
Welcome Wildcards!

From v2.8.0, DiscrimiNAT Firewall supports use of wildcards in an FQDN allowlist.

Last updated: January 10, 2025 to incorporate v2.9.0 improvements

Tip: If you're in an operations role (SRE, DevOps, etc.) the Operation section will be of particular interest to you.

Syntax

➟ The character _ (or even ? on GCP) may be used to substitute exactly one wild character in an FQDN to be allowed.

➟ Each _ (or ?) character must match exactly one permissible domain-name character. It cannot match zero characters, nor more than one.

➟ The character * (or %) may be used to substitute any number of characters.

➟ The set of wild characters is from a to z, 0 to 9 and the - (hyphen or minus) only.

➟ The . (period, dot or full stop) character is not included.

➟ You may use any number of wildcards in a single FQDN address (in the allowlist). See examples below.
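As an added example (not Chaser's code or the DiscrimiNAT Firewall's own matcher), the Python below translates the wildcard syntax above into anchored regular expressions so the rules can be checked against candidate FQDNs. It assumes that "any number of characters" for * includes an empty run, and that matching is case-insensitive, as DNS names are; the allowlist entries are constructed for illustration.

```python
import re

# Wildcard syntax of a DiscrimiNAT FQDN allowlist entry, as described above:
#   _ or ?  -> exactly one character from [a-z0-9-]
#   * or %  -> any run of characters from [a-z0-9-]
#              (assumed here to include the empty run)
#   .       -> literal; no wildcard ever matches a dot, so a wildcard
#              cannot span DNS labels
WILD_CHAR = "[a-z0-9-]"


def allowlist_entry_to_regex(entry: str) -> re.Pattern:
    """Compile one allowlist entry into an anchored, case-insensitive regex."""
    parts = []
    for ch in entry:
        if ch in "_?":
            parts.append(WILD_CHAR)          # exactly one wild character
        elif ch in "*%":
            parts.append(WILD_CHAR + "*")    # zero or more wild characters
        else:
            parts.append(re.escape(ch))      # literal, including the dot
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def fqdn_allowed(fqdn: str, allowlist: list[str]) -> bool:
    """True if the FQDN (trailing root dot ignored) matches any entry."""
    name = fqdn.rstrip(".")
    return any(allowlist_entry_to_regex(e).match(name) for e in allowlist)


# Constructed sample allowlist; the Datadog endpoint is the one cited later
# on this page, the GitHub entry is illustrative.
ALLOWLIST = [
    "7-32-_-app.agent.datadoghq.com",   # one version digit may vary
    "api.github.com",
]

if __name__ == "__main__":
    for candidate in (
        "7-32-3-app.agent.datadoghq.com",
        "7-32-33-app.agent.datadoghq.com",      # _ cannot match two chars
        "evil.7-32-3-app.agent.datadoghq.com",  # extra label is not allowed
        "API.GITHUB.COM.",                      # case and root dot ignored
        "api.github.com.example.test",          # suffix smuggling rejected
    ):
        print(f"{candidate:45} allowed={fqdn_allowed(candidate, ALLOWLIST)}")
```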

Introduction

The increasing prevalence of AI-powered tools has redefined software development. Like many others, we wanted to adopt these tools to enhance productivity and keep up with an evolving landscape. However, the integration of codebases, cloud services, and unsolicited telemetry raises important concerns about user privacy, data security and intellectual property protection.

This report seeks to answer some of our, and our customers', questions for seven of the most popular agentic code editors and plugins. By intercepting and analysing their network flows across a set of standardised tasks, we aim to gain insight into the behaviour, privacy implications, and telemetry patterns of these tools in real-world scenarios.

Incidentally, a side-effect was running into OWASP LLM07:2025 System Prompt Leakage for three of the chosen coding agents. You can see the system prompts in the appendix.

Lie: It's actually 5 fewer problems. But that wouldn't have made a catchy title.

The DiscrimiNAT Firewall now integrates with AWS' Gateway Load Balancer. Deploying this version alleviates five distinct problems.

  1. Exfiltration and Command & Control TTPs
  2. Discovery and maintenance of outbound FQDNs' allowlists
  3. High Availability
  4. Load Balancing
  5. Auto Scaling

Read on for more details.

learning

Test driving the Log4Shell vulnerability with various versions of Java and observing the network egress connections

Log4Shell in a nutshell

➟ An attacker is able to conduct a completely unauthenticated Remote Code Execution on a publicly-exposed service.

➟ If a JVM-based service (Java, Scala, etc.) is using the log4j logging library (very popular), the service is vulnerable.

➟ A patched version of the log4j library, version 2.15.0, that fixes this issue was released on 06 Dec 2021.

➟ log4j 2.16.0 was released at 13 Dec 22:28 with the following note:

learning

Identify and protect GitHub Actions' permissible network egress, with leak detection

The story of a pipeline nobody would like to see develop a leak.

GitHub Actions Pipeline Leak with Secrets and Snowflake Data

It runs in a self-hosted GitHub Actions Runner, spun up on AWS spot instances by philips-labs' terraform-aws-github-runner, connecting to Snowflake – with 'secrets' stored in GitHub itself.

🏗 we build the normal list of FQDNs such a pipeline accesses when run
🔒 enforce it via the DiscrimiNAT Firewall
🔇 introduce an unobtrusive curl command, like in the Codecov Uploader breach
🚫 see it fail in exfiltrating any data from the CI environment
🔎 detect the attempt in flow logs

Last updated: Mar 20, 2023

The week before the pentest

The situation is nothing to write home about. C2 malware, supply-chain risk, ransomware, cryptomining, unsolicited telemetry, plaintext protocols across the Internet, escalating data egress charges – you name it – this one unplugged gap in the Cloud, the outbound connections originating from your deployments, keeps on giving (or taking).

With no human-readable visibility on any egress flows, there is not much you can do with all those IP addresses in the flow logs. Talk about flying blind. It's time to install a filtering proxy, and Squid is the word on the grapevine.

Let's take a deep-dive 🔎

Why do we seek IP addresses in the Cloud-first world?

  • Is it the mindset leftover from the bygone era of procured hardware & CIDR blocks?
  • Is it the availability of published IP ranges that makes you want to utilise them?
  • Or is it a fundamental part of how the internet works that is hard to detach from?

Let's consider the case of Datadog Agent v7.32.3, the endpoint for which, as per official docs, would simply be 7-32-3-app.agent.datadoghq.com. This is the contract Datadog will fulfil, and we shouldn't assume more.

But first, Datadog IP ranges at present...

learning

A closer look at what data is sent to entropy.ubuntu.com on Cloud instance boot

Routine Test

At Chaser, we routinely test a variety of real-world setups through the DiscrimiNAT Firewall. It helps us keep on top of implementation subtleties by different vendors and identify any regressions early as we improve the product.

FQDN filter for Ubuntu on GCP egress, shall we?

So we fire up Ubuntu Bionic Beaver LTS this time, with egress allowed to 0.0.0.0/0 on all ports.