Cloudflare SASE Cybersecurity Solutions

Cloudflare SASE Solutions: Comparisons, Review, Benefits, Use Cases, Pros & Cons

Author: Netify Research Team

If you have questions about Cloudflare and how their capability is aligned to your needs, email the Netify research team. UK: uk@netify.co.uk North America: northamerica@netify.com 

(Please use the UK email for ROW - Rest of the World - questions or enquiries)

Netify Review

Cloudflare offer granular SASE security with strong Zero Trust services. Clients can benefit from the company’s wide range of solutions, each one with strong integration capabilities with other Cloudflare products. They also leverage their own global network, with connectivity to 100 countries, including hard to reach areas such as China. 

Netify recommends Cloudflare to SMEs and large global enterprises in a variety of industry verticals looking for a SASE security solution that is available worldwide. However, caution may be taken as the solution does not offer Network Detection and Response (NDR) or Extended Detection and Response (XDR) services - these will have to be sourced from a third party provider. 

About Cloudflare

Cloudflare is a security company that was founded in July 2009. They provide content delivery network, DDoS mitigation and SASE security for businesses, non-profits, developers and consumers. Their headquarters is in San Francisco, California, North America, employing 1,800 staff members. Cloudflare has its own global network, which can access over 250 cities in 100 countries worldwide, including hard-to-reach areas such as China. Over 10,000 networks already connect to Cloudflare with 100Tbps, allowing access to data centres located in Europe, North America, Mainland China, Latin America, Oceania, Asia, Africa and the Caribbean.

Cloudflare caters for E-commerce, the public sector, SaaS, financial services, healthcare, gaming, education and media and entertainment industry verticals. As of 2022, Cloudflare is running an exclusive program in partnership with Yubico, offering Yubico hardware security keys at a discounted rate for Cloudflare customers. Hardware keys are phish-proof and provide a high level of authentication security. Yubico keys, in particular, integrate easily with Cloudflare's Zero Trust service.

What are Cloudflare's Solutions?

• Cloudflare One: Cloudflare’s SASE offering - see Cloudflare SASE for more info. 
• Zero Trust Teams: Cloudflare’s Zero Trust browsing and application access platform offers clients increased visibility and reduced risks and complexity for when users access web applications. The solution leverages Cloudflare’s global network to protect against security threats using context-based Zero Trust rules and isolate endpoints. Detailed logs are kept for HTTP, login, DNS and in-application activity. User activity can also be monitored in SaaS applications, with an audit trail available if investigation is required. The solution features ZTNA, SWG, DNS Filtering and Data Loss Prevention (DLP). 
• Cloudflare Access: Enforces default-deny, Zero Trust rules, that are designed to limit access to private IP spaces, hostnames and corporate applications by working with endpoint protection platforms and identity providers, reducing the need for a VPN. The product has the ability to protect any application, cloud, on-premises or SaaS using a client’s chosen identity provider (for example, Azure AD or Okta), with IP firewall and Zero Trust rules. Device posture integration with Endpoint Protection Platform (EPP) providers is also offered, including Carbon Black, Tanium, Sentinel One and Crowdstrike. Users can also be connected with SSH and web application connections with no need for end user configuration or client software and for non-web applications, private routing, RDP connections a single client can be used across Internet and application use cases. 
• Cloudflare Gateway: Cloudflare’s Secure Web Gateway offering - see What SWG (Secure Web Gateway) solution is supported by Cloudflare?
• Zero Trust Browsing: A Browser Isolation Service with native browser capabilities, designed to make accessing the Internet more secure for businesses. The service runs in the cloud, which keeps it away from clients networks and endpoints, further securing devices. It works by creating an exact replica of a web page on a users device, delivering ti efficiently so that it feels similar to a regular browser. Clients can use the Zero Trust Teams offering to create and implement inspection, isolation and filtering rules. 
• Magic Transit (DDoS Protection): Cloudflare offers users Direct Denial of Service (DDoS) mitigation which leverages their global network. The service works by identifying and mitigating malicious traffic within a Cloudflare data center, preventing it from reaching client sites. Magic Transit also includes a network firewall with the ability to configure allow/deny rules for IP ranges, application-level firewalling with optional TLS termination and a load balancer as well as the ability to create a serverless Cloudflare Worker that will modify traffic automatically. The Magic Transit is also natively configured with Cloudflare’s L4 and L7 products. 
• Cloudflare for SaaS Developers: Clients can use this service to deliver fast and reliable connectivity to their end-users on a global scale. Security features include DDoS protection, Web Application Firewall (WAF) and SSL for SaaS. 
• Web Application Firewall (WAF): An integrated service including Cloudflare’s cloud-delivered application security portfolio, with zero-day vulnerability options, core OWASP rules to block attacks, custom rulesets, exposed credential checks, sensitive data detection, flexible response options and advanced rate limiting. 
• SSL for SaaS: A service designed to protect business client’s data using strong encryption, by partnering with SaaS Providers. The service includes Apex Proxy Flexibility, Bring Your Own IP, Custom SSL Certification Support, Wildcard Custom Hostnames, Custom Origins and Customizable Domain Configurations.

What is the Cloudflare SASE security solution?

Cloudflare’s SASE offering is available as a product called Cloudflare One, which is designed to combine network connectivity services with Zero Trust security on one purpose-built global network, to replace legacy circuits. The solution includes built-in DDoS mitigation, Zero Trust functionality, traffic acceleration and network firewalling. Users can connect to resources without the need of a VPN, offering them the ability to block ransomware, phishing, malware and lateral movement. 

Cloudflare One runs in one of Cloudflare’s 250 sites world-wide, removing the need for manual integration of multiple point products. Each of the Cloudflare data centers offer single-pass routing and traffic inspection allowing users to remain secure regardless of their location worldwide. The SASE solution is able to run on Cloudflare’s peered network, which means that clients are able to integrate new and existing endpoint, identity and cloud providers. Cloudflare One SASE includes Secure Web Gateway (SWG), Firewall as a Service (FWaaS), Zero Trust Network Access (ZTNA) and Wide Area Network as a Service (WANaaS), all of which is supported by the Cloudflare global network.

What ZTNA (Zero Trust Network Access) solution is supported by Cloudflare?

Cloudflare offer powerful ZTNA which primarily creates secure boundaries around business applications, with users required to verify their context, identity and policy adherence before they are allowed to access a service. The platform has the capability to replace VPN connections with universal policies, granting access based on users context and identity. It also allows engineers and other related functions SSH access to infrastructure, which is often required for such services, in order to keep businesses functioning. Privileged technical users are granted access to to business-critical infrastructure from a remote location, without the need to experience tradeoffs. 

ZTNA can be managed by clients using the Instant-On Cloud Platform which leverages Cloudflare’s large global network to access external users with multiple forms of identity supported at once. Clients have the ability to enforce least privilege on vulnerable resources such as RDP, web applications, SSH and other infrastructure. Users can engineer authentication for partners and contractors, which saves room in the corporate directory by integrating with multiple identity providers. Remote workers are able to authenticate corporate or personal accounts that offer the same ease of use as that offered to internal employees.

What CASB (Cloud Access Security Broker) solution is supported by Cloudflare?

Cloudflare offer CASB solutions as part of their Cloudflare for Teams product, controlled by a simple management plane. CASB is offered as standard and comes with ZTNA, SWG, recursive DNS filters, Layer 4 firewall filters, Layer 7 proxy filters, antivirus inspection and remote browser isolation is available as an add-on service. 

What SWG (Secure Web Gateway) solution is supported by Cloudflare?

Cloudflare SWG offers protection from phishing, shadow IT, malware, command and control as well as many other internet risks, over all ports and protocols, with data on user interactions saved for later. The service is designed to stop malware and phishing attacks before they start, protecting any compromised devices to avoid further breaches. Traffic inspection with a policy border is also included, offering the ability to control how data flows and clients are able to block known risky, bad or unwanted destinations at HTTP or DNS level. 

The SWG has the capability to allow clients to control data flows traveling in or out of an organization, using Data Loss Prevention (DLP). This comes with controls for file types, which prevent users from uploading spreadsheets and documents to unsanctioned sites and applications- an example of which is social media. Clients can make use of AV scanning to prevent malicious downloads and SaaS application control, which leverages Cloudflare’s logging capabilities to allow users to use unsanctioned SaaS applications, building a policy allowing access to such applications. 

Cloudflare SWG allows clients to build policies and audits security or compliance incidents easily, with browser isolation to prevent risks from reaching endpoints. The entire solution leverages Cloudflare’s Edge network, which is available in over 250 locations globally, improving availability by keeping clients close to the service. 

What FWaaS (Firewall as a Service) solution is supported by Cloudflare?

FWaaS is offered as Magic Firewall, a cloud-native network firewall which is designed for enterprise WAN. The service allows clients to enforce consistent network security policies across the entire network, including branch offices, headquarters and virtual private clouds. The product has the capability to offer fine-grained filtering rules which can be deployed globally using a single dashboard, from the Cloudflare global network, allowing the security to scale to an individual business's needs. 

The FWaaS does not require downtime for appliance upgrades or artificial choke points and has the ability to filter unwanted traffic before it manages to reach a client’s network. Magic Firewall does this by applying client’s filtering policies directly to the Cloudflare global Edge network. This helps to prevent unwanted traffic from congesting network links or exploiting zero day vulnerabilities from the network environment. Further, intelligent L3 DDoS protection can be enabled for internet traffic using Magic Transit service. The solution also includes filtering rules, based on IP addresses, protocols, port, packet length and bit field match, as well as per rule unlimited scale, fast propagation of rule change sin under 500ms and traffic analytics. The service also provides the firewall foundation for Cloudflare One (SASE). 

How does Cloudflare deliver cloud security?

Cloudflare offer security for multi-cloud, public, hybrid and on-premises environments. The service offers clients the ability to enforce consistent policies across multiple clouds, regardless of vendor, with network infrastructure visibility and balanced workloads for both public and private clouds. 

• AWS: Cloudflare offers clients integration with AWS S3 and EC2 deployments, creating security for dynamic and static web properties hosted on AWS. This also offers the ability to host client's websites and run applications on AWS, as well as unified control panel, a massive network scale and full product stack.
• Azure: Clients can connect into any Azure cloud service, with the capability to accelerate hosted web properties. This offers the use of Azure applications for Azure Active Directory B2C integration with Cloudflare WAF, Cloudflare Argo Tunnel, 1.1.1.1 integration and SSL for Azure Static Web Hosting. Comes with a unified control pane where clients can enforce and customize security policies with visibility into the Azure infrastructure, as well as identity integration for customized security rules that leverage the Cloudflare WAF integration with Azure Active Directory B2C, and a full security product stack. 
• Google Cloud Program (GCP): Offers faster traffic, load balancing and security protection for GCP. Cloudflare security sits in front of GCP infrastructure and offers protection for web properties. Cloudflare also works as a unified control plane for GCP, allowing clients to apply security policies, maintain reliability and speed up web performance. The solution integrates with the full security stack from Cloudflare. 
• IBM: Cloudflare partners with IBM to offer clients joint customer security, performance and reliability services. The partnership works as a unified control plane for IBM cloud deployments, positioned in front of applications and web properties which are hosted on IBM cloud. The partnership offers security, reliability and performance at the Edge - with the benefits of a full security stack from Cloudflare.

How does Cloudflare support remote users?

Cloudflare supports remote users through its ‘Cloudflare for Teams’ solution. Users based both on-premises and remotely are provided with secure connectivity and improved Internet performance. This is available for business-managed devices, as well as un-managed user devices and connects authorized users to any self-hosted SaaS or Internet application. 

 The solution includes the following:

• Zero Trust Network Access 
• Network Firewall as-a-service 
• Secure Web Gateway 
• Private Routing to IP/Hosts 
• DNS Resolution & Filters 
• Cloud Access Security Broker 
• HTTP/S Inspection and Filters

Optional:

• Zero Trust Browser Isolation
• Cloudflare Access
• Cloudflare Gateway

The solution is available in three service tiers - Free, Standard and Enterprise. 

Free Plan: Maximum 50 users, support available from community forums, suitable for test runs and small teams. 

Standard Plan: Suitable for teams of over 50 users that do not require enterprise level support. $7/user billed month-to-month with median initial support response of 4 hours for urgent issues. 

Enterprise Plan: $14/user with tier-based custom quotes available. Suitable for large organizations requiring security transformations with enterprise level support services. Support median response time of 1 hour for urgent issues.

What is the Cloudflare managed, co-managed and DIY services solution?

Cloudflare do not offer managed services directly, however they do have a wide range of integrator and service provider partnerships offering managed services for their products. 

What Reporting and Management is available via the Cloudflare Portal?

Cloudflare’s Peering Portal offers visibility into client networks, displaying the volume of data between the network and Cloudflare and where that data is moving. For proactive traffic management clients can dedicate Cloudflare traffic to a specific peering link. When a client decides to peer with Cloudflare, traffic is sent directly to the vendor's network, instead of sending it to a third party, improving performance. 

What is the Cloudflare SLA?

Cloudflare’s Business Service Level Agreement offers 100% uptime backed by financial guarantees. Should the SLA be unmet, service credits are provided to the customer. Service credits for an outage during a monthly billing period are calculated as follows: 

Service Credit = (Outage period minutes x Affected customer ratio) ÷ Scheduled availability minutes

Cloudflare’s Enterprise SLA is available by contacting an account manager or can be found in the subscription agreement.