The National Cyber-Alert Vulnerability System:
** DISPUTED ** Microsoft ISA Server 2004 allows remote attackers to bypass certain filtering rules, including ones for (1) ICMP and (2) TCP, via IPv6 packets. NOTE: An established researcher has disputed this issue, saying that “Neither ISA Server 2004 nor Windows 2003 Basic Firewall support IPv6 filtering … This is different network protocol.”
Impact
CVSS Severity: 7.0 (High)
Range: Remotely exploitable
Authentication: Not required to exploit
Impact Type: Provides unauthorized access
– CVE-2006-1651
Microsoft’s ISA Server Product Team agrees that IPv6 handling isn’t in the cards:
ISA Server does not handle IPv6 traffic. IPv6 traffic will pass through the ISA Server firewall regardless of your firewall policy. We recommend that you not enable IPv6 traffic on the ISA Server computer or array. If you have enabled IPv6 traffic, we recommend that you disable it on the ISA Server computer, or on each member of the ISA Server array.
The team offers step-by-step guidelines for avoiding IPv6 trouble with an ISA Server.
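What “IPv6 traffic will pass through the ISA Server firewall regardless of your firewall policy” means in practice, as an added model that is not from the article, Microsoft or the ISA product: a filter engine written only for IPv4 never consults its policy for other address families, so it fails open, while the hardened form denies any family it cannot filter. The packet and rule types, the sample policy and the sample traffic are all constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Packet:            # constructed, minimal view of a packet
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp" (ICMPv6 folded into "icmp")
    dport: int = 0

@dataclass(frozen=True)
class Rule:              # constructed rule: first match wins
    proto: str
    dport: Optional[int]  # None matches any port
    action: str           # "allow" or "deny"

# Constructed policy: deny inbound ICMP and TCP/445, allow other TCP.
POLICY = [Rule("icmp", None, "deny"), Rule("tcp", 445, "deny"), Rule("tcp", None, "allow")]

def family(pkt: Packet) -> int:
    return ipaddress.ip_address(pkt.dst).version   # 4 or 6

def evaluate(policy: List[Rule], pkt: Packet) -> str:
    for rule in policy:
        if rule.proto == pkt.proto and rule.dport in (None, pkt.dport):
            return rule.action
    return "deny"          # implicit default deny for the families the engine handles

def ipv4_only_firewall(pkt: Packet) -> str:
    """Model of a filter written only for IPv4: other families bypass the policy."""
    if family(pkt) != 4:
        return "allow"     # policy never consulted: the bypass described for ISA Server 2004
    return evaluate(POLICY, pkt)

def fail_closed_firewall(pkt: Packet) -> str:
    """Hardened form: traffic of a family the engine cannot filter is dropped."""
    if family(pkt) != 4:
        return "deny"
    return evaluate(POLICY, pkt)

# Constructed sample traffic: the same ICMP and TCP/445 flows over IPv4 and IPv6.
SAMPLES = [
    Packet("203.0.113.5", "192.0.2.10", "icmp"),
    Packet("203.0.113.5", "192.0.2.10", "tcp", 445),
    Packet("2001:db8::5", "2001:db8::10", "icmp"),
    Packet("2001:db8::5", "2001:db8::10", "tcp", 445),
]

def bypassed(firewall: Callable[[Packet], str]) -> List[Packet]:
    """Packets the policy intends to deny that this firewall lets through."""
    return [p for p in SAMPLES if evaluate(POLICY, p) == "deny" and firewall(p) == "allow"]
```

Running `bypassed(ipv4_only_firewall)` returns the two IPv6 packets; `bypassed(fail_closed_firewall)` returns an empty list, which is the behaviour the ISA team’s “disable IPv6 on the ISA Server computer” advice restores by other means.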
IPv6 has long been heralded as the replacement for the existing Internet IP convention, IPv4. When… or if… it is universally implemented, the protocol will open up virtually limitless IP addresses. Here’s how Microsoft envisions an IPv6 future:
Imagine an address space that would allow every human on the planet to have about 1 million networks (assuming a population under 10 billion in the next 20 years, consistent with United Nations projections); that’s about two networks per square foot of the planet, and each network could include billions of network devices. That means that we could all have cars that talk to our mechanic, refrigerators that talk to the grocery store and doorknobs that welcome us home.
While Microsoft and everyone else agrees that ISA Server 2004 can’t handle IPv6, some think the inability is a bug, while the rest say it simply can’t do it, as in, “Can your roadster handle offroad? Can your text editor do statistics?”
For many admins, the whole question of whether to roll out IPv6 is currently academic anyway. While there are several demonstration projects, few ISPs have implemented it.
Nonetheless, a number of government agencies demand that new equipment have IPv6 ability to maintain future viability.
If you are among those rushing (or being pushed) into the IPv6 future, you may decide it’s time to replace your ISA Server with an IPv6-capable firewall. In that case, we’ve assembled a list of vendors who are active in the IPv6 arena, based on the IPv6 Ready Logo Program, Phase 1. The IPv6 Ready Logo roster provides a detailed listing of universities and other entities, along with the equipment and software models certified. This is an excellent way to check the IPv6 capability of a specific product.
We point you only to the websites of vendors actively offering IPv6 products, under the theory that offerings are evolving rapidly.
Warning: As both BSD and Linux have particularly good firewall offerings, you may find yourself straying off the Windows plantation.
Let us know if we left anybody out, or you find a better link.
Email Battles Backgrounder:
- Latest Approved Application List; IPv6 Ready Logo Phase-1; IPv6 Ready Logo Program; IPv6 Forum; 28 April 2006.
- ISA Server and IPv6; Nathan Bigman; ISA Server Product Team Blog; Microsoft TechNet; 27 April 2006.
- ISA Server 2006 Beta Review; Peter Pawlak; USEast News Service; 11 April 2006.
- Vulnerability Summary CVE-2006-1651; National Cyber-Alert System; US-CERT/NIST; 7 April 2006.
- ISA Firewalls and IPv6; Thomas Shinder Blog; isaserver.org.
- Using IPv6 Today; Joseph Davies; The Cable Guy; Microsoft TechNet; 19 October 2005.
- Troubleshooting IPv6; Joseph Davies; The Cable Guy; Microsoft TechNet; 14 March 2005.

3 comments
April 28th, 2006 at 10:03 am
Pad
Windoze does firewalls?
April 30th, 2006 at 7:30 pm
Skyking
The IPv6 nirvana of everybody and everything connected. Is that really a good thing?
May 1st, 2006 at 1:46 pm
BJ Gillette
“The IPv6 nirvana of everybody and everything connected. Is that really a good thing?”
Have you seen MySpace? Tribe.Net? 419 Scams? Trojans?
Those who caution against overly-promiscuous sharing of devices and information are Chicken Littles… right?
Don’t worry. Be happy;