Manage access with posture checks

NetBird helps administrators control who can access their network by creating policies. These policies decide which groups of peers are allowed to interact with one another, based on criteria like port, protocol and traffic direction.

Administrators can further refine access control through posture checks to enhance their existing policies. For example, they can verify whether a peer is using a specified version of NetBird, has the necessary version of an operating system, and is located within a permitted location before allowing it to join the network.

By adding these posture checks to the policies, NetBird makes sure only devices that meet certain security requirements can access the network. This helps keep the network safe and follows the Zero Trust approach, which means not trusting any device by default.

Concepts

While we plan to expand the range of posture checks, these are the checks currently available for you to enforce:

NetBird Client Version Check
Country & Region Check
Operating System Check
Peer Network Range Check

high-level-dia

NetBird Client Version Check

The NetBird client version check ensures that only devices with the specified version of NetBird installed can connect to the network, preventing security risks from outdated or incompatible versions.

Geolocation (Country & Region) Check

The geolocation check examines the connecting device's geographical location based on its IP address. This check allows to either block or allow access from certain geographic regions, offering country-wide and city-level granularity.

When allowing access from specific locations in the network settings, all other locations are automatically blocked. Conversely, blocking certain locations means only those are blocked, while access remains open for all other locations.

Operating System Check

The operating system version check evaluates the operating system (OS) version running on the connecting device. This check allows for enforcing minimum OS requirements, ensuring that only devices with up-to-date and secure operating systems can access network resources.

The Operating System Check requires NetBird version 0.26.0 or newer.

The check evaluates the actual OS version for Android, macOS, and iOS, while for Linux and Windows, it assesses the kernel version.

Below are some examples of OS versions for each operating system:

Android 14 Upside Down Cake: 14, 14.3
macOS 13 Ventura: 13, 13.6.4
macOS 14 Sonoma: 14, 14.3.1
iOS 16 / iPadOS 16: 16, 16.7.5
Linux kernel: 6, 6.7.5
Windows 10, version 22H2: 10.0.19045
Windows 11, version 23H2: 10.0.22631
Windows Server 2022, Version 21H2: 10.0.20348

Peer Network Range Check

The peer network range check verifies if a device is in certain IP ranges before it can connect. This check is useful when wanting to control access based on the network location of a peer. For example, disabling a connection to a routing peer when the peer is connecting from the office network range.

Managing posture checks

Posture checks are dynamic, and you can create a policy with multiple posture checks. A single posture check can also be applied across multiple policies. When managing posture checks, you can update them as per your requirements.

Deleting a posture check is only possible if it's not currently used in any policy. If a posture check is in use, you need to unassign it from the respective policy before you can delete it. This precaution ensures the continuity and integrity of your security setup.

Here are some steps to help you create and manage your posture checks effectively:

In the example below, we are creating a posture check that will only allow clients running NetBird version 0.25.0 or higher to connect and access network resources.