Cloudflare TV

ℹ️ CIO Week: Cloudflare One, One Year Later; PII and Selective Logging Controls; Announcing Anycast IPsec; Replace Your Hardware Firewall

Presented by Sam Rhea, Rustam Lalkaka, Achiel van der Mandele, Annika Garbers, Ankur Aggarwal
Originally aired on 

In this CIO Week segment, Cloudflare product managers and engineers will take a deep dive into the products and features we launched today.

Read the blog posts:

Visit the CIO Week Hub for every announcement and CFTV episode — check back all week for more!

CIO Week

Transcript (Beta)

Hello everyone, welcome to Cloudflare TV and welcome to CIO Week. My name is Annika and I'm on the product team here at Cloudflare.

This is Cloudflare last innovation week of the year and we're spending it highlighting new products and features of the Cloudflare One platform that are going to help chief information officers build their next generation networks on cloud players.

I'm super excited to be joined by some of my favorite people on the Cloudflare product team to kick off the week and talk about one of our really big announcements from today, which is going to allow customers to deprecate their hardware firewalls and switch to Cloudflare.

But before we jump into that, I would love to spend just a little bit of time on why CIO Week who are CEOs anyway?

What do they do?

What do they care about? And Rustam, I would love for you to kick it off.

Can you introduce yourself and tell us a little bit about who are CEOs and why are we focusing on them for this week?


So my name is Rustam. I'm a director of product here at Cloudflare.

I focus on our networking and data products.

CIOS are an interesting job title.

It's an interesting job.

And their job has gotten harder recently.

And Cloudflare sort of excited to try and help make their job easier and help them adapt to a changing world.

So CIOs are tasked with running corporate IT departments is a really sort of gross simplification and in general are sort of focused on keeping a company's workforce productive and keeping its information technology systems online and sort of responsive to the business's needs.

And so the job has sort of different flavors at different companies, right?

So you can imagine that CIO at a manufacturing company, for instance, is very focused on keeping assembly lines running and keeping all sorts of systems that support that core manufacturing competency efficient and running properly.

Whereas I used to work at Microsoft, the IT team at Microsoft has a totally different crazy job, right?

They're supporting the people that develop Windows to make sure that Windows can be written properly.

So lots of sort of differences across companies.

But at its core, CIOs are really focused on keeping folks productive and making sure they have access to the tools and technology they need to do their jobs and.

That sort of setup has changed a lot recently, right?

We have sort of broader macro trends that have taken place over the last couple of years with enterprises shifting where they deploy software from company owned and controlled data centers to the cloud.

They're increasingly buying more and more SAS and sort of software that's delivered as a service instead of in a box.

And then over the past two years, this sort of gradual trend we've observed of people going more and more remote has been grossly accelerated by COVID.

And so lots of different things happening at the same time that may make their jobs even more difficult than they were before.

Got it.

So CIOs are responsible for making sure that all of us can do our work. And work means different things at different places.

But across the board, their jobs are getting harder because we have these things happening of applications moving to the cloud and users working from everywhere.

So what is Cloudflare doing to help with this? We have this Cloudflare One platform that is targeted at CIOs.

Sam, could you one introduce yourself, but to give us a little bit of an overview of what's Cloudflare One and how does it help CIOs solve these problems that have been introduced by these changes?


Hi aka my name is Sam. I'm a director.

Of product.

here at Cloudflare.

I focus on our Zero Trust product set, which is really kind of a wonky name, what that implies is if you're a CIO, you want your organization, whether it's the endpoints, the users, the data inside of the tools that you use to zero trust in anyone attempting to connect.


You want to have them prove who they are and who they say they are, which like Christine was mentioning, became a lot harder recently.

And Cloudflare One is our answer to the challenge that keeps a lot of CIOs and CSOs and just generally members of an organization up at night when they want to think about how do I make sure my organization can connect to the things that they need, cannot connect to the things that are potentially harmful to my team.

And we can secure that whole connection and think about what are the rules that apply when users go get the tools that they need to do their jobs.

And it's a really fun group of products because it takes the best of Cloudflare network, which a lot of folks might know.

Cloudflare network as the network that delivers to you some of the largest properties on the Internet and millions of just generally websites and destinations on the Internet, who makes those fast and safe?

And we've, for the last ten plus years, been an organization that have been able to help organizations who wanted to have their Internet facing properties, the things that face their audiences, their customers, their users, to have those be fast and safe, both for them and for their users.

And now we get to take that same network and turn around and point it at the challenges that organizations have inside of the house.

It's a lot like if you were around for the first automobile and you're like, Oh, this can move people.

I wonder if this could also move and transport goods and things like that.

So if we're taking Cloudflare's network and all these customers who have come to us and said, Hey, you made my website way faster and way more secure, could you do that for the internal resources in my team, or could you do that for how my employees connect out to the Internet?

And that's been really fun because it kind of takes two forms, both of which use different superpowers in our network.

The first is how do you get that traffic either from your offices, from your data centers, from your users at home to its destination?

Whether that's that destination is the public Internet, of which a chunk of that already sits on Cloudflare network or internal resources that you need.

Or maybe you have those internal resources on the other side and you want to make sure those can connect to Cloudflare network and to those employees in your in your team.

So we think a lot about how do we give you different options to connect whatever it is, whatever you want to plug into Cloudflare network such that you can have this next level.

And this next level is where we use our network to make it more secure.

And secure looks really different depending on your use case.

For example, if you're thinking about your internal administrator tools, the things that your customer support team uses to manage employee accounts, the things that maybe your project management or your source code repository tools inside of your house, you want those to block all attempts to connect to them by default and only allow certain things.

Maybe I only want people to connect to this admin tool when they're in this group and with this hard key in using a managed device from a specific country.

We let you build those rules in our network and in the same way that our network, because it's deployed in 250 cities around the world, more than 250 cities around the world, we put security decisions really close to the user for all of the largest websites in the world and the content we bring that really close to the user.

We're able to use those same points of presence to enforce these decisions about who should be able to reach the resources in your organization.

But on the flip side, the rest of the Internet is potentially really scary, right?

You've got employees around the world and offices, data centers at home who are just connecting out to the Internet.

And that's potentially terrifying, right?

Because anyone the beauty of the Internet is that anyone can connect into it.

So how do you stop people from accidentally going to phishing websites?

Or you'll learn more from Akeel and Anker later in this conversation about how do you actually secure the traffic that's entering and exiting your network?

How do you take Cloudflare network and make sure that you're building security policies over what's going to happen next?

And that's everything in Cloudflare One.

It's really using our network to replace your.

Corporate network to worry on your behalf about everything that's connecting.

How do we make sure it's fast?

How do we make sure it's reliable?

And ultimately, how do we make sure it's really secure?


That's a great overview. So Cloudflare One this platform, we launched it a year ago and today, Sam, you and Rustam published a blog post about how it's going.

And I wonder if for folks that are watching that maybe didn't get a chance to read the blog post yet, if you wouldn't mind, maybe Sam first and then Rustam just recapping.

Yeah, how is it going? What kinds of problems are customers solving?

How are they using our network to solve problems in new ways?


Come on. It's only 11 pages long in Google Docs. Hasn't read it yet.

It was really fun because we announced this a year ago and we were able to take a step back and think about how our customer is using this.

And we've seen a lot of customers on the Zero Trust side start by protecting the applications that run their business so the internal things that their employees use.

And in the last year, customers have protected over 192,000 applications.

And that protection can look like only my employees can reach it or my employees.

This OCTA group Kieth managed device and that's been really powerful.

But the statistic I like the best is that if you're a small or smaller team, small organization, a lot of the security products that we're talking about today and that other folks on this call are going to go into.

We're only available if you are a big enterprise and you picked up the phone and talk to a sales rep and signed a contract.

And that just means that you've got thousands, tens of thousands, hundreds of thousands of organizations that lacked security just because they weren't big enough.

So in the last year, and that's just not how it should be in the last year, over 10,000 customers have used Cloudflare's network to secure their path to the Internet for their employees and their users.

And that's both really exciting and really humbling that we're able to take our network and solve that problem.

Because also in that blog post, we mentioned that the United States federal government uses our protected DNS resolver to secure their own employees and members of the government for all civilian agencies.

And so we're able to secure what is one of the largest organizations in the world with our network, but also over 10,000 small companies that just used not used to not have this as an option.

And that's been really fun in the last year.

Rustam, I know, has a lot of interesting data on the networking side to share.

Yeah, a lot of sort of interesting use cases.

But I think the other interesting thing we've seen with customers that are deployed, one is, is we frequently get questions of, okay, great, this product sounds good.

The functionality sort of solves my security and access needs.

How do I pick which region to deploy it in or how large an instance do I need to deploy?

And the answer to either of those is you don't have to pick a region and you don't have to size anything.

And I think this is actually the most mindblowing part of the product suite and to be honest, one that we haven't done a great job really explaining, right?

Because what we're doing here is very, very different from how traditional hardware was bought and sized.


You bought a box, you decided how big it was in terms of CPU cores and RAM and network interfaces, and then you deployed that in a specific location.

And then we've seen a lot of what are called cloud firewalls or things like it that are sort of lifting and shifting that hardware box concept into the cloud.

You pick a region to run your device in and you're still picking instance, size and all that.

With Cloudflare, our whole edge is really your firewall, right? And this is kind of a mind blowing concept.

All your traffic, any traffic can touch any part of our network and have the same controls applied to it.

No matter where you are in the world, no matter what carrier you're using, no matter what type of traffic you're using.

And then the other point is that because our whole network is applied to all your traffic, our whole network scale is applied to your workload as well.

And so, no exaggeration, we have customers pushing hundreds and hundreds of gigabits per second of traffic with really, really complex security controls being applied through our edge.

They didn't have to pick how many course or where in the world that filtering was going to happen.

It just worked. So, yeah.

That's awesome.

Yeah. And I think a great segue to, to talking more about the firewall announcement from today.

I wonder.

Anchor Would you mind going over just for our viewers, sort of a brief history of firewalls where some touch on this a little bit with the physical appliances, but there's lots of sort of buzzwords that float around, right?

Like next generation firewalls and cloud firewalls.

Just take us through that.

Like, where do we start and where are we now?


Yeah. By the way, if my name is Agarwal, I'm a product manager here at Cloudflare working on our gateway product.

So with the history of firewalls, it's really kind of just interesting because first it started with you wanted you had a closed network, you wanted to essentially allow one set of users access to say like the accounting mainframe or something, basically just like another floor of the same building.

So it started with basically just like simple layer three and four rules around IP and ports.

But then as kind of things moved on, people needed access to the Internet.

So allowing people to access the Internet.

You also wanted to make sure people weren't able to get in.

So a part with that shift came stateful firewall and deep packet inspection.

So with that, essentially those firewalls would now track every connection going in and out of the network.

And to do that, you also needed, like Rossman was saying, you needed to start thinking about things like your resource consumption for your hardware.

So essentially, do I need two firewalls?

Do I need three?

Do I need primary redundant pairs?

And this only got more complicated as things move to the next generation.

And the reason for that was you could definitely see a user going out to a single IP address, a single port, but you couldn't attribute that to any one single user.

You also couldn't attribute that to any single application. Also what they did within that application.

So in came next generation firewalls and next generation firewalls are still here today.

Many users still have them because they provided all the things of application control.

They started then integrating a bunch of the other kind of boxes that were within that security suite or security enclave like VPN gateways, IDs and IPS.

Biking, but there's a few other ones that got rolled in here.

But as soon as all of those started coming together and that Next-Generation Firewall, that discussion around compute and memory resources became even greater because you now have a single piece of hardware doing all of those functions at once.

So essentially those became a pain to manage. You had to deploy them in the correct regions like Rust and said earlier.

But also every time you set up a new office, you'd have to buy another set.

There were just many kind of hardware issues there.

But as time went on, the thing that also became pretty evident was we got really deep into where the customer or where the users were going, but we didn't have a lot of information of who the user was and a lot of information about what device they're coming from.

So in came in Zero Trust, so Zero Trust helped add a lot of those concepts onto it.

So it gave a way to identify the user and build kind of smaller scope networks as well as verifying things like device posture.

So those things all kind of led into what we now have on Cloudflare One.

And what is that thing?

So we announce the expanded capabilities of our firewall functionality today.

I'd love to give an overview of sort of what's new. Let's start with you on sort of this upgrade to application level functionality that we've been talking about.

And then I'd love to hear also from Akhil on some of the other capabilities that are now available.


So real quick on the upgrade to HL7. So essentially users will be able to essentially identify any 18 four for three traffic or really anything that's TCP or UDP base that they want to upgrade to our Gateway product within Gateway.

Then you can apply all those kind of Zero Trust and application specific rules that you're looking for.

It gives you a good auditability of all of the traffic that's going on, as well as the ability to provide those allows and blocks based on those Zero Trust controls.

Awesome and tequila on your side.

There's a ton of good new stuff in there too.

Do you want to introduce yourself and then tell us more about some of the new features that are available in the firewall?

Yeah, hi.

My name is Akila. I'm a product manager here at Cloudflare and I'm really excited to chat about what we announced today and also give kind of a sneak preview of some of the things we're going to be launching later this week.

So for starters, this morning we put out a blog on what we call Programable packets with SPF software.

That all sounds like really technical.

Basically, what we're doing is.

A lot of people will.

Love our Magic Firewall product suite and our gateway products, but at least for Magic Firewall, it's largely limited on like looking at it on a per packet level.

You can do stuff like look at the source and destination IP, you can match report, you can match on the contents of the packet.

But what if you wanted to do like more complex things?

And the reason we started looking into this is we've seen a large uprise in VoIP providers getting attacked with very specific styles of attacks.

And we knew we wanted to put in more sophisticated mitigations to be able to do that more than just looking at one packet and like, what are the contents?

We want to actually perform more better mitigations.

So that's where SPF comes in, which stands for extended Berkeley packet filtering, which allows you to apply any logic you want to any single packet.

So you can maybe think of it as like Workers on a per packet level.

So for every single packet that comes on, you can run like your little program and then you can afterwards use those things in the Magic Firewall to either allow or block.

And this has been really great and effective for us in being able to block more sophisticated, SIP style attacks.

And we're really excited about what this means because again, you can program anything you want in these.

So for folks listening, if you have an ideas or things that you would love to be able to do at our edge, we'd love to get in contact.

Looking ahead on the other things that we're going to be launching this week.

One thing that I'm personally really, really excited about is threat intel integrations with Magic Firewall.

It's really great if you know exactly which traffic is and isn't allowed.

Like you could say, like, well, anyone.

My branch office is allowed to open a connection to any website on the internet and I know.

These are like my web servers.

And they should only get.

Traffic on port 84 for three.

But what if you want to.

Guard yourself against more unknown unknowns?

There are a lot of malware botnets anonymizing.

As you might want to prevent your employees from visiting those gnarly sites.

Or what if you're getting scanned a lot by anonymizing like anonymize or something like for or a VPN, so someone using that service to kind of mask their thing, you might want to just keep those people out altogether from your network.

Maintaining those types of lists and keeping track of what is IP is a huge annoyance and generally not really feasible at scale.

Like Cloudflare, it's really great.

We see almost 30 million HTTP requests second with us blocking, I think it's 76 billion cyberthreats a day.

We see a lot of novel attacks and we have a really good finger at the pulse for which actors are good and which are bad on the Internet.

And we've turned that into a simple purgative that you can use to police your traffic.

So again, in this example, let's say you have a branch office or remote users, you want to prevent them from accessing known command and control centers.

That's just a click and a rule away. And the same for anonymize is going into your traffic, that type of stuff.

I'm really excited about that and that's going out later this week.

Another really often requested feature.

That we've gotten is how can I police my traffic based on where it's coming from?

And what I mean by that, it's like, which country is this coming from or which is it going to?

And we will have all sorts of reasons for wanting to do so. Figuring out in which country an IP physically resides is again, insanely difficult.

There's no way for you to keep track and it changes all the time as well. So we're exposing that as a first class primitives.

So you can just block let's say you don't like the Dutch, you could just.

Block all traffic from.

The I'm allowed to make this person as a Dutch.


You can just block all traffic from.


Country or let's say you love from another country, you could just automatically always allow it.

That traffic, all of this kept up to date and runs at our edge. All of these kind of builds upon some fundamental technical blocks.

That we've been referring.

To as IP lists, which is just a way for managing large sets of IP lists, and we're exposing that as well.

So if you want to easily manage.

your IP, let's say, you know which web servers all have a need, a certain policy, you can just create a list of IP that match those web servers and the same for sites on the Internet.

If you have like very precise feeling for like, hey, all of these IP are good and these are bad, you can just create your own list to manage that, which greatly simplifies management of all of these rules.

And then another one that I'm really, really excited about is packet captures at the edge.

Packet captures for people that don't really know.

What that means is getting like a snapshot of all of your network traffic that's flowing through a particular box.

Traditionally, routers, firewalls would kind of do these things, but they're a little bit limited in the sense that you could only capture traffic on that one box.

The other tricky part is that the running packet captures at scale is actually pretty heavy.

So you need a pretty beefy box if you want to capture a lot of it with packet captures at the edge at Cloudflare.

We solve that problem.

We run it across our entire network, which gets you two things.

For one.

This gets you visibility into your entire network.

So you can one click create a packet capture that matches on packets across the globe, across your branch offices, data centers, remote users, everything.

The other really cool part about it is that it runs on the super scalable network the rest room was talking about.

Our entire network is used to grab these packet captures so you don't have to worry about capacity anymore.

It's just one click away.

Create your package capture and you get precise visibility into what's going on in your network.

Well, that was a big list.

So recapping new stuff, we have the ability now for customers to connect to our network with whatever onramp they want and upgrade traffic to fine grained secure web gateway filtering policies.

We have the ability to write Programable firewall rules leveraging WPF, which is this really awesome new technology in the Linux kernel to do whatever kind of sophisticated filtering you want.

We have integrations with threat intelligence, we got geo blocking, we got IP lists, and we have this new ability also to capture packets at the edge using sort of same fundamental building blocks, but unlocking a bunch of new use cases.

That's a ton of stuff.

That's really awesome.

So I'm wondering just a 32nd overview. If I was a user and I wanted to deploy this, let's say at my branch offices, I'm going to reopen some offices soon and I want to leverage this technology instead of relying on maybe my classic hardware firewalls that are reaching their end of life.

How would I do that? What does the setup actually look like for that?

Akhil, if you want to walk through that one.

Yeah, that's a great point.

I'll try to keep this short. So what a huge pain anchor also mentioned is like all of a sudden you're forced to ship boxes into new locations, right?

So let's say you're a super fast growing large enterprise.

You're opening branch and sales offices everywhere all the time.

A lot of these organizations, especially in these times of supply chain management, struggle a lot in getting the they might have the physical boxes, but they can't even ship them to wherever they are.

They are opening these offices.

So what's really great with Cloudflare One and our product suite is you need really basic hardware.

Basically, any straightforward router will be able to set up like a tunnel or IPSec tunnel to the complex network, and then all of a sudden you get full access to our entire product suites.

So you can start off simple with something like Magic Firewall, or you can upgrade to advanced features like Gateway and our pipeline for inbound traffic.

So for like a typical branch office, you would probably opt for Gateway that gets you like full inspection of every single HTTP request and connection that's going out.

So that keeps your employees safe. And then for data center, you might opt for a combination of magic firewall, maybe threat intel lists and orange.

What we refer to is orange clouding, so putting your website behind Cloudflare and getting security features that way.


And actually, to piggyback on that, the last kind of traffic flow there is like the users connecting in.

So you essentially have your employees that need to connect into either some resource behind your security enclave in your data center.

You can now use one with the other client deployed on your end users machine.

So then they can log in, be on your network, and you can authenticate them through the IBP of your choice.

This allows you to build really nice kind of Zero Trust rules around locking it down to specific users as well as adding device flasher on top of it.

So you can even check that they're on the latest OS level.

They have the most recent antivirus version.

So then you can be confident that when your users connect into your internal resources, they're doing it from kind of a safe device.

And the other kind of piece to this is you can also layer on things like contractors were to come in and need access to your environment.

You could integrate with their IDPs as well and even enforce them to use things like Remote Browser Isolation.

So if you wanted to have them be able to view items or view your web pages but not be able to copy or print or something like that, you could essentially isolate your sessions.

So there's a lot of good user controls and security controls are allowed around allowing those users into your network.

Nice, so really powerful to have all of these things integrated with tools like Remote Browser Isolation and really helping users move to sort of their Zero Trust network.

That's great. Last thing that I just wanted to end on, sort of the cherry on top of our announcements for today.

In addition to recapping Cloudflare One announcing new capabilities in our firewall, we also launched the O'ahu program, which is going to help customers make the transition from hardware, firewalls and appliances to our Zero Trust Cloud Firewall.

And Oahu includes new capabilities like the ability to import your rules into Cloudflare's platform so you can get the same security controls that you have today but delivered from the edge.

It includes resources like migration guides to walk step by step through how you can actually do that as sort of an IT practitioner today.

And then just to sweeten the deal and make it even more fun, if you send us a picture of yourself unplugging a hardware firewall after you've made the switch, of course, and make sure that everything's good, then you can be entered to actually win a contest to go to Oahu.

So unplug your firewalls, have a good time on vacation in Hawaii and help transition your network to sort of the future in Zero Trust.

Thumbnail image for video "CIO Week"

CIO Week
Relive the exciting announcements from CIO Week! Check out the CIO Week Hub to find all of our announcements and blog posts!
Watch more episodes