INDEX
1 888 99 FLARE | [email protected] | www.cloudflare.com

About this Guide

Secure Access for Web Applications
• Legacy Design - First Glance
• Legacy Design - Security Flaws
• Legacy Design - Required Security Add-ons
• Cloudflare One Design
• Diagram Comparison
• Table Comparison

DNS Filtering
• Legacy Design - First Glance
• Legacy Design - Operational Flaws
• Legacy Design - Required Network Modifications
• Cloudflare One Design
• Diagram Comparison
• Table Comparison
CLOUDFLARE ONE DESIGN GUIDE

About this Guide

This design guide describes how organizations can simplify and strengthen their network and security architecture with Cloudflare One, our SASE platform. Cloudflare One combines network connectivity services with Zero Trust security services—all delivered on our global network. Unifying these networking and security services under one consistent, cloud-based architecture addresses many of the challenges of traditional, perimeter-based, on-premise deployments.

Each section of this design guide walks through a common technical use case—first, how that problem is typically solved with a legacy approach, and then, how Cloudflare One solves the same problem with greater efficiency and heightened security.

This guide covers the following use cases:
• Secure access for private and public web applications
• DNS filtering for on-prem and remote employees

These initial use cases were prioritized based on their popularity among customers, but they by no means represent the full scope of Cloudflare One’s capabilities. We will continue to expand this guide with additional use cases, including secure access to private networks, advanced threat/data protection, and more.

This design guide is intended for technically-minded practitioners to provide illustrative examples of how Cloudflare One, as a SASE platform, can be implemented to holistically transform and modernize an organization’s network and security architecture.
Secure Access for Web Applications

Legacy Design - First Glance

This graphic represents a traditional method of providing remote access to web applications. Here, a remote employee accesses corporate resources, specifically both a private (self-hosted) and public (cloud-based) web application. We have included a few of the most common security measures any reasonable organization would have in place, including an edge firewall, an internal firewall for segmentation, and a VPN. From left to right, this scenario illustrates the life of a session as a user logs in from a public location—a scenario that subsequent design graphics will build upon.

Note: This graphic only depicts the devices, appliances, and traffic flows involved in this specific network transaction and does not represent a comprehensive snapshot of all technologies that would be present in a legacy network architecture.
Network/Security Action
1. A remote device connects to corporate resources via public Wi-Fi.
2. The remote device reaches the corporate edge via a VPN client, but split-tunnels other traffic.
3. The VPN terminates at the edge firewall or at a VPN concentrator behind the firewall.
4. Firewall policy grants the remote user access to the subnet with the private web application.
5. The user accesses the web app via a private IP/URL [5a] or a public URL [5b] after authenticating to the IDP.

[Diagram: Coffee Shop (Remote Endpoint on Public Wifi, with a split tunnel to a Malicious site) → VPN → Edge Firewall → VPN Concentrator → Internal DNS → Internal Firewall → Subnet (Web App, Load balancer); Cloud (Web App, Identity Provider (IDP)); steps 1, 2, 3, 4, 5a and 5b are marked along the path.]
Legacy Design - Security Flaws

This graphic adds another column to the table below, highlighting the security flaws associated with each specific step in this scenario that leave an organization vulnerable.

Columns: Network/Security Action; Relevant Legacy Solution; Legacy Design Flaw

1. Action: A remote device connects to corporate resources via public Wi-Fi
   Relevant legacy solution: Corporate VPN client
   Legacy design flaw: An unsecured device on public Wi-Fi is a target for bad actors
2. Action: The remote endpoint reaches the corporate edge via a VPN client, but split-tunnels other traffic
   Relevant legacy solution: Corporate VPN client
   Legacy design flaw: VPN-specific security will not protect split-tunneled traffic
3. Action: The VPN terminates at the edge firewall or at a VPN concentrator behind the firewall
   Relevant legacy solution: Load balancer; Edge firewall; VPN concentrator
   Legacy design flaw: Inbound firewall/VPN rules may expose ports/protocols to the internet, expanding the potential attack surface
4. Action: Firewall policy grants the remote user access to the subnet with the private web application
   Relevant legacy solution: Internal firewall
   Legacy design flaw: The user has access to resources outside their job function
5. Action: The user accesses the web app via a private IP/URL [5a] or a public URL [5b] after authenticating to the IDP
   Relevant legacy solution: Active Directory; Internal DNS (private)
   Legacy design flaw: If the endpoint is compromised, the company app/network is at risk

[Diagram: Coffee Shop (Remote Endpoint on Public Wifi, with a split tunnel to a Malicious site) → VPN → Edge Firewall → VPN Concentrator → Internal DNS → Internal Firewall → Subnet (Web App, Load balancer); Cloud (Web App, Identity Provider (IDP)); steps 1, 2, 3, 4, 5a and 5b are marked along the path.]
Legacy Design - Required Security Add-ons

To address the design flaws highlighted on the previous page, the organization now needs to modify its existing network architecture. This graphic adds another column to the table below, detailing typical solutions to protect users and resources. Layering each security add-on adds complexity and ongoing management costs, likely across multiple vendors, to the legacy environment.

Columns: Network/Security Action; Relevant Legacy Solution; Legacy Design Flaw; Required Security Add-on

1. Action: A remote device connects to corporate resources via public Wi-Fi
   Relevant legacy solution: Corporate VPN client
   Legacy design flaw: An unsecured device on public Wi-Fi is a target for bad actors
   Required security add-on: Endpoint Protection Platform (EPP)
2. Action: The remote device reaches the corporate edge via a VPN client, but split-tunnels other traffic
   Relevant legacy solution: Corporate VPN client
   Legacy design flaw: VPN-specific security will not protect split-tunneled traffic
   Required security add-on: Disable split tunnel
3. Action: The VPN terminates at the edge firewall or at a VPN concentrator behind the firewall
   Relevant legacy solution: Load balancer; Edge firewall; VPN concentrator
   Legacy design flaw: Inbound firewall/VPN rules may expose ports/protocols to the internet, expanding the potential attack surface
   Required security add-on: Intrusion Detection System (IDS)
4. Action: Firewall policy grants the remote user access to the subnet with the private web application
   Relevant legacy solution: Internal firewall
   Legacy design flaw: The user has access to resources outside their job function
   Required security add-on: Web proxy
5. Action: The user accesses the web app via a private IP/URL [5a] or a public URL [5b] after authenticating to the IDP
   Relevant legacy solution: Active Directory; Internal DNS (private)
   Legacy design flaw: If the endpoint is compromised, the company app/network is at risk
   Required security add-on: Mobile Device Management (MDM) server

[Diagram: the same legacy topology as before (Coffee Shop, Remote Endpoint, Public Wifi, Malicious site, Split Tunnel, VPN, Edge Firewall, VPN Concentrator, Internal DNS, Internal Firewall, Subnet, Load balancer, Web App, Cloud Web App, Identity Provider (IDP)) with the add-ons inserted: IDS at the edge, a Web Proxy in front of the subnet, and an MDM Server; steps 1, 2, 3, 4, 5a and 5b marked.]
Cloudflare One Design

The graphic below highlights how an organization can adopt a simpler, more efficient approach to secure application access by implementing Cloudflare One. Here, much of the legacy network architecture shown beforehand is offloaded to Cloudflare, and many of the existing design flaws are corrected without the need for additional solutions. With Cloudflare One, the traffic between the remote user and the organization’s resources runs along Cloudflare’s global network with single-pass inspection. All services shown below run in all of Cloudflare’s data centers, located in 250+ cities in over 100 countries.

[Diagram: Coffee Shop (Public Wifi, Cloudflare device client, Compromised site) → Cloudflare (1.1.1.1 DNS resolver, SWG policy, Browser isolation, Zero Trust policy) → Data Center / HQ reached through Cloudflare Tunnel (Subnet, Web app) and Cloud reached through a SAML Connector (Web app, Identity provider); steps 1, 2, 3a and 3b are marked.]

Columns: Network/Security Action; Relevant Cloudflare One Element; Design Flaw Correction

1. Action: A remote device connects to corporate resources and the internet via Cloudflare
   Relevant Cloudflare One element: Cloudflare device client; Secure Web Gateway policy; Browser Isolation
   Design flaw correction: The local Secure Web Gateway client lets Cloudflare One filter DNS/HTTP/network traffic to the user’s device via gateway policy. Browser Isolation absorbs/isolates the impact of successful malware attacks from websites.
2. Action: The user undergoes IDP and device posture checks in Cloudflare
   Relevant Cloudflare One element: Zero Trust policy
   Design flaw correction: The Zero Trust policy performs a device posture check before permitting access, mitigating the risk of compromised devices. The Zero Trust policy authenticates the user to the resource instead of the underlying network, preventing lateral movement.
3. Action: Access the [private | public] web app directly via [Cloudflare Tunnel | SAML Connector]
   Relevant Cloudflare One element: Cloudflare Tunnel; 1.1.1.1 DNS resolver
   Design flaw correction: Cloudflare Tunnel securely brokers a connection to the web application and eliminates the use of explicit firewall rules.
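The difference between legacy step 4 (a firewall rule admitting a VPN user to a whole subnet) and Cloudflare One step 2 (a per-resource decision gated on identity and device posture) is easier to see in code. The following is an added illustration written for this guide; it is not Cloudflare's code and does not model the Cloudflare Access policy engine. The users, devices, applications, subnet and posture requirements are constructed sample data, and the policy fields (allowed groups, minimum OS version, disk encryption) are a hypothetical simplification.

```python
"""Added illustration (not Cloudflare's code): a network-level grant exposes
every host in a subnet, while a per-application Zero Trust policy grants one
resource, and only after identity and device-posture checks pass.
All users, devices, apps and posture requirements are constructed sample data;
the policy schema is a hypothetical simplification."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Device:
    client_running: bool      # device client / agent present and reporting
    disk_encrypted: bool
    os_version: tuple         # e.g. (12, 6)


@dataclass
class User:
    email: str
    idp_groups: set
    authenticated: bool       # completed the IdP login step


@dataclass
class App:
    name: str
    ip: str
    allowed_groups: set
    min_os: tuple = (0,)
    require_disk_encryption: bool = True


# --- Legacy model: a firewall rule admits the VPN pool into a subnet ---
SUBNET = ipaddress.ip_network("10.10.20.0/24")   # constructed private subnet


def legacy_subnet_rule(dest_ip: str) -> bool:
    """A firewall ACL reasons about addresses, not users or applications:
    once the VPN user is admitted to the subnet every host in it is reachable."""
    return ipaddress.ip_address(dest_ip) in SUBNET


# --- Zero Trust model: a decision per user, per device, per application ---
def zero_trust_decision(user: User, device: Device, app: App) -> tuple:
    """Return (allowed, reasons). Every failed check is reported so the
    denial can be logged and followed up by the security team."""
    reasons = []
    if not user.authenticated:
        reasons.append("user not authenticated to IdP")
    if not user.idp_groups & app.allowed_groups:
        reasons.append(f"user not in an allowed group for {app.name}")
    if not device.client_running:
        reasons.append("device client not running; posture unknown")
    else:
        if app.require_disk_encryption and not device.disk_encrypted:
            reasons.append("disk encryption required")
        if device.os_version < app.min_os:
            reasons.append(f"OS {device.os_version} below minimum {app.min_os}")
    return (not reasons, reasons)


# Constructed sample data: three apps on the same subnet, one HR user, two devices
APPS = {
    "hr-portal": App("hr-portal", "10.10.20.15", {"hr"}, min_os=(12, 0)),
    "finance":   App("finance",   "10.10.20.22", {"finance"}),
    "db-admin":  App("db-admin",  "10.10.20.40", {"dba"}),
}
alice = User("alice@example.com", {"hr"}, authenticated=True)
healthy = Device(client_running=True, disk_encrypted=True, os_version=(12, 6))
stale = Device(client_running=True, disk_encrypted=False, os_version=(11, 2))


def reachable_via_legacy(user: User) -> list:
    """Apps a VPN user can reach once the subnet ACL admits them (all of them)."""
    return sorted(name for name, app in APPS.items() if legacy_subnet_rule(app.ip))


def reachable_via_zero_trust(user: User, device: Device) -> list:
    """Apps the same user can reach under per-application policy."""
    return sorted(name for name, app in APPS.items()
                  if zero_trust_decision(user, device, app)[0])


if __name__ == "__main__":
    print("legacy subnet grant:", reachable_via_legacy(alice))
    print("zero trust, healthy device:", reachable_via_zero_trust(alice, healthy))
    print("zero trust, stale device:", reachable_via_zero_trust(alice, stale))
    print(zero_trust_decision(alice, stale, APPS["hr-portal"]))
```

Run as a script, the legacy rule lists all three applications for the HR user (the "resources outside their job function" flaw), the Zero Trust path lists only hr-portal from a healthy device, and the stale device is denied with both posture failures named, which is the signal a SOC would want to see in access logs.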
Diagram Comparison

[Side-by-side diagrams: the Legacy Design - Required Security Add-ons diagram (Coffee Shop, Remote Endpoint, Public Wifi, Malicious site, Split Tunnel, VPN, Edge Firewall, VPN Concentrator, IDS, Web Proxy, MDM Server, Internal DNS, Internal Firewall, Subnet, Load balancer, Web App, Identity Provider (IDP)) next to the Cloudflare One Design diagram (Coffee Shop, Public Wifi, Cloudflare device client, Compromised site, 1.1.1.1 DNS resolver, SWG policy, Browser isolation, Zero Trust policy, Cloudflare Tunnel, SAML Connector, Subnet, Web app, Identity provider), both as shown on the preceding pages.]
Table Comparison

[The Legacy Design - Required Security Add-ons table and the Cloudflare One Design table from the preceding pages, placed side by side; their contents are identical to the tables above.]
DNS Filtering

Legacy Design - First Glance

This graphic represents how organizations implement DNS filtering for onsite and remote employees in a legacy environment. Typically, DNS filtering for organizations is accomplished via built-in features of on-prem solutions like a firewall. Remote users send requests through this firewall by first backhauling traffic through a full-tunnel VPN. To resolve websites, the organization sends its DNS queries to a recursive DNS resolver (like Google’s 8.8.8.8).

Note: Just as with other sections in this guide, this legacy environment does not represent every technology inside an office, but only the ones involved in this specific use case.

DNS-Related Event
1. An onsite user has their DNS requests content-filtered for security by the built-in feature on the edge firewall.
2. A remote user has their DNS requests filtered after connecting to the organization’s full-tunnel VPN.
3. Outbound DNS requests are transmitted in the clear.

[Diagram: Office (Employee Subnet, Edge Firewall) → Internet (Recursive DNS; Unacceptable site; Malicious site); Remote user connected via VPN; steps 1, 2 and 3 are marked.]
Legacy Design - Operational Flaws

This next graphic adds a column to the table below articulating the challenges associated with this traditional design. The most pressing challenge is that relying on local hardware to perform DNS filtering at scale will eventually bottleneck performance for all users, especially when that hardware is responsible for other critical services as well (such as terminating the remote-user VPN). In addition, sending DNS queries without encryption (which occurs by default) creates a new attack vector with unknown risk.

Columns: DNS-Related Event; Relevant Elements; Design Flaw

1. Event: An onsite user has their DNS requests content-filtered for security by the built-in feature on the edge firewall
   Relevant elements: Edge firewall
   Design flaw: Relying on the edge firewall for too many essential operations can degrade performance across the organization
2. Event: A remote user has their DNS requests filtered after connecting to the organization’s full-tunnel VPN
   Relevant elements: VPN concentrator; Edge firewall
   Design flaw: A full-tunnel VPN creates a ‘double tax’ of internet packets, which can create a performance bottleneck for the entire organization’s tunneled traffic
3. Event: Outbound DNS requests are transmitted in the clear
   Relevant elements: UDP 53
   Design flaw: DNS over UDP port 53 is unencrypted and therefore not private. Anyone who sees that traffic can recon user web behavior

[Diagram: Office (Employee Subnet, Edge Firewall) → Internet (Recursive DNS; Unacceptable site; Malicious site); Remote user connected via VPN; steps 1, 2 and 3 are marked.]
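Flaw 3 above (DNS over UDP port 53 is readable by anyone on the path) and the DNS over TLS/HTTPS remedy that the following pages describe can be made concrete with a small parser. The example below is added for this guide and is not from the original document or from Cloudflare: it encodes standard DNS queries in wire format (RFC 1035), shows the queried names an on-path observer can lift straight out of a capture of UDP/53 payloads, and then shows the same message as the `dns` parameter of an RFC 8484 DNS-over-HTTPS GET request, where HTTPS hides it from that observer. The capture, the domain names and the transaction IDs are constructed sample data; no network traffic is sent.

```python
"""Added illustration (not from the design guide): what a passive observer
sees in DNS over UDP port 53, and how the same message travels in
DNS over HTTPS (RFC 8484). All packets are constructed; no network is used."""
import base64
import struct


def build_query(name: str, txn_id: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard DNS query in wire format (RFC 1035 section 4.1):
    12-byte header, then the question (QNAME as length-prefixed labels,
    QTYPE, QCLASS=IN)."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(packet: bytes) -> str:
    """Read the queried name out of an unencrypted DNS message.
    This is all an on-path observer needs to profile browsing behaviour."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question section")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:        # compression pointer: not valid in a question name
            raise ValueError("unexpected compression pointer in question")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def observer_view(udp53_payloads: list) -> dict:
    """Summarise a capture of UDP/53 payloads as domain -> query count,
    i.e. the reconnaissance the 'Design Flaw' column above warns about."""
    seen = {}
    for payload in udp53_payloads:
        try:
            name = parse_qname(payload)
        except ValueError:
            continue                      # skip malformed or non-DNS payloads
        seen[name] = seen.get(name, 0) + 1
    return seen


def doh_get_path(packet: bytes) -> str:
    """The same wire message as the 'dns' parameter of an RFC 8484 GET:
    base64url without padding. The message content is unchanged; only the
    transport (HTTPS) hides it from observers between client and resolver."""
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"/dns-query?dns={encoded}"


def doh_decode(path: str) -> bytes:
    """Inverse of doh_get_path, as the resolver applies it after TLS terminates."""
    encoded = path.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


# Constructed capture: three plaintext queries as seen from the coffee-shop network,
# plus one malformed fragment that the observer should ignore.
CAPTURE = [
    build_query("intranet.example.com"),
    build_query("payroll-vendor.example.net"),
    build_query("intranet.example.com", txn_id=0x1235),
    b"\x00\x01",
]

if __name__ == "__main__":
    for domain, count in observer_view(CAPTURE).items():
        print(f"{domain}: {count} query(ies) visible in the clear")
    path = doh_get_path(build_query("intranet.example.com"))
    print("DoH GET:", path)
    print("resolver recovers:", parse_qname(doh_decode(path)))
```

The point the observer_view function makes is the one the remedy hinges on: the resolver still needs the full query (doh_decode recovers it unchanged), so DoT/DoH does not reduce what the chosen resolver learns; it removes the hostnames from every network segment between the client and that resolver, which is why the resolver choice and the encrypted transport go together in the Cloudflare One design that follows.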
Legacy Design - Required Network Modifications

To address the design flaws highlighted on the previous page, the organization now needs to modify its existing network architecture. This graphic adds another column to the table below, highlighting common solutions with their own drawbacks. Here, buying new hardware to handle more users or increase bandwidth consumption will lead to higher capital and operational expenses over time. Organizations that attempt to scale this approach themselves often encounter considerable growing pains, and in fact, many organizations avoid DNS filtering entirely because of these operational concerns.

Columns: DNS-Related Event; Relevant Elements; Design Flaw; Non-Cloudflare Solution

1. Event: An onsite user has their DNS requests content-filtered for security by the built-in feature on the edge firewall
   Relevant elements: Edge firewall
   Design flaw: Relying on the edge firewall for too many essential operations can degrade performance across the organization
   Non-Cloudflare solution: Discrete DNS filter
2. Event: A remote user has their DNS requests filtered after connecting to the organization’s full-tunnel VPN
   Relevant elements: VPN concentrator; Edge firewall
   Design flaw: A full-tunnel VPN creates a ‘double tax’ of internet packets, which can create a performance bottleneck for the entire organization’s tunneled traffic
   Non-Cloudflare solution: Increase ISP bandwidth; Hardware upgrade; Enable split tunnel*
3. Event: Outbound DNS requests are transmitted in the clear
   Relevant elements: UDP 53
   Design flaw: DNS over UDP port 53 is unencrypted and therefore not private. Anyone who sees that traffic can recon user web behavior
   Non-Cloudflare solution: DNS over TLS/HTTPS

[Diagram: Office (Employee Subnet, Edge Firewall) → Internet (Recursive DNS; Unacceptable site; Malicious site); Remote user connected via VPN; steps 1, 2 and 3 are marked.]
Cloudflare One Design

[Diagram: Office (Employee Subnet, Edge Firewall) and Remote user → Cloudflare (1.1.1.1 DNS resolver, Gateway DNS policy, Browser isolation, Zero Trust policy) → Internet (Unacceptable site; Malicious site); steps 1 and 2 are marked.]

Organizations that adopt Cloudflare One point their traffic to Cloudflare’s global network and can perform DNS filtering for the entire workforce without worrying about the operational limits of their local hardware.

Cloudflare’s DNS filtering is easy to deploy for both on-prem and remote users:
• Traffic from office users is sent to Cloudflare based on the outbound IP from the edge firewall
• Traffic from remote users is sent to Cloudflare from our device client

In addition, Cloudflare’s 1.1.1.1 DNS resolver supports DNS over TLS/HTTPS, which resolves the security issue detailed in the legacy environment.

Columns: DNS-Related Event; Relevant Cloudflare One Element; Design Flaw Correction

1. Event: Both onsite and remote users have their DNS requests content-filtered by Cloudflare
   Relevant Cloudflare One element: Secure Web Gateway
   Design flaw correction: Gateway DNS policies offload DNS filtering from local hardware (or provide it for the first time)
2. Event: The organization’s DNS requests are encrypted before being sent out
   Relevant Cloudflare One element: 1.1.1.1 DNS resolver
   Design flaw correction: Cloudflare’s 1.1.1.1 DNS resolver supports DNS over TLS/HTTPS, encrypting DNS requests and hindering hostile reconnaissance
Diagram Comparison

[Side-by-side diagrams: the Legacy Design diagram (Office, Employee Subnet, Edge Firewall, Internet, Recursive DNS, Unacceptable site, Malicious site, Remote user, VPN; steps 1, 2, 3) next to the Cloudflare One Design diagram (Office, Employee Subnet, Edge Firewall, Internet, Unacceptable site, Malicious site, 1.1.1.1 DNS resolver, Gateway DNS policy, Browser isolation, Zero Trust policy, Remote user; steps 1, 2), both as shown on the preceding pages.]
Table Comparison

[The Legacy Design - Required Network Modifications table and the Cloudflare One Design table from the preceding pages, placed side by side; their contents are identical to the tables above.]
REV: BDES-2096.2021SEPT20

WHITE PAPER

© 2021 Cloudflare Inc. All rights reserved. The Cloudflare logo is a trademark of Cloudflare. All other company and product names may be trademarks of the respective companies with which they are associated.