Re[3]: Bypassing ISA Server 2004 with IPv6

To: Christine Kronberg <seeker@xxxxxxxxx>
Subject: Re[3]: Bypassing ISA Server 2004 with IPv6
From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Date: Sat, 15 Apr 2006 15:17:28 +0400
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <Pine.LNX.4.64.0604102122350.11673@xxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: http://www.security.nnov.ru
References: <20060403150855.23543.qmail@xxxxxxxxxxxxxxxxx> <251662912.20060404164057@xxxxxxxxxxxxxxxx> <Pine.LNX.4.64.0604051207220.27173@xxxxxxxxx> <1083495427.20060410162247@xxxxxxxxxxxxxxxx> <Pine.LNX.4.64.0604102122350.11673@xxxxxxxxx>
Reply-to: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>

Dear Christine Kronberg,

Microsoft  ISA  Server  can't  filter  events  from Microsoft Mouse, but
Microsoft Mouse can be bound to computer. It's security risk, but I know
how to secure mouse without ISA and I accept this risk.

IPv6  can  not  be  filtered  by  ISA,  but  it still can be filtered by
different  tools,  or  by  it's own means, as IPv6 support network-level
security.  Unlike IPv4, IPv6 supports authentication, integrity checking
and  encryption  natively.  See ipsec6.exe and descriptions for Security
Association Batabase and Security Policy Database.

--Monday, April 10, 2006, 11:34:16 PM, you wrote to 3APA3A@xxxxxxxxxxxxxxxx:

CK> On Mon, 10 Apr 2006, 3APA3A wrote:
>> --Wednesday, April 5, 2006, 2:12:10 PM, you wrote to 
>> bugtraq@xxxxxxxxxxxxxxxxx:
>>
>>
>> CK>    is  open  for any attacks as long as they are IPv6 based. If that
>> CK>    is  right,  this is an extremly nasty bug. If ISA Server 2004 and
>> CK>    Windows  2003  Basic  Firewall cannot filter that stuff it should
>> CK>    simply drop it.
>>
>> You are not right.
>>
>> 1. IPv6 is not installed by default.
>> 2. If IPv6 is installed, routing is not enabled by default.
>> 3. If  you  install  IPv6,  you  can be bind it to only interfaces it's
>> required. To prevent IPv6 (or another routable protocol, such as IPX) on
>> external  interface  you  can (and you should) unbind this protocol from
>> interface in network connection properties. ISA is not required for this
>> task and is not supposed for this task.

CK>    Thanks for clearing that. But: If ISA is not able to filter IPv6 so
CK>    why can it be bound to an interface anyway? Just to route things
CK>    through? Blindly through a firewall?
CK>    Another posting talks about limited filtering capabilities. Roman
CK>    wrote, icmp went through. So where is the borderline? It still seems
CK>    to me that in the moment for what ever reason ipv6 is enabled on ISA
CK>    the network it should secure is exposed.

CK>    Cheers,

CK>    Christine Kronberg.

-- 
~/ZARAZA
Машина оказалась способной к единственному действию,
а именно умножению 2x2, да и то при этом ошибаясь. (Лем)

Follow-Ups:
- Re[3]: Bypassing ISA Server 2004 with IPv6
  - From: Christine Kronberg

References:
- Bypassing ISA Server 2004 with IPv6
  - From: Romain . Le . Guen
- Re: Bypassing ISA Server 2004 with IPv6
  - From: 3APA3A
- Re: Bypassing ISA Server 2004 with IPv6
  - From: Christine Kronberg
- Re[2]: Bypassing ISA Server 2004 with IPv6
  - From: 3APA3A
- Re[2]: Bypassing ISA Server 2004 with IPv6
  - From: Christine Kronberg

Prev by Date: [SECURITY] [DSA 1035-1] New fcheck packages fix insecure temporary file creation
Next by Date: PHP Album <= 0.3.2.3 remote commnads execution
Previous by thread: Re[2]: Bypassing ISA Server 2004 with IPv6
Next by thread: Re[3]: Bypassing ISA Server 2004 with IPv6
Index(es):
- Date
- Thread