lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1306419752.20060415151728@SECURITY.NNOV.RU>
Date: Sat, 15 Apr 2006 15:17:28 +0400
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: Christine Kronberg <seeker@...lla.de>
Cc: bugtraq@...urityfocus.com
Subject: Re[3]: Bypassing ISA Server 2004 with IPv6


Dear Christine Kronberg,

Microsoft  ISA  Server  can't  filter  events  from Microsoft Mouse, but
Microsoft Mouse can be bound to computer. It's security risk, but I know
how to secure mouse without ISA and I accept this risk.

IPv6  can  not  be  filtered  by  ISA,  but  it still can be filtered by
different  tools,  or  by  it's own means, as IPv6 support network-level
security.  Unlike IPv4, IPv6 supports authentication, integrity checking
and  encryption  natively.  See ipsec6.exe and descriptions for Security
Association Batabase and Security Policy Database.


--Monday, April 10, 2006, 11:34:16 PM, you wrote to 3APA3A@...URITY.NNOV.RU:

CK> On Mon, 10 Apr 2006, 3APA3A wrote:
>> --Wednesday, April 5, 2006, 2:12:10 PM, you wrote to bugtraq@...urityfocus.com:
>>
>>
>> CK>    is  open  for any attacks as long as they are IPv6 based. If that
>> CK>    is  right,  this is an extremly nasty bug. If ISA Server 2004 and
>> CK>    Windows  2003  Basic  Firewall cannot filter that stuff it should
>> CK>    simply drop it.
>>
>> You are not right.
>>
>> 1. IPv6 is not installed by default.
>> 2. If IPv6 is installed, routing is not enabled by default.
>> 3. If  you  install  IPv6,  you  can be bind it to only interfaces it's
>> required. To prevent IPv6 (or another routable protocol, such as IPX) on
>> external  interface  you  can (and you should) unbind this protocol from
>> interface in network connection properties. ISA is not required for this
>> task and is not supposed for this task.

CK>    Thanks for clearing that. But: If ISA is not able to filter IPv6 so
CK>    why can it be bound to an interface anyway? Just to route things
CK>    through? Blindly through a firewall?
CK>    Another posting talks about limited filtering capabilities. Roman
CK>    wrote, icmp went through. So where is the borderline? It still seems
CK>    to me that in the moment for what ever reason ipv6 is enabled on ISA
CK>    the network it should secure is exposed.

CK>    Cheers,

CK>    Christine Kronberg.




-- 
~/ZARAZA
Машина оказалась способной к единственному действию,
а именно умножению 2x2, да и то при этом ошибаясь. (Лем)



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ