I’m always able to tell what a particular cloudflare product does/is in the first paragraph.
However for this one, I’m unable to even after reading the entire blogpost.
(edit) Is this like ZeroTier, Tailscale, BeyondCorp, etc.?
dfabulich|5 years ago
The most important thing to understand about Cloudflare One is that the name is marketing fluff. It does a bunch of things with a number of confusingly similar products. (Some of its features are provided by third-party "partners.")
The products are designed to be compatible, which is what the name "Cloudflare One" is designed to reflect, but there isn't just one product/feature being offered here. It's more of a vision statement than anything else.
What they're announcing is the compatibility of three previously released features:
1. Cloudflare WARP, their public VPN product for end users https://blog.cloudflare.com/1111-warp-better-vpn/
Note that despite being a "VPN," when WARP launched, it wasn't designed to connect to any company's internal corporate network. WARP is/was a "public VPN," the sort of thing an ordinary user would use to hide their IP address from web sites for privacy reasons. (Cloudflare claimed that WARP would also improve your network performance.)
2. Cloudflare Magic Transit, which is basically a reverse VPN product for on-premise datacenters, providing DDoS protection and packet filtering.
Magic Transit is kinda like Cloudflare's HTTP CDN product, but for all of a datacenter's traffic, geared toward IT professionals.
3. Cloudflare Network Interconnect (CNI), which lets you connect corporate offices to each other over Cloudflare's backbone infrastructure. Like Magic Transit, it was designed to allow IT staff to do traffic management and packet filtering.
Perhaps you'd have thought that these products would work together in some way, but they didn't, and now they kinda do.
Another bit of fluff that may have confused you is that they refer to this as a "Zero Trust" architecture, which sounds a little bit like BeyondCorp. IMO, this is basically a lie. BeyondCorp lets users connect to corporate resources behind a proxy, without a VPN.
If you squint and think of a VPN as a giant proxy, even traditional VPN solutions can seem like "Zero Trust," but that is not at all what anybody meant by that term.
What they are hoping to mitigate is the problem where anybody inside your VPN can access anything else they want inside your VPN, which is how most corporate VPNs work today. That sucks, but they're fixing this with a centralized, configurable, cloud-based VPN solution, which you have to trust.
basch|5 years ago
> BeyondCorp lets users connect to corporate resources behind a proxy, without a VPN.
BeyondCorp is about trusting nothing and allowing what is allowed. It's an inversion of being inside or outside the network, in that everyone is outside. When they say "without a VPN" what they mean is that you aren't connecting to inside the trust and then gaining access to everything.
This product from Cloudflare, by integrating with an identity manager, is offering that same kind of deny-by-default, allowlist-type paradigm. Whether or not it is VPN tech is a bit irrelevant, and misses the point of BeyondCorp. Google's implementation was a proxy by choice, but it's not the only way to accomplish the same idea. I get that you get that, but drawing the BeyondCorp/not-BeyondCorp line at VPN/proxy is missing the forest for the trees.
acdha|5 years ago
> Another bit of fluff that may have confused you is that they refer to this as a "Zero Trust" architecture, which sounds a little bit like BeyondCorp. IMO, this is basically a lie. BeyondCorp lets users connect to corporate resources behind a proxy, without a VPN.
I thought this was referring to the combination of Access (identity constraints on connections) and the tunnel system and your app servers only connect outbound to the CDN nodes, forcing all connections to be made through Access. That seems like zero-trust to me, doesn’t it?
api|5 years ago
> What they are hoping to mitigate is the problem where anybody inside your VPN can access anything else they want inside your VPN, which is how most corporate VPNs work today. That sucks, but they're fixing this with a centralized configurable cloud-based VPN solution, in which you have to trust.
This can also be accomplished with rules and micro-segmentation of various types.
api|5 years ago
ZeroTier is a true "global LAN," basically SD-WAN everywhere, emulates layer 2, and has a rules engine, but does not yet have the IAM integrations that some others have. Guts are very powerful but GUI is more minimal and less mature (as of now).
Tailscale is a WireGuard configurator and P2P hole puncher with IAM integrations and a nice GUI. Runs at layer 3 so it can't do some things that ZeroTier can do, but most stuff runs over IP so only some segments of the market care.
BeyondCorp is more of a concept. Google has their own implementation of it and so do many others.
I too have trouble wrapping my head around this technically speaking. I get the sense that it's basically something that puts your WAN over Cloudflare's network and lets you do access control everywhere in the cloud, which would make it closer to the now-defunct Pertino or some cloud-backhaul-based SD-WAN solutions... but that's probably only a part of it. "One" here seems to refer to "one" bundle of a whole bunch of things.
basch|5 years ago
SASE is the new buzzword for a SaaS Threat, Identity, Firewall, SD-WAN, Access Rights, Remote Access bundle. The picture in this article illustrates everything I would expect the suite/bundle to cover eventually. https://www.sdxcentral.com/security/sase/definitions/what-is...
It's a bit of a messy space for a couple of reasons. Every vendor who made any one of these products is quickly racing to become a kitchen sink through development and/or acquisition. At the same time, they are splitting up what was once bundled into components you can buy separately to piece into a larger puzzle. Because most companies already have relationships with multiple vendors providing these services, they are fighting each other to both create walled gardens AND SIMULTANEOUSLY interoperable, compatible components for larger multi-vendor buildouts. (Palo Alto buying CloudGenix SD-WAN, while at the same time being the leading supplier of on-edge firewall VMs for VeloCloud devices. VeloCloud will both tell you that you can run Palo Alto, Zscaler, or Check Point, but also that they have in-house Carbon Black. What risk are you taking by integrating two vendors that are both trying to crush each other, despite the best-in-breed solution being part of each of their products?) "We have Cisco for this, so maybe Duo makes sense, but then that overlaps Okta, and that overlaps what we already get from Microsoft, which overlaps what we get from VMware, which is starting to overlap what we have from Palo Alto."
https://www.sdxcentral.com/articles/news/sase-acquisitions-d...
Anyone in the "Zero Trust" space is likely rebranding bundles as SASE. https://telegra.ph/ZeroTrust-Vendors-04-23
On the topic of Cloudflare: they have a leg up over EVERYBODY because they are building on top of WireGuard, and everybody else is stuck with legacy IPsec that they can't leave anytime soon. From a future-proofing perspective, if you don't already have commitments elsewhere, this is likely a VERY ATTRACTIVE bundle. One of the killer products buried in this is Cloudflare for Teams Access. No more need for AnyConnect. And like I said, most/all the other Zero Trust Access gateways either a) only come in a bundle with other products, b) are a me-too product offered by a vendor that specializes in something else, or c) are IPsec. https://www.cloudflare.com/teams/access/
So like everything else in the networking space it's a mess of overloaded terms with multiple meanings and tangled concepts all trying to hit as many buzzwords as possible...?