Cloudflare Questions

Table of contents

• Cloudflare Help Center
• DNS
• Firewall
• Web Connection
• CF Tunnels
• Cloudflare Services for the Critical Infrastructure Defense Project
  • Cloudflare 1.1.1.2
  • Phishing, malware
  • Harden authoritative DNS infrastructure
  • Protect public applications from attack OWASP Top Ten, DDoS, account takeover, zero-day vulnerabilities

Cloudflare Help Center

DNS

• Implement the first item in the Critical Effort, set RBL external DNS resolver to the fastest DNS resolver, Cloudflare 1.1.1.2. No risk. Reduces phishing and malware
• Change Your Authoritative Nameservers
• 1.1.1.1 and WARP

"1.1.1.1 is a public DNS resolver operated by Cloudflare that offers a fast and private way to browse the Internet. Unlike most DNS resolvers, 1.1.1.1 does not sell user data to advertisers. In addition, 1.1.1.1 has been measured to be the fastest DNS resolver available."

"WARP is an optional app built on top of 1.1.1.1. WARP creates a secure connection between personal devices (like computers and smartphones) and the services you access on the Internet. While 1.1.1.1 only secures DNS queries, WARP secures all traffic coming from your device.

WARP does this by routing your traffic over the Cloudflare network rather than the public Internet. Cloudflare automatically encrypts all traffic, and is often able to accelerate it by routing it over Cloudflare’s low-latency paths. In this way, WARP offers some of the security benefits of a virtual public network (VPN) service, without the performance penalties and data privacy concerns that many for-profit VPNs bring."

Firewall

• Is on premises firewall necessary?
  • Yes. CF Magic Wan connected to on premises firewall using GRE or IPsec tunnels
  • Connect to Secure Web Gateway with Magic WAN
  • Cloudflare Firewall References:
  • Welcome to CIO Week and the Future of Corporate Networks
  • Magic Firewall

Web Connection

• Browse to Wordpress. What is the return path using CF?
  • User uses WARP to send Wordpress website request to CF. CF is a reverse proxy server. After a 1.1.1.1 DNS lookup, CF sends website request to Wordpress. CF receives return information from Wordpress and checks it before sending back to the user.

CF Tunnels

What is the on premisses CF tunnel end point?

• The on premisses firewall

How do users get to end point?

• Connect to the CF Gateway using WARP

Cloudflare Services for the Critical Infrastructure Defense Project

Cloudflare 1.1.1.2

• Deploy targeted DNS filtering and logging
  • Filter DNS on devices

Phishing, malware

• Cloudflare Gateway
  • Cloudflare Gateway

Harden authoritative DNS infrastructure

• DDoS of applications due to DNS outage
  • Cloudflare DNS
• Cloudflare DNS Firewall
  • Shield Your DNS Infrastructure From DDoS Attacks With Cloudflare's DNS Firewall

Protect public applications from attack OWASP Top Ten, DDoS, account takeover, zero-day vulnerabilities

• Cloudflare WAF

  • What is a Web Application Firewall (WAF)?

• Cloudflare DDoS Mitigation

  • DDoS Mitigation

• Require SSO and MFA on all applications and network connections Spearphishing, lateral movement

  • Cloudflare Access
    • Managing Cloudflare Account Access

• Protect infrastructure from attack Network-level DDoS and recon

  • Cloudflare Magic Transit
    • Magic Transit
  • Cloudflare Magic Firewall
    • Magic Firewall

• Inspect traffic for hidden threats Malware, ransomware

  • Cloudflare Gateway SWG
    • Secure web gateway (SWG)

• Scan email for threats Ransomware, phishing

  • Cloudflare Email security
    • Tackling Email Spoofing and Phishing

• Monitor scripts and other dependencies for malicious changes Exfiltration of sensitive user data, including login credentials

  • Cloudflare Page Shield
    • Page Shield is generally available

• Review security settings for misconfigurations Weak authentication, insecure encryption and DNS config

  • Cloudflare Security Center