topic Re: What is up with Disabling Source/Destination check for vSEC in AWS? in Cloud Firewall

What is up with Disabling Source/Destination check for vSEC in AWS?

Vladimir — Wed, 04 Oct 2017 17:46:37 GMT

I somewhat understand its necessity in case of the single interface vSEC deployment, but if we are using multiple interfaces, what is the reason for nuking the Source/Destination checks?

Re: What is up with Disabling Source/Destination check for vSEC in AWS?

Danny — Wed, 04 Oct 2017 18:34:04 GMT

Regarding the vSEC Gateway for Amazon Web Services - Getting Started Guide, this is required to let your Security Gateway route the traffic of your private subnets.

Page 12:

Routing Traffic through the Security Gateway

To let the Security Gateway route the traffic of your private subnets, make this change.

To route traffic through the Security Gateway:
1. Open the AWS Management Console.
2. Select Services > EC2 > Instances.
3. Right-click the vSEC Gateway instance.
4. Select Networking > Change Source/Destination Check.
5. Click Yes/Disable.

Re: What is up with Disabling Source/Destination check for vSEC in AWS?

Vladimir — Wed, 04 Oct 2017 18:43:13 GMT

Danny,

I know how to make this work, I am trying to figure out why it is necessary when vSEC is deployed with interfaces corresponding to each subnet in your CIDR.

Since AWS Route tables list your CIDR routing as "Local", it stands to reason that the VPCs router will get the traffic to any interface of vSEC in any subnet of that CIDR.

So what does the Source/Destination check Disabled is actually helping us achieve?

Re: What is up with Disabling Source/Destination check for vSEC in AWS?

Albin_Hakansson — Wed, 04 Oct 2017 21:37:26 GMT

Not a vSec expert but according to NAT Instances - Amazon Virtual Private Cloud, if we look at Source/Destination Checks, it describes it as follows:

"Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance."

Since we want to route the traffic through the vSec gateway, it would not be the source/destination of the traffic, therefore it needs to be disabled.

Re: What is up with Disabling Source/Destination check for vSEC in AWS?

Vladimir — Wed, 04 Oct 2017 23:05:06 GMT

Thank you. It's been a while since I've played with AWS so definitely nice to refresh the fundamentals.

Re: What is up with Disabling Source/Destination check for vSEC in AWS?

PhoneBoy — Thu, 05 Oct 2017 18:47:11 GMT

The way I describe it is an Anti-Spoofing check for the instance itself.

Re: What is up with Disabling Source/Destination check for vSEC in AWS?

Vladimir — Thu, 05 Oct 2017 19:11:56 GMT

Nice. Is there any situation where it may not be recommended to apply this setting on one of the vSEC interfaces?

vlad@eversecgroup.com

+1.973.558.2738