BlastShield Software-Defined Perimeter

Secure Remote Access, Network Segmentation, and Cloaking


Cybersecurity threats

Cybersecurity threats are becoming more complex and sophisticated, and traditional security methods are proving to be insufficient. To tackle these challenges, organizations are turning to the software-defined perimeter (SDP) approach to enhance their security posture and prevent cyberattacks before they even occur.

What is BlastShield?

BlastShield is a zero-trust network access solution that helps organizations implement a zero-trust architecture.

Instead of relying on enhanced identity governance (EIG), complex layers of micro-segmentation, or cloud-based gateways, BlastShield utilizes a software-defined perimeter (SDP) approach for more granular access controls and reduced risk from stolen credentials and complex management.


BlastShield’s ZTNA Components

BlastShield streamlines security by integrating multiple security controls into a single solution. This is achieved by deploying software agents on end-user devices, host machines, and gateway appliances, which enable security measures like phishing-resistant MFA, data-in-motion encryption, micro-segmentation, granular access controls, device invisibility, and application proxy. These agents and security controls are managed through the BlastShield Orchestrator. The main components of BlastShield include:


The Main Components of BlastShield

Client

The BlastShield Client is downloadable software for Microsoft Windows, macOS, iOS, Linux, and Android. The Client is deployed on end-user devices that initiate requests to resources protected by BlastShield. Available for download via the BlastWave website, Apple App Store, and Google Play store, the Client acts as the ZTA Policy Enforcement Point (PEP) for user devices.


Authenticator

The BlastShield Authenticator is downloadable software for iOS and Android mobile devices. The Authenticator is used to provide phishing-resistant passwordless authentication. The user registers the Authenticator with the Client when the Client is installed on the user device. Subsequently, when logging into the Client, the user authenticates without a password using either the Authenticator or a FIDO2 security key.

Host Agent

The BlastShield Host Agent is a software agent that is installed on any IP-connected physical or virtual machine running Linux, Microsoft Windows, or macOS. The Host Agent acts as the ZTA PEP for resources. When the Host Agent is installed on a target device, the administrator must also install an invitation file generated by the Orchestrator. That file starts an onboarding process in which the Orchestrator validates the agent's identity and the device generates a new public-private key pair that is used for authentication and encryption from then on; the private key is created on the device and is not distributed by the Orchestrator.


Gateway Agent

The BlastShield Gateway Software Appliance protects endpoints on which a Host Agent cannot be installed. A BlastShield Gateway is created by installing the software appliance on any x86 server, cloud instance (AWS, GCP, or Azure), or VMware hypervisor. Gateways connect to Endpoints using one of three Addressing Modes: MAC address, VLAN, or NAT. The gateway can be configured as Active or Passive, depending on the use case.

  • Active
    The gateway is set up inline to protect downstream Endpoints that are registered with the gateway. To reach the Endpoints, traffic must flow inline through the gateway. This model is effective at protecting Endpoints from internal attackers.
  • Passive
    The gateway is set up on the network and not inline. Clients can only connect to Endpoints that are registered with the gateway. This model is effective for secure remote access to legacy infrastructure without impacting other devices communicating on the network.

Orchestrator

The BlastShield Orchestrator is a cloud-based application that provides a single pane of glass to manage Users, Agents, Groups, Policies, Services, and Proxies. The Orchestrator generates the files called BlastShield Invitations (.bsi files) that are used when onboarding a device with a Host or Gateway Agent. The Orchestrator organizes Users and Agents into Groups, and Policies are created that allow Groups of Users and Agents to communicate with each other under granular access controls.


Furthermore, communication can be filtered by transport protocol (e.g. TCP or UDP) and by service such as HTTPS. Finally, the Orchestrator can be used to set up Proxies that allow administrators to proxy traffic to specifically configured domains, enabling conditional access to cloud applications. The Orchestrator participates in registration and session establishment only; it is not an in-line gateway that carries all traffic, as many other SDPs and cloud-based SASE solutions are.
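To make the Group and Policy model concrete, here is an added example (not BlastWave code, and not the Orchestrator's real schema or API) of a default-deny policy evaluator: Users and Agents belong to Groups, a Policy joins one Group to another over a list of Services, and any request that no Policy names is denied. The group names, identities and port numbers are constructed for the example.

```go
package main

import "fmt"

// Illustrative policy model, not the Orchestrator's real schema or API.

// Service is a protocol/port pair; Port 0 means any port of that protocol.
type Service struct {
	Proto string
	Port  int
}

// Policy joins a User group (From) to an Agent group (To) for the given Services.
type Policy struct {
	From     string
	To       string
	Services []Service
}

// PolicyEngine holds group membership and the policy set.
type PolicyEngine struct {
	userGroups  map[string][]string // user -> groups
	agentGroups map[string][]string // agent -> groups
	policies    []Policy
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// Allowed is true only if some policy joins a group of user to a group of agent
// and names the requested protocol and port. Unknown users, unknown agents,
// unlisted protocols and unlisted ports all fall through to the default deny.
func (e *PolicyEngine) Allowed(user, agent, proto string, port int) bool {
	for _, p := range e.policies {
		if !contains(e.userGroups[user], p.From) || !contains(e.agentGroups[agent], p.To) {
			continue
		}
		for _, s := range p.Services {
			if s.Proto == proto && (s.Port == 0 || s.Port == port) {
				return true
			}
		}
	}
	return false
}

// Sample builds a constructed OT-style policy set: engineers may reach PLC gateways
// on Modbus/TCP and HMI hosts on RDP and HTTPS; contractors get HTTPS to HMIs only.
func Sample() *PolicyEngine {
	return &PolicyEngine{
		userGroups:  map[string][]string{"alice": {"ot-engineers"}, "bob": {"contractors"}},
		agentGroups: map[string][]string{"plc-gw-01": {"plc-gateways"}, "hmi-02": {"hmi-hosts"}},
		policies: []Policy{
			{From: "ot-engineers", To: "plc-gateways", Services: []Service{{"tcp", 502}}},
			{From: "ot-engineers", To: "hmi-hosts", Services: []Service{{"tcp", 3389}, {"tcp", 443}}},
			{From: "contractors", To: "hmi-hosts", Services: []Service{{"tcp", 443}}},
		},
	}
}

func main() {
	e := Sample()
	fmt.Println(e.Allowed("alice", "plc-gw-01", "tcp", 502)) // true
	fmt.Println(e.Allowed("bob", "plc-gw-01", "tcp", 502))   // false: no policy joins contractors to plc-gateways
	fmt.Println(e.Allowed("alice", "plc-gw-01", "udp", 502)) // false: protocol not listed
	fmt.Println(e.Allowed("bob", "hmi-02", "tcp", 3389))     // false: port not listed for contractors
	fmt.Println(e.Allowed("mallory", "hmi-02", "tcp", 443))  // false: unknown user
}
```

The point of the structure is that there is no "allow" path that does not pass through a named Policy: membership in a Group grants nothing on its own, and a service not listed for that Group pair is unreachable even when the same host exposes it to another Group.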

The Orchestrator is cloud-based; however, BlastWave also lets customers deploy and self-manage the Orchestrator on-premises to support air-gapped networks and highly confidential data. The Orchestrator performs the functions of the ZTA Policy Engine (PE) and Policy Administrator (PA).

Together, the BlastShield Client, Authenticator, Host Agent, Gateway Agent, and Orchestrator make it straightforward to set up explicit access between users who have been authenticated with phishing-resistant MFA and agents that have been registered using public-key cryptography, meeting the highest authentication assurance levels defined in NIST SP 800-63.

BlastShield is suitable for implementation on a variety of target devices in IT, OT, and IoT environments. Devices that cannot be installed with a BlastShield Agent can sit behind a BlastShield Gateway, enabling organizations to protect IoT devices, IP cameras, legacy infrastructure, and other constrained devices.


Game-changing ICS/SCADA Protection

Remote Access Security

Elevate your defense strategy by securing all remote access points, ensuring your industrial control systems stay out of reach from unauthorized users.

As digitalization advances, securing remote access points in your network becomes crucial to keep your industrial control systems (ICS) safe from unauthorized access. BlastWave's approach to Remote Access Security centers around stringent access controls and advanced authentication protocols. It ensures that only authorized users and secure devices are granted access to your network. This robust security measure significantly reduces the risk of cyber-attacks and data breaches, thereby safeguarding the integrity of modern industrial systems.

Network Segmentation

Boost your network's resilience by splitting it into secure, isolated segments, reducing the potential impact of a cyber threat.

Network segmentation bolsters your network's resilience by dividing it into isolated segments, limiting the potential impact of a cyber threat. By restricting the movement of potential threats across the network, the damage can be contained within a specific segment. The practice of network segmentation enhances visibility and control over traffic, ensuring secure and legitimate communication across the network. This strategic measure is integral to ensuring security and integrity in the IT and OT environment.

Network Cloaking

Enhance your security perimeter by rendering your network invisible to outsiders, making it difficult for potential attackers to detect and exploit.

Network cloaking, a potent cybersecurity measure, makes your network invisible to outsiders, significantly reducing the chance of potential attacks. It works by obscuring your system's public-facing IP addresses, rendering your network undetectable to external entities. Network cloaking provides an additional layer of security by reducing the attack surface, and protecting against automated attacks and bots. This proactive approach to cybersecurity ensures that your ICS/SCADA systems are consistently ahead of potential threats.

Getting started with BlastShield is easy and free


What BlastWave’s BlastShield Can Do

Preventing cyber attacks is a critical concern for organizations of all sizes. To address this issue, organizations can benefit from a solution like BlastShield that implements various security measures such as Software-defined Perimeter (SDP) architecture, Phishing-resistant Multi-Factor Authentication (MFA) and Device Invisibility.

Software-defined Perimeter (SDP) Architecture

BlastWave's BlastShield leverages SDP, a zero-trust security model that treats no device, user, or application as trusted by default and assumes an attacker may already be inside the network. This means that the perimeter is no longer defined by a physical firewall or network boundary but by software that controls access to resources dynamically. SDP provides an additional layer of security that helps to prevent cyberattacks and data breaches.

One of the main advantages of SDP is that it limits the value of stolen credentials. In a traditional network, if a user's credentials are compromised, the attacker can use them to reach sensitive resources on the network. With BlastShield, a password alone grants nothing: access requires the registered device and the user's phishing-resistant authenticator, and even then only to the resources that policy explicitly permits.

SDP can also help prevent the targeting of resources with visible public IPs. In a traditional network, these resources are often the first to be targeted by attackers, as they are easily identifiable and accessible. With SDP, however, attackers face difficulty targeting these resources as the perimeter is defined dynamically by software, and access to the resources is restricted to those with specific permissions.

Finally, SDP can also help to prevent lateral attacks. In a traditional network, once an attacker has gained access to one resource, they can often move laterally to other resources, compromising the entire network. But with SDP, each resource is protected by its own unique perimeter, making lateral movement and network-wide compromise more challenging for attackers.

The software-defined perimeter (SDP) approach of BlastShield is an effective defense against stolen credentials, the targeting of resources with visible public IP addresses, and lateral attacks. By adopting an SDP model, organizations can enhance their security posture and protect against a wide range of cyber threats.

Phishing-resistant Multi-Factor Authentication (MFA)

Phishing-resistant Multi-Factor Authentication (MFA) helps prevent cyberattacks by adding an extra layer of security to the login process. It requires users to provide multiple forms of authentication to access sensitive information or systems. This makes it difficult for attackers to impersonate the user and gain access, even if they have obtained the user's password through a phishing attack.

BlastShield enforces phishing-resistant MFA for users logging into the BlastShield network. BlastShield supports two methods of passwordless MFA:

  1. BlastShield Authenticator plus a biometric (something you have and something you are)
  2. FIDO2 security key plus a PIN or passcode (something you have and something you know)

When a user installs the BlastShield Client on their user device, they confirm their identity using one of the passwordless MFA methods. A public key generated by the Authenticator App or FIDO2 security key is registered with the Orchestrator to confirm the identity of the user each time they log in.

Future logins use a challenge-response method: the Orchestrator issues a fresh challenge, the Authenticator or FIDO2 security key signs it with a private key that never leaves the device, and the Orchestrator verifies the signature with the registered public key. What makes BlastShield's MFA phishing-resistant is that there is no password or shared secret to capture: a phishing site cannot obtain the private key, and a signature captured from one login is useless against a different challenge.
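The following is an added example, written for this page and not BlastWave's code or wire protocol, that models two mechanisms described above together: the invitation-based onboarding of a Host Agent (a one-time token stands in for the .bsi file, and the device generates its own key pair), and the challenge-response login used for users' Authenticators and FIDO2 keys. It uses Ed25519 from Go's standard library; the type and function names, the token format and the message shapes are assumptions for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Illustrative model only; not BlastShield's protocol. Names and formats are assumed.

// Registry stands in for the server-side record of invitations and enrolled keys.
type Registry struct {
	invites map[string]bool              // unused invitation tokens, keyed by id:token
	keys    map[string]ed25519.PublicKey // identity -> registered public key
}

func NewRegistry() *Registry {
	return &Registry{invites: map[string]bool{}, keys: map[string]ed25519.PublicKey{}}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Invite issues a one-time token for an identity (the role an invitation file plays here).
func (r *Registry) Invite(id string) string {
	tok := fmt.Sprintf("%x", randomBytes(16))
	r.invites[id+":"+tok] = true
	return tok
}

// Enroll consumes the token and stores the device-generated public key.
// The private key was generated on the device and is never sent.
func (r *Registry) Enroll(id, token string, pub ed25519.PublicKey) error {
	k := id + ":" + token
	if !r.invites[k] {
		return errors.New("invalid or already-used invitation")
	}
	delete(r.invites, k)
	r.keys[id] = pub
	return nil
}

// Challenge returns a fresh random nonce for one login attempt.
func (r *Registry) Challenge() []byte { return randomBytes(32) }

// Verify accepts only a signature over this exact challenge by the registered key.
// There is no shared secret to phish, and a signature captured from an earlier
// login does not verify against a new nonce.
func (r *Registry) Verify(id string, challenge, sig []byte) bool {
	pub, ok := r.keys[id]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

// Device is the enrolling host (or a user's authenticator) holding its private key.
type Device struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDevice() *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{Pub: pub, priv: priv}
}

// Respond signs the challenge; the private key stays on the device.
func (d *Device) Respond(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Demo runs one enrollment and several login attempts and reports each outcome.
func Demo() (enrolled, reused, login, replayed, imposter bool) {
	reg := NewRegistry()
	dev := NewDevice()
	tok := reg.Invite("host-01")
	enrolled = reg.Enroll("host-01", tok, dev.Pub) == nil
	reused = reg.Enroll("host-01", tok, NewDevice().Pub) == nil // second use of the invitation

	c1 := reg.Challenge()
	sig1 := dev.Respond(c1)
	login = reg.Verify("host-01", c1, sig1)

	c2 := reg.Challenge()
	replayed = reg.Verify("host-01", c2, sig1)                   // captured signature, new nonce
	imposter = reg.Verify("host-01", c2, NewDevice().Respond(c2)) // right nonce, wrong key
	return
}

func main() {
	fmt.Println(Demo()) // true false true false false
}
```

Three of the outcomes are the ones that matter for the claims on this page: the invitation cannot be used twice, a replayed signature fails because each login gets a fresh challenge, and a device that did not enroll cannot answer even a challenge it has seen.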

Device Invisibility

Device invisibility refers to a security strategy where devices on a network are made undetectable to attackers. This can be achieved through various methods, such as disabling unnecessary services and ports, making it harder for attackers to discover and target the device. By making devices invisible, it is difficult for attackers to steal credentials or launch lateral attacks, as their available attack surface becomes limited.

A device protected by a BlastShield Host or Gateway Agent does not respond to unauthenticated traffic, so its IP address cannot be discovered or reached by a malicious actor. IP scanning of a BlastShield network by an unauthenticated user reveals no devices to attack.

Hardware-based VPNs, cloud-based proxy server solutions, and secure access service edge (SASE) solutions all expose public IP addresses, which makes them easy targets for DDoS attacks and surveillance. SASE solutions also decrypt traffic in transit, since payloads must be in plaintext for the data to be inspected before it is re-encrypted and forwarded to its destination.

BlastShield can protect against external and internal attackers through device invisibility. Zero trust assumes there is a breach, and an attacker is already inside your network. BlastShield will prevent an attacker from compromising assets on your network.

Frequently Asked Questions

BlastShield uses a software-defined perimeter approach (SDP) that allows for granular access controls and avoids the risk of stolen credentials and complex management.

What is BlastShield?

BlastShield™ is a secure private network solution that protects assets and data by making them invisible to everyone except authenticated users. Unlike SSL-VPN based solutions that have known exploits, BlastShield uses a patent-pending encrypted transport methodology that is immune to SSL-VPN exploits.

How does BlastShield™ make assets invisible?

BlastShield™ Gateways (software instances) are placed in-line in front of the assets you want to protect. Once the gateway is in place, only authorized, authenticated BlastShield™ Users can access the asset. BlastShield™ Agents are installed on the server you want to protect. Like the Gateway, once the Agent has been enabled, only authorized, authenticated BlastShield™ Users can access the asset. Access to protected systems is governed by policy.

How do I access a BlastShield™ network?

You can remotely access a BlastShield™ network using your FIDO2 Compliant Key, or the BlastShield™ Authenticator app. Both methods are highly secure and eliminate common threats such as phishing, and lateral attacks.

How hard is it to deploy?

BlastShield™ is very easy to deploy, and a small network can be up and running in minutes. If you want to learn how to deploy a BlastShield™ network you can view our Quick Start Guide.



Getting started with BlastShield is easy and free. Follow the three steps below and get up and running fast.

Create a Free Trial

Download the BlastShield Authenticator & Client

Make Your Host Invisible In Minutes
