and a lot of headaches. DHCP has several major advantages over manual configurations. Each computer gets its configuration from a "pool" of available numbers automatically for a specific time period (called a leasing period), meaning no wasted numbers. When a computer has finished with the address, it is released for another computer to use. Configuration information can be administered from a single point. Major network resource changes ( e.g. a router changing address), requires only the DHCP server be updated with the new information, rather than every system.

Can DHCP provide support for mobile users?
Yes. The benefits of dynamic addressing are especially helpful in mobile computing environments where users frequently change locations. Mobile users simply plug-in their laptop to the network, and receive their required configuration automatically. When moving to a different network using a DHCP server, then the configuration will be supplied by that network's server. No manual reconfiguration is required at all.

Are DHCP servers easy to set-up and administer?
DHCP Servers offer completely centralized management of all TCP/IP client configurations, including IP address, gateway address and DNS address. DHCP servers are easy to administer and can be set-up in just a few minutes. Client addresses are assigned automatically unlike static set-up which requires the manual input of client addresses which can be a time consuming and tedious task.

Are there any limitations that I should be aware of?
Some machines on your network need to be at fixed addresses, for example servers and routers. The DHCP server you choose should be capable of assigning pre-allocated addresses to these specific machines. You need to be able to assign a machine to run the DHCP server continually as it must be available at all times when clients need IP access. To avoid conflicts between addresses assigned by the DHCP server and those assigned manually, users should be discouraged, or preferably prevented, from reconfiguring their own IP addresses. Some older operating systems do not support DHCP. If you have such systems you may be able to upgrade them. If this is not possible they may support the older BOOTP protocol, and a DHCP server can be chosen that will support this option. For peace of mind, it is a good idea to decide what is important to you, which of the available DHCP servers is best suited to meet your specific requirements and always get a second opinion.

How is it different than BOOTP or RARP?
DHCP is based on BOOTP and maintains some backward compatibility. The main difference is that BOOTP was designed for manual pre-configuration of the host information in a server database, while DHCP allows for dynamic allocation of network addresses and configurations to newly attached hosts. Additionally, DHCP allows for recovery and reallocation of network addresses through a leasing mechanism. RARP is a protocol used by Sun and other vendors that allows a computer to find out its own IP number, which is one of the protocol parameters typically passed to the client system by DHCP or BOOTP. RARP doesn't support other parameters and using it, a server can only serve a single LAN. DHCP and BOOTP are designed so they can be routed.

Why shouldn't clients assign IP numbers without the use of a server?
It is theoretically possible for client-machines to find addresses to use by picking an address out of the blue and broadcasting a request of all the other client machines to see if they are using them. Apple talk is designed around this idea, and Apple's MacTCP can be configured to do this for IP. However, this method of IP address assignment has disadvantages. A computer that needs a permanently-assigned IP number might be turned off and lose its number to a machine coming up. This has problems both for finding services and for security. A network might be temporarily divided into two non-communicating networks while a network component is not functioning. During this time, two different client-machines might end up claiming the same IP number. When the network comes back, they start malfunctioning. If such dynamic assignment is to be confined to ranges of IP addresses, then the ranges are configured in each desktop machine rather than being centrally administered. This can lead both to hidden configuration errors and to difficulty in changing the range. Another problem with the use of such ranges is keeping it easy to move a computer from one subnet to another.

Can DHCP support statically defined addresses?
Yes. At least there is nothing in the protocol to preclude this and one expects it to be a feature of any DHCP server. This is really a server matter and the client should work either way. The RFC refers to this as manual allocation.

Can a BOOTP client boot from a DHCP server?
Only if the DHCP server is specifically written to also handle BOOTP queries.

Can a DHCP client boot from a BOOTP server?
Only if the DHCP client were specifically written to make use of the answer from a BOOTP server. It would presumably treat a BOOTP reply as an unending lease on the IP address. In particular, the TCP/IP stack included with Windows 95 does not have this capability.

Is a DHCP server "supposed to" be able to support a BOOTP client?
The RFC on such interoperability (1534) is clear: "In summary, a DHCP server: ... MAY support BOOTP clients," (section 2). The word "MAY" indicates such support, however useful, is left as an option.

Can a DHCP server back up another DHCP server?
You can have two or more servers handing out leases for different addresses. If each has a dynamic pool accessible to the same clients, then even if one server is down, one of those clients can lease an address from the other server. However, without communication between the two servers to share their information on current leases, when one server is down, any client with a lease from it will not be able to renew their lease with the other server. Such communication is the purpose of the "server to server protocol" (see next question). It is possible that some server vendors have addressed this issue with their own proprietary server-to-server communication.

In a subnetted environment, how does the DHCP server discover what subnet a request has come from?
DHCP client messages are sent to off-net servers by DHCP relay agents, which are often a part of an IP router. The DHCP relay agent records the subnet from which the message was received in the DHCP message header for use by the DHCP server.
Note: a DHCP relay agent is the same thing as a BOOTP relay agent, and technically speaking, the latter phrase is correct.

If a physical LAN has more than one logical subnet, how can different groups of clients be allocated addresses on different subnets?
One way to do this is to preconfigure each client with information about what group it belongs to. A DHCP feature designed for this is the user class option. To do this, the client software must allow the user class option to be preconfigured and the server software must support its use to control which pool a client's address is allocated from.

Can DHCP support remote access?
PPP has its own non-DHCP way in which communications servers can hand clients an IP address called IPCP (IP Control Protocol) but doesn't have the same flexibility as DHCP or BOOTP in handing out other parameters. Such a communications server may support the use of DHCP to acquire the IP addresses it gives out. This is sometimes called doing DHCP by proxy for the client. I know that Windows NT's remote access support does this. A feature of DHCP under development (DHCPinform) is a method by which a DHCP server can supply parameters to a client that already has an IP number. With this, a PPP client could get its IP number using IPCP, then get the rest of its parameters using this feature of DHCP. SLIP has no standard way in which a server can hand a client an IP address, but many communications servers support non-standard ways of doing this that can be utilized by scripts, etc. Thus, like communications servers supporting PPP, such communications servers could also support the use of DHCP to acquire the IP addressees to give out.
I am not currently aware of any way in which DHCP can support client-computers served solely by PPP or SLIP. Such a computer doesn't have the IEEE-style MAC address that DHCP requires to act as its key to determining which client-computer is which within the same subnet. Communications servers that acquire IP numbers for their clients via DHCP run into the same roadblock in that they have just one MAC address, but need to acquire more than one IP address. One way such a communications server can get around this problem is through the use of a set of unique pseudo-MAC addresses for the purposes of its communications with the DHCP server. Another way (used by Shiva) is to use a different "client ID type" for your hardware address. lient ID type 1 means you're using MAC addresses. However, client ID type 0 means an ASCII string.

How can I relay DHCP if my router does not support it?
A server on a net(subnet) can relay DHCP or BOOTP for that net. Microsoft has software to make Windows NT do this.

Can you limit which MAC addresses are allowed to roam?
Sites may choose to require central pre-configuration for all computers that will be able to acquire a dynamic address. A DHCP server could be designed to implement such a requirement, presumably as an option to the server administrator.

What are the Gotcha's?
A malicious user could make trouble by putting up an unofficial DHCP server. The immediate problem would be a server passing out numbers already belonging to some computer yielding the potential for two or more "innocent bystander" nodes ending up with the same IP number. Net result is problems using the nodes, possibly intermittent of one or the other is sometimes turned off. A lot of problems are possible if a renegade server manages to get a client to accept its lease offering, and feeds the client its own version of other booting parameters. One scenario is a client that loads its OS over the network via tftp being directed to a different file (possibly on a different server), thus allowing the perpetrator to take over the client. Given that boot parameters are often made to control many different things about the computers' operation and communication, many other scenarios are just as serious. Note that BOOTP has the same vulnerabilities.
The "broadcast flag" DHCP includes a way in which client implementations unable to receive a packet with a specific IP address can ask the server or relay agent to use the broadcast IP address in the replies (a "flag" set by the client in the requests). The definition of DHCP states that implementations "should" honor this flag, but it doesn't say they "must". Some Microsoft TCP/IP implementations used this flag, which meant in practical terms, relay agents and servers had to implement it. A number of BOOTP-relay-agent implementations ( e.g. in routers) handled DHCP just fine except for the need for this feature, thus they announced new versions stated to handle DHCP.
Some of the virtual LAN schemes, i.e., those that use the packet's IP number to decide which "virtual LAN" a client-computer is on for the purposes of TCP/IP, don't work when using DHCP to dynamically assign addresses. DHCP servers and relay agents use their knowledge of what LAN the client-station is on to select the subnet number for the client-station's new IP address whereas such switches use the subnet number sent by the client-station to decide which (virtual) LAN to put the station on. Routers are sometimes configured so that one LAN on one port has multiple network (or subnet) numbers. When the router is relaying requests from such a LAN to the DHCP server, it must pass along as IP number that is associated with one of the network (or subnet) numbers. The only way the DHCP server can allocate addresses on one of the LAN's other network (or subnet) numbers is if the DHCP server is
specifically written to have a feature to handle such cases, and it has a configuration describing the situation.
The knowledge that a particular IP number is associated with a particular node is often used for various functions. Examples are: for security purposes, for network management, and even for identifying resources. Furthermore, if the DNS's names are going to identify IP numbers, the numbers, the IP numbers have to be stable. Dynamic
configuration of the IP numbers undercuts such methods. For this reason, some sites try to keep the continued use of dynamically allocable IP numbers to a minimum. With two or more servers serving a LAN, clients that are moved around (e.g. mobile clients) can end up with redundant leases. Consider a home site with two DHCP servers, a remote site with DHCP services, and a mobile client. The client first connects to the home site and receives an address from one of the two serves. He/she then travels to the remote site (without releasing the lease at the home site) and attempts to use the acquired address. It is of course NAK'ed and the client receives an address appropriate for the remote site. The client then returns home and tries to use the address from the remote site. It is NAK'ed but now the client broadcasts a DHCP DISCOVER to get a address. The server that holds the previous lease will offer the address back to the client but there is no guarantee that the client will accept that address; consequently, it is possible for the client to acquire an address on the other server and therefore have two leases within the site. The problem can be solved by using only one server per subnet/site and can be mitigated by short lease lengths. But in a very mobile environment, it is possible for these transient servers to consume more than their fair share of addresses. If departments, offices, or individuals run DHCP servers with their own small address pools on LANs shared by other departments, offices, or individuals, they can find that their addresses are being used by anyone on the LAN that happens to set their IP configuration to use DHCP.
Posted by at No comments:
Labels: ,
Subscribe to: Posts (Atom)