Pearl

What is up with Disabling Source/Destination check for vSEC in AWS?

I somewhat understand its necessity in case of the single interface vSEC deployment, but if we are using multiple interfaces, what is the reason for nuking the Source/Destination checks?

Accepted Solution

Not a vSec expert, but according to NAT Instances - Amazon Virtual Private Cloud, if we look at Source/Destination Checks, it describes it as follows:

"Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance."

Since we want to route the traffic through the vSec gateway, it would not be the source/destination of the traffic; therefore, the check needs to be disabled.

6 Replies
Pearl

Regarding the vSEC Gateway for Amazon Web Services - Getting Started Guide, this is required to let your Security Gateway route the traffic of your private subnets.

Page 12:

Routing Traffic through the Security Gateway

To let the Security Gateway route the traffic of your private subnets, make this change.
To route traffic through the Security Gateway:
1. Open the AWS Management Console.
2. Select Services > EC2 > Instances.
3. Right-click the vSEC Gateway instance.
4. Select Networking > Change Source/Destination Check.
5. Click Yes/Disable.

Pearl

Danny,

I know how to make this work, I am trying to figure out why it is necessary when vSEC is deployed with interfaces corresponding to each subnet in your CIDR.

Since AWS Route tables list your CIDR routing as "Local", it stands to reason that the VPC's router will get the traffic to any interface of vSEC in any subnet of that CIDR.

So what is disabling the Source/Destination check actually helping us achieve?

Pearl

Thank you. It's been a while since I've played with AWS so definitely nice to refresh the fundamentals. 

Admin

The way I describe it is an Anti-Spoofing check for the instance itself.

Pearl

Nice. Is there any situation where it may not be recommended to apply this setting on one of the vSEC interfaces?

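The accepted solution (a route target must forward traffic it is neither source nor destination of) and the Admin's description of the check as per-instance anti-spoofing together suggest a simple audit. The script below is an added example, not code from this thread, Check Point or AWS: it cross-checks which instances appear as route next hops against their source/destination check flag. The instance and route-table records are constructed samples shaped like `aws ec2 describe-instances` and `aws ec2 describe-route-tables` output (the field names `SourceDestCheck`, `Routes`, `InstanceId` and `GatewayId` are the real API keys; the IDs are made up).

```python
# Cross-check EC2 source/destination checks against VPC route tables.
# Sample data below is constructed in the shape of `aws ec2 describe-instances`
# and `aws ec2 describe-route-tables` output; nothing here calls AWS.

INSTANCES = [  # constructed sample
    {"InstanceId": "i-0aaaaaaaaaaaaaaa1", "SourceDestCheck": False},  # vSEC gateway
    {"InstanceId": "i-0bbbbbbbbbbbbbbb2", "SourceDestCheck": False},  # app server, check off
    {"InstanceId": "i-0ccccccccccccccc3", "SourceDestCheck": True},   # database
]

ROUTE_TABLES = [  # constructed sample: private subnet sends its default route via the gateway
    {"RouteTableId": "rtb-0private0000001", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0aaaaaaaaaaaaaaa1"},
    ]},
]


def route_target_instances(route_tables):
    """Instance IDs used as a next hop in any route (the 'local' route has none)."""
    return {
        route["InstanceId"]
        for table in route_tables
        for route in table.get("Routes", [])
        if "InstanceId" in route
    }


def audit(instances, route_tables):
    """Map each instance ID to a verdict on its source/destination check setting.

    A route target with the check enabled drops the forwarded traffic it is
    neither source nor destination of; a non-target with the check disabled
    has given up the per-instance anti-spoofing protection for no routing benefit.
    """
    targets = route_target_instances(route_tables)
    verdicts = {}
    for inst in instances:
        iid, check_on = inst["InstanceId"], inst["SourceDestCheck"]
        if iid in targets and check_on:
            verdicts[iid] = "route target with check enabled: forwarding breaks"
        elif iid not in targets and not check_on:
            verdicts[iid] = "check disabled without a routing role: review"
        else:
            verdicts[iid] = "ok"
    return verdicts


if __name__ == "__main__":
    for iid, verdict in audit(INSTANCES, ROUTE_TABLES).items():
        print(iid, verdict)
```

Against live data, feed the script the `Instances` and `RouteTables` arrays from the two CLI commands; a multi-interface gateway can be checked the same way per ENI, since each network interface carries its own `SourceDestCheck` flag.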