Re[3]: Bypassing ISA Server 2004 with IPv6

To: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
Subject: Re[3]: Bypassing ISA Server 2004 with IPv6
From: Christine Kronberg <seeker@xxxxxxxxx>
Date: Sat, 15 Apr 2006 22:23:48 +0200 (CEST)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <1306419752.20060415151728@xxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20060403150855.23543.qmail@xxxxxxxxxxxxxxxxx> <251662912.20060404164057@xxxxxxxxxxxxxxxx> <Pine.LNX.4.64.0604051207220.27173@xxxxxxxxx> <1083495427.20060410162247@xxxxxxxxxxxxxxxx> <Pine.LNX.4.64.0604102122350.11673@xxxxxxxxx> <1306419752.20060415151728@xxxxxxxxxxxxxxxx>


  Dear 3APA3A,

Microsoft  ISA  Server  can't  filter  events  from Microsoft Mouse, but


  Apples and peas?

Microsoft Mouse can be bound to computer. It's security risk, but I know
how to secure mouse without ISA and I accept this risk.


  Nice, that you do. If I manage by any means to see remotely
  that you have attached a mouse to your ISA and to (ab)use it,
  I'm much better that I thought - and you have much bigger problems
  than you thought.
  The nice thing about icmp is that I do not require much knowledge
  to get information remotely. Same true with ipv6. Unless something
  in between stops me. Which brings us back to the topic: a firewall
  allowing too much.

IPv6  can  not  be  filtered  by  ISA,  but  it still can be filtered by
different  tools,  or  by  it's own means, as IPv6 support network-level
security.  Unlike IPv4, IPv6 supports authentication, integrity checking
and  encryption  natively.  See ipsec6.exe and descriptions for Security
Association Batabase and Security Policy Database.


  So you state that it is perfectly well for a firewall to allow
  any traffic through. Per default? And that this firewall does not
  need to have the interface to configure what traffic is allowed?
  I disagree.
  If a firewall supports a protocol, that same firewall should also
  provide the proper means and interface to configure it. And not blow
  holes in networks.

  Cheers,

  Christine Kronberg.

Follow-Ups:
- Re: Re[3]: Bypassing ISA Server 2004 with IPv6
  - From: offtopic
- Re: Re[3]: Bypassing ISA Server 2004 with IPv6
  - From: Thor (Hammer of God)

References:
- Bypassing ISA Server 2004 with IPv6
  - From: Romain . Le . Guen
- Re: Bypassing ISA Server 2004 with IPv6
  - From: 3APA3A
- Re: Bypassing ISA Server 2004 with IPv6
  - From: Christine Kronberg
- Re[2]: Bypassing ISA Server 2004 with IPv6
  - From: 3APA3A
- Re[2]: Bypassing ISA Server 2004 with IPv6
  - From: Christine Kronberg
- Re[3]: Bypassing ISA Server 2004 with IPv6
  - From: 3APA3A

Prev by Date: Re: Re[2]: Bypassing ISA Server 2004 with IPv6
Next by Date: Re: Re: [Full-disclosure] Microsoft DNS resolver: deliberately sabotaged hosts-file lookup
Previous by thread: Re[3]: Bypassing ISA Server 2004 with IPv6
Next by thread: Re: Re[3]: Bypassing ISA Server 2004 with IPv6
Index(es):
- Date
- Thread