- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- Cloud Network Security
- :
- Discussion
- :
- What is up with Disabling Source/Destination check...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is up with Disabling Source/Destination check for vSEC in AWS?
I somewhat understand its necessity in case of the single interface vSEC deployment, but if we are using multiple interfaces, what is the reason for nuking the Source/Destination checks?
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not a vSec expert but according to NAT Instances - Amazon Virtual Private Cloud, if we look at Source/Destination Checks, it describes it as follows:
"Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance."
Since we want to route the traffic through the vSec gateway, it would not be the source/destination of the traffic, therefore it needs to be disabled.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Regarding the vSEC Gateway for Amazon Web Services - Getting Started Guide, this is required to let your Security Gateway route the traffic of your private subnets.
Page 12:
Routing Traffic through the Security Gateway
To let the Security Gateway route the traffic of your private subnets, make this change.
To route traffic through the Security Gateway:
1. Open the AWS Management Console.
2. Select Services > EC2 > Instances.
3. Right-click the vSEC Gateway instance.
4. Select Networking > Change Source/Destination Check.
5. Click Yes/Disable.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Danny,
I know how to make this work, I am trying to figure out why it is necessary when vSEC is deployed with interfaces corresponding to each subnet in your CIDR.
Since AWS Route tables list your CIDR routing as "Local", it stands to reason that the VPCs router will get the traffic to any interface of vSEC in any subnet of that CIDR.
So what does the Source/Destination check Disabled is actually helping us achieve?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not a vSec expert but according to NAT Instances - Amazon Virtual Private Cloud, if we look at Source/Destination Checks, it describes it as follows:
"Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance."
Since we want to route the traffic through the vSec gateway, it would not be the source/destination of the traffic, therefore it needs to be disabled.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. It's been a while since I've played with AWS so definitely nice to refresh the fundamentals.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The way I describe it is an Anti-Spoofing check for the instance itself.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nice. Is there any situation where it may not be recommended to apply this setting on one of the vSEC interfaces?
vlad@eversecgroup.com
+1.973.558.2738