Security
This section provides a description of the security aspects of the BlastShield™ secure network.
BlastShield™ is an in-line IP sub-network within an open IP network that creates a zero-trust protective shield around critical infrastructure assets and data by rendering them undetectable by modern network scanning and traffic analysis tools. A BlastShield network consists of multiple nodes, where a node is a user, a Gateway or an Agent, and each node is configured for secure, encrypted communication of data over a general network. Each node can automatically discover the presence of the other nodes, determine data communication routes to them, and establish point-to-point encrypted tunnels between itself and selected other nodes. The nodes and protected devices are thus organized as a mesh, such that the protected devices are undetectable and un-addressable via the general network by entities external to the mesh.
BlastShield™ uses several different security techniques, which are summarized below. They are described more fully in the rest of the document.
Users, sessions and devices are identified and authenticated using public-private key pairs.
Traffic between nodes is encrypted using AES-256-GCM encryption.
No passwords are used in any part of the system.
Protected end-devices can be rendered un-addressable by unauthorised entities and hence invisible.
The network supports self-opening of connections through NAT devices, which minimises the attack surface. No inbound ports are required to be opened on the firewall.