Message-ID: <1306419752.20060415151728@SECURITY.NNOV.RU>
Date: Sat, 15 Apr 2006 15:17:28 +0400
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: Christine Kronberg <seeker@...lla.de>
Cc: bugtraq@...urityfocus.com
Subject: Re[3]: Bypassing ISA Server 2004 with IPv6
Dear Christine Kronberg,
Microsoft ISA Server can't filter events from Microsoft Mouse, but
Microsoft Mouse can be bound to a computer. It's a security risk, but I know
how to secure the mouse without ISA and I accept this risk.
IPv6 cannot be filtered by ISA, but it still can be filtered by
different tools, or by its own means, as IPv6 supports network-level
security. Unlike IPv4, IPv6 supports authentication, integrity checking
and encryption natively. See ipsec6.exe and descriptions for Security
Association Database and Security Policy Database.
--Monday, April 10, 2006, 11:34:16 PM, you wrote to 3APA3A@...URITY.NNOV.RU:
CK> On Mon, 10 Apr 2006, 3APA3A wrote:
>> --Wednesday, April 5, 2006, 2:12:10 PM, you wrote to bugtraq@...urityfocus.com:
>>
>>
>> CK> is open for any attacks as long as they are IPv6 based. If that
>> CK> is right, this is an extremely nasty bug. If ISA Server 2004 and
>> CK> Windows 2003 Basic Firewall cannot filter that stuff it should
>> CK> simply drop it.
>>
>> You are not right.
>>
>> 1. IPv6 is not installed by default.
>> 2. If IPv6 is installed, routing is not enabled by default.
>> 3. If you install IPv6, you can bind it only to the interfaces where it's
>> required. To prevent IPv6 (or another routable protocol, such as IPX) on
>> external interface you can (and you should) unbind this protocol from
>> interface in network connection properties. ISA is not required for this
>> task and is not supposed for this task.
CK> Thanks for clearing that. But: If ISA is not able to filter IPv6 so
CK> why can it be bound to an interface anyway? Just to route things
CK> through? Blindly through a firewall?
CK> Another posting talks about limited filtering capabilities. Roman
CK> wrote, icmp went through. So where is the borderline? It still seems
CK> to me that in the moment for whatever reason ipv6 is enabled on ISA
CK> the network it should secure is exposed.
CK> Cheers,
CK> Christine Kronberg.
--
~/ZARAZA
The machine turned out to be capable of only one operation,
namely multiplying 2x2, and even then it made mistakes. (Lem)