• Status: Solved
  • Priority: Medium
  • Security: Public

Unknown DHCP Leases

Hello,

Every morning I open up the DHCP console to look for unknown computers connecting to our network. I know that every device that is part of our domain lists the computer name as computer_name.domain.net. When a computer shows up with a DHCP lease without the .domain.net part of the name, I look to see what device it is and whether it is authorized to connect to our network. I know that device is not a member of our domain. We do have a Linksys AP that is secured using WEP. I know WEP is not the greatest. Also, we use Microsoft ISA 2004 Server as our firewall. Now, the Linksys AP is connected directly to our switch. Is that bypassing ISA? Can a computer get an IP lease from DHCP without being a domain member? Does the server require authentication before assigning a DHCP lease?
0
Asked by: Penflex
3 Solutions
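The morning check described in the question can be automated. The following is an added example written for this page, not code from the original post or from Microsoft's DHCP tooling: it reads a CSV export with the column layout of the DHCP console's Address Leases view (the rows below are constructed for the example), flags leases whose name lacks the domain suffix or is missing, and, because the name is self-reported by the client in its request (Host Name option 12, or the Client FQDN option 81 that domain-joined Windows clients send), also flags domain-style names whose MAC is not in an assumed inventory of known devices (`KNOWN_MACS`). The domain name `domain.net` is taken from the question.

```python
import csv
import io

# Constructed sample in the column layout of the DHCP console's Address Leases
# view (Client IP Address, Name, Lease Expiration, Type, Unique ID); the rows
# are made up for this example.
SAMPLE_LEASES = """\
Client IP Address,Name,Lease Expiration,Type,Unique ID
192.168.1.20,ws-acct01.domain.net,3/12/2008 8:15:02 AM,DHCP,001122334455
192.168.1.31,ws-hr04.domain.net,3/12/2008 9:01:44 AM,DHCP,00-11-22-33-aa-bb
192.168.1.57,LAPTOP-J7K2,3/12/2008 7:58:10 AM,DHCP,0a1b2c3d4e5f
192.168.1.58,,3/12/2008 7:59:02 AM,DHCP,5c6d7e8f9a0b
192.168.1.60,fileserver.domain.net,3/12/2008 8:40:00 AM,DHCP,deadbeef0001
"""

# Assumed inventory of MAC addresses for devices you have actually joined to
# the domain; in practice this would come from AD or an asset list.
KNOWN_MACS = {"001122334455", "00112233aabb"}


def normalize_mac(mac):
    """Reduce '00-11-22-33-AA-BB', '00:11:...' or '001122...' to 12 lowercase hex digits."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def parse_leases(text):
    """Parse the CSV export into a list of dicts with ip, name and mac keys."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        {
            "ip": row["Client IP Address"].strip(),
            "name": row["Name"].strip(),
            "mac": normalize_mac(row["Unique ID"]),
        }
        for row in reader
    ]


def find_unknown_leases(leases, domain, known_macs):
    """Return (ip, name, mac, reason) for every lease that deserves a look.

    The name is whatever the client put in its request, so a domain-style
    name is only trusted when the MAC is also on the known list.
    """
    suffix = "." + domain.lower().lstrip(".")
    findings = []
    for lease in leases:
        name = lease["name"].lower()
        if not name:
            reason = "no hostname supplied"
        elif not name.endswith(suffix):
            reason = "hostname lacks domain suffix"
        elif lease["mac"] not in known_macs:
            reason = "domain-style hostname but MAC not in inventory"
        else:
            continue
        findings.append((lease["ip"], lease["name"], lease["mac"], reason))
    return findings


if __name__ == "__main__":
    for ip, name, mac, reason in find_unknown_leases(
        parse_leases(SAMPLE_LEASES), "domain.net", KNOWN_MACS
    ):
        print(f"{ip:<15} {name or '<none>':<24} {mac}  {reason}")
```

Run against the sample, three of the five leases are reported: the laptop with a bare name, the client that sent no name at all, and `fileserver.domain.net`, which looks domain-joined but comes from a MAC the inventory has never seen. A MAC can be forged just as easily as a hostname, so this is a triage aid, not an access control; the answers below explain why the real fix is on the wireless side.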
 
Nothing_Changed commented:
DHCP has no authentication method built in, so anyone whose broadcasts could be seen by your DHCP server can/will get a lease.

Your access point inside your switch most likely does bypass your Microsoft server's firewall function.

Using a Microsoft server as a firewall is a security incident waiting to happen; use a Cisco ASA 5500 series. They range from $350 to $150,000, so there will be one in your price/performance range.
0
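To make the "no authentication" point concrete, here is an added example (not code from the original thread) that builds a DHCPDISCOVER byte for byte per RFC 2131 and then reads back what a server could learn from it. Every field the server or its console shows (the hardware address in `chaddr`, the client identifier, the host name) is filled in by the client, so the "computer_name.domain.net" in the lease list is a claim, not a verified identity. The MAC, hostname and transaction id below are made up; `send_discover` is included for completeness and is not called when the module is imported.

```python
import os
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 options marker
DHCPDISCOVER = 1
OPT_HOST_NAME, OPT_MESSAGE_TYPE, OPT_PARAM_LIST, OPT_CLIENT_ID, OPT_END = 12, 53, 55, 61, 255
HEADER_LEN = 236                       # fixed BOOTP fields before the cookie


def mac_to_bytes(mac):
    return bytes(int(part, 16) for part in mac.split(":"))


def build_discover(mac, hostname, xid=None):
    """Build a DHCPDISCOVER exactly as an unauthenticated client would send it.

    Every identifying field (chaddr, client-id, host name) is filled in by the
    client itself; nothing in the message proves who is asking.
    """
    if xid is None:
        xid = int.from_bytes(os.urandom(4), "big")
    chaddr = mac_to_bytes(mac).ljust(16, b"\x00")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,            # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,        # transaction id, secs, flags (broadcast bit set)
        b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,  # ciaddr..giaddr
        chaddr, b"\x00" * 64, b"\x00" * 128,                  # chaddr, sname, file
    )
    client_id = b"\x01" + mac_to_bytes(mac)          # hardware type + MAC
    name = hostname.encode("ascii")
    params = bytes([1, 3, 6, 15])                    # mask, router, DNS, domain name
    options = (
        bytes([OPT_MESSAGE_TYPE, 1, DHCPDISCOVER])
        + bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
        + bytes([OPT_HOST_NAME, len(name)]) + name
        + bytes([OPT_PARAM_LIST, len(params)]) + params
        + bytes([OPT_END])
    )
    return header + MAGIC_COOKIE + options


def parse_options(packet):
    """Return {option_code: raw_value} from a DHCP message; raise on a bad cookie."""
    if packet[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    opts, i = {}, HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad byte
            i += 1
            continue
        if code == OPT_END:
            break
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def claimed_identity(packet):
    """What the server (and its console) learns about the sender: only self-reported values."""
    opts = parse_options(packet)
    hlen = packet[2]
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])   # chaddr starts at offset 28
    return mac, opts.get(OPT_HOST_NAME, b"").decode("ascii", "replace")


def send_discover(packet):
    """Broadcast the packet from UDP/68 to UDP/67 (needs root and a free port 68)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("", 68))
        s.sendto(packet, ("255.255.255.255", 67))


if __name__ == "__main__":
    pkt = build_discover("00:11:22:33:44:55", "fileserver.domain.net")
    print(len(pkt), "bytes; claims to be", claimed_identity(pkt))
```

Nothing in the 282-byte message carries a credential, and a server that receives it (on the same broadcast domain, or via a relay) has no way to check `chaddr` against the real sender or the host name against anything at all. That is exactly why a device on an AP plugged into the LAN switch gets a lease without touching ISA or AD; the later answers explain how to separate wireless from the LAN.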
 
DewFreak commented:
You do not need to be part of the domain to get a lease from DHCP. I would lock your wireless down ASAP. If you only have WEP enabled, then I would shut the wireless down or create a totally separate network for wireless use and require users to VPN into the network from the wireless. There are other things you could do, like set static IP leases and whatnot, that inevitably someone here will say, but they will still have access to your network and be able to sniff traffic. I would shut it down until I could get at least a WPA2 AP installed.
0
 
Rob Williams commented:
>>"Linksys AP is connected directly to our switch. Is that bypassing ISA?"
Yes, and anyone can obtain a DHCP lease. That does not necessarily mean they have gained access to any network resources; they still have to authenticate to AD for that.
A much more secure method would be to place the wireless access point on the public/WAN side of the ISA server, enable DHCP on the wireless, and set up a VPN within ISA to allow users access to the LAN. This way the wireless users are treated securely, the same as if they were in an Internet café, but can still gain access to LAN resources.
0
 
Nothing_Changed commented:
Have you got the answers you were after, Penflex?
0
 
Penflex (Author) commented:
Thank you....
I will lock down my wireless with WPA2 and move it from the switch.
0
