
discrimiNAT FAQ

Does it cope well with CDN, Elastic and DNS load balanced IPs for target FQDNs?

Yes. discrimiNAT has been engineered from the ground up with Cloud patterns in mind and therefore does not suffer from drawbacks of old-school security appliances that have been shoehorned into the Cloud.

Are policies applied at a granular, application level or the VPC level?

The allowlist is defined at the granular, application level. discrimiNAT extends the capability of the platform-native Firewall Rules/Security Groups and therefore works at the same level of granularity those constructs provide. The security function of your organisation can audit these rules with read-only permissions too, and you can continue to use the tooling you already use to maintain those rules.

Are out-of-band DNS lookups carried out?

Yes. Unlike some other cloud-native offerings, which only check the connecting client's arbitrarily-set headers, discrimiNAT carries out a whole range of checks to detect attempts at spoofing. This thwarts sophisticated malware, RCEs and insider threats alike, and prepares your VPCs for a proper pentest too.

Are the out-of-band DNS lookups susceptible to IP address mismatches?

No. FQDNs in today's world can, and often do, resolve to multiple IPs. We've spent over a year analysing the various mechanisms behind this to come up with the right solution. Therefore, our unparalleled engine (designed and built completely in-house) is able to provide the lowest rate of false positives in the NGFW class of products across the industry. And by lowest we mean zero.

Will the client application need HTTP proxy configuration?

No. The client applications will need no configuration at all. Chaser's discrimiNAT firewall is a fully transparent solution operating on the outbound routes of the VPC network.

Info: Contact our DevSecOps Support for queries at any stage of your journey. Alternatively, reach out in the live chat.

Can I see some customer reviews?

Yes. The product reviews are at G2.com. G2 ensures the individuals leaving the reviews are real customers. All our marketplace listings also syndicate reviews from G2.

We have so many accounts/projects in the Cloud. Do you offer volume licensing for all these deployments?

Yes. We understand the motivation behind your design and hold developers' autonomy in the highest regard. We also recommend that each deployment carry its own NAT solution, so the blast radius is limited. Do get in touch with us and we'll do our best to accommodate you in a suitable tier given your numbers.

Is this for HTTPS or TLS traffic?

HTTPS is in fact HTTP encapsulated in TLS. discrimiNAT is a TLS metadata inspection firewall. It can also deal with other application protocols encapsulated in TLS such as LDAPS, FTPS, IMAPS, POP3S and SMTPS.

Is this for SSH or SFTP/SCP traffic?

SFTP and SCP run on the SSH protocol. discrimiNAT can check SSH v2 connections, so it has no problem with any subsystems that run within them.

Is traffic decrypted for inspection?

No. Our Deep Packet Inspection technology, or DPI for short, does not decrypt the data packets in any way. DPI observes the metadata in the data packets en route, keeping track of the sessions, and makes judgements based on an aggregated view.

Will the client application need a substitute destination hostname?

No. Our Deep Packet Inspection technology does not need forced routing like proxies to have the traffic pass through the filters.

Will the client application need certificates to be installed?

No. Since Deep Packet Inspection only observes the metadata in the data packets, it does not terminate or initiate TLS connections, which is what would otherwise require clients to trust certificates signed by an intermediary.

The TLS connections remain end-to-end encrypted with the final, intended destination. If the connection works without filtering, it will continue to work through the discrimiNAT firewall.
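The two FAQ entries on out-of-band DNS lookups and the entries on TLS metadata inspection above describe the same defensive idea: identify the destination FQDN from the unencrypted TLS handshake metadata, then verify that the connection's real destination IP is consistent with an independent DNS resolution of that name, without ever decrypting the session. The following is an added example written for this page, not discrimiNAT's own code: it parses the Server Name Indication (SNI) out of a TLS ClientHello (the page says "TLS metadata", SNI is the assumed field), builds a constructed ClientHello to run against, and uses a constructed dictionary in place of a real resolver. The `CONSTRUCTED_DNS`, `ALLOWLIST`, `build_client_hello`, `parse_client_hello_sni` and `evaluate` names are all assumptions of this example.

```python
"""Added example: SNI extraction from a TLS ClientHello plus an out-of-band
DNS consistency check. Not discrimiNAT's implementation; all names and the
sample data below are constructed for illustration."""
import struct
from typing import Optional

# Constructed stand-in for an out-of-band resolver: FQDN -> IPs it resolves to.
CONSTRUCTED_DNS = {
    "api.example.com": {"203.0.113.10", "203.0.113.11"},
    "updates.example.net": {"198.51.100.7"},
}
# Constructed application-level allowlist of destination FQDNs.
ALLOWLIST = {"api.example.com", "updates.example.net"}


def parse_client_hello_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a TLS ClientHello
    record, or None if the record is not a ClientHello or carries no SNI.
    Only the plaintext handshake metadata is read; nothing is decrypted."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:              # 0x01 = ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    pos = 2 + 32                                      # client_version + random
    sid_len = hs[pos]; pos += 1 + sid_len             # session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
    cm_len = hs[pos]; pos += 1 + cm_len               # compression_methods
    if pos + 2 > len(hs):
        return None                                   # no extensions block
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        data = hs[pos:pos + elen]; pos += elen
        if ext_type == 0x0000:                        # server_name extension
            list_len = struct.unpack("!H", data[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:                    # host_name
                    return data[p:p + name_len].decode("ascii")
                p += name_len
    return None


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.3-style ClientHello record carrying an SNI.
    Constructed test input, not a capture."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_data = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    sv_data = bytes([4, 0x03, 0x04, 0x03, 0x03])      # supported_versions: 1.3, 1.2
    ext += struct.pack("!HH", 0x002B, len(sv_data)) + sv_data
    body = (b"\x03\x03" + bytes(32)                   # legacy version + zero random
            + b"\x00"                                 # empty session_id
            + struct.pack("!H", 4) + b"\x13\x01\x13\x02"  # two cipher suites
            + b"\x01\x00"                             # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def evaluate(record: bytes, dst_ip: str, allowlist=ALLOWLIST, resolver=CONSTRUCTED_DNS) -> str:
    """Policy decision for one outbound TLS connection: the SNI must be on the
    allowlist AND the packet's real destination IP must be one the FQDN
    resolves to out of band. The second check is what catches a client that
    sets an allowed SNI but connects to an arbitrary IP. Caveat: this naive
    set comparison is exactly where CDN / round-robin names cause false
    positives when client and firewall receive different DNS answers; the
    FAQ states discrimiNAT's engine avoids that, but this example does not
    attempt to reproduce how."""
    sni = parse_client_hello_sni(record)
    if sni is None:
        return "deny: no SNI, destination FQDN cannot be identified"
    if sni not in allowlist:
        return f"deny: {sni} is not on the allowlist"
    if dst_ip not in resolver.get(sni, set()):
        return f"deny: {sni} does not resolve to {dst_ip} (possible SNI spoofing)"
    return f"allow: {sni} -> {dst_ip}"


if __name__ == "__main__":
    for host, ip in [("api.example.com", "203.0.113.10"),
                     ("api.example.com", "192.0.2.5"),
                     ("evil.example.org", "203.0.113.10")]:
        print(evaluate(build_client_hello(host), ip))
```

The second and third sample connections show the two distinct failure modes a defender cares about: a permitted name pointed at a destination it does not resolve to, and a name that is simply not permitted. Both are decided from handshake metadata alone, so the session stays end-to-end encrypted with the real server and no intermediary certificate is ever involved.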

Why is Deep Packet Inspection superior to use of outbound proxies?

Deep Packet Inspection, or DPI for short, does not alter the data packets in any way. DPI observes the metadata in the data packets en route, keeping track of the sessions, and makes judgements based on an aggregated view.

Proxies, such as squid, terminate the connection from the client and initiate a new one to the destination. This not only adds significant latency to TLS, but the security settings of the original client, in the form of its handshake preferences, can also get diluted.

Is TLS 1.3 supported?

Yes. TLS versions 1.2 and 1.3 are fully supported and checked in both directions of the client-server exchange.

Info: Should you have more questions around the specifics of any protocols, ESNI, etc., do get in touch and we will satisfy your inner geek!

What protocols other than TLS and SSH are supported?

None. We believe strongly in maintaining the integrity of supply chains in the Cloud. Therefore other protocols are not allowed through the firewall.

How do I pass plain HTTP traffic through the firewall?

You cannot. We urge you to upgrade all connections to HTTPS or find private routing to these HTTP endpoints. Reach out to our DevSecOps Support and they should be able to point you in the right direction.

How do I pass protocol X through the firewall?

Get in touch with us so we can understand your application requirements. We would love to support more protocols if there are use-cases.