lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.64.0604162312450.10665@shalla.de>
Date: Sun, 16 Apr 2006 23:35:03 +0200 (CEST)
From: Christine Kronberg <seeker@...lla.de>
To: "Thor (Hammer of God)" <thor@...merofgod.com>
Cc: Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: Re[2]: Bypassing ISA Server 2004 with IPv6


On Sat, 15 Apr 2006, Thor (Hammer of God) wrote:
> 
> ISA Server is an application that is installed on top of the base OS. Are
> you suggesting that the application should actually prevent the local
> administrator of the host machine from installing and configuring what
> protocols are bound to what adapters?

   No, I'm suggesting that the application should enable the local
   administrator to configure that application. Configuring a firewall
   is a bit more than setting a domain name. It must contain some
   (preferebly reasonable) filtering mechanisms.
   From what is said so far this seems not to be possible. If that is
   true, ISA is broken by design. We are talking about a firewall. A
   firewall that cannot filter is not a firewall. Agreed?

> To me, *that* is the borderline.  There is no such thing as "for what ever
> reason ipv6 in enabled on ISA" when it comes to administering an enterprise
> firewall product.  If an administrator installs configures ipv6 on the OS of
> the firewall, and then binds ipv6 to a protected network segment, then they
> absolutely, positively, without-a-doubt get exactly what they deserve.

   Do you think the same applies to ipv4? I said "for what ever reason ipv6
   in enabled on ISA" because I am definitely not in the position to guess
   all possible reasons for activating ipv6.

> Anyone who does that without understanding what they are doing are simply
> taking jobs away from competent, knowledgeable administrators.

   You are speaking out of my deepest heart. Anyhow, you are aware that
   it is not always the incompentent admin; sometimes it is the incompetent
   superior and not every admin has the nerv and the backing to say no
   to idiotic orders by management.

> The mindset of "protecting the ignorant administrator from themselves" in
> this business has got to end.  Positioning this as if there is some flaw in

   Definitely.

> ISA because the application does not prohibit a local administrator from
> binding unsupported protocols to interfaces is simply ludicrous. In fact, it

   I still fail to see why an unsupported protocol goes through anyway.
   The reason for implementing a firewall is to separate networks with
   different trust levels. Not to connect them wide open. For this any
   router will do.

> is the opposite that is true:  If I as an administrator of a machine want to
> bind a protocol to an adapter for some reason (as in a separate, private
> segment for use in a particular environment) then I should, indeed MUST, be
> able to do it.  And I will be responsible for the implications of doing so.

   Sure. But even in a protected enviroment you may want some additional
   restrictions.

> There was an earlier thread today where a simple list of hostnames being
> filtered from the Win32 HOSTS file was positioned as "deliberate sabotage"
> of our machines by Microsoft; a case of "It's my computer- keep your hands
> off."  Yet here, the integrity of a product is being challenged because the
> application does not prevent an administrator from installing and binding
> protocols at the OS-level in cases where the application is not designed to
> filter those protocols?  That is a double-standard at its best.

   Again: If that application is a firewall it's a must to be able to
   filter. Anything else is not logical.
   If the application is some funny network gaming tool, then I heartly
   agree.

   Cheers,

   Christine Kronberg.




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ