Moats and Zero Trust: A Network Security Architecture Showdown
Presented by: Chris Wang
Originally aired on July 8, 2020 @ 2:00 AM - 2:30 AM EDT
Still worrying about protecting intranet users in the era of remote work? The Zero Trust security architecture breaks the network perimeter completely!
Transcript (Beta)
Hello, everyone. Welcome to the first Chinese-language live stream in the history of Cloudflare.
My name is Chris. I am a project engineer at Cloudflare.
Today, I would like to talk to you about moats and Zero Trust.
I have chosen an interesting sub-topic, which is network security.
I would like to share with you that in our daily life, before the outbreak of COVID-19, much of our work at Cloudflare was about facing users from other websites or applications.
But with the outbreak of COVID-19, we found that many users from outside of Cloudflare have become our internal users, including our own employees or contract workers.
So in this situation, we need to protect not only external users.
We also need to consider how to protect our own network security. So today, I would like to share why we think Zero Trust, as a new network security architecture, is a good solution for network security.
First, we use the word moat.
I would like to explain why we mention moats.
In the physical world, the combination of a moat and a wall is a very common structure in many cultures and many places.
I will give you an example of the most famous moat in the Chinese region, which is the one around the Forbidden City in Beijing.
I believe you all have a strong impression of the wall of the Forbidden City in Beijing.
In addition, you may have some impression of the moat of the Forbidden City in Beijing.
Why do we have moats?
The existence of a moat solves two classic problems. First, how do we prevent unauthorized visitors from entering the Forbidden City?
Second, how do we protect your most precious lives and property so that they cannot leave the Forbidden City without permission?
So in this structure, we can see some very common modules.
For example, the moat I just mentioned.
In addition, there is a high wall. In some castles, there are several layers of this wall-and-moat structure.
You can see this in the Forbidden City.
In addition to the wall and the moat, you also need an entrance.
These entrances are usually heavily guarded. In these places, there will be some security inspections or so-called checkpoints.
Of course, today, as security engineers, we also have moats in our daily lives.
I believe that those of you watching this program online may be familiar with this type of picture or structure.
This is actually a very classic structure that separates internal and external networks.
So at the two ends of this picture, the outside is the untrusted Internet, the so-called external network.
And inside, there are some intermediaries or servers within the company.
Usually, these intermediaries hold some sensitive or high-value data.
These are the so-called assets that we usually want to protect. In the middle, we also have a network perimeter to isolate the so-called internal and external networks.
This network perimeter usually exists in the form of a DMZ.
On this perimeter, there are some common network security devices, such as VPNs, firewalls, IDS, IPS, and even some filtering devices, such as web gateways or DLP to prevent data leakage.
So this concept is actually the core concept of this structure.
We want to isolate the internal and external networks to prevent external attacks and to prevent the internal assets from being stolen.
Of course, the moat security model is not perfect, just like all other security architectures.
So the moat basically has a weakness. For example, if the attacker has a way to bypass your firewall, or, as happens in many cases, if the attacker has a way to access your email, the attacker or hacker can move laterally within your trusted network.
Here, I refer to a very famous security incident in 2010.
In the public analysis and sharing of this security incident, we can see a very classic model.
What is this model?
In many cases, targeted attacks are divided into the following steps.
The first step is to send some customized attacks to specific individuals, such as phishing emails.
Then, many times, these users may not notice that after they click on a link in the email, this link will usually download some malicious software.
This malicious software will further infect some software on the user's terminal device.
So in this incident in 2010, a vulnerability in Microsoft IE was exploited.
After the vulnerability was exploited, the attacker or hacker could open a back door into the user's system. In this description, the infected individuals are not the ultimate target of the attacker or hacker.
What is their ultimate target? It is to use these infected, specific individuals as a stepping stone.
Through these stepping stones, they can further identify high-value targets and steal the most valuable data.
So, through this incident, many enterprises will think about this problem.
We actually spent a lot of time preventing hackers from entering the internal network.
But the question is, can we trust all the users in the internal network? Are they trustworthy?
Especially now, many people work from home or use their own devices. In this case, the company can't directly control the devices.
So in this case, if not all users can be trusted, will the traditional network security model or structure still hold?
In the past few years, there have been a lot of standards or solutions for the problem of how to break the trust placed in the internal network.
So, in the past few years, many industry strategies have focused on transferring the trust in the network to the users themselves or to the users' devices.
In this way, the company can have more fine-grained control. So, I listed four of the more famous proposals.
The earliest one is Zero Trust, proposed by Forrester in 2010.
In 2014, the Cloud Security Alliance also proposed the concept of a software-defined network perimeter, SDP.
Then, more famously, in 2014 Google proposed the concept of BeyondCorp.
BeyondCorp is like its name. It means cyber security goes beyond the corporate network.
It is the same thing for the outside network.
I will explain what BeyondCorp is later.
Also, last year, Gartner proposed the concept of SASE, which combines Zero Trust from the network level up to the CASB level.
I want to talk about BeyondCorp because I think it is more representative.
So, the most classic BeyondCorp white paper mentioned a few points.
First, it mentioned replacing privileged network access, which is a default trust relationship for the internal network.
Instead of depending on the network, it depends on the device and the user.
Its goal is that no matter where the user is, all access to corporate resources will be fully authorized and encrypted.
In this way, the boundary between the outside and the inside network will be completely blurred.
On this basis, there is a good point especially for users.
In this case, no matter where the user is or what device they use, the network experience or the remote office experience will be the same, without any VPN.
In this case, especially for highly mobile employees or companies that don't want to control the device, this method is very convenient for users.
In the end, it also mentioned the user experience.
It means it is not like a traditional VPN or remote desktop service that has a big impact on the user experience.
I have just mentioned the security issue of the moat.
The next question about the moat is performance.
The first performance issue is the trombone effect.
It refers to suboptimal routing. Why is it called the trombone effect?
It refers to an instrument like this. I don't play the trombone, but I know that the sound of the trombone comes from the player, and it has to go through many loops.
In fact, traditional moats are usually centralized in the company's data center or a specific cloud region.
If the user is far away from the physical deployment of the infrastructure, there will be additional network latency on this segment.
Especially when users have a wide geographical distribution, for example if a user is on a business trip abroad, the network delay to the company's internal network may not be acceptable.
This is from the perspective of network latency.
Another issue related to network latency is the quality of the network.
Especially now, when everyone is working from home, users usually use a consumer-level network or ISP.
As an IT department, we can't directly affect the user's ISP.
So if the ISP encounters congestion or if the ISP has some maintenance activity, we can do very little. So this part is uncontrollable.
This will have a big impact especially for services that require high network quality, such as VoIP, voice, video, live streaming, or remote RDP, remote desktop services.
This will affect the user's performance and experience.
The third part is also the last part.
I want to highlight that deployment has a certain complexity. Especially the traditional VPN deployment is usually realized through a specific client.
When it comes to the client, it usually means that as an IT department, you need to be responsible for deploying the client to the user's environment, whether it is a desktop environment or a mobile environment.
Secondly, you need to be responsible for maintenance and management.
For example, if a new employee joins or an old employee leaves, the IT department will have to onboard and manage the new employee.
In terms of the server, there are some considerations. Especially during the pandemic, I personally talked to some users, and some customers found that due to the virus, most employees needed to work from home and their VPN or remote desktop hardware was not enough.
At this time, they would have to expand their existing infrastructure.
The problem is that traditional deployment is usually realized through hardware.
As you know, during the pandemic, the supply chain and logistics system were greatly affected.
In this case, there are a lot of logistical and practical considerations that make rapid and flexible expansion not so practical.
This is also a difficulty of traditional moats.
I mentioned moats and the network security architecture.
In the next part, I will talk about Cloudflare and why we think Cloudflare for Teams is an effective solution to this problem.
First of all, I want to talk about Cloudflare for Teams from the perspective of products.
There are two parts of Cloudflare for Teams.
One is Access. Access protects internal applications, such as internal HR systems or some systems that employees visit daily.
Gateway protects users' access to external programs. For example, some companies may use externally managed email services, such as Office 365 or Gmail.
In this case, users can't control third-party SaaS services. The only thing you can control is the client side.
Gateway focuses on the client side while Access focuses on the server side.
Cloudflare for Teams is a SaaS cloud platform.
Cloudflare has a global network.
Have you heard of 1.1.1.1? 1.1.1.1 has two meanings.
First, it is an IPv4 address. Second, it is a product name. This product is Cloudflare's consumer DNS resolution service.
Its address is 1.1.1.1.
In addition to the DNS resolution service, we also have a client. You can see it in the various app stores.
It is free to download. It is worth mentioning, and you are welcome to try it.
As for Access and Gateway, I would like to give you a high-level general explanation.
Compared to traditional solutions, instead of deploying all remote access in a specific data center, Cloudflare has moved the logic of remote access to the cloud platform.
From a cloud perspective, customers don't need to deploy hardware or virtual environments or VMs.
What customers need to do is to integrate Cloudflare Access with existing identity providers such as AD, OIDC, or some SAML identity providers. Then Cloudflare can obtain the identity to decide whether to allow or block user access.
Cloudflare is the access proxy in the middle. It is an identity-based reverse proxy.
As for Gateway, as I mentioned in the beginning, we protect users' external access.
Traditionally, many external network gateways or identity proxies are deployed in data centers.
Cloudflare follows the same logic. We move the entire filtering service to the cloud platform.
So far, we support DNS filtering.
Next, we will have other filtering solutions. Specifically, here are some features of the Cloudflare for Teams solution.
From a security perspective, we have a model based on Zero Trust.
If you visit my test domain, access.chriswandel.me, you will be redirected to an identity verification page.
This page is for Zero Trust user identity verification.
In addition, we are also gradually expanding the integration of many device security signals.
For example, Tanium can integrate this part of device security into Cloudflare's Cloudflare for Teams security engine.
In addition, Cloudflare for Teams can integrate Cloudflare's security products such as WAF, DDoS protection, and firewall.
The last one is worth mentioning.
It is maintained by our engineering team.
So whenever there is any security vulnerability, we will actively fix it.
We don't need the user to do anything. This is different from traditional VPNs.
From the perspective of IT, Cloudflare Access is a software-based service platform, so it doesn't need any infrastructure services.
It is a software-based service platform, so it is suitable for users who are traveling.
The experience will be much better than a traditional VPN because it is based on the Internet.
Secondly, Cloudflare doesn't need a client for web traffic, because all browsers support it. As long as the user uses a normal browser, many web verification or single sign-on flows can be supported by Cloudflare.
From the perspective of, in addition to the user's own 1.1.1.1 DNS resolution, we also have. We also mentioned that the user experience will be better. The last point is related to the performance we mentioned before.
We mentioned the trombone effect.
The trombone effect is due to the fact that deploying data centers globally is hard to do because of scale effects.
From Cloudflare's perspective, we have our nodes in more than 200 cities around the world.
So when any user connects to a Cloudflare for Teams application, it will connect to Cloudflare's nearest data center.
From the user's perspective, there will not be any additional delay.
So this is what I want to share today.
To sum up, the moat security model and the Zero Trust security model are different.
What is Cloudflare's solution?
What do we think it can solve? If you have any questions, please send them to the link on the page.
Let me see if there are any questions. OK. I don't see any questions.
I have three minutes left. Let me answer a question that I usually receive.
This question is about the deployment of Zero Trust networks.
Some customers can fully understand the concept of a Zero Trust network.
However, they have some concerns about the actual operation.
Especially some traditional companies have spent a lot of time and energy and budget on the deployment of So, how can we effectively deploy Zero Trust network?
Actually, this question doesn't have a simple answer.
However, I want to describe NIST's Zero Trust security architecture standard.
Actually, there is an explanation for this question there. There are a few points that I want to highlight.
First, Zero Trust is not a firewall or an email filter.
It is an architecture. It takes a lot of time and effort to deploy a Zero Trust network.
It is a journey rather than a big bang.
I think you need to think about We like to discuss this issue with our customers.
Of course, I think as the industry grows and more and more companies start to use Zero Trust networks, we will have more successful cases to share with you.
Okay. Alright. I think it is 2:30 p.m. and my time is up.
That's all for today. Thank you for watching. Bye-bye.
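As an added illustration of the contrast the talk draws between the moat model and the Zero Trust model, here is a small access-decision evaluator written in Python. It is not Cloudflare's code and does not come from the talk; the 10.0.0.0/8 "corporate" range, the application names, the group names and the three sample requests are all constructed for this example. The moat decision trusts anything whose source address is inside the wall, which is exactly what lets a compromised internal workstation act as a stepping stone. The Zero Trust decision ignores network location and evaluates, per application and per request, the identity asserted by the identity provider, the group claims, whether MFA was completed, and a device posture signal of the kind the talk mentions for endpoint agents.

```python
"""Perimeter ("moat") access decision versus a Zero Trust access decision.

Added example, not Cloudflare's code. Every value below (the 10.0.0.0/8
"corporate" range, the application names, the group names and the sample
requests) is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# The "inside of the wall": a constructed corporate address range.
CORP_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    src_ip: str                           # where the packet came from
    app: str                              # internal application being requested
    identity: Optional[str] = None        # email verified by the identity provider
    groups: FrozenSet[str] = frozenset()  # group claims from the identity provider
    mfa: bool = False                     # did the login complete a second factor
    device_healthy: bool = False          # posture signal from an endpoint agent


def perimeter_allow(req: Request) -> bool:
    """Moat model: anything that is already inside the network is trusted."""
    return ip_address(req.src_ip) in CORP_NET


# Zero Trust model: per-application policy evaluated on every request.
# Network location is deliberately absent from the policy.
APP_POLICY = {
    "hr":   {"groups": {"hr-admins"}, "mfa": True,  "device": True},
    "wiki": {"groups": {"employees"}, "mfa": False, "device": False},
}


def zero_trust_allow(req: Request) -> Tuple[bool, str]:
    """Return (decision, reason). Unknown applications are denied by default."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application, default deny"
    if req.identity is None:
        return False, "no verified identity"
    if not (req.groups & policy["groups"]):
        return False, "identity is not in an allowed group"
    if policy["mfa"] and not req.mfa:
        return False, "MFA required by policy"
    if policy["device"] and not req.device_healthy:
        return False, "device posture check failed"
    return True, "allowed"


def compare(req: Request) -> Tuple[bool, bool]:
    """Decision of both models for the same request: (moat, zero_trust)."""
    return perimeter_allow(req), zero_trust_allow(req)[0]


# Constructed sample requests.
# 1. The stepping-stone case from the talk: a compromised workstation inside
#    the perimeter reaching for the HR system with no login of its own.
LATERAL_MOVE = Request(src_ip="10.20.30.40", app="hr")

# 2. An HR administrator working from a home ISP address, logged in through
#    the identity provider with MFA on a healthy managed device.
REMOTE_HR_ADMIN = Request(
    src_ip="203.0.113.7", app="hr", identity="hr-admin@example.com",
    groups=frozenset({"employees", "hr-admins"}), mfa=True, device_healthy=True,
)

# 3. Same administrator, same device, but the session skipped the second factor.
REMOTE_HR_NO_MFA = Request(
    src_ip="203.0.113.7", app="hr", identity="hr-admin@example.com",
    groups=frozenset({"employees", "hr-admins"}), mfa=False, device_healthy=True,
)

if __name__ == "__main__":
    for name, req in [("lateral move inside the moat", LATERAL_MOVE),
                      ("remote HR admin with MFA", REMOTE_HR_ADMIN),
                      ("remote HR admin without MFA", REMOTE_HR_NO_MFA)]:
        moat, zt = compare(req)
        print(f"{name:32s} moat={moat!s:5s} zero_trust={zt!s:5s} "
              f"({zero_trust_allow(req)[1]})")
```

Running the block shows the two models disagreeing in both directions: the moat admits the internal stepping stone and rejects the legitimate remote administrator (who would need a VPN to get "inside"), while the Zero Trust policy does the opposite and also names the reason for every denial, which is the signal a security operations team would want to log and alert on.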