[isalist] Re: FW: Re[3]: Bypassing ISA Server 2004 with IPv6

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 24 Apr 2006 16:36:13 -0700

http://www.ISAserver.org
-------------------------------------------------------

"My question is surely ISA will pickup from / supports the stacks that the 
operating system does?"

This statement is incorrect.
Windows doesn't provide a "magic pickup point" to intercept "all traffic".
Each and every protocol has its own implementation in the system and IPV6 is 
completely separate from IPV4.
Along with this comes the requirement for the system to provide the "hooks" 
necessary for an application to connect into so that it can redirect data to 
itself for processing.

Windows 2000/2003 doesn't provide the hook ISA needs to properly control IPV6 
traffic.
This will come in a later OS release.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Simon Whale
Sent: Monday, April 24, 2006 16:05
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: FW: Re[3]: Bypassing ISA Server 2004 with IPv6

  
Apologies for interrupting a thread but I use this list for learning as well as 
troubleshooting ISA (for which I thank you all).

You say ISA doesn't support IPv6! But if W2k3 server supports IPv6 as shown in 
this Microsoft Doc

http://www.microsoft.com/windowsserver2003/evaluation/overview/technologies/networking.mspx

Internet Protocol version 6 (IPv6)

 IPv6 is the next generation of the Internet layer protocols of the TCP/IP 
protocol suite. IPv6 solves the current problems of Internet Protocol version 4 
(IPv4) with respect to address depletion, security, autoconfiguration, 
extensibility, and more.

The IPv6 protocol driver provided with Windows Server 2003 is production 
quality and includes utilities, extensive API support (Windows Sockets, remote 
procedure call [RPC], and IPHelper), and IPv6-enabled system components such as 
Microsoft Internet Explorer, Telnet client, FTP client, Microsoft Internet 
Information Services (IIS) 6.0, file and print sharing, and others. IPv6 for 
Windows Server 2003 also provides support for IPv6/IPv4 coexistence 
technologies such as 6to4 and Intra-site Automatic Tunnel Addressing Protocol 
(ISATAP). 

My question is surely ISA will pickup from / supports the stacks that the 
operating system does?

If I'm wrong point me to the right material

Many thanks
Simon


------ Forwarded Message
From: Christine Kronberg
Date: Mon, 24 Apr 2006 22:55:00 +0200 (CEST)
To: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
Cc: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: Re[3]: Bypassing ISA Server 2004 with IPv6

On Wed, 19 Apr 2006, Thor (Hammer of God) wrote:
> On 4/15/06 1:23 PM, "Christine Kronberg" <seeker@xxxxxxxxx> spoketh to all:
>
> Based on your responses to this thread, my guess is that you have 
> never installed or managed an ISA firewall.  Just a guess...

   ... which is wrong. Although I never used ipv6 with ISA. Had no
   reason to do so.

> Regardless, let's try to clear this up one final time.  IPv6 is NOT 
> installed on ISA by default. BY DEFAULT, EVERYTHING IS BLOCKED.  ISA 
> *does

   None denied that.

> not* support IPv6.  There are NO holes blown in networks.  This entire 
> argument is crazy, and based on misinformation.  You don't install or 
> configure IPv6 through ISA. You have to be an administrator of the 
> host machine and go into the network properties and explicitly 
> install, bind, and configure IPv6 for it to work.  You also have to do 
> the same on your border routers and upstream ISP.  It takes deliberate 
> action on the part of the admin to do this.  DOING THIS EXPLICITLY 
> ENABLES IPV6.  Duh!  It's like you people would complain that if the 
> administrator uninstalled ISA, that the resultant lack of a firewall 
> was a critical Microsoft vulnerability!

   So I have to use the network properties to install ... or activate ipv6?
   It is not that you have to show up with the cd, right? Just a few clicks
   and off we go. Fine. Being an expert about ISA you certainly know that
   ISA is shutting down a good amount of services (running or not) which
   are considered probably harmful. Yet ipv6 is not considered harmful as
   ISA is not aware of it. Doesn't that sound secure but ignorant. If ISA
   is not ready for ipv6 then it should remove the possibility of using it.
   Everything is careless.
   And don't speculate that your isp does not support ipv6. This kind of
   security thinking had never worked out well.
   You may be good with ISA, I don't know, but your lack in understanding
   how to build security software gives me a chill.

> Jim Harrison and I are doing a 2-day immersion training for ISA at 
> BlackHat Vegas.  ISA Server freaking rocks.  If you are really 
> interested in ISA and

   A server making funny assumptions about my network rocks? No sir.
   Although this is an entirely different subject (finding that sweet ISA
   was adding all private IP ranges to the internal network without being
   told so).

> want to get the skills needed to build robust firewalls, then take the

   In the last seven years I worked for a firewall vendor. And that vendor
   builds robust firewalls.

   Cheers,

   Christine Kronberg.




------ End of Forwarded Message


------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx 


All mail to and from this domain is GFI-scanned.
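
The thread's point, that an IPv4-only firewall does not see a separately bound IPv6 stack or the 6to4 and ISATAP coexistence tunnels, suggests an audit of which addresses on a firewall host fall outside IPv4 policy. The following is an added example, not code from the thread or from ISA Server; the function names are hypothetical and the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# ISATAP interface identifiers are 0000:5efe:a.b.c.d or 0200:5efe:a.b.c.d.
_ISATAP_MARKERS = (0x00005EFE, 0x02005EFE)


def classify(addr):
    """Classify one bound address; report any IPv4 address embedded in a tunnel address."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop a zone id such as %2
    kind, embedded = "ipv6-native", None
    if ip.version == 4:
        kind = "ipv4"
    elif ip.sixtofour is not None:
        # 2002::/16 prefix: bits after the prefix carry the tunnel endpoint's IPv4 address.
        kind, embedded = "6to4", str(ip.sixtofour)
    elif (int(ip) >> 32) & 0xFFFFFFFF in _ISATAP_MARKERS:
        # Low 32 bits of the interface identifier are the IPv4 address.
        kind, embedded = "isatap", str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF))
    elif ip.is_loopback:
        kind = "ipv6-loopback"
    elif ip.is_link_local:
        kind = "ipv6-link-local"
    return {"address": addr, "kind": kind, "embedded_ipv4": embedded}


def outside_ipv4_policy(addresses):
    """Return the findings an IPv4-only packet filter would never evaluate."""
    findings = [classify(a) for a in addresses]
    return [f for f in findings if f["kind"] not in ("ipv4", "ipv6-loopback")]


# Constructed sample: addresses as they might be listed for a firewall host's adapters.
SAMPLE = [
    "192.0.2.10",
    "::1",
    "fe80::5efe:192.0.2.10%2",
    "2002:c000:20a::c000:20a",
    "2001:db8::1",
]

if __name__ == "__main__":
    for finding in outside_ipv4_policy(SAMPLE):
        print(finding)
```

An empty result means no IPv6 address is bound on the host; any finding is a path that needs its own control, such as unbinding IPv6 or filtering it on an adjacent device.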
