FAQs

Why is Deep Packet Inspection superior to the use of Proxies

Deep Packet Inspection, or DPI for short, does not alter the data packets in any way. DPI simply observes metadata in the data packets en route, keeping track of the sessions and making judgements based on an aggregated view.

Proxies terminate the connection from the client and initiate a new one to the destination. This not only adds huge latency in TLS, but security settings in the form of connection preferences from the original client can get lost.

Will the client application need Proxy configuration

No. The client applications will need no reconfiguration at all. Chaser's Secure Egress Gateway is a fully transparent solution operating on the outbound routes of the VPC network.

Is this for HTTPS or for TLS traffic

HTTPS is in fact HTTP encapsulated in TLS. The Secure Egress Gateway is a TLS metadata inspection firewall. It can also deal with other application protocols encapsulated in TLS such as LDAPS, FTPS, IMAPS, POP3S and SMTPS.

How is configuration changed in an AWS deployment

The configuration is a Parameter in the AWS Systems Manager service named /<deployment name>/whitelist. You can change it in the AWS Console by browsing to Systems Manager -> Parameter Store, or make the AmazonSSM.PutParameter RESTful API call to update the configuration on-the-fly.

How is configuration changed in a GCP deployment

The configuration is a Key in the Compute Metadata of the GCP Project named <deployment name>-whitelist. You can change it in the GCP Console by browsing to Compute Engine -> Metadata, or make the projects.setCommonInstanceMetadata RESTful API call to update the configuration on-the-fly.

Is traffic decrypted for inspection

No. Our Deep Packet Inspection technology, or DPI for short, does not decrypt the data packets in any way. DPI simply observes the metadata in the data packets en route, keeping track of the sessions and making judgements based on an aggregated view.

Will the client application need a substitute destination hostname

No. Our Deep Packet Inspection technology does not need forced routing like Proxies to have the traffic pass through the filters.

Will the client application need certificates to be installed

No. Since Deep Packet Inspection only observes the metadata in the data packets, it does not terminate or initiate TLS connections. Terminating and re-initiating connections usually results in certificates signed by an intermediary that needs to be trusted.

The TLS connections remain end-to-end encrypted with the final, intended destination. If the connection works without filtering, it would continue to work through our Secure Egress Gateway.

Is TLS 1.3 supported

Yes. TLS versions 1.2 and 1.3 are fully supported.

What protocols other than TLS are supported

None. We believe strongly in maintaining the integrity of supply chains in the Cloud. Therefore plain-text protocols and others with no trust and validation mechanisms are simply not allowed through the firewall.

How do I pass plain HTTP traffic through the firewall

You cannot. We urge you to upgrade all connections to HTTPS.

How do I pass protocols such as SSH, etc. through the firewall

Please get in touch with us so we can understand your application requirements. We would love to support more authenticated protocols if there are use-cases.

What is the "permissive" configuration key

The permissive configuration key, when set to the value yes, lets connections to destinations not on the whitelist through as well. This feature is useful for building up the whitelist by looking at the flow logs when the entire list of destinations that your application connects to is not known upfront.

When in permissive mode, the flow logs will continue to indicate how the firewall would have behaved for each connection, but the connection is let through in any case. Each log line will also indicate that permissive was enabled.

The default value of permissive, if left unspecified, is no. In that configuration, the firewall will actively deny connections to destinations not on the whitelist.
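
The following is an added illustration, not Chaser's code, of the two ideas above: reading TLS metadata without decrypting anything, and permissive mode recording the verdict while still letting traffic through. It assumes the inspected metadata is the SNI hostname in the cleartext ClientHello and that the whitelist is a set of exact hostnames; the function names and sample hostnames are hypothetical and the ClientHello bytes are constructed inline.

```python
import struct

def build_client_hello(hostname):
    """Constructed sample input: a minimal ClientHello record with one SNI extension."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # list len, host_name type, name len
    ext = struct.pack("!HH", 0, len(sni)) + sni                    # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # legacy_version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body             # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs       # record type 22 = handshake

def extract_sni(record):
    """Read the SNI hostname from the cleartext ClientHello; None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                                 # session_id
        pos += 2 + int.from_bytes(record[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + record[pos]                                 # compression_methods
        end = min(len(record), pos + 2 + int.from_bytes(record[pos:pos + 2], "big"))
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            if etype == 0:                                     # server_name extension
                nlen = int.from_bytes(record[pos + 7:pos + 9], "big")
                name = record[pos + 9:pos + 9 + nlen]
                return name.decode("ascii").lower() if len(name) == nlen and nlen else None
            pos += 4 + elen
    except (IndexError, UnicodeDecodeError):
        pass
    return None

def decide(record, allowlist, permissive=False):
    """Return (hostname, would_allow, action); permissive keeps the verdict but lets traffic through."""
    host = extract_sni(record)
    would_allow = host in allowlist
    action = "allow" if would_allow or permissive else "deny"
    return host, would_allow, action

if __name__ == "__main__":
    allowlist = {"api.example.com"}                            # constructed allowlist
    for h in ("api.example.com", "other.example.net"):
        print(decide(build_client_hello(h), allowlist), decide(build_client_hello(h), allowlist, True))
```

A production inspector also has to reassemble a ClientHello that is split across TCP segments or TLS records, which this sketch does not attempt.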