[isalist] FW: Re[3]: Bypassing ISA Server 2004 with IPv6

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 24 Apr 2006 14:10:02 -0700

http://www.ISAserver.org
-------------------------------------------------------
  

I give up.  There is just no educating some people.

------ Forwarded Message
From: Christine Kronberg
Date: Mon, 24 Apr 2006 22:55:00 +0200 (CEST)
To: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
Cc: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: Re[3]: Bypassing ISA Server 2004 with IPv6

On Wed, 19 Apr 2006, Thor (Hammer of God) wrote:
> On 4/15/06 1:23 PM, "Christine Kronberg" <seeker@xxxxxxxxx> spoketh to all:
>
> Based on your responses to this thread, my guess is that you have never
> installed or managed an ISA firewall.  Just a guess...

   ... which is wrong. Although I never used ipv6 with ISA. Had no
   reason to do so.

> Regardless, let's try to clear this up one final time.  IPv6 is NOT
> installed on ISA by default. BY DEFAULT, EVERYTHING IS BLOCKED.  ISA *does

   None denied that.

> not* support IPv6.  There are NO holes blown in networks.  This entire
> argument is crazy, and based on misinformation.  You don't install or
> configure IPv6 through ISA. You have to be an administrator of the host
> machine and go into the network properties and explicitly install, bind, and
> configure IPv6 for it to work.  You also have to do the same on your border
> routers and upstream ISP.  It takes deliberate action on the part of the
> admin to do this.  DOING THIS EXPLICITLY ENABLES IPV6.  Duh!  It's like you
> people would complain that if the administrator uninstalled ISA, that the
> resultant lack of a firewall was a critical Microsoft vulnerability!

   So I have to use the network properties to install ... or activate ipv6?
   It is not that you have to show up with the cd, right? Just a few clicks
   and off we go. Fine. Being an expert about ISA you certainly know that
   ISA is shutting down a good amount of services (running or not) which
   are considered probably harmful. Yet ipv6 is not considered harmful as
   ISA is not aware of it. Doesn't that sound secure but ignorant. If ISA
   is not ready for ipv6 then it should remove the possiblity of using it.
   Everything is careless.
   And don't speculate that your isp does not support ipv6. This kind of
   security thinking had never worked out well.
   You may be good with ISA, I don't know, but your lack in understanding
   how to build security software gives me a chill.

> Jim Harrison and I are doing a 2-day immersion training for ISA at BlackHat
> Vegas.  ISA Server freaking rocks.  If you are really interested in ISA and

   A server making funny assumptions about my network rocks? No sir.
   Although this is an entirely different subject (finding that sweet ISA
   was adding all private IP ranges to the internal network without being
   told so).

> want to get the skills needed to build robust firewalls, then take the

   In the last seven years I worked for a firewall vendor. And that vendor
   builds robust firewalls.

   Cheers,

   Christine Kronberg.




------ End of Forwarded Message


------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/  
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ 
ISA Server Blogs: http://blogs.isaserver.org/ 
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
Report abuse to listadmin@xxxxxxxxxxxxx 

Other related posts: