IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
networks which implement an Internet access. Attention must be paid to
aspects of data privacy law and the right of co-determination.
At present it is not yet possible to deactivate lease time in the Netware 4.x
DHCP server. It is therefore recommended to set it to the maximum value of
10,000 days and 23 hours.
Exclusion of specific network nodes from address assignment
The assignment of an IP address can be prevented for certain network nodes.
To do this, the same steps have to be carried out under the EXCLUDED
NODES menu item as described for the static assignment of IP addresses.
This has the effect that certain programs based on TCP/IP cannot be invoked
from those workstations. This "block" is easy to infiltrate, however, by
assigning an IP address manually to the "blocked" network node (provided the
TCP/IP protocol stack has been loaded on that node). As soon as a free IP
address is found in the course of manual assignment, communication is just as
possible with this computer via TCP/IP as with nodes which have received
their IP addresses from the DHCP server. The method of excluding network
nodes from the assignment of an IP address using EXCLUDED NODES
therefore offers only a relative degree of security.
In addition, blocking MAC addresses for assignment by the DHCP server can
also be used to control load balancing in networks with several DHCP servers.
It is also possible to prevent nodes which have their own DHCP server in their
segment from requesting an IP address from a DHCP server located in another
segment. It should be borne in mind that in this case in the event of failure of
the local DHCP server no IP address can be assigned to local clients. Use of
the EXCLUDED NODES option therefore calls for careful planning.
DHCP service in routed networks
An intermediate router located between the segment of the DHCP client and
the segment of the DHCP server may in some cases suppress the DHCP
request. Routers which are RFC 1542-compatible have an agent known as the
DHCP/BOOTP relay agent. This agent ensures that DHCP relay packets are
routed further as required. In the case of routers that are not RFC 1542compatible,
separate DHCP servers must be defined in every network
segment. An IP address is then assigned by the DHCP server in the same way
as in non-routed networks. Forwarding of the DHCP relay packets does not
mean, however, that all broadcast packets are automatically forwarded.
"Normal" broadcast data packets are still filtered out by the router.
Use of multiple DHCP servers in networks
In networks of a sufficient size, in certain circumstances it may be appropriate
to work with multiple DHCP servers. In some operating systems the
administration of 10,000 IP addresses per DHCP server is considered to be the
upper load limit. This figure can be exceeded by the Netware DHCP server
many times over. In addition, when considering how many DHCP servers are
required in the network, account should be taken of the positions of the
routers.
Irrespective of the structure of the IP network, whenever multiple DHCP
servers are used it is essential to prevent two (or more) network nodes that are
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000