Skip to content

Commit

Permalink
Setup keys access internal resources autoscaled env (#242)
Browse files Browse the repository at this point in the history
  • Loading branch information
damasosanoja authored Oct 11, 2024
1 parent 42a4342 commit 0f1ca88
Show file tree
Hide file tree
Showing 38 changed files with 479 additions and 0 deletions.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
4 changes: 4 additions & 0 deletions src/components/NavigationDocs.jsx
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,10 @@ export const docsNavigation = [
title: 'Add Servers to the Network',
href: '/how-to/setup-keys-add-servers-to-network'
},
{
title: 'Access from Kubernetes',
href: '/how-to/access-internal-resources-from-autoscaled-environments'
},
]
},
{
Expand Down

Large diffs are not rendered by default.

144 changes: 144 additions & 0 deletions src/pages/how-to/peer-approval-for-remote-worker-access.mdx
Original file line number Diff line number Diff line change
@@ -0,0 +1,144 @@
# Peer Approval for Remote Worker Access with NetBird

For organizations embracing remote work, ensuring secure network access for distributed teams is a paramount challenge. Traditionally, VPNs and remote desktop solutions have been the standard for granting access to company resources. However, these methods often fall short in today's dynamic work environment, especially when dealing with freelancers and temporary workers.

The conventional approach to remote worker access presents several security and operational challenges:

* **Increased Security Risks**: Granting blanket access to network resources can expose sensitive data to potential breaches, especially when dealing with external collaborators.
* **Device Management Complexity**: Ensuring that only authorized and secure devices connect to the network becomes increasingly difficult as the number of remote workers grows.
* **Lack of Granular Control**: Traditional solutions often lack the flexibility to implement fine-grained access policies based on user roles and device trust levels.
* **Scalability Issues**: As teams expand and contract, managing access for a fluctuating workforce can become a time-consuming and error-prone process.

This guide introduces NetBird's Peer Approval as a robust solution for secure remote worker access by:

* **Implementing Zero-Trust Principles**: Ensuring that every device and user is verified before granting network access, regardless of their location.
* **Simplifying Device Trust Management**: Providing a streamlined process for approving and managing trusted devices within the network.
* **Enhancing Access Control**: Offering granular control over network resources, allowing organizations to tailor access based on user roles and device status.
* **Improving Scalability**: Facilitating easy onboarding and offboarding of remote workers, including freelancers, without compromising network security.

Let's explore the step-by-step process of implementing [Peer Approval with NetBird](https://docs.netbird.io/how-to/approve-peers) to ensure that only trusted devices can access your network.

## Prerequisites

To replicate this use case, you'll need the following prerequisites:

* An main [NetBird account](https://app.netbird.io/) with administrative privileges.
* A secondary email address not linked to any NetBird account to simulate the freelancer's email.
* [NetBird installed](https://docs.netbird.io/how-to/installation) on the main device.

With these prerequisites in place, you're ready to simulate granting network access to a temporary remote worker using NetBird's Peer Approval feature by:

1. Setting up NetBird's access control policies for enhanced security
2. Enabling peer approval
3. Inviting users to join your network
4. Installing NetBird on the remote worker device
5. Approving peers
6. Automating peer approval with EDR integration (optional)

## 1. Setting Up NetBird's Access Control Policies For Enhanced Security

Before onboarding remote workers, ensure your organization has appropriate [access control policies](https://docs.netbird.io/how-to/manage-network-access) in place. Adhering to zero-trust principles, create or modify policies to grant new users access only to necessary resources.

Navigate to `Access Control > Policies` in the NetBird admin console, then click `Add Policy` or edit an existing one to define these restrictions. Here's a sample policy that grant any member of the `Freelancers` group access to the resources in the group `On-Premise-DB`.

![NetBird Freelancer Access Control Policy](/public/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-0-01.png)

If necessary, you can also set [posture checks](https://docs.netbird.io/how-to/manage-posture-checks) for this policy.

![NetBird Freelancer Posture Check](/public/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-0-02.png)

Moreover, it is a best practice to disable the `Default` policy to enforce only restrictive, custom-defined access controls.

![NetBird Access Policy View](/public/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-0-03.png)

With appropriate access policies in place, you're ready to enable NetBird's Peer Approval feature.

## 2. Enabling Peer Approval

To enable peer approval, go to `Settings > Authentication` and activate the `Peer approval` toggle, then click `Save Changes`.

![NetBird Freelancer Device Dashboard](/public/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-02.png)

With `Peer Approval` activated, new members will see an `Approval required` message when joining. Administrators must grant access, ensuring only vetted users enter the NetBird network, thus enhancing overall security.

## 3. Inviting Users to Join Your Network

To invite a new user to join your NetBird network, go to `Team > Users` and click the `Invite User` button.

![NetBird Invite Users](/public/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-03.png)

A pop-up window appears for new user registration. Enter the user's name, email address, and select the `Freelancers` group from the dropdown menu. NetBird's auto-assignment feature instantly links the new user to the `Freelancers` group upon network entry, automatically applying the associated access policy you just created.

![NetBird Invite User Pop Up](/public/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-04.png)

After clicking `Send Invitation`, you'll return to the `Users` dashboard. Here, the new user appears with a `Pending` status, awaiting their acceptance of the invitation and any required approvals.

![NetBird New User Pending](/public/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-05.png)

## 4. Installing NetBird On The Remote Worker Device

Access the secondary email account used to mimic the freelancer. In the inbox, locate the invitation email from NetBird. This email contains a secure link to join your organization's NetBird network, initiating the freelancer's onboarding process.

![Email NetBird Invitation](/public/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-06.png)

After clicking the invitation link, you'll be directed to NetBird's secure account creation page. Follow the on-screen instructions to create a new password.

![NetBird Login](/public/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-07.png)

Upon logging in, you'll arrive at NetBird's Peers dashboard. Locate and click the `Add Peer` button to initiate the [Getting Started](https://docs.netbird.io/how-to/getting-started) Wizard, which guides you through the process of adding a new device to the network.

![NetBird Freelancer Peers Dashboard](/public/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-08.png)

The wizard will detect your operating system and provide detailed step-by-step instructions on how to [install NetBird](https://docs.netbird.io/how-to/installation).

![NetBird Freelancer Install Client](/public/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-09.png)

During your initial connection to NetBird, a system dialog will appear requesting authorization. This prompt asks for permission to access your profile and email information, which is necessary for NetBird to establish your account and network access.

![NetBird Authorize App](/public/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-10.png)

After completing the installation, your device will appear in the Peers dashboard. Hover over the `+1` in the `Assigned Groups` column to confirm the device has automaticaclly assigned to the `Freelancers` group as expected.

![NetBird Freelancer Peers Listed](/public/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-11.png)

## 5. Approving Peers

Back to your primary account, you'll notice the newly added user's status is now displayed as `Active` in the `Users` dashboard. This status update confirms that the device has successfully added to the NetBird network and is ready for secure communication.

![NetBird Peers Dashboard](/public/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-12.png)

However, your approval is required before the user's device can fully connect to the NetBird network. To grant network access:

* Navigate to the `Peers` dashboard
* Locate the newly added device
* Click the `Approve` button next to the device
* Confirm the action when prompted

![NetBird Approve New Peer](/public/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-13.png)

After approval, the device is granted full access to network resources allocated to the `Freelancers` group. The freelancer can now view all accessible network resources in their `Peers` dashboard:

![NetBird Freelancer Peers View](/public/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-16.png)

Likewise, as an administrator, you can click on the user's device to see which resources and peers the freelancer has access to.

![NetBird Main Account Peers View](/public/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-17.png)

## 6. Automating Peer Approval with EDR Integration (optional)

NetBird's EDR (Endpoint Detection and Response) integration enhances network security by restricting access to devices managed by your organization's IT department. This feature synchronizes the list of devices managed by the EDR platform via API and verifies the presence of the EDR agent on each device. If the agent is not installed, access to the network is blocked.

Key aspects of NetBird's EDR integration:

* Supports [CrowdStrike Falcon](https://www.crowdstrike.com/products)
* Allows selective application of EDR checks to specific device groups
* Automates peer approval process for trusted devices
* Available only in the cloud version of NetBird

To activate this feature, navigate to `Integrations > EDR` and activate the CrowdStrike integration toggle.

![NetBird EDR Integration](/public/docs-static/img/how-to-guides/peer-approval-for-remote-worker-access/peer-a-18.png)

For more information regarding NetBird's EDR integration, refer to the [documentation](https://docs.netbird.io/how-to/endpoint-detection-and-response)


0 comments on commit 0f1ca88

Please sign in to comment.