π A Bridge to Zero Trust + WARP Sessions GA
Presented by: Annika Garbers, Kenny Johnson
Originally aired on June 7, 2023 @ 8:00 PM - 8:30 PM EDT
Join Cloudflare's Product Management team to learn more about the products announced today during Security Week.
Read the blog posts:
- A bridge to Zero Trust
- Cloudflare partners with Microsoft to protect joint customers with a Global Zero Trust Network
- Introducing SSH command logging
- Zero Trust client sessions
- Managing Clouds - Cloudflare CASB and our not so secret plan for whatβs next
Tune in daily for more Security Week at Cloudflare!
SecurityWeek
English
Security Week
Transcript (Beta)
Hello. Good morning. Good afternoon or good evening, depending on where you're joining us in the world.
Thank you guys all for joining out there.
My name is Kenny Johnson.
I'm the product manager here at Cloudflare, I'm joined by Annika if you want to introduce yourself as well.
I'm Annika, also on the product team here at Cloudflare.
Kenny and I both work on solutions under the Cloudflare one product portfolio, helping customers build their next generation networks and embrace Zero Trust security.
Excellent.
And we are coming to the tail end of Security Week 2022. It's been a pretty wild week for us.
Hopefully you guys have been following the blog and watched all the different product announcements that we've made.
We had lots of cool things come out this week, so I definitely recommend going and checking that out today.
We're really excited to take you to through two different new features announced this week.
The first one is on Onyx side. It's new bridges to our zero trust solution as well as then I'm going to cover the concept or the idea of being able to enforce sessions from a from a networking perspective using the zero trust client on the device.
So to quickly kind of set the scene and Onyx, I'm really excited to hear about your new feature.
What we see with our products is within Zero Trust is that we have two components.
There's an identity and access management component of us sitting as a front gate in front of applications.
This can be done with software on the device or without software on the device using DNS and reverse proxy.
The side that almost always requires some form of network on ramping is our secure web gateway basically filtering a user's traffic out to the public internet and either restricting what they can and can't go to or just protecting them from outbound internet threats as well as doing VPN style routing into private networks.
The client that's deployed out on to fleets of laptops or individual users machine works great for a lot of use cases, but if you're in the process of still migrating away from a VPN or you have a branch office that you want to do the same thing and onramp to Cloudflare and you're not able to go through the process of deploying a client out to individual devices.
That's where we've built out other potential onramp solutions and onyeka.
I think it'd be awesome if you were able to talk us through some of these, these on ramping solutions, kind of what we've launched, what's coming.
I'm excited to hear more about it as well.
Yeah, for sure.
So I mentioned Cloudflare one is kind of the combination of our Zero Trust security and our network services products.
And the reason that we decided to put these together is because when we were talking to customers about what the journey of transforming their network architecture has looked like over time, really they'll describe kind of a lot of different architectures, but some that fit really into kind of three buckets.
Overall, there's customers that talk about this generation, one network architecture.
This tends to be older companies, people that have been around for a while and created their original corporate network back, maybe even before the Internet existed.
And this is sort of a called castle-and-moat or a perimeter style network architecture.
And a lot of people have sort of migrated away from this to more modern architectures.
But a lot of customers are still here today and trying to figure out what next steps look like for them.
There's this sort of middle of the road generation to where most organizations that we talk to are today.
And with this network architecture, they're kind of maybe embracing a combination of on premise and cloud, both storage and compute, and then also security and networking function solutions.
And then there's generation three, this Zero Trust network, which is where we want to help customers build toward again with that combination of zero trust and network connectivity.
And so if we dig into these a little bit deeper and kind of explore what do these look like and how does the architecture that we're heading toward in the future solve some of the problems of these legacy architectures?
Really, this is a high level network diagram of what maybe a corporate network could have looked like 10 to 20 years ago.
And actually, many organizations still look like today there's some centralized location or in this case, in this diagram, we have a couple of locations where the customer is hosting a lot of their internal applications.
So anything that users need to get access to do their work, that could be anything from like an ERP system to an email server to just like really anything that they need to get access to get their job done.
HR Systems, etc.
And these are hosted in these kind of centralized locations often on hardware that these companies own, and administer.
They need to think about capacity planning for those.
They need to think about redundancy, resiliency plans, and they also need to think about security for them.
And the way that they traditionally have approached security in this model is by.
Deploying appliances that sit at the perimeter, that the network edge of those physical locations or at the edge of the network.
So there would be a firewall box, maybe something like an IDF intrusion detection system and other security appliances that's sitting at the edge, kind of like a drawbridge in a castle and moat analogy and looking at everything that comes in and goes out and making sure that all of that traffic stays secure.
And you're not letting anyone bad in.
You're not letting your users get to any malicious resources that are sitting on the outside.
So we got these headquarters, maybe a data center connected to a location with lots of employees on a local area network.
And then you have the wide area network or way in, which includes connectivity from maybe further more geographically distributed locations, things like branch offices or stores or retail locations.
And often traditionally these were connected back to the central locations with forms of private connectivity like MPLS or private fiber connections.
And then the other piece here is the access to the Internet.
When that sort of showed up on the scene, company said, okay, we need to make sure that we can again secure access from these traffic flows out to the Internet.
And so we're going to essentially backhaul the traffic from these remote locations through the central location and then out to the Internet so that we can enforce security all in one place.
So this is kind of what that initial generation, one network looked like.
But things have changed a lot since the beginning of corporate network architectures.
The first thing that happened was applications left the cloud and so or excuse me, left the data center and moved to the cloud.
So now you have these additional at least one cloud property.
Lots of organizations are adopting a hybrid or poly cloud strategy where they need to manage multiple of these.
And then also users left the office especially this has been accelerated in the past few years with the proliferation of work from home caused by the COVID-19 pandemic.
And so now applications and users can live anywhere. And that means that there's traffic flows really fragmented and all of these different places and lots of technologies have emerged to try to solve for this problem, these fragmented traffic flows, and this idea that there is no longer one strict corporate perimeter and one box that all traffic flows through that's enforcing security.
But those solutions are largely really fragmented and can leave organizations with more gaps in visibility and security and more problems with management and overhead.
And also just a total cost of ownership that's higher for their network than they had before in traditional network architecture.
So we went through gen one, gen two, and then the sort of Generation three network architecture that we want to help customers build.
Here we have the Cloudflare Global Edge, but this is sort of just an architecture paradigm, right, that we're helping customers get to with our network and using our network as an extension of theirs.
The idea here is you can connect any source or destination to your network with whatever sort of onramp mechanism made sense to you to use a net use case.
And can you talk a little bit about this earlier and I'll touch in more depth on the new on ramps that were that were announced today that are now available to customers.
But connect any of these sources or destinations to your network and then enforce security.
They're actually at the edge, the global edge at a location really close to your customer in software that's actually developed from the ground up to be able to run on commodity hardware.
And what that allows is things like Single-pass inspection all of your traffic, a single packet that's going to a destination application can go through all of the layers of security policies that you would want on one machine, on one server that it lands at the Cloudflare network without having to bounce around to different locations in order to get those policies applied.
And it means a faster experience and an easier experience for all of your users versus something like a traditional VPN where you're back calling traffic again from those remote locations through centralized places that have a VPN gateway deployed.
So this is kind of the arc that we've seen General Engine two and three Kathleen modes more complexity in this patchwork of security solutions and then this new architecture that we want to help customers adopt.
But one of the things that we heard really consistently from customers who are making that transition is the kid do it all at once.
They're having a really challenging time trying to figure out what's the path from where they are today to where they're going in the future.
And that's what today's announcement is really focused on.
Awesome.
That's very exciting. Glad to.
Glad to hear it. Annika.
I think it's really going to help move forward and make it a lot easier for customers to users of our platform to more simply move from their VPN architecture to a true Zero Trust networking approach, which is great.
Yeah.
Specifically, what we're really excited about with announcing today is connectivity between our device client.
So if you're sitting at home and you have a laptop or a phone, you can install the Cloudflare device client and then get access to any, any application or any network that's connected to Cloudflare with a network layer on ramp.
So an example of that could be something like a GRI, which stands for generic routing encapsulation or IP SEQ or maybe a direct connection.
So these IP layer network layer tunnels are going to get traffic from your network, maybe a data center, a branch office to Cloudflare network.
And then you can now get to those with with your device.
So from a laptop with the word client installed, you can send traffic to any of those connected private networks.
So from an architecture perspective, this looks really similar to kind of a traditional VPN, right?
There's like a client that sits on your device, you enable it in order to get access to the things on the private network.
And from the user perspective, that's kind of very familiar.
And so the transition from something like a traditional VPN client to this model is very smooth, but from a security perspective, you can then enforce zero trust policies on top of that traffic and then also do things like a service discovery, which is a use case that really excited to add more to in the in the coming weeks and months where you can choose to selectively upgrade specific applications to a more Zero Trust model on the application side.
So for example, you could connect your whole network all at once from a router at a data center and then say, okay, I have the majority of my traffic is to these ten applications.
I'm going to prioritize upgrading those with application level connectivity to Zero Trust and then be able to really enforce that idea of authenticating and authorizing every single customer request and only allowing access to the applications that users are explicitly allowed to get to.
And so then you're you're removing that problem of the kind of lateral movement that was available in the previous generation of network architecture.
So really excited about this, excited to see more customers, especially those with legacy networks, adopting Zero Trust with this kind of gradual path that we're giving.
And yeah, we hope that this feature overall makes all of the networks and all of the customers that we're working with able to have a plan and a path to get to sort of a more secure setup for their network overall.
That's excellent and it couldn't be a better time to talk through the feature that my team is announcing today around client based sessions.
Because as you mentioned, the extension that we made within our client based on ramp to Cloudflare and then into your corporate network is that we needed the ability to expand and actually provide a session style approach for routing coming from a user device up to Cloudflare and then into your infrastructure.
So I've got some, some info I can share and I'm actually going to be able to show a live demo of this feature as well.
So just taking a quick step back to the spot that we started out with a client on a user device is it was for our Secure web gateway, which the Secure Web Gateway allows you to do single-pass inspection and enforcement on user traffic going out to the Internet.
Basically what the client is doing is it's forwarding forward Proxying all traffic or a select portion of a user's traffic to Cloudflare as a first hop out to the Internet, and then you're able to enforce both identity and just general networking and HTTP level policies on that user's traffic.
This is already really powerful because you get to protect the user from malware, no threats.
You can enforce what the user can and can't go to as well as you get a log of the user's traffic.
Typically to identify the user, we have them go through a one time authentication flow, which again for outbound Internet access, that's totally fine.
We just need to associate the user with a given machine.
That's not going to change too frequently.
This level of security and kind of threat level changes when you start to access things behind your private firewall or your private network, when you use tools like Onyx to expose your private network using an IPsec tunnel, that starts to become more sensitive and you need to actually have some method of step up authentication or the ability to re authenticate a user in the event of shared workstations, a stolen laptop, a compromised laptop.
You want to have this ability to re prompt the user and have them go through a sign in flow, very similar to what you'd have them do with any web app like logging into Salesforce or if you have hosted JIRA or something like that.
So we wanted to create that same experience and that's what we've now done.
So any secure web gateway policy that I create, I'm now able to enforce a session on those specific policies.
And this is especially important when you're going to things like internal IPS and hostnames.
So if you have a particular service at an internal IP, you can then configure a policy to enforce that.
A user, if they have an out in the last 15 minutes, they have to go through an authentication with your single sign on provider and go through any MFA requirements that you've configured as well.
We can also enforce device posture policies.
So has the laptop been patched is disk encryption on?
Is it running CrowdStrike?
All of those checks that we've made available for web apps can now be done for things traditionally only available over a VPN.
So let's go ahead and take a quick look at how this is actually configured.
I'm going to go ahead and pull up my demo account.
The important thing and all I need is a user is I need to be running the Zero Trust client and then I've associated this zero trust client with an individual account.
So I've, I've authenticated myself as Kay Johnson at Cloudflare onto this Kenny ATX demo account.
And then all that I need to do from this point is I can create policies either at the layer four network level or the Layer seven application level because we're doing just a basic demo today, I've kind of come up with a trivial example.
What I'm going to do is I'm going what I've configured.
Let me grab the one I've configured.
Is the session is piano in here.
So I've configured a secure web gateway policy that what this is doing is anytime I go to espn.com, I'm going to allow that traffic.
But I want to require that I re authenticate every 15 minutes and I haven't authenticated for a while.
So this is basically going to prompt me as a user that I need to go through a session authentication in order to access ESPN.com.
So let me go ahead and pull in a new browser.
I'll go to try to go to espn.com.
What this then does is I get a blocked message.
I can customize this message, basically prompting the user that they need to write off.
And then I'm presented with a login screen to go ahead and write off my account.
So I then have the ability to go through my login flow. I'm going to go ahead and sign back in to my Cloudflare account.
This will prompt me for actor credentials.
I can type my password.
Right. Let's do that one more time.
Anything can and will happen on a demo.
That's the rules of the road.
There we go.
And we have it configured at Cloudflare. Everybody uses a yubikey.
So I had to go through Hartke MFA here as well to access this resource.
This will go ahead and authenticate me.
I'm now authenticated and then I can go ahead and go through and I should be able to access ESPN because I've got to got a live session.
So that's kind of a trivial example just to show you the idea of this.
This starts to this starts to become really powerful.
Hopefully, I didn't ruin anybody's bracket here in terms of if you had the games taped for March Madness.
Sorry about that.
If I did, this starts to become really powerful when you think about routing into private IP space or private IP addresses or private hostnames.
So what I can do instead of a network or just a basic block like ESPN, what I can do is I can configure something like I think I have a policy in here, like at this site, at this private IP address, I have a Gravano server exposed.
And then what I'm able to do is I can enforce that a specific only a specific group of users can access that Gravano server.
And additionally, I can configure things like did I pass a particular device posture check?
So do I have carbon black running on the device before allowing access or am I is the user in a specific group in Okta?
Are they in the developers group?
And then finally I can enforce that client session duration so that I'm prompting re prompting them for off for just the sensitive things that I'm exposing in my infrastructure via the agent on the device.
The beauty here is that this doesn't stop filtering from malware.
It doesn't stop general protections and logging.
It only triggers on the specific policies that I configure that that check for.
And then even better, we were able to then see within gateway granular logs of users making those requests.
So I should there's tons of logs in here, but you would actually see that, see that view of when I had to re authenticate as a user, when I re authenticated why I was allowed or why I was blocked.
So I have a really granular information on kind of user traffic and what a user was doing on that particular site or into that particular private resource that you've exposed.
So again, we're really excited about this feature. It's just getting started here.
We want to make this even better.
We want to make these controls smoother and more clear.
And I guess the other piece I'll call out is that this works for both browser and non browser based applications, so you can trigger these types of authentication events for things like SQL Server and RDP or really anything at a network level can be triggered from the machine.
So it's not just limited to browser, which is especially powerful.
So again, thank you guys for listening here.
We're excited to get to launch this piece.
I don't know if you had anything else you wanted to touch on before we sign off for today and let everybody go enjoy their Fridays.
How can customers get access to this if they want to use it?
That was so awesome.
This is live.
This is in the dashboard. It's not even data anymore.
It's generally available.
So you can go into your Zero Trust dashboard today and it's available within the Secure web gateway setups.
Just go ahead and configure a network policy or an HTTP policy and you should see it there live in the in the dashboard.
The only caveat is that you want to have a beta version of the Warp client or the Zero Trust client deploy on your device.
That's the only piece that we're still kind of hanging on where you have to upgrade to the latest version of Warp.
But other than that, it's just broadly, generally available.
Nice.
That's so exciting to hear. Yeah.
So as a as a member of the audience, if you have questions about this or anything else that you'd like to see or excited about roadmap for either of these feature areas or you want to learn more.
There's tons of information on the Cloudflare website and our developer docs and also through your account for enterprise customers as well, if you want to get a custom demo or more information about any of these features.
But I think at that point, at this point, that's that's all I have.
I think we can let some folks get back to their Fridays.
Yeah, I think the last thing is there's blogs live for both of these.
If you go to the blog Cloudflare dot com, you'll find blogs if you want to find more information.
And those have really good info of how to get started as well as if you have a Cloudflare account team, don't hesitate to reach out.
They've been briefed on these things.
We're happy to they're happy to kick off those conversations as well.
And with that, I think we can go ahead and wrap up.
Thank you, everybody, for joining and have a wonderful weekend out there.
All right.
Thanks. The real privilege of working at Mozilla is that we're a mission driven organization.
And what that means is that before we do things, we ask what's good for the users as opposed to what's going to make the most money.
Mozilla's values are similar to Cloudflare service.
They care about enabling the web for everybody in a way that is secure, in a way that is private, and in a way that is trustworthy.
We've been collaborating on improving the protocols that help secure connections between browsers and websites.
Mozilla and Cloudflare collaborate on a wide range of technologies.
The first place we really collaborated with the new TLS 1.3 protocol, and then we followed it up with quick and DNS over HTTPS and most recently the new Firefox private network.
Dns is core to the way that everything on the internet works.
It's a very old protocol and it's also in plain text, meaning that it's not encrypted.
And this is something that a lot of people don't realize. You can be using SSL and connecting securely to websites, but your DNS traffic may still be unencrypted.
When Mozilla was looking for a partner for providing encrypted DNS, Cloudflare was a natural fit.
The idea was that Cloudflare would run the server piece of it and Mozilla won the client piece of it.
And the consequence would be that we'd protect DNS traffic.
For anybody who used Firefox.
Cloudflare was a great partner with this because they were really willing early on to implement the protocol, stand up a trusted recursive resolver and create this experience for users.
They were strong supporters of it.
One of the great things about working with Cloudflare is their engineers are crazy fast.
So the time between we decide to do something and we write down the barest protocol sketch and they have it, running in their infrastructure is a matter of days to weeks, not a matter of months to years.
There's a difference between standing up a service that one person can use or ten people can use, and a service that everybody on the Internet can use.
When we talk about bringing new protocols to the Web, we're talking about bringing it not to millions, not to tens of millions.
We're talking about hundreds of millions to billions of people.
Cloudflare has been an amazing partner in the privacy front.
They've been willing to be extremely transparent about the data that they are collecting and why they're using it.
And they've also been willing to throw those logs away.
Really.
Users are getting two classes of benefits out of our partnership with Cloudflare.
The first is direct benefits. That is, we're offering services to the user that make them more secure and we're offering them via Cloudflare.
So that's like an immediate benefit that users are getting.
The indirect benefit that users are getting is that we're developing the next generation of security and privacy technology, and Cloudflare is helping us do it, and that will ultimately benefit every user, both Firefox users and every user with Internet.
We're really excited to work with an organization like Mozilla that is aligned with the user's interests and in taking the Internet and moving it in a direction that is more private, more secure, and is aligned with what we think the Internet should be.
Nonprofits are made for crisis to step in and help in whatever sector you're in.
And so this is that moment for them to lean into it and provide that relief.
Did you ever think you'd be doing an interview this way?
No.
My name is Chris Mixner, and I'm one of the founding members of raised donors. We work closely with nonprofits to give them a flexible, yet very simple fundraising platform.
That way, they have the funding to go out and achieve their mission.
What types of threats.
And security risks to your customers face?
These bad actors, these hackers just purchased 10,000 stolen credit cards.
Well, they're probably not going to go to a major online retailer and go through a checkout process and input these cards to see if they work.
They want to find a very low barrier type of a system, i.e.
a donation page that is intentionally designed to be simple to use.
And so how do we lessen those attacks?
Because all of those declines also cost the nonprofit money.
Cloudflare has been amazing in helping us identify these threats.
So as threats are happening in real time, we can then be aware of what country they're originating from, what kind of threat that is, and then share that information with our customers.
The beauty in that is it's not taking up bandwidth or resources on our side.
How does race donors help make things easier for your customers?
Just last week we had a customer send out a massive newsletter, but they put it in the wrong URL.
So what are they going to do about that?
Well, in that case, we use the edge Workers so that when the request comes in, we could actually manipulate that URL and have it actually complete as it was intended to.
They were so thankful that raised donors, was able to step in and help quickly and easily, and we were able to do that all because of Cloudflare, which was phenomenal.
What advice would you give to all the nonprofits that are out.
there.
Coping and trying to stay afloat right now?
If it is something you love to do and you're failing, well, you're learning and it's only going to help you even more so.
So be bold.
Don't be shy.
Jump in headfirst and go for it.
What is a WAF?
A WAF is a security system that uses a set of rules to filter and monitor HTTP traffic between web applications and the Internet.
Just as a tollbooth allows paying customers to drive across a toll road and prevents nonpaying customers from accessing the roadway.
Network traffic must pass through a firewall before it is allowed to reach the server.
Wharfs use adaptable policies to defend vulnerabilities in a web application, allowing for easy policy modification and faster responses to new attack vectors.
By quickly adjusting their policies to address new threats.
WAFs protect against cyber attacks like cross-site forgery, file inclusion, cross-site scripting and SQL injection.