http://www.ISAserver.org ------------------------------------------------------- It's not a reflexive thing, it's an agreement in number thing. Sent via ISA firewall protected Exchange 2003 Windows Mobile -----Original Message----- From: "Thor (Hammer of God)"<thor@xxxxxxxxxxxxxxx> Sent: 4/16/06 4:58:27 PM To: "isalist@xxxxxxxxxxxxx"<isalist@xxxxxxxxxxxxx> Subject: [isalist] Re: FW: Re[2]: Bypassing ISA Server 2004 with IPv6 http://www.ISAserver.org ------------------------------------------------------- It should be "installs *and* configures," and you should check the spacing on the post... Looks like some spaces were removed. Thanks for the post, though. Refexive pronouns and all ;) T On 4/16/06 6:50 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to all: > http://www.ISAserver.org > ------------------------------------------------------- > > Here you go: > > http://blogs.isaserver.org/shinder/2006/04/16/isa-firewalls-and-ipv6/ > > Thomas W Shinder, M.D. > Site: www.isaserver.org > Blog: http://blogs.isaserver.org/shinder/ > Book: http://tinyurl.com/3xqb7 > MVP -- ISA Firewalls > > > >> -----Original Message----- >> From: isalist-bounce@xxxxxxxxxxxxx >> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor >> (Hammer of God) >> Sent: Saturday, April 15, 2006 10:40 PM >> To: isalist@xxxxxxxxxxxxx >> Subject: [isalist] FW: Re[2]: Bypassing ISA Server 2004 with IPv6 >> >> http://www.ISAserver.org >> ------------------------------------------------------- >> >> >> Just to keep the ISA Lists in the mix when it comes to this >> "IPv6 Bypassing >> ISA" thing... >> >> >> >> ------ Forwarded Message >> From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx> >> Date: Sat, 15 Apr 2006 20:28:36 -0700 >> To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx> >> Conversation: Re[2]: Bypassing ISA Server 2004 with IPv6 >> Subject: Re: Re[2]: Bypassing ISA Server 2004 with IPv6 >> >> ISA Server is an application that is installed on top of the >> base OS. Are >> you suggesting that the application should actually prevent the local >> administrator of the host machine from installing and configuring what >> protocols are bound to what adapters? >> >> To me, *that* is the borderline. There is no such thing as >> "for what ever >> reason ipv6 in enabled on ISA" when it comes to administering >> an enterprise >> firewall product. If an administrator installs configures >> ipv6 on the OS of >> the firewall, and then binds ipv6 to a protected network >> segment, then they >> absolutely, positively, without-a-doubt get exactly what they deserve. >> Anyone who does that without understanding what they are >> doing are simply >> taking jobs away from competent, knowledgeable administrators. >> >> The mindset of "protecting the ignorant administrator from >> themselves" in >> this business has got to end. Positioning this as if there >> is some flaw in >> ISA because the application does not prohibit a local >> administrator from >> binding unsupported protocols to interfaces is simply >> ludicrous. In fact, it >> is the opposite that is true: If I as an administrator of a >> machine want to >> bind a protocol to an adapter for some reason (as in a >> separate, private >> segment for use in a particular environment) then I should, >> indeed MUST, be >> able to do it. And I will be responsible for the >> implications of doing so. >> >> There was an earlier thread today where a simple list of >> hostnames being >> filtered from the Win32 HOSTS file was positioned as >> "deliberate sabotage" >> of our machines by Microsoft; a case of "It's my computer- >> keep your hands >> off." Yet here, the integrity of a product is being >> challenged because the >> application does not prevent an administrator from installing >> and binding >> protocols at the OS-level in cases where the application is >> not designed to >> filter those protocols? That is a double-standard at its best. >> >> t >> >> >> On 4/10/06 12:34 PM, <You can get the OP from Bugtraq> spoketh to all: >> >>> Thanks for clearing that. But: If ISA is not able to >> filter IPv6 so >>> why can it be bound to an interface anyway? Just to route things >>> through? Blindly through a firewall? >>> Another posting talks about limited filtering capabilities. Roman >>> wrote, icmp went through. So where is the borderline? It >> still seems >>> to me that in the moment for what ever reason ipv6 is >> enabled on ISA >>> the network it should secure is exposed. >>> >> >> >> ------ End of Forwarded Message >> >> >> ------------------------------------------------------ >> List Archives: //www.freelists.org/archives/isalist/ >> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp >> ISA Server Articles and Tutorials: >> http://www.isaserver.org/articles_tutorials/ >> ISA Server Blogs: http://blogs.isaserver.org/ >> ------------------------------------------------------ >> Visit TechGenix.com for more information about our other sites: >> http://www.techgenix.com >> ------------------------------------------------------ >> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp >> Report abuse to listadmin@xxxxxxxxxxxxx >> >> >> > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx