Release Notes
version 2.6.0 (2023-07-24)β
- the TLS notation for allowlisting now supports IP v4 addresses besides FQDNs (i.e. without SNI), for example
discriminat:tls:203.0.113.9
- the see-thru monitoring mode now accepts all specifications of IP addresses, Protocols & Ports on Security Groups. Previously, it had required IP addresses to be set to
0.0.0.0/0
and Ports & Protocols to be to set to all. - two new
-flow
logreason
messages when a network packet isdisallowed
have been introduced:cache not ready
: this message is logged when a new address is added in the allowlist but the firewall has not yet warmed up its cache for it. Expected to occur for up to 2 minutes after adding a new address (FQDN or IP.)spoofing detected
: logged when TLS SNI has been manipulated and a connection is attempted to an IP address that doesn't otherwise belong to the given FQDN (in the SNI.)
- enabled Finite Field DiffieβHellman ciphers for TLS 1.2, for example DHE as opposed to ECDHE
- enabled ciphers without Forward Secrecy for TLS 1.2
- instance types have been updated to
t3.small
,c6i.large
,c6i.xlarge
,c6i.2xlarge
,c6a.large
,c6a.xlarge
,c6a.2xlarge
,c5.large
,c5.xlarge
andc5.2xlarge
. Note that thec6a
AMD types, although cheaper and equally performant, may not be available in all Availability Zones.
Breaking Changes
- the
-config
log has itsfqdn
field name changed toaddr
. Field names have not changed in the-flow
log. - in the
-config
log, association of a public IP for egress from the firewall had its category (cat
field) set tostatic-ip
. This is now set toegress-ip
.
version 2.5.3 (2023-05-31)β
- increased tolerance towards some rare TLS servers that otherwise resulted in DiscrimiNAT logging connection test failures and not allowing connections to them
version 2.5.2 (2023-03-27)β
- change of base OS from Ubuntu 18.04 to Ubuntu 20.04
version 2.5.1 (2023-02-03)β
- general OS updates
version 2.5.0 (2022-11-07)β
- DiscrimiNAT now supports load balancing, high availability and auto scaling with AWS' Gateway Load Balancer (GWLB).
- With the GWLB, the RTO for DiscrimiNAT is reduced from ~120 seconds to 10 seconds!
- New
-gwlb
Terraform module published at the registry to deploy a load balancing, highly available and an auto scaling set of DiscrimiNAT Firewalls.
Breaking Changes
- CloudWatch log group name changed from
discrimiNAT
toDiscrimiNAT
. The first letter of the word DiscrimiNAT is, and going-forwards will be, in upper-case. - IAM Policy has been updated to reflect the upper-case letter D.
- AMI name has seen the same change.
- A new patch version, 2.4.1, of the ENI Terraform module has been released that constrains it to DiscrimiNAT version 2.4.x AMIs only. The ENI Terraform module will be updated in due course to support DiscrimiNAT version 2.5.x and onwards.
version 2.4.2 (2022-10-11)β
- improved connection handling for very short lived TLS connections with specific server-side implementations (such as Envoy Proxy)
version 2.4.1 (2022-05-11)β
- fixed a sporadic connection reset issue, that emitted
unexpected response
in the logs, and which only occurred in thesee-thru
monitoring mode while connecting to a destination at very high latency
version 2.4.0 (2022-03-01)β
- new warning message in config logs when a connection test to an FQDN, carried out by discrimiNAT itself, in any allowlist fails
- added support for self-attaching an allocated Elastic IP
- discrimiNAT's own instance ID added to every log line under the key
instance
, indicating which instance the log line was emitted from - updated TLS ECH draft extension identifiers
version 2.2.0 (2021-09-06)β
- see-thru mode introduced; build allowlists super-quick by putting a Security Group in monitor mode first
- serverless support introduced; Lambdas etc. with an interface in the VPC will have their outbound traffic filtered
- full bypass hook added; please reach out to support for instructions on this
version 2.1.0 (2021-08-19)β
- improved handling for a large number of FQDNs in the allowlists
- updated TLS ECH draft extension identifiers
version 2.0.5 (2021-05-11)β
- restricted firewall rule scanning to the same VPC as discrimiNAT firewall was deployed in
version 2.0.4 (2021-04-07)β
- updated TLS ECH draft extension identifiers
version 2.0.3 (2020-11-10)β
- v2 launch
- completely new architecture addressing the potential for mismatch of IPs addresses as looked up by a protected workload from the VPC resolver and as looked up by the discrimiNAT firewall
- rewritten in Rust
version 20200524 (2020-05-27)β
available on request; v1 is now deprecated; please upgrade to v2
version 20200516 (2020-05-20)β
available on request; v1 is now deprecated; please upgrade to v2
version 20191207 (2019-12-10)β
available on request; v1 is now deprecated; please upgrade to v2
version 20191108 (2019-11-12)β
available on request; v1 is now deprecated; please upgrade to v2
version 20190911 (2019-09-13)β
- v1 launch