Message-ID: <C06707F4.2E25%thor@hammerofgod.com>
Date: Sat, 15 Apr 2006 20:28:36 -0700
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Bugtraq <bugtraq@...urityfocus.com>
Cc: Christine Kronberg <seeker@...lla.de>
Subject: Re: Re[2]: Bypassing ISA Server 2004 with IPv6


ISA Server is an application that is installed on top of the base OS. Are
you suggesting that the application should actually prevent the local
administrator of the host machine from installing and configuring what
protocols are bound to what adapters?

To me, *that* is the borderline.  There is no such thing as "for whatever
reason ipv6 is enabled on ISA" when it comes to administering an enterprise
firewall product.  If an administrator installs and configures ipv6 on the OS of
the firewall, and then binds ipv6 to a protected network segment, then they
absolutely, positively, without-a-doubt get exactly what they deserve.
Anyone who does that without understanding what they are doing is simply
taking jobs away from competent, knowledgeable administrators.

The mindset of "protecting the ignorant administrator from themselves" in
this business has got to end.  Positioning this as if there is some flaw in
ISA because the application does not prohibit a local administrator from
binding unsupported protocols to interfaces is simply ludicrous. In fact, it
is the opposite that is true:  If I as an administrator of a machine want to
bind a protocol to an adapter for some reason (as in a separate, private
segment for use in a particular environment) then I should, indeed MUST, be
able to do it.  And I will be responsible for the implications of doing so.

There was an earlier thread today where a simple list of hostnames being
filtered from the Win32 HOSTS file was positioned as "deliberate sabotage"
of our machines by Microsoft; a case of "It's my computer, keep your hands
off."  Yet here, the integrity of a product is being challenged because the
application does not prevent an administrator from installing and binding
protocols at the OS-level in cases where the application is not designed to
filter those protocols?  That is a double-standard at its best.

t


On 4/10/06 12:34 PM, "Christine Kronberg" <seeker@...lla.de> spoketh to all:

>    Thanks for clearing that. But: If ISA is not able to filter IPv6 so
>    why can it be bound to an interface anyway? Just to route things
>    through? Blindly through a firewall?
>    Another posting talks about limited filtering capabilities. Roman
>    wrote, icmp went through. So where is the borderline? It still seems
>    to me that at the moment, for whatever reason ipv6 is enabled on ISA,
>    the network it should secure is exposed.
> 
>    Cheers,
> 
>    Christine Kronberg.
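The practical question underneath this exchange is an audit one: on a firewall host whose filtering engine does not handle IPv6, which adapters actually have IPv6 bound? The script below is an added example, not part of the thread and not anything shipped with ISA Server. It uses the NetAdapter cmdlets (Windows 8 / Server 2012 and later; the Server 2003 hosts ISA 2004 ran on would need netsh instead) and assumes a hypothetical list of adapter names that the operator has designated as protected segments.

```powershell
# Added audit example (not from the original message): report every adapter
# on this host with the IPv6 stack (ms_tcpip6) bound, and flag those whose
# name is on the operator's list of protected (filtered) segments.
# Assumption: the adapter names below are placeholders chosen for this
# example; replace them with the names of the segments ISA is expected
# to protect on the host being audited.
$protectedAdapters = @('Internal', 'DMZ')

# Get-NetAdapterBinding lists per-adapter protocol bindings; ms_tcpip6 is
# the component ID of the IPv6 stack. Only enabled bindings matter here.
$ipv6Bound = Get-NetAdapterBinding -ComponentID 'ms_tcpip6' |
    Where-Object { $_.Enabled }

if (-not $ipv6Bound) {
    'No adapter has IPv6 bound.'
    return
}

foreach ($binding in $ipv6Bound) {
    # A protected segment with IPv6 bound is exactly the case the thread
    # describes: traffic the firewall application is not designed to filter.
    $state = if ($protectedAdapters -contains $binding.Name) { 'REVIEW' } else { 'ok' }
    '{0,-7} {1}' -f $state, $binding.Name
}
```

Run it in an elevated PowerShell session on the firewall host; a REVIEW line means IPv6 is bound to an adapter the operator expected ISA to filter, which is the configuration the message says the administrator is responsible for. Removing the binding, if that is the decision, is done with Disable-NetAdapterBinding on the same adapter and component ID.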



