
BlastShield Documentation

Inline Gateway with MAC or VLAN addressing mode installation on x86 hardware

Use an inline active Gateway if you want to protect your assets against unauthorized lateral movement inside the network and make them invisible and isolated from unauthorized users.

vlan-and-mac-gateway.png

All protected Endpoints downstream from an Active Gateway will be rendered invisible to the network underlay, and access control will be managed by BlastShield™ policy. The Gateway provides isolation at the network layer, providing a virtual air gap and inhibiting unauthorized lateral movement between the protected endpoints. The endpoints will be unable to communicate with non-BlastShield nodes.

An active inline Gateway that controls lateral movement between endpoints is configured by setting the Gateway addressing mode to MAC or VLAN, and it can be installed on hardware with two or more NICs. You can optionally use a managed Ethernet switch downstream of the Gateway to connect multiple endpoints. If the Gateway is using MAC addressing mode, the Ethernet switch must be configured in port isolation mode, so that all downstream packets are forwarded to the Gateway rather than being switched directly between endpoints. If the Gateway is using VLAN addressing mode, the Ethernet switch must be configured to assign a unique VLAN ID to each connected endpoint.

Summary
  1. Install and provision the Gateway.

  2. Deploy the Gateway onto your network.

  3. Create endpoints on the Gateway for the protected devices.

  4. Configure an access policy and microsegmentation.

Prerequisites

Please be aware of the following requirements before you start:

  1. You will require read / write access to your BlastShield™ Orchestrator.

  2. Download the Gateway firmware. You can download it from here.

  3. You will require a USB flash drive to boot your hardware from, and a monitor and keyboard to connect to your server during the installation process.

  4. By default, the Gateway expects to receive an IP address for its public-side interface from the network via DHCP. Manual assignment is also supported during the installation process.

  5. You must have a suitable x86 hardware platform to install the Gateway software onto. Refer to the table of x86 Gateway hardware requirements for the minimum specifications.

x86 Gateway hardware requirements

  Parameter   Value
  CPU         Minimum Intel Atom with AES-NI support or Intel Celeron with AES-NI support. More powerful CPUs with AES-NI support, such as Core i3 or Xeon, are also supported.
  RAM         Minimum 4 GB
  HDD/SSD     Minimum 8 GB
  NICs        Two NICs required. Most NICs made by Intel, Broadcom and Mellanox are supported.

Note: a USB interface is required to connect the boot media.

You can either provision and register the Gateway directly from the Orchestrator UI if your workstation has port 80 access to the Gateway, or you can provision the Gateway using the .BSI file if you do not have port 80 access to the Gateway from your workstation.

Method 1: Provisioning directly from the Orchestrator UI

Use this method if you have port 80 access to the Gateway from your workstation.

Summary

  1. Download the Gateway firmware and flash it to a USB.

  2. Install the Gateway firmware on the x86 platform.

  3. Provision the Gateway from the Orchestrator.

Step 1: Download the Gateway firmware and flash it to a USB

  1. Download the Gateway firmware here.

  2. Unzip the Installer Package (Do NOT run the Installer file).

  3. Write the Installer Image to a USB drive using any available image writer.

    Note: there are several free utilities available for writing images to USB drives. We recommend the balenaEtcher software, but you can use any utility.

Step 2: Install the Gateway firmware on the x86 platform

In this step you will be booting the x86 platform from the USB image created in the previous step.

Connect your x86 platform as shown here, or use a serial console if you prefer.

x86-installer-2.png

Watch the following video or read the steps below to learn how to boot the x86 platform from the USB image.

  1. Making sure the x86 server is connected as shown above, power it on and exit the boot sequence using the break key that applies to your hardware, then select the boot setup menu.

  2. Re-boot your server from the USB image. Once the image boots, the setup process will begin.

  3. Select the uplink (network) interface for the Gateway from the displayed list.

  4. Select the address configuration (DHCP / manual configuration).

  5. Wait for the Gateway network interface to come up.

  6. You will see an alert stating that there is no .BSI file on the USB and that the Gateway will have to be provisioned post-install. Click OK.

  7. Select the endpoint interface(s) from the displayed list. You may select more than one endpoint interface, depending on your hardware.

    1. Use the up / down arrow keys to find each endpoint interface you want.

    2. Press the space-bar to select an interface. An asterisk will appear next to the selected interface.

    3. Press enter to confirm the selected interface(s).

  8. Select the target device (hard drive).

  9. Confirm that all data will be erased and the image will be installed on the server.

  10. When the installation is complete you will be prompted to remove the USB media, after which the server will re-boot. You can disconnect the monitor and keyboard from the Gateway hardware now.

    1. Remove the USB.

    2. Click on OK.

    3. The Gateway will gracefully restart.

  11. When the Gateway has restarted, the appliance provisioning menu will be displayed on the console. The Gateway is now ready to be provisioned from the Orchestrator.

    vm-psv-gw-instal-rel1-6-gw-CONSOLE-unprovisioned-appliance-menu.png

Step 3: Provision the Gateway from the Orchestrator

This section explains how to provision an x86 Gateway directly from the Orchestrator UI without the need for a .BSI file. Do this after you have installed the Gateway firmware on the x86 hardware.

Important

Before you start, you must have already installed the Gateway image on your x86 hardware. You will need the Gateway IP address and provisioning PIN code which is displayed on the Gateway console menu as shown below.

vm-psv-gw-instal-rel1-6-gw-CONSOLE-unprovisioned-appliance-menu.png

Note the Gateway IP address and provisioning PIN code from the Gateway console menu.

To learn how to do this watch the following video or read the steps below. You will need the IP address and provisioning PIN code that are displayed on the Gateway console menu at the completion of the firmware installation (shown on the right hand side of the screen in this video). This method requires port 80 access to the Gateway from your workstation.

Provisioning the Gateway from the Orchestrator
  1. From the Orchestrator, select "Gateways" from the left Menu.

  2. Select "Add New Gateway" from the Gateway List.

  3. Enter a Name for the new Gateway.

    active-gw-name.png
  4. Set the Addressing Mode for the Gateway:

    1. Choose either MAC Address or VLAN as the Addressing Mode, depending on your requirements.

      active-gw-addressing-mode-mac-address.png
  5. Select Save and Download Invitation.

  6. Select the option Provision running gateway appliance to start the Gateway provisioning process.

    active_gw-save-copy-invite-rel-1-6.png
  7. The Provision Gateway window will open. Use the provisioning PIN code and Local IP Address that were displayed on the console menu at the end of the firmware installation process.

    1. IP Address of Gateway: enter the IP address of the Gateway that is displayed in the Gateway console menu.

    2. Provisioning PIN code: enter the provisioning PIN code that is displayed in the Gateway console menu.

      vm-psv-gw-instal-rel1-6-gw-provision-gw-ui.png
    3. Click the Provision button to continue.

    4. When the Gateway provisioning has completed, the Registration successful message will be displayed.

      vm-psv-gw-instal-rel1-6-gw-registration-sucessful.png
    5. The Gateway status in the Orchestrator will show Online.

      new_Active_Gatewy_online_rel1-6.png

Method 2: Provisioning with a .BSI invitation file

Use this method if you do not have port 80 access to the Gateway from your workstation.

Summary
  1. Create a new Active Gateway in the Orchestrator and download the .BSI file.

  2. Download the Gateway firmware and flash it to a USB. Copy the .BSI file to the USB.

  3. Install the Gateway firmware on the x86 platform using the USB.

Step 1: Create a new Active Gateway in the Orchestrator and download the .BSI file

To learn how to do this watch the following video or read the steps below.

  1. From the Orchestrator, select "Gateways" from the left Menu.

  2. Select "Add New Gateway" from the Gateway List.

  3. Enter a Name for the new Gateway.

    active-gw-name.png
  4. Set the Addressing Mode for the Gateway:

    1. Choose either MAC Address or VLAN as the Addressing Mode, depending on your requirements.

      active-gw-addressing-mode-mac-address.png
  5. Select Save and Download Invitation.

    1. Select the option Save Invitation to disk to download the .BSI invitation file to your local computer. You will need this file later when you flash the Gateway software to your x86 hardware.

      active-gw-save-copy-invite-to-disk.png
Step 2: Download the Gateway firmware, flash it to a USB and copy the .BSI file to the USB

  1. Download the Gateway firmware here.

  2. Unzip the Installer Package (Do NOT run the Installer file).

  3. Write the Installer Image to a USB drive using any available image writer.

    Note: there are several free utilities available for writing images to USB drives. We recommend the balenaEtcher software, but you can use any utility.

  4. Once you have written the image to the USB, copy the invitation (.bsi) file to the root folder of this image on the USB.

Step 3: Install the Gateway firmware on the x86 platform using the USB

In this step you will be booting the x86 platform from the USB image created in the previous step.

Connect your x86 platform as shown here or use a serial console if you prefer.

gateway-installation-step3.png

Please watch the following video or read the steps below to learn how to boot the x86 platform from the USB image.

  1. Making sure the x86 server is connected as shown above, power it on and exit the boot sequence using the break key that applies to your hardware, then select the boot setup menu.

  2. Re-boot your server from the USB image. Once the image boots, the setup process will begin.

  3. Select the uplink (network) interface for the Gateway from the displayed list.

  4. Select the address configuration (DHCP / manual configuration).

  5. Wait for the Gateway network interface to come up.

  6. Select the endpoint interface(s) from the displayed list. You may select more than one endpoint interface, depending on your hardware.

    1. Use the up / down arrow keys to find each endpoint interface you want.

    2. Press the space-bar to select an interface. An asterisk will appear next to the selected interface.

    3. Press enter to confirm the selected interface(s).

  7. Select the invitation (.bsi) file.

  8. Select the target device (hard drive).

  9. Confirm that all data will be erased and the image will be installed on the server.

  10. When the installation is complete you will be prompted to remove the USB media, after which the server will re-boot.

    1. Remove the USB.

    2. Click on OK.

    3. The Gateway will gracefully restart.

  11. Go to your Orchestrator, and verify the Gateway status is now Online.

Deploying the Gateway onto your network

The BlastShield™ Gateway should be placed immediately upstream from the endpoint devices to be protected. If the endpoint devices connect to an Ethernet switch, the BlastShield™ Gateway should be upstream of the Ethernet switch.

To provide endpoint isolation and protection against unauthorized lateral movement, a Gateway may be provisioned with the endpoint addressing mode set to either MAC address or VLAN. The two deployment cases are explained below.

Gateways configured in "MAC Address" addressing mode

In this mode, the Gateway will identify endpoints by their MAC address. The BlastShield™ Gateway should be placed immediately upstream of the endpoint devices to be protected. If the endpoint devices connect to the Gateway via an Ethernet switch, the BlastShield™ Gateway should be upstream of the Ethernet switch and the switch should be configured to operate in port isolation mode.

MAC-GW-deployment.png

Endpoints are added by configuring the endpoint's MAC address into the Orchestrator. The Orchestrator will then allocate them an IP address in the secure overlay which may be used to address the endpoint.

Gateways configured in "VLAN" addressing mode

In this mode, the Gateway will identify endpoints by their VLAN ID. The BlastShield™ Gateway should be placed immediately upstream of the endpoint devices to be protected. The endpoint devices must connect to the Gateway via a VLAN-capable Ethernet switch, and the switch must mark each endpoint's traffic with a unique VLAN ID.

VLAN-GW-deployment.png

Endpoints are added by configuring the endpoint's VLAN ID into the Orchestrator. The Orchestrator will then allocate them an IP address in the secure overlay which may be used to address the endpoint.

Creating endpoints on the Gateway for the protected devices

  1. From within the Orchestrator, select "Gateways" from the left Menu.

  2. Select the desired Gateway from the Gateway List.

  3. Select "Add New Endpoint".

  4. Enter a name for the new endpoint.

  5. Check "Endpoint Enabled" to enable the endpoint.

  6. The IP address is auto-populated.

  7. Set the Endpoint Destination identifier.

    1. If the Gateway is using MAC address addressing mode, add the endpoint as follows:

      1. Enter the MAC Address for the endpoint device into the Destination (MAC Address) box in the Endpoint configuration on the Orchestrator.

      2. Select Save Changes to confirm.

      3. If the endpoint is reachable from the Gateway, the status of the endpoint will show as ONLINE.

      4. If it does not show as online, then check the connectivity between the Gateway and the endpoint device.

    2. If the Gateway is using VLAN addressing mode, add the endpoint as follows:

      1. Enter the VLAN ID for the endpoint device into the Destination (VLAN) box in the Endpoint configuration on the Orchestrator.

      2. Select Save Changes to confirm.

      3. If the endpoint is reachable from the Gateway, the status of the endpoint will show as ONLINE.

      4. If it does not show as online, then check the connectivity between the Gateway and the endpoint device.

About Groups

Groups allow you to micro-segment users and endpoints. A group is a logical collection of endpoints and/or users that are grouped together. Groups are connected via policies, which form the foundation for BlastShield access control and segmentation management.

  • Any combination of endpoints and/or users can be grouped together.

  • There is no limit to the number of endpoints and/or users that can be in a group.

  • Endpoints and users can be in one or multiple groups simultaneously.

  • Groups are linked together via policies to provide access between endpoints.

  • By default, endpoints/users cannot access or have visibility to other endpoints/users unless they are granted access via a policy.

About Policies

A policy defines how groups can interact. Groups are connected via policies, which form the foundation for BlastShield access control and segmentation management.

  • Each policy will have two sets of groups - "From" and "To".

  • The "From" set is one or more source groups.

  • The "To" set is one or more destination groups.

  • There is no limit to the number of groups in a given policy.

  • "From" Groups will have access to "To" Groups within the policy.

  • "To" Groups will not have access to "From" Groups within the policy.

  • Groups can be in one or multiple policies simultaneously.

groups1.png

Create Groups
  1. From the Orchestrator, select "Groups" from the left menu.

  2. Select "Add New Group" from the Group List.

  3. Enter a name for the new Group.

  4. To add members to the new group, click the "Add Members" button.

    1. If you are adding users to the group, select the desired Users which you want to be associated with the Group from the "Users" box.

    2. If you are adding Agents to the group then select the desired Agents which you want to be associated with the Group from the "Agents" box.

    3. If you are adding Gateway Endpoints then select the desired Endpoints from the "Endpoints" box.

    4. Alternatively, you can leave the members list empty and add/modify new members later.

  5. Click "Add Members" to save the members.

  6. Click "Save" to save the new group.

  7. Repeat, if required, to ensure you have one group for your endpoints and one group for your users, which is the minimum you will need in order to define the access policy.

Please refer to the following video, which is an example of creating one group for your users and one group for Host Agents.

Create a Policy to link your Groups
To connect your user groups and protected server groups, you must link them with a policy as described here:

Note

Users and Agents must be a member of a group for them to be used in a policy.

  1. Select "Policies" from the left menu.

  2. Select "Add New Policy" from the Policy List.

  3. Enter a name for the new Policy.

  4. Select desired "From" Groups to be associated with the new Policy.

  5. Select desired "To" Groups to be associated with the new Policy.

  6. Save the new Policy.

Policies are directional, so that you can control the direction in which connections may be initiated. Typically for remote access use-cases your policy would be from the "user group" to the "server group" so that users may start connections to the servers, but servers cannot start connections to users. You can create bi-directional permissions by using two policies.
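As an added illustration of the group and policy semantics described above (example code written for this page, not BlastShield's own code or data model; the group names, member ids and the `AccessModel` class are constructed for the example), the following Python model evaluates whether one member may initiate a connection to another under default deny and directional From/To policies, and shows that the reverse direction needs a second policy:

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    name: str
    from_groups: frozenset  # source groups: may initiate connections
    to_groups: frozenset    # destination groups: may only accept them


@dataclass
class AccessModel:
    """Default-deny model: nothing is reachable until a policy grants it."""
    groups: dict = field(default_factory=dict)   # group name -> set of member ids
    policies: list = field(default_factory=list)

    def add_group(self, name, members):
        # A user or endpoint may belong to any number of groups at once.
        self.groups[name] = set(members)

    def add_policy(self, name, from_groups, to_groups):
        unknown = (set(from_groups) | set(to_groups)) - set(self.groups)
        if unknown:  # only members of a group can be used in a policy
            raise ValueError(f"policy {name!r}: unknown groups {sorted(unknown)}")
        self.policies.append(Policy(name, frozenset(from_groups), frozenset(to_groups)))

    def groups_of(self, member):
        return {g for g, members in self.groups.items() if member in members}

    def may_initiate(self, src, dst):
        """True only if some policy lists a group of src in From and a group
        of dst in To. The check is one-way: the reverse needs its own policy."""
        src_groups, dst_groups = self.groups_of(src), self.groups_of(dst)
        return any(p.from_groups & src_groups and p.to_groups & dst_groups
                   for p in self.policies)


def build_example_model():
    # Constructed sample: one user group and two endpoint groups (hypothetical names).
    m = AccessModel()
    m.add_group("remote-workers", {"alice", "bob"})
    m.add_group("plc-endpoints", {"plc-1", "plc-2"})
    m.add_group("historians", {"historian-1"})
    # Users may open connections to the PLCs; the PLCs cannot open connections back.
    m.add_policy("workers-to-plcs", ["remote-workers"], ["plc-endpoints"])
    return m


if __name__ == "__main__":
    m = build_example_model()
    print(m.may_initiate("alice", "plc-1"))  # True: From group -> To group
    print(m.may_initiate("plc-1", "alice"))  # False: policies are directional
    print(m.may_initiate("plc-1", "plc-2"))  # False: no policy links the two endpoints
    m.add_policy("plcs-to-historians", ["plc-endpoints"], ["historians"])
    m.add_policy("historians-to-plcs", ["historians"], ["plc-endpoints"])
    print(m.may_initiate("historian-1", "plc-2"))  # True: the second policy adds the reverse
```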

The following video shows an example of creating an access Policy between a group of remote workers and a group of servers. The policy gives the remote workers authorisation to access the server group.