Release Notes
version 2.9.0 (2024-11-28)β
- default preferences (see docs), of which there are four at this time, can now be stored in an SSM Parameter named
DiscrimiNAT
(case-sensitive):wildcard_exposure
: control whether*
is accepted in FQDNs or not, and if accepted, with prohibit public suffix safeguard or not. Please familiarise yourself with operation and caveats on the behaviour of wildcard rules before using them.flow_log_verbosity
: control whether all logs are emitted, just disallowed or none at allsee_thru
: set non-blocking, monitoring see-thru mode as a default (useful with new deployments so traffic is not blocked upon deployment)x509_crls
: whether to automatically allow CRL Endpoints of x509 SSL certificates for all TLS FQDNs allowlisted. This was a feature introduced in v2.7.0
- list of FQDNs for allowlisting, in JSON format, can now be read in from an SSM Parameter or a Secret in Secrets Manager
- format is
{"addrs": ["fqdn1.com", "*.github.com", ...]}
- a symbolic reference of the Parameter/Secret, using its full ARN, will need to be added to the Security Group Rules' description field instead of comma-separated FQDNs. For example,
discriminat:tls:arn:aws:ssm:eu-west-2:111111111111:parameter/team-foo-allowed-fqdns
anddiscriminat:tls:arn:aws:secretsmanager:eu-west-2:111111111111:secret:service-foo-allowed-fqdns
- DiscrimiNAT's IAM Role's Policy will need ssm:GetParameter (for SSM Parameters) and secretsmanager:GetSecretValue (for Secret) permissions on the ARNs referred
- previous method of storing comma-separated FQDNs in Security Group Rules' description fields is preserved and will continue to work
- format is
- version of bundled Public Suffix List: 931546b
- improvement in startup time with a large allowlist (>500 FQDNs)
- new config log reason:
rejected
. This is emitted in case a wildcard FQDN is specified but the wildcard_exposure preference value does not allow its inclusion. For example,{addr: "*.github.io", cat: "addr", outcome: "publicsuffix[.]org list matched with `github.io`"}
- raw packet captures (PCAP) for ~10 seconds may be included in telemetry data if Automated System Health Reporting is not opted out of
- fixed a bug where wildcard matched FQDNs would not be allowed, until the cache for them was warmed up, in spite of see-thru mode being set
- fixed occassional "spoofing detected" flow logs disallowing connections to Cloudinary and Azure Cloud CDN FQDNs
- TLS and SSH connectivity improvements to some hosts that would not acknowledge trailing zeroes in padding bytes of a handshake
- absence of leading zeroes in month and date components of a see-thru date now works. For example, previously,
2024-9-1
would not have worked, however,2024-09-01
would have. Both work now. - wildcard matched connections are now timed out on first attempt, instead of connection reset, until the cache has warmed up for them. This reduces the number of attempts made by an app/client when accessing a wildcarded FQDN for the first time.
Breaking Changes
- plaintext HTTP CRL Endpoints of x509 SSL certificates for all TLS FQDNs allowlisted are no longer allowed automatically. Set the preference
x509_crls
toauto_allow
to restore previous behaviour. If you did not know about this, you are likely not affected. We have proactively informed the customers we definitely knew were relying on this.
Terraform Updates
- preferences' defaults in JSON format are deployed automatically, along with the IAM Policy permission for DiscrimiNAT to be able to read them, from v2.9.0 of our Terraform module to serve as a starting point. Can be overriden from the new
preferences
variable. - option to disable automatic updates to the Launch Template when a new DiscrimiNAT AMI version is available with the
ami_auto_update
boolean variable - renamed variable
ami_name
toami_version
. It now accepts the semver for DiscrimiNAT. - list-type variables
iam_get_additional_ssm_params
andiam_get_additional_secrets
introduced to automatically add IAM Get permissions on DiscrimiNAT's IAM Role's Policy for the ones specified. This enables DiscrimiNAT to read allowlists specified in these resources. - full diff between previous version and this can be found here for the -gwlb module, and here for the -eni module
version 2.8.0 (2024-08-20)β
- wildcard support is now in preview:
- they are supported for the TLS protocol only
- the character
_
may be used to substitute one wild character in an FQDN to be allowed - the set of wild characters is from
a
toz
,0
to9
and the-
(hyphen or minus) only; the.
(period, dot or fullstop) character is not included - you may use any number of wildcards in a single FQDN address (in the allowlist)
- see our dedicated page on using wildcards with examples and the caveats expected in this preview; ensure you've read the Operation section as well
- further improvements are expected in the next version of DiscrimiNAT; please write to us with your experience on using this feature
- suppressed repetitive warning log messages
no ip addresses resolved
about CRL endpointcrl.comodo.net
- improved compatibility with proprietary SSH server-side implementations, such as GoAnywhere, that send a larger than normal list of ciphers during the initial handshake
- Terraform module v2.8.0 will need to be used to deploy the v2.8.x AMIs of DiscrimiNAT
version 2.7.1 (2024-02-12)β
warning
type messages inconfig
logs now do not repeat before 10 minutes. This will reduce the frequency ofno ip addresses resolved
, etc. log messages significantly.- disabling Automated System Health Reporting can now be done by setting variable
ashr
tofalse
from Terraform module v2.7.1 onwards. The earlier method will continue to work. - automated system health reporting, if left enabled, now runs at shutdown too.
- automatically allowed CRL Endpoints of x509 SSL certificates now emit the name of the otherwise allowed FQDN and the issuing CA in the certificate chain, from which the CRL Endpoint was determined, in the
reason
field of theconfig
log. For example,crl endpoint from issuer GTS Root R1 in certificate chain of trends.google.com
.
version 2.7.0 (2024-01-14)β
HTTP
flow
Logs: additional log fields ofhttp_method
,http_user_agent
andhttp_path
will be present for plaintext HTTP traffic to aid in determining the source of unencrypted traffic. The traffic will always be denied with the messageinsecure protocol, use https
, though.CRL Endpoints of x509 SSL certificates, which are over plaintext HTTP, are now automatically allowed for all TLS FQDNs allowlisted. Only HTTP methods
HEAD
andGET
are allowed to these URLs from only the clients that otherwise have the TLS FQDNs (to which these CRL Endpoints belong) allowed.no ip addresses resolved
warning message inconfig
log for FQDNs found in the allowlist but for which a DNS lookup did not resolve any IP addresses. This is useful in spotting typos and domain names not configured yet by third parties.Terraform module v2.7.0 update: variable
has been renamedstartup_script_base64
user_data_base64
.Automated System Health Reporting: 10 minutes after boot and then at 0200 UTC every day, each instance of DiscrimiNAT will collect its OS internals & system logs since instance creation, config changes & traffic flow information from last two hours and upload it to a Chaser-owned cloud bucket. This information is encrypted at rest with a certain public key so only relevant individuals with access to the corresponding private key can decrypt it. The transfer is encrypted over TLS.
Access to this information will be immensely useful to create a faster and more reliable DiscrimiNAT as we add new features. We also aim to learn about how users are interacting with the product in order to further improve the usability of it as they embark on a very ambitious journey of fully accounted for and effective egress controls.
We understand if certain environments within your deployment would rather not have this turned on. To disable it, a file at the path
/etc/chaser/disable_automated-system-health-reporting
should exist. From our Terraform module v2.7.0 onwards, this can be accomplished by including the following statement:user_data_base64 = "I2Nsb3VkLWNvbmZpZwp3cml0ZV9maWxlczoKLSBwYXRoOiAvZXRjL2NoYXNlci9kaXNhYmxlX2F1dG9tYXRlZC1zeXN0ZW0taGVhbHRoLXJlcG9ydGluZwo="
The base64 value above decodes to:
#cloud-config
write_files:
- path: /etc/chaser/disable_automated-system-health-reportingWhich is a cloud-init way of creating that file in the instance.
Instance types
c5.large
,c5.xlarge
,c5.2xlarge
,c6i.2xlarge
andc6a.2xlarge
are no longer supported. Please choose from one oft3.small
,c6i.large
,c6i.xlarge
,c6a.large
andc6a.xlarge
.DiscrimiNAT Firewall's product code on the AWS Marketplace has changed from
toa83las5cq95zkg3x8i17x6wyy
bz1yq0sc5ta99w5j7jjwzym8g
. This has no impact on users unless they had been using the product code to lookup its AMI ID, for example. Terraform modules version 2.7.0 onward encapsulate this change.
version 2.6.1 (2023-10-13)β
- health check logic now also waits for the firewall cache to build up a bit before giving a green light to the load balancer (and therefore accepting traffic on new VMs)
- two new warning log message types which indicate if the configured port in a Firewall Rule has a connection-level issue:
- for example
test for TLS on 203.0.113.5:80 failed
β port 80 was not listening with TLS - and for example
timed out testing connection to 203.0.113.6:443
β port 443 on that IP address is not open (from DiscrimiNAT's public IP point of view)
- for example
version 2.6.0 (2023-07-24)β
- the TLS notation for allowlisting now supports IP v4 addresses besides FQDNs (i.e. without SNI), for example
discriminat:tls:203.0.113.9
- the see-thru monitoring mode now accepts all specifications of IP addresses, Protocols & Ports on Security Groups. Previously, it had required IP addresses to be set to
0.0.0.0/0
and Ports & Protocols to be to set to all. - two new
flow
logreason
messages when a network packet isdisallowed
have been introduced:cache not ready
: this message is logged when a new address is added in the allowlist but the firewall has not yet warmed up its cache for it. Expected to occur for up to 2 minutes after adding a new address (FQDN or IP.)spoofing detected
: logged when TLS SNI has been manipulated and a connection is attempted to an IP address that doesn't otherwise belong to the given FQDN (in the SNI.)
- enabled Finite Field DiffieβHellman ciphers for TLS 1.2, for example DHE as opposed to ECDHE
- enabled ciphers without Forward Secrecy for TLS 1.2
- instance types have been updated to
t3.small
,c6i.large
,c6i.xlarge
,c6i.2xlarge
,c6a.large
,c6a.xlarge
,c6a.2xlarge
,c5.large
,c5.xlarge
andc5.2xlarge
. Note that thec6a
AMD types, although cheaper and equally performant, may not be available in all Availability Zones.
Breaking Changes
- the
config
log has itsfqdn
field name changed toaddr
. Field names have not changed in theflow
log. - in the
config
log, association of a public IP for egress from the firewall had its category (cat
field) set tostatic-ip
. This is now set toegress-ip
.
version 2.5.3 (2023-05-31)β
- increased tolerance towards some rare TLS servers that otherwise resulted in DiscrimiNAT logging connection test failures and not allowing connections to them
version 2.5.2 (2023-03-27)β
- change of base OS from Ubuntu 18.04 to Ubuntu 20.04
version 2.5.1 (2023-02-03)β
- general OS updates
version 2.5.0 (2022-11-07)β
- DiscrimiNAT now supports load balancing, high availability and auto scaling with AWS' Gateway Load Balancer (GWLB).
- With the GWLB, the RTO for DiscrimiNAT is reduced from ~120 seconds to 10 seconds!
- New
-gwlb
Terraform module published at the registry to deploy a load balancing, highly available and an auto scaling set of DiscrimiNAT Firewalls.
Breaking Changes
- CloudWatch log group name changed from
discrimiNAT
toDiscrimiNAT
. The first letter of the word DiscrimiNAT is, and going-forwards will be, in upper-case. - IAM Policy has been updated to reflect the upper-case letter D.
- AMI name has seen the same change.
- A new patch version, 2.4.1, of the ENI Terraform module has been released that constrains it to DiscrimiNAT version 2.4.x AMIs only. The ENI Terraform module will be updated in due course to support DiscrimiNAT version 2.5.x and onwards.
version 2.4.2 (2022-10-11)β
- improved connection handling for very short lived TLS connections with specific server-side implementations (such as Envoy Proxy)
version 2.4.1 (2022-05-11)β
- fixed a sporadic connection reset issue, that emitted
unexpected response
in the logs, and which only occurred in thesee-thru
monitoring mode while connecting to a destination at very high latency
version 2.4.0 (2022-03-01)β
- new warning message in config logs when a connection test to an FQDN, carried out by discrimiNAT itself, in any allowlist fails
- added support for self-attaching an allocated Elastic IP
- discrimiNAT's own instance ID added to every log line under the key
instance
, indicating which instance the log line was emitted from - updated TLS ECH draft extension identifiers
version 2.2.0 (2021-09-06)β
- see-thru mode introduced; build allowlists super-quick by putting a Security Group in monitor mode first
- serverless support introduced; Lambdas etc. with an interface in the VPC will have their outbound traffic filtered
- full bypass hook added; please reach out to support for instructions on this
version 2.1.0 (2021-08-19)β
- improved handling for a large number of FQDNs in the allowlists
- updated TLS ECH draft extension identifiers
version 2.0.5 (2021-05-11)β
- restricted firewall rule scanning to the same VPC as discrimiNAT firewall was deployed in
version 2.0.4 (2021-04-07)β
- updated TLS ECH draft extension identifiers
version 2.0.3 (2020-11-10)β
- v2 launch
- completely new architecture addressing the potential for mismatch of IPs addresses as looked up by a protected workload from the VPC resolver and as looked up by the discrimiNAT firewall
- rewritten in Rust
version 20200524 (2020-05-27)β
available on request; v1 is now deprecated; please upgrade to v2
version 20200516 (2020-05-20)β
available on request; v1 is now deprecated; please upgrade to v2
version 20191207 (2019-12-10)β
available on request; v1 is now deprecated; please upgrade to v2
version 20191108 (2019-11-12)β
available on request; v1 is now deprecated; please upgrade to v2
version 20190911 (2019-09-13)β
- v1 launch