SDi Alibaba Cloud Instructions
Infrastructure Deployment
Choose a General Purpose or Compute Optimised VM in your cloud admin page if you wish to secure a cloud device or instance. Alternatively, the SDi Alibaba Cloud software can also be deployed on a physical device for on-premise security.
Select Linux Ubuntu as the operating system.
For fewer than about 1,000 devices spread across different regions, or for text-focused content, pick a machine with approximately 4 GB of memory.
If dealing with localised endpoints or data-heavy content (such as video), opt for an 8 GB machine.
For larger operations, such as managing up to 10,000 endpoints, select a machine with 16-32 GB of memory and at least 4 vCPUs (for a cloud VM). Adjust based on the type of data being secured. To accommodate more connections, deploy an additional SDi Gateway.
Select SSD storage for the machine. Scale storage with the number of connections you expect to receive; for most use-cases around 2-5 GB of free space is sufficient.
Deploy this machine on the same cloud network (vNet, VPC, etc) or physical network as the device you wish to secure.
Make sure the machine is assigned a public IP address (for cloud usage).
If you wish to use a load balancer, make sure it supports session persistence and end-to-end encryption (i.e., it must pass the encrypted stream through to the SDi machine rather than terminating it).
Configure Network Security Settings
From the admin page, go to the network security settings of the VM (the security group, on Alibaba Cloud) or to the router/firewall in front of the physical machine and open a port (e.g., 8080) for inbound TCP traffic. This is the port on which the machine hosting the SDi Alibaba Cloud software receives data from other SDi instances.
(Optional but strongly recommended) Restrict inbound access on that port to specific source IPs: the addresses you administer the machine from and/or the public IPs of the other SDi units. A port left open to the whole internet receives unsolicited connection attempts from anyone who scans it.
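Cloud security-group rules are best mirrored on the host itself, so the port stays closed to the internet even if a cloud rule is later loosened. The following is an added example (not Bastionne's tooling and not part of the original instructions) that validates an IPv4 allowlist and prints the ufw commands for an Ubuntu host: administrative addresses get SSH and the SDi port, peer SDi units get the SDi port only. The port 8080, the helper names and the RFC 5737 example addresses are assumptions; substitute the port you designated and your real addresses.

```shell
#!/bin/sh
# Added example, not part of the SDi software. Generates host-firewall (ufw)
# rules that allow the SDi port only from an explicit allowlist.
# Assumptions: port 8080, and the example (RFC 5737) addresses below.

SDI_PORT=8080
ADMIN_IPS="203.0.113.5"            # where you SSH in from: gets 22 and the SDi port
PEER_IPS="198.51.100.7 198.51.100.0/24"  # other SDi units: get the SDi port only

# Accept "a.b.c.d" or "a.b.c.d/nn"; returns 1 for anything else (including IPv6).
is_ipv4_or_cidr() {
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then          # a "/" is present: check the prefix length
        prefix=${1#*/}
        case $prefix in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$prefix" -le 32 ] || return 1
    fi
    old_ifs=$IFS; IFS=.
    set -- $addr                          # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ufw commands for port $1, admin list $2 and peer list $3
# (space-separated). Prints nothing and returns 1 if any entry is malformed,
# so a typo cannot silently become an "allow from anywhere" rule.
ufw_rules_for() {
    port=$1; admin=$2; peers=$3
    for src in $admin $peers; do
        is_ipv4_or_cidr "$src" || { echo "invalid source address: $src" >&2; return 1; }
    done
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    for src in $admin; do
        echo "ufw allow from $src to any port 22 proto tcp"
        echo "ufw allow from $src to any port $port proto tcp"
    done
    for src in $peers; do
        echo "ufw allow from $src to any port $port proto tcp"
    done
    echo "ufw --force enable"
}

# Usage: review the output, then run it as root:
#   ufw_rules_for "$SDI_PORT" "$ADMIN_IPS" "$PEER_IPS" > sdi-ufw.sh && sudo sh sdi-ufw.sh
```

Allowing SSH only from the administrative addresses matters because "default deny incoming" would otherwise lock you out of the VM; keep the cloud security group and the host rules in agreement so that a change to one does not silently widen the other.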
Download SDi
On the newly deployed machine, install the SDi Alibaba Cloud software either manually or by running the command: [curl -L -o SDiAlibaba.zip "https://www.bastionne.com/_files/archives/45b038_c3d40160fc2c40cdbe9810ddd3d094cb.zip?dn=SDiAlibaba.zip"] (remove [ ] to run the command). Then unzip the package. If the unzip utility is not installed, install it with your package manager (e.g., sudo apt-get install unzip).
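Because the archive is fetched with curl and its executable is later run as root, check it before unpacking. The following is an added example, not part of the original instructions or Bastionne's installer. It assumes a SHA-256 digest of the archive obtained out of band from the vendor (the page does not publish one, so the value below is a placeholder) and uses curl -f so that an HTTP error page is never saved and unpacked as if it were the archive.

```shell
#!/bin/sh
# Added example, not Bastionne's installer. Downloads the SDi archive and
# refuses to unpack it unless its SHA-256 matches a digest obtained out of band.
# SDI_SHA256 is an ASSUMPTION/placeholder: the page publishes no digest.

SDI_URL='https://www.bastionne.com/_files/archives/45b038_c3d40160fc2c40cdbe9810ddd3d094cb.zip?dn=SDiAlibaba.zip'
SDI_ZIP=SDiAlibaba.zip
SDI_SHA256='<sha256 obtained from the vendor>'

# SHA-256 of a file as lowercase hex; works with GNU sha256sum or BSD shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 only when the file's digest equals $2 (compared case-insensitively).
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Download, verify, then unpack into ./sdi. A mismatch deletes the download.
install_sdi() {
    curl -fL -o "$SDI_ZIP" "$SDI_URL" || return 1      # -f: fail on HTTP errors
    if ! verify_sha256 "$SDI_ZIP" "$SDI_SHA256"; then
        echo "checksum mismatch for $SDI_ZIP; not unpacking" >&2
        rm -f "$SDI_ZIP"
        return 2
    fi
    command -v unzip >/dev/null 2>&1 || sudo apt-get install -y unzip
    unzip -o "$SDI_ZIP" -d sdi
}

# Usage (after replacing SDI_SHA256 with the real digest): install_sdi
```

Obtain the digest through a channel other than the download itself (vendor documentation, a signed message, a phone call), since a digest served from the same place as the archive proves nothing about who served it.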
Configuration
On the VM with SDi installed, open a terminal, type “screen” and press Enter. If screen is not installed, install it by running “sudo apt-get install screen”. This step is only necessary for cloud deployments; it keeps the Gateway running after you disconnect from the VM.
Navigate to where the SDi executable is stored and run “sudo ./BastionneBox”.
You will be prompted to generate or enter a 256-bit encryption key. Store this key securely and keep a backup of it: if the key is lost, or is compromised and must be replaced, you will have to reset the SDi instance and all data on it.
From here you will be asked whether to run the SDi unit in Lax or Lockdown Mode. Choose Lockdown for high-security use-cases (i.e., most use-cases); this completely removes connectivity to non-authorised endpoints (i.e., endpoints not secured with an SDi instance).
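If you choose to supply your own key rather than let SDi generate one, it must come from a proper random source and must not be readable by other users on the machine. The following is an added example (not part of SDi or the original instructions) that draws 32 bytes from the kernel CSPRNG, encodes them as 64 hex characters, writes them to a file only the owner can read, and checks both properties before you paste the value into the prompt. The file path, the helper names and the assumption that the key is entered as hex are mine, not the page's.

```shell
#!/bin/sh
# Added example, not part of the SDi software. Generates and safely stores a
# 256-bit key. Assumptions: the key is entered into SDi as 64 hex characters,
# and the file path below.

KEY_FILE="$HOME/sdi-key.hex"   # assumption; keep a backup copy off the VM

# 32 random bytes from the kernel CSPRNG -> 64 lowercase hex characters.
gen_key_hex() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# 0 iff the argument is exactly 64 hex characters (256 bits).
is_key_hex_256() {
    case $1 in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ ${#1} -eq 64 ]
}

# Write key $2 to path $1 with mode 0600. The umask is set in a subshell
# before the file is created, so there is no window where it is world-readable.
write_key_file() {
    path=$1
    key=$2
    is_key_hex_256 "$key" || return 1
    ( umask 077 && printf '%s\n' "$key" > "$path" )
}

# 0 iff the file is readable and writable by its owner only.
key_file_is_private() {
    perms=$(ls -l "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# Usage:
#   key=$(gen_key_hex) && write_key_file "$KEY_FILE" "$key" && key_file_is_private "$KEY_FILE"
#   then paste the contents of "$KEY_FILE" into the SDi prompt.
```

Back the key file up to a location that does not share the VM's fate (a password manager or an offline copy), and treat a lost backup as a compromise: the instructions above make clear that without the key the instance has to be reset.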
You will now be presented with 8 options. Type “4” and enter to configure a connection.
Enter the private IP address of the device you want to secure, which should be on the same cloud network (vNet, VPC, etc.) or physical network.
Enter the destination IP address, which is the public IP address of the other device you wish to secure (the client device connecting to the target).
Enter the public IP address of the SDi Accepter instance. It is fine if this is the same as the previously entered IP; if they have different public IPs, enter the Accepter's address here.
Enter the port you designated in step 2 (Configure Network Security Settings).
Choose whether to run this configuration in server mode: if the other SDi instance is used to secure remote users, select server mode on this Gateway. If the other Gateway is used to secure external resources such as servers, enter “no”.
Generate Sovereign MIM Code
You can now generate a MIM code for the configuration. Enter “2” and select the configuration you added in the previous step by entering its index, which will be “0” for the first configuration.
Copy the generated code and store it by a secure method for later use.
Start SDi Gateway
If you selected server mode during step 4 (Configure SDi Gateway), you can start the Gateway now by entering “3”.
If you did not select server mode during step 4, the other SDi Gateway must be configured first, assigned server mode and started before you can start this unit.
After starting the unit, detach from the screen session (if used) by pressing Ctrl-A followed by D. You can now close the VM session. To reattach to the session, connect to the VM using your preferred method and type “screen -r” in the terminal.