Network-focused migration from VPN concentrators to Zero Trust Network Access · Cloudflare Reference Architecture docs

Over the past few years, the traditional approach of installing and maintaining hardware for remote access to private company networks has become neither secure nor cost effective. Due to an increase in vulnerabilities found in on-premises VPN products, security and IT teams are looking for solutions that do not require them to monitor for and respond to CVE alerts. These same systems also limit the user's bandwidth, because they route all user Internet traffic through a single piece of infrastructure, which results in a poor user experience. IT teams are recognizing that the cost and effort of installing and maintaining their own hardware can be offset by more modern, more secure, cloud-hosted services. User expectations for application performance are exposing the limitations of bandwidth-constrained, self-hosted VPN solutions. In summary, running your own VPN is expensive, high risk and does not deliver a great user experience.

Figure 1: A traditional VPN deployment, where all user traffic destined for the Internet must route through the company-hosted and managed VPN service.

As such, many organizations are looking to move to a zero trust security posture, using a Zero Trust Network Access (ZTNA) service as part of a Secure Access Service Edge (SASE) architecture to provide remote access to private resources. With all the critical software running as a cloud service, organizations are relieved of the duty of keeping servers and software up to date. Cloud platforms are also architected for massive scale, which significantly increases the bandwidth available to end users and therefore improves their experience.

Figure 2: SASE platforms do not degrade the user's Internet access experience, and provide fast, secure global access to self-hosted resources.

In the old model, the VPN hardware had direct access to the network the applications reside on, and typically users had access to the entire network. Newer SASE methods of remote access create connectivity from the cloud platform to the network where the applications live, but expose access only to specific applications or network addresses. Cloudflare's recommended approach is to install software agents, similar to those on end user devices, that create secure tunnels from the cloud to the private network. However, this is not always an easy path to take. For network administrators trying to quickly replace legacy remote access hardware, having to deploy new servers, or go through lengthy change control to deploy software onto existing application servers, may not be possible in an acceptable time frame. Instead, network administrators might be more familiar with, and have more control over, creating secure tunnels from the cloud SASE platform to existing network hardware using familiar protocols such as GRE or IPsec. This might even mean using the same hardware appliances that were being used for VPN access, but reducing them to secure tunnel connectors and switching off (or removing the licenses for) any expensive and vulnerable remote access capability.

This design guide is for organizations in that situation, where they need a fast way to quickly replace or mitigate their use of self hosted remote access hardware and then gradually move to the recommended software agent approach where appropriate.

Audience for this guide

This guide is specifically aimed at network architects or IT admins who want to use familiar protocols and leverage existing network hardware, potentially the same equipment used for current VPN services, but wish to use those devices as tunnel termination devices and move the VPN and access controls into the cloud as part of a longer term migration away from managing their own hardware.

Who is this document for and what will you learn?

This guide is written for network and security experts considering a replacement of their current VPN vendor, while preparing their organization for a zero trust or SASE architecture. It assumes familiarity with networking concepts such as IPsec tunnels, routing tables and split tunneling.

What you will learn:

  • How Cloudflare can replace a traditional VPN-like implementation
  • How to get visibility into VPN network traffic
  • What you need to consider to implement a Cloudflare solution at scale
  • Steps to take to move to a recommended Zero Trust Network Access implementation

The solution this guide describes requires you have a contract with Cloudflare that includes:

  • Cloudflare One licenses for the number of users you are looking to onboard
  • Cloudflare Magic WAN

To build a strong baseline understanding of Cloudflare, we recommend the following resources:

  1. What is Cloudflare? | Website (five-minute read) or video (two minutes)
  2. Blog: What is SASE? | Secure access service edge | Cloudflare (14-minute read)
  3. Reference architecture: Evolving to a SASE architecture with Cloudflare (three-hour read)

Benefits of a SASE platform

Traditional VPN approaches typically provide the following types of access.

  • Allowing remote users access to self hosted private applications running on a corporate network
  • Routing all user Internet traffic through a single, concentrated VPN access point where security policies are applied

A SASE platform replaces traditional VPN hardware by offering two key services. First, it maps user access directly to internal applications hosted on the corporate network or in the cloud, unlike hosting your own VPN service, which typically provides broad access to the entire corporate network. Second, it enables filtering of Internet traffic close to the user, allowing users to securely access the Internet without routing all traffic through the corporate network, thereby improving efficiency while maintaining security.

Zero Trust Network Access (ZTNA)

Remote users authenticate and connect to a cloud hosted Zero Trust Network Access (ZTNA) service, which in turn has connectivity into the networks where the private applications reside. Cloudflare’s SASE reference architecture describes three methods for connecting Cloudflare to your existing applications and networks:

  1. Software connectors (cloudflared or WARP Connector)
  2. IPsec or GRE tunnels using Magic WAN
  3. Direct network connection using Cloudflare Network Interconnect

All three methods have their specific advantages, however, software connectors are usually preferred when considering a modern Zero Trust implementation for three reasons.

  1. They deliver a network connectivity model that is flexible and easy to replicate across environments. You can move the applications and servers with little to no changes in configuration.
  2. The software daemon architecture simplifies scaling to increased traffic demand: just install more agents on more servers.
  3. Because daemons run close to your applications (as opposed to at your network edge), you can build isolated network or application segments in which to enforce policy, preventing lateral movement and getting the full benefits of the zero trust model.

Traffic destined for the general Internet is routed via a cloud Secure Web Gateway (SWG). Policies are written that filter requests to malicious websites and allow access to SaaS applications based on user identity and device security posture.

Cloudflare's SASE reference architecture describes different methods for connecting user devices to Cloudflare; some require the installation of a device agent, others require only that the user point their web browser at a URL. In this document, because most traditional VPNs require some client software on the device, we describe a solution using the Cloudflare device agent.

In situations where existing remote access hardware is vulnerable and there is an urgent need to replace, speed is key. Also, the team tasked with moving away from existing VPN hardware might be more familiar with networks than installing software on servers. Trying to implement a full project to replace existing hardware with a radically different model, that is, deploying software agents, may take weeks rather than days. This guide walks through quickly removing or mitigating existing VPN solutions and then proposes later steps to take full advantage of using all aspects of a SASE platform.

This approach allows network and security teams to get up and running quickly, while gaining experience with modern zero trust deployments for remote access to internal applications. The added visibility into network traffic will also enable teams to gain insight into application usage, and to plan for a successful and secure zero trust migration.

This guide describes the following phases at a high level; if you need help with specific details relating to your environment, please contact Cloudflare.

  • Phase 1: Quickly replace existing traditional or vulnerable VPN hardware with cloud-based remote access, while gaining insight into application traffic.
  • Phase 2: Scaling up and offloading traditional IPsec tunnels.
  • Phase 3: Improving security posture by segmenting application access and enabling clientless access.

Phase 1: Connectivity and network-based policies

Consider an organization with global IT infrastructure: specifically, three data centers deployed in Europe, the USA and Asia, each with its own VPN service. To get the best performance, this VPN implementation requires employees to make a conscious decision to connect to one of the VPN clusters depending on their location. In this example all user Internet traffic is routed through the VPN service, where firewalls apply a level of security protecting users from the dangers of the general Internet.

Figure 3: A traditional VPN deployment using VPN concentrators spread across three DCs.

During this first phase, network connectivity will be created between user devices and the private networks they currently access via existing network infrastructure. This is achieved in two ways.

  • On employee devices install the Cloudflare device agent. This replaces the use of existing VPN client software.
  • Using existing network hardware in the data center, create IPsec tunnels to Cloudflare which are managed using Cloudflare Magic WAN service.

Both employee devices and data center networks will connect to their closest Cloudflare server. This is thanks to Cloudflare's anycast architecture, and it ensures the most optimal path for user traffic without any effort by employees or IT support staff. Users no longer need to choose which VPN service region to connect to, as Cloudflare will always ensure they connect to the closest and most responsive service for the best access performance to their private applications.

Connecting networks to Cloudflare

Figure 4 shows traffic from end user devices to Cloudflare and the tunnels routing traffic to the private data centers. When user traffic reaches the closest Cloudflare access point, Cloudflare will route traffic destined for private applications directly to the data center, while processing Internet-bound traffic through Cloudflare's Secure Web Gateway (SWG). It is possible to leverage existing DNS services to resolve requests for private addresses using Cloudflare Gateway DNS policies. Magic WAN is used to create the IPsec tunnels between Cloudflare and the data centers, and is configured with static routes that determine how traffic reaches each existing network and application.

Figure 4: A high level design of Cloudflare traffic routing for phase 1 of the migration.

By using existing network or security appliances to terminate IPsec tunnels, secure off-ramps can be created with limited impact on the current infrastructure. These IPsec tunnels also allow for outbound server-initiated traffic to continue flowing. However, depending on the scale of the deployment, the existing appliances might run into bandwidth limitations. It is best to consider this first phase a ‘pilot’ or low-scale deployment to get up and running quickly and validate user-application connectivity. The next phase will improve on the design using the insights gathered during this phase.

With such a design in place, Cloudflare will be able to filter traffic based on the identity of the requesting user. For example, users who have authenticated to the corporate identity provider and are members of the "Engineering" group will be allowed access only to the internally hosted source code repository. Furthermore, the user's device may need to pass certain posture checks before connecting. There are example network policies in the Zero Trust documentation you can use as a reference. In essence, this will enable you to define network access policies using user identities instead of their associated IP address ranges. Getting rid of traditional 5-tuple ACLs will be a first step towards a zero trust model.
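The following is an added example, not code from this guide and not Cloudflare's policy engine. It contrasts the 5-tuple ACL being retired with the identity- and posture-based network policy described above: the same destination (the source code repository), but the decision is driven by who the user is, which groups the IdP reports and whether the device passes posture checks, not by which source range the packet came from. The flow records, group names, posture check names and rule fields are constructed for illustration; real Gateway network policies are authored in the Zero Trust dashboard or API. The same rule shape also scopes access to a single port, which is what the per-application segmentation in phase 3 relies on.

```python
"""Identity-based network policy evaluation next to a legacy 5-tuple ACL.

Added example, not Cloudflare's policy engine and not code from this guide. The
flow records, group names, posture check names and rule fields are constructed
to illustrate the selectors the page describes; real Gateway network policies
are authored in the Zero Trust dashboard or API.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One session as the gateway sees it: who, on what device, going where."""
    user: Optional[str]      # identity from the IdP; None when unauthenticated
    groups: frozenset        # group claims imported from the IdP
    posture: frozenset       # posture checks the device currently passes
    src_ip: str              # WARP-assigned client address in 100.96.0.0/12
    dst_ip: str
    dst_port: int
    proto: str               # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    """A network policy line; the first matching rule decides, default is block."""
    name: str
    action: str                                  # "allow" or "block"
    dst_net: str                                 # destination CIDR selector
    ports: frozenset = frozenset()               # empty: any port
    proto: Optional[str] = None                  # None: any transport
    groups: frozenset = frozenset()              # empty: no group requirement
    require_posture: frozenset = frozenset()     # every listed check must pass

    def matches(self, f: Flow) -> bool:
        if ip_address(f.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.ports and f.dst_port not in self.ports:
            return False
        if self.proto and f.proto != self.proto:
            return False
        if self.groups and not (self.groups & f.groups):
            return False
        return self.require_posture <= f.posture


def evaluate(rules, f: Flow) -> str:
    """Unauthenticated flows never reach the rules; otherwise first match wins, else block."""
    if f.user is None:
        return "block"
    for r in rules:
        if r.matches(f):
            return r.action
    return "block"


def legacy_acl(src_ip: str, dst_ip: str, dst_port: int, proto: str) -> str:
    """The 5-tuple ACL being replaced: anything on the office range may reach the repo,
    so a stolen laptop or a compromised workstation on that range passes as well."""
    on_office_lan = ip_address(src_ip) in ip_network("192.168.10.0/24")
    to_repo = ip_address(dst_ip) == ip_address("10.20.56.10") and dst_port == 443 and proto == "tcp"
    return "allow" if on_office_lan and to_repo else "block"


# Constructed rule set: identity and device posture replace the source address range.
RULES = [
    Rule("engineering-to-repo", "allow", "10.20.56.10/32", frozenset({443}), "tcp",
         groups=frozenset({"Engineering"}),
         require_posture=frozenset({"disk-encrypted", "os-version-ok"})),
    Rule("everyone-to-intranet-web", "allow", "10.20.10.0/24", frozenset({443}), "tcp",
         require_posture=frozenset({"disk-encrypted"})),
    Rule("block-rest-of-dc", "block", "10.0.0.0/8"),
]


def demo() -> dict:
    """Evaluate constructed flows; returns the decision for each case."""
    good = frozenset({"disk-encrypted", "os-version-ok"})
    eng = frozenset({"Engineering"})
    fin = frozenset({"Finance"})
    cases = {
        "engineer_https":       Flow("alice@example.com", eng, good, "100.96.1.7", "10.20.56.10", 443, "tcp"),
        "engineer_bad_posture": Flow("alice@example.com", eng, frozenset({"disk-encrypted"}), "100.96.1.7", "10.20.56.10", 443, "tcp"),
        "engineer_ssh":         Flow("alice@example.com", eng, good, "100.96.1.7", "10.20.56.10", 22, "tcp"),
        "finance_repo":         Flow("bob@example.com", fin, good, "100.96.2.9", "10.20.56.10", 443, "tcp"),
        "finance_intranet":     Flow("bob@example.com", fin, good, "100.96.2.9", "10.20.10.5", 443, "tcp"),
        "unauthenticated":      Flow(None, frozenset(), frozenset(), "100.96.3.3", "10.20.10.5", 443, "tcp"),
    }
    result = {k: evaluate(RULES, v) for k, v in cases.items()}
    result["legacy_any_office_host"] = legacy_acl("192.168.10.55", "10.20.56.10", 443, "tcp")
    return result


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:24s} {decision}")
```

Note the ordering: the explicit `block-rest-of-dc` catch-all is what makes an engineer on a device that fails a posture check fall through to a block rather than being picked up by a broader allow further down, so keep catch-all blocks last and keep allows as narrow as the page's "only the source code repository" wording implies.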

Now that we have connected your network to Cloudflare, we need to get traffic from employee devices to the Cloudflare network, which requires the device agent. When the agent is initially installed, users are prompted to authenticate via an identity provider (IdP) configured with Cloudflare. The IdP will ensure users authenticate using an existing identity, and can also import group membership information used in access policies. Device enrollment policies are used to ensure that only the right users, authenticated with the right method and using secure devices, can connect new devices to your organization's Cloudflare Zero Trust instance, before they even get access to any application.

Use device profiles to apply different device agent configurations to different users, or to the same users in different locations using Managed networks. For companies which do not route Internet traffic via their VPN server, device profiles allow you to configure the device agent to exclude Internet traffic from the Cloudflare tunnel and connect directly to the Internet. Note that this guide strongly recommends sending Internet-bound traffic via Cloudflare, where you have greater control over the security of that traffic. But you can selectively bypass Cloudflare for bandwidth-heavy traffic such as video conference calls.

Traffic from employees using the device agent destined for internal resources will have a source IP in the 100.96.0.0/12 range. This is a range from the RFC 6598 Carrier-grade NAT space (100.64.0.0/10), and it must be added as a route towards the tunnel in each data center region so that return traffic can flow back to these users; without it, replies follow the data center's default route and never reach the client. See the Magic WAN with WARP integration documentation for more information.

Deploying software connectors for DNS

Although this phase focuses on using the Magic WAN service and IPsec tunnels for the bulk of the employee traffic, the Cloudflare software connectors play a key role in DNS resolution of internal hostnames. Getting experience with using these software connectors will also help in the next phase, so efforts to define the processes to deploy and manage them should start in this first phase.

Cloudflare offers two types of software connectors:

As discussed in the introduction, cloudflared is the preferred method for Zero Trust Network Access, but it only supports inbound connectivity to your networks and application servers: any server-initiated connection will not go via the tunnel and instead follows the server's default network path. WARP Connector is designed to create tunnels that facilitate both inbound and outbound connectivity, but it does not currently have the same level of failover support and ease of configuration. For this guide, we discuss using cloudflared, as it supports the internal DNS use case described.

For large remote access use cases, Cloudflare recommends deploying connectors on dedicated hosts. See the System Requirements documentation for more deployment recommendations and server sizing. Where to deploy these servers depends on the access they need and on the internal firewall rules and segmentation of the network. Some customers start with their first deployment in their DMZ, while others install it deep in their network and evolve from there.

Installing cloudflared is best done in an automated manner, so we recommend deploying it using a virtualization technology such as Docker, or deploying it as VMware guests configured via Ansible. Preferably, as traffic over cloudflared tunnels increases, such systems can scale the deployment automatically based on real-time metrics collected from the hosts. cloudflared instances can be monitored using the Prometheus metrics endpoint. Prometheus is an HTTP-based monitoring and alerting system similar in functionality to SNMP, exposing metrics that can be polled from the resource to be monitored. Most monitoring systems on the market today support Prometheus as a format to collect the metrics needed for alerting and for automatically scaling the deployment.
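The following is an added example, not code from this guide or from cloudflared. It parses the Prometheus text exposition a cloudflared metrics endpoint returns and derives the two signals the paragraph above asks for: a health alert when an instance has lost HA connections, and a scale-out signal when concurrent requests climb. It also shows why alerting on cumulative counters is misleading and computes the error ratio between two scrapes instead. The scrape text is constructed; the metric names follow what cloudflared exposes on its metrics endpoint as far as the author knows, but verify them against the /metrics output of the version you run. The thresholds are assumptions chosen for illustration.

```python
"""Reading cloudflared's Prometheus metrics and deriving health and scaling signals.

Added example, not cloudflared code and not from this guide. The scrape text is
constructed; the metric names are the ones cloudflared exposes on its metrics
endpoint as far as the author knows, but verify them against the /metrics output
of the version you run. Thresholds are assumptions chosen for illustration.
"""
import re
from typing import Dict, Tuple

Metrics = Dict[Tuple[str, str], float]   # (metric name, raw label string) -> value

# Constructed scrape of one instance: three of the default four HA connections up.
SAMPLE_SCRAPE = """\
# HELP cloudflared_tunnel_ha_connections Number of active HA connections
# TYPE cloudflared_tunnel_ha_connections gauge
cloudflared_tunnel_ha_connections 3
# TYPE cloudflared_tunnel_total_requests counter
cloudflared_tunnel_total_requests 120450
# TYPE cloudflared_tunnel_request_errors counter
cloudflared_tunnel_request_errors 1210
# TYPE cloudflared_tunnel_concurrent_requests_per_tunnel gauge
cloudflared_tunnel_concurrent_requests_per_tunnel 850
"""

# Same instance one scrape interval later (constructed): 1000 new requests, 50 of them errors.
SAMPLE_SCRAPE_LATER = """\
cloudflared_tunnel_ha_connections 4
cloudflared_tunnel_total_requests 121450
cloudflared_tunnel_request_errors 1260
cloudflared_tunnel_concurrent_requests_per_tunnel 400
"""

LINE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)(\{.*\})?\s+(\S+)(?:\s+(\d+))?$")


def parse_exposition(text: str) -> Metrics:
    """Parse Prometheus text format: 'name{labels} value [timestamp]'; comments and blanks skipped."""
    out: Metrics = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unparseable metric line: {raw!r}")
        name, labels, value, _ts = m.groups()
        out[(name, labels or "")] = float(value)   # float() accepts NaN, +Inf, -Inf
    return out


def value(metrics: Metrics, name: str, default: float = 0.0) -> float:
    return metrics.get((name, ""), default)


def assess(metrics: Metrics, expected_ha: int = 4, max_concurrent: int = 500,
           max_error_ratio: float = 0.02) -> Dict[str, bool]:
    """Point-in-time checks on a single scrape.

    expected_ha is cloudflared's default of four HA connections per instance; fewer means
    the connector has lost redundancy and should alert before the last connection drops.
    """
    total = value(metrics, "cloudflared_tunnel_total_requests")
    errors = value(metrics, "cloudflared_tunnel_request_errors")
    return {
        "ha_degraded": value(metrics, "cloudflared_tunnel_ha_connections") < expected_ha,
        "scale_out": value(metrics, "cloudflared_tunnel_concurrent_requests_per_tunnel") > max_concurrent,
        "error_rate_high": (errors / total if total else 0.0) > max_error_ratio,
    }


def interval_error_ratio(prev: Metrics, cur: Metrics) -> float:
    """Error ratio over one scrape interval computed from the two counters.

    Counters are cumulative since process start, so a recent burst of errors is invisible
    in the lifetime ratio; the delta between scrapes is what should drive alerting. A
    counter that went backwards means cloudflared restarted, so the current value is the delta.
    """
    def delta(name: str) -> float:
        p, c = value(prev, name), value(cur, name)
        return c if c < p else c - p
    reqs = delta("cloudflared_tunnel_total_requests")
    return delta("cloudflared_tunnel_request_errors") / reqs if reqs else 0.0


if __name__ == "__main__":
    now, later = parse_exposition(SAMPLE_SCRAPE), parse_exposition(SAMPLE_SCRAPE_LATER)
    print(assess(now))
    lifetime = value(now, "cloudflared_tunnel_request_errors") / value(now, "cloudflared_tunnel_total_requests")
    print("lifetime error ratio:", round(lifetime, 4))
    print("interval error ratio:", interval_error_ratio(now, later))
```

In the constructed data the lifetime error ratio is about 1 percent and looks healthy, while the last interval ran at 5 percent; an autoscaler or SIEM rule should be fed the interval figure (which is what Prometheus' `rate()` over a counter gives you), not the raw counter.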

For more information about deploying cloudflared connectors at scale, refer to the Cloudflare Zero Trust documentation.

DNS resolution with Resolver Policies

As you can see in Figure 4, both DNS and general network traffic will flow from the employee device to Cloudflare. By default, the device agent forwards all DNS queries to Cloudflare for inspection and filtering based on DNS policies. This is great, because it allows administrators to configure DNS policies to block potential security threats and immediately start protecting employees as they go online. This also applies to situations where Internet traffic is excluded from the tunnel to Cloudflare, but the client still resolves hostname requests via Cloudflare's DNS services.

For internal domains, however, Cloudflare will need to know how to resolve them. This is where resolver policies come into play. After the DNS policies are applied to incoming DNS requests, customers can choose to forward requests for internal DNS hostnames to their internal DNS servers. For example, the domain example.local might be hosted on a DNS server running at 10.10.10.123. A resolver policy will make sure requests for hostnames part of that domain will be sent to that IP.

A tunnel exposing a route to the internal DNS server is needed. cloudflared should be deployed on a host that can route DNS traffic to 10.10.10.123. Requests for internal domains via the DNS gateway will then be redirected to this DNS server via the tunnel.
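The following is an added example, not code from this guide and not Cloudflare Gateway's resolver. It models the order of operations described above for a single query from a device agent: DNS policies are applied first, then a resolver policy decides whether the query goes to the internal DNS server through the cloudflared tunnel or to the default resolver. It also carries the two checks that bite in practice: zone matching must happen on a label boundary (`notexample.local` is not inside `example.local`), and a resolver policy is only useful if some cloudflared private network actually routes to the upstream address. The zone `example.local` and the resolver `10.10.10.123` come from the guide; the blocked zone, the second zone and the tunnel routes are constructed.

```python
"""DNS handling for a device agent query: Gateway DNS policies first, then resolver policies.

Added example, not Cloudflare Gateway code and not from this guide. The zone
example.local and resolver 10.10.10.123 come from the guide; the blocklist, the
second zone and the tunnel routes are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple


def in_zone(qname: str, zone: str) -> bool:
    """True for the zone apex and any name below it. Plain string suffix matching is wrong:
    'notexample.local' is not inside 'example.local'; match on a label boundary."""
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)


class ResolverPolicy:
    """Forward queries for `zone` to `upstream`, an internal DNS server reached over a tunnel."""
    def __init__(self, zone: str, upstream: str):
        self.zone, self.upstream = zone, upstream


def reachable_via(upstream: str, tunnel_routes: Iterable[str]) -> Optional[str]:
    """Which cloudflared private network route covers the upstream resolver, if any.

    A resolver policy pointing at an address no tunnel routes to fails silently; this is
    the check behind the page's requirement that cloudflared run on a host that can
    route DNS traffic to 10.10.10.123.
    """
    addr = ip_address(upstream)
    for prefix in tunnel_routes:
        if addr in ip_network(prefix):
            return prefix
    return None


def route_query(qname: str, blocked_zones: Iterable[str], policies: List[ResolverPolicy],
                tunnel_routes: Iterable[str], default: str = "gateway-public-resolver") -> Tuple[str, str]:
    """Decide what happens to one query.

    Returns ("block", zone) when a DNS policy matches, ("forward", upstream) when a resolver
    policy sends it to an internal server, ("misconfigured", upstream) when that server is not
    reachable through any tunnel, and ("forward", default) for everything else.
    """
    for zone in blocked_zones:                       # DNS security policies run first
        if in_zone(qname, zone):
            return ("block", zone)
    best: Optional[ResolverPolicy] = None
    for p in policies:                               # most specific (longest) zone wins when zones nest
        if in_zone(qname, p.zone) and (best is None or len(p.zone) > len(best.zone)):
            best = p
    if best is None:
        return ("forward", default)
    if reachable_via(best.upstream, tunnel_routes) is None:
        return ("misconfigured", best.upstream)
    return ("forward", best.upstream)


# Constructed configuration.
BLOCKED_ZONES = ["bad.example"]                         # stands in for a DNS security policy
POLICIES = [
    ResolverPolicy("example.local", "10.10.10.123"),     # internal zone from the guide
    ResolverPolicy("lab.example.local", "10.10.20.5"),   # more specific zone, different server
]
TUNNEL_ROUTES = ["10.10.10.0/24"]                        # private networks exposed by cloudflared


def demo() -> dict:
    queries = ["erp.example.local", "example.local.", "host.lab.example.local",
               "notexample.local", "login.bad.example", "www.cloudflare.com"]
    return {q: route_query(q, BLOCKED_ZONES, POLICIES, TUNNEL_ROUTES) for q in queries}


if __name__ == "__main__":
    for q, decision in demo().items():
        print(f"{q:26s} -> {decision}")
```

The `host.lab.example.local` case is the one to look for in your own configuration: the more specific resolver policy wins, but its upstream `10.10.20.5` sits outside every tunnel route, so the query would go nowhere. Add `10.10.20.0/24` as a private network on a tunnel (or point the policy at a reachable server) before enabling the policy.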

As steps are taken in this first phase and the first users will start accessing applications, the need for proper monitoring and logging will become apparent. Having visibility into the traffic flowing through Cloudflare will help with:

  • Operational activities such as troubleshooting by your support staff.
  • Monitoring for potential threats by a SOC, possibly using a security information and event management (SIEM) service.
  • Visibility into application traffic to see where potential security and performance improvements can be made (see also phase 2).

Cloudflare provides visibility at different levels, available through the dashboard or exported using Logpush. For traffic flowing over Magic WAN IPsec tunnels, Network Analytics can be found in the dashboard and through the GraphQL API. This will show sampled statistics of the traffic and can be used for trend and traffic flow analysis.

Next are more detailed network session logs that collect information on all network connections/sessions going through Cloudflare’s secure web gateway, including unsuccessful requests. These are followed by Gateway activity logs, which contain information about triggered policies as traffic gets inspected by the gateway engine. A combination of these logs will enable full visibility into all network flows, including users’ identities. Using this information, network and security teams can run their analysis on what type of traffic flows where, and use that to plan for the next steps.

Finally, for real-time alerting, Cloudflare Notifications can be configured for events such as IPsec and cloudflared tunnel health, as well as Cloudflare infrastructure status in general.

Phase 2: Scaling up and offloading IPsec

In most environments the IPsec termination points are limited in their throughput and sooner or later this could pose a problem when scaling up to the traffic across the entire business. The final step of phase 1 will provide you with insight into application traffic flow. Although you might not have been able to completely map your application landscape, you probably will have found some applications that cause significant load on the current IPsec tunnels.
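The following is an added example, not a Cloudflare tool and not code from this guide. It does the analysis the logging section of phase 1 and the paragraph above call for: take Gateway network session logs and work out which private subnets behind the IPsec tunnels carry the most allowed sessions, from how many users and on which ports, so you know which applications to move to cloudflared first and how narrowly their ports can be scoped. The log lines are constructed JSON records shaped like the Logpush `gateway_network` dataset; the field names used (`Datetime`, `Email`, `DestinationIP`, `DestinationPort`, `Protocol`, `Action`) are assumptions, so check them against your own export before relying on them.

```python
"""Mining Gateway network session logs for the traffic profile phase 2 needs.

Added example, not a Cloudflare tool and not from this guide. The records are
constructed JSON lines shaped like the Logpush gateway_network dataset; the field
names are assumptions and must be checked against a real export.
"""
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List

PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def _rec(ts, email, dst, port, proto="tcp", action="allow") -> dict:
    return {"Datetime": ts, "Email": email, "DestinationIP": dst,
            "DestinationPort": port, "Protocol": proto, "Action": action}


# Constructed sample: an ERP subnet hit by two users, an intranet server, one blocked SSH
# attempt, two Internet destinations and one RDP session to the Asia data center.
SAMPLE_LOGS = "\n".join(json.dumps(r) for r in [
    _rec("2024-05-01T08:00:01Z", "alice@example.com", "10.20.56.10", 443),
    _rec("2024-05-01T08:00:09Z", "alice@example.com", "10.20.56.10", 443),
    _rec("2024-05-01T08:01:12Z", "bob@example.com", "10.20.56.10", 443),
    _rec("2024-05-01T08:01:40Z", "bob@example.com", "10.20.56.12", 443),
    _rec("2024-05-01T08:02:03Z", "alice@example.com", "10.20.56.10", 443),
    _rec("2024-05-01T08:02:30Z", "carol@example.com", "10.20.10.5", 443),
    _rec("2024-05-01T08:03:15Z", "dave@example.com", "10.20.56.11", 22, action="block"),
    _rec("2024-05-01T08:03:50Z", "alice@example.com", "142.250.74.36", 443),
    _rec("2024-05-01T08:04:22Z", "carol@example.com", "10.30.1.1", 3389),
    _rec("2024-05-01T08:05:00Z", "bob@example.com", "93.184.216.34", 443),
])


def parse_logs(text: str) -> List[dict]:
    """One JSON object per line, as Logpush delivers them; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_private(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def summarize(records: List[dict]) -> dict:
    """Group allowed private sessions by destination /24; count blocked and Internet sessions aside."""
    per_subnet: Dict[str, dict] = defaultdict(lambda: {"sessions": 0, "users": set(), "ports": set()})
    blocked = internet = 0
    for r in records:
        if r["Action"] != "allow":
            blocked += 1          # never crossed a tunnel, so irrelevant for sizing
            continue
        if not is_private(r["DestinationIP"]):
            internet += 1         # handled by the Secure Web Gateway, not the tunnels
            continue
        subnet = str(ip_network(f"{r['DestinationIP']}/24", strict=False))
        entry = per_subnet[subnet]
        entry["sessions"] += 1
        entry["users"].add(r["Email"])
        entry["ports"].add((r["Protocol"], r["DestinationPort"]))
    return {"subnets": dict(per_subnet), "blocked": blocked, "internet": internet}


def migration_candidates(summary: dict, min_sessions: int = 2) -> List[dict]:
    """Subnets worth a dedicated cloudflared private network, busiest first."""
    out = []
    for subnet, e in summary["subnets"].items():
        if e["sessions"] >= min_sessions:
            out.append({"subnet": subnet, "sessions": e["sessions"],
                        "users": len(e["users"]), "ports": sorted(e["ports"])})
    return sorted(out, key=lambda c: c["sessions"], reverse=True)


if __name__ == "__main__":
    s = summarize(parse_logs(SAMPLE_LOGS))
    print(f"blocked={s['blocked']} internet={s['internet']}")
    for c in migration_candidates(s):
        print(c)
```

In the constructed data the only candidate is `10.20.56.0/24`, reached by two users exclusively on TCP 443: that is a subnet you can expose as a cloudflared private network in this phase and, in phase 3, lock down to HTTPS only. A real export over a few weeks will rank subnets the same way, with the `ports` set telling you how tight the protocol-level policy can be.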

Fortunately, most of these applications can be migrated one by one to the more scalable software connector based tunnels. Any application which does not rely on server-initiated traffic is eligible for this type of migration. With the experience gained during the initial deployment of cloudflared in phase 1:

  1. Deploy two or more cloudflared instances in the relevant environment (the USA data center in the example below).
  2. Add Private Networks to the tunnel to define routing and access that is scoped more specifically to the network and applications it handles traffic for. For example, expose the 10.20.56.0/24 subnet via the software connector tunnel, instead of the larger 10.20.0.0/16 exposed by the Magic WAN managed IPsec tunnel.
  3. Traffic from employees will now be routed via the software connector tunnel for the /24 subnet instead of the /16 route going over the IPsec tunnel, thereby offloading the reliance on the IPsec termination device.

Figure 5: An evolved phase 2 architecture diagram showing software connector based tunnels offloading (or replacing) the IPsec tunnels.

In some cases (such as the Asia data center above) this might mean that the IPsec tunnels are not needed anymore and software connectors become the sole connection into the infrastructure. In that case, the whole 10.30.0.0/16 subnet can be managed by cloudflared and the IPsec tunnel (and its related hardware) decommissioned. It is likely that this phase will be an ongoing effort: as more applications are mapped and traffic flows deemed eligible for software connector based tunnels, they will be migrated as needed.
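The following is an added example, not Cloudflare's routing implementation and not code from this guide. It models the two routing rules this phase and the 100.96.0.0/12 note in phase 1 rely on: longest prefix match, which is why a /24 advertised as a cloudflared private network takes traffic away from the /16 still carried by the Magic WAN IPsec tunnel without touching the IPsec route, and the return route each data center needs for the WARP client range. The prefixes, hop names and session counts are constructed from the guide's three-data-center example.

```python
"""Route selection between Magic WAN static routes and cloudflared private networks.

Added example, not Cloudflare's routing implementation and not code from this
guide. Prefixes, hop names and session counts are constructed from the guide's
three-data-center example.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str]   # (prefix, next hop)

# Phase 1: every private prefix is reached over the IPsec tunnels.
PHASE1_ROUTES: List[Route] = [
    ("10.10.0.0/16", "ipsec-europe"),
    ("10.20.0.0/16", "ipsec-usa"),
    ("10.30.0.0/16", "ipsec-asia"),
]

# Phase 2: a cloudflared private network for the ERP subnet in the USA, and
# cloudflared carrying the whole Asia range so that IPsec tunnel can be retired.
PHASE2_ROUTES: List[Route] = [
    ("10.10.0.0/16", "ipsec-europe"),
    ("10.20.0.0/16", "ipsec-usa"),
    ("10.20.56.0/24", "cloudflared-usa-erp"),
    ("10.30.0.0/16", "cloudflared-asia"),
]


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Longest prefix match; None when no route covers dst."""
    addr = ip_address(dst)
    best_len, best_hop = -1, None
    for prefix, hop in routes:
        net = ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, hop
    return best_hop


def sessions_per_hop(routes: List[Route], flows: List[Tuple[str, int]]) -> Dict[str, int]:
    """Attribute (destination, session count) pairs to the hop that would carry them.

    Destinations with no private route are Internet-bound and go to the Secure Web Gateway.
    """
    totals: Dict[str, int] = {}
    for dst, n in flows:
        hop = next_hop(routes, dst) or "internet-via-swg"
        totals[hop] = totals.get(hop, 0) + n
    return totals


# A data center's own routing table before and after adding the WARP client range.
# Without the 100.96.0.0/12 entry, replies to WARP users follow the default route
# and never come back through the tunnel.
USA_DC_BEFORE: List[Route] = [("10.20.0.0/16", "local"), ("0.0.0.0/0", "default-gw")]
USA_DC_AFTER: List[Route] = USA_DC_BEFORE + [("100.96.0.0/12", "tunnel-to-cloudflare")]


def reply_path(dc_routes: List[Route], client_ip: str) -> Optional[str]:
    """Where the data center sends a reply destined for a WARP client address."""
    return next_hop(dc_routes, client_ip)


if __name__ == "__main__":
    # Constructed session counts, the kind of figures the phase 1 logs give you.
    flows = [("10.20.56.10", 900), ("10.20.10.5", 100), ("10.30.4.4", 50), ("1.1.1.1", 10)]
    print("phase 1:", sessions_per_hop(PHASE1_ROUTES, flows))
    print("phase 2:", sessions_per_hop(PHASE2_ROUTES, flows))
    print("reply before:", reply_path(USA_DC_BEFORE, "100.96.1.7"))
    print("reply after: ", reply_path(USA_DC_AFTER, "100.96.1.7"))
```

With the constructed counts the `ipsec-usa` hop drops from 1000 sessions to 100 once the /24 is advertised by cloudflared, and the Asia IPsec hop disappears from the table entirely, which is the point at which its hardware can be decommissioned.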

Phase 3: Application-based policies

The first two phases of this guide have resulted in a design very similar to a traditional VPN leveraging VPN concentrators, where policy enforcement happens at the perimeter. Although we have done so for the reasons laid out in the introduction, the promise of a zero trust architecture is to improve security posture by defining small application or network segments for which security policies are applied as close to the resource as possible.

This phase is about making the resources exposed behind a tunnel smaller and more isolated, to prevent lateral movement within internal networks. You will be able to use the visibility gained in the previous phases to select an application (or set of applications) and its associated IP addresses, and to deploy a dedicated software connector instance for it. See the documentation on how to deploy connectors and expose private networks; in step 3 of that procedure, configure the IP address of the application.

Figure 6: Example phase 3 architecture, with tunnels deployed per application to improve security posture by reducing lateral movement within the data center.

Because each software connector instance will be dedicated to the application, it can be configured as the sole entry point. Traffic to and from the network segment where the application resides can be fully blocked off, preventing any internal lateral movement. All that is required is a valid outbound route to the Internet for the software connector to create the tunnel, and for the network or application to be reachable from the server the software connector is deployed on. The access controls do not just manage IP routing; they also apply at the protocol and port level. With this approach you can define access only to HTTPS on a server that may also be running SSH and other services, exposing specifically the application's port and nothing else.

In the example above, subnets X and Y are completely segmented from the rest of the data center. Traffic to the applications running in those subnets (10.10.45.1 and 10.20.56.1, respectively) can only flow through Cloudflare, with the associated authentication and authorization policies applied. A one-to-one deployment of software connectors is not always the right approach. You might have several applications running on a private network, and deploy multiple servers running cloudflared to handle traffic for those applications.

In addition to routing traffic for private IP addresses, cloudflared can expose internal applications via publicly resolvable hostnames. This makes it possible to connect to such applications without using any software on the device. This can be very useful for use cases where you are unable to install software on the device, such as giving application access to contractors or partners.

In the example below, erp.example.com is added as Public Hostname to the tunnel, routing traffic to port 80 and/or 443 to a specific IP address on the internal subnet Y. Access to this resource from the Internet is then protected using Cloudflare Access security policies which also rely on the IdP connection you’ve set up for onboarding your employees.

Figure 7: Adding a public hostname to a tunnel for clientless access to an internal application.

Not all applications will be suitable for this type of access. Only HTTP(S) applications, or applications that can be rendered in the browser such as SSH and VNC, are supported. To learn more about such a deployment and additional advanced options such as cookie settings, browser isolation and using the Access token in your application for authentication, see the self-hosted application documentation.

This design guide started out with a fairly traditional VPN environment with its common features, limitations and risks. By using a combination of the Cloudflare device agent on user devices and Magic WAN towards the data center networks, phases one and two described a low-risk design to migrate using existing technology and knowledge. This already brought benefits in terms of decommissioning VPN concentrators, improved network visibility and better performance for users accessing internal resources.

Phase three improved on the design by introducing identity-based network policies and smaller network segments with software connectors. This has further opened up the opportunity to offer other zero trust access models, such as clientless access for web applications and browser-rendered VNC or SSH sessions.

The flexibility of the Cloudflare connectivity cloud to connect any device, application and network enables this zero trust migration to be taken step by step, thereby reducing risk and allowing network and security teams to adapt their knowledge and architectures at the pace required by their organizations.