Listing Thumbnail

    DiscrimiNAT Firewall - BYOL

     Info
    The DiscrimiNAT Firewall is a transparent, proxy-less NAT Gateway alternative to discover & filter egress traffic by FQDNs in a VPC.
    Listing Thumbnail

    DiscrimiNAT Firewall - BYOL

     Info

    Overview

    CONSOLE INTEGRATION

    There are no new UIs to learn - the config is stored in Security Groups directly, and the flow & audit logs go to CloudWatch. Because only AWS APIs are used for interfacing, you will never have to leave the AWS console or introduce new tooling.

    TIP: Drop us an email at devsecops@chasersystems.com  to receive quarterly version update release notes one week prior to GA. Also for a demo, best practices and architecture review.

    TRANSPARENT OPERATION

    No need to set http_proxy like environment variables or change any code. Everything in the VPC, from VMs to EKS, Fargate, Lambda and even zero-trust WorkSpaces [2], will have its egress traffic routed via DiscrimiNAT. Swapping to (and from) AWS NAT Gateway is just updating the route tables.

    SAFE WILDCARDS

    Public Suffix List [4] safeguard in place, by default, to reject wildcard patterns matching all tenants on a CSP or a CDN (aka Effective TLDs); precise patterns can also be configured with use of glob characters (*, ?).

    DEVELOPER GUARD RAILS

    With bidirectional enforcement of TLS 1.2+ and SSH v2, automated expiry of exemptions, dropping unencrypted Internet-bound traffic, etc., each feature has been carefully designed to avoid footguns.

    REFINED OPERABILITY

    We are an AWS Gateway Load Balancing Partner for Security Appliances [3] and the DiscrimiNAT runs with high-availability, load-balancing & auto-scaling within your VPC. It's also completely maintenance-free!

    ENTERPRISE READY

    Whether you seek compliance with PCI DSS v4.0 or NIST SP 800-53 AC-4, SC-7 and SC-8, we've got it covered. DiscrimiNAT is hardened to CIS benchmarks, receives quarterly updates (critical OS updates in 10 days) and rolling updates apply with zero downtime.

    [2] https://chasersystems.com/solutions/daas-ztna/ 

    [3] https://thinkwithwp.com/elasticloadbalancing/partners/ 

    [4] https://publicsuffix.org/ 

    Highlights

    • SPOOFING PREVENTION: Unlike AWS Network Firewall, DiscrimiNAT does conduct out-of-band DNS lookups, so TLS SNI spoofing by supply-chain malware will be logged & stopped. It even supports allowing SSH by FQDNs. The next Log4J [1] won't slip through! [1] https://chasersystems.com/blog/log4shell-and-its-traces-in-a-network-egress-filter/
    • LEAST PRIVILEGE EGRESS: You no longer need to apply the entire allowlist to large CIDR ranges hosting multiple applications. The policies are as granular as AWS Security Groups, so each application gets access to only what it needs.
    • FQDN DISCOVERY: Don't know what needs allowing? With the 'see-thru' monitor mode, egress traffic can be logged without blocking; then a CloudWatch query extracts FQDNs accessed. Watch this 3 minute video on how easy it is: https://youtu.be/63EfQQiirZQ

    Details

    Delivery method

    Delivery option
    64-bit (x86) Amazon Machine Image (AMI)

    Latest version

    Operating system
    Ubuntu 20.04

    Features and programs

    Financing for AWS Marketplace purchases

    AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
    Financing for AWS Marketplace purchases

    Pricing

    DiscrimiNAT Firewall - BYOL

     Info
    Pricing and entitlements for this product are managed outside of AWS Marketplace through an external billing relationship between you and the vendor. You activate the product by supplying an existing license purchased outside of AWS Marketplace, while AWS provides the infrastructure required to launch the product. Subscriptions have no end date and may be cancelled any time. However, the cancellation won't affect the status of an active license if it was purchased outside of AWS Marketplace.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator  to estimate your infrastructure costs.

    Additional AWS infrastructure costs

    Type
    Cost
    EBS General Purpose SSD (gp3) volumes
    $0.08/per GB/month of provisioned storage

    Vendor refund policy

    There are no refunds for BYOL licensing.

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

     Info

    Delivery details

    64-bit (x86) Amazon Machine Image (AMI)

    Amazon Machine Image (AMI)

    An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.

    Support

    Vendor support

    INCLUDED: Enterprise support is included in the Cloud marketplace pricing.

    Use of your work email is advised so we can provide support in the right context.

    SCREEN SHARE: Contact us for hands-on help at devsecops@chasersystems.com  at any stage of your journey: we'll jump on a screen-sharing call right away.

    WALK THROUGH: Why not book our 60-minute demo ? It's a 40-minute, complete walk-through of configuring and operating the DiscrimiNAT Firewall, including tasks such as creating allowlists swiftly, with remaining time for Q&A. Engineers from the development, operations (SRE, DevOps, etc.) and security domains would find it useful to participate.

    TIP: Drop us an email anyway to receive quarterly version update release notes one week prior to GA. Also for a demo, best practices and architecture review.

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Similar products

    Customer reviews

    Ratings and reviews

     Info
    0 ratings
    5 star
    4 star
    3 star
    2 star
    1 star
    0%
    0%
    0%
    0%
    0%
    0 AWS reviews
    |
    1 external reviews
    External reviews are sourced from G2  and are not included in the star rating for this product.
    Paul S.

    Secure egress solution with very straightforward rule configuration

    Reviewed on Nov 18, 2021
    Review provided by G2
    What do you like best about the product?
    We really like the speed and simplicity of deployment using Terraform with the vendor-supplied modules, no need for console access, and authorization determined by security group rule descriptions. We initially used the "see-thru" mode to determine existing outbound traffic without enforcement.

    We simply replaced our existing NAT Gateways with DiscrimiNAT, added the rules to our security groups, then checked traffic details in CloudWatch logs (AWS) or Cloud Logging (GCP).

    It's particularly well suited to our organization with a large number of autonomous teams who want a simple, secure egress solution that's easy to configure, no change to application code, and no need for explicit proxy settings.

    DiscrimiNAT is available via AWS and GCP Marketplaces, so it's easy to procure - as the cost is simply included in the monthly cloud provider bill.

    There's a high standard of documentation with example Terraform code, and we received a prompt response to a minor technical query.
    What do you dislike about the product?
    One downside of DiscrimiNAT is that it can't filter on URL path - for example, you can't block all of github.com except for github.com/mycompany. However, implementing that level of control would require an SSL interception solution which isn't suitable for us, due to the need to install the proxy certificate chain as trusted in our server operating systems and applications.
    What problems is the product solving and how is that benefiting you?
    DiscrimiNAT provides controlled egress to authorized domains from cloud computing environments in AWS and GCP, using TLS and SSH. It significantly reduces the risk of data exfiltration, malware, and command and control using reverse shell attacks.
    View all reviews