discrimiNAT FAQ

Why is Deep Packet Inspection superior to use of proxies?

Deep Packet Inspection, or DPI for short, does not alter the data packets in any way. DPI simply observes metadata in the data packets en-route, keeping track of the sessions, and making judgements based on an aggregated view.

Proxies terminate the connection from the client and initiate a new one to the destination. This not only adds huge latency to TLS connections, but the security settings the original client expressed as handshake preferences can also get diluted.

Will the client application need proxy configuration?

No. The client applications will need no configuration at all. Chaser’s discrimiNAT firewall is a fully transparent solution operating on the outbound routes of the VPC network.

Is this for HTTPS or for TLS traffic?

HTTPS is in fact HTTP encapsulated in TLS. discrimiNAT is a TLS metadata inspection firewall. It can also deal with other application protocols encapsulated in TLS such as LDAPS, FTPS, IMAPS, POP3S and SMTPS.

Is this for SSH or for SFTP/SCP traffic?

SFTP and SCP work on the SSH protocol. discrimiNAT can check SSH v2 connections, so it has no problem with any subsystems that run within them.

Is traffic decrypted for inspection?

No. Our Deep Packet Inspection technology, or DPI for short, does not decrypt the data packets in any way. DPI simply observes the metadata in the data packets en-route, keeping track of the sessions, and making judgements based on an aggregated view.
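
As an illustration of metadata that can be read from a TLS session without decrypting it, the added example below (not discrimiNAT's code and not part of the original FAQ) reads the server_name a client sends in the clear in its ClientHello and applies an allowlist. The sample record, the hostnames and the verdict policy are constructed assumptions.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Build a minimal ClientHello record (constructed sample, not a capture)."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni        # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32)                    # legacy_version, random
            + b"\x00"                                  # empty session_id
            + b"\x00\x02\x13\x01"                      # one cipher suite
            + b"\x01\x00"                              # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record: bytes):
    """Return the cleartext server_name, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:     # not a TLS ClientHello
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        data = record[5:5 + rec_len]
        pos = 4 + 2 + 32                               # header, version, random
        pos += 1 + data[pos]                           # session_id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]  # cipher suites
        pos += 1 + data[pos]                           # compression methods
        end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(data)):
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0:                             # list_len, type, name_len
                ntype, nlen = struct.unpack("!BH", data[pos + 2:pos + 5])
                if ntype != 0 or 5 + nlen > elen or pos + elen > len(data):
                    return None
                return data[pos + 5:pos + 5 + nlen].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                    # truncated or garbled
    return None

def verdict(record: bytes, allowlist: set) -> str:
    """Hypothetical policy: allow only if the observed name is allowlisted."""
    sni = extract_sni(record)
    return "allow" if sni and sni.lower() in allowlist else "drop"
```

The server_name is asserted by the client, so on its own it is one input to a judgement rather than proof of the destination.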

Will the client application need a substitute destination hostname?

No. Our Deep Packet Inspection technology does not need forced routing like proxies to have the traffic pass through the filters.

Will the client application need certificates to be installed?

No. Since Deep Packet Inspection only observes the metadata in the data packets, it does not terminate or initiate TLS connections. Terminating and re-initiating connections, as proxies do, usually has the side-effect of requiring clients to trust certificates signed by an intermediary.

The TLS connections remain end-to-end encrypted with the final, intended destination. If the connection works without filtering, it will continue to work through the discrimiNAT firewall.

Is TLS 1.3 supported?

Yes. TLS versions 1.2 and 1.3 are fully supported and checked in both directions of the client-server exchange.

What protocols other than TLS and SSH are supported?

None. We believe strongly in maintaining the integrity of supply chains in the Cloud. Therefore, other protocols are simply not allowed through the firewall.

How do I pass plain HTTP traffic through the firewall?

You cannot. We urge you to upgrade all connections to HTTPS or find private routing to these HTTP endpoints. Write to us via support and our team should be able to point you in the right direction!

How do I pass protocol X through the firewall?

Please get in touch with us so we can understand your application requirements. We would love to support more protocols if there are use-cases.