Manage access with posture checks

NetBird helps administrators control who can access their network by creating policies. These policies decide which groups of peers are allowed to interact with one another, based on criteria like port, protocol and traffic direction.

Administrators can further refine access control through posture checks to enhance their existing policies. For example, they can verify whether a peer is using a specified version of NetBird, has the necessary version of an operating system, and is located within a permitted location before allowing it to join the network.

By adding these posture checks to the policies, NetBird makes sure only devices that meet certain security requirements can access the network. This helps keep the network safe and follows the Zero Trust approach, which means not trusting any device by default.

Concepts

While we plan to expand the range of posture checks, these are the checks currently available for you to enforce:

  • NetBird Client Version Check
  • Country & Region Check
  • Operating System Check
  • Peer Network Range Check
  • Process Check

high-level-dia

NetBird Client Version Check

The NetBird client version check ensures that only devices with the specified version of NetBird installed can connect to the network, preventing security risks from outdated or incompatible versions.

Geolocation (Country & Region) Check

The geolocation check examines the connecting device's geographical location based on its IP address. This check allows to either block or allow access from certain geographic regions, offering country-wide and city-level granularity.

Operating System Check

The operating system version check evaluates the operating system (OS) version running on the connecting device. This check allows for enforcing minimum OS requirements, ensuring that only devices with up-to-date and secure operating systems can access network resources.

The check evaluates the actual OS version for Android, macOS, and iOS, while for Linux and Windows, it assesses the kernel version.

Below are some examples of OS versions for each operating system:

  • Android 14 Upside Down Cake: 14, 14.3
  • macOS 13 Ventura: 13, 13.6.4
  • macOS 14 Sonoma: 14, 14.3.1
  • iOS 16 / iPadOS 16: 16, 16.7.5
  • Linux kernel: 6, 6.7.5
  • Windows 10, version 22H2: 10.0.19045
  • Windows 11, version 23H2: 10.0.22631
  • Windows Server 2022, Version 21H2: 10.0.20348

Peer Network Range Check

The peer network range check verifies if a device is in certain IP ranges before it can connect. This check is useful when wanting to control access based on the network location of a peer. For example, disabling a connection to a routing peer when the peer is connecting from the office network range.

Process check

The process check verifies whether a specific process is running on the connecting device. This check is useful when you want to control access based on the presence of a specific process on the connecting device. It's applicable to Linux, macOS, and Windows devices.

Managing posture checks

Posture checks are dynamic, and you can create a policy with multiple posture checks. A single posture check can also be applied across multiple policies. When managing posture checks, you can update them as per your requirements.

Deleting a posture check is only possible if it's not currently used in any policy. If a posture check is in use, you need to unassign it from the respective policy before you can delete it. This precaution ensures the continuity and integrity of your security setup.

Here are some steps to help you create and manage your posture checks effectively:

In the example below, we are creating a posture check that will only allow clients running NetBird version 0.25.0 or higher to connect and access network resources.

Creating posture checks

Access the Access Control tab, then the Posture Checks section, and click Create Posture Check.

high-level-dia

This will bring up a screen for configuring posture checks, where you can configure settings.

high-level-dia

Select the NetBird Client Version check option and Type in the desired NetBird version; for this example, we are using :

  • Version: 0.25.0

high-level-dia

Click Save, and the NetBird Client Version check will be enabled.

high-level-dia

Click Continue, fill out the form with the following information, and click Create Posture Check to save:

  • Name of the posture check: NetBird Version > 0.25.0
  • Description: Allow NetBird client with version 0.25.0 or greater

high-level-dia

Adding posture checks to policy

Navigate to the Access Control tab and select the Policies section.

high-level-dia

Choose the policy to which you want to assign the posture check. This will open the policy update screen. Then, select the Posture Checks tab.

high-level-dia

Click Browse Checks and select the posture check we created earlier, NetBird Version > 0.25.0. Then, click Add Posture Checks.

high-level-dia

The NetBird Version check will be assigned to the policy. Click Save Changes to save the policy updates.

high-level-dia