Overview

CONSOLE INTEGRATION

There are no new UIs to learn - the config is stored in Security Groups directly, and the flow & audit logs go to CloudWatch. Because only AWS APIs are used for interfacing, you will never have to leave the AWS console or introduce new tooling.

TRANSPARENT OPERATION

No need to set http_proxy like environment variables or change any code. Everything in the VPC, from VMs to EKS, Fargate, Lambda and even zero-trust WorkSpaces [2], will have its egress traffic routed via DiscrimiNAT. Swapping to (and from) AWS NAT Gateway is just updating the route tables.

DEVELOPER GUARD RAILS

With bidirectional enforcement of TLS 1.2+ and SSH v2, automated expiry of exemptions, dropping unencrypted Internet-bound traffic, etc., each feature has been carefully designed to avoid footguns.

REFINED OPERABILITY

We are an AWS Gateway Load Balancing Partner for Security Appliances [3] and the DiscrimiNAT runs with high-availability, load-balancing & auto-scaling within your VPC. It's also completely maintenance-free!

ENTERPRISE READY

Whether you seek compliance with PCI DSS v4.0 or NIST SP 800-53 AC-4, SC-7 and SC-8, we've got it covered. DiscrimiNAT is hardened to CIS benchmarks, receives quarterly updates (critical OS updates in 10 days) and rolling updates apply with zero downtime.

[2] https://chasersystems.com/solutions/daas-ztna/ [3] https://aws.amazon.com/elasticloadbalancing/partners/

Highlights

SPOOFING PREVENTION: Unlike AWS Network Firewall, DiscrimiNAT does conduct out-of-band DNS lookups, so TLS SNI spoofing by supply-chain malware will be logged & stopped. It even supports allowing SSH by FQDNs. The next Log4J [1] won't slip through! [1] https://chasersystems.com/blog/log4shell-and-its-traces-in-a-network-egress-filter/
LEAST PRIVILEGE EGRESS: You no longer need to apply the entire allowlist to large CIDR ranges hosting multiple applications. The policies are as granular as AWS Security Groups, so each application gets access to only what it needs.
FQDN DISCOVERY: Don't know what needs allowing? With the 'see-thru' monitor mode, egress traffic can be logged without blocking; then a CloudWatch query extracts FQDNs accessed. Watch this 3 minute video on how easy it is: https://youtu.be/63EfQQiirZQ

Details

Sold by

Chaser Systems

Features and programs

Financing for AWS Marketplace purchases

AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.

View financing details

Pricing

DiscrimiNAT Firewall - BYOL

Info

View purchase options

Pricing and entitlements for this product are managed outside of AWS Marketplace through an external billing relationship between you and the vendor. You activate the product by supplying an existing license purchased outside of AWS Marketplace, while AWS provides the infrastructure required to launch the product. Subscriptions have no end date and may be cancelled any time. However, the cancellation won't affect the status of an active license if it was purchased outside of AWS Marketplace.

Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

Additional AWS infrastructure costs

Type	Cost
EBS General Purpose SSD (gp2) volumes	$0.10/per GB/month of provisioned storage

Vendor refund policy

There are no refunds for BYOL licensing.

Legal

Vendor terms and conditions

Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .

Content disclaimer

Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

Usage information

Info

Version

Delivery details

64-bit (x86) Amazon Machine Image (AMI)

Amazon Machine Image (AMI)

An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.

Version release notes

https://chasersystems.com/docs/discriminat/aws/release-notes/

Additional details

Usage instructions

https://chasersystems.com/docs/discriminat/aws/quick-start/

Resources

Vendor resources

Quick Start Guide

Comparison with AWS Network Firewall

Terraform Modules

Support

Vendor support

Contact us for expert help at devsecops@chasersystems.com at any stage of your journey - we'll jump on a screen-sharing call right away! Use of your work email is advised so we can provide support in the right context.

AWS infrastructure support

AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

Get support

Similar products

DiscrimiNAT Firewall

By Chaser Systems

The DiscrimiNAT Firewall is a transparent, proxy-less NAT Gateway alternative to discover & filter egress traffic by FQDNs in a VPC.

View product

DiscrimiNAT Firewall - Deprecated

By Chaser Systems

The DiscrimiNAT Firewall is a transparent, proxy-less NAT Gateway alternative to discover & filter egress traffic by FQDNs in a VPC.

View product

Customer reviews

Write a review

Ratings and reviews

Info

0 ratings

5 star

4 star

3 star

2 star

1 star

0 AWS reviews

1 external reviews

External reviews are sourced from G2 and are not included in the star rating for this product.

Paul S.

Secure egress solution with very straightforward rule configuration

Reviewed on Nov 18, 2021

Review provided by G2

What do you like best about the product?

We really like the speed and simplicity of deployment using Terraform with the vendor-supplied modules, no need for console access, and authorization determined by security group rule descriptions. We initially used the "see-thru" mode to determine existing outbound traffic without enforcement.

We simply replaced our existing NAT Gateways with DiscrimiNAT, added the rules to our security groups, then checked traffic details in CloudWatch logs (AWS) or Cloud Logging (GCP).

It's particularly well suited to our organization with a large number of autonomous teams who want a simple, secure egress solution that's easy to configure, no change to application code, and no need for explicit proxy settings.

DiscrimiNAT is available via AWS and GCP Marketplaces, so it's easy to procure - as the cost is simply included in the monthly cloud provider bill.

There's a high standard of documentation with example Terraform code, and we received a prompt response to a minor technical query.

What do you dislike about the product?

One downside of DiscrimiNAT is that it can't filter on URL path - for example, you can't block all of github.com except for github.com/mycompany. However, implementing that level of control would require an SSL interception solution which isn't suitable for us, due to the need to install the proxy certificate chain as trusted in our server operating systems and applications.

What problems is the product solving and how is that benefiting you?

DiscrimiNAT provides controlled egress to authorized domains from cloud computing environments in AWS and GCP, using TLS and SSH. It significantly reduces the risk of data exfiltration, malware, and command and control using reverse shell attacks.