Re: [SLUG] DHCP, Linux Workstations, and a Windows Server

From: Greg Schmidt (slugmail@gschmidt.net)
Date: Sun Aug 03 2003 - 23:35:14 EDT


Eric Jahn wrote:
> At my last job, I was able to connect my laptop running Debian to my
> work's MS 2000 Server ethernet LAN and via DHCP get an instant internet
> connection (of course never any Windows file services as to be
> expected). I didn't even have to log in. Is this a universally true
> occurrence?

Nope.

> Can I connect to any LAN's internet services (if internet is
> available to Windows boxes) by plugging a DHCP-compliant device into the
> wall?

Maybe.

As others have said, "It depends."

There are fundamentally two types of firewalls that connect LANs to the
Internet. (Remember that every firewall is a router, but not every
router is a firewall.)

The first type uses NAT (Network Address Translation). Typically, they
use SNAT (Source address NAT) so that they spoof the IP addy DHCP
assigns to your NIC and use a fake address and port when sending packets
to the Internet. They keep track of what lies they have told to both
sides and translate in both directions so machines on the LAN can do
things like grab web pages from Internet web servers. Since they mung
the header of the IP packet to lie about the source address they also
(conveniently) prohibit the initiation of a TCP handshake from the
Internet to the LAN, and thus provide a large amount of protection to
the LAN. There is also DNAT (Destination address NAT), and it is
commonly seen as poking a hole through your firewall (allows connections
from the Internet).

The second type uses a proxy server. This is generally more secure. In
this setup the proxy is the machine that sends a thing like a web page
to the client's browser, not the real machine on the Internet. It does
this by going to the Internet and, by proxy, making their request for
the client, examining the result, and deciding to honor the request or
not. Proxy servers have the advantage over plain NAT in that they can
examine all parts of the packet, not just the IP header, and can be much
more paranoid about the things they let through. Proxy servers show a
performance hit the first time a web page is requested, but a
performance boost as they serve it out of their cache the next time the
page is requested. Proxies exist for more than just web pages too.
Proxy servers have the disadvantage of being more complex to configure
(if you want to actually use those advanced features) and requiring much
more robust hardware than a simple NAT. Unlike a simple NAT they need
to cache, and probably examine, the entire payload of each packet.

If the IP addy handed to your NIC by the DHCP server is one of the
private addresses allocated in RFC 1918 section 3,

http://www.ietf.org/rfc/rfc1918.txt?number=1918

      10.0.0.0 - 10.255.255.255 (10/8 prefix)
      172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
      192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

then it is extremely likely (basically certain) that your address gets
NATed on the way to the Internet.

It is possible, even common, to use both types of firewalls, NAT and
proxy. Either or both might require authentication to allow packets to
pass through them from a client machine, as in the "You can't get there
from here without a username, password, and, oh yeah, what's that public
key?" type of security.

The more secure it is, the harder it is to administer. I've seen many
places not requiring anything other than a valid DHCP-provided IP
address to get to the Internet.

If everyone really is out to get you, paranoia is not a mental disease,
but a lucid recognition of reality.

Plug in and give it a shot.

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
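Editor's added example (not code from the original post or its author): a toy stateful SNAT/DNAT gateway that shows the mechanism described above, why a reply to a LAN-initiated connection is translated back but an unsolicited inbound SYN to the same translated port is dropped, and why a DNAT "hole" lets one through anyway, together with the RFC 1918 check for deciding whether a DHCP-assigned address will be NATed. The public address 198.51.100.1 and the Internet hosts in 203.0.113.0/24 are taken from the RFC 5737 documentation ranges, the LAN addresses and ports are constructed, and the gateway only models address/port translation, not TCP state tracking or timeouts.

```python
"""Toy SNAT/DNAT gateway plus an RFC 1918 check (added example, not the post's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The three private blocks from RFC 1918 section 3.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if the DHCP-assigned address is private, i.e. will be NATed."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Connection-tracking key: which LAN host talked to which Internet host.
Flow = Tuple[str, int, str, int]


class NatGateway:
    """Stateful source NAT with an optional DNAT (port-forward) table."""

    def __init__(self, public_ip: str,
                 dnat: Optional[Dict[int, Tuple[str, int]]] = None):
        self.public_ip = public_ip
        self.dnat = dnat or {}              # public port -> (lan ip, lan port)
        self.by_port: Dict[int, Flow] = {}  # translated sport -> original flow
        self.by_flow: Dict[Flow, int] = {}  # original flow -> translated sport
        self.next_port = 40000              # assumed ephemeral-port allocator
        self.dropped: List[Packet] = []

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: rewrite the source to the public IP and a fresh port."""
        flow: Flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.by_flow.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: only a matching reply or a DNAT rule gets through."""
        flow = self.by_port.get(pkt.dport)
        # The remote side must match the recorded flow, not just the port.
        if flow is not None and flow[2] == pkt.src and flow[3] == pkt.sport:
            lan_ip, lan_port, _, _ = flow
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        if pkt.dport in self.dnat:          # the deliberately poked hole
            lan_ip, lan_port = self.dnat[pkt.dport]
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port)
        self.dropped.append(pkt)            # no state, no hole: dropped
        return None


def demo() -> dict:
    """Walk a constructed web fetch, an unsolicited probe and a DNAT hit."""
    gw = NatGateway("198.51.100.1", dnat={2222: ("192.168.1.5", 22)})
    lan_host, web = "192.168.1.23", "203.0.113.10"
    out = gw.outbound(Packet(lan_host, 51000, web, 80))            # SYN to a web server
    reply = gw.inbound(Packet(web, 80, gw.public_ip, out.sport))   # its SYN/ACK comes back
    probe = gw.inbound(Packet("203.0.113.99", 12345, gw.public_ip, out.sport))  # stranger, same port
    fwd = gw.inbound(Packet("203.0.113.99", 12345, gw.public_ip, 2222))         # DNAT rule
    return {"out": out, "reply": reply, "probe": probe, "fwd": fwd,
            "dropped": len(gw.dropped)}


if __name__ == "__main__":
    for a in ("192.168.1.23", "172.31.9.9", "172.32.0.1", "203.0.113.10"):
        print(a, "private (NATed)" if is_rfc1918(a) else "public")
    for name, value in demo().items():
        print(name, value)
```

The practitioner's caveat: the protection a NAT gives is a side effect of its translation state, not a policy, so any DNAT rule, UPnP mapping or helper that creates state from the inside opens the LAN host regardless; a real implementation such as Linux conntrack also tracks TCP state and expires idle entries, which this toy omits.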



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 16:00:43 EDT