
DHCP, Port Forwarding, and DMZ Hosts

You will, as a network administrator, probably deal with DHCP, port forwarding, and
the DMZ more often than you may like. These technologies are classically associated
with NAT, and many modern networks use them to provide various network services
and greater security.

DHCP
Dynamic Host Configuration Protocol, or DHCP, is the service that allows for the
dynamic (often called auto-magical) IP configuration of client nodes on a given
network. Typically (in most home or small-office networks), DHCP is employed over
manual configuration. In larger networks, DHCP can be very advantageous because it
allows network administrators to "kick back and relax" while addresses are
auto-magically assigned through a DHCP server. However, sometimes a manual
configuration may be more desirable so that administrators know which computers
correspond to which IP address – that is, so that the assignments are permanent.

DHCP works on a “release/renew” system. When an address is requested and assigned,
it is actually “leased” to the requesting node for a given period of time. After half of the
lease time has expired, the requesting node will automatically request a “renewal” of the
IP address from the original DHCP server. In most cases, the server will help the client
renew the assigned IP address. If the DHCP server that originally assigned the IP address
is still unavailable after around 87.5% of the lease time has expired, the client will send
a broadcast to all network nodes asking for an IP address. When the lease expires, however,
the node will lose the IP address. Note that DHCP operates on a client/server model, so a
DHCP client requests an IP address from a willing DHCP server. DHCP assigns the:

• IP address
• Subnet mask
• Default gateway

Microsoft Windows, Linux, and Macintosh all offer built-in DHCP server
functionality.
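The lease timeline described above (renewal at half the lease time, broadcast rebinding at about 87.5%, loss of the address at expiry) is easier to see in code. The following is an added illustration, not part of the original text; the Lease class, the state names, the 300-second tick and the sample lease values are all assumptions made for the example.

```python
"""DHCP lease timing as the text describes it: renew at half the lease (T1),
fall back to a broadcast at 87.5% (T2), lose the address when the lease ends.
Added illustration; the Lease class and the 300-second tick are assumptions."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

RENEW_FRACTION = 0.5     # T1: unicast renewal to the server that assigned the lease
REBIND_FRACTION = 0.875  # T2: broadcast to any DHCP server on the segment
BROADCAST = "255.255.255.255"


@dataclass
class Lease:
    ip: str         # address leased to the client
    server: str     # DHCP server that assigned it
    duration: int   # lease time in seconds

    @property
    def t1(self) -> int:
        return int(self.duration * RENEW_FRACTION)

    @property
    def t2(self) -> int:
        return int(self.duration * REBIND_FRACTION)


def client_state(lease: Lease, elapsed: int) -> str:
    """Lease state `elapsed` seconds after the address was assigned."""
    if elapsed >= lease.duration:
        return "expired"      # address lost; client must discover a server again
    if elapsed >= lease.t2:
        return "rebinding"    # original server silent: ask any server, by broadcast
    if elapsed >= lease.t1:
        return "renewing"     # ask the assigning server to extend the lease
    return "bound"


def renewal_target(lease: Lease, elapsed: int) -> Optional[str]:
    """Where a renewal request goes at this point, or None if none is sent."""
    state = client_state(lease, elapsed)
    if state == "renewing":
        return lease.server
    if state == "rebinding":
        return BROADCAST
    return None


def simulate(lease: Lease, server_reachable: bool, step: int = 300) -> List[Tuple[int, str]]:
    """Walk one lease period in `step`-second ticks and record what the client
    does. The client retries its renewal every tick until it is answered; when
    the assigning server is reachable the T1 unicast succeeds at once and the
    lease is simply renewed."""
    events: List[Tuple[int, str]] = []
    elapsed = 0
    while elapsed <= lease.duration:
        state = client_state(lease, elapsed)
        if state == "renewing":
            events.append((elapsed, f"unicast renewal to {lease.server}"))
            if server_reachable:
                events.append((elapsed, f"lease on {lease.ip} renewed"))
                return events
        elif state == "rebinding":
            events.append((elapsed, "broadcast request to any DHCP server"))
        elif state == "expired":
            events.append((elapsed, f"lease expired, {lease.ip} released"))
            return events
        elapsed += step
    return events


if __name__ == "__main__":
    # Constructed sample: a one-hour lease whose server goes silent
    lease = Lease(ip="192.168.1.4", server="192.168.1.1", duration=3600)
    print(f"T1={lease.t1}s  T2={lease.t2}s")
    for t, event in simulate(lease, server_reachable=False):
        print(f"{t:>5}s  {event}")
```

Running the script with the server unreachable shows the unicast renewals starting at 1800 s, the switch to broadcast after 3150 s, and the address being released at 3600 s; with the server reachable the lease is renewed at the first T1 attempt and the walk stops there.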

Port Forwarding
Most routers today offer a feature called port forwarding that works in conjunction with
NAT (Network Address Translation) to provide openings for incoming traffic to
“internal network” nodes. A typical application of port forwarding is the network
configuration for a file sharing program. The file sharing program on node 192.168.1.4
may need a specific port open to accept incoming traffic – for example, let’s say TCP
4444. Because of NAT, requests on TCP 4444 will not be handled, because the traffic is
directed to the router, which does not have any service operating on TCP 4444.
However, the router can be configured to forward requests on TCP 4444 to
192.168.1.4, which can handle the requests on TCP 4444, thus allowing the incoming
traffic to be handled on that port. The general formulation for port forwarding is:

Port Request on (TCP/UDP) (Port Number) Forwards to (Internal IP Address)

DMZ Host
A DMZ (Demilitarized Zone) host is a special (security) feature in many modern routers.
A DMZ host is basically a “catch-all” host for requests on non-configured ports.
Continuing the previous example, let’s say port forwarding is not configured, but a DMZ
host on 192.168.1.33 is. Then the request to the router on TCP 4444 (because it is not
forwarded) will be automatically sent to 192.168.1.33:4444. There are two main benefits
associated with DMZ hosts.

1. Port forwarding doesn’t have to be configured for each individual service (though
it is generally a BAD idea to set up an ordinary PC as a DMZ host)

2. As a security feature (quite the opposite of number 1), all of the suspicious
(non-port-forwarded) traffic can be directed to a single sanitized host
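The port forwarding rule above and the DMZ catch-all described in this section are two branches of the same decision a router makes for each unsolicited inbound request. The following added example models that decision for both sections; it is not code from the original text, and the Router class, its method names and the exposure report are assumptions. It uses the text's own scenario: a file sharing host at 192.168.1.4 on TCP 4444 and a DMZ host at 192.168.1.33.

```python
"""A router's inbound-traffic decision as the text describes it: an explicit
port-forwarding rule wins, an unforwarded port goes to the DMZ host if one is
set, and otherwise the packet dies at the router, which has no listener.
Added illustration; the Router class and its method names are assumptions."""

from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, int]  # (protocol, external port), e.g. ("TCP", 4444)


class Router:
    def __init__(self, dmz_host: Optional[str] = None) -> None:
        self.forwards: Dict[Rule, str] = {}
        self.dmz_host = dmz_host

    def forward(self, proto: str, port: int, internal_ip: str) -> None:
        """Port Request on (proto) (port) Forwards to (internal_ip)."""
        self.forwards[(proto.upper(), port)] = internal_ip

    def route_inbound(self, proto: str, port: int) -> Optional[str]:
        """Where an unsolicited inbound request on proto/port ends up."""
        target = self.forwards.get((proto.upper(), port))  # explicit rule first
        if target is None:
            target = self.dmz_host                          # catch-all, if any
        if target is None:
            return None                                     # dropped at the router
        return f"{target}:{port}"

    def exposure(self) -> Dict[str, List[str]]:
        """Internal hosts reachable from outside, and on what. A DMZ host is
        reachable on every port nobody forwarded elsewhere, which is why an
        ordinary PC should not be one."""
        report: Dict[str, List[str]] = {}
        for (proto, port), ip in sorted(self.forwards.items()):
            report.setdefault(ip, []).append(f"{proto}/{port}")
        if self.dmz_host is not None:
            report.setdefault(self.dmz_host, []).append("all other ports")
        return report


def demo() -> None:
    # Constructed scenario from the text: file sharing on TCP 4444, DMZ host on .33
    no_dmz = Router()
    no_dmz.forward("tcp", 4444, "192.168.1.4")
    print("forwarded:", no_dmz.route_inbound("tcp", 4444))       # 192.168.1.4:4444
    print("unforwarded:", no_dmz.route_inbound("tcp", 8080))     # None (dropped)

    with_dmz = Router(dmz_host="192.168.1.33")
    print("DMZ catch-all:", with_dmz.route_inbound("tcp", 4444))  # 192.168.1.33:4444
    print("exposure:", with_dmz.exposure())


if __name__ == "__main__":
    demo()
```

The exposure report is the check worth running before enabling a DMZ host: an explicit forward exposes one host on one port, while the DMZ host is listed as reachable on every port that is not forwarded elsewhere, which is exactly the trade-off between the two benefits above.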
