The Next Generation of Network Access and Security
Mobile work is now widespread. For companies, this increases the risk of attackers gaining unauthorized access from outside. How does your solution prevent this?
MIKHAIL BRAGIN: The core idea of NetBird is machine isolation from the outside world and even the inside world (data center or cloud). The NetBird agent runs on machines and creates a "bubble" around them so all incoming connections can be blocked, leaving no open holes for the attackers.
With NetBird, the system administrator can group teams and infrastructure to isolate machines, then create rules to allow connections and access between groups, limiting lateral movement in the network. That is all done from a central NetBird cloud panel without touching firewalls, appliances, and network configurations.
What are the challenges of traditional corporate VPNs?
MIKHAIL BRAGIN: In the traditional VPN model, everything converges on a centralized network where all clients connect to a central VPN server. An increasing number of connections can easily overload the VPN server. Even a short downtime of a server can cause expensive system disruptions and a remote team's inability to work. Centralized VPNs imply all the traffic going through the central server, causing network delays and increased traffic usage. Such systems require an experienced team to set up and maintain. Configuring firewalls, setting up NATs, SSO integration, and managing access control lists can be a nightmare. Traditional centralized VPNs are often compared to a castle-and-moat model in which, once accessed, a user is trusted and can access critical infrastructure and resources without any restrictions.
What are you working on right now? And what are your plans for 2024?
MIKHAIL BRAGIN: Currently, NetBird works on Linux, macOS, Windows, OpenWRT routers, Docker containers, and Android. We are improving our peer-to-peer connectivity layer to support more platforms and increase the performance and efficiency of the network. We are also adding more business features to the platform, such as group sync from popular identity providers and extensive user management systems.
For the end of 2023 and 2024, we plan to focus on advanced network security features to leverage AI when protecting private networks. This is a collaboration with CISPA as part of the StartUpSecure program.
The first step is to add context-based authentication to the peer-to-peer network functionality. It establishes security and access based on multiple types of context, such as department, location, device, and device status (e.g., managed or unmanaged, recognized or unrecognized, company-issued or employer-supplied, etc.), and many more. For example, a user might be successfully logged in, but she will be blocked if she is accessing resources from a device with an outdated OS or from a black-listed country. This context would result in her being blocked from access.
The second step is to apply machine learning to make network managers aware of what is happening and react to issues as they arise. Such network visibility is partly about noticing anomalies that suggest an attack in real time. For example, with network logging, admins can trace events like Machine A connecting to Machine B or User A connecting to Machine B. Logging and monitoring also provide the basis for later forensic analysis of suspicious events and the creation of new access control policies.
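The context-based access decision and the access logging described in the last two answers can be illustrated with a small policy evaluator. This is an added example written for this page, not NetBird's own code: the policy fields, the department and country values, the minimum OS versions, and the user and device names are all constructed assumptions. It denies access when the device is unmanaged, the OS is below the required version, or the request comes from a blocked country, and it emits an audit record of the form "User A connecting to Machine B" with the reasons for the decision.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessContext:
    """Context gathered for one access request (constructed fields)."""
    user: str
    department: str
    country: str          # ISO country code of the client's location
    device_id: str
    device_managed: bool  # True for a company-managed device
    os_name: str
    os_version: tuple     # e.g. (14, 2) for macOS 14.2, compared as a tuple


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy attached to a group of resources."""
    allowed_departments: frozenset
    blocked_countries: frozenset
    require_managed_device: bool
    min_os_version: dict  # os_name -> lowest acceptable version tuple


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


# Constructed policy for an "engineering" resource group.
ENGINEERING_POLICY = Policy(
    allowed_departments=frozenset({"engineering", "sre"}),
    blocked_countries=frozenset({"XX"}),  # placeholder code for a blocked country
    require_managed_device=True,
    min_os_version={"macos": (13, 0), "windows": (10, 0), "linux": (5, 15)},
)


def evaluate_access(ctx: AccessContext, policy: Policy) -> Decision:
    """Apply every context check; a request is allowed only if no check fails.

    All failing checks are collected rather than stopping at the first one so
    that the audit record explains the full reason for a denial.
    """
    reasons = []
    if ctx.department not in policy.allowed_departments:
        reasons.append("department not allowed: %s" % ctx.department)
    if ctx.country in policy.blocked_countries:
        reasons.append("blocked country: %s" % ctx.country)
    if policy.require_managed_device and not ctx.device_managed:
        reasons.append("unmanaged device: %s" % ctx.device_id)
    minimum = policy.min_os_version.get(ctx.os_name)
    if minimum is not None and ctx.os_version < minimum:
        reasons.append("outdated OS: %s %s < %s" % (
            ctx.os_name, ".".join(map(str, ctx.os_version)), ".".join(map(str, minimum))))
    return Decision(allowed=not reasons, reasons=reasons)


def audit_event(ctx: AccessContext, target: str, decision: Decision, now=None) -> dict:
    """Build a structured log record ("User A connecting to Machine B")."""
    now = now or datetime.now(timezone.utc)
    return {
        "time": now.isoformat(),
        "user": ctx.user,
        "device": ctx.device_id,
        "target": target,
        "decision": "allow" if decision.allowed else "deny",
        "reasons": list(decision.reasons),
    }


# Constructed requests: one from an up-to-date managed laptop, one from the
# same user on a device with an outdated OS.
REQUEST_OK = AccessContext("alice", "engineering", "DE", "laptop-01", True, "macos", (14, 2))
REQUEST_OLD_OS = AccessContext("alice", "engineering", "DE", "laptop-02", True, "macos", (12, 6))
REQUEST_BLOCKED = AccessContext("bob", "sales", "XX", "byod-07", False, "windows", (10, 0))


if __name__ == "__main__":
    for req in (REQUEST_OK, REQUEST_OLD_OS, REQUEST_BLOCKED):
        d = evaluate_access(req, ENGINEERING_POLICY)
        print(audit_event(req, "db-server-1", d))
```

The OS version is compared as a tuple, so (12, 6) is correctly treated as older than (13, 0); string comparison would get this wrong for versions such as "9.0" versus "10.0". Collecting every failed check also makes the denial records useful as input for the forensic review and policy tuning mentioned above.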