Bugtraq mailing list archives
Re: Re[3]: Bypassing ISA Server 2004 with IPv6
From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Wed, 19 Apr 2006 21:22:29 -0700
RIL: On 4/15/06 1:23 PM, "Christine Kronberg" <seeker () shalla de> spoketh to all:
IPv6 can not be filtered by ISA, but it still can be filtered by different tools, or by it's own means, as IPv6 support network-level security. Unlike IPv4, IPv6 supports authentication, integrity checking and encryption natively. See ipsec6.exe and descriptions for Security Association Batabase and Security Policy Database.So you state that it is perfectly well for a firewall to allow any traffic through. Per default? And that this firewall does not need to have the interface to configure what traffic is allowed? I disagree. If a firewall supports a protocol, that same firewall should also provide the proper means and interface to configure it. And not blow holes in networks.
Based on your responses to this thread, my guess is that you have never installed or managed an ISA firewall. Just a guess... Regardless, let's try to clear this up one final time. IPv6 is NOT installed on ISA by default. BY DEFAULT, EVERYTHING IS BLOCKED. ISA *does not* support IPv6. There are NO holes blown in networks. This entire argument is crazy, and based on misinformation. You don't install or configure IPv6 through ISA. You have to be an administrator of the host machine and go into the network properties and explicitly install, bind, and configure IPv6 for it to work. You also have to do the same on your border routers and upstream ISP. It takes deliberate action on the part of the admin to do this. DOING THIS EXPLICITLY ENABLES IPV6. Duh! It's like you people would complain that if the administrator uninstalled ISA, that the resultant lack of a firewall was a critical Microsoft vulnerability! Jim Harrison and I are doing a 2-day immersion training for ISA at BlackHat Vegas. ISA Server freaking rocks. If you are really interested in ISA and want to get the skills needed to build robust firewalls, then take the course. If you can honestly tell me that you think ISA is "broken" after that course, I'll give you back every single penny of your fee personally. And *that* is a *promise.* T
Current thread:
- Bypassing ISA Server 2004 with IPv6 Romain . Le . Guen (Apr 03)
- Re: Bypassing ISA Server 2004 with IPv6 3APA3A (Apr 04)
- Re: Bypassing ISA Server 2004 with IPv6 Christine Kronberg (Apr 09)
- Re[2]: Bypassing ISA Server 2004 with IPv6 3APA3A (Apr 10)
- Re[2]: Bypassing ISA Server 2004 with IPv6 Christine Kronberg (Apr 14)
- Re[3]: Bypassing ISA Server 2004 with IPv6 3APA3A (Apr 15)
- Re[3]: Bypassing ISA Server 2004 with IPv6 Christine Kronberg (Apr 19)
- Re: Re[3]: Bypassing ISA Server 2004 with IPv6 Thor (Hammer of God) (Apr 20)
- Re: Re[3]: Bypassing ISA Server 2004 with IPv6 offtopic (Apr 20)
- Re: Bypassing ISA Server 2004 with IPv6 Christine Kronberg (Apr 09)
- Re: Re[2]: Bypassing ISA Server 2004 with IPv6 Thor (Hammer of God) (Apr 19)
- Re: Re[2]: Bypassing ISA Server 2004 with IPv6 Christine Kronberg (Apr 19)
- Re: Bypassing ISA Server 2004 with IPv6 3APA3A (Apr 04)
- Re: Bypassing ISA Server 2004 with IPv6 Thor (Hammer of God) (Apr 10)
- <Possible follow-ups>
- Re: Re: Bypassing ISA Server 2004 with IPv6 Romain . Le-Guen (Apr 09)
- Re: Bypassing ISA Server 2004 with IPv6 Thor (Hammer of God) (Apr 10)
- Re: Bypassing ISA Server 2004 with IPv6 noreply (Apr 11)