Re: Re[3]: Bypassing ISA Server 2004 with IPv6



RIL:


On 4/15/06 1:23 PM, "Christine Kronberg" <seeker@xxxxxxxxx> spoketh to all:

> > IPv6 can not be filtered by ISA, but it still can be filtered by
> > different tools, or by its own means, as IPv6 supports network-level
> > security. Unlike IPv4, IPv6 supports authentication, integrity checking
> > and encryption natively. See ipsec6.exe and descriptions for Security
> > Association Database and Security Policy Database.
>
> So you state that it is perfectly well for a firewall to allow
> any traffic through. Per default? And that this firewall does not
> need to have the interface to configure what traffic is allowed?
> I disagree.
> If a firewall supports a protocol, that same firewall should also
> provide the proper means and interface to configure it. And not blow
> holes in networks.

Based on your responses to this thread, my guess is that you have never
installed or managed an ISA firewall. Just a guess...

Regardless, let's try to clear this up one final time. IPv6 is NOT
installed on ISA by default. BY DEFAULT, EVERYTHING IS BLOCKED. ISA *does
not* support IPv6. There are NO holes blown in networks. This entire
argument is crazy, and based on misinformation. You don't install or
configure IPv6 through ISA. You have to be an administrator of the host
machine and go into the network properties and explicitly install, bind, and
configure IPv6 for it to work. You also have to do the same on your border
routers and upstream ISP. It takes deliberate action on the part of the
admin to do this. DOING THIS EXPLICITLY ENABLES IPV6. Duh! It's like you
people would complain that if the administrator uninstalled ISA, that the
resultant lack of a firewall was a critical Microsoft vulnerability!

Jim Harrison and I are doing a 2-day immersion training for ISA at BlackHat
Vegas. ISA Server freaking rocks. If you are really interested in ISA and
want to get the skills needed to build robust firewalls, then take the
course. If you can honestly tell me that you think ISA is "broken" after
that course, I'll give you back every single penny of your fee personally.
And *that* is a *promise.*

T


