Netagent is the core component of Banyan’s Access Tier. It is a lightweight, identity-aware, cloud-managed proxy written in Golang that runs on Linux servers. Netagent is designed to be similar in deployment to open-source proxies such as Nginx, but is focused on Zero Trust security functionality.
The internal modules that comprise the Netagent are depicted in the diagram below:
Netagent functions primarily as a reverse proxy, intercepting traffic on specified ports on a Linux server. By default Netagent intercepts traffic on the following ports:
Netagent leverages various Linux kernel functionality to manage and forward traffic, including:
Note that Netagent is delivered as a Linux package (and NOT a Virtual Appliance), so it can be easily orchestrated in many varieties of cloud-native deployments.
The Netagent binary can be installed on Virtual or Physical 64-bit Linux Servers.
Officially Supported: the following distros are supported, when run with an officially released kernel:
Support Deprecated: the following Linux distros are no longer supported:
If you’re running an unsupported distro or a custom kernel, please contact us for tailored installation instructions.
Operations teams can use Netagent’s built-in logs and metrics capabilities to set up high-availability configurations and detailed monitoring.
9998). Monitoring tools can establish a connection to the health check port to confirm Netagent health.
/var/log/banyan/netagent.log), set the environment variable LOGFILENAME. You can also similarly configure the syslog daemon to gather Netagent logs.
statsd daemon, you can start collecting Netagent metrics including: tx/rx bytes, http response code, http response time, unauthorized attempts, error counts, etc. Metrics are emitted per service id.
Because it is deployed in internet-facing scenarios, Netagent has built-in DoS protection capability. The DoS capability can be enabled via Netagent Configuration, using the bad_actor parameter. The DoS functionality is similar to tools such as SSHGuard and Fail2ban.
The DoS feature detects clients that continually make unauthorized accesses to services and labels them as “bad actors”. If a bad actor surpasses the configured unauthorized request threshold (set by infraction_count), Netagent automatically sets a firewall rule to temporarily ignore traffic from their IP address (for the duration set by sentence_time), thereby placing them in a “jail”.
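The following Go model of the jail behaviour described above is an added example, not Netagent's own code. The `Jail` type, its methods, the in-memory state (standing in for the firewall rule) and the reset of the counter on release are assumptions; only the `infraction_count` and `sentence_time` semantics come from the text.

```go
package main

import (
	"fmt"
	"time"
)

// Jail models infraction_count / sentence_time; all names here are hypothetical.
type Jail struct {
	InfractionCount int           // unauthorized requests tolerated per client IP
	SentenceTime    time.Duration // how long a jailed IP is ignored
	infractions     map[string]int
	releaseAt       map[string]time.Time
}

func NewJail(count int, sentence time.Duration) *Jail {
	return &Jail{count, sentence, map[string]int{}, map[string]time.Time{}}
}

// Jailed reports whether traffic from ip should be ignored at time now.
func (j *Jail) Jailed(ip string, now time.Time) bool {
	until, ok := j.releaseAt[ip]
	if ok && !now.Before(until) { // sentence served: release, reset (assumed)
		delete(j.releaseAt, ip)
		delete(j.infractions, ip)
		ok = false
	}
	return ok
}

// Unauthorized records one unauthorized request; true means ip was just jailed.
func (j *Jail) Unauthorized(ip string, now time.Time) bool {
	if j.Jailed(ip, now) {
		return false // already ignored; nothing new to record
	}
	j.infractions[ip]++
	if j.infractions[ip] > j.InfractionCount { // "surpasses" the threshold
		j.releaseAt[ip] = now.Add(j.SentenceTime)
		return true
	}
	return false
}

func main() {
	j, t0 := NewJail(3, 10*time.Minute), time.Unix(0, 0) // constructed clock
	for i := 1; i <= 4; i++ {
		fmt.Println(i, j.Unauthorized("203.0.113.7", t0)) // constructed client IP
	}
}
```

Passing the clock in as a parameter lets the release boundary be checked without waiting out a real sentence.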
In some scenarios, you may wish to deploy the Netagent directly on hosts on which you run workloads, instead of as a gateway. We call this the Host Agent mode.
When Netagent runs in Host Agent mode, it has some additional capabilities, including: