สมัครเพื่อรับการแจ้งเตือนเมื่อมีโพสต์ใหม่:สมัครรับข้อมูล

Protocol detection with Cloudflare Gateway

2024-03-08

อ่านเมื่อ 2 นาทีก่อน
โพสต์นี้ยังแสดงเป็นภาษาEnglishด้วย
Protocol detection with Cloudflare Gateway

Cloudflare Gateway, our secure web gateway (SWG), now supports the detection, logging, and filtering of network protocols regardless of their source or destination port. Protocol detection makes it easier to set precise policies without having to rely on the well known port and without the risk of over/under-filtering activity that could disrupt your users’ work. For example, you can filter all SSH traffic on your network by simply choosing the protocol.

Today, protocol detection is available to any Enterprise user of Gateway and supports a growing list of protocols including HTTP, HTTPS, SSH, TLS, DCE/RPC, MQTT, and TPKT.

Why is this needed?

As many configuration planes move to using RESTful APIs, and now even GraphQL, there is still a need to manage devices via protocols like SSH. Whether it is the only management protocol available on a new third party device, or one of the first ways we learned to connect to and manage a server, SSH is still extensively used.

With other legacy SWG and firewall tools, the process of blocking traffic by specifying only the well known port number (for example, port 22 for SSH) can be both insecure and inconvenient. For example, if you used SSH over any other port it would not be filtered properly, or if you tried using another protocol over a well known port, such as port 22, it would be blocked. An argument could also be made to lock down the destinations to only allow incoming connections over certain ports, but companies don’t often control their destination devices.

With so many steps, there are risks of over-blocking legitimate traffic, which potentially prevents users from reaching the resources they need to stay productive and leads to a large volume of support tickets for your administrators. Alternatively, you could underblock and miss out on filtering your intended traffic, creating security risks for your organization.

How we built it

To build a performant protocol detection and filtering capability we had to make sure it could be applied in the same place Gateway policies are being applied. To meet this requirement we added a new TCP socket pre-read hook to OXY, our Rust-based policy framework, to buffer the first few bytes of the data stream. This buffer, then, allows Gateway to compare the bytes to our protocol signature database and apply the correct next step. And since this is all built into OXY, if the policy is set to Block, the connection will be closed; if it’s set to Allow, the connection will be proxied or progressed to establish the TLS session.

How to set up Gateway protocol filtering

Cloudflare Gateway’s protocol detection simplifies this process by allowing you to specify the protocol within a Gateway Network policy. To get started navigate to the Settings section on the Zero Trust dashboard and then select the Network tile. Under the Firewall section you’ll see a toggle for protocol detection and once enabled you’ll be able to create network policies.

Next, go to the Firewall Policies section of your Zero Trust Gateway dashboard and then click ‘+ Add a policy’. There you can create a policy such as the one below to block SSH for all users within the Sales department.

This will prevent members of the sales team from initiating an outgoing or incoming SSH session.

Get started

Customers with a Cloudflare One Enterprise account will find this functionality in their Gateway dashboard today. We plan to make it available to Pay-as-you-go and Free customer accounts soon, as well as expanding the list of protocols.

If you’re interested in using protocol detection or ready to explore more broadly how Cloudflare can help you modernize your security, request a workshop or contact your account manager.

เราปกป้องเครือข่ายของทั้งองค์กร โดยช่วยลูกค้าสร้างแอปพลิเคชันรองรับผู้ใช้อินเทอร์เน็ตทั่วโลกได้อย่างมีประสิทธิภาพ เพิ่มความรวดเร็วของการใช้เว็บไซต์หรือแอปพลิเคชันอินเทอร์เน็ต จัดการการโจมตีแบบ–DDoS ป้องปรามบรรดาแฮกเกอร์ และช่วยเหลือคุณตลอดเส้นทางสู่ Zero Trust

เข้าไปที่ 1.1.1.1 จากอุปกรณ์ใดก็ได้เพื่อลองใช้แอปฟรีของเราที่จะช่วยให้อินเทอร์เน็ตของคุณเร็วขึ้นและปลอดภัยขึ้น

หากต้องการศึกษาข้อมูลเพิ่มเติมเกี่ยวกับภารกิจของเราเพื่อปรับปรุงการใช้งานอินเทอร์เน็ต เริ่มได้จากที่นี่ หากคุณกำลังมองหางานในสายงานใหม่ ลองดูตำแหน่งที่เราเปิดรับ
Security WeekCloudflare GatewayZero Trust

ติดตามบน X

Ankur Aggarwal|@Encore_Encore
Cloudflare|@cloudflare

โพสต์ที่เกี่ยวข้อง

23 ตุลาคม 2567 เวลา 13:00

Fearless SSH: short-lived certificates bring Zero Trust to infrastructure

Access for Infrastructure, BastionZero’s integration into Cloudflare One, will enable organizations to apply Zero Trust controls to their servers, databases, Kubernetes clusters, and more. Today we’re announcing short-lived SSH access as the first available feature of this integration. ...

09 ตุลาคม 2567 เวลา 23:00

What’s new in Cloudflare One: Digital Experience (DEX) monitoring notifications and seamless access to Cloudflare Gateway with China Express

This roundup blog post shares the latest new features and capabilities at Cloudflare. Learn more about new Digital Experience (DEX) monitoring notifications and seamless access to Cloudflare Gateway with China Express. ...

08 ตุลาคม 2567 เวลา 13:00

Cloudflare acquires Kivera to add simple, preventive cloud security to Cloudflare One

The acquisition and integration of Kivera broadens the scope of Cloudflare’s SASE platform beyond just apps, incorporating increased cloud security through proactive configuration management of cloud services. ...