Introduction

Work in Progress

v0.3.0 - Mar 14, 2022


This website is about understanding and creating a Cloudflare Zero Trust proof of concept.


Navigating Website

Info

The website is organized into chapters. Each chapter is a separate page.


There are several methods for navigating through the chapters of the website.

The sidebar on the left provides a list of all chapters. Clicking on any of the chapter titles will load that page.

The sidebar may not automatically appear if the window is too narrow, particularly on mobile displays. In that situation, the menu icon (three horizontal bars) at the top-left of the page can be pressed to open and close the sidebar.

The arrow buttons at the bottom of the page can be used to navigate to the previous or the next chapter.

The left and right arrow keys on the keyboard can be used to navigate to the previous or the next chapter.

Top menu bar

The menu bar at the top of the page provides some icons for interacting with the website.

The icons themselves are not reproduced here; from left to right they do the following:

  • Opens and closes the chapter listing sidebar.
  • Opens a picker to choose a different color theme.
  • Opens a search bar for searching within the book.
  • Instructs the web browser to print the entire book.

Tapping the menu bar will scroll the page to the top.

Pressing the search icon in the menu bar, or pressing the S key on the keyboard, will open an input box for entering search terms. Typing some terms will show matching chapters and sections in real time.

Clicking any of the results will jump to that section. The up and down arrow keys can be used to navigate the results, and Enter will open the highlighted section.

After loading a search result, the matching search terms will be highlighted in the text. Clicking a highlighted word or pressing the Esc key will remove the highlighting.


Cloudflare Questions

Info

rbl q/a 2022-03-07


Cloudflare Help Center

DNS

"1.1.1.1 is a public DNS resolver operated by Cloudflare that offers a fast and private way to browse the Internet. Unlike most DNS resolvers, 1.1.1.1 does not sell user data to advertisers. In addition, 1.1.1.1 has been measured to be the fastest DNS resolver available."

"WARP is an optional app built on top of 1.1.1.1. WARP creates a secure connection between personal devices (like computers and smartphones) and the services you access on the Internet. While 1.1.1.1 only secures DNS queries, WARP secures all traffic coming from your device.

WARP does this by routing your traffic over the Cloudflare network rather than the public Internet. Cloudflare automatically encrypts all traffic, and is often able to accelerate it by routing it over Cloudflare’s low-latency paths. In this way, WARP offers some of the security benefits of a virtual private network (VPN) service, without the performance penalties and data privacy concerns that many for-profit VPNs bring."

Firewall

Web Connection

  • Browse to WordPress. What is the return path using CF?
    • The user uses WARP to send the WordPress website request to CF. CF acts as a reverse proxy: after a 1.1.1.1 DNS lookup, CF forwards the request to WordPress, receives the response from WordPress and checks it before sending it back to the user.

CF Tunnels

What is the on-premises CF tunnel end point?

  • The on-premises firewall

How do users get to end point?

  • Connect to the CF Gateway using WARP

Cloudflare Services for the Critical Infrastructure Defense Project

Cloudflare 1.1.1.2

Phishing, malware

Harden authoritative DNS infrastructure

Protect public applications from attacks: OWASP Top Ten, DDoS, account takeover, zero-day vulnerabilities

Cloudflare Cheat Sheet

Info

rbl q/a 2022-03-06

Eats their own dog food

Connectivity

  • The Cloudflare global network runs every service in every data center so users have a consistent experience everywhere. Customer traffic is processed at the data center closest to them, with no backhauling or performance tradeoffs.

Edge Network

  • Collects own and uses vendor antivirus
  • Bare metal builds
  • Commodity hardware tested and sourced from multiple vendors who build the servers to our specifications.
  • ARM
  • Network dual-port 25G
  • Linux
  • Open source firmware

Teams

  • Cloudflare Teams Access
    • Identity federation across multiple identity providers
    • Authentication and Authorization
    • Active Directory IPsec / GRE connection
  • modern VPN
  • WARP access
    • Configure with Device Management Platform
  • Cloudflare Gateway
    • Next-generation firewall
    • Replace onsite firewalls

WARP 1.1.1.1

  • Team gateway access
  • WireGuard protocol
  • Not a VPN to access restricted content

Zero Trust Network Access

  • Secure Remote Workforces
  • Deliver Zero Trust Network Access
  • Replace Virtual Private Networks (VPNs)
  • Protect Employees on the Internet
  • Stop Ransomware, Phishing & Data Loss
  • Manage Access for Contractors

Splunk

More products, more partners, and a new look for Cloudflare Logs

  • Gateway logs provide visibility into internet and web traffic, across all users, devices, and locations
  • Direct Splunk integration
  • “Organizations are in a state of digital transformation on a journey to the cloud. Most of our customers deploy services in multiple clouds and have legacy systems on premise. Splunk provides visibility across all of this, and more importantly, with SOAR we can automate remediation. We are excited about the Cloudflare partnership, and adding their data into Splunk drives the outcomes customers need to modernize their security operations.” — Jane Wong, Vice President, Product Management, Security at Splunk

Cloudflare 1.1.1.1 and WARP

Info

rbl q/a 2022-02-01


Give it a Test Drive:

  • After installing WARP, check whether it is connected to 1.1.1.1 by visiting the 1.1.1.1 Help page

  • If it works for you, consider distributing it to others in the company. It may fix performance and security issues for them, especially for people away from the office and for VPN users

Cloudflare Videos

Info

Videos


Videos

How Cloudflare Secures Remote Workforces

Cloudflare for Teams 101

Miscellaneous Cloudflare Links

Info

Miscellaneous Cloudflare Links


Why We Are Acquiring Area 1

Zero Trust

Info

Cloudflare Zero Trust


Zero Trust

Cloudflare Zero Trust documentation

Cloudflare Zero Trust replaces legacy security perimeters with our global edge, making the Internet faster and safer for teams around the world.

Zero Trust access for all of your applications.

  • Authenticate users on our global edge network
  • Onboard third-party users seamlessly
  • Log every event and request

A Secure Web Gateway to protect users and devices.

  • Enforce your company’s Acceptable Use Policy (AUP)
  • Block risky sites with custom blocklists and built-in threat intel
  • Enhance visibility and protection into SaaS applications

A fast and reliable solution for remote browsing.

  • Execute all browser code in the cloud
  • Mitigate the impact of attacks
  • Seamless, lightning-fast end user experience

Reference

Start from the Cloudflare Dashboard


Log on to Cloudflare and create an account.

Go to Cloudflare Zero Trust and create a Zero Trust account.

Go to Zero Trust Dashboard

  • Click Settings

  • Click General

  • Edit Team domain for a different domain

    your-team-name.cloudflareaccess.com

Install the WARP client on your devices

If you want to enable security features such as Browser Isolation, HTTP filtering, AV scanning, and device posture, or connect networks to Cloudflare, here are the next steps you need to take:

  1. Set up a login method. Configure One-time PIN or connect a third-party identity provider on the Zero Trust Dashboard. This is the login method your users will utilize when authenticating to add a new device to your Zero Trust setup.

  2. Next, define device enrollment permissions. Create device enrollment rules to define which users in your organization should be able to connect devices to your organization’s Zero Trust setup. As you create your rule, you will be asked to select which login method you would like users to authenticate with.

  3. Install the Cloudflare root certificate on your devices. Advanced security features including HTTP traffic inspection require users to install and trust the Cloudflare root certificate on their machine or device. If you are installing certificates manually on all your devices, these steps will need to be performed on each new device that is to be subject to HTTP filtering.

  4. Download and deploy the WARP client to your devices. Choose one of the different ways to deploy the WARP client, depending on what works best for your organization.

  5. Log in to your organization’s Cloudflare Zero Trust instance from your devices where WARP is running. On your device, navigate to the Settings section in the WARP client and insert your organization’s team name.

  6. Enable the Proxy setting in the Teams Dashboard. Navigate to Settings > Network and enable the Proxy setting. This will allow you to create Network policies.

  7. Enable TLS decryption in the Teams Dashboard. In the Settings > Network page, enable the TLS decryption switch. This will allow you to start routing your HTTP traffic to Gateway. You can also choose to enable the FIPS compliance setting.

Your devices are now connected to Cloudflare Zero Trust through the WARP client, and you can start enforcing security measures on your traffic and access requests.
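Both the "Give it a Test Drive" note (visit the 1.1.1.1 Help page) and the enrollment steps above end with the same question: is this device's traffic actually going through WARP, and is it enrolled in the team so that Gateway policies apply? The script below is an added example, not part of this site or Cloudflare's own tooling. It assumes the plain-text diagnostic endpoint https://www.cloudflare.com/cdn-cgi/trace, which returns key=value lines including warp=on|off and gateway=on|off; the sample response embedded in the script is constructed for offline use and its values (IP, colo, timestamp) are illustrative only.

```python
"""Check whether a device's traffic is going through Cloudflare WARP and Gateway.

Assumption: Cloudflare's edge serves a plain-text diagnostic page at
/cdn-cgi/trace whose lines include "warp=on|off" (WARP tunnel active)
and "gateway=on|off" (device enrolled in a Zero Trust team, so Gateway
policies apply). Parsing that page gives a quick posture check that can
be run on a fleet before relying on HTTP filtering or TLS decryption.
"""
import sys
import urllib.request

TRACE_URL = "https://www.cloudflare.com/cdn-cgi/trace"

# Constructed sample response for offline use; values are illustrative.
SAMPLE_TRACE = """fl=123abc
h=www.cloudflare.com
ip=203.0.113.45
ts=1647259200.123
visit_scheme=https
uag=example-checker/0.1
colo=SJC
http=http/2
loc=US
tls=TLSv1.3
sni=plaintext
warp=on
gateway=on
"""


def parse_trace(text: str) -> dict:
    """Turn key=value lines into a dict; blank or malformed lines are skipped."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def warp_status(fields: dict) -> dict:
    """Summarise posture: is the WARP tunnel up, and is Gateway filtering?

    A missing field is treated as "off", so an unexpected response
    (captive portal, a different site answering) reads as unprotected.
    """
    warp_on = fields.get("warp") == "on"
    gateway_on = fields.get("gateway") == "on"
    if not warp_on:
        verdict = "WARP is off: traffic is leaving the device without the tunnel"
    elif not gateway_on:
        verdict = "WARP is on but Gateway is off: device is not enrolled in the team"
    else:
        verdict = "WARP and Gateway are on: Zero Trust policies apply to this traffic"
    return {
        "warp": warp_on,
        "gateway": gateway_on,
        "colo": fields.get("colo", "unknown"),
        "verdict": verdict,
    }


def check_trace(text: str) -> dict:
    """Convenience wrapper: raw trace text in, posture summary out."""
    return warp_status(parse_trace(text))


def fetch_trace(url: str = TRACE_URL, timeout: float = 5.0) -> str:
    """Fetch the live trace page; only used when run with --live."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    raw = fetch_trace() if "--live" in sys.argv else SAMPLE_TRACE
    result = check_trace(raw)
    print(f"colo={result['colo']} warp={result['warp']} gateway={result['gateway']}")
    print(result["verdict"])
    # Non-zero exit when the device is not fully enrolled, so the script can
    # gate a deployment step or feed a monitoring check.
    sys.exit(0 if result["warp"] and result["gateway"] else 1)
```

Run it with --live on a device after step 5 to confirm enrollment; without the flag it evaluates the constructed sample. The exit code makes it usable as a precondition in a rollout script: a device reporting warp=on but gateway=off has the client installed but has not been logged in to the team, which is exactly the state the device enrollment rules in step 2 are meant to catch.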
