BlastShield Software-Defined Perimeter:

Prevent Cyber Attacks Before They Happen

Cybersecurity threats are becoming more complex and sophisticated, and traditional security methods are proving to be insufficient. To tackle these challenges, organizations are turning to the software-defined perimeter (SDP) approach to enhance their security posture and prevent cyberattacks before they even occur.

What is BlastShield?

BlastShield is a zero-trust network access solution that helps organizations implement a zero-trust architecture.

Instead of relying on enhanced identity governance (EIG), complex layers of micro-segmentation, or cloud-based gateways, BlastShield utilizes a software-defined perimeter (SDP) approach for more granular access controls and reduced risk from stolen credentials and complex management.

BlastShield’s ZTNA Components

BlastShield streamlines security by integrating multiple security controls into a single solution. This is achieved by deploying software agents on end-user devices, host machines, and gateway appliances, which enable security measures like phishing-resistant MFA, data-in-motion encryption, micro-segmentation, granular access controls, device invisibility, and application proxy. These agents and security controls are managed through the BlastShield Orchestrator. The main components of BlastShield include:

Client

The BlastShield Client is downloadable software for Microsoft Windows, macOS iOS, Linux, and Android. The Client is deployed on end user devices that initiate requests to resources protected by BlastShield. Available for download via the BlastWave website, Apple App Store, and Google Play store, the Client is considered a ZTA Policy Enforcement Point (PEP) for user devices.

Authenticator

The BlastShield Authenticator is downloadable software for iOS and Android mobile devices. The Authenticator is used to facilitate phishing-resistant passwordless authentication. The user registers the Authenticator with the Client when the Client is installed on the user device. Subsequently, when logging into the Client, a user can authenticate without a password using the Authenticator or a FIDO2 security key.

Host Agent

The BlastShield Host Agent is a software agent that is installed on any IP-connected physical or virtual machine running Linux, Microsoft Windows, or macOS. The Host Agent Software is considered a ZTA PEP for resources. When the Host Agent is installed on a target device, the administrator must also install a special file generated by the Orchestrator that initiates an authentication process that validates the identity agent and onboards the device by having it generate a new public-private key pair used for authentication and encryption.

Gateway Software Appliance

The BlastShield Gateway Software Appliance provides protection of endpoints that are not protected by a Host Agent. A BlastShield Gateway is created by installing the software appliance on any x86 server, cloud instance (AWS, GCP , or Azure), or VMware hypervisor. Gateways connect to Endpoints using three Addressing Modes: MAC address, VLAN or NAT. The gateway can be configured as Active or Passive, depending upon the use case.

Orchestrator

The BlastShield Orchestrator is a cloud-based application that provides a single pane of glass to manage Users, Agents, Groups, Policies, Services, and Proxies. The Orchestrator generates special files called BlastShield Invitations (.bsi file) that are used during the onboarding of a device with a Host or Gateway Software Appliance. The Orchestrator uses simple concepts to organize Users and Agents into Groups. Policies can be created that allow Groups of Users and Agents to communicate with each other using granular access controls. Furthermore, communication can be filtered by IP protocol (e.g. TCP, UDP, HTT...

What BlastWave’s BlastShield Can Do

Preventing cyber attacks is a critical concern for organizations of all sizes. To address this issue, organizations can benefit from a solution like BlastShield that implements various security measures such as Software-defined Perimeter (SDP) architecture, Phishing-resistant Multi-Factor Authentication (MFA) and Device Invisibility.

Software-defined Perimeter (SDP) Architecture

Blastwave’s BlastShield leverages SDP, a zero-trust security model that assumes that any device, user, or application accessing the network is already compromised. This means that the perimeter is no longer defined by a physical firewall or network boundary but by software that can control access to resources dynamically. SDP provides an additional layer of security that helps to prevent cyberattacks and data breaches.

One of the main advantages of SDP is that it can help to prevent stolen credentials. In a traditional network, if a user's credentials are compromised, the attacker can access sensitive resources on the network. With BlastShield, the attacker will not be able to access these resources, even if they have the user's credentials, as the software will only allow access to those who have been given specific permissions.

Phishing-resistant Multi-Factor Authentication (MFA)

Phishing-resistant Multi-Factor Authentication (MFA) helps prevent cyberattacks by adding an extra layer of security to the login process. It requires users to provide multiple forms of authentication to access sensitive information or systems. This makes it difficult for attackers to impersonate the user and gain access, even if they have obtained the user's password through a phishing attack.

BlastShield enforces phishing-resistant MFA for users logging into the BlastShield network. BlastShield supports two methods of passwordless MFA:

Device Invisibility

Device invisibility refers to a security strategy where devices on a network are made undetectable to attackers. This can be achieved through various methods, such as disabling unnecessary services and ports, making it harder for attackers to discover and target the device. By making devices invisible, it is difficult for attackers to steal credentials or launch lateral attacks, as their available attack surface becomes limited.

BlastShield Host or Gateway Software Appliance does not allow devices to be scanned publicly. These IP addresses make them inaccessible to malicious actors. IP scanning of BlastShield networks by unauthenticated users won't reveal any devices that can be attacked.