Bugtraq mailing list archives

Re[3]: Bypassing ISA Server 2004 with IPv6


From: Christine Kronberg <seeker () shalla de>
Date: Sat, 15 Apr 2006 22:23:48 +0200 (CEST)


  Dear 3APA3A,


Microsoft ISA Server can't filter events from Microsoft Mouse, but

  Apples and peas?

Microsoft Mouse can be bound to a computer. It's a security risk, but I know
how to secure the mouse without ISA and I accept this risk.

  Nice, that you do. If I manage by any means to see remotely
  that you have attached a mouse to your ISA and to (ab)use it,
  I'm much better than I thought - and you have much bigger problems
  than you thought.
  The nice thing about ICMP is that I do not require much knowledge
  to get information remotely. The same is true with IPv6. Unless something
  in between stops me. Which brings us back to the topic: a firewall
  allowing too much.

IPv6 cannot be filtered by ISA, but it still can be filtered by
different tools, or by its own means, as IPv6 supports network-level
security. Unlike IPv4, IPv6 supports authentication, integrity checking
and encryption natively. See ipsec6.exe and descriptions for Security
Association Database and Security Policy Database.

  So you state that it is perfectly well for a firewall to allow
  any traffic through. Per default? And that this firewall does not
  need to have the interface to configure what traffic is allowed?
  I disagree.
  If a firewall supports a protocol, that same firewall should also
  provide the proper means and interface to configure it. And not blow
  holes in networks.

  Cheers,

  Christine Kronberg.


