Unknown DHCP Leases


Every morning I open up the DHCP console to looking for unknown computers connecting to our network. I know that every device that is part of our domain list the computer name as computer_name.domain.net. When a computer shows up with a DHCP lease without the .domain.net part of the name I look to see if what device it is and if it is authorized to connect to our network. I know that device is not a member of our domain. We do have a Linksys AP that is secured using WEP. I know WEP is not the greatest. Also, we use Microsoft ISA 2004 server as our firewall. Now the Linksys AP is connected directly to our switch. Is that bypassing ISA? Can a computer get an IP lease from DHCP without being a domain member? Does the server require Authentication before assigning a DHCP lease?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

DHCP has no authentication method built in, so anyone whose broadcasts could be seen by your dhcp server can/will get a lease.

You access point inside your switch most likely does bypass your Microsoft server's firewall function.

Using a microsoft server as a fierwall is a security incident waiting to happen, use a Cisco ASA5500 series. They range from $350 - $150,000 so there will be one in your price/performance range.
You do not need to be part of the domain to get a lease from DHCP.  I would lock your wireless down ASAP.  If you only have WEP enabled then I would shut the wireless down or create a totally separate network for wireless use and require users to VPN into the network from the wireless.  There are other things you could do like set static IP leases and whatnot that inevitably someone here will say but they will still have access to your network and be able to sniff traffic.  I would shut it down until I could get at least a WPA2 AP installed.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Rob WilliamsCommented:
>>"Linksys AP is connected directly to our switch. Is that bypassing ISA?"
Yes, and anyone can obtain a DHCP lease. That does not necessarily mean they have gained access to any network resources, they still have to authenticate to AD for that.
A much more secure method would be to place the Wireless access point on the public/WAN side of the ISA server, enable DHCP on the wireless, and set up a VPN, within ISA, to allow users access to the LAN. This way the wireless users are treated securely the same as if they were in an Internet café, but can still gain access to LAN resources.
Have you got the answers you were after, Penflex?
PenflexAuthor Commented:
Thank you....
I will lock down my wireless with WAP2 and move it from the switch.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Forefront ISA Server

From novice to tech pro — start learning today.