IT Baseline Protection Manual S 4.103 DHCP server under Novell Netware 4.x

S 4.103 DHCP server under Novell Netware 4.x

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

Setting up TCP/IP protocols involves considerable effort if the IP address, the subnetwork mask, the default gateway etc. have to be assigned manually for each workstation. If it is intended to change only the default gateway entry in a particular segment, for example, this requires a great deal of work and also increases the risk of incorrect inputs being made. These tasks can be centralised and automated through the use of a DHCP (Dynamic Host Configuration Protocol) server.

In order to ensure reliable handling of the DHCP server from Novell Netware 4.x, it is necessary to know the structure of the TCP/IP network whose addresses are to be administered with the aid of the DHCP server. The important features here, apart from the address class (TCP/IP network class A - C), are also the subnet masks that are used and the addresses of the default gateways, so as to allow cross-segment data traffic on the basis of TCP/IP.

The following sections examine certain aspects relating to the configuration of the DHCP service under Novell Netware 4.x that are of particular relevance to the security of the system as a whole.

Configuration of TCP/IP segments

The TCP/IP segments that are to be managed by the server are defined using the SUBNETWORK PROFILE option. Values such as the subnetwork name, address range and type of assignment are read out automatically from the configuration menu of the DHCP server when it is started up. If the DHCP server is supposed to take care of several IP segments, it is advisable to delete the values that are read in automatically and to replace them with "meaningful", manually configured values. For example, if "3CX9_1_EII" is read out as the subnetwork name, troubleshooting and subsequent configuration work on that segment are easier if this entry is replaced manually by one that describes the segment better, such as the name "EthernetII". It is also possible to use other descriptive naming conventions, for example ones that designate a segment according to its topological arrangement (Building A, 2nd floor or Management).

Automatic assignment of IP addresses

One of the key services of the DHCP server is the automatic assignment of IP addresses. The AUTOMATIC IP ADDRESS ASSIGNMENT parameter identifies the address range from which the DHCP server dynamically distributes the addresses to the network nodes that request an address. This range should be chosen such that the addresses for servers, printers and routers are not included within the range of dynamic allocation. The general rule is that servers, printers, routers and the network nodes with dynamic address assignment should be assigned clearly distinguishable IP address ranges. This ensures that it is obvious from the address range alone which type a network node belongs to, if problems arise in the IP area.

Static assignment of IP addresses

For certain components in the network it is advisable to link the required IP address permanently to the MAC (Medium Access Control) address of the network node by means of static address assignment. Such components include network printers and routers, for example. The advantage of static assignment by a DHCP server in comparison with local manual configuration at the network node is the ability to carry out central administration of the assignments with the DHCP server configuration tool. Although static assignment of their IP address is also mandatory for servers, these addresses are not assigned via the DHCP server. The IP addresses of Netware servers are always assigned manually.

Configuration of the static address assignments is carried out with the IP ADDRESS ASSIGNMENT option. The node is added to the menu using any required name, and the IP address is linked directly to the network card (MAC address) of the node. When choosing the name, Novell recommends using the login name of the user who works at that workstation.

Lease time

The lease time determines how long a network node that dynamically receives its TCP/IP address from the DHCP server may retain that address. The IP address is assigned when the network node boots. A period of at least 24 hours should be chosen for the lease time, because otherwise the following problems may occur:

It is necessary to designate a lease time when using DHCP servers if a network contains more nodes than there are IP addresses available. Through the use of an appropriately chosen lease time, an IP address that has become free because the node no longer needs it (the PC has been switched off) can be assigned to a different node that requests an address from the DHCP server. In networks that have at least as many IP addresses available as there are nodes installed, the configuration of a lease time can be dispensed with. For some time it has been possible to work in LANs with "private" IP addresses (see RFC 1597), so the problem of having more nodes than IP addresses can be avoided. The assignment of private IP addresses according to these specifications may be advisable for auditing reasons, for example in networks with Internet access. Attention must be paid to aspects of data privacy law and the right of co-determination.

At present it is not yet possible to deactivate lease time in the Netware 4.x DHCP server. It is therefore recommended to set it to the maximum value of 10,000 days and 23 hours.

Exclusion of specific network nodes from address assignment

The assignment of an IP address can be prevented for certain network nodes. To do this, the same steps have to be carried out under the EXCLUDED NODES menu item as described for the static assignment of IP addresses. This has the effect that TCP/IP-based programs cannot be used from those workstations. This "block" is easy to circumvent, however, by assigning an IP address manually to the "blocked" network node (provided the TCP/IP protocol stack has been loaded on that node). As soon as a free IP address is found in the course of manual assignment, communication with this computer via TCP/IP is just as possible as with nodes which have received their IP addresses from the DHCP server. The method of excluding network nodes from the assignment of an IP address using EXCLUDED NODES therefore offers only a relative degree of security.

In addition, blocking MAC addresses from assignment by the DHCP server can also be used to control load balancing in networks with several DHCP servers. It is also possible to prevent nodes which have their own DHCP server in their segment from requesting an IP address from a DHCP server located in another segment. It should be borne in mind, however, that in this case no IP address can be assigned to local clients if the local DHCP server fails. Use of the EXCLUDED NODES option therefore calls for careful planning.

DHCP service in routed networks

An intermediate router located between the segment of the DHCP client and the segment of the DHCP server may in some cases suppress the DHCP request, which is sent as a broadcast. Routers which are RFC 1542-compatible have an agent known as the DHCP/BOOTP relay agent. This agent ensures that DHCP relay packets are forwarded as required. In the case of routers that are not RFC 1542-compatible, separate DHCP servers must be defined in every network segment. An IP address is then assigned by the DHCP server in the same way as in non-routed networks. Forwarding of the DHCP relay packets does not mean, however, that all broadcast packets are automatically forwarded. "Normal" broadcast data packets are still filtered out by the router.
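The relay behaviour described above, as an added example that is not part of the BSI text and not code from Novell or any router vendor: it builds a DHCPDISCOVER packet, applies the giaddr/hops handling of an RFC 1542 relay agent, and shows how a server on the far side of the router uses giaddr to pick the right segment. The addresses, the MAC address, the transaction id and the scope table (standing in for the SUBNETWORK PROFILE entries) are constructed values; the Netware DHCPTAB format is not modelled.

```python
"""Model of RFC 1542 relay handling for a DHCP DISCOVER crossing a router.

Added example (not from the BSI manual or any product). All addresses and
the scope table below are constructed; the relay and server logic is a
minimal model of the giaddr/hops fields defined in RFC 1542 and RFC 2131.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST = 1

# Constructed stand-in for the SUBNETWORK PROFILE entries: subnet -> name.
SCOPES = {"192.168.10.0/24": "EthernetII", "192.168.20.0/24": "BuildingA_2ndFloor"}


def build_discover(client_mac, xid):
    """Build the 236-byte BOOTP header plus a DHCPDISCOVER option (53 = 1)."""
    hw = bytes.fromhex(client_mac.replace(":", ""))
    chaddr = hw.ljust(16, b"\x00")
    zero_ip = b"\x00" * 4
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREQUEST, 1, 6, 0,                 # op, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,                       # xid, secs, flags (broadcast bit)
        zero_ip, zero_ip, zero_ip, zero_ip,   # ciaddr, yiaddr, siaddr, giaddr
        chaddr, b"\x00" * 64, b"\x00" * 128,  # chaddr, sname, file
    )
    options = MAGIC_COOKIE + bytes([53, 1, 1]) + b"\xff"
    return header + options


def parse_fields(pkt):
    """Return (hops, xid, giaddr) from a BOOTP/DHCP packet."""
    hops = pkt[3]
    xid = struct.unpack("!I", pkt[4:8])[0]
    giaddr = str(ipaddress.IPv4Address(bytes(pkt[24:28])))
    return hops, xid, giaddr


def relay(pkt, relay_if_addr, max_hops=4):
    """What an RFC 1542 relay agent does before forwarding a request.

    giaddr is set only if it is still zero (i.e. by the first relay on the
    path), hops is incremented, and a request that has already crossed
    max_hops relays is discarded instead of being forwarded.
    """
    hops = pkt[3]
    if hops >= max_hops:
        return None
    out = bytearray(pkt)
    out[3] = hops + 1
    if out[24:28] == b"\x00\x00\x00\x00":
        out[24:28] = ipaddress.IPv4Address(relay_if_addr).packed
    return bytes(out)


def select_scope(pkt, scopes, server_if_addr):
    """Server-side scope selection: a non-zero giaddr names the client's segment.

    With giaddr zero the request arrived directly, so the client sits on the
    segment of the server interface that received it.
    """
    _, _, giaddr = parse_fields(pkt)
    origin = ipaddress.ip_address(server_if_addr if giaddr == "0.0.0.0" else giaddr)
    for net, name in scopes.items():
        if origin in ipaddress.ip_network(net):
            return name
    return None


if __name__ == "__main__":
    discover = build_discover("00:00:1b:aa:00:01", 0x3903F326)
    forwarded = relay(discover, "192.168.20.1")   # router interface in client's segment
    print(parse_fields(discover), "->", select_scope(discover, SCOPES, "192.168.10.5"))
    print(parse_fields(forwarded), "->", select_scope(forwarded, SCOPES, "192.168.10.5"))
```

The model only covers the two fields that decide routing of the request; a real relay additionally forwards only UDP port 67/68 traffic, which is why ordinary broadcasts are still stopped at the router as the text notes.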

Use of multiple DHCP servers in networks

In networks of a sufficient size, in certain circumstances it may be appropriate to work with multiple DHCP servers. In some operating systems the administration of 10,000 IP addresses per DHCP server is considered to be the upper load limit. This figure can be exceeded by the Netware DHCP server many times over. In addition, when considering how many DHCP servers are required in the network, account should be taken of the positions of the routers.

Irrespective of the structure of the IP network, whenever multiple DHCP servers are used it is essential to prevent two (or more) network nodes that are "supplied" by different DHCP servers from being assigned the same IP address. This risk arises if every DHCP server in the network (or in the segment) administers the entire IP range that was set up for dynamic assignment, because the DHCP servers are not synchronised with each other under Netware 4.x. Each individual DHCP server stores its configuration data in a separate DHCPTAB file. As this file is not part of NDS under Netware 4.x, it is neither distributed to other servers by the NDS replication mechanisms nor compared with other DHCPTAB files. If multiple DHCP servers are used, therefore, each server should be assigned its own IP address range which it administers exclusively.
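The planning rules from the sections on automatic and static assignment, on excluded nodes and on multiple DHCP servers can be checked mechanically. The following is an added example, not BSI text and not Novell code: it validates a constructed address plan (dynamic pools separated from servers, gateway and reservations; no overlap between the pools of two DHCP servers) and then audits a constructed list of nodes seen on the wire against the leases and reservations, which flags nodes that have been given an address manually, the situation in which the EXCLUDED NODES "block" no longer holds. The dictionary layout of the plan is an assumption; it is not the DHCPTAB file format, which the example does not parse.

```python
"""Consistency checks for a DHCP address plan plus an audit of observed nodes.

Added example (not from the BSI manual or Novell). The plan, leases and
observed hosts are constructed; the plan layout is an assumption and has
nothing to do with the DHCPTAB format.
"""
import ipaddress

# Constructed plan: one /24 segment served by two DHCP servers.
PLAN = {
    "subnet": "192.168.10.0/24",
    "default_gateway": "192.168.10.1",
    # Netware servers always get their address manually, never from DHCP.
    "servers": {"nw-fs1": "192.168.10.2", "nw-fs2": "192.168.10.3"},
    # AUTOMATIC IP ADDRESS ASSIGNMENT: one pool per DHCP server, used exclusively.
    "pools": {
        "dhcp-a": ("192.168.10.100", "192.168.10.149"),
        "dhcp-b": ("192.168.10.150", "192.168.10.199"),
    },
    # IP ADDRESS ASSIGNMENT (static): MAC -> (node name, address).
    "reservations": {
        "00:00:1b:aa:00:01": ("prn-2ndfloor", "192.168.10.20"),
        "00:00:1b:aa:00:02": ("rtr-bldgA", "192.168.10.1"),
    },
    # EXCLUDED NODES: MACs that receive no address from DHCP.
    "excluded": {"00:00:1b:ee:00:09"},
}


def pool_bounds(pool):
    first, last = pool
    return ipaddress.ip_address(first), ipaddress.ip_address(last)


def in_pool(ip, pool):
    lo, hi = pool_bounds(pool)
    return lo <= ipaddress.ip_address(ip) <= hi


def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    net = ipaddress.ip_network(plan["subnet"])
    pools = {name: pool_bounds(p) for name, p in plan["pools"].items()}

    # 1. every dynamic pool must be a valid range inside the segment
    for name, (lo, hi) in pools.items():
        if lo not in net or hi not in net or lo > hi:
            findings.append(f"pool {name} {lo}-{hi} is not a valid range in {net}")

    # 2. pools of different servers must not overlap (no DHCPTAB synchronisation)
    names = sorted(pools)
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if pools[x][0] <= pools[y][1] and pools[y][0] <= pools[x][1]:
                findings.append(f"pools {x} and {y} overlap")

    # 3. gateway, manually addressed servers and static reservations must lie
    #    outside every dynamic pool, so the address alone reveals the node type
    fixed = {plan["default_gateway"]: "default gateway"}
    fixed.update({ip: f"server {n}" for n, ip in plan["servers"].items()})
    fixed.update({ip: f"reservation {n}" for n, ip in plan["reservations"].values()})
    for ip, what in fixed.items():
        for name, pool in plan["pools"].items():
            if in_pool(ip, pool):
                findings.append(f"{what} {ip} lies inside dynamic pool {name}")

    # 4. a MAC address cannot be both reserved and excluded
    for mac in plan["excluded"] & set(plan["reservations"]):
        findings.append(f"MAC {mac} is both reserved and excluded")
    return findings


def audit_observed(plan, observed, leases):
    """Flag nodes whose address was not handed out by DHCP.

    `observed` maps MAC -> IP as seen in ARP or router tables, `leases` maps
    MAC -> IP currently leased.  A node whose address is neither leased nor
    reserved for it (and is not a manually addressed server or the gateway)
    has been configured by hand, which is how an EXCLUDED NODES entry is
    sidestepped; an excluded MAC showing up this way is the case to look at.
    """
    flagged = []
    known_manual = set(plan["servers"].values()) | {plan["default_gateway"]}
    for mac, ip in observed.items():
        reserved_ip = plan["reservations"].get(mac, (None, None))[1]
        if ip == reserved_ip or leases.get(mac) == ip or ip in known_manual:
            continue
        reason = "excluded node" if mac in plan["excluded"] else "unknown node"
        flagged.append((mac, ip, f"{reason} with manually configured address"))
    return flagged


if __name__ == "__main__":
    print("plan findings:", check_plan(PLAN))
    observed = {"00:00:1b:cc:00:05": "192.168.10.101", "00:00:1b:ee:00:09": "192.168.10.77"}
    print("audit:", audit_observed(PLAN, observed, {"00:00:1b:cc:00:05": "192.168.10.101"}))
```

Running the plan check against each server's configuration before it goes live catches the overlap and pool-placement mistakes the text warns about; the audit is a periodic comparison that shows where the exclusion list is being worked around, so the affected nodes can be dealt with by other means.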


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999