A stronger bridge to Zero Trust

A stronger bridge to Zero Trust
A stronger bridge to Zero Trust

We know that migration to Zero Trust architecture won’t be an overnight process for most organizations, especially those with years of traditional hardware deployments and networks stitched together through M&A. But part of why we’re so excited about Cloudflare One is that it provides a bridge to Zero Trust for companies migrating from legacy network architectures.

Today, we’re doubling down on this — announcing more enhancements to the Cloudflare One platform that make a transition from legacy architecture to the Zero Trust network of the future easier than ever: new plumbing for more Cloudflare One on-ramps, expanded support for additional IPsec parameters, and easier on-ramps from your existing SD-WAN appliances.

Any on- or off-ramp: fully composable and interoperable

When we announced our vision for Cloudflare One, we emphasized the importance of allowing customers to connect to our network however they want — with hardware devices they’ve already deployed, with any carrier they already have in place, with existing technology standards like IPsec tunnels or more Zero Trust approaches like our lightweight application connector. In hundreds of customer conversations since that launch, we’ve heard you reiterate the importance of this flexibility. You need a platform that meets you where you Continue reading

Using Cloudflare Tunnel and Access with Postgres

Using Cloudflare Tunnel and Access with Postgres
Using Cloudflare Tunnel and Access with Postgres

For a long time we used the traditional method of accessing internal database clusters by SSHing to a bastion host. Due to the overhead and limitations of maintaining the SSH configuration, we’ve moved to using Cloudflare Tunnels combined with Cloudflare Access to dramatically improve the user experience and onboarding times related to database access.

How we used to work

Internally we rely heavily on PostgreSQL to power many services at Cloudflare – including Stream, Images and the Cloudflare Dashboard itself. We run our Postgres clusters on our own hardware within our data centers, and they are not accessible to the public Internet, including employee laptops.

When an employee requires access to one of these databases – be it for staging environments, incident management, or supporting production services – an SSH user account is required. This SSH account has limited access on a bastion host, purely for querying databases within the data center.

Using Cloudflare Tunnel and Access with Postgres

The pain we experienced

Provisioning an SSH account to these bastion hosts requires submitting a pull request to our main Infrastructure-as-Code git repository. For engineers this is a cumbersome process, and for non-engineers it is either an unnecessary learning experience, or a burden to whomever they have to Continue reading

Cloudflare integrates with Microsoft Intune to give CISOs secure control across devices, applications, and corporate networks

Cloudflare integrates with Microsoft Intune to give CISOs secure control across devices, applications, and corporate networks
Cloudflare integrates with Microsoft Intune to give CISOs secure control across devices, applications, and corporate networks

Today, we are very excited to announce our new integration with Microsoft Endpoint Manager (Intune). This integration combines the power of Cloudflare’s expansive network and Zero Trust suite, with Endpoint Manager. Via our existing Intune integration, joint customers can check if a device management profile such as Intune is running on the device or not and grant access accordingly.

With this expanded integration, joint customers can identify, investigate, and remediate threats faster. The integration also includes the latest information from Microsoft Graph API which provides many added, real-time device posture assessments and enables organizations to verify users' device posture before granting access to internal or external applications.

"In today’s work-from-anywhere business culture, the risk of compromise has substantially increased as employees and their devices are continuously surrounded by a hostile threat environment outside the traditional castle-and-moat model. By expanding our integration with Cloudflare, we are making it easier for joint customers to strengthen their Zero Trust security posture across all endpoints and their entire corporate network."
– Dave Randall, Sr Program Manager, Microsoft Endpoint Manager

Before we get deep into how the integration works, let’s first recap Cloudflare’s Zero Trust Services.

Cloudflare Access and Gateway

Cloudflare Access determines if Continue reading

Cloudflare Gateway dedicated egress and egress policies

Cloudflare Gateway dedicated egress and egress policies
Cloudflare Gateway dedicated egress and egress policies

Today, we are highlighting how Cloudflare enables administrators to create security policies while using dedicated source IPs. With on-premise appliances like legacy VPNs, firewalls, and secure web gateways (SWGs), it has been convenient for organizations to rely on allowlist policies based on static source IPs. But these hardware appliances are hard to manage/scale, come with inherent vulnerabilities, and struggle to support globally distributed traffic from remote workers.

Throughout this week, we’ve written about how to transition away from these legacy tools towards Internet-native Zero Trust security offered by services like Cloudflare Gateway, our SWG. As a critical service natively integrated with the rest of our broader Zero Trust platform, Cloudflare Gateway also enables traffic filtering and routing for recursive DNS, Zero Trust network access, remote browser isolation, and inline CASB, among other functions.

Nevertheless, we recognize that administrators want to maintain the convenience of source IPs as organizations transition to cloud-based proxy services. In this blog, we describe our approach to offering dedicated IPs for egressing traffic and share some upcoming functionality to empower administrators with even greater control.

Cloudflare’s dedicated egress IPs

Source IPs are still a popular method of verifying that traffic originates from a known organization/user when Continue reading

MPLS to Zero Trust in 30 days

MPLS to Zero Trust in 30 days
MPLS to Zero Trust in 30 days

Employees returning to the office are experiencing that their corporate networks are much slower compared to what they’ve been using at home. It’s partly due to outdated line speeds, and also partly due to security requirements that force all traffic to get backhauled through centralized data centers. While 44% of the US currently has access to fiber-based broadband Internet with speeds reaching 1 Gbps, many MPLS sites are still on old 1.5 Mbps circuits. This is a reality check and a reminder that the current MPLS based networks are unable to support the shift from centralized applications in the datacenter to a distributed SaaS and hybrid multi-cloud world.

In this post, we are going to outline the steps required to take your network from MPLS to Zero Trust. But, before we do — a little about how we ended up in this situation.

Enterprise networks today

Over the past 10 years, most enterprise networks have evolved from perimeter hub and spoke networks into franken-networks as a means to solve connectivity and security issues. We have not had a chance to redesign them holistically for distributed application access. The band-aid and point solutions have only pushed the problems further down Continue reading

Announcing the Cloudflare One Partner Program

Announcing the Cloudflare One Partner Program

This post is also available in 简体中文, 日本語, Deutsch, Français.

Announcing the Cloudflare One Partner Program

Today marks the launch of the Cloudflare One Partner Program, a program built around our Zero Trust, Network as a Service and Cloud Email Security offerings. The program helps channel partners deliver on the promise of Zero Trust while monetizing this important architecture in tangible ways – with a comprehensive set of solutions, enablement and incentives. We are delighted to have such broad support for the program from IT Service companies, Distributors, Value Added Resellers, Managed Service Providers and other solution providers.

This represents both a new go-to-market channel for Cloudflare, and a new way for companies of all sizes to adopt Zero Trust solutions that have previously been difficult to procure, implement and support.

The Cloudflare One Partner Program consists of the following elements:

  • New, fully cloud-native Cloudflare One product suites that help partners streamline and accelerate the design of holistic Zero Trust solutions that are easier to implement. The product suites include our Zero Trust products and Cloud Email Security products from our recent acquisition of Area 1 Security.
  • All program elements are fully operationalized through Cloudflare's Distributors to make it easier to evaluate, quote Continue reading

How To Reference Nested Python Lists & Dictionaries

This post originally appeared in the Packet Pushers’ Ignition site on March 10, 2020. When getting data back from API queries in Python, the data is often delivered in JSON format. Python libraries such as requests will convert that JSON data structure into a Python-native data structure you can work with. That Python data structure […]

The post How To Reference Nested Python Lists & Dictionaries appeared first on Packet Pushers.

Private 5G growth stymied by pandemic, lack of hardware

Private 5G networks promise to offer low latency, high reliability, and support for massive numbers of connected devices, but enterpise deployment has been slower than expected, experts say, due to the pandemic and a slow-to-evolve device ecosystem.IDC reports that the global private LTE and 5G wireless infrastructure market totaled $1.8 billion in revenue in 2021 and will increase to $8.3 billion by 2026, but that spending will grow "slower than expected" in the next couple of years.To read this article in full, please click here

Private 5G promising for enterprises, but growth stymied by pandemic, lack of hardware

Private 5G networks promise to offer low latency, high reliability, and support for massive numbers of connected devices, but enterpise deployment has been slower than expected, experts say, due to the pandemic and a slow-to-evolve device ecosystem.IDC reports that the global private LTE and 5G wireless infrastructure market totaled $1.8 billion in revenue in 2021 and will increase to $8.3 billion by 2026, but that spending will grow "slower than expected" in the next couple of years.To read this article in full, please click here

netlab VLAN Module Is Complete

One of the last things I did before starting the 2022 summer break was to push out the next netlab release.

It includes support for routed VLAN subinterfaces (needed to implement router-on-a-stick) and routed VLANs (needed to implement multi-hop VRF lite), completing the lengthy (and painful) development of the VLAN configuration module. Stefano Sasso added VLAN support for Mikrotik RouterOS and VyOS, and Jeroen van Bemmel completed VLAN implementation for Nokia SR Linux. Want to see VLANs on other platforms? Read the contributor guidelines and VLAN developer docs, and submit a PR.

I’ll be back in September with more blog posts, webinars, and cool netlab features. In the meantime, automate everything, get away from work, turn off the Internet, and enjoy a few days in your favorite spot with your loved ones!

VLAN Module in netsim-tools Is Complete

One of the last things I did before starting the 2022 summer break was to push out the next release of netsim-tools.

It includes support for routed VLAN subinterfaces (needed to implement router-on-a-stick) and routed VLANs (needed to implement multi-hop VRF lite), completing the lengthy (and painful) development of the VLAN configuration module. Stefano Sasso added VLAN support for Mikrotik RouterOS and VyOS, and Jeroen van Bemmel completed VLAN implementation for Nokia SR Linux. Want to see VLANs on other platforms? Read the contributor guidelines and VLAN developer docs, and submit a PR.

I’ll be back in September with more blog posts, webinars, and cool netsim-tools features. In the meantime, automate everything, get away from work, turn off the Internet, and enjoy a few days in your favorite spot with your loved ones!

Linux Foundation works toward improved data-center efficiency

Organizations exploring the use of data-processing units (DPU) and infrastructure processing units (IPU) got a boost this week as the Linux Foundation announced a project to make them integral to future data-center and cloud-based infrastructures.DPUs, IPUs, and smartNICs are programmable networking devices designed to free-up CPUs for better performance in software-defined cloud, compute, networking, storage and security services.To read this article in full, please click here

Linux Foundation works toward improved data-center efficiency

Organizations exploring the use of data-processing units (DPU) and infrastructure processing units (IPU) got a boost this week as the Linux Foundation announced a project to make them integral to future data-center and cloud-based infrastructures.DPUs, IPUs, and smartNICs are programmable networking devices designed to free-up CPUs for better performance in software-defined cloud, compute, networking, storage and security services.To read this article in full, please click here

Lawrence Livermore’s “El Capitan” To Take AMD’s Instinct APU Mainstream

In March 2020, when Lawrence Livermore National Laboratory announced the exascale “El Capitan” supercomputer contract had been awarded to system builder Hewlett Packard Enterprise, which was also kicking in its “Rosetta” Slingshot 11 interconnect and which was tapping future CPU and GPU compute engines from AMD, the HPC center was very clear that it would be using off-the-shelf, commodity parts from AMD, not custom compute engines.

Lawrence Livermore’s “El Capitan” To Take AMD’s Instinct APU Mainstream was written by Timothy Prickett Morgan at The Next Platform.

Day Two Cloud 152: How To Right-Size Access With strongDM (Sponsored)

Welcome to Day Two Cloud. In this episode we take on the problem of over-provisioning access to resources. Sponsor strongDM joins the conversation to share how to properly manage roles and access in our IT systems, focusing heavily on the process of discovery. Who has access to what, and why do they have that access? Our guest from strongDM is Britt Crawford, Director of Product.

Embedding Client IP In DNS Requests: EDNS Client Subnet (ECS)

This post originally appeared on the Packet Pushers Ignition site on December 10, 2019.   DNS is sometimes used to optimize traffic between client and server. That is, a client needs to connect to a server. Resolving the IP address of the server’s hostname is the first thing the client must do before making the […]

The post Embedding Client IP In DNS Requests: EDNS Client Subnet (ECS) appeared first on Packet Pushers.

Hedge 135: Simon Sharwood, China, and IPv6

Over the last several years various Chinese actors (telecom operators and vendors) have been pushing for modifications to IPv6 to support real-time applications and other use cases. Simon Sharwood wrote an article over at the Register on their efforts and goals. While this effort began with big IP, moved into new IP, and has been called many other names. These efforts are being put forward in various venues like the IETF, the ITU, etc. Simon Sharwood, who writes for the Register, joins Tom Ammon and Russ White to discuss these efforts.

Here is a recent article where Simon is discussing these issues.

download

Verify Apple devices with no installed software

Verify Apple devices with no installed software
Verify Apple devices with no installed software

One of the foundations of Zero Trust is determining if a user’s device is “healthy” — that it has its operating system up-to-date with the latest security patches, that it’s not jailbroken, that it doesn’t have malware installed, and so on. Traditionally, determining this has required installing software directly onto a user’s device.

Earlier this month, Cloudflare participated in the announcement of an open source standard called a Private Attestation Token. Device manufacturers who support the standard can now supply a Private Attestation Token with any request made by one of their devices. On the IT Administration side, Private Attestation Tokens means that security teams can verify a user’s device before they access a sensitive application — without the need to install any software or collect a user’s device data.

At WWDC 2022, Apple announced Private Attestation Tokens. Today, we’re announcing that Cloudflare Access will support verifying a Private Attestation token. This means that security teams that rely on Cloudflare Access can verify a user’s Apple device before they access a sensitive application — no additional software required.

Determining a “healthy” device

There are many solutions on the market that help security teams determine if a device is “healthy” and Continue reading

1 436 437 438 439 440 3,794