ℹ️ CIO Week: How to connect your offices to Cloudflare using SD-WAN and How We Used eBPF to Build Programmable Packet Filtering in Magic Firewall
Presented by: Neil Patel, Chris Arges
Originally aired on May 5, 2022 @ 12:30 AM - 1:00 AM EDT
In this CIO Week segment, Cloudflare product managers and engineers will take a deep dive into the products and features we launched today.
Read the blog posts:
- How to connect your offices to Cloudflare using SD-WAN
- How We Used eBPF to Build Programmable Packet Filtering in Magic Firewall
Visit the CIO Week Hub for every announcement and CFTV episode — check back all week for more!
English
CIO Week
Transcript (Beta)
Hey everyone, welcome to the CIO Week segment on Cloudflare TV. So today we're going to be going into a deep dive discussion on two of our blogs that ship today.
First, how you connect your offices to Cloudflare using SD win.
And second, how we use BPF to build programable packet filtering and Magic Firewall.
So some really cool topics to talk about before we get into it. Quick introductions.
My name is Neil Patel.
I'm a technical marketing engineer here at Cloudflare. I love building demos.
I love talking about all the cool stuff that Cloudflare does and then sharing it with the world.
I'm joined here by my colleague, Chris.
Hey, Chris.
Hey, how's it going?
I'm Chris Arges, and I'm an engineering manager here at Cloudflare.
I work on Magic Firewall and really excited to bring new technologies into Cloudflare and it's really exciting space.
Awesome.
All right, Chris, so let's go right into this. You wrote this awesome blog on how we use BPF and to get into it a little bit before we kind of talk deep about EPF on the technical topics, let's level settle.
All right.
So for those who aren't familiar, what is Magic Transit? Magic Firewall a quick overview.
How does it work?
Just get us all on the same page. Sure, sure.
Yeah.
We have a lot of magic products here at Cloudflare, so it's good to go over this.
Yeah, Magic Transit is our technology that allows IP traffic to be routed through Cloudflare's global data centers.
So we have data centers, 200 plus data centers all over the world, and that data can benefit from a host of network functions that we have.
So this is like DDoS protection as well as things like Magic Firewall.
So it's a super cool infrastructure superhighway where your packets can utilize all these products.
So yeah.
What's Magic Firewall? Magic Firewall is a distributed network firewall and it operates on packets at the network layer from a technical, technical perspective.
The way that we have this working is that each on each metal we have a machine, we have a network namespace.
So this is a Linux technology that allows for isolation of network traffic.
And inside of that special network namespace for an account, we can apply firewall functions such as using technologies such as NF tables.
So it's really cool, it's really flexible, and each account can make their own custom configuration.
So these can be configured via Cloudflare dashboard as well as API calls.
And applying those things means those changes roll out across all of our infrastructure a really quick speed.
So it's a really flexible, awesome single pane of glass to be able to configure your firewall.
Awesome, awesome.
So level setting that kind of understanding what Magic and Magic Firewall are.
If we take it, take it into the technical now take us take us deeper. So what is EVP just as an accurate and what does it stand for?
What does it mean and how do we actually use it when it comes to Magic Firewall?
Sure.
Yeah. Bpf is I feel like I've said that acronym so many times. It's like now it's just a word rather than an acronym.
It stands for extended Berkeley packet filter.
So there was actually an original Berkeley packet filter, I think now referred to as BPF or classic.
The extended version was introduced into the Linux kernel and allows the inserting of programs that can be inserted, that can be executed at the kernel level.
Now, not just any programs either.
These are kind of special programs that execute a specialized virtual machine that are kind of limited.
So there's some protections to make sure that whatever we put in the kernel doesn't crash things.
Functionally, what's cool is initially it was really focused on networking, but today BPF also supports things like tracing and debugging in the Linux kernel.
So it's grown a lot of different functionality and interesting applications.
So very cool. How do you program this thing?
So BPF can actually you can actually write a program and see, which is pretty awesome.
I mean, a lot of firewalls are written in like a custom description language.
So it's cool about writing this and see is that you can program it, you can do what you want to do in terms of like you think of some interesting function you need for loops, you need conditionals, you can, you can write a program for it.
So that's a very exciting thing to do. Now, why do we want to use this?
Well, we thought that you've given a lot of the things that we're seeing and wanted to actually use our firewall for.
We were really pushing the limits of what nftables could do.
And nftables is awesome, it does a wonderful job.
It's a great, I mean, I'm totally happy we made that technical decision to use that, but we need a little bit more power.
But the challenge for us is that BPF doesn't work natively with nftables.
So those two technologies, there's some overlap but not really readily usable.
So what we had to do for part of our work was actually figure out how to get to talk to the kernel to say, hey, there's this nftables firewall, plug this BPF program in and match a packet and do something with it.
Once we figured out how to get those two technologies to work together, then we could actually use our Magic Firewall program, the servers, to actually then use that BPF program to do the matching.
So there's a couple of dots that we had to connect there to kind of summarize, but we were able to create these custom C programs that could do these advanced matches.
We could use what we had, which was nftables and this really awesome, awesome configuration for customers.
And then we could put them together and make even more advanced rules and detections.
Nice.
So weaving really well into the next part of this is the question here is like, what does it do to make it Magic Firewall so much better?
How does it how does it protect the network better?
Right.
We can write these more advanced kind of rules. How does it what is the real use case for a customer?
How does it make it make it better for them?
Yeah.
So I think how it makes it better for them is that we know there's more and more sophisticated attacks and more and more sophisticated things that users want to be able to match on.
So part of Magic Firewall value is that customers can decide what they want to do with it and how you want to configure it.
So we want to give those kind of building blocks to our users so they can put together the rules they think are powerful enough.
And what we're identifying is some of those building blocks need to actually be fairly sophisticated given the things that we're seeing.
And what's cool is this opens a big door to do more advanced packet detections and and sorts of rules that we can provide.
So another big benefit of BPF to Magic Firewall is also scaling.
So this is another thing that we also found.
So we're we're running in a lot of data centers.
We're we're processing a lot of data itself.
And we're finding more and more that other features that we have in Magic Firewall, like very big lists of IPS at some point don't scale as well with the existing technology.
So we're actually looking at using BPF to help us with some of that.
So there's kind of like there's a lot of benefits to using this technology, not only matching but also scaling.
And we're just starting out too.
So this is kind of we've broken new ground in the last couple of months.
So we're we'll probably see a lot of really interesting features and functions come out of this.
Awesome.
Awesome. Thanks for us. I mean, like that gave me a much better understanding of BPF and kind of how we're using it.
I think it was great for everyone to kind of get it, get some run down in detail on that.
Awesome.
Thanks, Neil. Okay.
So I get to ask you some questions. All right, Let's do it.
Cool.
So, yeah, I read your blog post and really appreciate it. Really awesome.
Definitely. We're in an interesting environment.
I've been working remotely for the last, I don't remember, a couple of years, it feels like, but I've worked in offices and definitely different challenges in each of those things.
It's nice being highly mobile, but I'm sure for I.T. personnel, it's it's definitely a very big challenge, right?
Based on traditional I.T.
infrastructure.
So what problems do I.T. teams typically face with this new hybrid workforce situation?
I'm in the same boat, Chris.
We've been working remote for so long. And what tends to happen is before when when everyone's in an office or everyone's kind of centralized in a location, I.T.
teams have full kind of control over the stack.
They know the endpoints.
They know where they're connected.
They know what access point it is.
They know what Ethernet cable they're plugged into.
There's all this kind of control under the covers that gives you kind of full visibility and understanding of how users and devices are accessing applications, the Internet, other parts of the network.
As kind of things have bifurcated and people are hybrids.
Sometimes they're in the office, sometimes or not.
Sometimes they're permanently remote.
What tends to happen is all of that underlying connective tissue that Internet working has kind of phased away.
It's really just you're connected via the Internet, you're connected via a VPN, someone's over here behind a branch office, someone's here in the data center or the main office.
All of that stuff makes the management and the configuration and the security controls so much more complicated.
To keep it consistent, I want to make sure that whether someone is in the office or remote, they have the same user experience.
They're not having, you know, different policy.
They're not, you know, unable to access it when they're offsite.
They're not, you know, getting blocked when they shouldn't be.
All these kinds of considerations come into place when the connective tissue from a user to the applications and the stuff they need to do their work changes on office or on premise.
So the challenge there is really how do you how do you connect all that together effectively?
That's awesome.
One thing in your article, your articles title mentions sd-wan and I don't think ever again like another acronym that we probably should dissect a little bit.
What is it and how is it helpful in solving these types of problems?
Yeah, so SD kind of evolved from that problem statement, right?
When you have a bunch of different locations, different sites, you're building a wide area network A when, where you're trying to connect everything together.
And that's traditionally done in a number of different ways. You connect the edges of these branches and data centers to each other via maybe leased lines that you purchased from your service provider or MPLS, where you have some optimized paths to get to your destination.
It's dedicated.
All these different things are challenging to maintain and upkeep, especially as you scale, as you grow.
You know, let's say you bring on a new a new site.
Bringing that site online requires a lot of time, a lot of effort.
And, you know, prior you want to move fast.
Everybody wants to move fast.
I want to make sure that that branch is online immediately or within a week.
But all of these other points of connectivity make it challenging.
So the kind of approach was, well, how do we use software to kind of overlay some of this so we can use software to orchestrate these pieces together?
So things like configuration of edge routes, configuration of access, policy and rules are pretty much orchestrated from a, from a higher level, kind of like a puppeteer controlling, controlling configuration and the edges.
And what this allows it to do is it helps them manage it a little bit easier.
There's still a lot of underpinning and a lot of networking that has to be maintained, but it makes the overhead and the kind of orchestration a little simpler.
But it's still it's still doing the same thing under the cover, right? It's still keeping the connectivity in the same way.
It's still building the connections via MPLS or establishing those lease line links with the with the service provider.
And that's still that's still a challenge that teams and organizations have to have to solve or face.
It's something that hasn't been. Approach in a different way just yet.
Very cool.
All right. Let's say I think this is interesting and I wanted to work with Cloudflare and Connect my SD Wan.
What do I have to do?
How does that.
Work?
Yeah, and this is this is what helps solve that problem that I just mentioned. Right.
Cloudflare what do we do? So Cloudflare, you alluded to this.
I'm going to say it again.
The core of Cloudflare is our resilient, our global, our anycast network, all of that connective tissue across the Internet that we optimize routes across the performance, packet delivery, all of that stuff.
And with Cloudflare's magic win and connecting your edges into Cloudflare, you get to benefit them from that.
So now your backbone, your connective tissue between your sites and your locations is Cloudflare you're no longer having to deal with or manage.
Is packet delivery from A to B performant?
Is it optimal?
Is there is there something that you do to change that? Has it failed?
Is there a failover link? You're kind of leveraging everything that Cloudflare does for your purposes.
And that's that's what we're trying to do, are trying to make it better and easier for you.
So using SD-Win to connect into that is a logical step, right?
You've already you've already got this platform that's kind of puppeteering some configuration and edge devices and how they're connected to each other.
What you can do with that is leverage that to configure and manage and connect your devices and your branches and your edge into Cloudflare's magic win and use Cloudflare as that central hub.
So now the way that's done is extremely simple.
Just like everything we do, we make it universal.
We make it easily adoptable.
Cloudflare uses standard network tunneling protocols in an innovative way.
We use the power of anycast and Standard Network tunnels so that you can connect up a branch in the Cloudflare with a single tunnel, and then you're connected to all of Cloudflare.
And then for another branch. Like I said before, you want to bring a new branch up because of marketing or mergers and acquisitions or because you're you're expanding to a new geo location.
Build that tunnel and boom, you're ready to go. You're connected into Cloudflare.
So not only does that give you that performance, backbone and connectivity, but it extends the capabilities you have now.
Right.
So, Chris, you talked about all the great things we're doing with Magic Firewall.
All of that can now be leveraged in your organization just seamlessly and you can prevent and control traffic as it flows between between branches, as flows from the Internet inside.
All of that stuff is now just configurable.
It's just there, it's available.
And we're talking about the networking side of things where you're connecting devices and branches and sites together.
But there's also the other side about users.
All of this is to enable folks like you and me, the people working in the organization and the team to connect to what they need to.
So with this kind of using Cloudflare as your central network, not only are you making sure that your sites and your branches and everything is connected effectively, your users are now connected through the same network to all of their resources.
So that means consistent Zero Trust policy. That means consistent web filtering policy, it means consistent application policy.
Whether a user is connecting in from some coffee shop or some remote location or they're sitting in an office, they're having the same experience, they're connecting the same, same network, and they're connecting it to the applications in the same way.
So that's really bringing it all together, where Cloudflare is really tying all of these pieces and then giving the ability to control and filter with security, with Magic Firewall, with Zero Trust.
And then you're also getting all of the benefits of the performant network that we have built across the Internet.
Very cool.
So I'm guessing also as a customer, you're going to have existing hardware or systems that you will be working with.
Have we partnered with any of these vendors to make it easier to have that on ramp to Cloudflare?
Yeah, exactly.
And that's the big piece here, right? We know that there's going to be different vendors and different organizations all around, you know, all around the world.
So we work with leading SD-Win vendors, VMware, Velo Cloud, Rubin Networks, Info Vista.
And what we're trying to do is get it so that you as an organization or as an IT team have a boom easy button, right?
There's just a way to really quickly configure and connect and there you go.
You're off to the races now. If you check out the blog and check some more of our dev docs, we have listed just kind of a summary of how to get going, how to get configured, how to get deployed again.
Made it very simple standard tunneling protocols, standard network connectivity into Cloudflare.
And that's that's the goal, right?
Making it easier for everyone to onramp and get into a Cloudflare network and then enable all the grade security and performance and capabilities that we have to offer.
Very cool.
Yeah that's that really helps paint that whole picture and I think I think it's awesome.
So thank you for going into that detail. Yeah, it was there any other questions that you had for me?
So just a few things.
You know, thinking, thinking back on, on the blog and the content, what do you what do you think the next step is for the BPF?
Right.
You talked about some of the things that you've been able to prove out and test and write rules against.
But what do you think, like the next big step is for the product or for the capability?
Yeah, I think kind of near term it's really prioritizing what we've done so far, making it easy for a user to select the types of detections they would like, whether that be protocol detections or other things like that.
Also help us with scaling.
We're gaining customers at a wonderfully amazing pace.
And so we have to make sure our technology can pace that.
So using things like BPF help us with that long term, there's there's some really exciting possibilities we could think about and trying to make that the flexibility more available for users as well.
So but we're still in that kind of like thinking of interesting idea stage of the whole lifecycle of products here.
So right now, getting off the ground I think is where we're at.
Awesome.
And the technology is super cool. Folks listening.
I'm sure people want to get closer to it. I'm sure if you want to know more, I'm sure people would be interested in help working on this stuff.
We're always looking for what I was looking for, for a cool people to come here and work at Cloudflare.
Are you guys hiring?
What are you looking for?
If someone's interested. Yes, yes, definitely.
So not only are we scaling our technology, we're scaling our team too, right?
We have a lot of interesting problems to solve. So, yeah, if you're interested in writing SPF programs.
Right, and go working with network filtering and firewalls and things like that, Kubernetes, Kafka, data pipelines, I mean, there's, there's a lot of things that we do as a team.
So it's a really fun experience. But if you're interested, feel free, I think.
Just go to Cloudflare, slash careers and go ahead and apply.
Awesome.
Awesome.
So, I mean, to wrap things off, right, I'll, I'll give a bit of a summary and kind of if you're interested in jumping on to, to SD-Win, using it as a method to connect into Cloudflare, really this is where organizations that are looking for that integration, that easy, easy way to connect the branches and sites together, right?
I think that's everyone. Nobody's going to say, I want to work a little harder to connect my branches and sites together.
Nobody's going to say I want it to be complicated or expensive.
So anybody really looking to integrate their sites, integrate their data centers and their branches and their other offices in a really quick, easy, scalable and secure way.
Check it out.
Just look at the dev dogs. Look at some of the SUN resources that we have out there.
Talk to it to an account rep, talk to a partner, anybody.
And you know, we're happy to help.
We're here.
We're always here. Anybody? Anybody here where we have to talk to you.
In the same vein, Chris, who do you think would be able to leverage some of those more advanced capabilities in the Magic Firewall?
Sure.
Yeah. So I think one use case that we've been exploring is attacks that have been leveraged against providers.
So these are attacks against protocols like CIP.
So we've been looking at that specifically.
So if you're interested in that, we are looking at that as a technology to pursue.
But also I think we're looking at other use cases too. So I think if there are things that you can think of as like I would love to have this to protect my network, we're open and we'd love to hear from you.
Yeah, that's a great point.
You know, if there are some creative ideas that you guys have thought of and you want to share them, we're always happy.
Always happy to take some cool new intake.
All right.
I don't have anything else to share. I just want to say thanks to everybody.
Chris, anything else you want to want to add or talk about?
No, but just thank you, Neil.
It's really, really great talking with you.
Yeah, likewise.
It's been it's been a lot of fun.
And thanks, everyone, for joining.
Happy CIO Week.
We're we're all excited for all the new announcements and great stuff to come.
Optimizely is the world's leading experimentation platform.
Our customers come to Optimizely, quite frankly, to grow their business.
They are able to test all of their.
Assumptions and make more decisions based on insights and data.
We serve some of the largest enterprises in the world, and those enterprises have quite high standards for the scalability and performance of the products that optimize Lee is bringing into their organization.
We have a JavaScript snippet that goes on customer's website that executes all the experiments that they have configured, all the changes that they have configured for any of the experiments.
Now JavaScript takes time to download, to pass and also to execute, and so customers have become increasingly performance conscious.
The reason we partnered with Cloudflare is to improve the performance aspects of some of our core experimentation products.
We needed a way to push this Type of decision making and computation out to the edge.
And Workers ultimately surfaced as the no brainer.
Tool of choice.
There.
Once we started using Workers, it was really fast to get up to speed. It was like, "Oh, I can just go into this playground and write JavaScript, which I totally know how to do," and then it just works.
So that was pretty cool.
Our customers will be able.
To run 10x, 100x the number of experiments, and from our perspective, that ultimately means they'll get more value out of it.
And the business impact for our bottom line and our top line.
Will also start to mirror that as.
Well.
Workers has allowed us to accelerate our product velocity around performance innovation, which I'm very excited about, but that's just the beginning.
There's a lot that Cloudflare is doing from a technology perspective that we're really excited to partner on so that we can bring our innovation to market faster.
We're betting on the technology for the future, not the technology for the past.
So having a broad network, having global companies now running at full enterprise scale gives us great comfort.
It's dead clear that no one is innovating in this space as fast as Cloudflare is.
With the help of Cloudflare, we were able to add an extra layer of network security control by alliance, including WAF, DDoS, Cloudflare users as CDM also allow us to keep costs under control and caching and improve speed.
Cloudflare has been an amazing partner in the privacy front.
They've been willing to be extremely transparent about the data that they are collecting and why they're using it, and they've also been willing to throw those logs away.
I think one of our favorite features of Cloudflare has been the worker technology.
Our origins can go down and things will continue to operate perfectly.
I think having that kind of a safety net provided by Cloudflare goes a long ways.
We were able to leverage Cloudflare to save about.
250,000 within about a day.
The cost savings across the board is measurable, it's dramatic, and it's something that actually dwarfs the yearly cost.
Of our service.
With Cloudflare, it's really amazing to partner with a vendor who's not just providing a great enterprise service, but also helping to move forward the security on the Internet.
One of the things we didn't expect to happen is that the majority of traffic coming into our infrastructure would get faster response times, which is incredible.
Like Zendesk just got 50% faster for all of these customers around the world because we migrated to Cloudflare.
We chose Cloudflare over other existing technology vendors so we could provide a single standard for our global footprint and sharing world class capabilities and bot management and web application firewall.
To protect our large public facing digital presence, we ended up building our own fleet of proxy servers such that we could easily lose one and then it wouldn't have a massive effect.
But it was very hard to manage because we kept adding more and more machines.
As we grew with Cloudflare, we were able to just scrap all of that because Cloudflare now sits in front and does all the work for us.
Cloudflare helped us to improve the customer satisfaction.
It removed the friction with our customer engagement, its very low maintenance and are very cost effective and are very easy to deploy and it improves the customer experiences big time.
And Cloudflare is amazing.
Cloudflare is such a relief.
It is very easy to use its first Cloudflare to replace the first level of defense for us.
Cloudflare has given us peace of mind. They've got our backs.
Cloudflare has been fantastic.
I would definitely recommend Cloudflare.
Cloudflare is providing an incredible service to the world right now.
Cloudflare has helped save lives through Project Fair Shot.
We will forever be grateful for your participation in getting the vaccine to those who need it most in an elegant, efficient and ethical manner.
Thank you.
We built our e-commerce platform from scratch.
There is a lot of security requirements from processing credit cards to just making sure that the site loads quickly and is responsive so that people don't get deterred or lose trust in us since they are trusting us with their personal information.
Believe it or not, we've actually had customers write in and tell us that they have gone into their browser and viewed the source code to the web page to find out what's happening with their personal information.
Twice in the last year that I can remember, we came to work and we couldn't work because Amazon was down.
We couldn't log into our support panel.
We couldn't manage our shipments through our third party logistics provider, but our site was still working and being able to stay online through to Amazon downtimes has been amazing.
In fact, there's some of the highest, highest sales days of the past year in terms of bandwidth savings.
We have gotten amazing bandwidth savings from Cloudflare.
Over 95% of the bandwidth that we use is cash.
Now, most of that are large static images which are getting optimized to marriage.
And so we know that they're just loading so quickly and the best that they possibly can.
Also, the web application firewall is really great because it allows us to make sure that people aren't compromising our system through any known attack vectors or browser vulnerabilities.
We're a really small engineering team.
We only have about one and a half technical people that write code on a day to day basis.
So any time that we have the opportunity to use a service that reduces our need to write code, it really means a lot to us.
We've had zero security breaches the entire time that we've been online and Cloudflare has been there with us every step of the way.