Cloudflare One Design Guide

1 888 99 FLARE | [email protected] | www.cloudflare.com

Cloudflare One Design Guide

WHITE PAPER

2

INDEX


About this Guide

Secure Access for Web Applications LegacyDesign-FirstGlance LegacyDesign-SecurityFlaws LegacyDesign-RequiredSecurityAdd-ons CloudflareOneDesign DiagramComparison TableComparison

DNS Filtering LegacyDesign-FirstGlance LegacyDesign-OperationalFlaws LegacyDesign-RequiredNetworkModifications CloudflareOneDesign DiagramComparison TableComparison

3

45678910

11121314151617


CLOUDFLARE ONE DESIGN GUIDE

About this Guide

ThisdesignguidedescribeshoworganizationscansimplifyandstrengthentheirnetworkandsecurityarchitecturewithCloudflareOne,ourSASEplatform.CloudflareOnecombinesnetworkconnectivityserviceswithZeroTrustsecurityservices—alldeliveredonourglobalnetwork.Unifyingthesenetworkingandsecurityservicesunderoneconsistent,cloud-basedarchitectureaddressesmanyofthechallengesoftraditional,perimeter-based,on-premisedeployments.

Eachsectionofthisdesignguidewalksthroughacommontechnicalusecase—first,howthatproblemistypicallysolvedwithalegacyapproach,andthen,howCloudflareOnesolvesthesameproblemwithgreaterefficiencyandheightenedsecurity.

Thisguidecoversthefollowingusecases:• Secureaccessforprivateandpublicwebapplications• DNSfilteringforon-premandremoteemployees

Theseinitialusecaseswereprioritizedbasedontheirpopularityamongcustomers,buttheybynomeansrepresentthefullscopeofCloudflareOne’scapabilities.Wewillcontinuetoexpandthisguidewithadditionalusecases,includingsecureaccesstoprivatenetworks,advancedthreat/dataprotection,andmore.

Thisdesignguideisintendedfortechnically-mindedpractitionerstoprovideillustrativeexamplesofhowCloudflareOne,asaSASEplatform,canbeimplementedtoholisticallytransformandmodernizeanorganization’snetworkandsecurityarchitecture.


Secure Access for Web Applications



Thisgraphicrepresentsatraditionalmethodofprovidingremoteaccesstowebapplications.Here,aremoteemployeeaccessescorporateresources,specificallybothaprivate(self-hosted)andpublic(cloud-based)webapplication.Wehaveincludedafewofthemostcommonsecuritymeasuresanyreasonableorganizationwouldhaveinplace,includinganedgefirewall,aninternalfirewallforsegmentation,andaVPN.Fromlefttoright,thisscenarioillustratesthelifeofasessionasauserlogsinfromapubliclocation—ascenariothatsubsequentdesigngraphicswillbuildupon.Note:Thisgraphiconlydepictsthedevices,appliances,andtrafficflowsinvolvedinthisspecificnetworktransactionanddoesnotrepresentacomprehensivesnapshotofalltechnologiesthatwouldbepresentinalegacynetworkarchitecture.

Legacy Design - First Glance


Network/Security Action

1 AremotedeviceconnectstocorporateresourcesviapublicWifi

2 TheremotedevicereachescorporateedgeviaVPNclient,butsplittunnelsothertraffic

3 VPNterminatesatEdgeFirewallorVPNConcentratorbehindfirewall

4 Firewallpolicygrantsremoteuseraccesstosubnetwithprivatewebapplication

5 UseraccesseswebappviaprivateIP/URL[5a]orPublicURL[5b]afterauthenticatingtoIDP

Coffee Shop

Split tunnel

Malicious site Cloud Data Center / HQ

Web App

RemoteEndpoint

Public Wifi VPNEdge Firewall

VPN Conc.

Internal DNS

Internal Firewall

Subnet

Web App

Load balancer

Identity Provider (IDP)

VPN Conc.

1

2

3 4

5a5b



Legacy Design - Security Flaws

Network/Security Action Relevant Legacy Solution Legacy Design Flaw

1 AremotedeviceconnectstocorporateresourcesviapublicWifi CorporateVPNClient Anunsecureddeviceonpublicwi-fiisatarget

forbadactors

2 TheremoteendpointreachescorporateedgeviaVPNclient,butsplittunnelsothertraffic CorporateVPNClient VPN-specificsecuritywillnotprotectsplit-

tunneledtraffic


LoadbalancerEdgeFirewallVPNConcentrator

InboundFW/VPNRulesmayexposeports/protocolstotheinternet,expandingpotentialattacksurface

4 Firewallpolicygrantsremoteuseraccesstosubnetwithprivatewebapplication InternalFirewall Theuserhasaccesstoresourcesoutside

theirjobfunction

5UseraccesseswebappviaprivateIP/URL[5a]orPublicURL[5b]afterauthenticatingtoIDP

ActiveDirectoryInternalDNS(Private)

Iftheendpointiscompromised,companyapp/networkisatrisk

Thisgraphicaddsanothercolumntothetablebelowhighlightingsecurityflawsissuesthatareassociatedwitheachspecificstepinthisscenarioandthatleaveanorganizationvulnerable.

Coffee Shop

Split tunnel

Malicious site Cloud Data Center / HQ

Web App

RemoteEndpoint

Public Wifi VPNEdge Firewall

VPN Conc.

Internal DNS

Internal Firewall

Subnet

Web App

Load balancer


VPN Conc.

1

2

3 4

5a5b



Legacy Design - Required Security Add-ons

Network/Security ActionRelevant Legacy Solution

Legacy Design FlawRequired Security Add-on

1 AremotedeviceconnectstocorporateresourcesviapublicWifi CorporateVPNClient Anunsecureddeviceonpublicwi-fiisatargetforbadactors

EndpointProtectionPlatform(EPP)

2TheremotedevicereachescorporateedgeviaVPNclient,butsplittunnelsothertraffic

CorporateVPNClient VPN-specificsecuritywillnotprotectsplit-tunneledtraffic DisableSplitTunnel




IntrusionDetectionSystem(IDS)

4Firewallpolicygrantsremoteuseraccesstosubnetwithprivatewebapplication

InternalFirewall Theuserhasaccesstoresourcesoutsidetheirjobfunction WebProxy




MobileDeviceMgmt(MDM)Server

Toaddressthedesignflawshighlightedinthepreviouspage,theorganizationnowneedstomodifytheirexistingnetworkarchitecture.Thisgraphicaddsanothercolumntothetablebelow,detailingtypicalsolutionstoprotectusersandresources.Layeringeachsecurityadd-onaddscomplexityandongoingmanagementcostsacrosslikelymultiplevendorstothelegacyenvironment.

Coffee Shop

Cloud Data Center / HQ

Web App

RemoteEndpoint

Public Wifi VPN

Edge Firewall

Internal DNS

Internal Firewall

SubnetLoad balancer


VPN Conc.1

23 4

5b

Malicious site

Web Proxy

VPN Conc.

MDM Server

IDS

Split Tunnel

Web App

5a



Coffee Shop

Cloudflare, device client

1 CloudflareTunnel

3a

1.1.1.1 DNS resolver

SWG policy

Browser isolation

Zero Trustpolicy

Compromised site

Subnet

Web app

Identity provider

Web app

Cloud

Data Center / HQ

SAML Connector

Public Wifi

23b

Cloudflare One DesignThisbelowgraphichighlightshowanorganizationcanadoptasimpler,moreefficientapproachtosecureapplicationaccessbyimplementingCloudflareOne.Here,muchofthelegacynetworkarchitectureshownbeforehandisoffloadedtoCloudflare,andmanyoftheexistingdesignflawsarecorrectedwithouttheneedforadditionalsolutions.WithCloudflareOne,thetrafficbetweentheremoteuserandtheorganization’sresourcesrunsalongCloudflare’sglobalnetworkwithsingle-passinspection.AllservicesshownbelowruninallofCloudflare’sdatacenters,locatedin250+citiesinover100countries.

Network/Security Action Relevant Cloudflare One Element Design Flaw Correction

1 AremotedeviceconnectstocorporateresourcesandtheinternetviaCloudflare

Cloudflare Device Client

Secure Web Gateway policy

Browser Isolation

LocalSecureWebGatewayclientletsCloudflareOnefilterDNS/HTTP/Networktraffictouser’sdeviceviagatewaypolicyBrowserIsolationabsorbs/isolatesimpactofsuccessfulmalwareattacksfromwebsites

2 UserundergoesIDPanddeviceposturechecksinCloudflare Zero Trust policy

ZeroTrustpolicyperformsdeviceposturecheckbeforepermittingaccess,mitigatingriskofcompromiseddevicesZeroTrustpolicyauthenticatesusertotheresourceinsteadoftheunderlyingnetwork,preventinglateralmovement

3 Access[Private|Public]webappdirectlyvia[CloudflareTunnel|SAMLConnector]

Cloudflare Tunnel 1.1.1.1 DNS resolver

CloudflareTunnelsecurelybrokersaconnectiontothewebapplicationandeliminatestheuseofexplicitFWrules




Cloudflare One Design

Coffee Shop

Cloudflare, device client

1 CloudflareTunnel

3a


SWG policy

Browser isolation

Zero Trustpolicy

Compromised site

Subnet

Web app

Identity provider

Web app

Cloud

Data Center / HQ

SAML Connector

Public Wifi

23b

Coffee Shop

Cloud Data Center / HQ

Web App

RemoteEndpoint

Public Wifi VPN

Edge Firewall

Internal DNS

Internal Firewall

SubnetLoad balancer


VPN Conc.1

23 4

5b

Malicious site

Web Proxy

VPN Conc.

MDM Server

IDS

Split Tunnel

Web App

5a





Network/Security ActionRelevant Legacy Solution

Legacy Design FlawRequired Security Add-on

1 AnremotedeviceconnectstocorporateresourcesviapublicWifi CorporateVPNClient Anunsecureddeviceonpublicwi-fiisatargetforbadactors

EndpointProtectionPlatform(EPP)

2TheremotedevicereachescorporateedgeviaVPNclient,butsplittunnelsothertraffic

CorporateVPNClient VPN-specificsecuritywillnotprotectsplit-tunneledtraffic DisableSplitTunnel




IntrusionDetectionSystem(IDS)

4Firewallpolicygrantsremoteuseraccesstosubnetwithprivatewebapplication

InternalFirewall Theuserhasaccesstoresourcesoutsidetheirjobfunction WebProxy




MobileDeviceMgmt(MDM)Server

Network/Security Action Relevant Cloudflare One Element Design Flaw Correction

1 AremotedeviceconnectstocorporateresourcesandtheinternetviaCloudflare

Cloudflare Device Client

Secure Web Gateway policy

Browser Isolation

LocalSecureWebGatewayclientletsCloudflareOnefilterDNS/HTTP/Networktraffictouser’sdeviceviagatewaypolicyBrowserIsolationabsorbs/isolatesimpactofsuccessfulmalwareattacksfromwebsites

2 UserundergoesIDPanddeviceposturechecksinCloudflare Zero Trust policy

ZeroTrustpolicyperformsdeviceposturecheckbeforepermittingaccess,mitigatingriskofcompromiseddevicesZeroTrustpolicyauthenticatesusertotheresourceinsteadoftheunderlyingnetwork,preventinglateralmovement

3 Access[Private|Public]webappdirectlyvia[CloudflareTunnel|SAMLConnector]

Cloudflare Tunnel 1.1.1.1 DNS resolver

CloudflareTunnelsecurelybrokersaconnectiontothewebapplicationandeliminatestheuseofexplicitFWrules


DNS Filtering



Legacy Design - First Glance


DNS-Related Event

1AnonsiteuserhastheirDNSrequestscontentfilteredforsecuritybythebuilt-infeatureontheEdgeFirewall

2 AremoteuserhastheirDNSrequestsfilteredafterconnectingtotheorganization’sfulltunnelVPN

3 OutboundDNSrequestsaretransmittedintheclear.

Office

Employee Subnet

Edge Firewall

Internet

Recursive DNS

Unacceptable site

Malicious siteRemote user

VPN

1

2

3

ThisgraphicrepresentshoworganizationsimplementDNSfilteringforonsiteandremoteemployeesinalegacyenvironment.Typically,DNSfilteringfororganizationsisaccomplishedviabuilt-infeaturesofon-premsolutionslikeafirewall.Remoteuserssendrequeststhroughthisfirewallbyfirstbackhaulingtrafficthroughafull-tunnelVPN.TToresolvewebsites,theorganizationsendsitsDNSqueriestoarecursiveDNS(likeGoogle’s8.8.8.8).Note: Justaswithothersectionsinthisguide,thislegacyenvironmentdoesnotrepresenteverytechnologyinsideanoffice,butonlytheonesinvolvedinthisspecificusecase.


Legacy Design - Operational Flaws


DNS-Related Event Relevant Elements Design Flaw


EdgeFirewallRelyingontheEdgeFWfortoomanyessentialoperationscandegradeperformanceacrosstheorganization

2AremoteuserhastheirDNSrequestsfilteredafterconnectingtotheorganization’sfulltunnelVPN

VPNConcentrator

EdgeFirewall

Afull-tunnelVPNcreatesa‘doubletax’ofinternetpackets,whichcancreateaperformancebottleneckfortheentireorganizationtunneledtraffic

3 OutboundDNSrequestsaretransmittedintheclear. UDP53

DNSoverUDPport53isunencryptedandthereforenotprivate.Anyonewhoseesthatcanreconuserwebbehavior

Office

Employee Subnet

Edge Firewall

Internet

Recursive DNS

Unacceptable site


VPN

1

2

3

Thisnextgraphicaddsacolumntothetablebelowarticulatingthechallengesassociatedwiththistraditionaldesign.ThemostpressingchallengeisthatrelyingonlocalhardwaretoperformDNSfilteringat-scalewilleventuallybottleneckperformanceforallusers,especiallywhenthathardwareisresponsibleforothercriticalservicesaswell(suchasterminatingtheremote-userVPN).Inaddition,sendingDNSquerieswithoutencryption(whichoccursbydefault)createsanewattackvectorwithunknownrisk.


Legacy Design - Required Network Modifications


DNS-Related Event Relevant Elements Design Flaw Non-Cloudfare Solution



DiscreteDNSFilter


VPNConcentrator

EdgeFirewall


IncreaseISPbandwidthHardwareupgradeEnableSplitTunnel*



DNSoverTLS/HTTPS

Office

Employee Subnet

Edge Firewall

Internet

Recursive DNS

Unacceptable site


VPN

1

2

3

Toaddressthedesignflawshighlightedinthepreviouspage,theorganizationnowneedstomodifytheirexistingnetworkarchitecture.Thisgraphicaddsanothercolumntothetablebelow,highlightingcommonsolutionswiththeirowndrawbacks.Here,buyingnewhardwaretohandlemoreusersorincreasebandwidthconsumptionwillleadtohighercapitalandoperationalexpensesovertime.Organizationsthatattempttoscalethisapproachthemselvesoftenencounterconsiderablegrowingpains,andinfact,manyorganizationsavoidDNSfilteringentirelybecauseoftheseoperationalconcerns.




Office

Employee Subnet

Edge Firewall

Internet

Unacceptable site

Malicious site


Gateway DNS policy

Browser isolation

Zero Trust policy

1 2

Remote user

OrganizationsthatadoptCloudflareOnepointtheirtraffictoCloudflare’sglobalnetworkandcanperformDNSfilteringfortheentireworkforcewithoutworryingabouttheoperationallimitsoftheirlocalhardware.

Cloudflare’sDNSfilterediseasytodeployforbothon-premandremoteusers:• TrafficfromofficeusersissenttoCloudflarebasedontheoutboundIPfromtheedgefirewall

• TrafficfromremoteusersissenttoCloudflarefromourdeviceclient

Inaddition,Cloudflare’s1.1.1.1DNSresolversupportsDNSoverTLS/HTTPs,whichresolvesthesecurityissuedetailedinthelegacyenvironment.

DNS-Related Event Relevant Cloudflare One Element Design Flaw Correction

1BothonsiteandremoteusershavetheirDNSrequestscontentfilteredbyCloudflare

Secure Web Gateway GatewayDNSpoliciesoffloadsDNSfilteringfromlocalhardware(orprovidesitforthefirsttime)

2Theorganization’sDNSrequestsareencryptedbeforebeingsentout.

1.1.1.1 DNS resolverCloudflare’s1.1.1.1 DNS resolversupportsDNSoverTLS/HTTPs,encryptingDNSrequestsandhinderinghostilereconnaissance


Legacy Design


Cloudfare One Design

Office

Employee Subnet

Edge Firewall

Internet

Recursive DNS

Unacceptable site


VPN

1

2

3

Office

Employee Subnet

Edge Firewall

Internet

Unacceptable site

Malicious site


Gateway DNS policy

Browser isolation

Zero Trust policy

1 2

Remote user


Legacy Design


Cloudfare One Design

DNS-Related Event Relevant Elements Design Flaw Non-Cloudfare Solution



DiscreteDNSFilter


VPNConcentrator

EdgeFirewall


IncreaseISPbandwidthHardwareupgradeEnableSplitTunnel*



DNSoverTLS/HTTPS

DNS-Related Event Relevant Cloudflare One Element Design Flaw Correction

1BothonsiteandremoteusershavetheirDNSrequestscontentfilteredbyCloudflare

Secure Web Gateway GatewayDNSpoliciesoffloadsDNSfilteringfromlocalhardware(orprovidesitforthefirsttime)

2Theorganization’sDNSrequestsareencryptedbeforebeingsentout.

1.1.1.1 DNS resolverCloudflare’s1.1.1.1 DNS resolversupportsDNSoverTLS/HTTPs,encryptingDNSrequestsandhinderinghostilereconnaissance

REV:BDES-2096.2021SEPT201 888 99 FLARE | [email protected] | www.cloudflare.com

WHITE PAPER

©2021CloudflareInc.Allrightsreserved.TheCloudflarelogoisatrademarkofCloudflare.Allothercompanyandproductnamesmaybetrademarksoftherespectivecompanieswithwhichtheyareassociated.

Documents

Cloudflare One Design Guide