Static IP Vs DHCP

Static IP Vs DHCP

on 28.02.2005 07:42:33 by takcal.chan

Can anyone teach me about static IP vs DHCP in a company network? Which is better?

Re: Static IP Vs DHCP

on 28.02.2005 11:04:07 by Uli Link

Takcal wrote:

> Can anyone teach me about static IP vs DHCP in a company network? Which is better?

Both are better than each other.

--
Uli

These opinions are mine. All found typos are yours.

Re: Static IP Vs DHCP

on 28.02.2005 11:42:39 by wayne.taylor2

DHCP is good for large companies as they do not have to keep a log of
all IP addresses used; it also gives flexibility when, let's say for
example, you have 300 PCs in a Class C network but at any given time
there are no more than 200 PCs active.

Re: Static IP Vs DHCP

on 28.02.2005 12:41:54 by lahippel

wayne.taylor2@gmail.com wrote:
> DHCP is good for large companies as they do not have to keep a log of
> all IP addresses used; it also gives flexibility when, let's say for
> example, you have 300 PCs in a Class C network but at any given time
> there are no more than 200 PCs active.

From the (theoretical) security point of view, DHCP is good for all
networks with workstations. It prevents running services in hosts that
shouldn't have any. Only dedicated servers need stable IP addresses.

But in real life, it really doesn't matter that much. IP addresses are
pretty permanent even in DHCP networks, because the hosts renew their
leases before they expire. A host in active use may have the same IP
address for many years. And even renumbering permanent servers isn't
that bad, since DNS updates can cover the changes.

IMHO, DHCP is the way to go. Static IPs should be considered only in the
management interfaces of low level infrastructure (routers &c) that need
to be accessible even when the network is crippled.

-- Lassi

Re: Static IP Vs DHCP

on 28.02.2005 13:44:21 by xpyttl

"Uli Link" wrote in message
news:4222ec96$0$26540$9b4e6d93@newsread4.arcor-online.net...

> Both are better than each other.

Uli is exactly right. When people say "DHCP is better" or "static IPs are
better", they are speaking for THEIR particular situation, which is going to
be different than your situation.

Ever since businesses got onto this "activity based costing" fad, I/T
departments have pretty much been forced to screw their users. The costs of
anything I/T does to the user base is so diffuse that it's untrackable. But
the costs to I/T are out there for all to see.

This question is a little like that. In most cases, static IP's are pretty
expensive to maintain compared to DHCP. In general, DHCP is a lot less
functional and very confusing for users. 100 people will respond with "oh
but you could ...". Well, yes you could, but you won't because of the
costs.

So, do you want to screw your users or get screwed by your boss. The choice
is yours.

...

Re: Static IP Vs DHCP

on 28.02.2005 23:01:00 by ibuprofin

In article <6sDUd.38997$k4.760649@news1.nokia.com>, Lassi Hippeläinen wrote:

>wayne.taylor2@gmail.com wrote:

>> DHCP is good for large companies as they do not have to keep a log of
>> all IP addresses used,

Thus, when someone does something stupid the company has no means of
determining who. This is especially true if the non-technical users have
administrative rights to their computers and can install all the spyware
they desire.

>> it also gives flexibility when, let's say for example, you have 300 PCs
>> in a Class C network

Do all of those computers need to be reachable from the Internet? If not,
why are you wasting valuable IP addresses? See RFC1918 - there are nearly
nineteen million IP addresses available that you can use as you wish. Being
non-routable over the Internet also increases security.

>> but at any given time there are no more than 200 PCs active.

Something wrong with the business model.

>From the (theoretical) security point of view, DHCP is good for all
>networks with workstations. It prevents running services in hosts that
>shouldn't have any.

Setting the computer up correctly in the first place (which includes
setting static addresses, and enabling/disabling software) and not giving
the administrative password to the users provides more security.

>Only dedicated servers need stable IP addresses.

You like to guess where the computer is that some luser installed the
latest virus on - that is trashing your bandwidth?

>But in real life, it really doesn't matter that much. IP addresses are
>pretty permanent even in DHCP networks, because the hosts renew their
>leases before they expire.

Is that why microsoft developed the 'link-local' or 'zero-conf' service
that allows the computer to grab some random address out of mid air?

>A host in active use may have the same IP address for many years. And even
>renumbering permanent servers isn't that bad, since DNS updates can cover
>the changes.

I think a lot of that depends on individual circumstances.

>IMHO, DHCP is the way to go. Static IPs should be considered only in the
>management interfaces of low level infrastructure (routers &c) that need
>to be accessible even when the network is crippled.

If you have a thousand employees, and only one can spell 'IP', and you
allow anyone to install anything on your network - you may be right. I'd
certainly hate to be that one person.

Background: True story - my wife works at a small company in an office
with about 125 employees. The company president decided to drop a pile of
money upgrading the desktops to w2k, but didn't think it was necessary
to have any computer support other than the retailer who installed the
hardware and gave everyone the administrative password (even more
brilliant - the same password "password" on all systems). It took almost
two months before the inevitable happened, and the computers were so
infested with mal-ware as to be unusable. Not only did their profits
fall through the floor, the computers were so badly screwed that they
missed the quarterly tax return to the state. The state was "not amused".
Four people got fired (but not, of course, the company president). They
now have a staff of three (one with clue, one who has heard of that word
and may eventually discover its meaning, and a grunt to carry hardware
around and replace toner cartridges). Meanwhile, I'm the net-admin at a
larger facility with about 2000 computers and part of a staff of 9 doing
all computer/network maintenance. We don't have computer problems.

Old guy

Re: Static IP Vs DHCP

on 01.03.2005 05:21:56 by takcal.chan

Um... For security, for now we control all of the IP addresses; none of
the users know their IP, subnet mask, DNS, etc. But after we use the DHCP
server, they can easily get onto our network if they bring their laptop
and a network cable without any permission. Do you have any suggestions
on the following paragraphs?

<<
This is the tradeoff unfortunately. I don't consider it a big threat.

On the old network it's true that they needed to know an IP address to
get their computer working. However, if they have access to a computer,
they can just copy the settings from there, ping the network until they
find a vacant IP address and then use that.

On the new network getting an IP address will be easier for sure.
However, on the new network you don't really need to control the IP
space quite so tightly, as there will be no mission-critical servers on
it -- they'll all be on a separate subnet. In order to use network
resources they'll need a login and a password, so really the worst they
can do is use the internet. Also, you'll have more IP addresses to play
with, so you don't have to worry about them all getting used up.

You are right of course, it's not a good idea to let people plug in
their own machines without permission, so I think it would be best to
ask Dennis to send out a company-wide memo after we make the changes,
reinforcing this point. I'll also put it into the new IT policy.
>>

Is static IP the old network and DHCP the new network??

Thanks


Re: Static IP Vs DHCP

on 01.03.2005 06:02:17 by roberson

In article <2f615901.0502282021.190cd447@posting.google.com>,
Takcal wrote:
:In order to use network resources they'll
:need a
:login and a password, so really the worst they can do is use the
:internet.

That 'worst' can be pretty bad...

What would be done if someone setup a file-trading system? If someone
decided to go hang around warez sites? If someone decided that it'd be
nice to have an IM chat and someone zapped them with a forced-download
trojan?

Unless you have good monitoring tools, dhcp + user laptops is a
recipe for network abuse, intentional or otherwise.

:You are right of course, its not a good idea to let people plug in
:their
:own machines without permission, so I think it would be best to ask
:Dennis
:to send out a company wide memo after we make the changes, reinforcing
:this
:point. I'll also put it into the new IT policy

Company-wide memos saying "It isn't good to plug in your home
laptop" are not very effective. If people -can- do so and
you don't have sufficient monitoring to catch them fairly quickly,
then people *will* do it... unless, that is, you are prepared to
make examples of people in a very public way.

If you want useful protection from user laptops in a dhcp
environment, then you need to implement one of the MAC-level security
solutions such as VMPS or 802.1x or simply configuring port-level
MAC security for every port.
--
"Meme" is self-referential; memes exist if and only if the "meme" meme
exists. "Meme" is thus logically a meta-meme; but until the existence
of meta-memes is more widely recognized, "meta-meme" is not a meme.
-- A Child's Garden Of Memes

Re: Static IP Vs DHCP

on 01.03.2005 14:31:31 by david20

In article , ibuprofin@painkiller.example.tld (Moe Trin) writes:
>In article <6sDUd.38997$k4.760649@news1.nokia.com>, Lassi Hippeläinen wrote:
>
>>wayne.taylor2@gmail.com wrote:
>
>>> DHCP is good for large companies as they do not have to keep a log of
>>> all IP addresses used,
>
>Thus, when someone does something stupid the company has no means of
>determining who. This is especially true if the non-techincal users have
>administrative rights to their computers and can install all the spyware
>they desire.
>

The DHCP servers can generally be configured to keep logs of which IP address
was given out to which machine (MAC address) at what time and when the address
was given up.

>>> it also gives flexibility when, let's say for example, you have 300 PCs
>>> in a Class C network
>
>Do all of those computers need to be reachable from the Internet? If not,
>why are you wasting valuable IP addresses? See RFC1918 - there are nearly
>nineteen million IP addresses available that you can use as you wish. Being
>non-routable over the Internet also increases security.
>

Whether these are private or public addresses has no bearing on whether or not
to use DHCP.
If you have a class C network then why not use it.
NAT is not a security solution see previous posts to this group.
NAT can cause problems with certain applications.

>>> but at any given time there are no more than 200 PCs active.
>
>Something wrong with the business model.
>

Pretty standard in large organisations.
Not everyone uses a PC all the time.


David Webb
Security team leader
CCSS
Middlesex University


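Picking up David Webb's point that a DHCP server can log which MAC held which address and when: the following is an added example, not code from any poster, that parses lease events written in the style of ISC dhcpd's syslog messages (DHCPACK / DHCPRELEASE) into a lease timeline and answers the question Moe Trin raised, "who had this IP at that time?". The log lines, host names and MAC addresses are constructed for the example, the timestamps carry a full date (real syslog lines do not) so they parse stand-alone, and the default lease length is an assumption; a real investigation would read the server's actual log or its leases file.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in the style of ISC dhcpd's syslog lines.
SAMPLE_LOG = """\
2005-02-28T09:00:00 dhcp1 dhcpd: DHCPACK on 192.168.1.50 to 00:0c:29:aa:bb:01 (pc-finance) via eth0
2005-02-28T11:00:00 dhcp1 dhcpd: DHCPACK on 192.168.1.50 to 00:0c:29:aa:bb:01 (pc-finance) via eth0
2005-02-28T12:30:00 dhcp1 dhcpd: DHCPRELEASE of 192.168.1.50 from 00:0c:29:aa:bb:01 (pc-finance) via eth0 (found)
2005-02-28T12:45:10 dhcp1 dhcpd: DHCPACK on 192.168.1.50 to 00:16:d3:cc:dd:02 via eth0
2005-02-28T13:00:00 dhcp1 dhcpd: DHCPACK on 192.168.1.51 to 00:0c:29:aa:bb:03 (pc-sales) via eth0
"""

ACK_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dhcpd: DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via"
)
REL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dhcpd: DHCPRELEASE of (?P<ip>\S+) from (?P<mac>[0-9a-fA-F:]{17})"
)


def parse_leases(log_text, lease_seconds=4 * 3600):
    """Build a lease timeline from DHCPACK/DHCPRELEASE lines.

    Each entry is a dict with ip, mac, host, start, end.  A renewal by the
    same MAC extends the entry; an ACK of the same IP to a different MAC
    closes the previous entry at that moment; a RELEASE closes it early.
    lease_seconds is an assumed default lease length (the server's
    max-lease-time in real life).
    """
    leases = []
    open_idx = {}  # ip -> index of the currently open lease for that ip
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            ip, mac = m["ip"], m["mac"].lower()
            cur = open_idx.get(ip)
            if cur is not None and leases[cur]["mac"] == mac:
                leases[cur]["end"] = ts + timedelta(seconds=lease_seconds)  # renewal
                continue
            if cur is not None:
                leases[cur]["end"] = min(leases[cur]["end"], ts)  # reassigned
            leases.append({"ip": ip, "mac": mac, "host": m["host"] or "",
                           "start": ts, "end": ts + timedelta(seconds=lease_seconds)})
            open_idx[ip] = len(leases) - 1
            continue
        m = REL_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            cur = open_idx.get(m["ip"])
            if cur is not None and leases[cur]["mac"] == m["mac"].lower():
                leases[cur]["end"] = ts
                del open_idx[m["ip"]]
    return leases


def who_had(leases, ip, when):
    """Return (mac, host) of the client holding ip at time 'when', else None.

    'when' may be a datetime or an ISO-8601 string.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= when < lease["end"]:
            return lease["mac"], lease["host"]
    return None


if __name__ == "__main__":
    timeline = parse_leases(SAMPLE_LOG)
    print(who_had(timeline, "192.168.1.50", "2005-02-28T10:15:00"))
```

The answer is only as good as the log retention and the clock on the DHCP server, and it stops at the MAC: turning that into a desk still needs the MAC-to-port lookup or the hardware inventory Moe Trin mentions.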
Re: Static IP Vs DHCP

on 01.03.2005 15:24:06 by lahippel.at.ieee.org

Moe Trin wrote:

> In article <6sDUd.38997$k4.760649@news1.nokia.com>, Lassi Hippeläinen
> wrote:
<...>
>>Only dedicated servers need stable IP addresses.
>
> You like to guess where the computer is that some luser installed the
> latest virus on - that is trashing your bandwidth?

That has nothing to do with static IP addresses. Even in DHCP networks the
machines have static link layer addresses that identify them.

>>But in real life, it really doesn't matter that much. IP addresses are
>>pretty permanent even in DHCP networks, because the hosts renew their
>>leases before they expire.
>
> Is that why microsoft developed the 'link-local' or 'zero-conf' service
> that allows the computer to grab some random address out of mid air?

I can't speak for MS, but they seem to be obsessed with some anonymity
issues. They pushed the stupid RFC3041 that changes the lower part of an
IPv6 addresses, as if it helped much.

Zero-conf or UPnP has value, though. When computer-illiterate home users are
plugging together computers and peripherals, they have a chance of getting
it all to work. MS recognises the importance of ease of use (it sells
better) even at the cost of less security (put the blame on "hackers").

-- Lassi

Re: Static IP Vs DHCP

on 01.03.2005 23:45:24 by ibuprofin

In article <2f615901.0502282021.190cd447@posting.google.com>, Takcal wrote:

>um....For the security , for now we control all of the ip adress , all
>of the users don't know their ip , subnet mask , dns ..... , but after
>we use the DHCP server , they can easy to go to our network if they bring
>their laptop and network cable without any permission .

1. Company wide policy: No non-company computers allowed.
2. Company wide mailing - advising users of this policy. See your company
legal advisor for requirements and details.
3. Big sign at every entrance to the building - warning that non-company
computers will be confiscated. Again, see your company legal advisor,
but here, the computers may be returned to the owner if there isn't
legal action taken. The computers will have the disks wiped in that case.

>This is the tradeoff unfortunately. I don't consider it a big threat.
>
>On the old network its true that they needed to know an IP address to
>get their computer working. However if they have access to a computer,
>they can just copy the settings from there, ping the network until they
>find a vacant IP address and then use that.

So, none of your computers have local firewalls and/or have disabled
ping responses?

Another story - the above happened to a friend. Some user decides to
set up their own laptop, and copies data from another. Doesn't really
understand all that technical stuff, and somehow chooses to use the IP
address of an old SunOS box that was the internal DNS server. Boots up,
and tries to use the network. In the mean time, the Sun box hears some
other box answering ARP requests for its address - goes off into the
corner and starts crying (and no longer answering DNS queries). This was
on a 10Base5 (thicknet) network. The admin spots the problem, but where
in a two hundred room office building is the interloper? Spent an hour
trying to find it. Meanwhile, the user is not able to get the new
computer working, but hasn't the brains to disconnect it - but merely
puts it on the back of his desk, where it's out of the way (and not very
visible). User then tries to get back to work using the company computer
and discovers that the internet is broken, and joins the growing crowd of
people in the hall ways all trying to ask the admin when is he going to
get the network fixed.

>On the new network getting an IP address will be easier for sure.
>However, on the new network, you don't really need to control the IP
>space quite so tightly, as there will be no mission critical servers on
>it -- they'll all be on a separate subnet. In order to use network
>resources they'll need a login and a password, so really the worst they
>can do is use the internet.

Not enough context here - so I don't know if the network in question is
recreational or what.

>Also, you'll have more IP addresses to play with, so you don't have to
>worry about them all getting used up.

Guessing this means the local network will use RFC1918 addresses.

>You are right of course, its not a good idea to let people plug in
>their own machines without permission, so I think it would be best to
>ask Dennis to send out a company wide memo after we make the changes,
>reinforcing this point. I'll also put it into the new IT policy

As noted above, it's probably a good idea to run this past your
company legal types as well.

Old guy
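
The failure mode in Moe Trin's story, a second machine answering ARP for the DNS server's address, is detectable from the wire. What follows is an added example, not code from the post, that takes a list of observed ARP replies (constructed here; on a live segment they would come from a sniffer or the switches' own logs) and a table of static infrastructure addresses with their expected MACs, and reports every address claimed by a MAC that should not have it. For a protected address a single wrong MAC is enough to alert, which covers the case where the real host has already given up and stopped answering; for everything else a conflict means two different MACs answering for one address.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on the segment: (time, sender IP, sender MAC).
ARP_REPLIES = [
    ("09:00:01", "192.168.1.2", "08:00:20:11:22:33"),   # the DNS box, as expected
    ("09:00:05", "192.168.1.77", "00:0c:29:aa:bb:01"),
    ("09:12:40", "192.168.1.2", "00:16:d3:cc:dd:02"),   # interloper answering for .2
    ("09:12:41", "192.168.1.2", "08:00:20:11:22:33"),
    ("09:13:00", "192.168.1.77", "00:0c:29:aa:bb:01"),
    ("09:15:00", "192.168.1.3", "00:16:d3:cc:dd:09"),   # .3's real owner is silent
]

# Assumed inventory of static infrastructure addresses and their real MACs.
STATIC_HOSTS = {
    "192.168.1.2": "08:00:20:11:22:33",
    "192.168.1.3": "08:00:20:44:55:66",
}


def find_arp_conflicts(replies, static_hosts):
    """Return {ip: finding} for every address answered by a MAC it should not have.

    finding = {"protected": bool, "macs": [...all MACs seen...],
               "rogue_macs": [...], "first_rogue_seen": time}
    """
    first_seen = defaultdict(dict)  # ip -> {mac: first time it answered}
    for ts, ip, mac in replies:
        first_seen[ip].setdefault(mac.lower(), ts)

    findings = {}
    for ip, macs in first_seen.items():
        expected = static_hosts.get(ip)
        if expected is not None:
            # Protected address: anything but the inventoried MAC is rogue,
            # even if the real host is no longer answering at all.
            rogue = sorted(m for m in macs if m != expected.lower())
        elif len(macs) > 1:
            # Unmanaged address: only a clash between two MACs is a finding.
            rogue = sorted(macs)
        else:
            continue
        if not rogue:
            continue
        findings[ip] = {
            "protected": expected is not None,
            "macs": sorted(macs),
            "rogue_macs": rogue,
            "first_rogue_seen": min(first_seen[ip][m] for m in rogue),
        }
    return findings


if __name__ == "__main__":
    for ip, f in find_arp_conflicts(ARP_REPLIES, STATIC_HOSTS).items():
        tag = "INFRASTRUCTURE" if f["protected"] else "workstation"
        print(f"{ip} ({tag}): rogue {f['rogue_macs']} first seen {f['first_rogue_seen']}")
```

The rogue MAC is the handle for the next step: the DHCP lease log (if the laptop asked for an address) or the switches' forwarding tables tell you which port it is on, which is the hour of hallway-walking the admin in the story lost.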

Re: Static IP Vs DHCP

on 01.03.2005 23:46:25 by ibuprofin

In article , david20@alpha2.mdx.ac.uk wrote:

>The DHCP servers can generally be configured to keep logs of which IP address
>was given out to which machine (MAC address) at what time and when the address
>was given up.

True, but

1. How many do?
2. How many people have a current database of which MAC is in which computer
and where is that computer? (We do, but we're paranoid.)

>Whether these are private or public addresses has no bearing on whether or not
>to use DHCP.

My point is that the abundance of private addresses eliminates the need for
address sharing/reuse. It's one of the justifications cited in RFC1918.

RFC1531 was written (and quickly replaced by RFC1541) to use BOOTP protocol
for dynamic allocation of reusable network addresses in October 1993. Private
addresses were first proposed in RFC1597 (March 1994), contested in RFC1627
in July 1994, and finally standardized in RFC1918 in February 1996. The DHCP
author was at Bucknell University (a small private school in Lewisburg PA),
though the Dynamic Host Configuration Working Group of the IETF had members
from much larger schools, and industry. Bucknell actually had a /16 assigned
to them in 1989, but only have about 4000 students and staff, so I'm not sure
why they would need reusable addresses. Prior to microsoft's invention of DHCP,
the majority of uses were re-use. In both RFC1541 and RFC2131 which replaced
it, section 7 clearly recognizes (and states that) the protocol is insecure.

>If you have a class C network then why not use it.

Actually, we have several, but we also have around 2000 systems. Their
access to the Internet is intentionally limited, but is mainly through
proxy servers. Most of the public IPs are used in the DMZ.

>NAT is not a security solution see previous posts to this group.

[compton ~]$ /sbin/ifconfig eth0 | grep inet | cut -d':' -f2 | cut -d' ' -f1
192.168.1.126
[compton ~]$

OK, I'll open telnet on this box. Can you connect? True, users doing
stupid things is a bigger problem, and we try to reduce it through the
use of proxy servers and whatnot. But one problem we _don't_ have is
skript kiddiez trying to hack their way in through the users systems.
NAT means they can't initiate a connection, because the NAT box won't
permit this.

>NAT can cause problems with certain applications.

If not implemented correctly, yes. And whose problem is that?

>Pretty standard in large organisations.
>Not everyone uses a PC all the time.

About the only systems not "in use" around here during the normal workday
are the systems used by people on vacation, out sick, etc., and the spares
in storage. Are they actively typing commands/data/whatever all the time?
I doubt it. Would productivity suffer if they all didn't have their
computers on their desk? Absolutely.

Old guy

Re: Static IP Vs DHCP

on 01.03.2005 23:56:33 by strap

xpyttl wrote:
> "Uli Link" wrote in message
> news:4222ec96$0$26540$9b4e6d93@newsread4.arcor-online.net...
>
>
>>Both are better than each other.
>
>
> Uli is exctly right.When people say "DHCP is better" or static IPs are
> better, they are speaking for THEIR particular situation, which is going to
> be different than your situation.
>
> Ever since businesses got onto this "activity based costing" fad, I/T
> departments have pretty much been forced to screw their users. The costs of
> anything I/T does to the user base is so diffuse that it's untrackable. But
> the costs to I/T are out there for all to see.
>
> This question is a little like that. In most cases, static IP's are pretty
> expensive to maintain compared to DHCP. In general, DHCP is a lot less
> functional and very confusing for users.

Less functional? There are many boot parameters that can ONLY be
configured via DHCP!

Re: Static IP Vs DHCP

on 02.03.2005 00:32:37 by ibuprofin

In article , Lassi Hippeläinen wrote
>Moe Trin wrote:

>> You like to guess where the computer is that some luser installed the
>> latest virus on - that is trashing your bandwidth?
>
>That has nothing to do with static IP addresses. Even in DHCP networks the
>machines have static link layer addresses that identify them.

That assumes you have a database that tells where each hardware address
is located. We do, but I'll bet we're unusual in that manner. On the
other hand, we're also using NIS, and a quick 'ypcat hosts | grep foo'
gives us the full data entry (with comments giving room number and user
name).

>> Is that why microsoft developed the 'link-local' or 'zero-conf' service
>> that allows the computer to grab some random address out of mid air?
>
>I can't speak for MS, but they seem to be obsessed with some anonymity
>issues.

link-local/zero-conf is a microsoft developed fallback for when the DHCP
server is so mis-configured that even windoze can't get an IP. See
http://www.ietf.org/internet-drafts/draft-ietf-zeroconf-ipv4-linklocal-17.txt
which is their (expired) 17th attempt at wiggling past the IETF.

>Zero-conf or UPnP has value, though. When computer-illiterate home users are
>plugging together computers and peripherals, they have a change in getting
>it all to work. MS recognises the importance of ease of use (it sells
>better) even at the cost of less security (put the blame on "hackers").

There is no doubt that microsoft knows how to sell it - but I find it rather
interesting that their total lack of competence in writing reasonable
software has spawned a moneymaking third party industry supplying
anti-malware tools and somewhat reliable firewalls that the ordinary home
user can use. It's also quite sad that a whole generation now expects
computers to crash randomly and thinks nothing of it. The little fiasco
in Southern California last September, where the FAA's radio network got
shut down because the application had been moved from Unix to windoze, and
now required rebooting every 30 days is a typical example (See comp.risks
Risks Digest 23.53 16 Sep 2004).

Old guy

Re: Static IP Vs DHCP

on 02.03.2005 00:38:41 by ibuprofin

In article <1129sp22jdqf2d5@news.supernews.com>, T. Sean Weintz wrote:

>xpyttl wrote:

>> This question is a little like that. In most cases, static IP's are pretty
>> expensive to maintain compared to DHCP. In general, DHCP is a lot less
>> functional and very confusing for users.
>
>Less functional? There are many boot parameters that can ONLY be
>configured via DHCP!

Such as? Remember, most of us are not running diskless workstations
any more.

Old guy

Re: Static IP Vs DHCP

on 02.03.2005 00:59:09 by strap

Moe Trin wrote:
> In article , david20@alpha2.mdx.ac.uk wrote:
>
>
>>The DHCP servers can generally be configured to keep logs of which IP address
>>was given out to which machine (MAC address) at what time and when the address
>>was given up.
>
>
> True, but
>
> 1. How many do?

I would hope most. Even if you don't log it, most of the time problems
are going to surface before the DHCP lease expires anyway, so you only
need to look at the DHCP database.

> 2. How many people have a current database of which MAC is in which computer
> and where is that computer? (We do, but we're paranoid.)

Don't need one. If you have the IP, you know what network it's on. How
many switches is one likely to have on one network? Should not be too
hard to query the switches and see what port that MAC address is plugged
into.

I have had to do steps one and two above several times in the last year.
In most cases I was able to nail down what port on what switch the
device was on in under 5 minutes. In most cases it was "consultants"
coming in and plugging in laptops.
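
The lookup strap describes, from the MAC in the DHCP record to the switch port it sits on, as an added example that is not any poster's code. On a real network the three tables below come from SNMP walks of BRIDGE-MIB (dot1dTpFdbPort, dot1dBasePortIfIndex) and IF-MIB (ifName); here they are constructed inline so the example runs offline, and the switch names, port names and MAC addresses are invented. The caveat worth building in is that the same MAC is learned on every uplink between the querying switch and the host, so a port carrying many MACs is treated as a trunk and skipped; what is left is the edge port.

```python
from collections import defaultdict

# Constructed stand-ins for SNMP walk results on two switches:
#   "fdb"    -> dot1dTpFdbPort:        learned MAC -> bridge port number
#   "bp2if"  -> dot1dBasePortIfIndex:  bridge port -> ifIndex
#   "ifname" -> IF-MIB ifName:         ifIndex -> interface name
SWITCHES = {
    "sw-core": {
        "fdb": {
            "00:16:d3:cc:dd:02": 24, "00:0c:29:aa:bb:01": 24, "00:0c:29:aa:bb:03": 24,
            "00:0c:29:aa:bb:09": 24, "00:1b:21:00:00:01": 1,
        },
        "bp2if": {1: 10101, 24: 10124},
        "ifname": {10101: "Gi1/0/1", 10124: "Gi1/0/24"},
    },
    "sw-floor2": {
        "fdb": {
            "00:16:d3:cc:dd:02": 7, "00:0c:29:aa:bb:01": 3, "00:0c:29:aa:bb:03": 5,
            "00:0c:29:aa:bb:09": 12, "00:1b:21:00:00:01": 24,
            "00:1b:21:00:00:02": 24, "00:1b:21:00:00:03": 24,
        },
        "bp2if": {3: 10003, 5: 10005, 7: 10007, 12: 10012, 24: 10024},
        "ifname": {10003: "Fa0/3", 10005: "Fa0/5", 10007: "Fa0/7",
                   10012: "Fa0/12", 10024: "Gi0/1"},
    },
}


def macs_per_port(switch):
    """Group a switch's forwarding table by bridge port."""
    per_port = defaultdict(set)
    for mac, bport in switch["fdb"].items():
        per_port[bport].add(mac.lower())
    return per_port


def port_name(switch, bport):
    """Translate a bridge port number to the human-readable interface name."""
    return switch["ifname"][switch["bp2if"][bport]]


def locate_mac(mac, switches, max_macs_on_edge=2):
    """Return [(switch, ifName, macs_on_port)] for edge ports where mac is learned.

    Ports with more than max_macs_on_edge learned MACs are assumed to be
    uplinks or trunks to other switches and are excluded.
    """
    mac = mac.lower()
    hits = []
    for name, sw in switches.items():
        for bport, macs in macs_per_port(sw).items():
            if mac in macs and len(macs) <= max_macs_on_edge:
                hits.append((name, port_name(sw, bport), len(macs)))
    return hits


def all_sightings(mac, switches):
    """Every (switch, ifName) where mac appears, uplinks included.

    Useful when locate_mac() finds nothing, e.g. the host hangs off a hub or
    an unmanaged switch and therefore shares its port with other MACs.
    """
    mac = mac.lower()
    return [(name, port_name(sw, bport))
            for name, sw in switches.items()
            for bport, macs in macs_per_port(sw).items() if mac in macs]


if __name__ == "__main__":
    print(locate_mac("00:16:d3:cc:dd:02", SWITCHES))
    print(all_sightings("00:16:d3:cc:dd:02", SWITCHES))
```

On a Cisco box the same data is what "show mac address-table address" prints; the SNMP form is what lets you script it across every switch on the network in the five minutes strap mentions.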

Re: Static IP Vs DHCP

on 02.03.2005 01:00:49 by Uli Link

Moe Trin wrote:

>>Less functional? There are many boot parameters that can ONLY be
>>configured via DHCP!
>
>
> Such as? Remember, most of us are not running diskless workstations
> any more.
>

Even worse: a few weeks ago I built an image for about 400 MS-DOS based
handheld WLAN scanners, using good ole Clarkson TE for tn3270 to the big
iron. It's using BOOTP and works great.
Now the customer wants DHCP, and they assign static IPs by MAC in their
database. Only they won't use another terminal emulator, and the Clarkson
is much older than DHCP :-)

--
Uli

These opinions are mine. All found typos are yours.

Re: Static IP Vs DHCP

on 02.03.2005 13:35:27 by david20

In article , ibuprofin@painkiller.example.tld (Moe Trin) writes:
>In article , david20@alpha2.mdx.ac.uk wrote:
>
>
>>NAT is not a security solution see previous posts to this group.
>
>[compton ~]$ /sbin/ifconfig eth0 | grep inet | cut -d':' -f2 | cut -d' ' -f1
>192.168.1.126
>[compton ~]$
>
>OK, I'll open telnet on this box. Can you connect? True, users doing
>stupid things is a bigger problem, and we try to reduce it through the
>use of proxy servers and whatnot. But one problem we _don't_ have is
>skript kiddiez trying to hack their way in through the users systems.
>NAT means they can't initiate a connection, because the NAT box won't
>permit this.
>

This is a side effect of NAT, not its purpose.
Also if you don't have a firewall then someone making an outgoing connection
may open up a hole for connections back to that machine see
the posting in this group by Walter Robinson in Dec 2003

http://groups-beta.google.com/group/comp.security.misc/msg/bb10b0a3b3f83bcc

If you want security then use the right tool - use a Firewall.

>>NAT can cause problems with certain applications.
>
>If not implemented correctly, yes. And whose problem is that?
>
Many applications, especially those written before NAT was widespread, embed
addresses in the data packets. Good NAT devices have to provide workarounds for
these problem applications.

See some of the posts by Melinda Shore in this group.


>>Pretty standard in large organisations.
>>Not everyone uses a PC all the time.
>
>About the only systems not "in use" around here during the normal workday
>are the systems used by people on vacation, out sick, etc., and the spares
>in storage. Are they actively typing commands/data/whatever all the time?
>I doubt it. Would productivity suffer if they all didn't have their
>computers on their desk? Absolutely.
>

Like everything else this depends very much on the company.
In some companies there are lots of people who just need to log on once a day
to check their email.


David Webb
Security team leader
CCSS
Middlesex University

> Old guy

Re: Static IP Vs DHCP

on 02.03.2005 18:23:25 by roberson

In article ,
Moe Trin wrote:
:>Pretty standard in large organisations.
:>Not everyone uses a PC all the time.

:About the only systems not "in use" around here during the normal workday
:are the systems used by people on vacation, out sick, etc., and the spares
:in storage.

We have about 5 times as many IPs in our records as we have hosts
that are active on our slowest days. On very active days, somewhere
between 1/3 to 1/2 of those IPs are used. Our ratio of hosts to
people exceeds 3:1.

Is this a "bad business model" ? Perhaps -- but we are perpetually
short of computers. Printers, copiers, fax machines, lab device
control systems, building control systems, switches, routers,
compute servers, file servers, firewalls, scanners, data stations
at the lab equipment so people can transfer their data or work on things
while they wait for experiments to finish... Networked devices add
up!!
--
I don't know if there's destiny,
but there's a decision! -- Wim Wenders (WoD)

Re: Static IP Vs DHCP

on 02.03.2005 22:40:43 by strap

Uli Link wrote:
> Moe Trin wrote:
>
>>> Less functional? There are many boot parameters that can ONLY be
>>> configured via DHCP!
>>
>>
>>
>> Such as? Remember, most of us are not running diskless workstations
>> any more.
>>
>
> Even worse: a few weeks ago I built an image for about 400 MS-DOS based
> handheld WLAN scanners. Using good ole Clarkson TE for tn3270 to the big
> iron. It's using BOOTP and works great.
> Now the customer wants DHCP, and they assign static IP by MAC in their
> database. Only they won't use another terminal emulator and the Clarkson
> is much older than DHCP :-)
>

Um, given that most dhcp servers can be set to honor bootp requests out
of the same database, what exactly is the problem? Assign the static IP
in the dhcp database as the customer wants it, and have the dhcp server
honor the bootp requests.

Re: Static IP Vs DHCP

on 02.03.2005 22:46:21 by strap

Moe Trin wrote:
> In article <1129sp22jdqf2d5@news.supernews.com>, T. Sean Weintz wrote:
>
>
>>xpyttl wrote:
>
>
>>>This question is a little like that. In most cases, static IP's are pretty
>>>expensive to maintain compared to DHCP. In general, DHCP is a lot less
>>>functional and very confusing for users.
>>
>>Less functional? There are many boot parameters that can ONLY be
>>configured via DHCP!
>
>
> Such as? Remember, most of us are not running diskless workstations
> any more.
>
> Old guy
>
All three of my last jobs used thin clients booting via ftp, ftp server
that the client used set by DHCP option.

2 of the three used PXE for network boot for loading workstation images
onto the hard disks via norton ghost. Again, all set up via dhcp options.

When doing a mass rollout of several hundred workstations, do you REALLY
want to hard code the addresses on several hundred DOS boot disks just
so you can load the image?

Even so, whether this functionality is used or not is not at issue -
you stated that DHCP had less functionality than static addresses.

So the question is, what can static addressing accomplish that DHCP cannot?

Re: Static IP Vs DHCP

on 02.03.2005 23:58:15 by Uli Link

T. Sean Weintz wrote:

>
> Um, given that most dhcp servers can be set to honor bootp requests out
> of the same database, what exactly is the problem? Assign the static IP
> in the dhcp database as the customer wants it, and have the dhcp server
> honor the bootp requests.
>

The Clarkson didn't receive the search domain. I verified Clarkson TE's
BOOTP client with Windows 2000, HP-UX and AIX and had no problems.

The problem is the DHCP server. They migrated from HP-UX to a wonderful?
Enterprise System. And its BOOTP support is buggy. Don't know, it's
another department in a very large company, and a strategic management
decision ;-)

They pay me for troubleshooting those old DOS devices, and it is max an
hour of work integrating FTP Software's TN. 8-)
The IP stack is already on the handheld for another app, a nice XML http
browser.

--
Uli

These opinions are mine. All found typos are yours.

Re: Static IP Vs DHCP

on 03.03.2005 00:03:14 by Uli Link

T. Sean Weintz wrote:
> So the question is, what can static addressing accomplish that DHCP cannot?

Booting even when the DHCP server is down?

O.k. usually central DHCP servers are well managed, monitored and
redundant machines, so it isn't any problem in the real world.

--
Uli

These opinions are mine. All found typos are yours.

Re: Static IP Vs DHCP

on 03.03.2005 01:33:52 by ibuprofin

In article <112a0eeos2obt8d@news.supernews.com>, T. Sean Weintz wrote:

>I have had to do steps one and two above several times in the last year.
>In most cases I was able to nail down what port on what switch the
>device was on in under 5 minutes. In most cases it was "consultants"
>coming in and plugging in laptops.

And people wonder why we get gray hair. For the past seven years,
there have been large and rather prominent signs at all entrances to
our buildings prohibiting non-company computers, and warning that they
will be confiscated if found. If a consultant is allowed to bring a
computer in (very rare), we require that the computer be passed to
security for inspection when coming in or out of the building. They
just pass the box to IT, who actually audits the box.

About a year after we started this, the CEO came to visit from the
other side of the country. Being a high mucky-muck, he manages to ignore
security, and had brought along his little laptop. He then decides to
check his e-mail... you can see where this is going, right? The system
that monitors the network sees this new box with a strange IP, and unknown
MAC address, and alarms. "Oh, crap - there's an intruder, and it's up on
the mahogany row net." Cue the thundering herd of sys-admins and guards
pounding down the halls - pandemonium. The really funny part is that you
_KNOW_ who had signed the policy about "visiting" computers.

Old guy

Re: Static IP Vs DHCP

on 03.03.2005 12:39:25 by david20

In article , ibuprofin@painkiller.example.tld (Moe Trin) writes:
>In article <112a0eeos2obt8d@news.supernews.com>, T. Sean Weintz wrote:
>
>>I have had to do steps one and two above several times in the last year.
>>In most cases I was able to nail down what port on what switch the
>>device was on in under 5 minutes. In most cases it was "consultants"
>>coming in and plugging in laptops.
>
>And people wonder why we get gray hair. For the past seven years,
>there have been large and rather prominent signs at all entrances to
>our buildings prohibiting non-company computers, and warning that they
>will be confiscated if found. If a consultant is allowed to bring a
>computer in (very rare), we require that the computer be passed to
>security for inspection when coming in or out of the building. They
>just pass the box to IT, who actually audits the box.
>

If only everybody could be in a position where it was possible to ban laptops.
In the UK the Government's Dearing report explicitly expected the Universities
to provide facilities to support the expectation that every student would be
required to have their own portable computer by 2005/2006.

Also, although not in any government report, there is a general expectation that
Universities should be providing some wireless access to their networks for
their students.


David Webb
Security team leader
CCSS
Middlesex University

>About a year after we started this, the CEO came to visit from the
>other side of the country. Being a high mucky-muck, he manages to ignore
>security, and had brought along his little laptop. He then decides to
>check his e-mail... you can see where this is going, right? The system
>that monitors the network sees this new box with a strange IP, and unknown
>MAC address, and alarms. "Oh, crap - there's an intruder, and it's up on
>the mahogany row net." Cue the thundering herd of sys-admins and guards
>pounding down the halls - pandemonium. The really funny part is that you
>_KNOW_ who had signed the policy about "visiting" computers.
>
> Old guy
>

Re: Static IP Vs DHCP

on 03.03.2005 17:08:57 by John

Uli Link wrote:
> Takcal wrote:
>
>> Did anyone teach me STATIC IP Vs DHCP in company network , which is
>> good ?
>
>
> Both are better than each other.
>

And so is bootp...

Re: Static IP Vs DHCP

on 03.03.2005 20:33:42 by strap

Uli Link wrote:
> T. Sean Weintz wrote:
>
>> So the question is, what can static addressing accomplish that DHCP
>> cannot?
>
>
> Booting even when the DHCP server is down?
>
> O.k. usually central DHCP servers are well managed, monitored and
> redundant machines, so it isn't any problem in the real world.
>

Even if the DHCP server is down, this often is not a problem. Depends on
how long the lease is set for. If the lease is set for, say, three days,
and the dhcp server goes down, most computers will still boot just fine,
using the DHCP lease they got last time the server was up, so long as
the three-day lease has not yet expired. They may boot more slowly as
they send renews to the server, which time out since it is down, but
they will still boot.
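The lease behaviour described above, as an added simulation that is not code from the thread: the client keeps its address through the renew (T1) and rebind (T2) phases while the server is unreachable and only loses it at expiry. The three-day lease, the outage window and the address are constructed; the 50% / 87.5% timers are the RFC 2131 defaults.

```python
"""Simulate how a DHCP client rides out a server outage on its existing lease.

Added illustration, not code from the thread. Timers follow the RFC 2131
defaults: renew (T1) at 50% of the lease, rebind (T2) at 87.5%, expiry at
100%. The three-day lease, the outage and the IP address are constructed.
"""
from dataclasses import dataclass

HOUR = 3600
LEASE_SECONDS = 3 * 24 * HOUR   # three-day lease, as in the post
IP = "192.168.1.50"             # constructed address handed out in the lease


@dataclass
class Lease:
    ip: str
    obtained_at: int            # when the DHCPACK arrived (seconds)
    duration: int = LEASE_SECONDS

    @property
    def t1(self): return self.obtained_at + self.duration // 2
    @property
    def t2(self): return self.obtained_at + self.duration * 7 // 8
    @property
    def expiry(self): return self.obtained_at + self.duration


def phase(lease, now):
    """Client state for an unexpired lease when no server answers."""
    if now < lease.t1:
        return "BOUND"        # nothing to do yet
    if now < lease.t2:
        return "RENEWING"     # unicast renews time out; address still valid
    return "REBINDING"        # broadcast renews time out; address still valid


def simulate(boot_times, outage, lease_seconds=LEASE_SECONDS):
    """Boot one client at each time in boot_times (seconds). outage is the
    (start, end) interval during which the server is down.
    Returns [(boot_time, state, ip_or_None)]."""
    lease, events = None, []
    for t in boot_times:
        server_up = not (outage[0] <= t < outage[1])
        if lease is None or t >= lease.expiry:
            # No usable lease: must DISCOVER, which only works if the server answers.
            if server_up:
                lease = Lease(IP, t, lease_seconds)
                events.append((t, "BOUND", IP))
            else:
                events.append((t, "INIT", None))   # the only boot that ends without an address
        elif server_up and t >= lease.t1:
            lease = Lease(IP, t, lease_seconds)    # renewal succeeds; lease clock restarts
            events.append((t, "BOUND", IP))
        else:
            events.append((t, phase(lease, t), lease.ip))  # slower boot, same address
    return events
```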

Re: Static IP Vs DHCP

on 04.03.2005 03:11:34 by ibuprofin

In article , david20@alpha1.mdx.ac.uk wrote:

>If only everybody could be in a position where it was possible to ban laptops.

I'm not at a university, but work at a facility that does a lot of accounting
for the corporation as well as its primary function as an R&D site. Both
functions demand a lot tighter control on visitors.

>In the UK the Government's Dearing report explicitly expected the
>Universities to provide facilities to support the expectation that every
>student would be required to have their own portable computer by 2005/2006.

Yeah, it used to be nice when all you had to worry about was the students
using floppies that were pre-stuffed with viruses and what not. Still, you
can gain limited improvements in security by requiring registration of the
student hardware, and then fix your DHCP server to hand out RFC1918 IPs
based on the MAC. It's certainly not foolproof, especially if you have CS
students, but it's better than nothing. If they really need "Internet"
access (as opposed to just access to the university's internal net), you
can use proxy servers. Our firewall already re-routes all internal access
to proxy servers.

>Also although not in any government report there is a general expectation
>that Universities should be providing some wireless access to their
>networks for their students.

Oh, joy. We have enough difficulties with people with cell phones.

Old guy
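An added example, not code from the thread, that ties together two points made above: the monitor that alarms on an unknown MAC (the CEO's laptop story) and registering hardware so the DHCP server pins each known MAC to an RFC 1918 address. The registry and the dhcpd-style log lines are constructed; `host`, `hardware ethernet`, `fixed-address` and `deny unknown-clients` are real ISC dhcpd statements.

```python
"""Flag DHCP clients whose MAC is not in the hardware registry, and render
the reservations that would pin the registered ones.

Added example, not code from the thread. REGISTRY and LOG are constructed;
the log format follows ISC dhcpd's syslog "DHCPACK on <ip> to <mac>" lines.
"""
import re

# Constructed registry: MAC -> (owner, reserved RFC 1918 address)
REGISTRY = {
    "00:11:22:33:44:55": ("alice", "10.20.0.11"),
    "00:11:22:33:44:66": ("bob", "10.20.0.12"),
}

# Constructed dhcpd syslog excerpt; the third ACK is the unregistered visitor
LOG = """\
Mar  3 09:01:12 dhcp1 dhcpd: DHCPACK on 10.20.0.11 to 00:11:22:33:44:55 (alice-pc) via eth1
Mar  3 09:02:40 dhcp1 dhcpd: DHCPACK on 10.20.0.12 to 00:11:22:33:44:66 (bob-pc) via eth1
Mar  3 09:05:03 dhcp1 dhcpd: DHCPACK on 10.20.0.77 to 00:DE:AD:BE:EF:01 (visitor-laptop) via eth1
Mar  3 09:05:09 dhcp1 dhcpd: DHCPDISCOVER from 00:de:ad:be:ef:02 via eth1
"""

# Only completed leases (ACKs) matter: DISCOVERs from unknown MACs are noise
ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((\S+)\))?", re.I)


def unregistered_clients(log, registry):
    """Return [(ip, mac, hostname)] for ACKed clients whose MAC is unknown."""
    hits = []
    for line in log.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        ip, mac, name = m.group(1), m.group(2).lower(), m.group(3) or "?"
        if mac not in registry:          # this is what the monitor alarms on
            hits.append((ip, mac, name))
    return hits


def render_dhcpd_config(registry, deny_unknown=True):
    """ISC dhcpd fragment: one host stanza per registered MAC, plus the
    switch that refuses to lease anything to a MAC without a stanza."""
    lines = ["deny unknown-clients;"] if deny_unknown else []
    for mac, (owner, ip) in sorted(registry.items()):
        lines.append(f"host {owner} {{ hardware ethernet {mac}; fixed-address {ip}; }}")
    return "\n".join(lines)
```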

Re: Static IP Vs DHCP

on 04.03.2005 03:12:25 by ibuprofin

In article , Walter Roberson wrote:

>Our ratio of hosts to people exceeds 3:1.

You are at NRC - that's not unreasonable. We're closer to 2.5:1 in the
R&D area. There are two systems on my desk, and another on the table next
to that, but the secretary only has one as does the department head. On
the other hand, the accounting section is very much closer to 1:1.

Old guy

Re: Static IP Vs DHCP

on 04.03.2005 03:14:19 by ibuprofin

In article <112cd1emtsves33@news.supernews.com>, T. Sean Weintz wrote:

>Moe Trin wrote:
>> In article <1129sp22jdqf2d5@news.supernews.com>, T. Sean Weintz wrote:


>>>Less functional? There are many boot parameters that can ONLY be
>>>configured via DHCP!
>>
>>
>> Such as? Remember, most of us are not running diskless workstations
>> any more.

The question I was asking is what are these magical boot parameters that
can ONLY be configured via DHCP.

>All three of my last jobs used thin clients

That's fine.

>When doing a mass rollout of several hundred workstation, do you REALLY
>want to hard code the addresses on several hundred DOS boot disks just
>so you can load the image?

First, I'm not using DOS (or windoze), so we really do install all the
software ourselves. Not a big deal - the systems are set up on a maintenance
network, by booting to a floppy, then running a network application that
copies a generic image from a server. When done, we then go in and set
the network parameters (hostname, address, network mask, gateway IP,
nameservers, and NIS domain). The system is then rebooted, and the
BIOS is set to boot from the hard disk. For _most_ of the systems, that
reboot is when we also physically remove the floppy drive, and then
install a mechanical security lock on the case.

>Even so, whether this functionality is used or not is not at issue -
>you stated that DHCP had less functionality than static addresses.

No, _I_ didn't. I want to know what it is that cannot be manually
configured, but can "ONLY" be configured by DHCP.

>So the question is, what can static addressing accomplish that DHCP cannot?

Other way round. What can DHCP accomplish that static cannot? In case you
haven't noticed, we don't allow our hosts to go walkies, and we certainly
don't allow our users to muck about with the system files.

Old guy