Dejan/Network-secrity-guide
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
Network-secrity-guide/beckhoff-netbird-zerotier-guide.md

1655 lines
39 KiB
Markdown
Raw Permalink Normal View History

Upload files to "/"
2026-02-16 19:57:51 +00:00
# Industrial PLC Security & Modern VPN Solutions
## Beckhoff TwinCAT and Comparison of Netbird vs. ZeroTier
This guide expands on industrial network security by covering Beckhoff PLC security and comparing modern mesh VPN solutions (Netbird and ZeroTier) for industrial applications.
---
## Table of Contents
1. [Beckhoff TwinCAT Security](#beckhoff-security)
2. [Understanding Mesh VPN Networks](#mesh-vpn-networks)
3. [ZeroTier for Industrial Applications](#zerotier-industrial)
4. [Netbird for Industrial Applications](#netbird-industrial)
5. [Netbird vs. ZeroTier Comparison](#comparison)
6. [Implementation Guide for Industrial PLCs](#implementation-guide)
7. [Best Practices and Recommendations](#best-practices)
---
## 1. Beckhoff TwinCAT Security
### Overview
Beckhoff automation is based on **TwinCAT (The Windows Control and Automation Technology)**, which runs on standard Industrial PCs. This PC-based approach offers powerful capabilities but also unique security considerations.
### Key Differences from Siemens S7
| Aspect | Siemens S7-1200/1500 | Beckhoff TwinCAT |
|--------|---------------------|------------------|
| **Platform** | Dedicated PLC hardware | PC-based (Windows/BSD) |
| **Operating System** | Proprietary embedded OS | Windows 10/11 IoT or TwinCAT/BSD |
| **Programming** | TIA Portal | Visual Studio with TwinCAT XAE |
| **Communication** | S7 protocol (port 102) | ADS protocol (port 48898), EtherCAT |
| **Security Model** | PLC-level protection | Windows security + TwinCAT protection |
| **Updates** | Firmware updates | Windows updates + TwinCAT updates |
---
### Beckhoff Security Architecture
#### 1. Operating System Level (Windows)
Since TwinCAT runs on Windows, **all Windows security applies**:
**Windows Hardening Checklist:**
```
✓ Windows Updates: Managed and tested
✓ Windows Firewall: Enabled with strict rules
✓ User Account Control (UAC): Enabled
✓ BitLocker: Enable disk encryption
✓ Defender Antivirus: Configured for industrial use
✓ Remote Desktop: Disabled or secured with NLA
✓ SMBv1: Disabled
✓ Unnecessary services: Disabled
✓ Password policy: Strong (12+ characters)
```
**Critical Windows Security Settings:**
```powershell
# Disable SMBv1 (security vulnerability)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
# Configure Windows Firewall
New-NetFirewallRule -DisplayName "Block All Inbound" -Direction Inbound -Action Block
New-NetFirewallRule -DisplayName "Allow ADS" -Direction Inbound -Protocol TCP -LocalPort 48898 -RemoteAddress 192.168.10.0/24 -Action Allow
# Disable unnecessary services
Set-Service -Name "RemoteRegistry" -StartupType Disabled
Set-Service -Name "Telnet" -StartupType Disabled
# Enable BitLocker
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly
```
#### 2. TwinCAT Application Security
**TwinCAT Security Management (TE1000)**
TwinCAT offers comprehensive protection for PLC applications:
**A. Source Code Protection**
```
1. Object Protection Level (OPL)
- Level 0: No protection
- Level 1: View only (no editing)
- Level 2: No view, no edit
- Level 3: Encrypted
2. Encryption
- Uses AES-256 encryption
- Requires OEM certificate from Beckhoff
- Protects intellectual property
3. User Database
- Defines users and access levels
- Supports role-based access control (RBAC)
- Password-protected
```
**Configuring Source Code Protection in TwinCAT:**
```
1. Right-click on POU (Program Organization Unit)
2. Properties → Protection
3. Set Object Protection Level
4. Enable "Encrypted" if needed
5. Build project to apply protection
```
**B. OEM Certificate and Licensing**
```
Purpose:
- Prevent unauthorized copying of applications
- Enable know-how protection
- Create custom licensing schemes
How it works:
1. Request OEM certificate from Beckhoff
2. Create User Database with certificate
3. Protect source code and boot files
4. Application locked to specific hardware (IPC/dongle)
Important: Store certificate password securely!
```
**C. Access Control Lists**
TwinCAT supports user-based access control:
```xml
<!-- Example User Database Structure -->
<UserDatabase>
<Users>
<User Name="Admin" Password="[hashed]" Level="Full" />
<User Name="Operator" Password="[hashed]" Level="ReadOnly" />
<User Name="Technician" Password="[hashed]" Level="Limited" />
</Users>
<AccessLevels>
<Level Name="Full" CanView="true" CanEdit="true" CanDownload="true" />
<Level Name="ReadOnly" CanView="true" CanEdit="false" CanDownload="false" />
<Level Name="Limited" CanView="false" CanEdit="false" CanDownload="false" />
</AccessLevels>
</UserDatabase>
```
#### 3. TwinSAFE Security
**TwinSAFE** is Beckhoff's functional safety system (SIL 3 / PLe).
**Security Considerations for Safety Systems:**
**Critical:** Safety systems require special security attention because a cyber attack on safety systems can cause physical harm.
**TwinSAFE Security Measures:**
```
1. FSoE Protocol (Fail-Safe over EtherCAT)
- Cryptographically secured
- Detects manipulation attempts
- Black channel principle (security independent of transport)
2. Safety Program Protection
- Separate from standard PLC program
- Requires separate password
- Cannot be modified without proper authentication
3. Physical Security
- Lock front panels on safety modules (EL6900)
- Tamper-evident seals
- Controlled access to safety equipment
4. Configuration Management
- Version control for safety programs
- Change approval process
- Detailed audit logs
```
**Safety System Configuration Security:**
```
1. Open TwinCAT Safety Editor
2. TwinSAFE → Security Settings
3. Enable password protection
4. Set strong password (min 12 characters)
5. Enable "Read-only mode" for production
6. Document password in secure vault
```
#### 4. ADS Protocol Security
**ADS (Automation Device Specification)** is Beckhoff's communication protocol (default port: 48898).
**ADS Security Challenges:**
- No built-in authentication by default
- No encryption by default
- Anyone with network access can read/write PLC data
**Securing ADS Communication:**
**Method 1: IP Filtering (Basic)**
```xml
<!-- TwinCAT System Manager → Target System → ADS Router Settings -->
<AdsRouterSettings>
<AllowedConnections>
<Connection IP="192.168.10.50" Description="HMI" />
<Connection IP="192.168.10.60" Description="Engineering Station" />
</AllowedConnections>
<DenyAll>true</DenyAll>
</AdsRouterSettings>
```
**Method 2: Firewall Rules (Recommended)**
```powershell
# Windows Firewall - Allow ADS only from specific IPs
New-NetFirewallRule -DisplayName "ADS - HMI" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 48898 `
-RemoteAddress 192.168.10.50 `
-Action Allow
New-NetFirewallRule -DisplayName "ADS - Engineering" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 48898 `
-RemoteAddress 192.168.10.60 `
-Action Allow
# Block all other ADS connections
New-NetFirewallRule -DisplayName "ADS - Block All Others" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 48898 `
-Action Block
```
**Method 3: VPN/Encrypted Tunnel (Best Practice)**
```
For remote access:
1. Never expose port 48898 to internet
2. Always use VPN (see Netbird/ZeroTier sections)
3. Additional authentication layer
4. Traffic encryption
```
#### 5. EtherCAT Security
**EtherCAT** is Beckhoff's real-time industrial Ethernet protocol.
**EtherCAT Security Considerations:**
```
Vulnerabilities:
- Broadcasts on Layer 2 (can be sniffed)
- No encryption by default
- Designed for closed, trusted networks
Mitigations:
1. Physical isolation of EtherCAT networks
2. Separate VLAN for EtherCAT devices
3. No internet connectivity on EtherCAT network
4. Locked switch ports (MAC address filtering)
5. Network monitoring for unauthorized devices
```
**EtherCAT Network Segmentation:**
```
Best Practice Architecture:
[Internet] ←→ [Firewall] ←→ [IT Network - VLAN 10]
[DMZ - VLAN 40]
[Firewall]
[TwinCAT IPC - VLAN 20]
[EtherCAT Network - VLAN 30]
[I/O Modules, Drives, Safety]
Key: No direct path from IT to EtherCAT
```
---
### Beckhoff Security Implementation Checklist
#### Phase 1: Operating System Hardening (Week 1)
```
□ Apply latest Windows updates
□ Enable Windows Firewall with strict rules
□ Disable unnecessary Windows services
□ Configure strong password policy
□ Enable BitLocker encryption
□ Install and configure antivirus (industrial-compatible)
□ Disable SMBv1
□ Configure User Account Control
□ Remove unnecessary software
□ Disable autorun for USB devices
```
#### Phase 2: TwinCAT Application Security (Week 2)
```
□ Obtain TwinCAT OEM certificate (if needed)
□ Create User Database with role-based access
□ Apply Object Protection Levels to all POUs
□ Enable encryption for sensitive code
□ Configure password protection for safety programs
□ Document all passwords in secure vault
□ Test access controls with different user roles
```
#### Phase 3: Network Security (Week 3)
```
□ Configure IP filtering for ADS connections
□ Set up firewall rules for port 48898
□ Isolate EtherCAT network (separate VLAN)
□ Install network monitoring (IDS/IPS)
□ Configure VPN for remote access
□ Disable direct internet access on IPC
□ Enable logging for all network connections
```
#### Phase 4: Physical Security (Week 4)
```
□ Lock server cabinet/control cabinet
□ Install tamper-evident seals
□ Implement badge access for control room
□ Install CCTV if high-value assets
□ Secure backup media in locked location
□ Document physical security procedures
```
---
### Common Beckhoff Vulnerabilities and Mitigations
#### CVE-2018-7503: TwinCAT ADS Discovery Service
**Vulnerability**: Information disclosure via ADS discovery
**Risk**: Attacker can enumerate all TwinCAT devices on network
**Mitigation**:
1. Update to TwinCAT 3.1 Build 4022 or higher
2. Disable ADS discovery if not needed
3. Firewall rules to block UDP port 48899
4. Network segmentation
#### TwinCAT Remote Access Without Authentication
**Issue**: Default ADS configuration allows remote access without password
**Mitigation**:
1. Enable User Database with access control
2. Configure ADS IP filtering
3. Use VPN for all remote access
4. Monitor ADS connections (port 48898)
#### Windows-Based Attack Surface
**Issue**: All Windows vulnerabilities affect TwinCAT IPC
**Mitigation**:
1. Regular Windows updates (tested first!)
2. Endpoint protection (AV/EDR)
3. Application whitelisting
4. Disable unnecessary Windows features
5. Network isolation from IT environment
---
### Beckhoff Best Practices Summary
**1. Defense-in-Depth for TwinCAT:**
```
Layer 1: Physical security (locked cabinets)
Layer 2: Network isolation (VLANs, firewalls)
Layer 3: OS hardening (Windows updates, firewall)
Layer 4: TwinCAT security (User DB, encryption)
Layer 5: Application logic (secure coding)
Layer 6: Monitoring (logging, IDS)
Layer 7: Policies and training
```
**2. Update Management:**
```
Windows Updates:
- Test in non-production first
- Schedule during maintenance windows
- Have rollback plan ready
TwinCAT Updates:
- Check Beckhoff support portal monthly
- Subscribe to security advisories
- Test in lab before production
```
**3. Backup Strategy:**
```
What to backup:
- TwinCAT project files (.tsproj)
- Boot projects
- User Database
- Windows system image
- Configuration files
Frequency:
- After every change (immediate)
- Daily (automated)
- Weekly (full system image)
Storage:
- Primary: Network location
- Secondary: External drive
- Tertiary: Off-site/cloud
```
**4. Access Control:**
```
Principle of Least Privilege:
- Operators: HMI access only
- Technicians: Limited PLC access
- Engineers: Full access (logged)
- Vendors: Temporary access only
Authentication:
- Strong passwords (12+ chars)
- Unique accounts (no shared logins)
- MFA for remote access
- Regular access reviews (quarterly)
```
---
## 2. Understanding Mesh VPN Networks
### What is a Mesh VPN?
Traditional VPN:
```
Client → VPN Server (central gateway) → Destination
```
Mesh VPN:
```
Client ←→ Direct encrypted tunnel ←→ Destination
```
**Key Differences:**
| Traditional VPN | Mesh VPN (Netbird/ZeroTier) |
|----------------|----------------------------|
| Centralized gateway | Peer-to-peer connections |
| All traffic through server | Direct device-to-device |
| Higher latency | Lower latency |
| Single point of failure | No single point of failure |
| Complex firewall rules | Automatic NAT traversal |
| Manual key management | Automated key exchange |
### Why Mesh VPNs for Industrial?
**Advantages for PLC Remote Access:**
1. **Performance**: Direct connections = lower latency
2. **Reliability**: No central gateway to fail
3. **Scalability**: Easy to add new sites/devices
4. **Security**: End-to-end encryption, zero-trust model
5. **Simplicity**: No complex firewall configuration
6. **Cost**: Lower infrastructure costs
**Use Cases:**
- Remote PLC programming and troubleshooting
- Multi-site SCADA systems
- Vendor remote access (temporary)
- Mobile HMI access
- Engineering team collaboration
- Backup/redundant connectivity
---
## 3. ZeroTier for Industrial Applications
### Overview
**ZeroTier** is a software-defined networking (SDN) platform that creates secure virtual networks.
**Key Features:**
- Proprietary encryption protocol
- Layer 2 (Ethernet) networking
- Supports complex network topologies
- Works on virtually any platform
- Free for up to 25 devices
### Architecture
```
┌─────────────────────────────────────┐
│ ZeroTier Root Servers │
│ (Coordination only, not data) │
└──────────┬──────────────────────────┘
┌──────┴──────┬──────────────┐
│ │ │
┌───▼───┐ ┌───▼───┐ ┌───▼───┐
│Device1│←P2P→│Device2│←P2P→│Device3│
│(PLC) │ │(HMI) │ │(Laptop)│
└───────┘ └───────┘ └───────┘
Legend:
- Coordination traffic goes through root servers
- Data traffic is peer-to-peer (direct)
- P2P = Encrypted peer-to-peer tunnel
```
### Why ZeroTier for Industrial?
**Strengths:**
**1. Layer 2 Networking:**
```
Supports industrial protocols that require Layer 2:
✓ PROFINET (Siemens, Beckhoff)
✓ EtherNet/IP (Rockwell, Allen-Bradley)
✓ Modbus TCP
✓ BACnet
✓ OPC UA (with multicast)
✓ mDNS service discovery
```
**2. Platform Support:**
```
Works on:
- Windows, Mac, Linux (all PLCs)
- Siemens HMI panels (Windows Embedded)
- Beckhoff IPCs (Windows/BSD)
- Raspberry Pi (ARM)
- MikroTik routers
- Synology/QNAP NAS
- Android tablets
- iOS devices
```
**3. Network Flexibility:**
```
- Multiple networks per device
- Complex routing scenarios
- Bridge to physical networks
- VLAN-like segmentation
```
### ZeroTier Security Features
**Encryption:**
```
- Proprietary protocol (not WireGuard)
- Salsa20/12 stream cipher
- Curve25519 elliptic curve
- Perfect forward secrecy
- Self-healing key rotation
```
**Access Control:**
```
- Centralized authorization
- Device authentication via cryptographic IDs
- Network-level access rules
- IP assignment control
- Flow rules (firewall-like)
```
**Audit and Compliance:**
```
- Connection logging
- Member authorization tracking
- Change history
- API for automation
```
### ZeroTier for PLC Access - Implementation
#### Step 1: Network Creation
```
1. Sign up at https://my.zerotier.com
2. Create new network
3. Note Network ID (16-digit hex)
4. Configure network settings:
- Name: "PLC-Remote-Access"
- IPv4 Assignment: 10.144.0.0/16
- Access Control: Private
```
#### Step 2: Install on PLC/Gateway
**For Siemens S7 with Gateway PC:**
```bash
# Linux gateway
curl -s https://install.zerotier.com | sudo bash
sudo zerotier-cli join <NETWORK_ID>
```
**For Beckhoff IPC:**
```powershell
# Windows
# Download from zerotier.com
msiexec /i ZeroTierOne.msi /quiet
& "C:\Program Files (x86)\ZeroTier\One\zerotier-one_x64.exe" -q join <NETWORK_ID>
```
#### Step 3: Authorize Devices
```
1. Go to https://my.zerotier.com
2. Select your network
3. Scroll to "Members" section
4. Check the "Authorized" box for each device
5. Assign friendly names
6. Note assigned IP addresses
```
#### Step 4: Configure Routes (Important!)
**For accessing PLC subnet (192.168.10.0/24):**
```
On my.zerotier.com:
1. Go to "Managed Routes"
2. Add route:
Destination: 192.168.10.0/24
Via: <ZT_IP_of_Gateway> (e.g., 10.144.0.5)
3. Save
On Gateway (Linux):
sudo iptables -t nat -A POSTROUTING -s 10.144.0.0/16 -d 192.168.10.0/24 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i zt+ -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o zt+ -m state --state RELATED,ESTABLISHED -j ACCEPT
```
#### Step 5: Security Hardening
**Network Flow Rules:**
```javascript
// Allow only specific protocols to PLCs
tag engineering
id 1000
default 0
;
// Tag engineering stations
tag role engineering
or ipv4 10.144.0.10/32 // Engineering laptop
or ipv4 10.144.0.20/32 // Engineering desktop
;
// Allow S7 communication (port 102) only from engineering
drop
not chr ipprotocol 6 // TCP only
or not chr tdport 102 // Port 102 only
or not tag role engineering // From eng only
ipdest 192.168.10.0/24 // To PLCs
;
// Allow ADS (port 48898) only from engineering
drop
not chr ipprotocol 6
or not chr tdport 48898
or not tag role engineering
ipdest 192.168.10.0/24
;
// Allow all other traffic
accept;
```
### ZeroTier Pricing (as of 2026)
```
Basic (Free):
- Up to 25 devices
- Unlimited networks
- Self-hosted controller option
Professional ($5/month per user):
- Up to 100 devices
- Priority support
- SSO integration
Business ($10/month per user):
- Up to 1000 devices
- Advanced flow rules
- Audit logs
- Central management
Self-Hosted (Free):
- Unlimited devices
- Full control
- No vendor dependency
- Requires technical expertise
```
---
## 4. Netbird for Industrial Applications
### Overview
**Netbird** is an open-source, WireGuard-based mesh VPN platform with focus on simplicity and security.
**Key Features:**
- Built on WireGuard (modern, fast, secure)
- Fully open source (BSD-3-Clause license)
- Self-hosting friendly
- Identity-based access control
- SSO/MFA integration
- Modern web UI
### Architecture
```
┌─────────────────────────────────────┐
│ Netbird Management Server │
│ (Control plane, can be self-hosted) │
└──────────┬──────────────────────────┘
┌──────┴──────┬──────────────┐
│ │ │
┌───▼───┐ ┌───▼───┐ ┌───▼───┐
│Device1│←WG→│Device2│←WG→│Device3│
│(PLC) │ │(HMI) │ │(Laptop)│
└───────┘ └───────┘ └───────┘
Legend:
- Control traffic goes through management server
- Data traffic is peer-to-peer WireGuard tunnels
- WG = WireGuard encrypted tunnel
```
### Why Netbird for Industrial?
**Strengths:**
**1. Performance:**
```
WireGuard advantages:
- 2-3× faster than ZeroTier
- Lower latency (0.1-0.3ms vs 0.8-1.5ms)
- Better CPU efficiency
- Kernel-level implementation (Linux)
- Throughput: 2.5-3.2 Gbps vs ZT's 800-1200 Mbps
```
**2. Open Source:**
```
Benefits:
- Full transparency (audit code)
- Community contributions
- No vendor lock-in
- Self-hosting option
- European data sovereignty (GDPR)
```
**3. Modern Security:**
```
- WireGuard protocol (latest cryptography)
- ChaCha20 encryption
- Curve25519 key exchange
- Built-in zero-trust model
- Identity-based access (not IP-based)
```
**4. Enterprise Features (Free in Self-Hosted):**
```
- SSO integration (Google, Microsoft, Okta)
- Multi-factor authentication
- Network access control policies
- Activity logs
- API for automation
```
### Netbird Security Features
**Encryption (WireGuard):**
```
- ChaCha20-Poly1305 for encryption
- Curve25519 for key exchange
- BLAKE2s for hashing
- Modern, audited cryptography
- ~4,000 lines of code (vs 100,000+ in OpenVPN)
```
**Access Control:**
```
- Identity-based (not network-based)
- Integration with IdP (Google, Microsoft, etc.)
- Posture checks (device compliance)
- Network ACLs
- Group-based policies
```
**Zero Trust Approach:**
```
Principles:
- Never trust, always verify
- Least privilege access
- Continuous authentication
- Device compliance checks
- Audit everything
```
### Netbird for PLC Access - Implementation
#### Step 1: Choose Deployment Method
**Option A: Cloud (Netbird.io SaaS)**
```
Pros:
- Quick setup (5 minutes)
- Managed by Netbird
- Automatic updates
- Built-in SSO
Cons:
- Data flows through cloud (metadata only)
- Monthly cost for advanced features
- Less control
Best for: Small teams, quick POC
```
**Option B: Self-Hosted**
```
Pros:
- Full control
- On-premise data
- Free advanced features
- GDPR compliant
Cons:
- Requires server (Docker)
- Maintenance responsibility
- Initial setup effort
Best for: Enterprises, data sovereignty requirements
```
#### Step 2: Self-Hosted Setup (Recommended for Industrial)
**Prerequisites:**
```
- Linux server (Ubuntu 20.04+)
- Docker and Docker Compose
- Public domain or IP
- 2GB RAM minimum
```
**Installation:**
```bash
# 1. Install Docker
curl -fsSL https://get.docker.com | sh
# 2. Download Netbird
git clone https://github.com/netbirdio/netbird
cd netbird/infrastructure_files/getting-started-with-zitadel
# 3. Configure environment
export NETBIRD_DOMAIN=vpn.yourcompany.com
export NETBIRD_HTTP_PORT=80
export NETBIRD_HTTPS_PORT=443
# 4. Generate certificates (Let's Encrypt)
./configure.sh
# 5. Start services
docker-compose up -d
# 6. Access web UI
# https://vpn.yourcompany.com
```
**Services Started:**
```
- Management Server (Control plane)
- Signal Server (NAT traversal coordination)
- Zitadel (Identity provider for SSO)
- Dashboard (Web UI)
- Relay Servers (TURN/STUN)
```
#### Step 3: Client Installation
**Windows (Beckhoff IPC):**
```powershell
# Download from GitHub releases
Invoke-WebRequest -Uri "https://github.com/netbirdio/netbird/releases/download/v0.27.0/netbird_installer_0.27.0_windows_amd64.exe" -OutFile "netbird-setup.exe"
# Install
.\netbird-setup.exe /S
# Join network
netbird up --management-url https://vpn.yourcompany.com
```
**Linux (Gateway PC for Siemens S7):**
```bash
# Add repository
curl -fsSL https://pkgs.netbird.io/debian/public.key | sudo gpg --dearmor -o /usr/share/keyrings/netbird-archive-keyring.gpg
echo 'deb [signed-by=/usr/share/keyrings/netbird-archive-keyring.gpg] https://pkgs.netbird.io/debian stable main' | sudo tee /etc/apt/sources.list.d/netbird.list
# Install
sudo apt-get update
sudo apt-get install netbird
# Join network
sudo netbird up --management-url https://vpn.yourcompany.com
```
#### Step 4: Configure Network Routes
**In Netbird Dashboard:**
```
1. Log in to https://vpn.yourcompany.com
2. Go to "Network Routes"
3. Click "Add Route"
4. Configure:
- Network: 192.168.10.0/24
- Description: "PLC Network"
- Peer: Select gateway peer
- Masquerade: Enable
- Metric: 100
5. Save
```
**On Gateway Linux System:**
```bash
# Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
# No NAT needed - Netbird handles it with masquerade enabled!
# Just allow forwarding
sudo iptables -A FORWARD -i wt0 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o wt0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Save rules
sudo iptables-save | sudo tee /etc/iptables/rules.v4
```
#### Step 5: Access Control Policies
**Create Groups:**
```
Dashboard → Groups:
- "Engineers" - Engineering team
- "Operators" - Operators with limited access
- "PLCs" - All PLC gateway devices
- "HMIs" - HMI panels
```
**Create Network ACLs:**
```
Dashboard → Network → Access Control:
Rule 1: Engineers can access everything
- Source: Group "Engineers"
- Destination: Group "PLCs"
- Protocol: Any
- Action: Allow
Rule 2: Operators can access HMIs only
- Source: Group "Operators"
- Destination: Group "HMIs"
- Protocol: TCP Port 80, 443, 3389
- Action: Allow
Rule 3: Deny all other traffic
- Source: Any
- Destination: Group "PLCs"
- Protocol: Any
- Action: Deny
```
#### Step 6: Enable Posture Checks
**Device Compliance Requirements:**
```
Dashboard → Settings → Posture Checks:
1. Operating System Version
- Minimum: Windows 10 21H2
- Prevents outdated systems
2. Antivirus Running
- Require: Windows Defender or approved AV
- Status: Running
3. Disk Encryption
- Require: BitLocker enabled
- Ensures data protection
4. Geolocation (Optional)
- Restrict: Access from specific countries
- Compliance requirement
```
**EDR Integration (Advanced):**
```
Dashboard → Integrations → CrowdStrike:
- Require: Device managed by CrowdStrike
- Minimum: Prevention policy level 3
- Block: Devices with active threats
Result: Only compliant, managed devices can access
```
### Netbird Pricing (as of 2026)
```
Free (Self-Hosted):
- Unlimited users and devices
- All features included
- Self-managed
- Community support
Starter (SaaS - $5/user/month):
- Up to 100 devices
- Managed service
- Email support
- SSO integration
Business (SaaS - $12/user/month):
- Unlimited devices
- Priority support
- Advanced analytics
- Custom integrations
Enterprise (Custom):
- Dedicated infrastructure
- SLA guarantees
- Premium support
- On-premise option
```
---
## 5. Netbird vs. ZeroTier Comparison
### Head-to-Head Feature Comparison
| Feature | ZeroTier | Netbird |
|---------|----------|---------|
| **Protocol** | Proprietary | WireGuard |
| **Performance** | 800-1200 Mbps | 2500-3200 Mbps |
| **Latency** | 0.8-1.5ms | 0.1-0.3ms |
| **Open Source** | Client only | Fully open source |
| **OSI Layer** | Layer 2 + 3 | Layer 3 only |
| **Self-Hosting** | Yes (complex) | Yes (simple) |
| **Free Tier** | 25 devices | Unlimited (self-hosted) |
| **SSO Integration** | Paid only | Free (self-hosted) |
| **Platform Support** | Excellent | Very Good |
| **Industrial Protocols** | Full support | Limited (no Layer 2) |
| **Zero Trust** | Basic | Advanced |
| **Management UI** | Good | Excellent |
| **Learning Curve** | Medium | Low |
| **Enterprise Features** | Paid | Free (self-hosted) |
### Performance Comparison
**Throughput Test (Same Hardware):**
```
Test: 1GB file transfer between two peers
ZeroTier:
- Speed: 98 MB/s (784 Mbps)
- CPU: 35% on both sides
- Latency: +1.2ms overhead
Netbird (WireGuard):
- Speed: 310 MB/s (2480 Mbps)
- CPU: 15% on both sides
- Latency: +0.2ms overhead
Result: Netbird is ~3× faster
```
### Use Case Recommendations
**Choose ZeroTier When:**
1. **Layer 2 Protocols Required**
```
- PROFINET (Siemens/Beckhoff)
- EtherNet/IP (Rockwell)
- Multicast discovery protocols
- Service discovery (mDNS, SSDP)
```
2. **Maximum Platform Compatibility**
```
- Exotic embedded devices
- MikroTik routers
- Synology/QNAP NAS
- Very old systems
```
3. **Complex Network Topologies**
```
- Multiple site interconnection
- Bridging to physical networks
- VLAN-like segmentation
- Advanced routing scenarios
```
4. **Zero Trust is Secondary**
```
- Basic network access control is sufficient
- Don't need SSO/MFA integration
- Simple authorization model
```
**Choose Netbird When:**
1. **Performance is Critical**
```
- High-bandwidth applications
- Real-time HMI access
- Large file transfers (backups)
- Low-latency requirements
```
2. **Zero Trust Security Required**
```
- Identity-based access control
- SSO/MFA integration needed
- Posture checks (device compliance)
- Granular access policies
```
3. **Data Sovereignty**
```
- GDPR compliance
- On-premise requirement
- No cloud dependency
- Full control over infrastructure
```
4. **Modern Infrastructure**
```
- Cloud-native deployments
- Docker/Kubernetes environments
- Modern Windows/Linux systems
- API-driven automation
```
5. **Open Source Requirement**
```
- Audit entire codebase
- Contribute improvements
- No vendor lock-in
- Community support
```
### Industrial Protocols Support
**Layer 2 Protocols (ZeroTier Only):**
```
✓ PROFINET (Beckhoff, Siemens)
✓ EtherNet/IP (Rockwell, Allen-Bradley)
✓ Modbus TCP (with broadcast)
✓ BACnet MSTP
✓ OPC UA (with multicast)
✓ LLDP, CDP
✓ NetBIOS, SSDP
```
**Layer 3 Protocols (Both Support):**
```
✓ S7 Communication (Siemens)
✓ ADS (Beckhoff TwinCAT)
✓ Modbus TCP (unicast)
✓ OPC UA (unicast)
✓ HTTP/HTTPS (HMI, web panels)
✓ SSH, RDP
✓ MQTT, CoAP
```
**Workarounds for Layer 2 on Netbird:**
```
1. Use Layer 3 variants of protocols when available
2. Deploy protocol gateways (OPC UA gateway, Modbus gateway)
3. Modify device configuration to unicast mode
4. Consider ZeroTier for specific Layer 2 segments only
```
---
## 6. Implementation Guide for Industrial PLCs
### Scenario A: Siemens S7-1200 with ZeroTier
**Architecture:**
```
[Engineer Laptop] ←ZeroTier→ [Raspberry Pi Gateway] ←Eth→ [S7-1200 PLC]
(ZT IP) (ZT IP + Local IP) (192.168.10.100)
```
**Step-by-Step:**
1. **Set up ZeroTier network** (my.zerotier.com)
2. **Install ZeroTier on Raspberry Pi:**
```bash
curl -s https://install.zerotier.com | sudo bash
sudo zerotier-cli join <NETWORK_ID>
```
3. **Configure routing on Pi:**
```bash
# Enable forwarding
sudo sysctl -w net.ipv4.ip_forward=1
# Add route
sudo ip route add 192.168.10.0/24 via 192.168.10.1 dev eth0
# NAT
sudo iptables -t nat -A POSTROUTING -s 10.144.0.0/16 -d 192.168.10.0/24 -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i zt+ -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o zt+ -m state --state RELATED,ESTABLISHED -j ACCEPT
```
4. **Add route in ZeroTier console:**
- Destination: 192.168.10.0/24
- Via: <Pi_ZT_IP>
5. **Install ZeroTier on laptop** and join network
6. **Access PLC from TIA Portal:**
- IP: 192.168.10.100 (routes through ZT)
### Scenario B: Beckhoff IPC with Netbird
**Architecture:**
```
[Engineer Laptop] ←Netbird→ [Beckhoff IPC] ←ADS→ [TwinCAT Runtime]
(NB IP) (NB IP + Local IP)
```
**Step-by-Step:**
1. **Deploy Netbird management server** (self-hosted or cloud)
2. **Install Netbird on Beckhoff IPC:**
```powershell
# Download installer
Invoke-WebRequest -Uri "https://github.com/netbirdio/netbird/releases/download/v0.27.0/netbird_installer_0.27.0_windows_amd64.exe" -OutFile "netbird-setup.exe"
# Install
.\netbird-setup.exe /S
# Connect
netbird up --management-url https://vpn.yourcompany.com
```
3. **Configure Windows Firewall on IPC:**
```powershell
# Allow ADS from Netbird interface
New-NetFirewallRule -DisplayName "ADS via Netbird" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 48898 `
-InterfaceAlias "Netbird" `
-Action Allow
```
4. **Install Netbird on laptop** and join
5. **Access PLC from TwinCAT XAE:**
- Add route to IPC via Netbird IP
- Connect to <Netbird_IP>:48898
### Scenario C: Multi-Site SCADA with Both
**Use Case:** 3 manufacturing sites, each with different PLC brands
**Architecture:**
```
Site A (Siemens S7) ←ZeroTier Layer 2→ Site B (Beckhoff) ←Netbird Layer 3→ Site C (Rockwell)
Central SCADA
(Netbird + ZT)
```
**Strategy:**
- **ZeroTier**: For sites needing Layer 2 (PROFINET, EtherNet/IP)
- **Netbird**: For sites with Layer 3 protocols only (better performance)
- **Central SCADA**: Joins both networks
**Implementation:**
1. Create ZeroTier network for Layer 2 sites
2. Deploy Netbird for Layer 3 sites
3. SCADA server joins both networks
4. Use network ACLs to control access
---
## 7. Best Practices and Recommendations
### Security Best Practices
**1. Never Expose PLCs Directly**
```
❌ BAD:
Internet → Port Forward → PLC
✓ GOOD:
Internet → VPN (NB/ZT) → Gateway → PLC
```
**2. Use Gateway Architecture**
```
Benefits:
- PLC stays on isolated network
- Gateway provides additional security layer
- Easier to monitor and log access
- Can implement additional authentication
Recommended: Raspberry Pi as dedicated gateway
```
**3. Implement Defense-in-Depth**
```
Layer 1: VPN (Netbird/ZeroTier)
Layer 2: Gateway with firewall
Layer 3: PLC password protection
Layer 4: Network segmentation (VLANs)
Layer 5: Logging and monitoring
Layer 6: Regular security audits
```
**4. Access Control**
```
Principle of Least Privilege:
- Engineers: Full access
- Operators: HMI only
- Vendors: Temporary, monitored access
- Read-only accounts for monitoring
Use groups and role-based access control
```
**5. Logging and Monitoring**
```
Log:
- All VPN connections
- PLC access attempts
- Configuration changes
- Failed authentication
Monitor for:
- Unusual connection times
- Connections from new locations
- Multiple failed attempts
- Abnormal data transfers
```
### Operational Best Practices
**1. Redundancy**
```
- Primary VPN: Netbird (performance)
- Backup VPN: ZeroTier (reliability)
- Both configured, one active
- Automatic failover if possible
```
**2. Backup and Recovery**
```
Before any changes:
- Backup PLC program
- Document current VPN config
- Test in non-production first
- Have rollback plan
```
**3. Change Management**
```
VPN changes require:
- Approval from operations
- Testing in lab
- Maintenance window
- Rollback procedure
- Post-change validation
```
**4. Vendor Access**
```
For vendor support:
- Create temporary account
- Time-limited (24-48 hours)
- Monitor session (screen share)
- Revoke immediately after
- Audit all actions
```
**5. Documentation**
```
Maintain:
- Network diagrams (current)
- Device inventory
- IP address plan
- Access control matrix
- Incident response procedures
- Recovery procedures
```
### Choosing Between Netbird and ZeroTier
**Decision Matrix:**
```
Score each criterion 1-5, multiply by weight, sum:
Criterion Weight ZT Score NB Score
========================================================
Layer 2 protocol support 30% 5 1
Performance requirements 20% 3 5
Zero Trust/SSO needs 15% 2 5
Open source requirement 10% 3 5
Self-hosting preference 10% 3 5
Budget constraints 5% 4 5
Platform compatibility 10% 5 4
Total (example): 3.75 4.25
```
**Quick Decision Tree:**
```
Do you need Layer 2 protocols (PROFINET, EtherNet/IP)?
├─ YES → ZeroTier
└─ NO → Continue
Do you need >1 Gbps throughput?
├─ YES → Netbird
└─ NO → Continue
Do you need SSO/MFA integration?
├─ YES → Netbird
└─ NO → Continue
Do you need full open source?
├─ YES → Netbird
└─ NO → Either works
Default: Netbird (better performance, modern security)
```
### Migration Strategies
**From Traditional VPN to Mesh VPN:**
**Phase 1: Pilot (Weeks 1-2)**
```
1. Set up Netbird/ZeroTier in parallel
2. Test with 1-2 non-critical devices
3. Validate connectivity and performance
4. Train team on new system
```
**Phase 2: Gradual Rollout (Weeks 3-6)**
```
1. Migrate engineering access first
2. Then HMI/SCADA connections
3. Finally, vendor access
4. Keep old VPN as backup
```
**Phase 3: Decommission (Weeks 7-8)**
```
1. Monitor for issues (4 weeks)
2. Verify no old VPN usage
3. Remove old VPN infrastructure
4. Update documentation
```
**From ZeroTier to Netbird (or vice versa):**
**Parallel Operation:**
```
1. Deploy new VPN alongside old
2. Test thoroughly
3. Switch users gradually
4. Monitor for 2 weeks
5. Decommission old VPN
```
---
## Appendix A: Quick Reference Commands
### ZeroTier Commands
```bash
# Join network
sudo zerotier-cli join <NETWORK_ID>
# Leave network
sudo zerotier-cli leave <NETWORK_ID>
# List networks
sudo zerotier-cli listnetworks
# Show peer connections
sudo zerotier-cli peers
# Get node ID
sudo zerotier-cli info
# Restart service
sudo systemctl restart zerotier-one
```
### Netbird Commands
```bash
# Join network
sudo netbird up --management-url https://vpn.yourcompany.com
# Leave network
sudo netbird down
# Show status
netbird status
# Show routes
netbird routes
# Debug mode
netbird up --log-level debug
# Restart service
sudo systemctl restart netbird
```
### Network Testing
```bash
# Test connectivity to PLC
ping 192.168.10.100
# Test PLC port (S7)
nc -zv 192.168.10.100 102
# Test PLC port (ADS)
nc -zv 192.168.10.100 48898
# Trace route
traceroute 192.168.10.100
# Performance test
iperf3 -c 192.168.10.100
# Latency test
ping -c 100 192.168.10.100 | tail -1
```
---
## Appendix B: Troubleshooting Guide
### Common Issues
**Issue 1: Cannot ping PLC through VPN**
```
Checklist:
□ VPN connected? (zerotier-cli listnetworks / netbird status)
□ Route configured? (ip route show | grep 192.168.10)
□ Gateway forwarding enabled? (cat /proc/sys/net/ipv4/ip_forward)
□ Firewall rules correct? (iptables -L -n)
□ PLC actually at this IP? (ping from gateway directly)
```
**Issue 2: Poor VPN performance**
```
Checklist:
□ Direct peer connection? (zerotier-cli peers / netbird status)
□ Relay being used? (check for relay IPs in peers list)
□ Internet bandwidth sufficient? (speedtest)
□ CPU overloaded? (top / htop)
□ MTU issues? (try ping -s 1400 -M do <IP>)
```
**Issue 3: Connection drops frequently**
```
Checklist:
□ Internet stable? (ping 8.8.8.8 -c 100)
□ NAT timeout? (adjust keep-alive settings)
□ Firewall blocking? (check firewall logs)
□ VPN service running? (systemctl status)
□ Certificate issues? (check logs)
```
---
## Appendix C: Security Checklist
### Pre-Deployment Security Review
```
VPN Configuration:
□ Strong encryption enabled
□ Access control configured
□ Unnecessary features disabled
□ Logging enabled
□ Firewall rules reviewed
Gateway Security:
□ OS hardened and updated
□ Firewall configured
□ SSH key-only authentication
□ Automatic updates enabled
□ Monitoring configured
PLC Security:
□ Password protection enabled
□ IP ACLs configured
□ Unused services disabled
□ Firmware up to date
□ Backup completed
Network Security:
□ VLANs configured
□ Network segmentation in place
□ IDS/IPS deployed
□ No direct internet access for PLCs
□ DMZ for historian/SCADA
Access Control:
□ Role-based access defined
□ Strong password policy
□ MFA enabled (if supported)
□ Access regularly reviewed
□ Vendor access time-limited
Documentation:
□ Network diagram updated
□ Procedures documented
□ Emergency contacts listed
□ Incident response plan ready
□ Recovery procedures tested
```
---
**Document Version:** 1.0
**Last Updated:** February 16, 2026
**Covers:** Beckhoff TwinCAT, Siemens S7, Netbird, ZeroTier
**For Use With:** industrial-network-security-guide.md
Reference in a new issue Copy permalink