Configure the AWS security groups

The BlastShield Gateway is an in-line protection instance that will be deployed in front of protected assets or applications. The gateway software may be deployed on x86 platforms, VMware, or selected cloud infrastructures such as AWS.

Installation of a new gateway instance in AWS requires the following primary workflows:

  1. Create the AWS networking infrastructure.
  2. Create the BlastShield Gateway instance and launch it in AWS.
  3. Configure the AWS security groups.

This article covers step (3) and describes how to configure the AWS security groups so that the BlastShield Gateway can control unwanted lateral movement between protected endpoints. You must complete steps (1) and (2) before starting step (3).

Purpose

You should now configure the AWS security groups on your BlastShield™ instances so that BlastShield™ will manage the micro-segmentation and invisibility of endpoints. You will control access between endpoints and remote access to endpoints using policy in the BlastShield™ Orchestrator.

Preparation

You must have completed steps (1) and (2) as described in the introduction above.

You must also have one or more available EC2 instances which you are going to protect with the BlastShield™ Gateway. Note that when you create a new EC2 instance that is going to be protected then the new EC2 instance must be on the BlastShield™ VPC and the instance must also be in the BlastShield™ protected subnet. Refer to step (1) in the introduction above for details on creating the VPC and protected subnet.

Summary

There are three main steps required to implement this, as shown below.

  1. Configure a security group for your protected instances which allows inbound traffic from the BlastShield™ protected subnet. Add this security group to each protected endpoint.
  2. Add a second security group for the protected interface of your BlastShield™ gateway which allows inbound traffic from the protected instances security group.
  3. Configure access policy for zero trust access and micro-segmentation in the Orchestrator.

Step 1: Configure a security group for your protected EC2 instances

Performed by the AWS Administrator.

This security group will allow inbound traffic from the BlastShield™ protected subnet to the protected instances on the AWS infrastructure if BlastShield policy allows it. Please note that because the BlastShield™ Gateway is zero-trust, it will not allow any traffic to be forwarded between protected endpoints (EC2 instances or users) unless you have created a policy in the Orchestrator.

From the EC2 console:

  • Click on Security Groups, then choose Create security group.
  • Complete the basic details. Name the new security group, give it a description and ensure the configured VPC is that of the BlastShield Gateway.
  • Configure the rules of the Security Group as follows:
  • Create an inbound rule which allows all traffic from the BlastShield™ protected subnet. In this example the BlastShield™ protected subnet is 172.16.0.0/16, hence the inbound rule allows All traffic from 172.16.0.0/16.
  • The outbound rule should allow all traffic.
  • Click on Create security group once you have configured the rules.
  • See the diagram below for details.

Add the new security group to your protected instances

  • From the EC2 console, choose Instances, then select your protected instance by clicking on its ID. The instance summary will open.
  • Right click on the instance and select Security and then select Change security group.
  • The Change security group window will open.
  • In the Associated security groups section, choose the security group for your protected instances which you created earlier.
  • Click Add security group.
  • Remove any old security groups by clicking on the Remove button.
  • Finally, click on Save.
  • Repeat this process for all the EC2 instances which you want to protect on your BlastShield protected subnet.

Step 2: Configure a security group for the protected interface of your BlastShield™ gateway

The purpose of this security group is to allow traffic from the protected EC2 instances to the protected interface of the BlastShield Gateway. This is done by allowing inbound traffic from the 'BlastShield Protected Instances' security group which we created in the preceding step.

Performed by the AWS Administrator.

From the EC2 Console:

  • Click on Security Groups, then choose Create security group.
  • Complete the basic details. Name the new security group, give it a description and ensure the configured VPC is that of the BlastShield Gateway.
  • Configure the inbound rules of the Security Group as follows:
  • Allow "All traffic from <protected instances security group>".
  • Configure the outbound rules of the Security Group to allow All traffic. This is typically the AWS default configuration. See below.
  • Then click on Create security group at the bottom of the screen.

Now you will add this security group to the protected interface of the BlastShield™ Gateway.

From the EC2 console:

  • Choose Instances, then select your BlastShield™ Gateway instance by clicking on its ID. The instance summary will open.
  • Select the Networking tab at the bottom and navigate to the Network interfaces section. Locate the protected interface and click on it to open the Network interfaces view.
  • From the Network interfaces view, right click on the interface and choose the Change security groups option.
  • The Change security groups window opens. Navigate to Associated security groups.
  • In the Select security groups box, search for the new security group which you created for the BlastShield™ Gateway protected interface and add the security group to the network interface.
  • Remove any old security groups by clicking on the Remove button.
  • Click Save. The updated security group configuration on the BlastShield™ protected interface should now look like this:
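As an added example (not BlastShield's own code or tooling), the following Python script expresses the two security groups from Steps 1 and 2 as an AWS CloudFormation template and then audits the result for the mistakes that would defeat the design: an inbound rule open to 0.0.0.0/0, an inbound source other than the protected subnet on the instances group, or an inbound source other than the protected-instances group on the gateway group. The logical resource names, group descriptions and the VPC id placeholder are assumptions; 172.16.0.0/16 is the article's example protected subnet.

```python
"""Build the Step 1 and Step 2 security groups as a CloudFormation template
and audit them. Added example, not BlastShield's code. Resource names,
descriptions and the VPC id are assumptions/placeholders; 172.16.0.0/16 is
the protected subnet used as the example in the article."""
import json

PROTECTED_SUBNET_CIDR = "172.16.0.0/16"          # example value from the article
INSTANCES_SG = "ProtectedInstancesSG"            # assumed logical resource name
GATEWAY_SG = "GatewayProtectedInterfaceSG"       # assumed logical resource name
ALLOW_ALL_EGRESS = [{"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}]


def protected_instances_sg(vpc_id, cidr=PROTECTED_SUBNET_CIDR):
    """Step 1: inbound all traffic from the protected subnet, outbound all."""
    return {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "BlastShield protected instances",
            "VpcId": vpc_id,
            "SecurityGroupIngress": [{"IpProtocol": "-1", "CidrIp": cidr}],
            # Listing egress explicitly replaces CloudFormation's implicit allow-all.
            "SecurityGroupEgress": list(ALLOW_ALL_EGRESS),
        },
    }


def gateway_protected_interface_sg(vpc_id, instances_sg_logical_id=INSTANCES_SG):
    """Step 2: inbound all traffic from the protected-instances group only."""
    return {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "BlastShield gateway protected interface",
            "VpcId": vpc_id,
            "SecurityGroupIngress": [
                {"IpProtocol": "-1",
                 "SourceSecurityGroupId": {"Ref": instances_sg_logical_id}}
            ],
            "SecurityGroupEgress": list(ALLOW_ALL_EGRESS),
        },
    }


def build_template(vpc_id, cidr=PROTECTED_SUBNET_CIDR):
    """Assemble both groups into one CloudFormation template."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            INSTANCES_SG: protected_instances_sg(vpc_id, cidr),
            GATEWAY_SG: gateway_protected_interface_sg(vpc_id, INSTANCES_SG),
        },
    }


def audit_template(template, cidr=PROTECTED_SUBNET_CIDR):
    """Return a list of findings; an empty list means both groups match Steps 1 and 2."""
    findings = []
    resources = template["Resources"]
    inst = resources[INSTANCES_SG]["Properties"]
    gw = resources[GATEWAY_SG]["Properties"]

    # Step 1 group: the only permitted inbound source is the protected subnet.
    # A missing CidrIp (e.g. an IPv6 or prefix-list source) also fails this check.
    for rule in inst["SecurityGroupIngress"]:
        if "SourceSecurityGroupId" in rule or rule.get("CidrIp") != cidr:
            findings.append(f"{INSTANCES_SG}: inbound source {rule} is not {cidr}")

    # Step 2 group: the only permitted inbound source is the protected-instances group.
    for rule in gw["SecurityGroupIngress"]:
        if "CidrIp" in rule or rule.get("SourceSecurityGroupId") != {"Ref": INSTANCES_SG}:
            findings.append(f"{GATEWAY_SG}: inbound source {rule} is not {INSTANCES_SG}")

    # Both groups: outbound must allow all traffic, as the article requires.
    for name, props in ((INSTANCES_SG, inst), (GATEWAY_SG, gw)):
        if not any(r.get("IpProtocol") == "-1" and r.get("CidrIp") == "0.0.0.0/0"
                   for r in props["SecurityGroupEgress"]):
            findings.append(f"{name}: outbound rules do not allow all traffic")
    return findings


if __name__ == "__main__":
    template = build_template("vpc-PLACEHOLDER")  # replace with the BlastShield VPC id
    print(json.dumps(template, indent=2))
    print("findings:", audit_template(template))
```

Running the script prints the template, which can be deployed with `aws cloudformation deploy --template-file <file> --stack-name <name>`. The template only creates the two groups; attaching them to the protected instances and to the gateway's protected network interface is still done as described in the console steps above. Re-running `audit_template` on a template someone has edited is a quick way to confirm that no inbound rule wider than the protected subnet or the protected-instances group has crept in.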

Step 3: Configure access policy

Performed by the BlastShield Orchestrator Administrator.

Once this configuration is in place, access between protected AWS endpoints on the protected subnet may be controlled by policy on the BlastShield Orchestrator. If access is required between protected endpoints, be sure to set up an appropriate policy in the Orchestrator.

From the BlastShield Orchestrator you can now add endpoints for the EC2 instances you wish to connect to the BlastShield protected network and then configure groups and add policy to allow connectivity.

When you add new AWS instances that you want to be protected by the BlastShield Gateway, they must be configured to be on the BlastShield VPC and in the BlastShield Protected Subnet.

See the following articles for further information on groups and policies, managing groups and managing policies. To find out about adding endpoints, see this article.

This article is always evolving and is updated as our product develops. Be sure to keep track of this article so you stay up to date with the latest version of it!