It has been suggested that our office change to DHCP; I would like the forum's opinion on this. What are the advantages to this? I've heard DHCP is faster and more secure. Is this true? What are the pros and cons of DHCP vs static IP addresses?
In my opinion DHCP is less secure as anyone can plug into your network and be assigned an IP address automatically.
DHCP Pros: Easy to administer, easy to change the IP addressing schema on the fly, 'plug n play'
DHCP Cons: Less secure, less control, more overhead (broadcast) traffic on your network
Static IP is of course the complete opposite of DHCP in terms of pros/cons but it really loses its edge to DHCP on a LAN with a very large number of users.
DHCP is by far the better choice as soon as you have more than a few stations.
Static entries should be for servers and communication devices. DHCP for workstations and printers is best.
Is DHCP more secure than static? I don't think it is better or worse. With static, the IP is given to only one station. You can do that with DHCP too. You can configure it to give IPs to only recognized devices. The advantage of DHCP is in managing your resources (IP addresses, IP of your proxy, DNS, WINS servers, etc.) and managing change.
It is a lot easier to change the DNS server in your DHCP database, than to remote connect or sneakernet hundreds of PCs.
I'm sorry to say I disagree with KiscoKid. Static is not more secure than DHCP. The broadcast traffic occurs only at the opening of one's station. Which means early in the morning when nothing much else is running on your network anyways. Less control, gosh no, more control with DHCP in my view.
I don't know of any reason not to go to DHCP unless you don't have a server on site (But then again, it can be arranged to get the address offsite) or you have a very limited number of devices and one tech on site to make changes.
I stick with my comments re: DHCP; however, I will expand on what I said.
I believe static is more secure. Someone would need specific knowledge of your IP addressing to be able to connect into your network and communicate with devices on it. Most implementations of DHCP assign IP addresses to anyone's PC that requests one (this is my reason for labelling it as giving you less control as you don't typically know which user has what address). The very large majority of DHCP implementations I've seen don't specify MAC addresses to IP addresses as that in itself creates a significant administrative burden (especially for a large user base). So if you implement this, people typically lose one of the key advantages of deploying DHCP - easy administration.
As an aside, I occasionally install and secure wireless networks and I would never ever recommend enabling DHCP on WLAN as this makes a wardriver's job just too easy to get in your network. I've previously worked on certain UK government contracts and have observed how they have purposely decided against dynamic network technologies and opted instead for static addressing and static routing. This gives them control over their resources and provides them with a solid and easy audit trail.
I agree that DHCP does not generate continual broadcast traffic however, as you say, it does tend to generate the traffic first thing in the morning. I've typically found that first thing in the morning and after lunch, network traffic profiles are usually very high whilst people are firing up their applications. So DHCP is indeed impacting on network utilisation in the morning and adding network utilisation.
Don't get me wrong. I'd still deploy DHCP in most situations - it's a no-brainer but I feel the disadvantages above are genuine ones and should be considered.
I don't have anything to really add to the thread, but that was an excellent post KiscoKid!
I have been considering a similar change in the office where I work - no people come in here other than staff and only ports that are in use are patched into the switches so that eliminates the risk of "anybody wandering in and hooking up to the network"
However, one real advantage that I find with the static scheme (29 hosts and 2 servers here) is being able to always know the IP address of a machine at any time. We also have a VPN where the users RDP to their desktop - if DHCP was used then this would not be a reliable option any longer.
Having said that, for machines such as this, a permanent MAC to IP setting could be entered on a DHCP server for these specific machines to ensure that they always get the same IP address and that the leases are set to the maximum allowed time.
There are several applications/services that are easier to maintain when being run over a static scheme, but this is only really true in smaller environments such as where I work.
DHCP could certainly be a feasible option, but there are things that you need to consider - like me - are there any VPN users that RDP to desktop? etc. etc.
If there are, you can still use DHCP, but it sort of defeats the purpose of low overhead... although, once it's set up, maintenance will be much easier. As mentioned, unused ports etc. can be shut down, but again this adds to the burdens of network administration that DHCP seeks to avoid!
We use a combination of static and DHCP addresses.
Static: devices that must be managed, (i.e. switches, servers, wireless, etc.)
DHCP: All workstations
Policies control what machines are allowed on the network and can pull an address.
Our DHCP scope is set such that workstations pull addresses from a manageable range, and certain ranges are reserved for particular devices.
i.e. routers and switches from .1 through .10, servers from .11 through .30, print servers from .50 to...., well you get the picture.
There is room (and I think some need) for the hybrid approach.
The overhead for having manual routes on a large network infrastructure does not bear thinking about - (mind you, if the administrator was a contractor he would be employed there forever).
I don't regard either as very secure. I think what you need to consider is what kind of security you are talking about. Many of the arguments for DHCP being more secure revolve around the fact that every so often it's possible to have a workstation's IP address change. Depending on lease times and your users' habits (do they turn off their systems at night?) a particular workstation's IP address might not change for weeks.
I don't regard either as very secure. It depends on who you are trying to guard against. Once somebody has physical access to your network, using DHCP or static IP addresses isn't going to help you. Yes, using DHCP makes life easy for the intruder, but if somebody wants to get on your network, they will. If I wanted to get an idea of your network's setup, Ethereal will do. It would not take me long from that point.
DHCP's biggest advantage (in my opinion) is that it makes life easy for the end users. Given static addresses they cannot move their laptop beyond their subnet without making some changes. Minimizing network connectivity problems minimizes calls to me. I look to other means to secure my network.
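Added example, not part of any post in this thread: the "less control / no audit trail" objection and the MAC-to-IP reservation idea raised above can both be checked from the DHCP server's own lease records. This sketch assumes an ISC dhcpd-style lease file; the sample leases, MAC addresses and the `INVENTORY` mapping are constructed for illustration.

```python
import re

# Constructed sample in ISC dhcpd.leases syntax (assumed server, not from the thread).
SAMPLE_LEASES = """
lease 192.168.10.101 {
  binding state active;
  hardware ethernet 00:16:3e:aa:00:01;
}
lease 192.168.10.102 {
  binding state active;
  next binding state free;
  hardware ethernet 00:16:3E:FF:99:42;
}
lease 192.168.10.20 {
  binding state active;
  hardware ethernet 00:16:3e:aa:00:02;
}
lease 192.168.10.103 {
  binding state free;
  hardware ethernet 00:16:3e:ff:99:43;
}
"""

# Hypothetical inventory: MAC -> reserved IP, or None for "known, any pool address".
INVENTORY = {
    "00:16:3e:aa:00:01": None,
    "00:16:3e:aa:00:02": "192.168.10.150",  # e.g. a desktop reached over RDP
}

def parse_leases(text):
    """Return one dict per lease block: ip, mac (lower-case or None), state."""
    leases = []
    for ip, body in re.findall(r"lease\s+(\S+)\s*\{(.*?)\}", text, re.S):
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        # Anchor at line start so "next binding state" is not mistaken for the state.
        state = re.search(r"^\s*binding state\s+(\w+);", body, re.M)
        leases.append({"ip": ip, "mac": mac.group(1).lower() if mac else None,
                       "state": state.group(1) if state else None})
    return leases

def audit(leases, inventory):
    """Flag active leases held by unknown MACs or by a MAC off its reserved IP."""
    findings = []
    for lease in leases:
        if lease["state"] != "active" or lease["mac"] is None:
            continue  # expired/free leases are history, not current exposure
        if lease["mac"] not in inventory:
            findings.append(("unknown-device", lease["ip"], lease["mac"]))
        elif inventory[lease["mac"]] not in (None, lease["ip"]):
            findings.append(("reservation-mismatch", lease["ip"], lease["mac"]))
    return findings
```

A MAC address is trivially spoofed, so a clean result shows inventory drift and casual plug-ins, not the absence of a determined intruder.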