Short Description:
By defining Firewall:Bypass (or changing this field from internal to public address or vice versa) on NAT-rule someone having only networking privileges can circumvent any security rules defined in the gateway firewall.
Let’s assume as a Security Admin we want to block ICMP for an example, so we create the below displayed block icmp rule as security rule
Here is an example traceroute after setting this GWY Firewall Rule
So our rule is successfully blocking any outgoing (but also incoming) ICMP
Now if a Network administrator without any security privileges does not want to have that restriction what can he do on NSX ?
Quite simple he can define a NO-NAT rule and specify to BYPASS any Gateway Firewall rule on that Gateway
NOTE: that here I am using NO-SNAT and a general wildcard for the source address as an extreme example but it equally works with any SNAT or DNAT and more specific addresses
And the result is a complete bypass of the previous defined rule and we can successfully Ping any outside address
Resume
- The Security relevant design flaw lies in the fact, that the firewall setting in the NAT rule is highly security relevant, but can be set using only networking privileges.
- And NSX-GUI is used by Networking and Security Admins quite separately
- IMHO it would be more secure to allow setting/changes on the firewall field in the NAT rules only with appropriate security privileges.
Recent Comments