Release Notes

version 2.9.0 (2024-11-28)

• default preferences (see docs), of which there are four at this time, can now be stored in an SSM Parameter named DiscrimiNAT (case-sensitive):
  • wildcard_exposure: control whether * is accepted in FQDNs or not, and if accepted, with prohibit public suffix safeguard or not. Please familiarise yourself with operation and caveats on the behaviour of wildcard rules before using them.
  • flow_log_verbosity: control whether all logs are emitted, just disallowed or none at all
  • see_thru: set non-blocking, monitoring see-thru mode as a default (useful with new deployments so traffic is not blocked upon deployment)
  • x509_crls: whether to automatically allow CRL Endpoints of x509 SSL certificates for all TLS FQDNs allowlisted. This was a feature introduced in v2.7.0
• list of FQDNs for allowlisting, in JSON format, can now be read in from an SSM Parameter or a Secret in Secrets Manager
  • format is {"addrs": ["fqdn1.com", "*.github.com", ...]}
  • a symbolic reference of the Parameter/Secret, using its full ARN, will need to be added to the Security Group Rules' description field instead of comma-separated FQDNs. For example, discriminat:tls:arn:aws:ssm:eu-west-2:111111111111:parameter/team-foo-allowed-fqdns and discriminat:tls:arn:aws:secretsmanager:eu-west-2:111111111111:secret:service-foo-allowed-fqdns
  • DiscrimiNAT's IAM Role's Policy will need ssm:GetParameter (for SSM Parameters) and secretsmanager:GetSecretValue (for Secret) permissions on the ARNs referred
  • previous method of storing comma-separated FQDNs in Security Group Rules' description fields is preserved and will continue to work
• version of bundled Public Suffix List: 931546b
• improvement in startup time with a large allowlist (>500 FQDNs)
• new config log reason: rejected. This is emitted in case a wildcard FQDN is specified but the wildcard_exposure preference value does not allow its inclusion. For example, {addr: "*.github.io", cat: "addr", outcome: "publicsuffix[.]org list matched with `github.io`"}
• raw packet captures (PCAP) for ~10 seconds may be included in telemetry data if Automated System Health Reporting is not opted out of
• fixed a bug where wildcard matched FQDNs would not be allowed, until the cache for them was warmed up, in spite of see-thru mode being set
• fixed occassional "spoofing detected" flow logs disallowing connections to Cloudinary and Azure Cloud CDN FQDNs
• TLS and SSH connectivity improvements to some hosts that would not acknowledge trailing zeroes in padding bytes of a handshake
• absence of leading zeroes in month and date components of a see-thru date now works. For example, previously, 2024-9-1 would not have worked, however, 2024-09-01 would have. Both work now.
• wildcard matched connections are now timed out on first attempt, instead of connection reset, until the cache has warmed up for them. This reduces the number of attempts made by an app/client when accessing a wildcarded FQDN for the first time.

Breaking Changes

• plaintext HTTP CRL Endpoints of x509 SSL certificates for all TLS FQDNs allowlisted are no longer allowed automatically. Set the preference x509_crls to auto_allow to restore previous behaviour. If you did not know about this, you are likely not affected. We have proactively informed the customers we definitely knew were relying on this.

Terraform Updates

• preferences' defaults in JSON format are deployed automatically, along with the IAM Policy permission for DiscrimiNAT to be able to read them, from v2.9.0 of our Terraform module to serve as a starting point. Can be overriden from the new preferences variable.
• option to disable automatic updates to the Launch Template when a new DiscrimiNAT AMI version is available with the ami_auto_update boolean variable
• renamed variable ami_name to ami_version. It now accepts the semver for DiscrimiNAT.
• list-type variables iam_get_additional_ssm_params and iam_get_additional_secrets introduced to automatically add IAM Get permissions on DiscrimiNAT's IAM Role's Policy for the ones specified. This enables DiscrimiNAT to read allowlists specified in these resources.
• full diff between previous version and this can be found here for the -gwlb module, and here for the -eni module

version 2.8.0 (2024-08-20)

• wildcard support is now in preview:
  • they are supported for the TLS protocol only
  • the character _ may be used to substitute one wild character in an FQDN to be allowed
  • the set of wild characters is from a to z, 0 to 9 and the - (hyphen or minus) only; the . (period, dot or fullstop) character is not included
  • you may use any number of wildcards in a single FQDN address (in the allowlist)
  • see our dedicated page on using wildcards with examples and the caveats expected in this preview; ensure you've read the Operation section as well
  • further improvements are expected in the next version of DiscrimiNAT; please write to us with your experience on using this feature
• suppressed repetitive warning log messages no ip addresses resolved about CRL endpoint crl.comodo.net
• improved compatibility with proprietary SSH server-side implementations, such as GoAnywhere, that send a larger than normal list of ciphers during the initial handshake
• Terraform module v2.8.0 will need to be used to deploy the v2.8.x AMIs of DiscrimiNAT

version 2.7.1 (2024-02-12)

• warning type messages in config logs now do not repeat before 10 minutes. This will reduce the frequency of no ip addresses resolved, etc. log messages significantly.
• disabling Automated System Health Reporting can now be done by setting variable ashr to false from Terraform module v2.7.1 onwards. The earlier method will continue to work.
• automated system health reporting, if left enabled, now runs at shutdown too.
• automatically allowed CRL Endpoints of x509 SSL certificates now emit the name of the otherwise allowed FQDN and the issuing CA in the certificate chain, from which the CRL Endpoint was determined, in the reason field of the config log. For example, crl endpoint from issuer GTS Root R1 in certificate chain of trends.google.com.

version 2.7.0 (2024-01-14)

• HTTP flow Logs: additional log fields of http_method, http_user_agent and http_path will be present for plaintext HTTP traffic to aid in determining the source of unencrypted traffic. The traffic will always be denied with the message insecure protocol, use https, though.

• CRL Endpoints of x509 SSL certificates, which are over plaintext HTTP, are now automatically allowed for all TLS FQDNs allowlisted. Only HTTP methods HEAD and GET are allowed to these URLs from only the clients that otherwise have the TLS FQDNs (to which these CRL Endpoints belong) allowed.

• no ip addresses resolved warning message in config log for FQDNs found in the allowlist but for which a DNS lookup did not resolve any IP addresses. This is useful in spotting typos and domain names not configured yet by third parties.

• Terraform module v2.7.0 update: variable startup_script_base64 has been renamed user_data_base64.

• Automated System Health Reporting: 10 minutes after boot and then at around 0200 UTC every day, each instance of DiscrimiNAT will collect its OS internals & system logs since instance creation, config changes & traffic flow information from last two hours and upload it to a Chaser-owned cloud bucket. This information is encrypted at rest with a certain public key so only relevant individuals with access to the corresponding private key can decrypt it. The transfer is encrypted over TLS.

  Access to this information will be immensely useful to create a faster and more reliable DiscrimiNAT as we add new features. We also aim to learn about how users are interacting with the product in order to further improve the usability of it as they embark on a very ambitious journey of fully accounted for and effective egress controls.

  We understand if certain environments within your deployment would rather not have this turned on. To disable it, a file at the path /etc/chaser/disable_automated-system-health-reporting should exist. From our Terraform module v2.7.0 onwards, this can be accomplished by including the following statement:

  user_data_base64 = "I2Nsb3VkLWNvbmZpZwp3cml0ZV9maWxlczoKLSBwYXRoOiAvZXRjL2NoYXNlci9kaXNhYmxlX2F1dG9tYXRlZC1zeXN0ZW0taGVhbHRoLXJlcG9ydGluZwo="

  The base64 value above decodes to:

  #cloud-config
  write_files:
  - path: /etc/chaser/disable_automated-system-health-reporting

  Which is a cloud-init way of creating that file in the instance.

• Instance types c5.large, c5.xlarge, c5.2xlarge, c6i.2xlarge and c6a.2xlarge are no longer supported. Please choose from one of t3.small, c6i.large, c6i.xlarge, c6a.large and c6a.xlarge.

• DiscrimiNAT Firewall's product code on the AWS Marketplace has changed from a83las5cq95zkg3x8i17x6wyy to bz1yq0sc5ta99w5j7jjwzym8g. This has no impact on users unless they had been using the product code to lookup its AMI ID, for example. Terraform modules version 2.7.0 onward encapsulate this change.

version 2.6.1 (2023-10-13)

• health check logic now also waits for the firewall cache to build up a bit before giving a green light to the load balancer (and therefore accepting traffic on new VMs)
• two new warning log message types which indicate if the configured port in a Firewall Rule has a connection-level issue:
  • for example test for TLS on 203.0.113.5:80 failed – port 80 was not listening with TLS
  • and for example timed out testing connection to 203.0.113.6:443 – port 443 on that IP address is not open (from DiscrimiNAT's public IP point of view)

version 2.6.0 (2023-07-24)

• the TLS notation for allowlisting now supports IP v4 addresses besides FQDNs (i.e. without SNI), for example discriminat:tls:203.0.113.9
• the see-thru monitoring mode now accepts all specifications of IP addresses, Protocols & Ports on Security Groups. Previously, it had required IP addresses to be set to 0.0.0.0/0 and Ports & Protocols to be to set to all.
• two new flow log reason messages when a network packet is disallowed have been introduced:
  • cache not ready: this message is logged when a new address is added in the allowlist but the firewall has not yet warmed up its cache for it. Expected to occur for up to 2 minutes after adding a new address (FQDN or IP.)
  • spoofing detected: logged when TLS SNI has been manipulated and a connection is attempted to an IP address that doesn't otherwise belong to the given FQDN (in the SNI.)
• enabled Finite Field Diffie–Hellman ciphers for TLS 1.2, for example DHE as opposed to ECDHE
• enabled ciphers without Forward Secrecy for TLS 1.2
• instance types have been updated to t3.small, c6i.large, c6i.xlarge, c6i.2xlarge, c6a.large, c6a.xlarge, c6a.2xlarge, c5.large,c5.xlarge and c5.2xlarge. Note that the c6a AMD types, although cheaper and equally performant, may not be available in all Availability Zones.

Breaking Changes

• the config log has its fqdn field name changed to addr. Field names have not changed in the flow log.
• in the config log, association of a public IP for egress from the firewall had its category (cat field) set to static-ip. This is now set to egress-ip.

version 2.5.3 (2023-05-31)

• increased tolerance towards some rare TLS servers that otherwise resulted in DiscrimiNAT logging connection test failures and not allowing connections to them

version 2.5.2 (2023-03-27)

• change of base OS from Ubuntu 18.04 to Ubuntu 20.04

The CIS Ubuntu Linux 20.04 LTS Benchmark v1.1.0 Level 2 - Server report is available upon request by contacting support. The image scored 215/219. An explanation will be attached for the unmet 4.

version 2.5.1 (2023-02-03)

• general OS updates

version 2.5.0 (2022-11-07)

• DiscrimiNAT now supports load balancing, high availability and auto scaling with AWS' Gateway Load Balancer (GWLB).
• With the GWLB, the RTO for DiscrimiNAT is reduced from ~120 seconds to 10 seconds!
• New -gwlb Terraform module published at the registry to deploy a load balancing, highly available and an auto scaling set of DiscrimiNAT Firewalls.

Breaking Changes

• CloudWatch log group name changed from discrimiNAT to DiscrimiNAT. The first letter of the word DiscrimiNAT is, and going-forwards will be, in upper-case.
• IAM Policy has been updated to reflect the upper-case letter D.
• AMI name has seen the same change.
• A new patch version, 2.4.1, of the ENI Terraform module has been released that constrains it to DiscrimiNAT version 2.4.x AMIs only. The ENI Terraform module will be updated in due course to support DiscrimiNAT version 2.5.x and onwards.

version 2.4.2 (2022-10-11)

• improved connection handling for very short lived TLS connections with specific server-side implementations (such as Envoy Proxy)

version 2.4.1 (2022-05-11)

• fixed a sporadic connection reset issue, that emitted unexpected response in the logs, and which only occurred in the see-thru monitoring mode while connecting to a destination at very high latency

version 2.4.0 (2022-03-01)

• new warning message in config logs when a connection test to an FQDN, carried out by discrimiNAT itself, in any allowlist fails
• added support for self-attaching an allocated Elastic IP
• discrimiNAT's own instance ID added to every log line under the key instance, indicating which instance the log line was emitted from
• updated TLS ECH draft extension identifiers

version 2.2.0 (2021-09-06)

• see-thru mode introduced; build allowlists super-quick by putting a Security Group in monitor mode first
• serverless support introduced; Lambdas etc. with an interface in the VPC will have their outbound traffic filtered
• full bypass hook added; please reach out to support for instructions on this

version 2.1.0 (2021-08-19)

• improved handling for a large number of FQDNs in the allowlists
• updated TLS ECH draft extension identifiers

version 2.0.5 (2021-05-11)

• restricted firewall rule scanning to the same VPC as discrimiNAT firewall was deployed in

version 2.0.4 (2021-04-07)

• updated TLS ECH draft extension identifiers

version 2.0.3 (2020-11-10)

• v2 launch
• completely new architecture addressing the potential for mismatch of IPs addresses as looked up by a protected workload from the VPC resolver and as looked up by the discrimiNAT firewall
• rewritten in Rust

version 20200524 (2020-05-27)

available on request; v1 is now deprecated; please upgrade to v2

version 20200516 (2020-05-20)

available on request; v1 is now deprecated; please upgrade to v2

version 20191207 (2019-12-10)

available on request; v1 is now deprecated; please upgrade to v2

version 20191108 (2019-11-12)

available on request; v1 is now deprecated; please upgrade to v2

version 20190911 (2019-09-13)

• v1 launch