[RabbitmqGuy]

I’m always able to tell what a particular cloudflare product does/is in the first paragraph. However for this one, I’m unable to even after reading the entire blogpost.

(edit) is this like zerotier, tailscale, beyondcorp etc?

[dfabulich]

The most important thing to understand about Cloudflare One is that the name is marketing fluff. It does a bunch of things with a number of confusingly similar products. (Some of its features are provided by third-party "partners.")

The products are designed to be compatible, which is what the name "Cloudflare One" is designed to reflect, but there isn't just one product/feature being offered here. It's more of a vision statement than anything else.

What they're announcing is the compatibility of three previously released features:

1. Cloudflare WARP, their public VPN product for end users https://blog.cloudflare.com/1111-warp-better-vpn/

Note that despite being a "VPN," when WARP launched, it wasn't designed to connect to any company's internal corporate network. WARP is/was a "public VPN," the sort of thing an ordinary user would use to hide their IP address from web sites for privacy reasons. (Cloudflare claimed that WARP would also improve your network performance.)

2. Cloudflare Magic Transit, which is basically a reverse VPN product for on-premise datacenters, providing DDOS protection and packet filtering.

Magic Transit is kinda like Cloudflare's HTTP CDN product, but for all of a datacenter's traffic, geared toward IT professionals.

3. Cloudflare Network Interconnect (CNI), which lets you connect corporate offices to each other over Cloudflare's backbone infrastructure. Like Magic Transit, it was designed to allow IT staff to do traffic management and packet filtering.

Perhaps you'd have thought that these products would work together in some way, but they didn't, and now they kinda do.

Another bit of fluff that may have confused you is that they refer to this as a "Zero Trust" architecture, which sounds a little bit like BeyondCorp. IMO, this is basically a lie. BeyondCorp lets users connect to corporate resources behind a proxy, without a VPN.

If you squint and think of a VPN as a giant proxy, even traditional VPN solutions can seem like "Zero Trust," but that is not at all what anybody meant by that term.

What they are hoping to mitigate is the problem where anybody inside your VPN can access anything else they want inside your VPN, which is how most corporate VPNs work today. That sucks, but they're fixing this with a centralized configurable cloud-based VPN solution, in which you have to trust.

[basch]

>BeyondCorp lets users connect to corporate resources behind a proxy, without a VPN.

BeyondCorp is about trusting nothing and allowing what is allowed. It's an inversion of being Inside or Outside the network, in that everyone is outside. When they say "without a VPN" what they mean is that you arent connecting to inside the trust and then gaining access to everything.

This product from cloudflare, by integrating with an identity manager, is offering that same kind of deny by default, and allow the allowlist type paradigm. Whether or not it is VPN tech is a bit irrelevant, and misses the point of BeyondCorp. Googles implementation was a proxy by choice, but it's not the only way to accomplish the same idea. I get that you get that, but drawing the beyondcorp/not-beyondcorp line at vpn/proxy is missing the forest for the trees.

[acdha]

> Another bit of fluff that may have confused you is that they refer to this as a "Zero Trust" architecture, which sounds a little bit like BeyondCorp. IMO, this is basically a lie. BeyondCorp lets users connect to corporate resources behind a proxy, without a VPN.

I thought this was referring to the combination of Access (identity constraints on connections) and the tunnel system and your app servers only connect outbound to the CDN nodes, forcing all connections to be made through Access. That seems like zero-trust to me, doesn’t it?

[api]

> What they are hoping to mitigate is the problem where anybody inside your VPN can access anything else they want inside your VPN, which is how most corporate VPNs work today. That sucks, but they're fixing this with a centralized configurable cloud-based VPN solution, in which you have to trust.

This can also be accomplished with rules and micro-segmentation of various types.

[api]

ZeroTier is a true "global LAN," basically SD-WAN everywhere, emulates layer 2, and has a rules engine, but does not yet have the IAM integrations that some others have. Guts are very powerful but GUI is more minimal and less mature (as of now).

Tailscale is a Wireguard configurator and P2P hole puncher with IAM integrations and a nice GUI. Runs at layer 3 so it can't do some things that ZeroTier can do, but most stuff runs over IP so only some segments of the market care.

BeyondCorp is more of a concept. Google has their own implementation of it and so do many others.

I too have trouble wrapping my head around this technically speaking. I get the sense that it's basically something that puts your WAN over Cloudflare's network and lets you do access control everywhere in the cloud, which would make it closer to the now-defunct Pertino or some cloud-backhaul-based SD-WAN solutions... but that's probably only a part of it. "One" here seems to refer to "one" bundle of a whole bunch of things.

[basch]

I expect it to be many of the things in the circle on the right. https://www.sdxcentral.com/wp-content/uploads/2020/03/441737...

[D94DCFB5]

Hilariously, I can't see whatever is at that link because Cloudflare.

    Access denied

    This website is using a security service to protect itself from online attacks.

    Ray ID: 5e1522cb6c3cd1c3
    Timestamp: 2020-10-13 01:02:34 UTC

[GoblinSlayer]

As I understand, it's a VPN with cloudflare in the middle.

[basch]

SASE is the new buzzword for a SaaS Threat, Identity, Firewall, SD-WAN, Access Rights, Remote Access bundle. The picture in this article illustrates everything I would expect the suite/bundle to cover eventually. https://www.sdxcentral.com/security/sase/definitions/what-is...

It's a bit of a messy space for a couple reasons. Every vendor who made any one of these products is quickly racing to become a kitchen sink through development and/or acquisition. At the same time, they are splitting up what was once bundled into components you can buy separately to piece into a larger puzzle. Because most companies already have relationships with multiple vendors providing these services, they are fighting each other to both create walled gardens AND SIMULTANEOUSLY interoperable compatible components for larger multi vendor buildouts. (Palo Alto buying CloudGenix SD-WAN, while at the same time being the leading supplier of on Edge firewall VM's for Velocloud devices. Velocloud will both tell you you can run Palo Alto, ZScaler, or Checkpoint, but also that they have in house Carbon Black. What risk are you taking by integrating two vendors that are both trying to crush each other, despite the best in breed solution being part of each of their products.) "We have Cisco for this, so maybe Duo makes sense, but then that overlaps Okta, and that overlaps what we already get from Microsoft, which overlaps what we get from VMWare, which is starting to overlap what we have from Palo Alto.

https://www.sdxcentral.com/articles/news/sase-acquisitions-d...

Anyone in the "Zero Trust" space is likely rebranding bundles as SASE. https://telegra.ph/ZeroTrust-Vendors-04-23

On the topic of Cloudflare. They have a leg up over EVERYBODY because they are building on top of Wireguard, and everybody else is stuck with legacy IPSEC that they cant leave anytime soon. From a future proofing perspective, if you don't already have commitments elsewhere, this is likely a VERY ATTRACTIVE bundle. One of the killer products buried in this is Cloudflare for Teams Access. No more need for AnyConnect. And like I said, most/all the other ZeroTrust Access gateways either a) only come in a bundle with other products 2) are a me-too product offered by a vendor that specializes in something else 3) are ipsec. https://www.cloudflare.com/teams/access/

[api]

So like everything else in the networking space it's a mess of overloaded terms with multiple meanings and tangled concepts all trying to hit as many buzzwords as possible...?

[basch]

Yes and no. I think Cloudflare has advantage here of not being that mess of overload. They dont have the legacy cruft, the legacy customers. They purposely ARENT trying to be everything (by supporting all identity providers but not being one. By not being an MDM.)

I feel the same way about Cloudflare as I did about Velocloud. When Velocloud came out, their pitch was that they WERENT "WAN optimization." They purposely werent compressing the data on the edge to squeeze a couple extra bytes down a tiny pile. By starting from the ground up, and not transforming a legacy product, they kept their hardware costs down. They didnt need the extra horsepower to do things that werent necessary in a modern paradigm. Instead they offered a unique cloud service that made their product a bit different than the rest, and at a lower price.

Cloudflare here has that same competitive advantage of being able to design everything from first principal, with no regard for how things were before. Maybe even moreso.

[1vuio0pswjnm7]

As a potential customer, I guess I am supposed to hypnotised by all these silly names and acronyms but instead I just keep thinking "Just show me the code". Names seem to serve as a way for the authors to avoid telling us exactly what the software does, instead referring to what the software "is". Horribly imprecise and the source of endless arguments. The disagreements in this thread are but a tiny example.

This is nothing new and during the dot-com boom I think the naming nonsense spread to websites, in addtion to software. Software people have been obsessed with wacky names as long as I can remember.

I find this so repulsive and unworkable (e.g., name conflicts, needless keystrokes) that on personal computers I actually name programs I write for myself using an alpha prefix and a numerical suffix. For quick reference I keep a separate index of what each program does. Every program has a unique, sequential number in its name. Every name has the same number of characters.

[api]

I have to break down and plug this then:

https://www.zerotier.com/

[tenebrisalietum]

It's SD-WAN in the cloud with integrated identity federation, DDOS protection, it's own VPN, and I think one or two other things.