Add BlastShield™ Agents and Gateways to protect your servers

Welcome to the BlastShield™ Quick Start Guide. In this series of articles you will learn how to set up your BlastShield™ protected network. To get your BlastShield network up and running, the following workflows are required.

  1. Sign up for a BlastShield™ Enterprise or Professional plan. Once your account has been created, you will receive your .bsi invitation file.
  2. Register and connect to the BlastShield™ Orchestrator.
  3. Add BlastShield™ Agents and Gateways to protect your servers (this article).
  4. Create policy for zero-trust access.
  5. Add new users to your protected network.

Add BlastShield™ Agents to protect your servers

The BlastShield™ Agent is an application installed on your server which enables secure peer-to-peer access from the BlastShield™ protected network. It is faster and more reliable than a conventional VPN solution and automatically combines zero-trust access and micro segmentation with remote access capability. Access is supported not just from remote user to server, but also from server to server. A BlastShield™ Agent is installed on each server which you want to protect.  Access to that server is then secured in the BlastShield™ encrypted mesh.  To connect to the server that is protected with a BlastShield™ Agent, a user must authenticate and join the BlastShield™ network using our multi-factor password-less remote authentication.
With BlastShield™ STARTER you can have up to 100 endpoints connected in a protected network. An endpoint can be a Client/User (Desktop/Laptop/Mobile Device) or Linux Host. To protect more than 100 endpoints, an upgrade is available, via the website, to BlastShield™ PROFESSIONAL.


Adding a new Agent - summary

The process to install and set up the BlastShield™ Agent on a server is summarised here:

  1. Create a new Agent instance in the Orchestrator and copy the registration information.
  2. Install the Agent on the server. The Agent will start automatically and register with the Orchestrator.
  3. Configure a policy to authorise access to the Agent.

Currently supported builds

We currently have support for the following operating systems.

If you don't see the operating system which you are using in this list, then please contact us here so that we can help you get the correct build.

Ubuntu

  • Ubuntu 20.10
  • Ubuntu 20.04.2 LTS
  • Ubuntu 18.04 LTS

Debian

  • Debian 11 (Bullseye)
  • Debian 10 (Buster)

CentOS

  • CentOS 8
  • CentOS 7

Amazon

  • Amazon Linux 2

Raspberry Pi

  • Raspbian GNU/Linux 10 (buster)

Windows (Download the Windows Agent installer)

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012
  • Windows 10

macOS

  • macOS 10.13 and later


Linux Agent Installation

Learn how to add a new BlastShield™ Agent to a Linux server by watching the following video or reading the steps below.

Step 1: Add a new Agent in the Orchestrator

  1. Click on "Agents" in the "Manage" menu in the left sidebar, and then click the red "Add New Agent" button at the top right.
  2. The New Agent dialogue opens. Add a name for the Agent and a DNS Hostname. The DNS Hostname is optional and can be used to identify the Agent in the BlastShield™ network, as BlastShield runs its own DNS.
  3. Then click on the red "Save and Download Invitation" button and choose the option for "Save and copy Linux/macOS installation command to the clipboard". Click on that option to copy the command.

Step 2: Install and register the Agent

Open a terminal session on the Linux server where you are going to install the Agent.

  1. Paste the command you just copied to the terminal and hit enter. This will start the software download.
  2. The software will automatically install and run. The Agent will then automatically register with the Orchestrator. When the process has completed you will see the following message in the terminal window:

"Installation successful, the agent IP address is <Agent IP address>."

Step 3: View the status of the Agent

Now that the installation and registration processes have completed, your Agent is up and running.

You can check the status of the Agent by typing the following:

sudo systemctl status blastshield

The logs may be viewed as follows:

sudo journalctl -u blastshield.service

The status of the new Agent on your server should appear as "Online" in the Orchestrator as shown in the image below. 

When the status of the Agent is ‘Online’ this shows that the Agent is operational and the Orchestrator can communicate with the Agent.

The BlastShield™ interface that has been created by the Agent on the server will only be accessible to authorised and authenticated BlastShield users. To access this interface you must set up groups and access policies for your users. The default behaviour is to block access until a policy has been created. You can learn how to create policies in the following section.
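
A post-install check for Step 3, as an added example that is not part of the vendor's guide. It uses the `blastshield` unit name and the success message shown above; the saved installer transcript, the function names and the `SYSTEMCTL` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not vendor code. The unit name `blastshield` and the success
# message come from this guide; the transcript file and SYSTEMCTL override are
# assumptions made for this example.

# Print the Agent IP from the installer's success line; return 1 if absent.
agent_ip_from_log() {
    ip=$(sed -n 's/^.*Installation successful, the agent IP address is //p' "$1" 2>/dev/null |
         tail -n 1 | tr -d '[:space:]"' | sed 's/\.$//')
    case "$ip" in
        ''|*[!0-9A-Fa-f:.]*) return 1 ;;   # no success line, or not IP-shaped
    esac
    printf '%s\n' "$ip"
}

# Print the unit's runtime and boot state; succeed only if active AND enabled.
agent_service_state() {
    sc=${SYSTEMCTL:-systemctl}
    active=$("$sc" is-active blastshield 2>/dev/null) || active=${active:-unknown}
    enabled=$("$sc" is-enabled blastshield 2>/dev/null) || enabled=${enabled:-unknown}
    printf 'active=%s enabled=%s\n' "$active" "$enabled"
    [ "$active" = active ] && [ "$enabled" = enabled ]
}

# Combine both checks; on failure, show the most recent service log lines.
verify_agent_install() {
    rc=0
    if ip=$(agent_ip_from_log "$1"); then
        echo "installer reported agent IP: $ip"
    else
        echo "no success message in $1" >&2; rc=1
    fi
    agent_service_state || rc=1
    if [ "$rc" -ne 0 ] && command -v journalctl >/dev/null 2>&1; then
        journalctl -u blastshield.service -n 20 --no-pager >&2 || true
    fi
    return "$rc"
}

# Run only when a transcript path is given, e.g.: sh verify.sh install.log
if [ "$#" -gt 0 ]; then
    verify_agent_install "$1"
fi
```

A non-zero exit means the success line was missing from the transcript, or the service is not both running and enabled at boot.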

Linux Agent manual installation

You can alternatively use the standard package manager commands to install the Agent on Linux. See this section to learn about the manual installation process.

Next Step:

See the next section, Create policy for zero-trust access, to learn how to create policies.

Windows Agent Installation

Learn how to add a new BlastShield™ Agent to a Windows server by watching the following video or reading the steps below.
Use the following download link for the BlastShield Windows Agent installer.
Download the Windows Agent installer

Step 1: Add a new Agent in the Orchestrator

  1. Click on "Agents" in the "Manage" menu in the left sidebar, and then click the red "Add New Agent" button at the top right.
  2. The New Agent dialogue opens. Add a name for the Agent and a DNS Hostname. The DNS Hostname is optional and can be used to identify the Agent in the BlastShield™ network, as BlastShield runs its own DNS.
  3. Then click on the red "Save and Download Invitation" button and choose the option for "Save and copy invitation contents to the clipboard". Click on that option to copy the invitation.

Step 2: Install and register the Agent

Open a session on the Windows server where you are going to install the Agent.

  1. Download the Windows Agent Installer to the Windows computer and run the installer.
  2. The installer will install and run the Agent software and ask you for the .bsi invitation information which you have already copied from the BlastShield Orchestrator.
  3. Paste the invitation contents which you just copied to the clipboard into the installer and click Start to start the registration process.
  4. When the process has completed the installer displays a "Registration successful." message.

Step 3: View the status of the Agent

Now that the installation and registration processes have completed, your Agent is up and running. The status of the Agent as shown in the Orchestrator will change to Online as shown below.

When the status of the Agent is ‘Online’ this shows that the Agent is operational and the Orchestrator can communicate with the Agent.

The BlastShield™ interface that has been created by the Agent on the server will only be accessible to authorised and authenticated BlastShield users.  To access this interface you must set up groups and access policies for your users.  The default behaviour is to block access until a policy has been created.

Next Step:

See the next section, Create policy for zero-trust access, to learn how to create policies.

macOS Agent Installation

Learn how to add a BlastShield™ Agent on macOS by watching the following video or reading the steps below.

Step 1: Add a new Agent in the Orchestrator

  1. Click on "Agents" in the "Manage" menu in the left sidebar, and then click the red "Add New Agent" button at the top right.
  2. The New Agent dialogue opens. Add a name for the Agent and a DNS Hostname. The DNS Hostname is optional and can be used to identify the Agent in the BlastShield™ network, as BlastShield runs its own DNS.
  3. Then click on the red "Save and Download Invitation" button and choose the option for "Save and copy Linux/macOS installation command to the clipboard". Click on that option to copy the command.

Step 2: Install and register the Agent

Open a terminal session to the server where you are going to install the Agent.

  1. Paste the command you just copied to the terminal and hit enter. This will start the software download.
  2. The software will automatically install and run. The Agent will then automatically register with the Orchestrator. When the process has completed you will see the following message in the terminal window:

"Installation successful."

Step 3: View the status of the Agent

Now that the installation and registration processes have completed, your Agent is up and running. The status of the Agent as shown in the Orchestrator will change to Online as shown below.

Logs for the Agent may be viewed in the Console.app.

Next Step:

See the next section, Create policy for zero-trust access, to learn how to create policies.


Remove a macOS Agent

Unload the plist file for the Host Agent

sudo launchctl unload -w /Library/LaunchDaemons/io.blastwave.blastshield-agent.plist 

Remove the plist file

sudo rm /Library/LaunchDaemons/io.blastwave.blastshield-agent.plist

Remove the Host Agent files

sudo rm -rf  /Library/Application\ Support/BlastShield\ Agent


Add BlastShield™ Gateways to protect your endpoints

Using the Gateway is optional, and depends on the type of assets you have and the environment which the assets are in. Please talk to us if you have questions about deploying a Gateway. Contact us here.

Gateways are used to protect assets without having to install any software on the asset itself. We call the assets which a Gateway is protecting "endpoints". An endpoint can be any device which has an Ethernet network interface, such as a server, IP-connected camera, industrial controller (e.g. a PLC) or an IoT device. The Gateway sits immediately upstream of the assets which it is protecting. It provides endpoint invisibility, isolation and micro-segmentation, and allows secure remote access to endpoints for authenticated users based on a zero-trust policy methodology.

To deploy a Gateway and protect endpoints you must do the following:

  1. Create a Gateway profile and invitation file in the Orchestrator.
  2. Deploy the Gateway software and register it with the invitation file.
  3. Create the endpoint profiles in the Orchestrator and add them to the Gateway.

A Gateway is created by installing the Gateway software on an x86 platform, AWS instance or VMware hypervisor.

  • Learn how to install a Gateway on x86 server hardware here.
  • To connect a Gateway running on an x86 server to the network once you have installed it, click here.
  • To learn how to install a Gateway in AWS, click here.
  • Learn about how to install a Gateway on VMware ESXi here.
  • To learn how to add endpoints to a Gateway, click here.

Next Step:

See the next section, Create policy for zero-trust access, to learn how to create policies.