[isalist] Re: FW: Re[2]: Bypassing ISA Server 2004 with IPv6

• From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
• To: <isalist@xxxxxxxxxxxxx>
• Date: Sun, 16 Apr 2006 19:05:18 -0500

http://www.ISAserver.org
-------------------------------------------------------

It's not a reflexive thing, it's an agreement in number thing.

Sent via ISA firewall protected Exchange 2003 Windows Mobile


-----Original Message-----
From: "Thor (Hammer of God)"<thor@xxxxxxxxxxxxxxx>
Sent: 4/16/06 4:58:27 PM
To: "isalist@xxxxxxxxxxxxx"<isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: FW: Re[2]: Bypassing ISA Server 2004 with IPv6

http://www.ISAserver.org
-------------------------------------------------------
  
It should be "installs *and* configures," and you should check the spacing
on the post... Looks like some spaces were removed.

Thanks for the post, though.  Refexive pronouns and all ;)

T


On 4/16/06 6:50 AM, "Thomas W Shinder" <tshinder@xxxxxxxxxxx> spoketh to
all:

> http://www.ISAserver.org
> -------------------------------------------------------
> 
> Here you go:
> 
> http://blogs.isaserver.org/shinder/2006/04/16/isa-firewalls-and-ipv6/
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> 
>  
> 
>> -----Original Message-----
>> From: isalist-bounce@xxxxxxxxxxxxx
>> [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
>> (Hammer of God)
>> Sent: Saturday, April 15, 2006 10:40 PM
>> To: isalist@xxxxxxxxxxxxx
>> Subject: [isalist] FW: Re[2]: Bypassing ISA Server 2004 with IPv6
>> 
>> http://www.ISAserver.org
>> -------------------------------------------------------
>>   
>> 
>> Just to keep the ISA Lists in the mix when it comes to this
>> "IPv6 Bypassing
>> ISA" thing...
>> 
>> 
>> 
>> ------ Forwarded Message
>> From: "Thor   (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
>> Date: Sat, 15 Apr 2006 20:28:36 -0700
>> To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
>> Conversation: Re[2]: Bypassing ISA Server 2004 with IPv6
>> Subject: Re: Re[2]: Bypassing ISA Server 2004 with IPv6
>> 
>> ISA Server is an application that is installed on top of the
>> base OS. Are
>> you suggesting that the application should actually prevent the local
>> administrator of the host machine from installing and configuring what
>> protocols are bound to what adapters?
>> 
>> To me, *that* is the borderline.  There is no such thing as
>> "for what ever
>> reason ipv6 in enabled on ISA" when it comes to administering
>> an enterprise
>> firewall product.  If an administrator installs configures
>> ipv6 on the OS of
>> the firewall, and then binds ipv6 to a protected network
>> segment, then they
>> absolutely, positively, without-a-doubt get exactly what they deserve.
>> Anyone who does that without understanding what they are
>> doing are simply
>> taking jobs away from competent, knowledgeable administrators.
>> 
>> The mindset of "protecting the ignorant administrator from
>> themselves" in
>> this business has got to end.  Positioning this as if there
>> is some flaw in
>> ISA because the application does not prohibit a local
>> administrator from
>> binding unsupported protocols to interfaces is simply
>> ludicrous. In fact, it
>> is the opposite that is true:  If I as an administrator of a
>> machine want to
>> bind a protocol to an adapter for some reason (as in a
>> separate, private
>> segment for use in a particular environment) then I should,
>> indeed MUST, be
>> able to do it.  And I will be responsible for the
>> implications of doing so.
>> 
>> There was an earlier thread today where a simple list of
>> hostnames being
>> filtered from the Win32 HOSTS file was positioned as
>> "deliberate sabotage"
>> of our machines by Microsoft; a case of "It's my computer-
>> keep your hands
>> off."  Yet here, the integrity of a product is being
>> challenged because the
>> application does not prevent an administrator from installing
>> and binding
>> protocols at the OS-level in cases where the application is
>> not designed to
>> filter those protocols?  That is a double-standard at its best.
>> 
>> t
>> 
>> 
>> On 4/10/06 12:34 PM, <You can get the OP from Bugtraq> spoketh to all:
>> 
>>>    Thanks for clearing that. But: If ISA is not able to
>> filter IPv6 so
>>>    why can it be bound to an interface anyway? Just to route things
>>>    through? Blindly through a firewall?
>>>    Another posting talks about limited filtering capabilities. Roman
>>>    wrote, icmp went through. So where is the borderline? It
>> still seems
>>>    to me that in the moment for what ever reason ipv6 is
>> enabled on ISA
>>>    the network it should secure is exposed.
>>> 
>> 
>> 
>> ------ End of Forwarded Message
>> 
>> 
>> ------------------------------------------------------
>> List Archives: //www.freelists.org/archives/isalist/
>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> ISA Server Articles and Tutorials:
>> http://www.isaserver.org/articles_tutorials/
>> ISA Server Blogs: http://blogs.isaserver.org/
>> ------------------------------------------------------
>> Visit TechGenix.com for more information about our other sites:
>> http://www.techgenix.com
>> ------------------------------------------------------
>> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
>> Report abuse to listadmin@xxxxxxxxxxxxx
>> 
>> 
>> 
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> 


------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/  
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ 
ISA Server Blogs: http://blogs.isaserver.org/ 
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
Report abuse to listadmin@xxxxxxxxxxxxx 


------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx

• Follow-Ups:
  • [isalist] Re: FW: Re[2]: Bypassing ISA Server 2004 with IPv6
    • From: Thor (Hammer of God)

Other related posts:

• » [isalist] FW: Re[2]: Bypassing ISA Server 2004 with IPv6
• » [isalist] Re: FW: Re[2]: Bypassing ISA Server 2004 with IPv6
• » [isalist] Re: FW: Re[2]: Bypassing ISA Server 2004 with IPv6
• » [isalist] Re: FW: Re[2]: Bypassing ISA Server 2004 with IPv6
• » [isalist] Re: FW: Re[2]: Bypassing ISA Server 2004 with IPv6
• » [isalist] Re: FW: Re[2]: Bypassing ISA Server 2004 with IPv6
• » [isalist] Re: FW: Re[2]: Bypassing ISA Server 2004 with IPv6

1. Home
2. isalist
3. Archive
4. 04-2006

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---