ISA Firewalls and IPv6
I was recently exposed to a small tempest in a teapot regarding the ISA firewall's support for IPv6. The reporter of this non-exploit stated that when you install IPv6 support on the ISA firewall, the ISA firewall will allow IPv6 traffic to pass through it unfiltered. This is normal and expected, since the ISA firewall is not yet IPv6 aware: its filtering engine only inspects the traffic it understands, and IPv6 bound to an adapter on the host is handled by the operating system's stack, not by the firewall. It's also a non-issue, because if the ISA firewall does not support IPv6 and is not IPv6 aware, then installing IPv6 on it is a misconfiguration, not a vulnerability. No firewall can protect you from an irresponsible or incompetent operator, no matter how hard the firewall vendor tries to do so.
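A quick way to audit a firewall host for exactly this misconfiguration, added here as an example and not part of the original post or of ISA Server itself: the PowerShell below lists every adapter that has IPv6 bound and every live IPv6 interface, transition tunnels (ISATAP, Teredo, 6to4) included, since those are separate interfaces that an adapter-binding check alone would miss. It assumes a Windows build that ships the NetAdapter and NetTCPIP cmdlets; on the Windows Server 2003 generation of hosts that ISA actually ran on, "netsh interface ipv6 show interface" gives the same information. The -Fix switch is this script's own convention, not an ISA feature.

```powershell
# Added example, not code from the original post or from ISA Server.
# Audits which adapters on the firewall host have IPv6 bound (traffic ISA
# cannot filter) and which IPv6 interfaces are up, tunnels included.
# Assumes the NetAdapter / NetTCPIP modules (Windows Server 2012 or later).
param(
    [switch]$Fix   # assumed switch for this script: unbind IPv6 where found
)

# 1. Native IPv6 bindings on each network adapter (component ms_tcpip6).
$bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 |
         Where-Object { $_.Enabled }

if (-not $bound) {
    Write-Output "OK: IPv6 is not bound to any adapter on this host."
} else {
    foreach ($b in $bound) {
        Write-Output ("WARNING: IPv6 bound on adapter '{0}' ({1})" -f $b.Name, $b.DisplayName)
        if ($Fix) {
            # Unbind IPv6 from the adapter so the only traffic the host
            # forwards is traffic the firewall engine can actually inspect.
            Disable-NetAdapterBinding -Name $b.Name -ComponentID ms_tcpip6 -Confirm:$false
            Write-Output ("  -> unbound IPv6 from '{0}'" -f $b.Name)
        }
    }
}

# 2. Any IPv6 interface that is actually up, including transition tunnels.
#    Forwarding = Enabled means the host will route IPv6 between segments.
$live = Get-NetIPInterface -AddressFamily IPv6 |
        Where-Object { $_.ConnectionState -eq 'Connected' }

if ($live) {
    Write-Output "Live IPv6 interfaces (review any that touch a protected segment):"
    $live | Select-Object InterfaceAlias, InterfaceIndex, Forwarding |
            Format-Table -AutoSize
} else {
    Write-Output "OK: no IPv6 interface is currently connected."
}
```

Run it read-only first; re-run with -Fix only after confirming that no management path on the box depends on IPv6, since unbinding it will drop those sessions. A host where the first check is clean but the second still shows a connected tunnel interface is the case worth looking at twice.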
In spite of what seems like a common-sense response to this issue, there are a number of Chicken Littles out there who insist that the sky is falling. In order to allay your concerns and disabuse you of the FUD that's making its way through the transom, here is security expert Tim Mullen's response to this issue:
"ISA Server is an application that is installed on top of the base OS. Are you suggesting that the application should actually prevent the local administrator of the host machine from installing and configuring what protocols are bound to what adapters?
To me, *that* is the borderline. There is no such thing as "for whatever reason IPv6 is enabled on ISA" when it comes to administering an enterprise firewall product. If an administrator installs and configures IPv6 on the OS of the firewall, and then binds IPv6 to a protected network segment, then they absolutely, positively, without-a-doubt get exactly what they deserve. Anyone who does that without understanding what they are doing is simply taking jobs away from competent, knowledgeable administrators.
The mindset of "protecting the ignorant administrator from themselves" in this business has got to end. Positioning this as if there is some flaw in ISA because the application does not prohibit a local administrator from binding unsupported protocols to interfaces is simply ludicrous. In fact, it is the opposite that is true: If I as an administrator of a machine want to bind a protocol to an adapter for some reason (as in a separate, private segment for use in a particular environment) then I should, indeed MUST, be able to do it. And I will be responsible for the implications of doing so.
There was an earlier thread today where a simple list of host names being filtered from the Win32 HOSTS file was positioned as "deliberate sabotage" of our machines by Microsoft; a case of "It's my computer, keep your hands off." Yet here, the integrity of a product is being challenged because the application does not prevent an administrator from installing and binding protocols at the OS level in cases where the application is not designed to filter those protocols? That is a double standard at its best."
Thomas W Shinder, M.D.
MVP -- ISA Firewalls