Skip to main content

Quick Start (from Marketplace)

This is a quick visual walkthrough of deploying a brand new VPC in AWS, secured by the DiscrimiNAT Firewall for egress traffic filtering right from the onset.

info

Contact our DevSecOps Support for queries at any stage of your journey. Alternatively, reach out in the live chat.

i. MARKETPLACE SUBSCRIBE

AWS Marketplace Subscription

Proceed to our AWS Marketplace page and click the Continue to Subscribe button. This step is entirely self-service.

info

If you have deployed through Terraform or are considering, jump straight to the Security Groups section. You may skip everything before that.

ii. CLOUDFORMATION TEMPLATE

CloudFormation Pre-launch

Choose CloudFormation Template as the delivery method, and the Complete VPC example, with networking for 1 AZ template for this exercise.

Ensure Software Version 2.4.2 is selected, and the Region is one intended.

iii. LAUNCH

CloudFormation Launch

Choose Launch CloudFormation and hit Launch.

iv. STACK PARAMETERS

CloudFormation Stack Parameters

info

Contact our DevSecOps Support for queries at any stage of your journey. Alternatively, reach out in the live chat.

Stack name: This is a unique identifier for the deployment. In the case of this example, we have chosen the name plugleak. This name will prefix many resources that this stack will create.

InstanceType: A machine type with at least 2 vCPU and 2 GiB RAM. A t3.small should suffice where throughput requirements are basic and allowlists small. Otherwise a c5.large makes a good choice for constant throughput. Talk to our DevSecOps to get the sizing right!

KeyPairName: Leaving it blank will not setup any SSH keys in the firewall instance, so you won't be able to log in and have a nose around. If you wish to enable SSH access (not advised for a security appliance), paste in the exact key name from EC2 -> Key Pairs.

VPCCIDR: The VPC level CIDR block to deploy in this region. If going with the example layout, try 10.10.0.0/21 .

PrivateSubnetAZA: The Private Subnet for Availability Zone A. If going with the example layout, try 10.10.0.0/23 .

PublicSubnetAZA: The Public Subnet for Availability Zone A. If going with the example layout, try 10.10.6.0/25 .

v. CREATE STACK

CloudFormation Stack IAM Permissions

The firewall needs some permissions from AWS IAM to carry out its job. You will find these in IAM prefixed with the stack name chosen earlier.

vi. SMALL WAIT

CloudFormation Deployment Wait

Shouldn’t be more than a few minutes.

CloudFormation Stack Deployed

The stack is ready!

vii. SECURITY GROUPS

AWS Security Group with FQDN

info

Contact our DevSecOps Support for queries at any stage of your journey. Alternatively, reach out in the live chat.

We encourage you to create Security Groups as you would normally. Tight in scope and attached to their respective applications.

FQDN based egress filtering enhancements for AWS follow!

For an effective use of the DiscrimiNAT Firewall:

  • Add destination protocols and FQDNs to the description field of each outbound rule. The format of this text is DiscrimiNAT:<protocol>:<fqdn>[,<fqdn>] .

    • Valid protocols are ssh and tls only.
    • There can be as many FQDNs as you can fit separated by commas. There cannot be whitespace, though.
    • There can be other text leading and trailing this specification, separated by whitespace.
    • All of it is case insensitive.
tip

You can attach multiple Security Groups to EC2 instances. It's a great way to bunch together related FQDNs.

  • Some examples of what can go in the description field:

    • DiscrimiNAT:TLS:api.foo.example.com,downloads.example.net
    • DiscrimiNAT:SSH:sftp.txs.example.org,ssh.github.com
    • discriminat:tls:api-v2.example.com discriminat:tls:www.example.org
    • lorem ipsum discriminat:ssh:ssh.github.com,gitlab.com dolor sit amet

  • Must be under Outbound rules.

  • Under Type, choose any TCP protocol type and specify exactly one port number in Port range. Multiple ports, ranges, other protocols, and so on are not supported.

    • For your typical HTTPS outbound connection, the port number would be 443.
    • A typical SFTP connection has the port number of 22.

  • Destination must be set to the narrowest IP block you can think of. Now if you don't have anything narrower than 0.0.0.0/0 that is absolutely fine! The firewall takes care of validating the destination IP address of actual packets in many ways, but the outbound rule at the AWS networking and security level must allow the packet to leave the virtual machine at all. We repeat, 0.0.0.0/0 is a safe choice with the DiscrimiNAT Firewall in the way.

  • Should you wish to use the same port number again with a different rule, set the destination to 0.0.0.0/1 or 0.0.0.0/2 or 0.0.0.0/3 and so on.

  • That's it! Although you may want to check the full reference for more possibilities.

viii. CONFIGURATION LOG

CloudWatch DiscrimiNAT config log

Let’s now look at the configuration logs. Browse to CloudWatch -> Log Groups -> discrimiNAT -> config . You will see each instance of the firewall pick up the changes! Logs are structured (JSON) so filtering them in any way you like should be a walk in the park!

ix. TEST A VIRTUAL MACHINE

New EC2 instance for test

Time to test with a virtual machine. Create one as usual, in the same region as the firewall was deployed in. Pick the Private subnet created by your stack to place this machine in.

EC2 Security Group attachment

Attach the security group we created earlier to this machine.

You can now look at the flow logs to observe traffic from this machine. Browse to CloudWatch -> Log Groups -> discrimiNAT -> flow . You will see each connection that is allowed or disallowed!

info

Contact our DevSecOps Support for queries at any stage of your journey. Alternatively, reach out in the live chat.