Cloudflare TV

Ask A Product Specialist

Presented by AJ Gerstenhaber, Chris Scharff
Originally aired on 

Get ready for a live Q&A session with Cloudflare's Product Specialist team, who will be ready with answers, expertise — and unparalleled whiteboarding skills. Send technical questions about Cloudflare products (or the Internet in general!) to


Transcript (Beta)

We are live. My name is AJ. I'm here with Chris Scharff. I am the product specialist responsible for talking to customers about Cloudflare One.

I do about 350 customer calls per year.

Chris Scharff is my technical counterpart, technical product specialist for Cloudflare One as well.

He does far more customer conversations than I do, but we're here to ask a product specialist.

We want to hear your questions about Cloudflare One and some of the new announcements, maybe Cloudflare for Teams, some of our corporate security products, or, and if no one has any questions, we'll just riff for a little while.

Chris, how you doing today? I'm good, AJ. So like you didn't even tell everybody the answer to the burning question, which is how do you pronounce your last name?

That's my secret. My last name is pronounced Gerstenhaber.

It's really exciting when somebody ever gets it right on the first try.

Backwards, it's pronounced Rebinetzreg. That is awesome.

You know what? Backwards, it might actually be easier to pronounce than forward.

That is awesome. Yeah. So for those of you that are watching us live, there's an email alias down there that you can email us here live.

It's, I don't know, questions at Cloudflare TV or something.

So feel free to ask us questions.

AJ mentioned I'm a product specialist, so I work almost exclusively on Cloudflare One and the Cloudflare for Teams products.

And AJ and I, I get the pleasure of talking to them at least two or three times a week and hanging out on customer calls.

And so, you know, we very much want to answer your questions, but if you don't come up with any good questions, well, they don't have to be good questions.

They could be bad questions. If you don't ask us any questions, AJ is just going to make a bunch up.

So save us all from having AJ's made up questions. That's exactly right.

My made up questions are hard. You don't want to field those. I guess I figured that we could kick off a little bit by talking about, actually, first off, Chris, has anybody written in the community forum?

I know you posted in there.

I have, well, they posted certain things. I don't think I'm allowed to say any of them on live TV, but no questions that I've seen in the community forum yet.


So let's do this. How about we just talk for a little bit about what Cloudflare One is, why Cloudflare One is.

I'll spend five minutes maybe talking about it the way that I would with a customer, and then we can just see how we're feeling.

So the way that we think about Cloudflare One is kind of interesting.

So Cloudflare got started about 10 years ago as a security and performance tool, primarily for public facing applications and websites.

And it's grown into the world's largest reverse proxy network on which we serve millions and millions of customer properties and have hundreds of thousands of customers.

And that's a cool stat now that we officially passed 100,000 paying customers.

But what we've learned by talking to customers about their corporate security environments is that a lot of security developed for corporate users is still kind of developed to adhere to a model of perimeter-driven corporate security.

So this idea that you have a headquarters, a data center, and a branch office.

And from there, depending on where a user is physically, and depending on where your hardware stack lives, you make policy decisions.

And that makes a lot of sense if all your applications and your workloads and your people are still within the bounds of that kind of traditional corporate security perimeter.

But in the last couple of years, most of the compute and most of the applications have drifted outside of the walls of that corporate perimeter, either with the adoption of SaaS tools or cloud compute workloads.

And then in the last 10 months, almost every user has left their corporate perimeter as well.

So Cloudflare One is here to answer the question of what should the corporate network of the future look like?

And I think I'll even share.

What do you think? Should I share a diagram? You get a maximum of two PowerPoint slides.

So if you want to use one up now, go for it. I'll take what I can get.

Chris, anything you'd like to add to what I just said? Yeah, no, I think that's definitely it.

This is kind of our vision of the zero trust network access or SASE, the secure software edge.

How do we address a distributed compute, distributed workloads, distributed applications, along with distributed users?

And AJ mentioned we spent 10 years building out this amazing distributed network.

We thought that that opened up some really interesting possibilities for us to provide services and solutions for customers in this space.

So if you've got a diagram, AJ. I think that's well said. Can you see my screen?

I can. Cool. Can you only see the diagram on my screen? I can still see you, AJ, but I can see the diagram very cleanly.

So we published this alongside Matthew's excellent blog post on the topic, but effectively, most Internet traffic comes from one of three places, right?

From the data center, from the offices, or from individual roaming users.

Cloudflare One seeks to answer the question, how do we take all that Internet traffic and get it out to Cloudflare's edge in order to take some sort of policy action on it?

So today, a lot of this would be delivered by mobile users connecting back to a corporate network via a VPN, branch offices going out to the Internet through hardware firewalls and data centers connecting either to offices or to users via some form of wide area networking.

And the way that we think about this is: how do we take all that traffic, either via network interconnection through Cloudflare Network Interconnect, through transit (our Magic Transit product, which is primarily based on GRE tunneling), and our remote user client work, and how do we just send all that traffic to our edge so that we can be the firewall single pane of glass for all your Internet filtering, and the policy aggregator to make logical Zero Trust access policies so that your users can access the things they need to do their job?

I think that's kind of a rough overview of the solution, right?

Yeah, yeah, yeah, absolutely. And I think, you know, a lot of the conversations we're having with customers, at least you and I, in the last few weeks have really focused on a couple of the items that you touched on.

So tell me more about that. The secure web gateway, Zero Trust access and the warp client, right, are really things that we've been talking to a lot of folks about.

And because I think that those are really things that folks are thinking about, because all these users have gone remote in the last 10 months.

You know, there's still plenty of people that have leases on buildings with nobody in them.

Totally, absolutely. And so, yes, there are some network problems that we have.

And interconnect is interesting. And Magic Transit, we certainly have, you know, a lot of customers and a lot of interest there.

But really, that, at least for my customers that I've been talking to, it's very much been those three things, the roaming agent, secure web gateway, and the access piece.

I think that's really well said. So fair to say then, and I would probably agree with this, that like the remote user cloud security component of the conversation is most relevant to a lot of businesses right now.

Yeah, yeah, yeah, absolutely.

Absolutely. So go ahead. I was gonna say, and Cloudflare Access, what you know, like, well, that's part of Teams and the kind of newly minted Cloudflare One.

It was actually something that has been in the market from Cloudflare for three years.

And I've been at Cloudflare for four. And it was actually the primary reason that I joined Cloudflare in the first place, is that I was working with the product strategy team.

And they showed me a quick demo of what they were planning to build in Cloudflare Access.

And I said, yeah, okay, sign me up.

Like, literally, this is amazing, or has a potential to be amazing.

And I want to be a part of it. So the rest is super cool.

If I were a business that was kind of evaluating a shift to remote work, let's say we had to leave the office, March 11, just like a lot of other customers that we work with.

And we still weren't sure about what our return strategy was going to look like.

How would you start that conversation with a customer in lieu of any real customer questions?

How would you start to evaluate?

Yeah, I mean, there's a lot of things to consider here. And one of the reasons that I limited you to only two slides in this conversation is throwing a bunch of slides up and telling a customer how they ought to solve their problems without actually understanding what the problems are that they're having or that they're thinking about.

You have to understand the problems they're trying to solve, right?

And so part of this, I think, is thinking about where do the gaps exist in my current security strategy.

I used to have all these endpoints on my network, and I could manage them.

And I had better visibility into what the users were doing when they were on the Internet, because the Internet traffic was going out through my network, right?

And my performance for my applications, even if I had moved the workload somewhere remotely, everybody in my office pretty much had the same workload performance characteristics, because we were accessing the same thing over the same WAN links.

And now these users are remote. So are there things that I can do to protect these applications and make them more accessible to my end users so that they can...

When I was down visiting some friends earlier this summer, I was on a satellite link.

Yeah. And connecting anywhere. And I varied anywhere from 600 millisecond ping time to 1.2 second ping times.

Performance was an issue.

So understanding where that area of problems is, and then figuring out are there places Cloudflare can help, or are there other solutions?

As much as I love Cloudflare, we don't solve every problem on the planet.

Not yet. Not yet, right? So where could potentially Cloudflare be of help?

And so one of the things that I love about the Cloudflare One solution is for things like access, you don't have to make an overnight change to your entire infrastructure.

You could choose, are there some low-hanging fruit applications that I could put behind Cloudflare, web-based apps that my users are utilizing?

Which applications might I think about doing that with?

Are there some that have particularly sensitive information where I need to potentially put some additional layers of protection in?

Or is there an app that's used by my development teams where one, they might be open to experimenting, and two, they might have some other services that can be put behind access as well, since we support SSH and RDP as well.

So a lot of it is where do I want to start?

Where are my biggest pain points? And can I pick off pieces of that incrementally and roll it out to our organization?

You know, it's really funny that you say that.

I'm going to share an anecdote that's somewhat related to that. It's still in lieu of any actual questions from customers.

But one of the common ways that conversations go when we're starting to talk about architecture with customers when they want to evaluate some changes to the way that they handle either remote access or Internet access for users.

Let's see. It looks like we are still having a problem with our system.

Yeah, I think they're going to reboot the system. You all may just get the replay.

Yeah, sorry, everybody. Hopefully, you'll still enjoy it.

And you can skip this part. So it's a net positive. But so when we talk to a lot of customers who say, hey, we're looking to do better Internet-based filtering or better remote user Internet security for roaming users.

When we start that conversation, I always like to ask about how they handle things today, which are typically over a VPN or backhauling traffic to some central location and sending that traffic out through a firewall.

And then I like to ask, you know, what else does that VPN do for you?

And 99% of the time, they say, well, we have some applications that still live on premise, or we have some site-to-site VPN connection with AWS where our resources live or with some allow listing for some other third-party service based on our internal IPs, whatever that may be.

And so then I say, OK, that's great.

But if we get you a way to get out of backhauling for your Internet-bound traffic, what do you think is going to happen to that traffic that needs to go back to on-premise?

They're like, oh, well, you know, we wouldn't be able to access it anymore.

That's right. So what's funny is that a lot of these conversations that I'm having, the remote cloud security or the remote Internet access use cases or secure web gateway kind of adjacent use cases, they really can't be accomplished until you have a good answer for what happens to your on-premise applications or anything that is accessed today over a VPN.

So in a lot of cases, the conversation may start by being about Cloudflare gateway or a secure web gateway solution of some kind, but it actually turns backwards towards talking about remote access first.

So I think what you said is exactly right. Like if you're evaluating where to start on this process, it really seems like things start with remote access.

You can deliver better remote access to your employees and reduce reliance on any sort of functional or job-related need to go back to the corporate network for any reason.

Then you can start thinking about what to do with your Internet-bound traffic.

What do you think about that? Yeah, no, I think that's very fair.

You know, when I worked at a previous company, one of the biggest challenges I had was our CMO, chief marketing officer, there was some information that he wanted to be able to access from his mobile phone when he was sitting, you know, on the tarmac waiting to take off.

Back when we all used to be able to travel places.

It's a nice memory. Trapped in our houses, yes. Let's not talk about airline miles expiring, please.

But it was very difficult to do that because, you know, you needed to put a VPN client maybe on mobile phones and it's maybe not even a device that you manage.

And nobody wants to have to fire up the VPN software to, like, and to only do the installation piece for, like, the potentially some of the least technical employees who need the most access to internal systems.


I mean, nothing against chief marketing officers, but they're not the people who want to be managing a VPN appliance on their phone or VPN client on their phone.

But they are also the people that need to be able to report on the highest amount of stuff.

So it makes sense that that kind of inverse relationship with technicality to need to access is very, very reversed.

Yes. Yes, exactly. And so, I mean, we found a solution for him.

We made it available at the time, but it wasn't a particularly elegant solution.

And it certainly didn't follow any security best practices, right?

All users are equal, but some are more equal than others.

And when they tell you, you will solve this problem for me. Sometimes you may, in the past, I've had to put in some less than ideal security related changes in order to accommodate, you know, business justified use cases.

Sure. At prior companies, of course, the big definition, but not at Cloudflare.

Well, first of all, at Cloudflare, nobody lets me touch a production system.

I can't tell you how happy that makes me.

I advise others, but yes. So we're able to publish apps securely using, you know, the Zero Trust network access, Zero Trust, whatever set of buzzwords, ZTNA, you know, put your acronym of choice.

But really, the nice thing there is not, it's not only authentication, right?

So you're making sure that the user with your existing identity provider and those types of things has the right username and password and two factor auth or whatever it is.

But then it's that authentication, but then it's also authorization.

So, you know, features that we've added in the last few months that like really excite me is now we can geo restrict you.

So you're an administrator, right? We're going to make sure that you don't connect from any ITAR listed countries.

Yeah. You know what? Most of my sysadmins, if they are hanging out in an ITAR related country, I probably don't want them accessing the system.

At Cloudflare anyway, your company may vary, but I can put in restrictions like that and I can use my existing investment. I used to be an administrator, a Windows systems administrator.

So we spent a lot of time building Active Directory groups.

Sure. Right. And so if I can leverage that same group information for authentication, for consistency's sake, it just, it's not yet another place to manage my groups of users.

They already exist in enough places.

Yeah, exactly. Exactly. That actually brings up something that I think is really fascinating about the direction that our product set is going in.

The way that I've kind of been explaining it as Cloudflare itself has value in the network that we provide and the services that we can provide on that network.

But I think one of our most compelling pieces of value is in our commitment to agnosticism as it relates to other technologies that may exist in someone's stack.

So being able to pull out AD groups is a perfect example of that, and use AD groups for policies related to other internal tools or external SaaS tools, whatever it may be.

And then eventually use those same groups to control your Internet-based activity and logging certain policies for Internet users based on group and tracking based on group, that sort of thing.

And that's really the tip of the iceberg from my perspective because the way I've been explaining it to customers is that if we can be that aggregator of agnostic signal, Cloudflare can be the best possible point for you to make policy determination because we will know the absolute most about whatever request is happening.

A great example of that on our roadmap is some of the endpoint security vendor features that we're integrating.

And I think that there's a future in which Cloudflare provides some really phenomenal contextual access clues that can help administrators make logical, sound policy decisions for their users without having to think too much about why someone needs access to what system.

If anything's sketchy, if the endpoint has a problem, if there's no certificate on it, if it's not coming through inspecting, being inspected by gateway, if it's out of group, out of range, out of country, whatever it may be, it's easy to deny policy until proven guilty until proven innocent, I guess is the way that Zero Trust works.

I'd never thought about it like that before. The justice system may not love it, but I think it's definitely relevant here.

Well, and I think, I admit it, I have zero actual security certifications, you know, as much as I...

Same, that's an important caveat. You know, as much as I would like to claim that I'm some cool, leet, black hat hacker, you know, I do occasionally like sniffing my people using my guest Wi-Fi just because I find it entertaining.

There's no password on it.

So, if you joined it and I've sniffed the traffic, I figure I'm allowed.

But I think that's really the case. And the fundamental change in the way that people have thought about Zero Trust security, if you look at, there's a great O'Reilly book on Zero Trust networks.

And that is exactly the assumption that they start from: every network connection, every byte of data going across the network is considered suspect and untrusted unless you have done both authentication and authorization.

And then every single request needs to be authenticated and authorized.

And that's really the difference when you, you know, just at a even bigger architectural level, when you say, what's the difference between Zero Trust network security or SASE versus the perimeter model?

Well, you know, perimeter model is best when I think about how to best exploit it, a VPN, right?

It's the most amazing backdoor that nobody ever thought of. Once you get access via VPN, suddenly you've had access to the entire network because it was the idea that you were, that somehow the threat wasn't inside.

You know, there's insider trading.

There's all kinds of nefarious insider activities. I love hanging out with you, AJ.

And I would probably give you the keys to my car so you could drive around town.

I would not give you my credit card details. So there's a certain level of trust that you want to have for your employees.

You don't want to make it so onerous they can't do their jobs.

My opportunity for lateral movement within your life would be limited is what you're saying.

Exactly, exactly. And so these tools to your point, right?

When I can look at all these things and I can apply all these signals, I can have a default deny, but very easy, pull these aggregated signals with my existing identity provider.

We mentioned Azure, that could be G Suite, Okta, any OIDC or SAML provider, and even third-party things like GitHub.

LinkedIn, yeah.

LinkedIn, yeah. You know, there's all kinds of interesting use cases, but you want to make it very easy for the users who need to use the apps to be able to use the apps while the security folks actually get the info.

All right. I'm ranting.

I'm ranting. No, no. I think that makes total sense. I mean, our own CIO, Juan Rodriguez, told us in a meeting just shortly after he started that, from his perspective, the end user's experience is absolutely central.

Like the CIO of any business is the steward of the end user's experience.

And that's a really powerful idea because people should be building security tools that people want to use, right?

That people aren't negatively impacted by using, which is one reason that I feel pretty confident about our ability to connect to Cloudflare Gateway: our secure web gateway functionality was built on our consumer use case for Cloudflare WARP and 1.1.1.1, which has over 10 million consumer users.

And consumer users aren't going to use anything that isn't performant.

How would that ever benefit them?

So that's something that I personally feel is really, really, really important.

It's good to hear, obviously, that CIOs feel the same way because I'm not the one making these decisions.

But I think that was a really interesting little anecdote there.

You mentioned, I want to cover one more thing. We've got about seven minutes left here.

You mentioned that you allow no password on your Wi-Fi, right?

On my guest Wi-Fi. Guest Wi-Fi. Guest Wi-Fi. And then you have the right, as the owner of that Wi-Fi, to sniff that traffic and see what those people are doing.

If I was just a consumer user and I was dabbling in Cloudflare's free plan, is there a way that I could use Cloudflare to stop you from sniffing that DNS traffic?


Yes, there is. There's actually several ways. And so you mentioned we have these consumer apps, right?

So if you're watching this and you got your phone in your hand and you don't already have the Cloudflare app on it, go to the app store of choice.

It's the Cloudflare app. Or go to our website, conveniently named, either numerically, type that in, or type in the words 1 followed by a period.

Do we do it alphabetically too? I didn't know we owned that. We don't own the one domain, but the one person who owns the one domain was nice enough to set up a CNAME for us.

Oh, that's very cool. It's the Internet. We all love each other. We're all friends, right?

We're all friends. Exactly. So go visit. There's links to get the app.

You can put it on your personal device. Always ask corporate IT before you go installing random software on your corporate device, please.

And there's a few options there.

So there is our service, which is our recursive resolver available for everybody on the Internet for free.

It is a DNSSEC validating resolver.

You can read our privacy statement around the data that we collect.

And we basically try to collect as little as possible. We're not making money selling your data.

Our CEO has written a statement on that, on our commitment to your privacy.

And you can absolutely use that. We also have a family version of that, 1.1.1.2 and 1.1.1.3, which you can easily configure in the app or on your router to use those.

And one of them blocks things like malware.

And then the other one blocks what is classified as adult content.

And I have a journalism degree. I believe in the freedom of speech and freedom of expression.

I also have a child. He's now 30, so he can browse whatever he wants on the Internet.

But if I had a five-year-old, I understand being a parent.

So those options there. But you can also take advantage of Cloudflare Gateway, this consumer business version that we've been talking about.

It takes a little bit more savvy. I don't think you have to be terribly technical to implement this.

But you can set up a gateway DNS account. And then the advantage there is you can put in the same malware filtering categories if you want to protect yourself from phishing and other malicious command and control websites, for example.

But then you can also whitelist specific domains or blacklist domains that you want to and have more control of the policies as opposed to just using what Cloudflare provides.

So depending on how much you'd like to tweak those knobs and dials, you could do that.

And by having that, when you get on my guest Wi-Fi, if you're using the client, it will either do DNS over HTTPS, which is an encrypted HTTPS connection to our edge where the queries are made and returned.

Or you can set it up to do DNS over TLS. And then that TLS is transport layer security for my mom, who is probably watching this.

My mom is going to be the only one that watches this, AJ. Well, hopefully she likes me.

Yeah, exactly. She'll be like, he has very pretty hair. Love, man.

So yeah, so you could totally set that up. And then you could use mine. And I wouldn't at least see your DNS queries.

And then if you enable the warp portion, you can have an encrypted connection to Cloudflare's edge that all of your traffic is being proxied through.

And then I couldn't even sniff your traffic because it would be protected from people like me.

Well, I think that should be the major takeaway for our 30 minutes here.

If you stay at Chris Scharff's house, or do you want a moment to plug your Airbnb property, or?

No, no, no, no, no. It's fine.

Because people might think I'm sniffing the guest Wi-Fi down there and I'm definitely not.

Okay, well, so if you stay at one of Chris Scharff's properties, you have the opportunity to download the WARP client, install or start running either the WARP agent or DNS over HTTPS or DNS over TLS so that your traffic can't be sniffed.

The same thing goes for ISPs and hotels and other many public Wi-Fi networks.

So it's a good way to stay secure on consumer devices. Yes. And I know we're running short on time.

I just want to share something real quick with the audience and not a PowerPoint slide.

But you can see my desktop here. What I wanted to show you is, please go away video panel.

Yes, the Cloudflare for Teams client is running on my machine right now.

So one of the concerns that people have around tools like this is how does this impact the performance in my environment?

What am I going to see for things like video calls?

I just wanted to point out that this is actually on and running right now and I'm connected via warp.

AJ, I can't tell how this looked on your side, but generally the feedback I've gotten from folks is, well, thank you so much.

But yeah, so I'm running the warp client while we're having this conversation.

And this is my default profile during the day: all of my traffic runs out through this, in part because I sell it.

That means that all your traffic is running through the Cloudflare edge right now and you have the ability to inspect it if you wanted to.

If I enable, so there's an optional feature for HTTP filtering, URL filtering.

You can do things like block attachment types, block paths of websites.

That is an option on Cloudflare for Teams. And if you have that feature enabled for your end users, then yes, you can absolutely inspect that traffic.

It's not required. Certainly on the end user consumer version, let's be very clear.

We are just a forward proxy. We are sending that traffic. We are not breaking your HTTPS traffic.

It is going out to the Internet unfettered. Well, there's the fettering in that it's going through us, but yes.

Yeah. We're not the arbiter of what is or isn't fettered in that sense, I suppose.

Correct. But even when you've set up the business version, unless as the IT administrator, you one, install a certificate and two, set it up to inspect that traffic, we don't do that by default.

As an administrator, you make a conscious choice to do that.

And I know we're up against time. Good point. Yeah. Thank you, everybody, for joining us today.

It was great to talk to you. Chris, thank you for spending some time with me.

Take care, everybody.