• Status: Solved
• Priority: Medium
• Security: Public
• Views: 760
• Last Modified:

Unknown DHCP Leases


Every morning I open up the DHCP console to look for unknown computers connecting to our network. I know that every device that is part of our domain lists the computer name as computer_name.domain.net. When a computer shows up with a DHCP lease without the .domain.net part of the name, I look to see what device it is and if it is authorized to connect to our network. I know that device is not a member of our domain. We do have a Linksys AP that is secured using WEP. I know WEP is not the greatest. Also, we use Microsoft ISA 2004 Server as our firewall. Now the Linksys AP is connected directly to our switch. Is that bypassing ISA? Can a computer get an IP lease from DHCP without being a domain member? Does the server require authentication before assigning a DHCP lease?
3 Solutions
DHCP has no authentication method built in, so anyone whose broadcasts could be seen by your dhcp server can/will get a lease.

Your access point inside your switch most likely does bypass your Microsoft server's firewall function.

Using a Microsoft server as a firewall is a security incident waiting to happen; use a Cisco ASA 5500 series. They range from $350 - $150,000, so there will be one in your price/performance range.
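The answer above makes the key point: DHCP hands a lease to anyone whose broadcast reaches the server, so the lease table is the first place a non-domain device shows up. The script below is an added example (not code from the thread or from any of the posters) that automates the daily check the question describes: it reads a lease export and flags every lease whose client name lacks the `.domain.net` suffix or has no name at all, skipping an allow-list of known non-domain devices. The CSV layout, the column names, the domain suffix, the MAC addresses and the allow-list entries are all constructed for the example; a real DHCP console export uses different columns, so adapt the field names.

```python
"""Flag DHCP leases that do not look like domain members.

Added example, not from the original thread. Input is a constructed CSV
resembling a lease export; real exports differ, so adjust the columns.
"""
import csv
import io
from dataclasses import dataclass

# Assumed domain suffix; replace with the real one.
DOMAIN_SUFFIX = ".domain.net"

# Constructed sample export (not real data). Column names are assumptions.
SAMPLE_EXPORT = """\
ip_address,mac_address,client_name,lease_expires
192.168.1.20,00-11-22-33-44-55,ws-acct01.domain.net,2008-03-02 08:15
192.168.1.21,00-11-22-33-44-66,WS-ACCT02.DOMAIN.NET,2008-03-02 08:16
192.168.1.50,00-aa-bb-cc-dd-ee,JohnsLaptop,2008-03-02 09:40
192.168.1.51,00-aa-bb-cc-dd-ff,,2008-03-02 09:41
192.168.1.52,00-aa-bb-cc-dd-01,HPLJ4200,2008-03-02 09:42
"""

# Allow-list of known non-domain devices keyed by lowercase MAC address
# (constructed placeholder: a printer that is not a domain member).
KNOWN_NON_DOMAIN_MACS = {"00-aa-bb-cc-dd-01": "lobby printer"}


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    client_name: str
    reason: str


def is_domain_member_name(name: str) -> bool:
    """True if the lease's client name carries the domain suffix (case-insensitive)
    and has a host part in front of it."""
    suffix = DOMAIN_SUFFIX.lower()
    return name.lower().endswith(suffix) and len(name) > len(suffix)


def find_unknown_leases(export_text: str, known_macs=None) -> list[Finding]:
    """Return one Finding per lease that is neither a domain-suffixed name
    nor an allow-listed MAC. Pass known_macs={} to disable the allow-list."""
    known = KNOWN_NON_DOMAIN_MACS if known_macs is None else known_macs
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        name = (row.get("client_name") or "").strip()
        mac = (row.get("mac_address") or "").strip().lower()
        if is_domain_member_name(name):
            continue  # looks like a domain member; nothing to review
        if mac in known:
            continue  # known non-domain device, already reviewed
        reason = "no client name" if not name else "name lacks domain suffix"
        findings.append(Finding(row["ip_address"], mac, name, reason))
    return findings


if __name__ == "__main__":
    for f in find_unknown_leases(SAMPLE_EXPORT):
        print(f"{f.ip:<15} {f.mac:<18} {f.client_name or '<none>':<25} {f.reason}")
```

Treat the output as a review queue, not as a verdict: the client name in a lease is whatever the client chose to send in its DHCP request, so a device that is not a domain member can present any name it likes. The check catches devices that do not bother, which is what the daily console review already relies on, while the authoritative answer to "is this device authorized" still has to come from the allow-list and from AD authentication, as the other answers in the thread note.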
You do not need to be part of the domain to get a lease from DHCP.  I would lock your wireless down ASAP.  If you only have WEP enabled then I would shut the wireless down or create a totally separate network for wireless use and require users to VPN into the network from the wireless.  There are other things you could do like set static IP leases and whatnot that inevitably someone here will say but they will still have access to your network and be able to sniff traffic.  I would shut it down until I could get at least a WPA2 AP installed.
Rob Williams commented:
>>"Linksys AP is connected directly to our switch. Is that bypassing ISA?"
Yes, and anyone can obtain a DHCP lease. That does not necessarily mean they have gained access to any network resources, they still have to authenticate to AD for that.
A much more secure method would be to place the Wireless access point on the public/WAN side of the ISA server, enable DHCP on the wireless, and set up a VPN, within ISA, to allow users access to the LAN. This way the wireless users are treated securely the same as if they were in an Internet café, but can still gain access to LAN resources.
Have you got the answers you were after, Penflex?
Penflex (Author) commented:
Thank you....
I will lock down my wireless with WPA2 and move it from the switch.