Key Capabilities and Features of Banyan's Netagent
- Updated on Jun 17, 2021
- Supported Linux Distros
- Netagent Features
Netagent is the core component of Banyan’s Access Tier. It is a light-weight identity-aware cloud-managed proxy written in Golang, that runs on Linux servers. Netagent is designed to be similar in deployment to open-source proxies such as Nginx, but is focused on Zero Trust security functionality.
The internal modules that comprise the Netagent are depicted in the diagram below:
Netagent functions primarily as a reverse proxy, intercepting traffic on specified ports on a Linux server. By default Netagent intercepts traffic on the following ports:
- 443/tcp - for web services, accessed via a browser
- 8443/tcp - for infrastructure services, accessed via the Banyan App
- 51820/udp - for service tunnels, that enable network access
Netagent leverages various Linux kernel functionality to manage and forward traffic, including:
Note that Netagent is delivered as a Linux package (and NOT a Virtual Appliance), so it can be easily orchestrated in many varieties of cloud-native deployments.
Supported Linux Distros
The Netagent binary can be installed on Virtual or Physical 64-bit Linux Servers.
Officially Supported: the following distros are supported, when run with an officially released kernel:
- Amazon-Linux (2011.09-2018.03) and Amazon-Linux-2
- CentOS 7.x and RHEL 7.x
- Ubuntu 16.04+
Support Deprecated: the following Linux distros are no longer supported:
- CentOS 6.x
- Ubuntu 12.04, 14.04
If you’re running an unsupported distro or a custom kernel, please contact us for tailored installation instructions.
Health Check, Logs, Metrics
Operations teams can use Netagent’s built-in logs and metrics capabilities to set up high-availability configurations and detailed monitoring.
- Health Check - When functioning correctly, Netagent listens on a TCP port (default:
9998). Monitoring tools can establish a connection to the health check port to confirm Netagent health.
- Logs - Netagent saves logs to both console and file; you can manage the log level via the Netagent Configuration. To change the location (default:
/var/log/banyan/netagent.log), set the environment variable
LOGFILENAME. You can also similarly configure
syslogdaemon to gather Netagent logs.
- Metrics - Netagent uses the statsd format to aggregate and summarize its metrics. Once you set the Netagent Configuration to emit to your
statsddaemon, you can start collecting Netagent metrics including: tx/rx bytes, http response code, http response time, unauthorized attempts, error counts, etc. Metrics are emitted per service id.
Denial of Service (DoS) Protection using the BadActor Module
Because is is deployed internet-facing scenarios, Netagent has built-in DoS protection capability. The DoS capability can be enabled via Netagent Configuration,
bad_actor parameter. The DoS functionality is similar to tools such SSHGuard and Fail2ban.
The DoS feature detects clients that continually make unauthorized accesses to services, and labels them as “bad actors”. If a bad actor surpasses the configured unauthorized request threshold (set by the
infraction_count), Netagent automatically sets a firewall rule to ignore their traffic (via IP address) temporarily (accordingly to
sentence_time), thereby placing them in a “jail”.
Host Agent Mode
In some scenarios, you may wish to deploy the Netagent directly on hosts on which you run workloads, instead of as a gateway. We call this the Host Agent mode.
When Netagent runs in Host Agent mode, it has some additional capabilities, including:
- network visibility into all host networking
- auto-discovery of workloads (processes and Docker containers)
- automatic interception of service traffic
- forward proxy to upgrade service communications to MTLS