lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.64.0604152203050.10189@shalla.de>
Date: Sat, 15 Apr 2006 22:23:48 +0200 (CEST)
From: Christine Kronberg <seeker@...lla.de>
To: 3APA3A <3APA3A@...URITY.NNOV.RU>
Cc: bugtraq@...urityfocus.com
Subject: Re[3]: Bypassing ISA Server 2004 with IPv6



   Dear 3APA3A,


> Microsoft  ISA  Server  can't  filter  events  from Microsoft Mouse, but

   Apples and peas?

> Microsoft Mouse can be bound to computer. It's security risk, but I know
> how to secure mouse without ISA and I accept this risk.

   Nice, that you do. If I manage by any means to see remotely
   that you have attached a mouse to your ISA and to (ab)use it,
   I'm much better that I thought - and you have much bigger problems
   than you thought.
   The nice thing about icmp is that I do not require much knowledge
   to get information remotely. Same true with ipv6. Unless something
   in between stops me. Which brings us back to the topic: a firewall
   allowing too much.

> IPv6  can  not  be  filtered  by  ISA,  but  it still can be filtered by
> different  tools,  or  by  it's own means, as IPv6 support network-level
> security.  Unlike IPv4, IPv6 supports authentication, integrity checking
> and  encryption  natively.  See ipsec6.exe and descriptions for Security
> Association Batabase and Security Policy Database.

   So you state that it is perfectly well for a firewall to allow
   any traffic through. Per default? And that this firewall does not
   need to have the interface to configure what traffic is allowed?
   I disagree.
   If a firewall supports a protocol, that same firewall should also
   provide the proper means and interface to configure it. And not blow
   holes in networks.

   Cheers,

   Christine Kronberg.




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ