SDi Accepter Instructions
Download and Deployment
Download and Install SDi to Designated Linux (Ubuntu) Machine. This device can be either a VM or physical computer.
Computing requirements of the VM or physical computer will ultimately depend on the use-case. Each client device that connects to the target device should ideally have its own SDi unit for enhanced security; as a result, SDi can run on much smaller devices.
For example, a single-board computer or micro PC with 1 - 4 GB of memory is sufficient for most tasks; however, as load increases the machine should be scaled.
Go to https://www.bastionne.com/sdi/download to download or run [curl -L -o SDi-Accepter.zip "https://www.bastionne.com/_files/archives/45b038_e16cf9e712e04eb09ed9f6d46f23100a.zip?dn=SDi-Accepter.zip"] from the terminal of the designated machine. (Remove [ ] from the curl command to use it).
Make sure the target device on the same network can reach this machine via your intranet, ideally over ethernet cables with wifi turned off on the target device. If wifi must be used on the target device, update the target device's firewall rules to allow data only from the private IP address of the SDi Accepter unit.
Configure Network Security Settings if Device is also on a Cloud Network or on a DMZ, etc.
Designate a port (e.g., 8080) for incoming TCP data on your network firewall. This is where this SDi Gateway will receive data from other SDi units.
Restrict inbound access to specific IPs if you wish; these IPs will be those that you use to connect with remotely and/or the IPs of the other SDi unit(s). This is not strictly necessary, as SDi has a built-in whitelisting mechanism.
Configuration
Unzip the downloaded SDi Accepter file if you have not done so already: [unzip SDi-Accepter.zip]. If the unzip utility is not installed, you can install it with your package manager (e.g., [sudo apt-get install unzip]).
On the machine with SDi installed, open a terminal, type “screen” and press Enter. If screen is not installed you can install it by running [sudo apt-get install screen]. This step is only required if you connected remotely and intend to close the remote session after setup.
Navigate to where the SDi executable is stored and run “sudo ./BastionneBox”. You will be prompted to generate or enter a 256 bit encryption key. Keep this key securely stored and make a backup of it; if the key is compromised or lost you will have to reset the SDi unit and all data on it.
From here you will be asked whether you want to run the SDi instance in Lax or Lockdown Mode. Choose Lockdown for most use-cases; this will remove connectivity to non-authorised endpoints (i.e., endpoints not secured with a SDi instance).
You will now be presented with 8 options. Type “4” and press Enter to configure a connection.
Enter the private IP address of the device you want to secure, which should be on the same network.
Enter the destination IP address, which is the public IP address of the cloud device or the SDi instance in your cloud or remote network. If the SDi units are deployed on the same network, i.e. the destination address is a private IP address, an additional step is required; it is covered under Set Routes below.
Enter the IP address of the other SDi unit.
Important: accurately enter the port which you designated for the connection configuration. Both configurations on the SDi units must have the same port.
Choose the mode in which to run this SDi instance: it must be client if the other SDi unit's connection was configured as server, and vice versa. A SDi instance supports multiple connections that can each be in either server or client mode, but the other SDi unit it connects to must have the matching configuration in the opposite mode (e.g., SDi instance 1: client mode | SDi instance 2: server mode, or SDi instance 1: server mode | SDi instance 2: client mode). The choice of which mode to run each SDi unit in will ultimately depend on the use-case; however, it makes sense to configure the SDi unit protecting the device which needs the most uptime in server mode.
Sovereign MIM Code
Enter “1” and select the configuration you added in the previous step by entering its index, which will be “0”.
Enter the code that you generated on the SDi Azure or SDi Alibaba Cloud unit.
Start SDi Accepter
If you selected client mode during configuration, make sure that the other SDi unit is already started, then enter “3”.
If the configuration was specified as server mode, start the gateway on this unit first by entering “3”.
If you intend to close the remote session to the Linux device hosting the SDi Accepter software: After starting the Gateway, detach from the screen session by pressing Ctrl-A followed by D. You can now terminate the connection. To reattach to the session, once you have connected to the Linux machine again, type “screen -r” in the terminal.
After the SDi instance has started, it is advised to remove connectivity for external devices to ports on the SDi machine that are not used in the configurations, e.g. port 22. You can open the port again when you need to connect to the machine; however, if more readily available connectivity is required, another SDi unit can be deployed on the same network to serve as a secure entry point.
Set Routes
Set the default gateway on the device, protected by the SDi Accepter unit, to the private IP address of the SDi Accepter unit.
If both SDi units are located on the same physical or virtual network you must set the network rules, on the device protected by the SDi unit, to forward traffic destined for the target (e.g., 10.0.0.7) to the SDi Accepter unit (e.g., 10.0.0.5). Command to do this: [sudo iptables -t nat -A PREROUTING -d 10.0.0.7 -j DNAT --to-destination 10.0.0.5]
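The two post-deployment checks the steps above imply (only the designated port listening on the SDi machine, and the protected device's default route pointing at the Accepter) can be scripted. This is an added example, not Bastionne's code; the port 8080 and address 10.0.0.5 are the page's own examples, and the sample `ss`/`ip route` output is constructed for demonstration.

```bash
#!/usr/bin/env bash
# Post-deployment sanity checks for an SDi Accepter deployment (added example).
SDI_PORT=8080              # port designated for inbound SDi traffic (assumption: adjust to yours)
SDI_ACCEPTER_IP=10.0.0.5   # private IP of the SDi Accepter unit (page example)

# unexpected_listeners <text of `ss -ltnH`>: prints each TCP listening port other than
# SDI_PORT once. Run on the SDi machine; anything printed should be closed to external devices.
unexpected_listeners() {
  printf '%s\n' "$1" | awk -v keep="$SDI_PORT" '
    NF >= 4 {
      n = split($4, a, ":"); port = a[n]        # works for 0.0.0.0:22 and [::]:22
      if (port != keep && !(port in seen)) { seen[port] = 1; print port }
    }'
}

# default_gw_ok <text of `ip route show default`>: returns 0 only if the default route
# points at the SDi Accepter. Run on the device protected by the Accepter.
default_gw_ok() {
  printf '%s\n' "$1" | awk -v gw="$SDI_ACCEPTER_IP" '
    $1 == "default" { for (i = 2; i < NF; i++) if ($i == "via" && $(i+1) == gw) ok = 1 }
    END { exit (ok ? 0 : 1) }'
}

# Constructed sample output; replace with "$(ss -ltnH)" and "$(ip route show default)" on the hosts.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'
SAMPLE_ROUTE_OK='default via 10.0.0.5 dev eth0 proto static'
SAMPLE_ROUTE_BAD='default via 10.0.0.1 dev eth0 proto dhcp'

extra=$(unexpected_listeners "$SAMPLE_SS")
[ -n "$extra" ] && echo "Listening ports besides $SDI_PORT (close to external devices): $(echo "$extra" | tr '\n' ' ')"
if default_gw_ok "$SAMPLE_ROUTE_OK"; then echo "default route OK"; fi
if ! default_gw_ok "$SAMPLE_ROUTE_BAD"; then echo "default route does NOT go via the SDi Accepter"; fi
```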