BlastShield Documentation

BlastShield™ is a secure private network solution that protects assets and data by making them invisible to everyone except authenticated users. Unlike SSL-VPN based solutions, that have known exploits, BlastShield™ uses a patent-pending encrypted transport methodology that is immune to SSL-VPN exploits.

BlastShield™ is deployed as an in-line IP sub-network within an open IP network that creates a zero-trust protective shield around critical infrastructure assets and data by rendering them undetectable by modern network scanning and traffic analysis tools.  BlastShield™ provides a tunnelled secure network overlay for users and protected devices which is encrypted on a peer-to-peer basis and can only be accessed if a user or node has authenticated and is allowed by policy.

How is the BlastShield™ network implemented?

A BlastShield network consists of multiple nodes, a node being either a User, Gateway or Agent where each of which is configured for secure, encrypted communication of data over a general network.   The nodes and protected devices are organized as a mesh such that the protected devices are undetectable and un-addressable via the general network by entities external to the mesh. The BlastShield™ network is implemented in software as an overlay on top of the existing network where BlastShield™ packets are tunneled over the underlying network on a peer-to-peer basis between BlastShield™ nodes.

What types of networks can BlastShield™ run over?

BlastShield™ runs over any network (TCP/IP, SCADA, Internet, SD-WAN, etc.). In fact, BlastShield™ can even run over raw ethernet. This flexibility makes BlastShield™ perfect for complex network environments.

BlastShield™ is ideal for hybrid deployments with a mix of on-premises and cloud infrastructure as it can provide a single point of authentication, access control and micro-segmentation, greatly simplifying configuration and management.

How hard is it to deploy?

BlastShield™ is very easy to deploy, and a small network can be up and running in minutes. Each node will automatically discover the presence of the other nodes, determine data communication routes to the other nodes, and establish point-to-point encrypted tunnels between themselves and selected other nodes. If you want to learn how to deploy a BlastShield™ network you can view our Quick Start guide.

How do I access a BlastShield™ network?

You can remotely access a BlastShield™ network using the BlastShield™ Authenticator app or your FIDO2 Compliant Key. Both methods are highly secure and eliminate common threats such as phishing, and lateral attacks.

BlastShield™ uses passwordless multi-factor authentication (MFA). There is no username or password required. This makes BlastShield™ highly resistant to password theft, phishing and replay attacks because there is no password to lose or steal.

During this process the user is cryptographically challenged to prove that it is legitimate, and it must show that it can verify a security challenge sent by the network. In BlastShield™ all users, sessions and devices are identified and authenticated using public-private key-pairs. You can find more information on this in the Knowledge Base section on security.

How does a BlastShield™ Gateway make assets invisible?

A BlastShield™ Gateway (a software instance) that is in-line in front of the protected assets will isolate all those connected assets at the network layer. Any packets which cannot cryptographically authenticate will be dropped at the Gateway external interface. Once the gateway is in place, only authorized and authenticated BlastShield™ Users will be able to access the asset. Unauthorised connections will not be allowed and any network scanning tools will not be able to see the assets.