What Launched Today - Wednesday, March 6
Presented by: Dan Hall, Ankur Aggarwal, Steve Welham
Originally aired on November 1 @ 5:30 AM - 6:00 AM EDT
Welcome to Cloudflare Security Week 2024!
During this year's Security Week, we'll make Zero Trust even more accessible and enterprise-ready, better protect brands from phishing and fraud, streamline security management, deliver dynamic machine learning protections and more.
In this episode, tune in for a conversation with Cloudflare's Dan Hall, Steve Welham, and Ankur Aggarwal.
Tune in all week for more news, announcements, and thought-provoking discussions!
Read the blog posts:
- Eliminate VPN vulnerabilities with Cloudflare One
- Zero Trust WARP: tunneling with a MASQUE
- Cloudflare treats SASE anxiety for VeloCloud customers
For more, don't miss the Cloudflare Security Week Hub
Transcript (Beta)
Hey everyone, welcome to Cloudflare TV. My name is Ankur Aggarwal. I'm a product manager here at Cloudflare.
I work on the Gateway product, which is part of our Zero Trust group and I'm based out of San Francisco.
Today, I'm joined by Dan Hall and Steve Welham.
Hopefully, I got that right. And we're going to walk through some of the blog posts that we launched today.
And I'm going to turn it over to Dan to introduce himself and walk us through our first blog post, which is centered around MASQUE.
Well, thank you, Ankur. And by way of introduction, I'm Dan Hall, product manager for our Zero Trust WARP clients here at Cloudflare, part of the same Zero Trust solutions and Cloudflare One as Ankur's Gateway solution.
And I'm located in the Boston, Massachusetts area. So welcome to our TV session.
I wanted to talk about the blog and the announcement we made today about our Zero Trust WARP clients beginning to use the MASQUE protocol and some of the underlying protocols there.
Now, we have a long history with WARP. Many of you know, it actually started as a consumer service over five years ago as part of our 1.1.1.1 privacy DNS solutions.
And we added to that over the years and eventually brought it into our Zero Trust solutions as part of Cloudflare One.
And throughout that time, there's been the WARP tunnel.
And the WARP tunnel is really allowing that client, that user to connect to the Cloudflare global network in a secure and private manner.
And since it's begun, we've been using the WireGuard protocol to secure and actually instantiate that WARP tunnel.
So what we're announcing today is the use of MASQUE, which is really actually going to be using HTTP/3 over QUIC.
And that's going to give us those advantages moving away from WireGuard just a little bit.
And where MASQUE comes in, MASQUE is actually a capability that's going to provide the application layer building blocks that allow us to efficiently tunnel traffic across those HTTP/3 and QUIC connections.
And with kind of that move to MASQUE, what are the kind of things that we improve on or improve upon from WireGuard?
Right.
No, great question, Ankur. And, you know, fundamentally, WireGuard is a stable solution.
It's been around for a while, but we're also not going to move to something that's not proven, right?
HTTP/3 and QUIC, very proven reliability at scale.
In fact, it's been used in many, many different areas since it's come into the marketplace a few years ago.
In 2023, on the Cloudflare network itself, over 30 percent of that traffic was HTTP/3 and QUIC.
In addition to that, MASQUE is used in our iCloud Private Relay service.
So we're moving to a solution that is proven at scale, very reliable in our own experience.
Now, some specific benefits that our Zero Trust customers are going to get is, you know, that desire as a Zero Trust user, right?
You want to be able to connect from anywhere. And in today's environment, that's usually from outside of an office, right?
You might be at your home or on the road.
And some of the challenges we see with WireGuard in public Wi-Fi spots or, you know, captive portals, areas like that, is because it is using slightly non-standard ports, it can, you know, run into firewall policies.
It can be blocked for various reasons.
As we move to a very standard, you know, protocol and ports, we shouldn't see those issues.
So the ability to connect from anywhere is going to be enhanced.
The other benefit that our Zero Trust customer is going to have is the ability to use FIPS-compliant cipher suites.
Again, WireGuard, it has encryption, it's very secure, but the same types of the encryption profiles and technologies used in WireGuard are not necessarily on that FIPS-approved and compliant list.
And as we move to HTTP/3 and QUIC, which actually QUIC encapsulates and includes TLS 1.3, we're able to take advantage of some of the encryption protocols that are in that FIPS-compliant space.
So those are the things we see as we start our journey with using MASQUE on Zero Trust WARP clients.
It's going to be available for beta testing early in Q2, so it's just about to come out for users to begin using.
And then we expect to be able to expand on that. MASQUE gives us a lot of capabilities that we want to continue innovating with the Zero Trust WARP client.
Thanks, Dan. This is definitely something that's also near and dear to my heart, as the product manager for Gateway, and many of our customers use the WARP client to proxy their traffic to Gateway and apply those filtering rules.
So getting a faster, more compliant, proven method out there to tunnel that traffic is absolutely amazing.
And there's also one more post that we actually published today related to the WARP client, and mainly it was around just how we're talking about VPN vulnerabilities, and at least some that have been in the news recently.
Can you tell us more about that, Dan? Right. This is the, you know, as you said, in the news, right?
The CISA organization earlier this year had issued some directives around the Ivanti solutions, and that actually followed from some vulnerabilities that were discovered late last year on the Ivanti appliances, both for the VPN server appliances and the NAC appliances that they have.
And those vulnerabilities, actually, there's a pair of vulnerabilities that attackers or bad actors discovered a way to kind of, you know, use them in sequence to do some pretty nefarious things, right?
So one of the vulnerabilities allowed a bad actor to bypass authentication and gain access to the appliance as an administrator with the administrator, you know, permissions.
And then once they had that access, they were able to exploit the second vulnerability around some of the internal systems of that appliance.
And through that, they were able, you know, unfortunately able to do a number of different things.
They were able to, you know, harvest credentials of users trying to log in.
They were able to launch, you know, remote code execution on that appliance and share some web shells throughout the internal network, the private network of the customers or the enterprise.
So fundamentally, you know, the warnings went out.
People were asking, you know, hey, you should not use these appliances for at least until you get the mitigations in place.
And that happens. Vulnerabilities happen.
But what it does highlight and which we wanted really kind of focus on is it's highlighting the weaknesses of that legacy castle and moat type of security paradigm, right?
The old view where you would have hardware and appliances in your own data center, your own, you know, kind of moat protecting your own castle.
And that's where the issues arise, right? Now you have those appliances there.
Now customers have to not only, you know, configure their services to do what they want them to do and configure it appropriately for their environment.
They have to do, you know, take care of the care and maintenance of the appliance itself, which gives those administrators an awful lot of access to it.
And that's where, when the bad actor gained access as an administrator, they not only had access to change, you know, like a service configuration, they also had the access to the inside of that appliance and were able to, you know, put their own files in there, manipulate files that were there, do things that they should not have been able to do, right?
And again, that just shows you the weaknesses of that castle and moat type of security paradigm where, you know, what happens when the attacker takes over the moat, right?
And we want to, you know, kind of compare that or contrast that to that future that we're experiencing now of where security is provided in the cloud.
It is more of a service, a security as a service offer, right?
And in that sense, the enterprise customer, yes, you still need to be able to configure your own services, set up things for your users and your resources and make it fit within your environment, but you don't have responsibility for the care and maintenance of the systems that actually provide those services.
As a matter of fact, you don't have access to those. So that would be, you know, one of the ways that the Cloudflare One solution from Cloudflare is able to, you know, kind of remove that piece of the threat surface or the attack surface, if you will, right?
The other approach or the other thought about this is, you know, Cloudflare One, it's a Zero Trust solution, and we really follow that principle of least privilege.
A user, when they are authenticated, they're authorized for access to the resources they need to do their job.
They're not actually, you know, given access to kind of, you know, here's access to a network and anything you find on that network is open for you, right?
So the principle of least privilege that comes with Zero Trust really helps to constrain or constrict that blast radius if something does go wrong, right?
There's, you know, we limit that lateral movement.
Users, you know, bad actor if they're able to, you know, break through a user's authentication or masquerade as a user, they do gain access.
They're not able to move laterally within that network environment, whether it's just researching the environment, trying to find out what's there or to carry out actual attacks.
So that's kind of what we wanted to offer up in that blog, a different point of view about, you know, the type of things that we saw in the news, the CISA directives and things related to Ivanti, but also comparing that kind of legacy castle and moat, appliance-heavy type of solution to a security as a service or, you know, a SASE solution and a SASE platform that we offer from Cloudflare.
Yeah. Thanks for walking us through that.
There's so many things in there in terms of like, we've blogged so many times about, and really tried to get the message out there about how kind of that castle and moat model is, should be dead.
People should be moving to a least privileged model, Zero Trust model, because it truly offers them the most control over their assets, their resources, and protects their environments and their networks.
So it's kind of great that we're seeing this in the wild and we're kind of seeing it proven out.
Of course, it's not great that we're seeing this through vulnerabilities, but it is great that, you know, it's another reinforcement of like, hey, moving to least-privileged access is kind of the right thing to do.
And the other thing you mentioned there was like, because we're offering this as a SaaS service, customers don't have to worry about that, like ongoing maintenance of appliances and devices.
And this kind of fits exactly with the theme that Grant Bourzikas, our CISO, put out there for this week, which is pretty much trying to do more with less.
Because there are many customers coming to us and they're talking about how they're either budget constrained or their security teams are overwhelmed with kind of everything that they're doing.
So having one less thing to manage, to maintain, to update, you know, helps them actually go focus on those things that really matter.
Right. No, that's a great point, Ankur.
That's around, you know, the companies, you know, security teams, IT infrastructure teams, they should focus on their services, their employees, their, you know, what they want to do in their environment and not have to worry about the care and maintenance of the equipment.
So, all right. Thank you, Ankur. Thanks for walking us through that, Dan.
And lastly, I want to turn it over to Steve, who's been waiting patiently.
Please intro yourself and just tell us a little bit about how we're helping out some current VeloCloud customers.
Thanks, Ankur. Yeah. My name is Steve Welham.
I'm based out of Seattle and I'm a product manager for our network services products.
So, whereas you just heard about the WARP client, which is about bringing users into Cloudflare One, which is our SASE and NaaS solution, I am product manager for cloud networking and interconnect, which is more usually about bringing sites and data centers and cloud networks into the same SASE fabric so that you can do self-hosted applications and connect your branch sites.
The product Magic WAN, which is part of Cloudflare One, is really about branch connectivity.
So, bringing customers that had historically used MPLS or SD-WAN to connect their branch sites to other branch sites, to users and VPN solutions.
We do this with Magic WAN, but we're doing it within a SASE fabric, which I'll touch on in a minute.
Where we started out with this blog was really around some empathy for customers that are with VMware today who are using VeloCloud, which is that SD-WAN solution.
And we start out just by going over some of the news and changes that these customers have endured over the past years, with the most recent being the Broadcom acquisition of VMware.
And I'll come back to that and just start by, like, we first of all set up the story around the evolution of SD-WAN here.
So, SD-WAN as a solution for connecting branches together has really now evolved to SASE, and it's more than a market rebranding exercise for vendors.
It's really a different approach to thinking holistically about how your trusted users are going to access your privileged private data and services, wherever those services are, anywhere in the world, often self-hosted, often SASE.
And so this is like any-to-any connectivity.
And if you were to step back and design the ideal solution for this, without latency hairpins, with a single policy defining the controls, but then with distributed enforcement, what you would get is what we've built with Cloudflare One.
What you wouldn't get is a solution that's cobbled together from appliances and so on.
I mean, the basis of our global network and backbone delivers any-to-any connectivity between all of these distributed users and services.
We don't host in public cloud because that's a destination, that's not a transit.
So, when we come back to the VeloCloud problem and what customers are facing there, I mean, most customers, IT staff, IT organizations, are doing regular vendor reviews, or recent announcements like an acquisition will prompt and trigger a vendor review.
And as an IT staff, when you decide to make a technology change from something like SD-WAN or MPLS to a SASE solution, or to replace an existing SASE solution, you're going to be making a cost of change analysis.
And that cost comes in many ways.
There's an incumbency and a gravity to stay where you are due to the time, focus, distraction, professional services you might need to engage, burning down existing license commitments.
And all of that friction to change, what we're announcing is really a number of services that help customers get over that hurdle and build that momentum.
Because in many times when we consider our incumbent solution, we can think forward into the future and know that once we're over that hurdle, we'll be in a better place.
And so what can we do? We've worked with hundreds of organizations to replace SD-WAN and MPLS with Magic WAN and upgrade to a SASE solution based around Cloudflare One.
And through that experience of helping customers, we've developed product education.
We have plans to help customers burn down their licenses on existing solutions.
We have reference architectures and accelerated rollout and professional services from our customer support teams.
So this blog is really about saying to customers that are going through this pain and enduring this, talk to us, we can help you through the friction, help you get over the hurdle and get to a better place.
Awesome. That sounds like a great wrap up there.
There's also one thing I did notice in the blog that I want to touch on really quick.
I saw you mentioned coffee shop networking. Could you just tell us a little bit about that?
Yeah. So this is a cool emerging notion that the idea that you can treat your branch sites basically as coffee shops.
So if you've got a large portion or any portion of your staff today that are able to do their job pretty much effectively, working from a coffee shop, Costa, Starbucks, whatever your favorite coffee shop is, I mean, that's effectively a site.
It has open, unsecured access, but you've got staff that are working effectively because they're running a Zero Trust WARP client on their laptop and that's what's protecting them.
So oftentimes that's a really attractive thing.
If I can, as an organization, make my branch sites look more like coffee shops, then they're lighter weight.
There's less to do there.
There's less to manage. I'm centralizing more in my data centers cloud and really centralizing the control down on the laptop client and its security.
So oftentimes it's kind of unachievable because we have these endpoints in our networks that we can't install the WARP client on.
This is things like printers and IoT devices, point of sale, building management, CCTV, security, legacy client-server apps, VoIP.
There are many. Fax machines even are still being used and run over VoIP networks.
So how do customers deal with those if they can't move those to a SaaS alternative or they can't put a ZTNA client on it?
And this is something that we're really well positioned to do because we have in Cloudflare One, with Magic WAN, this model of a light branch and heavy cloud.
And that means a light branch, very close to a coffee shop, very lightweight functionality happening on site.
All of the rich security, all of the centralized policy happening centrally within the SASE fabric.
So this really gives customers a transition strategy to that outcome.
We know what the future looks like. We've also got the ability to handle that long tail of kind of traditional legacy endpoints as well.
That's so cool. I remember actually when we deployed Magic WAN to our Cloudflare offices, we went through a bit of this transition of segmenting those devices, especially those IoT devices that you couldn't really install, say, a certificate on or have, say, login permissions, but you could give them their own path up to the Internet and have it completely segmented off from, say, the rest of everything else.
So it was really nice to see a bit of that coffee shop networking model of essentially controlling access at the point of the resources or the users and not having to worry about really what was flying left or right within the network.
Awesome. Thanks for sharing that, Steve. And with that, I want to actually wrap up our segment here today on Cloudflare TV.
Thank you all for joining and please stay tuned to our blog for our additional blog posts.
We have two more days left and I hope you guys enjoy. Bye. Bye now.