Category Archives for "Networking"

MPLS to Zero Trust in 30 days

Employees returning to the office are finding that their corporate networks are much slower than what they’ve been using at home. It’s partly due to outdated line speeds, and partly due to security requirements that force all traffic to be backhauled through centralized data centers. While 44% of the US currently has access to fiber-based broadband Internet with speeds reaching 1 Gbps, many MPLS sites are still on old 1.5 Mbps circuits. This is a reality check and a reminder that the current MPLS-based networks are unable to support the shift from centralized applications in the datacenter to a distributed SaaS and hybrid multi-cloud world.

In this post, we are going to outline the steps required to take your network from MPLS to Zero Trust. But, before we do — a little about how we ended up in this situation.

Enterprise networks today

Over the past 10 years, most enterprise networks have evolved from perimeter hub and spoke networks into franken-networks as a means to solve connectivity and security issues. We have not had a chance to redesign them holistically for distributed application access. The band-aid and point solutions have only pushed the problems further down […]

Announcing the Cloudflare One Partner Program

Today marks the launch of the Cloudflare One Partner Program, a program built around our Zero Trust, Network as a Service and Cloud Email Security offerings. The program helps channel partners deliver on the promise of Zero Trust while monetizing this important architecture in tangible ways – with a comprehensive set of solutions, enablement and incentives. We are delighted to have such broad support for the program from IT Service companies, Distributors, Value Added Resellers, Managed Service Providers and other solution providers.

This represents both a new go-to-market channel for Cloudflare, and a new way for companies of all sizes to adopt Zero Trust solutions that have previously been difficult to procure, implement and support.

The Cloudflare One Partner Program consists of the following elements:

  • New, fully cloud-native Cloudflare One product suites that help partners streamline and accelerate the design of holistic Zero Trust solutions that are easier to implement. The product suites include our Zero Trust products and Cloud Email Security products from our recent acquisition of Area 1 Security.
  • All program elements are fully operationalized through Cloudflare's Distributors to make it easier to evaluate, quote […]

How To Reference Nested Python Lists & Dictionaries

This post originally appeared in the Packet Pushers’ Ignition site on March 10, 2020. When getting data back from API queries in Python, the data is often delivered in JSON format. Python libraries such as requests will convert that JSON data structure into a Python-native data structure you can work with. That Python data structure […]

The post How To Reference Nested Python Lists & Dictionaries appeared first on Packet Pushers.

Private 5G promising for enterprises, but growth stymied by pandemic, lack of hardware

Private 5G networks promise to offer low latency, high reliability, and support for massive numbers of connected devices, but enterprise deployment has been slower than expected, experts say, due to the pandemic and a slow-to-evolve device ecosystem. IDC reports that the global private LTE and 5G wireless infrastructure market totaled $1.8 billion in revenue in 2021 and will increase to $8.3 billion by 2026, but that spending will grow "slower than expected" in the next couple of years.

VLAN Module in netsim-tools Is Complete

One of the last things I did before starting the 2022 summer break was to push out the next release of netsim-tools.

It includes support for routed VLAN subinterfaces (needed to implement router-on-a-stick) and routed VLANs (needed to implement multi-hop VRF lite), completing the lengthy (and painful) development of the VLAN configuration module. Stefano Sasso added VLAN support for Mikrotik RouterOS and VyOS, and Jeroen van Bemmel completed VLAN implementation for Nokia SR Linux. Want to see VLANs on other platforms? Read the contributor guidelines and VLAN developer docs, and submit a PR.

I’ll be back in September with more blog posts, webinars, and cool netsim-tools features. In the meantime, automate everything, get away from work, turn off the Internet, and enjoy a few days in your favorite spot with your loved ones!

Linux Foundation works toward improved data-center efficiency

Organizations exploring the use of data-processing units (DPU) and infrastructure processing units (IPU) got a boost this week as the Linux Foundation announced a project to make them integral to future data-center and cloud-based infrastructures. DPUs, IPUs, and smartNICs are programmable networking devices designed to free up CPUs for better performance in software-defined cloud, compute, networking, storage and security services.

Day Two Cloud 152: How To Right-Size Access With strongDM (Sponsored)

Welcome to Day Two Cloud. In this episode we take on the problem of over-provisioning access to resources. Sponsor strongDM joins the conversation to share how to properly manage roles and access in our IT systems, focusing heavily on the process of discovery. Who has access to what, and why do they have that access? Our guest from strongDM is Britt Crawford, Director of Product.

Embedding Client IP In DNS Requests: EDNS Client Subnet (ECS)

This post originally appeared on the Packet Pushers Ignition site on December 10, 2019. DNS is sometimes used to optimize traffic between client and server. That is, a client needs to connect to a server. Resolving the IP address of the server’s hostname is the first thing the client must do before making the […]

The post Embedding Client IP In DNS Requests: EDNS Client Subnet (ECS) appeared first on Packet Pushers.

Hedge 135: Simon Sharwood, China, and IPv6

Over the last several years, various Chinese actors (telecom operators and vendors) have been pushing for modifications to IPv6 to support real-time applications and other use cases. Simon Sharwood wrote an article over at the Register on their efforts and goals. This effort began with big IP, moved into new IP, and has been called many other names. These efforts are being put forward in various venues like the IETF, the ITU, etc. Simon Sharwood, who writes for the Register, joins Tom Ammon and Russ White to discuss these efforts.

Here is a recent article where Simon is discussing these issues.

Verify Apple devices with no installed software

One of the foundations of Zero Trust is determining if a user’s device is “healthy” — that it has its operating system up-to-date with the latest security patches, that it’s not jailbroken, that it doesn’t have malware installed, and so on. Traditionally, determining this has required installing software directly onto a user’s device.

Earlier this month, Cloudflare participated in the announcement of an open source standard called a Private Attestation Token. Device manufacturers who support the standard can now supply a Private Attestation Token with any request made by one of their devices. On the IT Administration side, Private Attestation Tokens mean that security teams can verify a user’s device before they access a sensitive application — without the need to install any software or collect a user’s device data.

At WWDC 2022, Apple announced Private Attestation Tokens. Today, we’re announcing that Cloudflare Access will support verifying a Private Attestation Token. This means that security teams that rely on Cloudflare Access can verify a user’s Apple device before they access a sensitive application — no additional software required.

Determining a “healthy” device

There are many solutions on the market that help security teams determine if a device is “healthy” and […]

How to augment or replace your VPN with Cloudflare

“Never trust, always verify.”

Almost everyone we speak to these days understands and agrees with this fundamental principle of Zero Trust. So what’s stopping folks? The biggest gripe we hear: they simply aren’t sure where to start. Security tools and network infrastructure have often been in place for years, and a murky implementation journey involving applications that people rely on to do their work every day can feel intimidating.

While there’s no universal answer, several of our customers have agreed that offloading key applications from their traditional VPN to a cloud-native Zero Trust Network Access (ZTNA) solution like Cloudflare Access is a great place to start—providing an approachable, meaningful upgrade for their business.

In fact, Gartner predicted that “by 2025, at least 70% of new remote access deployments will be served predominantly by ZTNA as opposed to VPN services, up from less than 10% at the end of 2021.”1 By prioritizing a ZTNA project, IT and Security executives can better shield their business from attacks like ransomware while simultaneously improving their employees’ daily workflows. The trade-off between security and user experience is an outmoded view of the world; organizations can truly improve both if they go […]

Introducing Private Network Discovery

With Cloudflare One, building your private network on Cloudflare is easy. What is not so easy is maintaining the security of your private network over time. Resources are constantly being spun up and down, and users are added and removed on a daily basis, which makes the network painful to manage.

That’s why today we’re opening a closed beta for our new Zero Trust network discovery tool. With Private Network Discovery, our Zero Trust platform will now start passively cataloging both the resources being accessed and the users who are accessing them without any additional configuration required. No third party tools, commands, or clicks necessary.

To get started, sign up for early access to the closed beta and gain instant visibility into your network today. If you’re interested in learning more about how it works and what else we will be launching in the future for general availability, keep scrolling.

One of the most laborious aspects of migrating to Zero Trust is replicating the security policies which are active within your network today. Even if you do have a point-in-time understanding of your environment, networks are constantly evolving with new resources being spun up dynamically for various operations. This results […]

Your First REST API Call In Python

This post originally appeared on the Packet Pushers’ Ignition site on June 10, 2020. Introduction In many automation scripts, you’ll be retrieving information via some sort of interface and then doing something with the data. The interface is often an API–application programmatic interface. For folks new to APIs, they might seem daunting, but they need […]

The post Your First REST API Call In Python appeared first on Packet Pushers.

Cloudflare recognized by Microsoft as a Security Software Innovator

Recently, Microsoft announced the winners for the 2022 Microsoft Security Excellence Awards, a prestigious classification in the Microsoft partner community. We are honored to announce that Cloudflare has won the Security Software Innovator award. This award recognized Cloudflare's innovative approach to Zero Trust and Security solutions. Our transformative technology in collaboration with Microsoft provides world-class joint solutions for our mutual customers.

Microsoft Security Excellence Awards

The third annual Microsoft Security awards celebrated finalists in 10 categories spanning security, compliance, and identity. Microsoft unveiled the winners of the Microsoft Security Partner Awards, voted on by a group of industry veterans, on June 6, 2022.

Through this award, Microsoft recognizes Cloudflare’s approach to constantly deliver the most innovative solutions for joint customers. Together with Microsoft, we have supported thousands of customers including many of the largest Fortune 500 companies on their Zero Trust journey, enabling customers to simply and easily support their security needs with faster performance.

Cloudflare has built deep integrations with Microsoft to help organizations take the next step in their Zero Trust journey. These integrations empower organizations to make customer implementations operationally efficient while […]

How to reduce cloud costs

The more workloads that you migrate to the cloud, the more difficult it becomes to predict monthly cloud costs. Cloud services vendors such as Amazon, Google and Microsoft can help organizations avoid capital costs for new hardware, but that doesn’t necessarily mean that you have made the most cost-effective decisions about the particular services that these and other cloud vendors offer. And while it is great that you’re only paying for the services you need, trying to parse your monthly bill requires the skills of a CPA, a software engineer, a commodities trader and a sharp eye for the details.

MLAG Deep Dive: Layer-3 Forwarding

The layer-2 forwarding and flooding in an MLAG cluster are intricate but still reasonably easy to understand. Layer-3 gets more interesting; its quirks depend heavily on layer-2 implementation. While most MLAG implementations exhibit similar bridging behavior, expect interesting differences in routing behavior.

We’ll have to expand the by-now familiar network topology to cover layer-3 edge cases. We’ll still work with two switches in an MLAG cluster, but we’ll have an external router attached to both of them. The hosts connected to the switches belong to two subnets (red and blue).