护城河与零信任 - 网络安全架构大对决
Hello, everyone. Welcome to the first Chinese -language live stream in the history of Cloudflare.
My name is Chris. I am a project engineer at Cloudflare.
Today, I would like to talk about the topic of mutual trust and Zero Trust.
I have chosen a self-contained and interesting sub-topic which is network security.
I would like to share with you that in our daily life, before the outbreak of COVID-19, many of our work at Cloudflare is facing some users from other websites or applications.
But with the outbreak of COVID-19, we found that many users from outside of Cloudflare have become our internal users, including our employees or contract workers.
So in this situation, we need to protect not only external users.
We need to consider how to protect the network security of our own enterprise while everyone is working from home.
So today, I would like to share why we think Zero Trust as a new network security architecture is a good solution to network security.
First, we use the word mutual trust.
I would like to explain why we mention mutual trust.
In the physical world, the combination of mutual trust and wall is a very common structure in many cultures and many places.
I will give you an example of the most famous mutual trust in the Chinese region, which is the Forbidden City in Beijing.
I believe you all have the impression that the Forbidden City is a wall of red walls and yellow tiles.
Besides that, you may also have some impression Why do we have mutual trust?
The existence of mutual trust solves two classic problems.
The first one is how to prevent unauthorized visitors from entering your city.
The second problem is how to protect your most precious life and property and prevent them from leaving your city without permission.
So in this structure, we can see some very common modules.
For example, the mutual trust I just mentioned.
It is located at the outermost part of the structure. Besides that, there is a high wall.
Even in some castles, you can see that there are several layers of such a wall and mutual trust structure.
In fact, you can also see it in the Forbidden City.
In addition to the wall and mutual trust, you also need an entrance like this.
These entrances are usually heavily guarded. There will be some security inspections or so-called checkpoints here.
Of course, today, as security engineers, we also have mutual trust in our daily lives.
I believe that those of you who are watching this program online may be quite familiar with this type of picture or structure.
This is actually a very classic structure that separates internal and external networks.
So at the two ends of this picture, the outside is the unreliable Internet, the so -called external network.
And inside, of course, there are some intermediaries or servers within our company.
These intermediaries usually have some sensitive or high-value data.
These are usually the so-called assets that we want to protect. And of course, in the middle, we also have a network border to isolate the so-called internal and external network.
In this network border, it usually exists in the form of DMZ.
On this border, there are usually some common network security devices, such as VPN, firewalls, IDS, IPS, and even some filtering devices, such as WebGateway, or DLP to prevent data leakage.
So this is a concept.
In fact, the core concept of this structure is that we want to make an internal and external network border.
We want to prevent external attacks and to prevent the internal assets from being stolen.
Of course, the security model of mutual integration is not perfect, just like all other security structures.
So mutual integration basically has a weakness in terms of security.
For example, if the attacker has a way to bypass your firewall, through email or other means, and then interferes with the terminal, many times the attacker or hacker can make a horizontal movement in your credible network.
Here, I refer to a very famous security incident in 2010.
In the public analysis and sharing of this security incident, we can actually see a very classic model.
What is this model?
In many cases, there are some targeted attacks that are divided into the following steps.
The first step is to send some customized emails to the attacker.
Many times, if the user doesn't pay attention, after clicking on a link in the email, this link will usually download some malicious software.
This malicious software will further affect the user's terminal devices.
So in this incident in 2010, Microsoft IE, Microsoft's Microsoft IE, a loophole was used.
After the loophole was used, the attacker or hacker can gradually open the back door of the entire user system.
In this description, the target individuals are not the attacker or hacker's ultimate goal.
What is their ultimate goal? It is to use the terminal devices of these infected individuals as a jump board.
Through these jump boards, they can further determine high-value targets and then extract the most valuable data.
So through this incident, many entrepreneurs in the industry will think about a problem.
We actually spent a lot of time to prevent hackers from entering the Internet.
But the question is, can we trust all the users in the Internet? Is it trustworthy?
Especially now, many people work from home or use their own devices. In this case, the company can't directly affect the devices.
So in this case, if all the users can't be trusted, can the traditional Internet security model or structure still be established?
So this is actually a lot of standards in the past years or some solutions to solve the problem of how to break the default trust in the Internet.
So in the past few years, many industry strategies are focused on trusting the network and trusting the users themselves or the users' devices.
So this allows the enterprise to have a more detailed control on the network, users, and interrupts.
So I listed four more famous proposals.
The earliest one is Zerotrust proposed by Forrest in 2011.
In 2014, Cybersecurity Alliance or CSA proposed the concept of software-defined network boundary or SDP in 2014.
Then Google proposed BeyondCorp in 2014.
BeyondCorp is like its name. It means that cybersecurity goes beyond the corporate network.
It is the same thing for the outside network.
I will explain what BeyondCorp is later. And last year, Gartner proposed the concept of SASE to integrate Zero Trust from the network and CASB.
I want to talk about BeyondCorp because I think it is more representative.
BeyondCorp's most classic white paper mentioned a few points.
First of all, it is to replace the privilege network visit.
It is a default trust relationship for the inside network.
Then, it is to replace the visit control that depends on the device and user identity.
Its goal is that no matter where the user is, all visits to corporate resources will be fully authorized and encrypted.
In this way, the boundary between the outside network and the inside network is completely blurred.
On the basis of this, it also has a special advantage In this case, no matter where the user uses the device, the network experience and the remote office experience are exactly the same without any VPN.
In this case, especially for many highly operational employees or some companies that don't want to control the device, this method is very convenient for the user.
Finally, I want to talk about the user experience.
It is not like the traditional VPN or remote desktop service.
It has a greater impact on the user experience. So I just mentioned the security issue of the support box.
The next question about the support box is about the performance issue.
The first performance issue is the long-duration phenomenon I mentioned.
Long -duration phenomenon actually means a suboptimal routing.
Why is it called a long-duration phenomenon? It refers to a musical instrument.
I don't know how to play the long-duration phenomenon, but I at least know that the long-duration phenomenon is actually from the player to the instrument.
It has to go through a lot of cycles In fact, the traditional support box network is usually centralized in the company's data center or a specific cloud area So if the user is far away from the physical deployment of the infrastructure, there will usually be more network delays Especially when the user has a wide geographical distribution, if the user happens to be on a business trip abroad, or somewhere else, and he has to connect to the company's Internet, the delay may not be very acceptable.
So this is from the perspective of network delays. Another issue related to network delays is the quality of the network.
Because everyone is working from home now, consumers usually use a consumer-level network or ISP.
As the IT department of the company, we can't directly affect the user's ISP. So if the ISP has a high peak, or if there is a blockage, or if the ISP has some maintenance activities, as the IT department, we can't do much about it.
So this part is actually uncontrollable.
So this will actually have a big impact especially for some services that require high network quality, such as VOIP, voice or video streaming, or remote RDP, or remote desktop services.
So this will affect the user's performance and experience.
The third part, which is also the last part, I want to highlight, is the complexity of the process.
Especially the traditional BPM deployment, it is usually realized through a specific client.
When it comes to the client, it usually means that as the IT department, you are responsible for deploying the client to the user's environment, whether it is a desktop environment or a mobile environment.
Secondly, you have to be responsible for maintenance and management in the later stage.
For example, if new employees come, or old employees leave, the IT department will be responsible for integrating and managing the active directory AD of the user and the company.
In terms of the server, there are also some related considerations.
Especially during the virus period, I personally discussed this with some clients.
They found that due to the virus, most of the employees need to work from home.
They found that their VPN or remote office didn't have enough hardware.
At this time, they will expand their existing hardware. The problem is traditional deployment is usually realized through hardware.
As you know, during the virus period, the supply chain of the world and the logistics system have been greatly affected.
In this case, there are a lot of logistics or realistic considerations that make the rapid and flexible expansion not so practical.
This is also a difficulty we observe in the traditional mutual integration model.
I mentioned the mutual integration and network security architecture.
In the next part, I will talk about Zero Trust.
Why do we think Zero Trust in Cloudflare? We think our Zero Trust solution, Cloudflare for Teams, is an effective solution to this problem.
First of all, I want to talk about Cloudflare for Teams from a product perspective.
Currently, Cloudflare for Teams has two parts, two products. One is Access.
Access protects internal applications, such as internal HR systems or systems that the network employees visit daily.
Gateway protects users' visits to external applications.
For example, some companies may use external email services such as Office 365 or Gmail.
In this case, users can't affect of third-party SaaS services.
The only way to control is from the client side.
Access and Gateway are different. One focuses on the client side, and the other focuses on the server side.
It's worth mentioning that Cloudflare for Teams is a completely SaaS, cloud-based software platform.
It's realized by Cloudflare, a global network that we have.
Have you heard of 18.104.22.168? 22.214.171.124 has two meanings.
First, it's an IPv4 address. Second, it's Cloudflare's product name. This product is Cloudflare's consumer -level DNS analysis service.
Its address is 126.96.36.199.
We also have a client side that is related to DNS analysis service. You can see it in the major app markets.
It's free to download. It's worth mentioning.
You are welcome to try it. I want to give you a high-level overview Compared to traditional plans, instead of deploying all remote office in a specific data center, Cloudflare has moved the logic of remote visit to the data center.
From Cloudflare's perspective, customers don't need to deploy any hardware or virtual environments or VMs.
What customers need to do is to integrate Cloudflare Access with existing identity providers such as AD, OIDC or some internal SAML identity providers.
Then Cloudflare can decide whether to allow or prevent user visits Cloudflare is the access proxy in the middle.
We verify the identity of the user with Cloudflare.
As I mentioned at the beginning, we protect users' external visits.
Traditionally, a lot of external visitors are deployed in the data center.
Cloudflare has the same logic.
We migrate the entire filtering service to the cloud platform.
So far, we have supported DNS filtering. Next, we will have other filtering solutions.
Specifically, some features of the Cloudflare for Teams solution.
From a security perspective, we have a model based on Zero Trust.
If you visit my test domain, access.chriswandel.me, you will be redirected to an identity verification page.
This page is for Zero Trust identity verification. In addition, Cloudflare is gradually expanding the integration of many device security styles.
For example, Tanium can integrate Cloudflare's security style into Cloudflare's Cloudflare for Teams security engine.
In addition, Cloudflare for Teams can integrate Cloudflare's security styles such as one -off, DDoS, and firewall.
Lastly, Cloudflare has a team of engineers to provide security updates for any security vulnerabilities or any improvements that we find necessary.
There is no need for the user to do anything.
This is different from traditional IT services.
Cloudflare Access is a software-based service platform, so there is no need for any infrastructure services.
Since Cloudflare Access is a software-based service platform based on it is much better than traditional services for users Second, Cloudflare doesn't need web traffic.
Because all browsers support web verification as long as the user has a regular browser.
Many web verification or single sign-on can be supported by Cloudflare.
From the perspective of besides the 1.1.1 DNS analysis, we also have native clients that can improve the user experience.
The last point is about performance.
We mentioned the long-term phenomenon. It is because it is difficult for the data center or the deployment to be global because there is a problem of scale effect.
From the perspective of Cloudflare, we have nodes in more than 200 cities around the world.
So when any user connects to Cloudflare for Teams, it will connect to Cloudflare, which is the closest data center to the user.
So from the user's perspective, there will be no additional delay.
So, this is what I want to share today.
To sum up, the security model of mutual integration and Zero Trust are different.
What is our Cloudflare solution? What do we think it can solve?
If you have any questions, please send them to the link on the page.
Let me see if there are any questions. Okay. I don't see any questions.
I have three minutes left. Let me answer a question I usually receive.
This question is about the deployment of Zero Trust network.
Some customers can fully understand the concept of Zero Trust network.
However, they have some concerns about the actual operation.
Especially some traditional companies have spent a lot of time and energy and budget on the deployment of So, how can we effectively deploy Zero Trust network?
Actually, this question doesn't have a simple answer.
However, I want to describe NIST's Zero Trust security architecture standard.
Actually, there is an explanation for this question. There are a few points I want to highlight.
First, Zero Trust is not a firewall or an email filter.
It is a structure. It takes a long time to deploy.
Zero Trust network is a journey and not a big explosion. I think you need to think about We also like to discuss this issue Of course, with the growth of this industry and more and more companies start to use Zero Trust network, we will have more successful cases to share with you.
Okay, it's 2.30pm That's all for today.
Thank you for watching.