<<< Date Index >>>     <<< Thread Index >>>

Re[3]: Bypassing ISA Server 2004 with IPv6



Dear Christine Kronberg,

Microsoft  ISA  Server  can't  filter  events  from Microsoft Mouse, but
Microsoft Mouse can be bound to computer. It's security risk, but I know
how to secure mouse without ISA and I accept this risk.

IPv6  can  not  be  filtered  by  ISA,  but  it still can be filtered by
different  tools,  or  by  it's own means, as IPv6 support network-level
security.  Unlike IPv4, IPv6 supports authentication, integrity checking
and  encryption  natively.  See ipsec6.exe and descriptions for Security
Association Batabase and Security Policy Database.


--Monday, April 10, 2006, 11:34:16 PM, you wrote to 3APA3A@xxxxxxxxxxxxxxxx:

CK> On Mon, 10 Apr 2006, 3APA3A wrote:
>> --Wednesday, April 5, 2006, 2:12:10 PM, you wrote to 
>> bugtraq@xxxxxxxxxxxxxxxxx:
>>
>>
>> CK>    is  open  for any attacks as long as they are IPv6 based. If that
>> CK>    is  right,  this is an extremly nasty bug. If ISA Server 2004 and
>> CK>    Windows  2003  Basic  Firewall cannot filter that stuff it should
>> CK>    simply drop it.
>>
>> You are not right.
>>
>> 1. IPv6 is not installed by default.
>> 2. If IPv6 is installed, routing is not enabled by default.
>> 3. If  you  install  IPv6,  you  can be bind it to only interfaces it's
>> required. To prevent IPv6 (or another routable protocol, such as IPX) on
>> external  interface  you  can (and you should) unbind this protocol from
>> interface in network connection properties. ISA is not required for this
>> task and is not supposed for this task.

CK>    Thanks for clearing that. But: If ISA is not able to filter IPv6 so
CK>    why can it be bound to an interface anyway? Just to route things
CK>    through? Blindly through a firewall?
CK>    Another posting talks about limited filtering capabilities. Roman
CK>    wrote, icmp went through. So where is the borderline? It still seems
CK>    to me that in the moment for what ever reason ipv6 is enabled on ISA
CK>    the network it should secure is exposed.

CK>    Cheers,

CK>    Christine Kronberg.




-- 
~/ZARAZA
Машина оказалась способной к единственному действию,
а именно умножению 2x2, да и то при этом ошибаясь. (Лем)