Cloudflare has added two new main features to its Cloudflare One network-as-a-service platform. Magic WAN enables organizations to connect their branch offices, data centers, cloud assets, and remote workers to Cloudflare's global network and use it as their own software-defined WAN. Magic Firewall is a firewall-as-a-service that allows organizations to enforce security policies on this new virtual network.
Changing network boundaries
Cloudflare One was initially launched in October. The platform follows a new network security model, which Gartner calls Secure Access Service Edge (SASE), in which traditional network security functions are delivered as cloud services in a unified way rather than on-premises through a multitude of hardware boxes and virtual appliances. This is a direct result of the increasing adoption of cloud-based services and cloud computing infrastructure in the past few years. More recently, the shift to working from home has put further strain on the traditional network architecture.
Cloudflare One has combined zero-trust access to cloud and on-premises applications through Cloudflare Access, web traffic filtering through Cloudflare Gateway, DDoS protection through Magic Transit, and private fiber links into Cloudflare’s network through Cloudflare Network Interconnect. Magic WAN now builds on this foundation and allows a company to use Cloudflare’s network as the central hub and backbone of a hub-and-spoke network architecture, where the spokes are branch offices, data centers, virtual private clouds (VPCs) and employees scattered around the world.
Traditionally, organizations have used a mesh routing technology called MPLS (Multiprotocol Label Switching) to link all of their sites and data centers through a telecommunications provider’s network. This is neither cheap nor easy to deploy, and it adds a lot of management complexity because network security policies and traffic filtering still need to be applied at each location through a combination of firewalls and other security devices.
What is Magic WAN?
With Magic WAN, Cloudflare aims to simplify this process. Cloudflare’s global Anycast network was built to provide high performance and availability for its core CDN business. The company has data centers in more than 200 cities in more than 100 countries/regions and peers locally at Internet exchange points. Wherever a branch or employee is located, there is very likely a nearby Cloudflare data center to connect to; from there the traffic is routed over Cloudflare’s private network and benefits from its performance optimization, intelligent routing and security.
With Magic WAN, organizations only need to establish an Anycast GRE tunnel from their office or data center to Cloudflare, and then they can define their private network and routing rules in the central dashboard. Cloudflare’s existing Argo Tunnel, Cloudflare Network Interconnect, and upcoming IPsec support can also be used to connect data centers and VPCs to its network, while roaming employees connect using Cloudflare WARP, a secure tunnel client built on the high-performance WireGuard VPN protocol.
This also solves the scalability and performance issues that organizations face when traditional VPN gateways and concentrators are suddenly confronted with a large number of remote employees because of the pandemic. Since Cloudflare’s network becomes the VPN gateway for the organization’s users, there is no need for split tunneling, where previously only part of a device’s traffic was routed through the office VPN because of the bandwidth or concurrent-connection limits of the company’s VPN gateway. Once in the Cloudflare network, traffic can be further filtered, and zero-trust access control policies can verify the identity, security posture and location of the device before allowing it to connect to the various company resources or applications.
What is Magic Firewall?
Magic WAN allows organizations to define a private company network within Cloudflare and connect existing sites, employees and assets to it, while Magic Firewall allows network administrators to control what types of traffic are allowed into and out of that network. For example, the network may include web servers that need to be reachable from the Internet on ports 80 (HTTP) and 443 (HTTPS), but SSH connections to these servers should be allowed only from inside the company network, or from certain company devices, for management purposes.
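The web-server policy described above, modelled as an ordered, first-match rule set with a default deny. This is an added illustration written for this article, not Cloudflare's Magic Firewall rule syntax or API; the address ranges are constructed examples.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: a minimal first-match firewall policy evaluator that
# models the scenario in the text (web open to the Internet, SSH only from
# inside the company or from a specific admin device). The rule format is
# this illustration's own, not Cloudflare's expression language.


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source CIDR, or "any"
    dst_ports: frozenset  # destination ports; empty set matches any port

    def matches(self, proto, src_ip, dst_port):
        if self.proto != "any" and self.proto != proto:
            return False
        if self.src != "any" and \
                ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dst_ports and dst_port not in self.dst_ports:
            return False
        return True


CORP_NET = "10.0.0.0/8"          # constructed: branch/office address space
MGMT_HOST = "203.0.113.10/32"    # constructed: one admin device on the Internet

# Order matters: the first matching rule decides, and the catch-all at the
# end denies everything the explicit allows did not cover (default deny).
POLICY = [
    Rule("allow", "tcp", "any", frozenset({80, 443})),   # public HTTP/HTTPS
    Rule("allow", "tcp", CORP_NET, frozenset({22})),     # SSH from inside
    Rule("allow", "tcp", MGMT_HOST, frozenset({22})),    # SSH from admin box
    Rule("deny", "any", "any", frozenset()),             # default deny
]


def evaluate(policy, proto, src_ip, dst_port):
    """Return the action of the first rule matching the flow ("deny" if none)."""
    for rule in policy:
        if rule.matches(proto, src_ip, dst_port):
            return rule.action
    return "deny"
```

Reordering the rules (for instance placing the default deny first) silently changes the outcome, which is why a cloud dashboard that shows one ordered policy for every site is easier to audit than per-site firewall boxes.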
Magic Firewall (available with Magic WAN by default) is designed to replace the individual firewall boxes deployed in branch offices or data centers with a single cloud-based dashboard, simplifying management and compliance audits. In the future, Cloudflare plans to launch cloud-based IDS/IPS and DLP offerings as part of Cloudflare One so that companies can replace those types of security devices as well.
To support integration of Magic WAN with the existing SD-WAN deployments that some organizations may already have, the company has established partnerships with networking and data center providers such as Arista Networks, Aruba Silver Peak, Digital Realty, and CoreSite.
“If you realize that the world is no longer about entering the office and connecting to the corporate network, then Cloudflare One is about how employees who can be located anywhere connect to the services they need to connect to, and how to ensure traffic security on the Internet,” Cloudflare’s CTO John Graham-Cumming told CSO. “It’s about putting together virtual networks in some way so that people, as well as devices and servers, use our network as a corporate network to communicate with each other in a secure way. It’s a combination of different things, part of which is the network aspect, but it also involves how to control access to the application, from where and from what device, how to authenticate and how to filter the work of these people. Therefore, it takes many of the original hardware devices and the like and moves them from the company network onto the Internet as a service.”