A few people have contacted me lately regarding possible security issues with ISA firewalls and IPv6. They tell me that they’ve heard or read that ISA firewalls are liable to IPv6 attacks and they want to know what to do about it. Since I was curious about this issue, I decided to install the IPv6 stack on my Windows XP machine.
After installing the IPv6 stack on my Windows XP client, I tried to “attack” my ISA firewall by passing ICMP and TCP connections through my ISA firewall, in order to bypass ISA firewall policy. To my amazement, the ISA firewall did not pass the IPv6 traffic. This came as quite a surprise, given the fact that an alleged security issue related to ISA and IPv6 has been making the rounds. You can see an example of this at http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1651
Why did my ISA firewall not pass the IPv6 “exploits”? Because I did not misconfigure my ISA firewall. Misconfiguration is the leading cause of exploits related to firewalls. The misconfiguration I avoided was installing the IPv6 stack on my ISA firewall. Why would I install a network protocol stack on a firewall that doesn’t support that protocol, when the documentation clearly states that the firewall doesn’t support it?
Installing the IPv6 stack on the ISA firewall requires explicit actions by the firewall administrator to purposely subvert firewall security. This is no different than installing a key logger, rootkit, or P2P application on the ISA firewall. No firewall can protect you from incompetent administrators, no matter how creative the firewall vendor might be.
So, this is an official announcement that the ISA firewall completely protects you from IPv6 exploits. What the ISA firewall can’t do is protect you from a malicious or uninformed firewall administrator.
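The practical takeaway is to verify that the IPv6 stack has not been added to the firewall host. The following audit script is an added example, not code from the original post or from the ISA product; it assumes it runs locally on a Windows Server 2003-era ISA host with administrative rights, where the optional IPv6 stack registers the Tcpip6 protocol driver and the netsh "interface ipv6" context only answers once that stack is installed (on later Windows versions IPv6 is built in, so those indicators are always present and the check is not meaningful).

```powershell
# Added audit check (assumption: Windows Server 2003 / XP-era host where the
# IPv6 stack is an optional, separately installed protocol).
function Test-IPv6StackInstalled {
    $findings = @()

    # 1. The optional stack installs the "Tcpip6" protocol driver service.
    $svc = Get-Service -Name 'Tcpip6' -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "Tcpip6 protocol driver service present (status: $($svc.Status))"
    }

    # 2. Its configuration lives under the Tcpip6 service key.
    $regKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6'
    if (Test-Path $regKey) {
        $findings += "Registry key $regKey exists"
    }

    # 3. Once the stack is bound, netsh exposes the ipv6 context and lists
    #    interfaces; without it, netsh returns an error for this context.
    $netshOut = & netsh interface ipv6 show interface 2>&1
    if ($LASTEXITCODE -eq 0) {
        $ifLines = $netshOut | Select-String -Pattern '^\s*\d+\s+\d+\s+\d+\s+\S+'
        if ($ifLines) {
            $findings += "netsh reports $($ifLines.Count) IPv6 interface(s):"
            $findings += ($ifLines | ForEach-Object { '    ' + $_.Line.Trim() })
        }
    }

    # Report: any finding means the firewall host can carry IPv6 traffic that
    # the ISA policy engine does not inspect, i.e. the misconfiguration above.
    $installed = ($findings.Count -gt 0)
    New-Object PSObject -Property @{
        ComputerName  = $env:COMPUTERNAME
        IPv6Installed = $installed
        Findings      = $findings
    }
}

$result = Test-IPv6StackInstalled
if ($result.IPv6Installed) {
    Write-Host "WARNING: IPv6 stack indicators found on $($result.ComputerName):"
    $result.Findings | ForEach-Object { Write-Host "  - $_" }
} else {
    Write-Host "OK: no IPv6 stack indicators on $($result.ComputerName)"
}
```

Run it as part of the firewall's change-control or baseline checks; a non-empty Findings list is the signal to remove the protocol from the adapter bindings and investigate who installed it.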
Thomas W Shinder, M.D.
MVP — ISA Firewalls