Great Circle Associates Firewalls
(July 1996)
 


Subject: RE: Help me (DHCP) Dynamic host configuration protocol
From: Russ <Russ . Cooper @ RC . Toronto . on . ca>
Date: Sat, 6 Jul 1996 12:14:25 -0400
To: "Firewalls @ greatcircle . com" <Firewalls @ greatcircle . com>

Uh, well, sorry to correct you Sameer, but...

DHCP is an extension of BOOTP, and it is designed to dynamically assign IP 
configuration information to a device. A device using DHCP sends out a 
broadcast looking for a DHCP server, the DHCP server responds with an IP 
address, subnet mask, domain name, etc... see RFC 1533, 1534, 1541, and 
1542.

DHCP is initiated using a UDP broadcast, so it's not possible to force a 
particular DHCP server to respond. If the DHCP server is on the same 
segment as the client that does the broadcast, it is eligible to respond. 
Cisco and other router vendors have ways to get DHCP broadcast requests 
across segments to a specific subnet or even a specific DHCP server, but 
because DHCP is broadcast based, this function is normally turned off on 
router segments exposed to the Internet.

There is normally no mechanism in clients for DHCP servers to force an 
update to the information the clients have previously received, and once 
the request broadcast has been responded to, the client has no listening port 
running for DHCP, so it's as secure as a static configuration (assuming the 
client hasn't had the DHCP request code modified). A "lease" parameter 
tells the client how long it may have the IP configuration for. At the 
first boot after the lease has expired, the client will automatically do a 
DHCP request again, possibly getting a different address than before.

Although I'm not sure what you mean by security level, DHCP is normally 
contained to your own segment, so unless your Internet router is forwarding 
DHCP broadcasts (or all broadcasts) to the Internet the security risks are 
within your site.

The question about whether or not you need a Firewall is a basic security 
question: do you have anything that needs to be protected? If you were 
setting up a lab of machines to surf the net, and they were separated from 
your in-house LANs, you might not need a Firewall at all if you consider 
them sacrificial. If, on the other hand, your question is about IP address 
translation, then yes, you would still need something to hide the IP 
addresses of your machines. DHCP itself does not provide a way to hide IP 
addresses, so you will have to give them Internet routable IP addresses 
(RFC 1918) if you want them to get to the Internet.

Hope that makes things a little clearer for you.

Cheers,
Russ
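
Added example, not part of the original message: a Python parser for the DHCP reply format the post describes (offered address, subnet mask, domain name, lease, responding server), which also reports whether a relay forwarded the message off-segment via the `giaddr` field. The function names and the sample packet are constructed for illustration; option codes are those of RFC 1533.

```python
import socket
import struct

MAGIC = bytes([99, 130, 83, 99])  # magic cookie that precedes the DHCP options
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
         5: "ACK", 6: "NAK", 7: "RELEASE"}
# option code -> (field name, required length or None, decoder)
OPTIONS = {
    1: ("subnet_mask", 4, socket.inet_ntoa),
    15: ("domain", None, lambda d: d.decode("ascii", "replace")),
    51: ("lease_seconds", 4, lambda d: int.from_bytes(d, "big")),
    53: ("type", 1, lambda d: TYPES.get(d[0], "UNKNOWN")),
    54: ("server_id", 4, socket.inet_ntoa),
}

def parse_dhcp(payload):
    """Decode the UDP payload of a BOOTP/DHCP message into a dict."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    msg = {"op": op, "xid": xid, "hops": hops, "broadcast": bool(flags & 0x8000),
           "yiaddr": socket.inet_ntoa(payload[16:20]),   # address offered to the client
           "giaddr": socket.inet_ntoa(payload[24:28])}   # set by a relay, else 0.0.0.0
    msg["relayed"] = msg["giaddr"] != "0.0.0.0"
    i = 240
    while i < len(payload) and payload[i] != 255:        # 255 = end option
        if payload[i] == 0:                              # pad option: no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        name, want, decode = OPTIONS.get(code, (None, None, None))
        if name and want in (None, length):
            msg[name] = decode(data)
        i += 2 + length
    return msg

def sample_offer():
    """Constructed DHCPOFFER using documentation addresses, not captured traffic."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234ABCD, 0, 0x8000)
    hdr += b"".join(map(socket.inet_aton, ("0.0.0.0", "192.0.2.50", "192.0.2.1", "0.0.0.0")))
    hdr += bytes.fromhex("020000000001").ljust(16, b"\0") + bytes(192)
    opts = bytes([53, 1, 2, 54, 4]) + socket.inet_aton("192.0.2.1")
    opts += bytes([51, 4]) + struct.pack("!I", 86400)
    opts += bytes([1, 4]) + socket.inet_aton("255.255.255.0")
    opts += bytes([15, 12]) + b"example.test" + bytes([0, 255])
    return hdr + MAGIC + opts
```

Run against captured UDP port 67/68 payloads, a `relayed` value of True on a segment facing the Internet indicates the broadcast forwarding the message says is normally turned off.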
