netbird
Implementation of Enhanced Node Authorisation Features for Increased Security Across All User Tiers
Is your feature request related to a problem? Please describe.
The current NetBird setup potentially allows insiders or compromised accounts to add unauthorised nodes to networks. This issue raises serious concerns not only for organisations but also for personal users who might store sensitive data or operate home-based IoT setups needing secure, controlled access. For instance, significant breaches in 2023, including those impacting large organisations like T-Mobile and Twitter, highlight the urgent need for enhanced security features to prevent unauthorised access (The Independent) (NordLayer) (IdentityIQ).
Describe the solution you'd like
I propose the introduction of a feature similar to Tailscale's "tailnet lock," but tailored to NetBird's system architecture. This feature would involve a robust node authorisation mechanism requiring explicit approval for each new node's integration into the network through a secure and verifiable process. Ideally, this would use cryptographic signatures verified against a list of pre-approved signatories within the user's network—ensuring no node joins without proper authorisation from a trusted entity. It's crucial that this feature operates independently of the central coordination server, which could be a vulnerability if compromised.
Describe alternatives you've considered
While a two-factor authentication system for adding new nodes, requiring secondary admin confirmation, could be an alternative, this system might still depend on the security of the central coordination server, posing a risk if compromised. This method could potentially be less secure than a decentralised signature verification system.
Additional context
The necessity for this feature goes beyond enterprise applications and is critical for personal users. The record-breaking number of breaches in 2023, along with the evolution of cyber threats from ransomware to data theft and extortion, shows the urgency of fortifying personal information. By implementing such security measures, NetBird would significantly enhance trust in its platform, ensuring that users at all levels—whether large enterprises or individual users—can maintain control over their networks without fear of internal threats or breaches. This feature is vital for upholding the integrity and security of private networks, protecting them against both external attacks and internal vulnerabilities (CRN).
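
A sketch of the peer-side check the request describes, added here as an illustration; it is not part of the original issue and is not NetBird's or Tailscale's code. The record format, the `node-approval-v1:` prefix, the function names and the seeded keys are all assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

const domain = "node-approval-v1:" // hypothetical domain-separation prefix

// NodeRecord is a hypothetical entry a coordination server relays to peers.
type NodeRecord struct {
	NodeKey   []byte            // public key of the node asking to join
	SignerKey ed25519.PublicKey // signatory that approved it
	Sig       []byte            // signatory's signature over domain+NodeKey
}

// Approve runs on a signatory's own device; the private key never reaches the server.
func Approve(signer ed25519.PrivateKey, nodeKey []byte) NodeRecord {
	msg := append([]byte(domain), nodeKey...)
	return NodeRecord{nodeKey, signer.Public().(ed25519.PublicKey), ed25519.Sign(signer, msg)}
}

// Authorised checks rec against the locally pinned signatory list only.
func Authorised(trusted []ed25519.PublicKey, rec NodeRecord) bool {
	for _, t := range trusted {
		if t.Equal(rec.SignerKey) {
			return ed25519.Verify(t, append([]byte(domain), rec.NodeKey...), rec.Sig)
		}
	}
	return false // signer is not pinned: the server's word alone is not enough
}

// Demo builds constructed sample records and returns the node keys a peer accepts.
func Demo() []string {
	admin := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, ed25519.SeedSize))
	rogue := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, ed25519.SeedSize))
	trusted := []ed25519.PublicKey{admin.Public().(ed25519.PublicKey)}
	good := Approve(admin, []byte("laptop-key"))
	selfSigned := Approve(rogue, []byte("rogue-key")) // valid signature, unpinned signer
	replayed := NodeRecord{[]byte("swapped-key"), good.SignerKey, good.Sig} // approval reused for another key
	var accepted []string
	for _, rec := range []NodeRecord{good, selfSigned, replayed} {
		if Authorised(trusted, rec) {
			accepted = append(accepted, string(rec.NodeKey))
		}
	}
	return accepted
}

func main() { fmt.Println(Demo()) }
```

Only the record approved by the pinned signatory is accepted; because each peer verifies against its own copy of the signatory list, a record injected at the coordination server fails the check.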