netbirdio / netbird

Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Additional Posture Checks #1741

Open ez1976 opened 3 months ago

ez1976 commented 3 months ago

Hi. After comparing Tailscale, Headscale and other zero-trust solutions, I really like NetBird (self-hosted), but since it is a zero-trust solution, the posture checks need to be enhanced.

for example:

Of course, if any of the posture checks fails, it should display a pop-up / CLI notification explaining why he can't connect, to minimize IT tickets.

braginini commented 3 months ago

Hey @ez1976

Thank you for the feedback! Your points totally make sense:

limit peers per user - since we use okta SSO, there is no way to limit the amount of peers that a user can connect from resulting in a possibility that the user will just connect from the virus-infected computer at home.

We have it in a roadmap. You can enable the peer approval setting. It will force manual admin approvals to make sure the right ones are joining.

image

Software check - our company's laptop have jumpcloud agent installed. it would be great if we can check if the jumpcloud agent is installed and updated

We are developing a process check that can be used to check whether a process runs on a machine. This is a simple version of a complete Jumpcloud integration that we will eventually support.

OS and Antivirus Updates - limit connection unless the OS is updated and the Antivirus/EDR agent is updated.

OS is already possible, check the Access Control -> Posture Checks -> Add Posture Check -> Operating System. You can specify OS versions. For Linux and Windows you can force a specific kernel version. https://netbird.io/knowledge-hub/open-source-zero-trust-networking

As for antivirus and EDR, we are currently working on CrowdStrike support. What do you have in mind here?

Of course, if any of the posture checks fails, it should display a pop-up / CLI notification explaining why he can't connect, to minimize IT tickets.

Makes sense!

P.S. Are you trying self-hosted or cloud NetBird?

ez1976 commented 3 months ago

I have the self hosted server installed and deployed. So far i love it

On Thu, Mar 21, 2024, 17:26 Misha Bragin wrote:

jzadir commented 3 weeks ago

Thank you for the awesome work! I am in the same boat! Peer approval would be really useful in self-hosted deploys, but any form of limit on the number and type of peers a user can add will do the trick.

ez1976 commented 3 weeks ago

Thank you for your reply. Since peer approval is only for cloud-hosted, I have found a workaround: since users are added per Okta group, they can log in with any machine,

but since the API now allows me to get the serial number of the computer, I run a script every 10 minutes that exports a list of NetBird peers, NetBird users and, via API, a list of computers on JumpCloud.

Then I compare each connected NetBird client's serial number to the expected computer in JumpCloud.

At first we just notified the users and IT; now we actually block the rogue peer in NetBird (I put them in a group that has no access to anywhere) and notify the user, IT and his manager.

I think it would be wise to integrate with other MDMs to get the serial/antivirus/EDR or anything else that the admin wants to check against. It would be a lot easier for you guys to integrate a general MDM check via API (give the user the option to enter the API of the MDM, and they should provide the filters and value mapping). That way you get fully integrated with a lot of MDMs and we get control over which peers can log in with what (probably with an exception for IT or the CEO who wants to connect from other devices).

Let me know if you want me to show you the script I made. Thanks

On Sun, Jun 9, 2024, 00:37 José Zadir Ferreira Neto wrote:
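The reconciliation workflow ez1976 describes above (export NetBird peers, pull the JumpCloud device inventory, compare serial numbers, push unmatched peers into a no-access group) as an added, self-contained example. This is not the script posted in the thread and not NetBird's or JumpCloud's own code. The API responses are constructed samples embedded inline so the block runs offline; the endpoint URLs and the field names (`serial_number` and `user_id` on NetBird peers, `serialNumber` on JumpCloud systems, a `name` + `peers` body for updating a NetBird group) are assumptions about the two REST APIs and should be checked against live responses before deployment.

```python
"""Reconcile NetBird peers against a JumpCloud device inventory by serial number.

Added example, not the script from the thread. Sample API responses are
constructed inline so it runs offline; the field names are assumptions taken
from the NetBird and JumpCloud REST APIs and should be verified against live
responses before use.
"""
import json
import urllib.request

# Assumed endpoints: a self-hosted NetBird management API and JumpCloud's v1 API.
NETBIRD_API = "https://netbird.example.internal/api"
JUMPCLOUD_API = "https://console.jumpcloud.com/api"

# Constructed sample of GET {NETBIRD_API}/peers: one managed laptop, one home PC
# whose serial JumpCloud has never seen, and one device that reports no serial.
SAMPLE_NETBIRD_PEERS = [
    {"id": "p1", "name": "alice-laptop", "user_id": "alice@example.com",
     "connected": True, "serial_number": "C02XK1ABJG5H"},
    {"id": "p2", "name": "bob-home-pc", "user_id": "bob@example.com",
     "connected": True, "serial_number": "HOME-PC-9999"},
    {"id": "p3", "name": "ceo-tablet", "user_id": "ceo@example.com",
     "connected": False, "serial_number": ""},
]

# Constructed sample of the "results" array from GET {JUMPCLOUD_API}/systems.
SAMPLE_JUMPCLOUD_SYSTEMS = [
    {"_id": "s1", "hostname": "alice-laptop", "serialNumber": "c02xk1abjg5h"},
    {"_id": "s2", "hostname": "carol-laptop", "serialNumber": "C02YY2CDEF7K"},
]


def fetch_json(url, headers):
    """Minimal GET helper for live runs (not exercised by the offline sample)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def normalize_serial(serial):
    """The two sources disagree on case and padding, so compare a canonical form."""
    return (serial or "").strip().upper()


def managed_serials(systems):
    """Set of serials the MDM knows about; an empty serial is never 'known'."""
    return {normalize_serial(s.get("serialNumber")) for s in systems} - {""}


def find_rogue_peers(peers, systems, exempt_users=frozenset()):
    """Return peers whose serial is missing from the MDM inventory.

    Fails closed: a peer that reports no serial at all is rogue too, since a
    client that is not under management can simply omit it. Users listed in
    exempt_users (the IT/CEO exception the thread mentions) are skipped.
    """
    known = managed_serials(systems)
    return [
        peer for peer in peers
        if peer.get("user_id") not in exempt_users
        and normalize_serial(peer.get("serial_number")) not in known
    ]


def quarantine_group_body(group, rogue_peers):
    """Body for PUT {NETBIRD_API}/groups/{id} (assumed shape: name + peer ids)
    that adds the rogue peers to a no-access group without evicting the
    peers already in it."""
    peer_ids = [p["id"] for p in group.get("peers", [])]
    for peer in rogue_peers:
        if peer["id"] not in peer_ids:
            peer_ids.append(peer["id"])
    return {"name": group["name"], "peers": peer_ids}


def describe(rogue_peers):
    """Human-readable lines for the notification to the user, IT and manager."""
    return [
        f"{p['name']} ({p['user_id']}) serial={p.get('serial_number') or '<none>'}"
        for p in rogue_peers
    ]


if __name__ == "__main__":
    rogue = find_rogue_peers(SAMPLE_NETBIRD_PEERS, SAMPLE_JUMPCLOUD_SYSTEMS,
                             exempt_users={"ceo@example.com"})
    quarantine = {"id": "g-quarantine", "name": "Quarantine", "peers": []}
    print("\n".join(describe(rogue)))
    print(json.dumps(quarantine_group_body(quarantine, rogue)))
```

Two caveats worth keeping in mind when running something like this on a schedule. The serial number is reported by the NetBird client itself, so this catches unenrolled or personal devices rather than a deliberately spoofed one; it is a compensating control, not a replacement for an attested posture check. And the "group with no access" only blocks traffic if every policy is group-scoped and the quarantine group appears in none of them, so the policy list should be audited whenever a new one is added.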