Quick Start
This is a quick visual walkthrough of deploying a brand new VPC in AWS, secured by the discrimiNAT firewall for egress traffic filtering right from the outset.
info
Contact our DevSecOps Support for queries at any stage of your journey. Alternatively, reach out in the live chat.
i. MARKETPLACE SUBSCRIBE
Proceed to our AWS Marketplace page and click the Continue to Subscribe button. This step is entirely self-service.
info
If you have deployed through Terraform, or are considering it, jump straight to the Security Groups section. You may skip everything before that.
ii. CLOUDFORMATION TEMPLATE
Choose CloudFormation Template as the delivery method, and the Complete VPC example, with networking for 1 AZ template for this exercise.
Ensure the latest Software Version is selected, and the Region is one intended.
iii. LAUNCH
Choose Launch CloudFormation and hit Launch.
iv. STACK PARAMETERS
Stack name: This is a unique identifier for the deployment. In the case of this example, we have chosen the name plugleak. This name will prefix many resources that this stack will create.
InstanceType: A machine type with at least 2 vCPU and 2 GiB RAM. A t3.small should suffice where throughput requirements are basic and allowlists small. Otherwise a c5.large makes a good choice for constant throughput. Talk to our DevSecOps to get the sizing right!
KeyPairName: Leaving it blank will not set up any SSH keys in the firewall instance, so you won't be able to log in and have a nose around. If you wish to enable SSH access (not advised for a security appliance), paste in the exact key name from EC2 -> Key Pairs.
VPCCIDR: The VPC level CIDR block to deploy in this region. If going with the example layout, try 10.10.0.0/21.
PrivateSubnetAZA: The Private Subnet for Availability Zone A. If going with the example layout, try 10.10.0.0/23.
PublicSubnetAZA: The Public Subnet for Availability Zone A. If going with the example layout, try 10.10.6.0/25.
v. CREATE STACK
The firewall needs some permissions from AWS IAM to carry out its job. You will find these in IAM prefixed with the stack name chosen earlier.
vi. SMALL WAIT
Shouldn’t be more than a few minutes.
The stack is ready!
vii. SECURITY GROUPS
We encourage you to create Security Groups as you would normally: tight in scope and attached to their respective applications.
FQDN-based egress filtering enhancements for AWS follow!
For an effective use of the discrimiNAT firewall:
Add destination protocols and FQDNs to the description field of each outbound rule. The format of this text is discrimiNAT:<protocol>:<fqdn>[,<fqdn>].
- Valid protocols are ssh and tls only.
- There can be as many FQDNs as you can fit, separated by commas. There cannot be whitespace, though.
- There can be other text leading and trailing this specification, separated by whitespace.
- All of it is case insensitive.
Some examples of what can go in the description field:
discrimiNAT:TLS:api.foo.example.com,downloads.example.net
discrimiNAT:SSH:sftp.txs.example.org,ssh.github.com
discriminat:tls:api-v2.example.com discriminat:tls:www.example.org
lorem ipsum discriminat:ssh:ssh.github.com,gitlab.com dolor sit amet
Must be under Outbound rules. Under Type, choose any TCP protocol type and specify exactly one port number in Port range. Multiple ports, ranges, other protocols, and so on are not supported.
- For your typical HTTPS outbound connection, the port number would be 443.
- A typical SFTP connection has the port number of 22.
Destination must be set to the narrowest IP block you can think of. Now if you don't have anything narrower than 0.0.0.0/0 that is absolutely fine! The firewall takes care of validating the destination IP address of actual packets in many ways, but the outbound rule at the AWS networking and security level must allow the packet to leave the virtual machine at all. We repeat, 0.0.0.0/0 is a safe choice with the discrimiNAT firewall in the way.
Should you wish to use the same port number again with a different rule, set the destination to 0.0.0.0/1 or 0.0.0.0/2 or 0.0.0.0/3 and so on.
That's it! Although you may want to check the full reference for more possibilities.
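To catch mistakes before they reach the firewall, the following added example (not part of this guide or of discrimiNAT itself) lints a rule shaped like the boto3 IpPermissions structure against the constraints above: a TCP type, exactly one port, a CIDR destination, and a well-formed discrimiNAT:<protocol>:<fqdn>[,<fqdn>] token in the description. The sample rule and the lint messages are constructed here for illustration.

```python
import ipaddress
import re

# Only these two protocols may appear in a discrimiNAT description token.
VALID_PROTOCOLS = {"ssh", "tls"}
# One token: the prefix, a protocol, then comma-separated FQDNs with no whitespace.
# The token is searched for, not anchored, so free text around it is tolerated.
SPEC_RE = re.compile(r"discriminat:([^:\s]+):(\S+)", re.IGNORECASE)


def parse_description(description):
    """Return (protocol, [fqdn, ...]) tuples found in a rule description, lower-cased.
    Raises ValueError if a token names a protocol other than ssh or tls."""
    specs = []
    for proto, fqdn_list in SPEC_RE.findall(description):
        proto = proto.lower()
        if proto not in VALID_PROTOCOLS:
            raise ValueError(f"unsupported protocol {proto!r}: only ssh and tls are valid")
        specs.append((proto, [f.lower() for f in fqdn_list.split(",") if f]))
    return specs


def lint_egress_rule(permission):
    """Check one boto3-style IpPermissions entry against the quick-start rules.
    Returns a list of problems; an empty list means the rule is usable as written."""
    problems = []
    if permission.get("IpProtocol") != "tcp":
        problems.append("Type must be a TCP protocol type")
    if permission.get("FromPort") != permission.get("ToPort"):
        problems.append("Port range must be exactly one port number, not a range")
    for ip_range in permission.get("IpRanges", []):
        cidr = ip_range.get("CidrIp", "")
        try:
            ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"Destination {cidr!r} is not a valid CIDR block")
        try:
            specs = parse_description(ip_range.get("Description", ""))
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if not specs:
            problems.append(f"no discrimiNAT token in the description for {cidr}")
    return problems


# Constructed sample rule (not from the page), shaped like boto3 IpPermissions output.
SAMPLE_RULE = {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [
    {"CidrIp": "0.0.0.0/0", "Description": "discrimiNAT:TLS:api.foo.example.com,downloads.example.net"}]}
```

Feed it the output of describe-security-groups (IpPermissionsEgress) to lint every outbound rule in a group at once.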
viii. CONFIGURATION LOG
Let’s now look at the configuration logs. Browse to CloudWatch -> Log Groups -> discrimiNAT -> config. You will see each instance of the firewall pick up the changes! Logs are structured (JSON) so filtering them in any way you like should be a walk in the park!
ix. TEST A VIRTUAL MACHINE
Time to test with a virtual machine. Create one as usual, in the same region as the firewall was deployed in. Pick the Private subnet created by your stack to place this machine in.
Attach the security group we created earlier to this machine.
You can now look at the flow logs to observe traffic from this machine. Browse to CloudWatch -> Log Groups -> discrimiNAT -> flow. You will see each connection that is allowed or disallowed!