Short Description:
By defining Firewall:Bypass (or changing this field from internal to public address or vice versa) on NAT-rule someone having only networking privileges can circumvent any security rules defined in the gateway firewall.
Let’s assume as a Security Admin we want to block ICMP for an example, so we create the below displayed block icmp rule as security rule
![](https://cloudadvisors.net/wp-content/uploads/2023/07/nsx1.png)
Here is an example traceroute after setting this GWY Firewall Rule
![](https://cloudadvisors.net/wp-content/uploads/2023/07/nsx2.png)
So our rule is successfully blocking any outgoing (but also incoming) ICMP
Now if a Network administrator without any security privileges does not want to have that restriction what can he do on NSX ?
Quite simple he can define a NO-NAT rule and specify to BYPASS any Gateway Firewall rule on that Gateway
![](https://cloudadvisors.net/wp-content/uploads/2023/07/nsx3.png)
NOTE: that here I am using NO-SNAT and a general wildcard for the source address as an extreme example but it equally works with any SNAT or DNAT and more specific addresses
And the result is a complete bypass of the previous defined rule and we can successfully Ping any outside address
![](https://cloudadvisors.net/wp-content/uploads/2023/07/nsx4.png)
Resume
- The Security relevant design flaw lies in the fact, that the firewall setting in the NAT rule is highly security relevant, but can be set using only networking privileges.
- And NSX-GUI is used by Networking and Security Admins quite separately
- IMHO it would be more secure to allow setting/changes on the firewall field in the NAT rules only with appropriate security privileges.
Recent Comments