Unauthorized IP's on DHCP Network

[youch]

Hey All,

Through several tools at my disposal (Ethereal, Remote Desktop, Intermapper, etc.), there appears to be an IP or two, within the range I've setup for DHCP (a range of only 5 IP addresses.

I can NOT account for this one IP--no matter how hard I try. I'm sure it's coming in from my Wireless Access Point. Short of killing of the wireless network and DHCP services here, what's the best way to stop someone from using my Wireless network's DHCP addresses? Yes, I *DO* have a Sonicwall 2040, and everything is (I thought) secure, but this is bugging the hell out of me. I *did* do a search of the MAC address, and it's an HP box of some sort too.

Thanks for any insight anyone can offer.

--Youch

 

[Grenage]

Hi Youch,

Is the wireless AP not protected using WEP or WPA? DHCP will not assign an address until the connection has been established (after authentication).

Russell.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.

 

[youch]

Hi Russell,

Thanks very much for the quick reply!
The answer to your question is yes... the Wireless network IS protected via WEP. I don't understand how or why, but I was told that WEP was pretty weak, so for good measure, I also killed the broadcasting of this network (it's an Apple Airport Base Station, which makes this quite easy to do). Thus, I *thought* this LAN was reasonably secure, but I can't be sure now, which is obviously disconcerting.

So if I understand what you're saying in your reply, my DHCP server won't assign an address until AFTER the intruder (or whoever) has authenticated?

Thanks again,
Mike

 

[Grenage]

WEP is admittedly weak (WPA2-PSK is what you want if possible) , someone would still really have to care a lot to bother decrypting the key.

Correct, your DHCP server will not give out an IP address unless the connection has been authenticated. Without the connection being established it cannot talk to the DHCP server/module.

Do you have a wired network section that this IP might be coming across or does the device MAC show up on the wireless devices list?


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.

 

[Spirit]

Could someone have discovered the IP range and added a static route?

Thinking they could browse the internet or something?

Any records that there's a bruteforce attack or attempted decryption of your WEP key in the logs?

Iain

 

[Lote]

Apparently WEP can be decrypted with about 5gig's worth of captured data. This makes it not as secure as people believe. If you have VLan capability I suggest you stick the AP point in a VLAN. Stick a second network card in your server. set that up for VPN and only have the VPN ports open (PPTP 1723). With this done all your Wireless traffic will go to the server with only VPN access this will stop anyone browsing your network as they would have to authenticate themself to the server before they will be able to access anything. Once this has been done the user will get an IP address once he has authenticated himself.

 

[Lote]

I also suggest WPA as stated by Grenage and to change the key once a month if possible. Just to one silly questions its not your actual access point?

 

[youch]

Hey All,

Sorry I've been away for the last day and a half--
To answer the first questin first... Yes, the IS a wired segment of the LAN (matter of fact, it's the primary connection that the employees all use). The wireless is only there for one user in particular, plus any visitors who show up with their laptops. They still would need to come to me for the password to get onto the wireless network, however.

As stated, otherwise, the majority of the users at the company are connecting via Ethernet, but I was quite confident of the security it *it*. But now, this has become one of those, I don't know what I don't know scenarios, which again, is disconcerting.

To answer "Spriti's" question, I suppose it IS possible that someone could have discovered the range (which is your typical, standard, PRIVATE IP range beginning with 192.168........., so someone *could* have added a static route, but I wasn't aware that this was that easy to do. Regarding the same person's question of "Any records that there's a bruteforce attack or attempted decryption of your WEP key in the logs"? -- where would I look for this log? In my firewall? That's one of the things that's confusing me... if this is a wireless connection that the user's connecting over, doesn't that render my firewall pretty much obsolete at this point? (please forgive my lack of knowledge of this level, security is my "last frontier" in 10 years as an IT person.

Finally, regarding "Lote's" excellent suggestions, this would involve setting up more VPN clients on some of the user's workstations than we currently have licenses for (we have 5, mine of the them, and the rest are also spoken for. I have recently begun to research Open Source ones (like IPSecuritas), that I can dabble with, just haven't had the time of late, as this isn't one of my strong points either. The 5 I mentioned earlier were (are) using VPN Tracker, which is a "paid" for client.

Thanks everyone for your replies. I hope no-one's given up on the thread from the lack of my reply in 2 days! : ).

--Youch

 

[eyec]

it is possible (on your network) that someone installed OpenDNS/OpenNIC?

 

[Lote]

To answer you question regarding your firewall yes it becomes useless as it only filters your in and out bound Internet traffic not what comes in from the AP. Just out of curiosity. The lease on this IP address, when does it run out? Can you delete it and then keep a track of it to see if it gets used again. Just to keep an I on what is happening. Install a hub on your network and run Ethereal (

http://www.ethereal.com/)

on a PC which is attached to the hub. As this will allow you to monitor most of your network traffic. Run a Filter search and remove the IP addresses that you have resolved. This will then leave any unkown source for you to pick up and monitor. Knowing where this traffic is going to and from will make your diagnoses a lot easier.

 

[youch]

I thought I had replied to "eyec" yesterday, but just saw that it didn't take... what I said to him was that I wasn't familiar w/ either product (OpenDNS / OpenNIC), but could gather from the context of the acronymns that it would require *physical" access to the network. If that's true, I really don't think anyone did this (it's a relatively small company (30 users), and not one of these people are that savvy. The owners wouldn't do this either.

To reply to Lote, thanks for that info regarding the firewall--it's been on my mind for a while. Regarding Ethereal, I actually *do* have a dedicated box that I just recently (2 weeks ago) setup, but haven't patched into my network yet, but I'll be doing this today for sure. Finally, I have the leases set for 60 minutes. Through Apple's Server Admin tools, there's really no way to delete the lease itself, the only way I'm aware of is to temporarily kill DHCP on the server itself.

Thanks again for the tips, I'll post back what I find.

--Youch

 

[trojanman]

Correct, your DHCP server will not give out an IP address unless the connection has been authenticated

Define "authenticated".

 

[Roadki11]

How many people know the wep keys? I am betting its an employee's nice shiny new handheld device like an HP iPAQ or something similar and they got it on the network because they wrote down the wep keys you told them to use or saved the email you sent out telling them how to connect to the wireless? if thats not the case does sonicwall have MAC filtering? even linksys has MAC filtering so i would turn that on and add the authorized MAC's to the filter list. this can be defeated also by sniffing and spoofing but its one more obstacle.

Hope this helps,

RoadKi11