Cybersecurity threats are becoming more complex and sophisticated, and traditional security methods are proving to be insufficient. To tackle these challenges, organizations are turning to the software-defined perimeter (SDP) approach to enhance their security posture and prevent cyberattacks before they even occur.
BlastShield is a zero-trust network access solution that helps organizations implement a zero-trust architecture.
Instead of relying on enhanced identity governance (EIG), complex layers of micro-segmentation, or cloud-based gateways, BlastShield utilizes a software-defined perimeter (SDP) approach for more granular access controls and reduced risk from stolen credentials and complex management.
BlastShield streamlines security by integrating multiple security controls into a single solution. This is achieved by deploying software agents on end-user devices, host machines, and gateway appliances, which enable security measures like phishing-resistant MFA, data-in-motion encryption, micro-segmentation, granular access controls, device invisibility, and application proxy. These agents and security controls are managed through the BlastShield Orchestrator. The main components of BlastShield include:
The BlastShield Client is downloadable software for Microsoft Windows, macOS, iOS, Linux, and Android. The Client is deployed on end-user devices that initiate requests to resources protected by BlastShield. Available for download via the BlastWave website, the Apple App Store, and the Google Play store, the Client is considered a ZTA Policy Enforcement Point (PEP) for user devices.
The BlastShield Authenticator is downloadable software for iOS and Android mobile devices. The Authenticator is used to facilitate phishing-resistant passwordless authentication. The user registers the Authenticator with the Client when the Client is installed on the user device. Subsequently, when logging into the Client, a user can authenticate without a password using the Authenticator or a FIDO2 security key.
The BlastShield Host Agent is a software agent that is installed on any IP-connected physical or virtual machine running Linux, Microsoft Windows, or macOS. The Host Agent software is considered a ZTA PEP for resources. When the Host Agent is installed on a target device, the administrator must also install a special file generated by the Orchestrator. This file initiates an authentication process that validates the agent's identity and onboards the device by having it generate a new public-private key pair used for authentication and encryption.
The BlastShield Gateway Software Appliance protects endpoints that are not protected by a Host Agent. A BlastShield Gateway is created by installing the software appliance on any x86 server, cloud instance (AWS, GCP, or Azure), or VMware hypervisor. Gateways connect to endpoints using three addressing modes: MAC address, VLAN, or NAT. The Gateway can be configured as Active or Passive, depending on the use case.
The BlastShield Orchestrator is a cloud-based application that provides a single pane of glass to manage Users, Agents, Groups, Policies, Services, and Proxies. The Orchestrator generates special files called BlastShield Invitations (.bsi file) that are used during the onboarding of a device with a Host or Gateway Agent. The Orchestrator uses simple concepts to organize Users and Agents into Groups. Policies can be created that allow Groups of Users and Agents to communicate with each other using granular access controls.
Furthermore, communication can be filtered by IP protocol (e.g. TCP, UDP, HTTPS). Finally, the Orchestrator can be used to set up Proxies that allow administrators to proxy traffic to specifically configured domains, enabling conditional access to cloud applications. The Orchestrator participates in registration and session establishment; it is not an in-line gateway that proxies all traffic, unlike many other SDPs and cloud-based SASE solutions.
The Orchestrator is cloud-based; however, BlastWave enables customers to deploy and self-manage the Orchestrator on-premise to support air-gapped networks and highly-confidential data. The Orchestrator performs the functions of the ZTA Policy Engine (PE) and Policy Administrator (PA).
Together the BlastShield Client, Authenticator, Host Agent, Gateway Agent, and Orchestrator enable security controls that make it easy to set up explicit access between users that have been authenticated using phishing-resistant MFA and agents that have been registered using public key cryptography that meets the highest levels of authentication assurance as defined by NIST SP 800-63.
BlastShield is suitable for implementation on a variety of target devices in IT, OT, and IoT environments. Devices that cannot be installed with a BlastShield Agent can sit behind a BlastShield Gateway, enabling organizations to protect IoT devices, IP cameras, legacy infrastructure, and other constrained devices.
Authenticate before connection
Replaces complex firewall ACL rules
Makes devices undiscoverable
Preventing cyber attacks is a critical concern for organizations of all sizes. To address this issue, organizations can benefit from a solution like BlastShield that implements various security measures such as Software-defined Perimeter (SDP) architecture, Phishing-resistant Multi-Factor Authentication (MFA) and Device Invisibility.
Blastwave’s BlastShield leverages SDP, a zero-trust security model that assumes that any device, user, or application accessing the network is already compromised. This means that the perimeter is no longer defined by a physical firewall or network boundary but by software that can control access to resources dynamically. SDP provides an additional layer of security that helps to prevent cyberattacks and data breaches.
One of the main advantages of SDP is that it can help to prevent stolen credentials. In a traditional network, if a user's credentials are compromised, the attacker can access sensitive resources on the network. With BlastShield, the attacker will not be able to access these resources, even if they have the user's credentials, as the software will only allow access to those who have been given specific permissions.
SDP can also help prevent the targeting of resources with visible public IPs. In a traditional network, these resources are often the first to be targeted by attackers, as they are easily identifiable and accessible. With SDP, however, attackers face difficulty targeting these resources as the perimeter is defined dynamically by software, and access to the resources is restricted to those with specific permissions.
Finally, SDP can also help to prevent lateral attacks. In a traditional network, once an attacker has gained access to one resource, they can often move laterally to other resources, compromising the entire network. But with SDP, each resource is protected by its own unique perimeter, making lateral movement and network-wide compromise more challenging for attackers.
The software-defined perimeter (SDP) approach of BlastShield is an effective solution to prevent cyberattacks like stolen credentials, targeting resources with visible public IP addresses, and lateral attacks. By adopting an SDP model, organizations can enhance their security posture and protect against a wide range of cyber threats.
Phishing-resistant Multi-Factor Authentication (MFA) helps prevent cyberattacks by adding an extra layer of security to the login process. It requires users to provide multiple forms of authentication to access sensitive information or systems. This makes it difficult for attackers to impersonate the user and gain access, even if they have obtained the user's password through a phishing attack.
BlastShield enforces phishing-resistant MFA for users logging into the BlastShield network. BlastShield supports two methods of passwordless MFA: the BlastShield Authenticator app and FIDO2 security keys.
When a user installs the BlastShield Client on their user device, they confirm their identity using one of the passwordless MFA methods. A public key generated by the Authenticator app or FIDO2 security key is registered with the Orchestrator and is used to confirm the identity of the user each time they log in.
Future logins use a challenge-response method based on the public key of the user's Authenticator or FIDO2 security key, so that only the device holding the matching private key can attest to its identity. What makes BlastShield's MFA method phishing-resistant is that both factors of authentication are unique to the user and cannot be stolen, used, or derived remotely.
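To make the mechanism above concrete, the Go program below is an added illustration of public-key registration followed by a single-use challenge-response login; it is not BlastWave's code and does not describe BlastShield's actual wire protocol. The same per-device key pair idea is what the Host Agent onboarding in the component list relies on. The origin string, the user ID, and the choice of Ed25519 with a SHA-256 origin-bound challenge are assumptions for the example. The point it demonstrates is why such a login is phishing-resistant: the authenticator only signs for the origin it was registered with, the verifier holds nothing but a public key, and each challenge is consumed on first use so a captured response cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's registered device (the Authenticator app or
// a FIDO2 key). The private key is generated on the device and never leaves
// it; only the public key is handed to the Orchestrator at registration.
type Authenticator struct {
	priv   ed25519.PrivateKey
	pub    ed25519.PublicKey
	origin string // the Orchestrator origin this key was registered for (assumed)
}

// NewAuthenticator generates a fresh key pair bound to one origin.
func NewAuthenticator(origin string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, pub: pub, origin: origin}, nil
}

// PublicKey is the only material that gets registered with the Orchestrator.
func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.pub }

// challengeMessage binds the nonce to the origin, so a signature produced for
// one origin can never be relayed to another.
func challengeMessage(origin string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and nonce bytes cannot be confused
	h.Write(nonce)
	return h.Sum(nil)
}

// SignChallenge refuses to sign for any origin other than the registered one,
// so a look-alike site cannot obtain a usable response from the device.
func (a *Authenticator) SignChallenge(origin string, nonce []byte) ([]byte, error) {
	if origin != a.origin {
		return nil, errors.New("authenticator: origin mismatch, refusing to sign")
	}
	return ed25519.Sign(a.priv, challengeMessage(origin, nonce)), nil
}

// Orchestrator models the verifier: it stores registered public keys and
// issues single-use random challenges. No password or shared secret is kept.
type Orchestrator struct {
	origin  string
	keys    map[string]ed25519.PublicKey // user ID -> registered public key
	pending map[string][]byte            // user ID -> outstanding nonce
}

func NewOrchestrator(origin string) *Orchestrator {
	return &Orchestrator{origin: origin, keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register stores a user's public key.
func (o *Orchestrator) Register(userID string, pub ed25519.PublicKey) { o.keys[userID] = pub }

// IssueChallenge hands out 32 fresh random bytes and remembers them for one use.
func (o *Orchestrator) IssueChallenge(userID string) ([]byte, error) {
	if _, ok := o.keys[userID]; !ok {
		return nil, errors.New("orchestrator: unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	o.pending[userID] = nonce
	return nonce, nil
}

// VerifyLogin consumes the pending nonce first (so a captured response cannot
// be replayed) and then checks the signature against the registered key.
func (o *Orchestrator) VerifyLogin(userID string, sig []byte) error {
	nonce, ok := o.pending[userID]
	if !ok {
		return errors.New("orchestrator: no outstanding challenge")
	}
	delete(o.pending, userID)
	if !ed25519.Verify(o.keys[userID], challengeMessage(o.origin, nonce), sig) {
		return errors.New("orchestrator: signature invalid")
	}
	return nil
}

func main() {
	const origin = "https://orchestrator.example" // constructed placeholder origin
	orch := NewOrchestrator(origin)
	alice, err := NewAuthenticator(origin)
	if err != nil {
		panic(err)
	}
	orch.Register("alice", alice.PublicKey())

	nonce, _ := orch.IssueChallenge("alice")
	sig, _ := alice.SignChallenge(origin, nonce)
	fmt.Println("login: ", orch.VerifyLogin("alice", sig)) // <nil> on success
	fmt.Println("replay:", orch.VerifyLogin("alice", sig)) // fails: nonce consumed

	nonce, _ = orch.IssueChallenge("alice")
	_, err = alice.SignChallenge("https://lookalike.invalid", nonce)
	fmt.Println("phish: ", err) // authenticator refuses to sign for another origin
}
```

Three properties carry the phishing resistance: a user who types a password into a look-alike site leaks nothing, because there is no password; the device will not sign a challenge presented from a different origin; and even a response captured in transit is worthless once its nonce has been consumed.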
Device invisibility refers to a security strategy where devices on a network are made undetectable to attackers. This can be achieved through various methods, such as disabling unnecessary services and ports, making it harder for attackers to discover and target the device. By making devices invisible, it is difficult for attackers to steal credentials or launch lateral attacks, as their available attack surface becomes limited.
The BlastShield Host and Gateway Agents prevent protected devices from being scanned publicly, so their IP addresses are unreachable by malicious actors. IP scanning of BlastShield networks by unauthenticated users won't reveal any devices that can be attacked.
All hardware-based VPNs and cloud-based proxy server solutions, as well as secure access service edge (SASE) solutions, expose public IP addresses. This makes them easy targets for DDoS attacks and surveillance. SASE solutions also decrypt traffic, as payloads must be in plaintext to be scanned before the data is re-encrypted and sent on to its destination.
BlastShield can protect against external and internal attackers through device invisibility. Zero trust assumes there is a breach, and an attacker is already inside your network. BlastShield will prevent an attacker from compromising assets on your network.
Getting started with BlastShield is easy and free. Follow the three steps below and get up and running fast.
Create a Free Trial
Download the BlastShield Authenticator & Client
Make Your Host Invisible