Overview
CONSOLE INTEGRATION
There are no new UIs to learn - the config is stored in Security Groups directly, and the flow & audit logs go to CloudWatch. Because only AWS APIs are used for interfacing, you will never have to leave the AWS console or introduce new tooling.
TIP: Drop us an email at devsecops@chasersystems.com to receive quarterly version update release notes one week prior to GA. Also for a demo, best practices and architecture review.
TRANSPARENT OPERATION
No need to set http_proxy like environment variables or change any code. Everything in the VPC, from VMs to EKS, Fargate, Lambda and even zero-trust WorkSpaces [2], will have its egress traffic routed via DiscrimiNAT. Swapping to (and from) AWS NAT Gateway is just updating the route tables.
SAFE WILDCARDS
Public Suffix List [4] safeguard in place, by default, to reject wildcard patterns matching all tenants on a CSP or a CDN (aka Effective TLDs); precise patterns can also be configured with use of glob characters (*, ?).
DEVELOPER GUARD RAILS
With bidirectional enforcement of TLS 1.2+ and SSH v2, automated expiry of exemptions, dropping unencrypted Internet-bound traffic, etc., each feature has been carefully designed to avoid footguns.
REFINED OPERABILITY
We are an AWS Gateway Load Balancing Partner for Security Appliances [3] and the DiscrimiNAT runs with high-availability, load-balancing & auto-scaling within your VPC. It's also completely maintenance-free!
ENTERPRISE READY
Whether you seek compliance with PCI DSS v4.0 or NIST SP 800-53 AC-4, SC-7 and SC-8, we've got it covered. DiscrimiNAT is hardened to CIS benchmarks, receives quarterly updates (critical OS updates in 10 days) and rolling updates apply with zero downtime.
[2] https://chasersystems.com/solutions/daas-ztna/
Highlights
- SPOOFING PREVENTION: Unlike AWS Network Firewall, DiscrimiNAT does conduct out-of-band DNS lookups, so TLS SNI spoofing by supply-chain malware will be logged & stopped. It even supports allowing SSH by FQDNs. The next Log4J [1] won't slip through! [1] https://chasersystems.com/blog/log4shell-and-its-traces-in-a-network-egress-filter/
- LEAST PRIVILEGE EGRESS: You no longer need to apply the entire allowlist to large CIDR ranges hosting multiple applications. The policies are as granular as AWS Security Groups, so each application gets access to only what it needs.
- FQDN DISCOVERY: Don't know what needs allowing? With the 'see-thru' monitor mode, egress traffic can be logged without blocking; then a CloudWatch query extracts FQDNs accessed. Watch this 3 minute video on how easy it is: https://youtu.be/63EfQQiirZQ
Details
Typical total price
$0.291/hour
Features and programs
Financing for AWS Marketplace purchases
Pricing
Free trial
Instance type | Product cost/hour | EC2 cost/hour | Total/hour |
---|---|---|---|
t3.small Recommended | $0.27 | $0.021 | $0.291 |
c6i.large | $0.27 | $0.085 | $0.355 |
c6i.xlarge | $0.27 | $0.17 | $0.44 |
c6a.large | $0.27 | $0.076 | $0.346 |
c6a.xlarge | $0.27 | $0.153 | $0.423 |
Additional AWS infrastructure costs
Type | Cost |
---|---|
EBS General Purpose SSD (gp3) volumes | $0.08/per GB/month of provisioned storage |
Vendor refund policy
You may terminate the EC2 instance(s) at any time to stop incurring charges. Email devsecops@chasersystems.com for questions on billing.
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
Additional details
Usage instructions
Resources
Vendor resources
Support
Vendor support
INCLUDED: Enterprise support is included in the Cloud marketplace pricing.
Use of your work email is advised so we can provide support in the right context.
SCREEN SHARE: Contact us for hands-on help at devsecops@chasersystems.com at any stage of your journey: we'll jump on a screen-sharing call right away.
WALK THROUGH: Why not book our 60-minute demo ? It's a 40-minute, complete walk-through of configuring and operating the DiscrimiNAT Firewall, including tasks such as creating allowlists swiftly, with remaining time for Q&A. Engineers from the development, operations (SRE, DevOps, etc.) and security domains would find it useful to participate.
TIP: Drop us an email anyway to receive quarterly version update release notes one week prior to GA. Also for a demo, best practices and architecture review.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Similar products
Customer reviews
Secure egress solution with very straightforward rule configuration
We simply replaced our existing NAT Gateways with DiscrimiNAT, added the rules to our security groups, then checked traffic details in CloudWatch logs (AWS) or Cloud Logging (GCP).
It's particularly well suited to our organization with a large number of autonomous teams who want a simple, secure egress solution that's easy to configure, no change to application code, and no need for explicit proxy settings.
DiscrimiNAT is available via AWS and GCP Marketplaces, so it's easy to procure - as the cost is simply included in the monthly cloud provider bill.
There's a high standard of documentation with example Terraform code, and we received a prompt response to a minor technical query.