discrimiNAT FAQ

Does it cope well with CDN, Elastic, and DNS load balanced IPs for target FQDNs?

Yes. discrimiNAT has been engineered from the ground up with Cloud patterns in mind and therefore does not suffer from drawbacks of old-school security appliances that have been shoehorned into the Cloud.

Are policies applied at a granular, application level or the VPC level?

The allowlist is defined at the granular, application level. discrimiNAT extends the capability of the platform-native Firewall Rules/Security Groups and therefore works with the level of granularity these constructs work. The security function of your organisation can audit these rules with read-only permissions too, and you can continue to use the tooling that you already use to maintain those rules.

Are out-of-band DNS lookups carried out?


Unlike some other cloud-native offerings which only check what the connecting client is able to arbitrarily set, the discrimiNAT carries out a whole range of checks to detect attempts at spoofing. This thwarts sophisticated malware and insider threats alike, and prepares your VPCs for a proper pentest too.

Will the client application need HTTP proxy configuration?

No. The client applications will need no configuration at all. Chaser’s discrimiNAT firewall is a fully transparent solution operating on the outbound routes of the VPC network.

Contact our DevSecOps at [email protected] for queries at any stage of your journey. Alternatively, just reach out in the live chat.

We have so many accounts/projects in the Cloud. Do you offer volume licensing for all these deployments?

Yes. We understand the motivation behind your design and hold developers' autonomy in the highest regard. We also recommend that each deployment carry its own NAT solution, so the blast radius is limited. Do get in touch with us and we’ll do our best to accommodate you in a suitable tier given your numbers.

Is this for HTTPS or TLS traffic?

HTTPS is in fact HTTP encapsulated in TLS. discrimiNAT is a TLS metadata inspection firewall. It can also deal with other application protocols encapsulated in TLS such as LDAPS, FTPS, IMAPS, POP3S and SMTPS.

Is this for SSH or SFTP/SCP traffic?

SFTP and SCP work on the SSH protocol. discrimiNAT can check SSH v2 connections so wouldn’t have a problem with any subsystems that run within.

Is traffic decrypted for inspection?

No. Our Deep Packet Inspection technology, or DPI for short, does not decrypt the data packets in any way. DPI observes the metadata in the data packets en-route, keeping track of the sessions, and making judgements based on an aggregated view.

Will the client application need a substitute destination hostname?

No. Our Deep Packet Inspection technology does not need forced routing like proxies to have the traffic pass through the filters.

Will the client application need certificates to be installed?

No. Since Deep Packet Inspection only observes the metadata in the data packets, it does not terminate or initiate TLS connections – a side-effect of which is usually certificates signed by an intermediary that need to be trusted.

The TLS connections remain end-to-end encrypted with the final, intended destination. If the connection works without filtering, it will continue to work through the discrimiNAT firewall.

Why is Deep Packet Inspection superior to use of outbound proxies?

Deep Packet Inspection, or DPI for short, does not alter the data packets in any way. DPI observes metadata in the data packets en-route, keeping track of the sessions, and making judgements based on an aggregated view.

Proxies, such as squid, terminate the connection from the client and initiate a new one to the destination. This not only adds huge latency in TLS, but security settings in the form of handshake preferences from the original client can get diluted.

Is TLS 1.3 supported?

Yes. TLS versions 1.2 and 1.3 are fully supported and checked both ways in Client-Server chatter.

Should you have more questions around the specifics of any protocols, do get in touch and we will satisfy your inner geek!

What protocols other than TLS and SSH are supported?

None. We believe strongly in maintaining the integrity of supply chains in the Cloud. Therefore other protocols are not allowed through the firewall.

How do I pass plain HTTP traffic through the firewall?

You cannot. We urge you to upgrade all connections to HTTPS or find private routing to these HTTP endpoints. Reach out to the concierge and our DevSecOps should be able to point you in the right direction.

How do I pass protocol X through the firewall?

Get in touch with us so we can understand your application requirements. We would love to support more protocols if there are use-cases.