SDi Installation Walkthrough
Deployment Information
The following walkthrough covers a sample SDi use-case and deployment to secure the interaction between a client device and a remote server. This walkthrough uses the standard SDi MS Azure or Alibaba Cloud to SDi Accepter configuration; however, it is also possible to run the configuration by connecting two SDi MS Azure or Alibaba Cloud instances.
Cloud or remote facility:
Target server private IP: 10.0.0.5
Target server public IP: 85.222.1.100
SDi MS Azure or Alibaba Cloud Linux host machine private IP: 10.0.0.4
SDi MS Azure or Alibaba Cloud Linux host machine public IP: 85.222.1.200
Both of the above devices are on the same local or cloud network (vNet, VPC, etc.).
Designated port to allow traffic: 8080
Client device environment:
Client device private IP: 192.168.1.80
SDi MS Azure or Alibaba Cloud Linux host machine private IP: 192.168.1.90
Both of the above devices are on the same local network.
Network public IP: 87.111.1.300
Designated port to allow traffic: 8080
SDi MS Azure or SDi Alibaba Cloud
Download and install SDi MS Azure or Alibaba Cloud on the designated Linux (Ubuntu) machine. This device can be either a VM or a physical computer.
Make sure the target device on the same network can reach this machine over your intranet; for on-premise scenarios, ideally over Ethernet cables with Wi-Fi turned off on the target device. If Wi-Fi must be used on the target device, update the target device's firewall rules to allow data only from the private IP address of the SDi unit.
Navigate to where the SDi software is installed, and run it with the command "sudo ./BastionneBox".
Provide a 256-bit key or generate one as per the on-screen instructions. Keep this key securely stored and make a backup of it.
Run the SDi unit in "Lockdown Mode" by entering "1".
Enter "4" to configure a new connection.
Enter the local private IP, 10.0.0.5, of the target you want to secure, i.e. the server.
Enter the destination IP, i.e. the public IP address, of the client device that needs to connect with the target server: 87.111.1.300.
Enter the public IP address of the other SDi instance: 87.111.1.300. It is fine if this public IP is the same as the one previously entered; however, for more elaborate configurations it is also possible to designate a unique public IP for the client environment's SDi unit.
Enter 8080 when asked for the port.
Choose server mode when prompted.
Enter "2" to generate a code for the connection. You will now be asked for a subscription ID/License Code, which is obtainable from either the MS Azure Marketplace or the Alibaba Cloud Marketplace.
Enter the subscription ID/License Code.
The SDi instance will now generate a long code. Copy the value of this code, e.g. g5H7l086........., then press Enter.
Enter "3" to start the security process.
Disable all inbound public IP access to the target server. This device should now only be reachable via the SDi unit deployed on the same private network.
SDi Accepter
Download and install SDi on the designated Linux (Ubuntu) machine. This device can be either a VM or a physical computer.
Make sure the target device on the same network can reach this machine over your intranet, ideally over Ethernet cables with Wi-Fi turned off on the target device. If Wi-Fi must be used on the target device, update the target device's firewall rules to allow data only from the private IP address of the SDi Accepter unit.
Navigate to where the SDi software is installed, and run it with the command "sudo ./BastionneBox".
Provide a 256-bit key or generate one as per the on-screen instructions. Keep this key securely stored and make a backup of it.
Run the SDi unit in "Lockdown Mode" by entering "1".
Enter "4" to configure a new connection.
Enter the local private IP, 192.168.1.80, of the client device you want to secure.
Enter the destination IP, i.e. the public IP address, of the target server: 85.222.1.100.
Enter the public IP address of the other SDi instance: 85.222.1.200. It is fine if the public IP of the other SDi unit is the same as the destination; however, specifying unique ones allows you to create more elaborate connections and build in redundancy.
Enter 8080 when asked for the port.
Choose no when asked if you want to run this connection in server mode.
Enter "1", then enter the code previously generated, i.e. g5H7l086.........
Enter "3" to start the security process.
Head to the client device and set the default gateway to that of the SDi unit deployed on the same local network, i.e. 192.168.1.90.
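As an added example (not the walkthrough's own steps and not code from the BastionneBox software), the following POSIX shell script builds the inbound firewall policy that both the target server step and the client device step ask for (allow data only from the SDi unit's private IP) and checks that a client's default route points at its SDi unit. The SDi private IP is a parameter so the same generator serves both devices; the route line fed to the check is constructed and its interface name is assumed.

```shell
#!/bin/sh
# Added example; not part of the SDi walkthrough or the BastionneBox software.
# Emits an iptables-restore ruleset so a device accepts inbound traffic only
# from the SDi unit on its own private network, and checks that a client's
# default route points at the SDi unit. IPs are the walkthrough's sample values.
set -eu

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print a ruleset accepting new inbound traffic only from the SDi unit at $1
# (any protocol: the walkthrough does not state which one the SDi unit uses on
# the private side). Loopback and replies to the device's own outbound
# connections stay allowed; everything else is logged and dropped.
sdi_inbound_rules() {
    valid_ipv4 "$1" || { echo "bad SDi private IP: $1" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $1/32 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "SDI-DROP: "
COMMIT
EOF
}

# Return 0 if the 'ip route show default' output in $1 routes via the SDi unit $2.
sdi_gateway_ok() {
    case "$1" in
        "default via $2 "*|"default via $2") return 0 ;;
        *) return 1 ;;
    esac
}

# Target server 10.0.0.5: accept only from the SDi unit at 10.0.0.4.
sdi_inbound_rules 10.0.0.4
# Client device 192.168.1.80: accept only from the SDi Accepter at 192.168.1.90.
sdi_inbound_rules 192.168.1.90 > /dev/null
# Constructed route line (interface name assumed) as the client shows it after step 48.
sdi_gateway_ok "default via 192.168.1.90 dev eth0" 192.168.1.90 && echo "gateway ok"
```

Save the printed ruleset to a file on the protected device and apply it with `sudo iptables-restore < sdi-inbound.rules`, after confirming from a console session that the SDi unit's private IP is correct, since the default policy drops everything else.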
Testing and Additional Considerations
Head to the client device, 192.168.1.80, and try to ping the target server: 85.222.1.100. If it works, everything is up and running and the deployment was successful! You can now run whatever processes you wish between the client and the target server.
Note that this was a test deployment; the security processes will halt when you exit the terminal sessions. To keep SDi running in the background, use "screen" as per the instructions in the SDi manuals.
SDi works best if each client and each target device has its own SDi instance protecting it, as this creates a micro-segmented network, which is superior for security. However, due to budget constraints this will not always be possible, so there are two options:
If there are duplicate configurations (the same client environment public IP to the same target server public IP/SDi public IP), the SDi unit will issue a warning saying this is not allowed. When this happens, you can designate an additional port, such as 9000, for this configuration. This allows the SDi processes to work as usual while offering some segmentation; there are ~65 000 ports at your disposal for scenarios like this.
Alternatively, if the above does not fit the use-case, instead of forwarding to a target server directly, the SDi unit can first forward to another device which masquerades the traffic and then disperses it to the various targets. (Another device is placed between the SDi unit and the target server.) This setup will also work on the client side. Note that this is not as secure as having individual connections or connections on different ports, although it is possible to have high-security individual connections on an SDi unit in tandem with forwarding some traffic to an intermediary device which can then send traffic to other endpoints.