DiscrimiNAT Firewall - BYOL
Chaser SystemsReviews from AWS customer
0 AWS reviews
-
5 star0
-
4 star0
-
3 star0
-
2 star0
-
1 star0
External reviews
3 reviews
from
External reviews are not included in the AWS star rating for the product.
Straightforward AWS NAT Gateway for egress filtering that doesn't have an SNI spoofing vulnerability
What do you like best about the product?
DiscrimiNAT mitigates the SNI spoofing vulnerabilities present in solutions like Squid and AWS Network Firewall by enforcing strict FQDN checks. Its transparent operation requires no client-side configuration. The allow list rules are easy to configure. The “see-thru” operating mode helps with deployment to production networks by identifying overlooked egress traffic requirements before they get blocked. Additionally, because DiscrimiNAT functions as an inline appliance rather than a NAT gateway server, security assessors and pen testers with authenticated access cannot raise an “unrestricted outbound access” finding for that host during security audits.
What do you dislike about the product?
We have not encountered any drawbacks that prevented deployment. It functions as expected without adding overhead to our infrastructure. Egress traffic must be HTTPS. FQDN wildcard support is available within the inherent limits of the solution.
What problems is the product solving and how is that benefiting you?
We needed to restrict outbound AWS cloud traffic to prevent data exfiltration. Previously we used a Squid web proxy and Linux firewall as the NAT gateway to do this. We replaced it with DiscrimiNAT to prevent our egress rules from being bypassed via SNI spoofing, to address a potential security vulnerability. This provides verifiable egress control, which satisfies our security and compliance requirements.
Good forward proxy for our egress security on Google Cloud
What do you like best about the product?
We like the fact that DiscrimiNAT is doing FQDN filtering on SNI while being a transparent proxy, that it integrates with native firewall rules on GCP and that it's really fast and performant. We deploy it with the Terraform module and it's maintenance-free for us. In addition, we always had really fast feedback and help from the Team anytime we reached out for advice / feedback. Price is also good.
What do you dislike about the product?
We don't have any issues as of now. In the past, the lack of wildcards was a downside, but it's now fully supported.
What problems is the product solving and how is that benefiting you?
We have a security requirement to filter egress traffic from our Cloud infrastructure. DiscrimiNAT makes that easy and integrates well.
Secure egress solution with very straightforward rule configuration
What do you like best about the product?
We really like the speed and simplicity of deployment using Terraform with the vendor-supplied modules, no need for console access, and authorization determined by security group rule descriptions. We initially used the "see-thru" mode to determine existing outbound traffic without enforcement.
We simply replaced our existing NAT Gateways with DiscrimiNAT, added the rules to our security groups, then checked traffic details in CloudWatch logs (AWS) or Cloud Logging (GCP).
It's particularly well suited to our organization with a large number of autonomous teams who want a simple, secure egress solution that's easy to configure, no change to application code, and no need for explicit proxy settings.
DiscrimiNAT is available via AWS and GCP Marketplaces, so it's easy to procure - as the cost is simply included in the monthly cloud provider bill.
There's a high standard of documentation with example Terraform code, and we received a prompt response to a minor technical query.
We simply replaced our existing NAT Gateways with DiscrimiNAT, added the rules to our security groups, then checked traffic details in CloudWatch logs (AWS) or Cloud Logging (GCP).
It's particularly well suited to our organization with a large number of autonomous teams who want a simple, secure egress solution that's easy to configure, no change to application code, and no need for explicit proxy settings.
DiscrimiNAT is available via AWS and GCP Marketplaces, so it's easy to procure - as the cost is simply included in the monthly cloud provider bill.
There's a high standard of documentation with example Terraform code, and we received a prompt response to a minor technical query.
What do you dislike about the product?
One downside of DiscrimiNAT is that it can't filter on URL path - for example, you can't block all of github.com except for github.com/mycompany. However, implementing that level of control would require an SSL interception solution which isn't suitable for us, due to the need to install the proxy certificate chain as trusted in our server operating systems and applications.
What problems is the product solving and how is that benefiting you?
DiscrimiNAT provides controlled egress to authorized domains from cloud computing environments in AWS and GCP, using TLS and SSH. It significantly reduces the risk of data exfiltration, malware, and command and control using reverse shell attacks.
showing 1 - 3