DiscrimiNAT FAQ
Does it cope well with CDN, Elastic and DNS load balanced IPs for target FQDNs?
Yes. DiscrimiNAT has been engineered from the ground up with Cloud patterns in mind and therefore does not suffer from drawbacks of old-school security appliances or lookup scripts in a loop. Our proprietary Wormhole DNS technology, developed with over two years of research, manages load-balanced, round-robin, weighted, etc. DNS responses perfectly well.
Are policies applied at a granular, application level or the VPC level?
In the spirit of the least-privilege principle, the allowlist is defined at the granular, application level. DiscrimiNAT extends the capability of the platform-native Firewall Rules/Security Groups and therefore works with the level of granularity these constructs work. The security function of your organisation can audit these rules with read-only permissions too, and you can continue to use the tooling that you already use to maintain those rules.
Are out-of-band DNS lookups carried out?
Yes. Unlike some other cloud-native offerings which only check the connecting client's arbitrarily-set headers, the DiscrimiNAT carries out a whole range of checks to detect attempts at spoofing. This thwarts sophisticated malware, RCEs and insider threats alike, and prepares your VPCs for a proper pentest too.
Are the out-of-band DNS lookups susceptible to IP address mismatches?
No, the DiscrimiNAT does not have issues such as FWAAS-1501. FQDNs in today's world can and often resolve to multiple IPs indeed. We've spent over two years in analysing the various mechanisms behind this to come up with the right solution. Therefore, our unparalleled engine, Wormhole DNS (designed and built completely in-house), is able to provide the lowest rate of false positives in the NGFW-class of products across the industry. And by lowest we mean zero.
Will the client application need HTTP proxy configuration?
No. The client applications will need no configuration at all. Chaser's DiscrimiNAT Firewall is a fully transparent solution operating on the outbound routes of the VPC network.
Contact our DevSecOps Support for queries at any stage of your journey.
Can I see some customer reviews?
Yes. Have a look at our comprehensive case studies, and product reviews at G2. G2 ensure the individuals leaving the review are real customers. All our marketplace listings also syndicate reviews from G2.
We have so many accounts/projects in the Cloud. Do you offer volume licensing for all these deployments?
Yes. We understand the motivation behind your design and hold developers' autonomy in the highest regard. We also recommend that each deployment carry its own NAT solution, so the blast radius is limited. Do get in touch with us and we'll do our best to accommodate you in a suitable tier given your numbers.
Is this for HTTPS or TLS traffic?
HTTPS is in fact HTTP encapsulated in TLS. DiscrimiNAT is a TLS metadata inspection firewall. It can also deal with other application protocols encapsulated in TLS such as LDAPS, FTPS, IMAPS, POP3S and SMTPS.
Is this for SSH or SFTP/SCP traffic?
SFTP and SCP work on the SSH protocol. DiscrimiNAT can check SSH v2 connections so wouldn't have a problem with any subsystems that run within.
Is traffic decrypted for inspection?
No. Our Deep Packet Inspection technology, or DPI for short, does not decrypt the data packets in any way. DPI observes the metadata in the data packets en-route, keeping track of the sessions, and making judgements based on an aggregated view.
Will the client application need a substitute destination hostname?
No. Our Deep Packet Inspection technology does not need forced routing like proxies to have the traffic pass through the filters.
Will the client application need certificates to be installed?
No. Since Deep Packet Inspection only observes the metadata in the data packets, it does not terminate or initiate TLS connections – a side-effect of which is usually certificates signed by a private intermediary that needs to be trusted.
The TLS connections remain end-to-end encrypted with the final, intended destination. If the connection works without filtering, it will continue to work through the DiscrimiNAT Firewall.
Why is Deep Packet Inspection superior to use of outbound proxies?
Deep Packet Inspection, or DPI for short, does not alter the data packets in any way. DPI observes metadata in the data packets en-route, keeping track of the sessions, and making judgements based on an aggregated view.
Proxies, such as squid, terminate the connection from the client and initiate a new one to the destination. This not only adds huge latency in TLS, but security settings in the form of handshake preferences from the original client can get diluted.
Is TLS 1.3 supported?
Yes. TLS versions 1.2 and 1.3 are fully supported and checked both ways in Client-Server chatter.
Should you have more questions around the specifics of any protocols, ESNI, mTLS, etc., do get in touch and we will satisfy your inner geek!
What protocols other than TLS and SSH are supported?
None. We believe strongly in maintaining the integrity of supply chains in the Cloud. Therefore other protocols are not allowed through the firewall.
How do I pass plain HTTP traffic through the firewall?
Except for CRL Endpoints found in x509 SSL Certificates, you cannot. We urge you to upgrade all connections to HTTPS or find private routing to these HTTP endpoints. Reach out to our DevSecOps Support and they should be able to point you in the right direction.
How do I pass protocol X through the firewall?
Get in touch with us so we can understand your application requirements. We would love to support more protocols if there are use cases.
Are any telemetry features included? Does the product collect usage data or any other information?
Since v2.7.0 by default, yes, but it can be turned off. The automated system health reporting kicks in 10 minutes after boot, at 0200 UTC every day and once at shutdown. Each instance of DiscrimiNAT will collect its OS internals & system logs since instance creation, config changes & traffic flow information from last two hours and upload it to a Chaser-owned bucket. This information is encrypted at rest with a certain public key so only relevant individuals with access to the corresponding private key can decrypt it. The transfer is of course over TLS.
Access to this information is immensely useful to create a faster and more reliable DiscrimiNAT as we add new features. We also aim to learn about how users are interacting with the product in order to further improve the usability of it as they embark on a very ambitious journey of fully accounted for and effective egress controls.
But we understand if certain environments within your deployment would rather not have this turned on. Instructions on disabling this are in the Terraform modules' documentation and release notes.
Are the DiscrimiNAT VM images hardened?
The DiscrimiNAT image is hardened per The CIS Ubuntu Linux 20.04 LTS Benchmark v1.1.0 Level 2 - Server. The report is available upon request by contacting support. The image scored 215/219. An explanation will be attached for the unmet 4.