Cloudflare has added two new major features to its Cloudflare One network-as-a-service platform. Magic WAN allows organizations to connect their branch offices, data centers, cloud assets, and remote workers to its global network and use it as their own software-defined WAN. Magic Firewall is a firewall-as-a-service that allows organizations to enforce security policies on this new virtual network.
The shifting network perimeter
Cloudflare One, initially launched in October, is a platform that follows a new network security model Gartner describes as secure access service edge (SASE) where traditional network security functions are implemented as cloud services in a unified way rather than on-premises through a variety of hardware boxes and virtual appliances. This is a direct result of the growing adoption of cloud-based services and cloud computing infrastructure over the past few years and, more recently, the shift to working from home which has greatly challenged traditional network architectures.
Cloudflare One already combines zero-trust access to cloud and local applications with Cloudflare Access, web traffic filtering with Cloudflare Gateway, DDoS protection with Magic Transit and private fiber links into Cloudflare’s network with Cloudflare Network Interconnect. Magic WAN now comes to expand on that and allow companies to use Cloudflare’s network as the central hub and backbone in their hub-and-spoke network architecture, where the spokes are offices, datacenters, virtual private clouds (VPCs), and employees scattered around the world.
Traditionally, organizations have used a mesh routing technology called MPLS (multiprotocol label switching) to link all their various sites and datacenters through the networks of telecom providers. This is not cheap and easy to deploy and adds a lot of management complexities because network security policies and traffic filtering still need to be applied at each location through a combination of firewalls and other security appliances.
What is Magic WAN?
With Magic WAN, Cloudflare aims to simplify that. Cloudflare’s global Anycast network is already built for high performance and availability to serve its core CDN business. The company has data centers in more than 200 cities across over 100 countries with local peering at internet exchange points. Regardless of where branch offices or employees are located, chances are high they’ll always connect to a server close to them and then the traffic will be routed through Cloudflare’s private network efficiently benefiting from its performance optimizations, smart routing and security.
With Magic WAN organizations only need to set up Anycast GRE tunnels from their offices or datacenters to Cloudflare and they can then define their private networks and routing rules in a central dashboard. Cloudflare’s existing Argo Tunnel, Network Interconnect and soon IPsec can also be used to connect datacenters and VPCs to its network, while roaming employees will connect using Cloudflare WARP, a secure tunneling solution that’s built around the highly performant Wireguard VPN protocol.
This also solves the scalability and performance issues that organizations have faced with traditional VPN gateways and concentrators when they were suddenly faced with a large remote workforce due to the pandemic. Since Cloudflare becomes the VPN gateway for the organization’s users, there’s no need to do split tunneling like before where only some of their device traffic would get routed over the office VPN because of the bandwidth capacity or concurrent connections limitations of the company’s VPN gateway. Once inside the Cloudflare network, the traffic can then be further filtered and zero-trust access control policies can be enforced to verify the identity of the device, its security posture, and location before allowing it to connect to various corporate resources or applications.
What is Magic Firewall?
While Magic WAN allows defining a private corporate network inside Cloudflare and connecting existing sites, employees and assets into it, Magic Firewall allows network admins to control what type of traffic is allowed in and out of the network. For example, the network might include web servers that need to be accessible from the internet over ports 80 (HTTP) and 443 (HTTPS), but SSH connections to those servers should only be allowed from inside the corporate network or certain devices on the corporate network for administrative purposes.
Magic Firewall, which is available by default for Magic WAN, is meant to replace all the individual firewall boxes that are deployed in branch offices or datacenters with a single, cloud-based dashboard that simplifies management and compliance auditing. In the future, Cloudflare plans to launch cloud-based IDS/IPS and DLP solutions as part of Cloudflare One to allow companies to replace those types of security appliances as well.
For now, to support the integration of Magic WAN with existing SD-WAN deployments that some organizations might already have, the company has launched partnerships with on-ramp and data center providers such as Arista Networks, Aruba SilverPeak, Digital Realty, and CoreSite.
If you recognize that the world is no longer about going into an office and connecting to a corporate network, Cloudflare One is about how employees who could be located anywhere connect to the services that they need to connect to and how to secure their traffic out on the internet, John Graham-Cumming, Cloudflare’s CTO tells CSO. “It’s about putting together in a way, a virtual network so that people and devices and servers talk to each other in a secure way using our network as the corporate network. It’s a combination of different things, and part of it is the networking side, but it’s also about how you control access to applications, from where, from what device, how the authentication is done and then how you filter what those people are doing. So, it’s taking what was originally a lot of hardware appliances and things like that in a corporate network and putting them onto the internet as a service.”