BlastShield Documentation

Gateway Addressing Modes

The addressing mode of a Gateway defines how the Gateway will identify and communicate with its endpoints. The type of addressing mode depends on the use case and level of isolation required and is set in the Orchestrator when the Gateway is created. The different addressing modes are described below.

IP Address (Source and Destination NAT)

In Source+Destination NAT mode the Gateway is deployed out of line. It can be deployed with minimal changes to the network (no changes to the routing or IP addressing of endpoints are required). The Gateway rewrites destination addresses for all endpoint packets: the packets from the user have their destination address rewritten from the address configured in the overlay to the IP address entered as the destination. The Gateway also rewrites the source address and port to the Gateway's local IP address, so that the packet appears to have come from the Gateway directly. The destination IP address of each endpoint is configured in the Orchestrator.

  1. Source+Destination NAT addressing mode allows the Gateway to be deployed without changing the local IP addressing of the endpoints.

  2. A Source+Destination NAT Gateway does not require any changes to the local routing.

  3. Endpoints are not able to connect out on the BlastShield™ overlay network.

  4. A Source+Destination NAT Gateway does not provide local segmentation or isolation of endpoints.

  5. A typical use case is secure remote access to endpoints for maintenance and monitoring and securing devices in remote locations.

IP Address (Destination NAT)

In Destination NAT mode the Gateway is usually deployed inline to provide endpoint isolation, but it can also be deployed out of line if required (in the latter case it will not provide local isolation or segmentation).  The Gateway rewrites destination addresses for all endpoint packets; the packets from the user will have the destination address rewritten from the address configured in the overlay to the IP address entered as the destination.  The destination IP address of each endpoint is configured in the Orchestrator.

  1. Destination NAT addressing mode allows the Gateway to be deployed without changing the local IP addressing of the endpoints. 

  2. A routing change is required for the endpoints to be able to communicate out on the BlastShield™ overlay network: the Gateway's endpoint interface address should be configured as the default gateway on the endpoints, or provisioned as a static route to the BlastShield™ overlay network prefix.

  3. A Destination NAT Gateway can be configured and deployed to provide local segmentation and isolation of endpoints or to allow local communication between endpoints, as described below.

    1. To provide local separation of endpoints, the Destination NAT Gateway should either be connected to the endpoints using a managed switch with port isolation mode enabled, or the Gateway appliance should have multiple downstream ports, with one endpoint connected per port.

    2. To allow connectivity between endpoints on the local network, the Destination NAT Gateway should be deployed using an unmanaged switch or a managed switch with port isolation disabled.

    3. Combinations of the above two scenarios are also supported, where strict separation per interface is applied at the Gateway level between two or more downstream network segments, while within each connected downstream segment the switches allow the endpoints to communicate freely with each other.

  4. Typical use cases include securing and isolating an OT network from an IT network, secure remote access for external users and securing devices in remote locations.
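To make the difference between the two IP-address modes concrete, here is a small Python model of the translations described above. It is an added example written for this page, not BlastShield code: the overlay prefix 100.64.0.0/10, the local subnet 192.168.10.0/24, the ports, and the connection-tracking table used for the Source+Destination NAT reverse path are all constructed assumptions about how such a gateway could be modelled. It shows why a Destination NAT deployment needs the routing change in item 2 (the endpoint's reply is addressed to the user's overlay address, which is off its local subnet), why a Source+Destination NAT deployment does not (the reply goes to the Gateway's own local address), and why in the latter mode an endpoint cannot originate a connection onto the overlay.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Toy model of the two IP-address modes; all addresses are constructed."""

    def __init__(self, mode: str, gateway_local_ip: str, local_subnet: str,
                 endpoints: Dict[str, str]):
        if mode not in ("dnat", "snat_dnat"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.gateway_local_ip = gateway_local_ip
        self.local_subnet = ipaddress.ip_network(local_subnet)
        # overlay address -> endpoint local IP, as entered in the Orchestrator
        self.overlay_to_local = dict(endpoints)
        self.local_to_overlay = {v: k for k, v in endpoints.items()}
        # snat_dnat only: gateway source port -> original user (ip, port).
        # A connection table like this is an assumption of the model.
        self.conntrack: Dict[int, Tuple[str, int]] = {}
        self._next_port = 40000

    def from_user(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the overlay towards an endpoint."""
        local_ip = self.overlay_to_local.get(pkt.dst_ip)
        if local_ip is None:
            return None                        # not a configured endpoint: drop
        out = replace(pkt, dst_ip=local_ip)    # destination NAT in both modes
        if self.mode == "snat_dnat":
            port = self._next_port
            self._next_port += 1
            self.conntrack[port] = (pkt.src_ip, pkt.src_port)
            # source NAT: the endpoint sees the Gateway's local address as sender
            out = replace(out, src_ip=self.gateway_local_ip, src_port=port)
        return out

    def from_endpoint(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from an endpoint towards the overlay."""
        overlay_ip = self.local_to_overlay.get(pkt.src_ip)
        if overlay_ip is None:
            return None
        if self.mode == "snat_dnat":
            # Only replies to an existing translation pass; the endpoint cannot
            # originate a connection onto the overlay (item 3 of that mode).
            if pkt.dst_ip != self.gateway_local_ip or pkt.dst_port not in self.conntrack:
                return None
            user_ip, user_port = self.conntrack[pkt.dst_port]
            return replace(pkt, src_ip=overlay_ip, dst_ip=user_ip, dst_port=user_port)
        # dnat: source mapped back to the overlay address, destination untouched
        return replace(pkt, src_ip=overlay_ip)

    def endpoint_needs_overlay_route(self, reply: Packet) -> bool:
        """True when the endpoint's reply leaves its local subnet, i.e. the endpoint
        needs the Gateway as default gateway or a static route to the overlay prefix."""
        return ipaddress.ip_address(reply.dst_ip) not in self.local_subnet


def walk_through(mode: str):
    """One user request, the endpoint's reply, and an endpoint-initiated attempt."""
    gw = NatGateway(mode, "192.168.10.1", "192.168.10.0/24",
                    {"100.64.0.20": "192.168.10.20"})
    user_pkt = Packet("100.64.0.10", 51515, "100.64.0.20", 502)  # user -> endpoint's overlay address
    to_endpoint = gw.from_user(user_pkt)
    # The endpoint answers whatever source address and port it actually saw.
    reply = Packet(to_endpoint.dst_ip, to_endpoint.dst_port,
                   to_endpoint.src_ip, to_endpoint.src_port)
    to_user = gw.from_endpoint(reply)
    # The endpoint tries to open its own connection out onto the overlay.
    outbound = gw.from_endpoint(Packet("192.168.10.20", 40001, "100.64.0.30", 443))
    return to_endpoint, reply, to_user, gw.endpoint_needs_overlay_route(reply), outbound


if __name__ == "__main__":
    for mode in ("dnat", "snat_dnat"):
        print(mode, *walk_through(mode), sep="\n  ")
```

Running `walk_through("dnat")` shows the endpoint replying to 100.64.0.10, an address outside 192.168.10.0/24, so `endpoint_needs_overlay_route` is true; in `"snat_dnat"` the reply goes to 192.168.10.1 on the local subnet, and the endpoint's own outbound attempt to the overlay is dropped because no translation exists for it.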

VLAN addressing mode

In this mode, the Gateway is deployed inline and identifies endpoint devices by their VLAN ID. Each endpoint must be assigned a dedicated VLAN ID, either via a connected downstream managed switch or directly on the Gateway appliance by using an appliance with multiple downstream NICs. In the latter case, each interface is assigned its own VLAN ID, starting from 1, and each endpoint is connected to a dedicated interface. The VLAN ID of each endpoint is configured in the Orchestrator.

In VLAN addressing mode, all endpoint packets are forwarded via the Gateway, even if the endpoint is communicating with another endpoint on the local network.  The Gateway makes a decision on whether to forward a packet or not based on the applied policy.  Unauthorized packets will be dropped and any corresponding connection reset.

  1. VLAN addressing mode will change the endpoint IP addresses, and endpoints will only be reachable via the BlastShield™ overlay.

  2. The VLAN addressing mode Gateway does not require any changes to the local routing for endpoints to communicate out on the BlastShield™ overlay network.

  3. A Gateway in VLAN addressing mode will provide isolation and local segmentation of endpoints.

  4. If there is more than one endpoint, then the Gateway must be either connected to the endpoints using a managed switch which sets a unique VLAN ID for each endpoint, or the Gateway appliance should have multiple downstream ports, with one port per endpoint.

  5. Typical use cases include securing OT devices, secure remote access for external users and securing devices in remote locations.

MAC addressing mode

In this mode, the Gateway is deployed inline and identifies endpoints by their MAC address; the MAC address of each endpoint is configured in the Orchestrator.

In MAC addressing mode, all endpoint packets are forwarded via the Gateway, even if the endpoint is communicating with another endpoint on the local network.  The Gateway makes a decision on whether to forward a packet or not based on the applied policy.  Unauthorized packets will be dropped and any corresponding connection reset.

If an Ethernet switch is required to aggregate multiple endpoints to a Gateway running in MAC addressing mode, the switch must be a managed switch with port separation (port isolation mode) enabled. This ensures that all packets from endpoints are always forwarded up to the Gateway, where they are forwarded or dropped according to the applied policy, with the corresponding connection reset for unauthorized packets. Port separation on the switch also ensures that ARP requests from endpoints reach the Gateway, so that the Gateway responds with its own MAC address instead of the endpoint responding. For this reason it is not recommended to use an unmanaged switch.

An alternative deployment option is to use Gateway appliance hardware with multiple downstream physical interfaces, so that each endpoint is connected to a dedicated interface, which achieves local segmentation.

  1. MAC addressing mode will change the endpoint IP addresses, and endpoints will only be reachable via the BlastShield™ overlay.

  2. The MAC addressing mode Gateway does not require any changes to the local routing for endpoints to communicate out on the BlastShield™ overlay network.

  3. A Gateway in MAC addressing mode will provide isolation and local segmentation of endpoints.

  4. If there is more than one endpoint, then the Gateway must be either connected to the endpoints using a downstream managed switch in port isolation mode, or the Gateway appliance should have multiple downstream ports, with one port per endpoint.

  5. Typical use cases include securing OT devices, secure remote access for external users and securing devices in remote locations.
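The following Python example, added here and not part of BlastShield's documentation or code, parses 802.1Q-tagged and untagged Ethernet frames and shows how an inline gateway can identify the sending endpoint by VLAN ID (VLAN addressing mode) or by source MAC (MAC addressing mode) and then forward, drop, or drop-and-reset the packet according to policy, as both sections above describe. The endpoint registry, the policy format (allowed endpoint-to-destination-IPv4 pairs), the MAC addresses and the IP addresses are all constructed; mapping an untagged frame on a multi-NIC appliance's port n to VLAN ID n follows the page's note that interface VLAN IDs start from 1, but is otherwise an assumption of the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100      # EtherType value that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    ethertype: int
    payload: bytes


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame carrying at most one 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan_id = tci & 0x0FFF          # low 12 bits of the TCI are the VLAN ID
        offset = 18
    return Frame(mac_to_str(dst), mac_to_str(src), vlan_id, ethertype, raw[offset:])


def ipv4_dst_and_proto(payload: bytes) -> Tuple[Optional[str], Optional[int]]:
    """Pull the destination address and protocol number out of an IPv4 header."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None, None
    return ".".join(str(b) for b in payload[16:20]), payload[9]


def build_frame(dst_mac: str, src_mac: str, vlan_id: Optional[int], payload: bytes) -> bytes:
    """Constructed test frames: optional 802.1Q tag followed by an IPv4 payload."""
    hdr = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac)
    if vlan_id is None:
        hdr += struct.pack("!H", ETHERTYPE_IPV4)
    else:
        hdr += struct.pack("!HHH", TPID_8021Q, vlan_id & 0x0FFF, ETHERTYPE_IPV4)
    return hdr + payload


def build_ipv4(src_ip: str, dst_ip: str, proto: int) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero; nothing here validates it)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, src, dst)


# Constructed endpoint registry, standing in for what the Orchestrator holds.
PLC_MAC, HMI_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"
REGISTRY = {
    "vlan": {1: "plc-1", 2: "hmi-1"},            # VLAN ID -> endpoint
    "mac": {PLC_MAC: "plc-1", HMI_MAC: "hmi-1"},  # source MAC -> endpoint
}
# Constructed policy: (endpoint, destination IPv4) pairs that may be forwarded.
POLICY = {("hmi-1", "10.0.0.1")}


def identify_endpoint(frame: Frame, mode: str, registry: dict,
                      ingress_port: Optional[int] = None) -> Optional[str]:
    """Name the sending endpoint under the given addressing mode, or None if unknown."""
    if mode == "vlan":
        # On a multi-NIC appliance an untagged frame is keyed on its ingress port,
        # treating port n as VLAN ID n (assumption, following "starting from 1").
        key = frame.vlan_id if frame.vlan_id is not None else ingress_port
        return registry["vlan"].get(key)
    if mode == "mac":
        return registry["mac"].get(frame.src_mac)
    raise ValueError(f"unknown addressing mode {mode!r}")


def gateway_decision(frame: Frame, mode: str, registry: dict, policy: set,
                     ingress_port: Optional[int] = None) -> str:
    """Return 'forward', 'drop', or 'drop+reset' for one endpoint frame."""
    endpoint = identify_endpoint(frame, mode, registry, ingress_port)
    if endpoint is None or frame.ethertype != ETHERTYPE_IPV4:
        return "drop"                     # unconfigured endpoint or non-IP traffic
    dst_ip, proto = ipv4_dst_and_proto(frame.payload)
    if dst_ip is None:
        return "drop"
    if (endpoint, dst_ip) in policy:
        return "forward"
    # Unauthorised: dropped, and a TCP connection is also reset.
    return "drop+reset" if proto == IPPROTO_TCP else "drop"


if __name__ == "__main__":
    hmi_to_plc = parse_frame(build_frame(PLC_MAC, HMI_MAC, 2, build_ipv4("10.0.0.2", "10.0.0.1", IPPROTO_TCP)))
    plc_to_hmi = parse_frame(build_frame(HMI_MAC, PLC_MAC, 1, build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_TCP)))
    for mode in ("vlan", "mac"):
        print(mode, gateway_decision(hmi_to_plc, mode, REGISTRY, POLICY),
              gateway_decision(plc_to_hmi, mode, REGISTRY, POLICY))
```

Because every endpoint frame reaches the Gateway in both modes, the same frame from the HMI to the PLC is forwarded whether the endpoint was recognised by VLAN 2 or by its source MAC, while the PLC's attempt to reach the HMI is dropped with a reset; a frame on a VLAN ID that is not in the registry is simply dropped, which is the behaviour to expect when a switch port has not been given its dedicated VLAN.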