Add BlastShield™ Agents and Gateways to protect your servers
Created: Dec 21, 2021
Updated: June 24, 2022
Welcome to the BlastShield™ Quick Start Guide. In this series of articles you will learn how to set up your BlastShield™ protected network. To get your BlastShield network up and running, the following workflows are required.
The BlastShield™ Agent is an application installed on your server which enables secure peer-to-peer access from the BlastShield™ protected network. It is faster and more reliable than a conventional VPN solution and automatically combines zero-trust access and micro segmentation with remote access capability. Access is supported not just from remote user to server, but also from server to server. A BlastShield™ Agent is installed on each server which you want to protect. Access to that server is then secured in the BlastShield™ encrypted mesh. To connect to the server that is protected with a BlastShield™ Agent, a user must authenticate and join the BlastShield™ network using our multi-factor password-less remote authentication. With BlastShield™ STARTER you can have up to 100 endpoints connected in a protected network. An endpoint can be a Client/User (Desktop/Laptop/Mobile Device) or Linux Host. To protect more than 100 endpoints, an upgrade is available, via the website, to BlastShield™ PROFESSIONAL.
Adding a new Agent - summary
The process to install and set up the BlastShield™ Agent on a server is summarised here:
Create a new Agent instance in the Orchestrator and copy the registration information.
Install the Agent on the server. The Agent will start automatically and register with the Orchestrator.
Configure a policy to authorise access to the Agent.
Currently supported builds
We currently have support for the following operating systems.
If you don't see the operating system which you are using in this list, then please contact us here so that we can help you get the correct build.
Learn how to add a new BlastShield™ Agent to a Linux server by watching the following video or reading the steps below.
Step 1: Add a new Agent in the Orchestrator
Click on "Agents" in the "Manage" menu in the left sidebar, and then click the red "Add New Agent" button at the top right.
The New Agent dialogue opens. Add a name for the Agent and a DNS Hostname. The DNS Hostname is optional and can be used to identify the Agent in the BlastShield™ network, as BlastShield runs its own DNS.
Then click on the red "Save and Download Invitation" button and choose the option for "Save and copy Linux/macOS installation command to the clipboard". Click on that option to copy the command.
Step 2: Install and register the Agent
Open a terminal session on the Linux server where you are going to install the Agent.
Paste the command you just copied to the terminal and hit enter. This will start the software download.
The software will automatically install and run. The Agent will then automatically register with the Orchestrator. When the process has completed you will see the following message in the terminal window:
"Installation successful, the agent IP address is <Agent IP address>."
Step 3: View the status of the Agent
Now that the installation and registration processes have completed, your Agent is up and running.
You can check the status of the Agent by typing the following:
sudo systemctl status blastshield
The logs may be viewed as follows:
sudo journalctl -u blastshield.service
The status of the new Agent on your server should appear as "Online" in the Orchestrator as shown in the image below.
When the status of the Agent is ‘Online’ this shows that the Agent is operational and the Orchestrator can communicate with the Agent.
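The two Step 3 commands can be combined into one host-side check to run after each install. This is an added example, not BlastShield's own tooling: only the unit name blastshield comes from this guide, while the function names, verdict strings, exit codes and 15-minute log window are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not vendor tooling): host-side health check for the Agent.
# Only the unit name is taken from the guide; everything else is assumed.
UNIT="blastshield.service"
WINDOW="15 minutes ago"   # assumed look-back window for error-level log lines

# Count journal lines for the unit at priority "err" or worse in the window.
recent_errors() {
    journalctl -u "$UNIT" -p err --since "$WINDOW" --no-pager -q 2>/dev/null \
        | grep -c . || true
}

# Print a one-line verdict. Returns 0 = healthy, 1 = warning, 2 = not running.
check_agent() {
    local active enabled errs
    active=$(systemctl is-active "$UNIT" 2>/dev/null || true)
    enabled=$(systemctl is-enabled "$UNIT" 2>/dev/null || true)
    errs=$(recent_errors)

    if [ "$active" != "active" ]; then
        echo "FAIL: $UNIT is '${active:-unknown}'; inspect: journalctl -u $UNIT"
        return 2
    fi
    if [ "$enabled" != "enabled" ]; then
        echo "WARN: $UNIT is running but is '${enabled:-unknown}' at boot"
        return 1
    fi
    if [ "$errs" -gt 0 ]; then
        echo "WARN: $UNIT is running with $errs error-level log lines since $WINDOW"
        return 1
    fi
    echo "OK: $UNIT is active, enabled at boot, no recent error-level log lines"
    return 0
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_agent
    exit $?
fi
```

Run it with sudo and the --check argument so the journal is readable. A passing result only covers the host side; the Orchestrator must still show the Agent as "Online".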
The BlastShield™ interface that has been created by the Agent on the server will only be accessible to authorised and authenticated BlastShield users. To access this interface you must set up groups and access policies for your users. The default behaviour is to block access until a policy has been created. You can learn how to create policies in the following section.
Click on "Agents" in the "Manage" menu in the left sidebar, and then click the red "Add New Agent" button at the top right.
The New Agent dialogue opens. Add a name for the Agent and a DNS Hostname. The DNS Hostname is optional and can be used to identify the Agent in the BlastShield™ network, as BlastShield runs its own DNS.
Then click on the red "Save and Download Invitation" button and choose the option for "Save and copy invitation contents to the clipboard". Click on that option to copy the invitation.
Step 2: Install and register the Agent
Open a session on the Windows server where you are going to install the Agent.
The installer will install and run the Agent software and ask you for the .bsi invitation information which you have already copied from the BlastShield Orchestrator.
Paste the invitation contents which you just copied to the clipboard into the installer and click Start to start the registration process.
When the process has completed the installer displays a "Registration successful." message.
Step 3: View the status of the Agent
Now that the installation and registration processes have completed, your Agent is up and running. The status of the Agent as shown in the Orchestrator will change to Online as shown below.
When the status of the Agent is ‘Online’ this shows that the Agent is operational and the Orchestrator can communicate with the Agent.
The BlastShield™ interface that has been created by the Agent on the server will only be accessible to authorised and authenticated BlastShield users. To access this interface you must set up groups and access policies for your users. The default behaviour is to block access until a policy has been created.
Learn how to add a BlastShield™ Agent on macOS by watching the following video or reading the steps below.
Step 1: Add a new Agent in the Orchestrator
Click on "Agents" in the "Manage" menu in the left sidebar, and then click the red "Add New Agent" button at the top right.
The New Agent dialogue opens. Add a name for the Agent and a DNS Hostname. The DNS Hostname is optional and can be used to identify the Agent in the BlastShield™ network, as BlastShield runs its own DNS.
Then click on the red "Save and Download Invitation" button and choose the option for "Save and copy Linux/macOS installation command to the clipboard". Click on that option to copy the command.
Step 2: Install and register the Agent
Open a terminal session to the server where you are going to install the Agent.
Paste the command you just copied to the terminal and hit enter. This will start the software download.
The software will automatically install and run. The Agent will then automatically register with the Orchestrator. When the process has completed you will see the following message in the terminal window:
"Installation successful."
Step 3: View the status of the Agent
Now that the installation and registration processes have completed, your Agent is up and running. The status of the Agent as shown in the Orchestrator will change to Online as shown below.
Logs for the Agent may be viewed in the Console.app.
Add BlastShield™ Gateways to protect your endpoints
Using the Gateway is optional, and depends on the type of assets you have and the environment which the assets are in. Please talk to us if you have questions about deploying a Gateway. Contact us here.
Gateways are used to protect assets without having to install any software on the asset itself. We call the assets which a Gateway is protecting "endpoints". An endpoint can be any device which has an Ethernet network interface, such as a server, IP-connected camera, industrial controller (e.g. PLC) or an IoT device. The Gateway sits immediately upstream of the assets which it is protecting. It provides endpoint invisibility, isolation and micro-segmentation, and allows secure remote access to endpoints for authenticated users based on a zero-trust policy methodology.
To deploy a Gateway and protect endpoints you must do the following:
Create a Gateway profile and invitation file in the Orchestrator.
Deploy the Gateway software and register it with the invitation file.
Create the endpoint profiles in the Orchestrator and add them to the Gateway.
A Gateway is created by installing the Gateway software on an x86 platform, AWS instance or VMware hypervisor.
Learn how to install a Gateway on x86 server hardware here.
To connect a Gateway running on an x86 server to the network once you have installed it, click here.
To learn how to install a Gateway in AWS, click here.
Learn about how to install a Gateway on VMware ESXi here.
To learn how to add endpoints to a Gateway, click here.