BlastShield Documentation

AWS Virtual Gateway Installation - source + destination NAT mode

This article explains how to install the BlastShield™ Gateway AMI in AWS EC2 where the Gateway is configured with IP Address (Source+Destination NAT) addressing mode.

  • Using source + destination NAT mode lets you connect AWS endpoints to the Gateway without modifying the routing of the AWS endpoints: the Gateway rewrites both the source and the destination address, so each protected EC2 instance only ever sees traffic arriving from the Gateway's private IP and needs no route to the BlastShield™ network.

  • Remote users will be able to connect in to the AWS endpoints over the BlastShield™ network.

  • The AWS endpoints will not be able to initiate connections out over the BlastShield™ network.

Summary of BlastShield™ Source + Destination NAT mode Gateway Installation in AWS EC2

Installing a BlastShield™ Gateway involves the following steps:

  1. Install the Gateway AMI in AWS.

    In this step you will create a Gateway instance in the Orchestrator and copy the invitation information. You then launch the Gateway AMI in your AWS EC2 account and paste the invitation information into the AMI's user data field.

  2. Create endpoints in the Orchestrator.

    For each asset to be protected by the Gateway, you will create an endpoint instance in the Orchestrator. The endpoint configuration identifies the EC2 instance by its private IPv4 address. The Gateway will NAT the BlastShield™ IP address to the EC2 private IPv4 address.

  3. Modify the EC2 endpoint security group rules.

    The security group rules for the EC2 endpoints are modified to allow inbound access from the BlastShield™ Gateway. This will allow authorized BlastShield™ users to access the endpoints over the protected network.

  4. Configure an access policy.

    BlastShield™ is a zero trust solution and without policy authorization, users or other nodes will not be allowed to access a protected endpoint. Add the endpoint(s) to a group (or multiple groups) and then add that Group to a Policy to enable access to the endpoint.

Install the Gateway AMI in AWS

  1. Create a new Gateway in the Orchestrator.

    1. Connect to the Orchestrator and select Gateways from the left Menu.

    2. Select Add New Gateway.

    3. Enter a name for the new Gateway.

    4. Select the Addressing Mode for the Gateway to be IP Address (Source+Destination NAT).

      gw_addressing_mode--source_destination_nat.png
    5. Click the 'Save and download invitation' button and choose the option to 'Save and copy invitation contents to the clipboard'.

    6. Keep the copied invitation information; it is pasted into the user data field of the Gateway AMI later in this procedure. Treat it as a credential, since it is what enrols the new instance into your BlastShield™ network.

      copy-bsi-info-orchestrator.png
  2. Launch the BlastShield AMI instance.

    1. Go to the AWS EC2 Dashboard >> Instances.

    2. Choose 'Launch instance' and add a name for the instance.

    3. Then go to the 'Application and OS Images (Amazon Machine Image)' box.

    4. Search for 'blastshield' in the AMI search box and choose the latest available BlastShield™ Orchestrator/Gateway AMI.

    5. Click on 'Select'.

      Choose-blastshield-ami.png
  3. Choose an instance type and key pair.

    1. Next, go to the 'Instance type' box.

    2. Select the t3.small instance type.

    3. Set your key pair as required.

      t3-small-ami.png
  4. Configure the network settings.

    1. Go to the network settings box and configure the following

      1. Network: Choose your desired VPC.

      2. Subnet: Choose your desired subnet.

      3. Auto-assign public IP: Enable.

    2. From the security group section, configure as follows:

      1. No inbound rules are required. The Gateway initiates all of its own connections, so leave the inbound rule list empty; nothing on the Internet needs to reach the Gateway directly.

      2. For outbound, ensure all traffic is allowed to all destinations so the Gateway can reach the Orchestrator and the protected endpoints.

        Network-settings-AWS-GW.png
  5. Configure Storage

    1. Add Storage: leave as default

    2. Click next

  6. Add the registration information into the user data field

    1. In the 'Advanced details' box, scroll to the 'User data' section at the bottom.

      1. Select User Data.

      2. Paste the invitation information which you copied from the Orchestrator in step 1 into the User data window, exactly as copied.

      3. Leave the 'User data has already been base64 encoded' box unchecked.

        user-data-bsi-info.png
  7. Review and Launch the instance.

    1. Click launch to launch the AMI.

    2. Monitor your instance in the EC2 console until it has launched successfully.

    3. Once the Gateway is online, the online status will be shown in the Orchestrator.

      Gateway-is-online.png
Create endpoints in the Orchestrator

  1. In the Orchestrator, select the AWS Gateway and click on the Endpoints tab.

  2. Click the 'Add New Endpoint' button and switch on the 'Endpoint Enabled' toggle.

  3. Enter a name for the Endpoint in the Name field.

  4. In the DNS Hostname field, enter a hostname for the BlastShield Network.

  5. In the Destination field, enter the EC2 instance's private IPv4 address or hostname. This is the address the Gateway will NAT the endpoint's BlastShield™ IP address to, so it must be reachable from the Gateway's subnet.

  6. Click on 'Save Changes'.

  7. The status of the Endpoint will show as 'Online'.

    add-new-endpoint.png
Modify the EC2 endpoint security group rules

  1. In the EC2 console, select the endpoint instance's Security tab. From the 'Security details' table, select the Security Group.

  2. Click on the 'Inbound rules' tab and then click on 'Edit inbound rules'.

  3. Add a new rule to allow traffic from the BlastShield™ Gateway's Security Group (use the Gateway's security group ID as the source) and click on 'Save rules'. Because the Gateway source-NATs user traffic, the endpoint only sees connections from the Gateway's private IP, so a rule scoped to the Gateway's security group is sufficient; you may allow all traffic as the screenshot shows, or restrict the rule to the protocols and ports the endpoint actually serves.

    Endpoint-inbound-security-group.png
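The same Gateway launch and endpoint security group change, expressed as Terraform so it can be reviewed and repeated instead of clicked through. This is an added example, not BlastShield's own code or a supported deployment method: the resource names, the `vpc_id`/`subnet_id`/`key_name`/`endpoint_sg_id` variables and the `aws-marketplace` owner filter on the AMI lookup are assumptions, and the invitation text is passed in as a sensitive variable.

```hcl
# Added example (not BlastShield's code). Launches the Gateway AMI with the
# console settings from steps 2-7 above and opens the endpoint's security
# group to the Gateway as in the section above. Names and variables are
# assumptions; adjust them to your account.

variable "vpc_id"         { type = string }
variable "subnet_id"      { type = string }
variable "key_name"       { type = string }
# Security group already attached to the EC2 instance you want to protect.
variable "endpoint_sg_id" { type = string }

# Invitation copied from the Orchestrator (step 1). Marked sensitive so it is
# redacted from plan output; supply it via TF_VAR_gateway_invitation.
variable "gateway_invitation" {
  type      = string
  sensitive = true
}

# Latest BlastShield AMI. The owners filter is an assumption; match it to the
# publisher shown when you search for "blastshield" in the console.
data "aws_ami" "blastshield" {
  most_recent = true
  owners      = ["aws-marketplace"]
  filter {
    name   = "name"
    values = ["*blastshield*"]
  }
}

# Gateway security group: no inbound rules, all outbound (step 4).
resource "aws_security_group" "gateway" {
  name        = "blastshield-gateway"
  description = "BlastShield Gateway: no inbound, all outbound"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_egress_rule" "gateway_all_out" {
  security_group_id = aws_security_group.gateway.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}

# The Gateway instance (steps 3-7): t3.small, public IP, invitation in user
# data. user_data is given as plain text and Terraform base64-encodes it for
# the API, which matches leaving the "already base64 encoded" box unchecked.
resource "aws_instance" "gateway" {
  ami                         = data.aws_ami.blastshield.id
  instance_type               = "t3.small"
  subnet_id                   = var.subnet_id
  key_name                    = var.key_name
  associate_public_ip_address = true
  vpc_security_group_ids      = [aws_security_group.gateway.id]
  user_data                   = var.gateway_invitation
  user_data_replace_on_change = true

  tags = { Name = "blastshield-gateway" }
}

# Endpoint security group rule: allow traffic from the Gateway's security
# group. The endpoint only ever sees the Gateway's private IP (source NAT),
# so referencing the Gateway SG is enough; narrow ip_protocol and add
# from_port/to_port to what the endpoint actually serves where you can.
resource "aws_vpc_security_group_ingress_rule" "endpoint_from_gateway" {
  security_group_id            = var.endpoint_sg_id
  ip_protocol                  = "-1"
  referenced_security_group_id = aws_security_group.gateway.id
}

output "gateway_private_ip" {
  value = aws_instance.gateway.private_ip
}
```

Two points worth checking before applying this: EC2 user data is readable from inside the instance through the instance metadata service and by any principal allowed to call DescribeInstanceAttribute, so the invitation should be treated as a one-time enrolment secret rather than a long-lived credential; and, after the plan has applied, the Gateway should appear as online in the Orchestrator exactly as in step 7, since all it needs is outbound connectivity.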

Configure an access policy

BlastShield™ policy works by creating two groups, typically one which defines a user group and a second group which defines a group of protected assets. The groups are used to microsegment the assets and the users. The two groups are linked together with a policy which defines the connectivity permissions between the two groups. The following section explains how to create a group and add members to it. You may create multiple policies and groups.

Create Groups
  1. From the Orchestrator, select "Groups" from the left menu.

  2. Select "Add New Group" from the Group List.

  3. Enter a name for the new Group.

  4. To add members to the new group, click the "Add Members" button.

    1. If you are adding users to the group, select the desired Users which you want to be associated with the Group from the "Users" box.

    2. If you are adding Agents to the group, select the desired Agents which you want to be associated with the Group from the "Agents" box.

    3. If you are adding Gateway Endpoints (such as the AWS endpoints created above), select the desired Endpoints from the "Endpoints" box.

    4. Alternatively, you can leave the members list empty and add/modify new members later.

  5. Click "Add Members" to save the members.

  6. Click "Save" to save the new group.

  7. Repeat, if required, to ensure you have one group for your endpoints and one group for your users, which is the minimum you will need in order to define the access policy.

Please refer to the following video, which is an example of creating one group for your users and one group for Host Agents.

Create a Policy to link your Groups
To connect your user groups and protected servers groups, you must link them with a policy as described here:

Note

Users, Agents and Endpoints must be members of a group before they can be referenced in a policy.

  1. Select "Policies" from the left menu.

  2. Select "Add New Policy" from the Policy List.

  3. Enter a name for the new Policy.

  4. Select desired "From" Groups to be associated with the new Policy.

  5. Select desired "To" Groups to be associated with the new Policy.

  6. Save the new Policy.

Policies are directional, so that you can control the direction in which connections may be initiated. Typically for remote access use-cases your policy would be from the "user group" to the "server group" so that users may start connections to the servers, but servers cannot start connections to users. For the AWS Gateway described in this article that is the only direction that applies, since endpoints behind a source + destination NAT Gateway cannot initiate connections out over the BlastShield™ network. Where both sides can initiate, you can create bi-directional permissions by using two policies.

The following video shows an example of creating an access Policy between a group of remote workers and a group of servers. The policy gives the remote workers authorisation to access the server group.