Frequently Asked Question

Migration to NetBird
Last Updated 5 days ago

GEN is transitioning from traditional IPSec-based site-to-site and client-to-site VPNs to NetBird, a modern, zero-trust networking platform built on WireGuard, to enhance security, reduce risk, and improve operational efficiency. This shift supports a more dynamic, secure, and scalable approach to remote access and infrastructure connectivity.

Key Reasons for the Migration:

  1. On-Demand, Zero-Trust Access

Traditional IPSec tunnels often maintain persistent connections, increasing the attack surface. NetBird enables on-demand tunnel establishment—tunnels are only created when staff or systems require access. This reduces the window of exposure and minimises the risk of unauthorised access.

  2. Fine-Grained Access Control via ACLs and Policies

NetBird allows administrators to define role-based access controls (RBAC) using:

  • Access Control Lists (ACLs) to restrict traffic between devices.
  • User and device groups to assign permissions based on roles (e.g., HelpDesk, Engineers, Contractors).
  • Posture checks to verify device compliance (e.g., up-to-date OS, active security software) before allowing access.

This ensures that users and systems can only access the specific tools and services they need—no broader network access.

  3. Improved Security Posture

  • WireGuard is a modern, lightweight, and auditable VPN protocol whose implementation has fewer lines of code than IPSec implementations, reducing the potential for vulnerabilities.
  • NetBird uses end-to-end encryption and automated key management, eliminating the need for manual certificate handling or complex key exchanges.
  • Integration with posture assessment ensures only compliant devices can connect, reducing the risk of compromised systems entering the network.

  4. Redundancy and Failover for Mission-Critical Support

NetBird’s infrastructure provides built-in redundancy and failover across multiple data centres. This ensures:

  • High availability of remote access services.
  • Automatic failover if a node or network path fails.
  • Minimal downtime for critical support operations.

  5. Simplified Management and Scalability

  • Centralised management via NetBird’s dashboard allows for easy configuration, monitoring, and auditing of all connections.
  • No need to manage complex routing, NAT, or firewall rules for each site or user.
  • Scales easily as the organisation grows or changes.

  6. Auditability and Compliance

NetBird provides detailed logs of:

  • Who connected.
  • When and from where.
  • What resources were accessed.
  • Device compliance status.

This supports compliance with internal policies and external regulations (e.g., GDPR, ISO 27001).


What This Means for You:

  • HelpDesk: Quick on-demand access to systems as needed, as defined by senior managers at GEN using the NetBird Platform. If an engineer needs to access a webserver, they will be able to access only that webserver.
  • Oversight: Only the oversight server group has access to infrastructure, and only on demand, as needed. If a service only needs monitoring hourly, that connection will spin up hourly as needed.
  • Clients: Your systems will be protected by a zero-trust model, with access granted only when necessary, and legacy always-on VPN tunnels will be withdrawn.
  • Managed: Yes, if you want a managed zero-trust VPN solution for remote workers or sites, we can provide that on the same system.

Next Steps:

Contact your account manager to discuss the migration. It is not mandatory, but it is highly recommended. We'll work with you to do all the work, and there will of course be no charge for that.

For technical details, refer to the NetBird official documentation or contact the GEN support team.


Summary:

GEN is moving to NetBird to:

  • Reduce risk by enabling on-demand, zero-trust access.
  • Enforce fine-grained access policies using ACLs, groups, and posture checks.
  • Improve redundancy and failover for mission-critical services.
  • Simplify management and enhance security and auditability.

This change aligns with GEN’s long-standing commitment to innovation and security, building on over 30 years of experience in delivering secure, reliable IT services.

