Zero Trust Week: New Product Demo — Cloudflare Gateway
Presented by: David Harnett, Pete Zimmerman, Kyle Krum
Originally aired on November 18, 2020 @ 8:30 AM - 9:00 AM EST
This is a session to demonstrate a new product release that will be announced the morning of this Cloudflare TV slot. Don't miss out because this will be hot off the presses!
Read the Blog Posts:
English
Zero Trust Week
Transcript (Beta)
Welcome to Zero Trust Week. This is a product demo session today and we're really excited to be able to launch two products today.
Zero Trust Week at Cloudflare is a really exciting week.
We've got product launches all week. Yesterday we had a product launch of Access for SAS and we have a demo session just like this recorded for people to see.
On Monday we had a really exciting announcement of Cloudflare One.
Cloudflare One is a comprehensive platform for companies and remote teams providing them security and connectivity.
It's a really exciting platform.
Go to Cloudflare's blogs and you can see that the announcement there from Matthew Prince and lots of other great blogs at blog .Cloudflare.com for that announcement.
And then tomorrow we've got a demo of the browser, Cloudflare's new browser offering which is really exciting.
And then on Friday we've got Magic Transit and Cloudflare Network Interconnect launches just to round out the whole week.
So today we have an exciting lineup. I'm going to stop sharing this slide right now and we can see Pete Zimmerman is joining us here.
He is the product manager for Gateway and Kyle Crum is joining us.
He's the product manager for Clients which is our work client and he's going to talk to you about the announcements that we have today.
So I'm going to start with you Pete. Also just a quick intro for myself.
I'm David Harnett and I am director of product management for Teams.
So starting with you, Pete, can you tell us about the announcement today?
What launched? What did you announce? And why is it exciting? And then we can go into more context and demos later but just what did you launch?
Yeah, so really exciting day today.
Two big things for Gateway. So first is that Cloudflare Gateway now integrates with the Cloudflare work client which Kyle will go more into.
But the cool thing about that is enterprises can take security, you know, users can take security wherever they are.
And then secondly that, you know, integration with the work client is really important because it facilitates the second cool release which is that Gateway now extends beyond DNS filtering and now performs HTTP traffic filtering with the cloud layer 7 firewall to protect users as they browse the web.
That's awesome. So exciting. Kyle, what launched today from clients?
Yeah, so we have two really exciting announcements today. The first is following the popularity of our applications on mobile.
We've had the 1.1 .1 with faster Internet apps on iOS and Android for the last year or so.
Today we are bringing those to desktop for Windows and Mac OS users as the Cloudflare warp app.
You can download that right now off of the 1.1.1 page. And then as Pete mentioned, we are extending the functionality of all of those apps across iOS, Android, Mac OS, and Windows to support Cloudflare for Teams.
And so this brings Warp Plus and the clients that we've built out that are used by millions of folks today, bringing that to all of Cloudflare for Teams customers and supporting the Pete's going to cover in a minute.
That is awesome. What huge new capabilities for our customers.
Really, really exciting. Okay, Pete, give us some context behind this and just walk us through all the way up to what launched, why it's important, how it fits with what Gateway already had in the market today.
So over to you.
Yeah, so to kind of put these Gateway releases into context, maybe it's helpful to have kind of a quick rollup of what Cloudflare 1 is and why this is exciting.
And so going back to the origin story of Cloudflare, it's that over the last 10 years, Cloudflare has built this network with a scale and availability to support any customer from a single developer to the largest enterprises.
And the first wave of products like WAF and CDN allowed our customers to put their web properties behind our network and then toss out those network boxes that they would typically have to use to do things like defend against DDoS attacks or accelerate content to their own audience.
And then the cool thing is in the last couple of years, we launched a series of products to point our network in the other directions.
We inverted that model. And that began with the launch of 1.1.1.1, Cloudflare's public DNS resolver.
And that became the first Cloudflare product that someone could use without owning a website, which is really cool for Cloudflare.
And today, that public resolvers now the world's fastest DNS resolver.
And we kind of kept thinking about how could we make a user's connection to the Internet better?
How can we make it faster? How can we make it more secure?
And so a year after that, we launched the Cloudflare work plan, which files the product manager for it.
And that's our mobile application that keeps users' Internet traffic private with an encrypted connection to the Cloudflare edge.
And that's used by millions of users globally today. And that's awesome because it gives us a chance to learn about running a service like that at scale, and then improve it for everyone.
And the same time we were doing that, we started thinking, how could we apply that same idea of providing a fast, secure connection to the Internet, but apply it to data centers and offices as well?
So last year, we announced Magic Transit in order to provide a secure, performant, reliable IP layer connection to the Internet.
And then earlier this year, we extended that and launched Cloudflare Network Interconnect, which allows our customers to interconnect branch offices and data centers directly through Cloudflare.
And the cool part is we have all the pieces. So Cloudflare One just brings all those options together into a single platform.
So regardless of how your teams operate, they can use the Cloudflare Network as their accelerated on-ramp to the Internet.
But the next step, however, is to unify an organization's security posture, regardless of how their traffic reaches Cloudflare.
So back in January of this year, we launched Cloudflare for Teams.
And that was a new way to protect organizations and their employees without sacrificing performance.
Teams centers around two core products, Cloudflare Access and Cloudflare Gateway.
And Access starts by introducing identity in the Cloudflare Network.
So teams can apply filters based on identity or context, like device posture, to both inbound and outbound connections.
Cloudflare Gateway, on the other hand, keeps connections to the rest of the Internet safe.
And back in March, we launched the first feature of Cloudflare Gateway, which was the DNS filtering capability powered, again, by the world's fastest public resolver, 1.1.1 .1.
That's the underlying technology for Cloudflare Gateway.
And DNS filtering, for those that aren't aware, that keeps users safe by blocking DNS queries to potentially harmful destinations that might be associated with things like malware or phishing or ransomware.
But then think back to March.
And of course, what happened back then was the pandemic happened.
So shortly after that launch, entire companies began leaving their offices.
So in this mad dash to get everyone home, you have what was originally makeshift home offices.
Those turned into more or less permanent in the last several months.
But now you have this distributed workforce over potentially thousands of locations.
And so that left this DNS filtering capability with some challenges for our customers.
So one was customers needed to register the source IP address of all the locations that sent queries to Gateway.
And that's problematic, obviously, if you're spread out across thousands of locations.
You're not going to register all those locations.
Their IP addresses might change. You just don't know what they are.
DNS policies are also relatively coarse. So it's kind of an all or nothing approach.
And it's at the domain level. So you can't, you can't block things, you know, the concept of a URL or a path doesn't exist in the world of DNS.
And then organizations that register IP addresses, frequently use network address translation.
So they'll share the same public IP address across all their users in order to obviously only have to burn a single public IP address.
But what you lose there is the per user visibility into the activity of each user, because you just see that all these queries are just coming from that public IP address.
So today, the cool thing is we're addressing those challenges with the two features I mentioned earlier.
So we're integrating with the work client. So it doesn't matter where users are, they can take that security with them.
And then we can perform filtering beyond just the DNS layer by filtering traffic at the HTTP layer with our cloud layer seven firewall.
Awesome, awesome. And so Kyle, over to you.
As you said in your in your intro about what launched today, people know the 1.1.1.1 apps for mobile.
So what's what's different today? And and how does it integrate with cloud for teams and with with with Cloudflare one.
So over to you. Yeah, thanks, David.
The biggest difference today is the build out. I'd say there's two big things.
The first one is bringing them to Mac OS and Windows. And so we've spent the last few months doing a lot of heavy lifting and getting sort of a combined back end infrastructure built up.
So we kind of have a single unifying daemon and service that controls the warp connections between Mac OS and between Windows.
And then we've been building the respective GUIs on top of that for Mac OS and Windows.
And so that was a huge part of the last, I'd say, four to six months or something like that, getting those things going.
And then the second big part, obviously, as teams mentioned, or as Pete mentioned, is the teams integration.
And so allowing you to really do two things with the client.
The first is that you can connect your client to your team's organization.
So we'll show you a demo in a moment where you're able to input the off domain for your organization and require all of your users on their devices to deploy the client, log into their team's organization with the same access policies that you have today.
And then, as Pete mentioned, you can apply the L7 firewall rules and filters on all of their traffic.
And you also get the benefit of not just the L7 firewall functionality that Pete mentioned, but every user's device now is going to be protected by warp.
So we use a custom implementation of WireGuard called Borington, which you can read about on our blog post today if you happen to miss the Borington blog post when we talked about it, I think, earlier in the year.
So all of your user's traffic is now encrypted.
It's sent over the firewall and the DNS filtering rules are applied.
And then just like you've been able to do on iOS or Android for a while now, if all you care about is simple DNS filtering, that stuff is also on macOS and Windows.
That's awesome. So when are we going to see a demo? Who's going first to show us the product?
Yeah, Kyle, you want to poke around the client? Yeah. All right.
Let's find our screen sharing button here. All right. So standard Windows desktop here.
I've already gone ahead and installed the Cloudflare warp client.
I've done it in a managed environment. So if you are somebody who's familiar with Intune or you're familiar with scripting MSIs, I've gone ahead and deployed the client in that scenario and I've already connected it to my organization.
So in this example, I'll open the Teams client and look for the little Cloudflare icon in the Windows system tray.
And here's our Cloudflare warp application.
Users who are familiar with 1.1.1 with warp on iOS and Android today will note that it looks almost identical and we've tried to do that across all of the platforms that we support.
In this mode, like I mentioned, I'm already connected inside Teams.
Because I did a managed deployment, I have some options that are disabled and some things that are still enabled for me based on choices that the IT administrator could make ahead of time.
In this example, I have decided to send all traffic through gateway on top of a warp connection because I want to do the L7 firewall in this particular demo.
I could have instead deployed gateway with DOH which essentially would use gateway just for DNS filtering and not have traffic going over warp.
If I pop into preferences, I can see all the things that you're used to seeing on the iOS and Android client today.
You can see the co-location center that you're connected to verify that my connection is over warp plus and the DNS is obviously going through DOH with or sorry going through warp with the L7 firewall.
You'll also notice that all of the other functionality inside the app, especially if you've been a beta user of us or you're familiar with our mobile clients, it's all been disabled again because I'm in managed mode.
I'm connected to my Teams organization. I can't really do anything here and then there's some simple stats.
One of the other things that we do is we make it an option in managed mode to also send all feedback through your IT department.
You'll see here I have that happen to be configured to support.Cloudflare.com but that could be your organization.
Now I'll toss it back to Pete and he'll show you that once you have the client deployed, how you can create rules that will eventually be enforced on the client.
Just a quick question before you do that, Kyle. You're talking a lot just to give people some background on managed mode.
You're talking about having the client deployed through MDM and then as an end user, you will have certain things that you can do with the UI but then there are certain things that are just controlled by your IT department.
Can you give us a little bit more background on that?
If you head off to developer docs today, you'll see a whole list of manageability parameters that you can pass either through a plist on macOS or management control panels for iOS or Android devices or through command line options on MSI where an IT administrator can choose ahead of time how they want the client set up.
They can pre -configure an organization that it needs to connect to, a gateway DOH subdomain if that's what they're using.
They can choose to lock down the UI so a user cannot turn off the switch and the client must be connected or they can choose to allow users to be in a little bit more control and turn it off if they ever need to.
On top of supporting installation mechanisms like Intune or Jamf or Google Enterprise Manager, we've also worked really hard to make it very, very easy for folks to either do manually or if you're a smaller shop to script installs and so you could deploy this through a PowerShell script or a Bash script or anything like that.
And then we also have UI that you can walk your users through how they can do this yourself, especially if you're just a five person shop, 10 person shop or something like that.
That's awesome. That's awesome. Thanks. It's so exciting because in March, and Pete, you referred to this, we had so many companies, thousands of companies that we onboarded to access.
And now with everybody working at home, now we have this awesome product with clients and agents that can now secure all the traffic of people working at home.
Okay, Pete, so show us Gateway. Yeah, cool.
So let's look at the Gateway side. So some prerequisites to this. So Kyle's client that he just showed, we've enrolled them.
We've enrolled Kyle's client in our organization.
We've enabled the Gateway L7 firewall for this organization.
We have some locations and DNS policies configured, but I'll kind of walk through as an administrator.
Hey, I have this running. I've got Kyle in my organization.
We're a two-man shop. And so I'll show you kind of what this looks like.
So the first thing here is the devices page, which will be new to folks. These are devices that have enrolled in the organization.
And you have this device settings button here where you can configure the access policy for users and devices to be able to enroll.
So from Kyle's side, he has to use his Cloudflare .com email address in order to authenticate, to be able to enroll in this Gateway organization.
That's all done through their client. So that's where you would set this policy here, devices enroll.
And then you see them populate here with who the user is, and then the friendly name of the device, if it's available.
And then we also have this ability to revoke. So if I decide to say goodbye to Kyle, I can remove his access, the ability to use our connection to the Cloudflare Edge by just revoking his device from our organization.
You're hovering over the revoke button for my iPhone.
So maybe don't do that one, Pete. Subconsciously, right?
So on the locations, so I configured this particular location.
But the thing to note here is that the idea of locations isn't new to customers.
They've done this already for, say, their home or a branch office. They've configured a location.
There's an IP address associated with it, an IPv6 address that they can send queries to, or they already have a DOH subdomain.
And in here, they align policies to it.
After they create a policy, they align it to a location so that queries going to this IPv6 address or from a source IP address that they've configured have that policy.
And in this case, end-to-end test policy will be applied to queries coming from that organization's location.
Same with this DOH subdomain.
So all the queries to this particular endpoint, this unique endpoint, will have this particular policy applied.
So we align these DNS over HTTPS unique endpoints to locations.
So I've taken that idea and I've created this location called roaming clients.
So I can just hand out this DNS over HTTPS subdomain to Kyle.
He can input that or it can be automatically input by an MDM into the client so that policies associated with this location, which is the roaming clients policy, will be applied to DNS queries coming from the clients.
So if we go to the roaming clients policy that I aligned to that roaming clients location, we can see what DNS policies I've chosen.
So I definitely want to show them a block page if we decide to enforce a policy on a DNS query.
And I selected all the DNS, all the categories that are available.
And this is not new to folks. The one thing that probably will be new is the DNS tunneling category.
So this is still in beta, but the idea is we have threat intelligence and heuristics that will tag DNS queries that are associated with DNS tunneling.
And once we identify that in an organization's activity log, if they choose to enable DNS tunneling, from that point on where we've identified a particular domain or query as associated with DNS tunneling, we'll block it from that point forward.
So it happens automatically for them, gets added to the category of DNS tunneling.
And then in their activity logs from that point where we've identified, hey, those queries are potentially DNS tunneling, those queries will get tagged in the activity logs from that point forward.
So we'll be able to tell I have something interesting going on here.
And then policies.
So here, so that's all DNS policies onto the layer seven firewall policies.
So there's a new tab here, again, marked beta, but this is where you'll create a series of rules to match against HTTP traffic.
So we already have some test rules in here that we've been playing with.
But an organization can choose to add a rule, and then they select what criteria to match against.
So what about the HTTP traffic do you want to match against?
Or if you don't care, you just want to say, whatever, match against whatever, but I just want to block security threats, you can just select the category and choose all security threats, just like I did with DNS, and choose to block it.
I create the rule. And then you can see it here, I already had one configured.
But you can see here, you know, these are all the categories that I've chosen to block.
And the particular rule is enabled.
But we support a whole bunch of different things. So, you know, let's say I want to, you know, there's several useful parts of say, Reddit, if I want to block, particularly unsavory parts of Reddit, I can use regular expressions.
So this goes back to this thing I was talking about where I don't want to block Reddit writ large, I want to allow the portions of it that are useful, but I want to block things that, you know, very specific things within the path, this this idea of a URL path, it's not it doesn't exist in the DNS world.
So my regex isn't that great.
But if I'm doing this correctly, I can say match against reddit .com.
And then for the URL, I want to block the not safe for work subreddit.
That's it.
And then you can see the rule gets added to the bottom of the list.
We also have the ability for organizations to enable or disable the layer seven firewall on demand.
So, you know, if, you know, just like, you know, the hardware appliances you have in your security boundary today, you know, you can always bypass, you know, maybe you just want to take take the security points out of the stack for maybe debugging, or if it's causing problems or whatever.
But anyway, it's a it's a it's a pattern that that administrators are familiar with, they have the ability to enable or disable the firewall at their choosing.
In the future, we'll support this on a per device level.
So, you know, if there's a series of users that I just don't want to inspect any of their traffic, you can just opt out their individual devices as well.
Cool.
That's awesome. One other thing I didn't mention was the actions. So we have allows, you know, depending on what you're matching against, we have the ability to allow block, you know, in the future, we're going to support audit isolate by sending traffic to the Cloudflare remote browser.
And then this this concept of bypassing traffic.
So on a on a per host level. So in this case, you know, traffic associated with zoom might use certificate pending, for example.
And so intercepting that traffic at the layer seven firewall, intercepting encrypted traffic would potentially break that application.
So you can configure a bypass rule, you know, in those instances.
And when something's bypassed, it's it's not inspected, the TLS connection obviously isn't intercepted either.
And then no traffic is logged about that particular session.
So that that becomes useful for say, financial institutions, organizations that don't want to collect information or log information about a user's financial transactions, for example, organizations sometimes bypass those things.
So just I don't want to know anything about users traffic to say, well, Spargo don't log it either, just bypass it and let them directly connect.
They have that option here. That's great.
That's great. Okay. Awesome demo. Great to see how easy it is. And I'm really looking forward to seeing browser in there as well.
You alluded to that, that you'll have an integrated solution where you use the authentication of access, you apply your rules with gateway, you can send traffic off to remote browser isolation with our browser solution, all in one place.
It's really cool. And then of course, with Cloudflare One, that extends to on ramping your data centers and your offices with Magic Transit and with Cloudflare Network Interconnect.
So it's a really nice, comprehensive solution for companies.
Kyle, back to you to show us more about policy enforcement on the client and continue our client demo.
Yes. As Pete showed off, the ability to create rules.
So I wanted to show you what the experience looks like then on the client.
So one of the sites that you might've noticed that he has blocked off is example .com, which you notice if I go to immediately is blocked by the gateway profile.
But if I pick another site, like I had up before, like Cloudflare.com, obviously, that works perfectly.
Kyle, can you show the certificate for that, just so there's no demo magic that folks might think we're doing here?
Oh, yeah. On the Cloudflare page, so you can show that we're actually intercepting the traffic.
The certificate, yeah.
And you can tell that it's our internal gateway certificate, which is one of the things you definitely want to make sure that you set up when you configure this.
So I talked about, it's probably worth mentioning on here, especially it's in our documentation as well, but you do need to make sure that when you deploy the clients, that you also deploy the certificate that enables all of this functionality as well.
And all of this stuff is up on developer docs for folks to see.
That's great.
That's awesome. Okay. So this is your demo session, Pete and Kyle. What else do you want to cover about the announcements today?
Pete, I know you want to talk a little bit more about the holistic picture of how this all fits together, but I'll hand it back to both of you to show everybody watching whatever you want to do to wrap up.
And we've got about two minutes left. Yeah. I would be remiss if I didn't bring up where to find more info.
So you can sign up for a Cloudflare for Teams account at this URL here, dash.Cloudflare.com.
You can Google it so you can find it, but there's a product page.
Your first 50 users are free. You can download the work client at 1.1.1.1.
And we just put up, with our public release, we updated all our developer docs and continue to update them, but those can be found at developers .Cloudflare.com.
That's awesome. And then Kyle, where do people go to download the client?
Just to remind everybody. 1.1.1.1, our website, either numerically or typing in the words 1.1.1.1 if you're an IPv6 only customer.
And they're up there right now.
So we're excited for everyone to try it out. That's awesome. That's great. And Cloudflare.com forward slash teams.
You can see all of our pricing plans up there. Pete mentioned them.
There's a free plan for under 50 users. There's a standard plan.
You can find a gateway and use gateway for $5 per user per month. You can use access for $3 per user per month.
All available through our pay-as-you-go self -service models.
Thank you everybody for joining us. We've got, like I mentioned at the beginning, some exciting announcements coming up for the rest of the week.
We've got a browser isolation demo tomorrow that we'll be doing at the same time.
And then at 10 o'clock Pacific time on Friday, we'll be doing an announcement of an exciting new Magic Transit capability.
So with that, thank you, Pete Zimmerman. And thank you, Kyle.
And on to the next session.
