Cloudflare | Stack | Fluid Attacks Help

Cloudflare

Rationale

Cloudflare is our SaaS provider for some infrastructure solutions like DNSSEC, DDoS Protection, Rate limiting, Auto-Renewable SSL certificates, Content delivery network, Web Application Firewall, Anti-bot capabilities, Zero Trust Network Access, among others.

The main reasons why we chose it over other alternatives are:

  1. Creating network and security solutions is very easy, as all its components are seamlessly connected.
  2. It can be fully managed using Terraform.
  3. It provides highly detailed analytics regarding site traffic in terms of both performance and security.
  4. It has the fastest privacy-focused DNS service on the market.
  5. It supports DNSSEC.
  6. It has easy-to-implement, auto-renewable, auto-validated SSL certificates.
  7. It provides a Web Application Firewall with Preconfigured rules, DDoS mitigation, Rate limiting, Anti-bot capabilities, among others.
  8. It has a CDN with special routing protocols, HTTP/3 support, Customizable cache TTL, and datacenters all over the world. Cache comes automatically configured and is customizable by just changing its default settings.
  9. It provides Workers, a serverless approach for developing applications. We use it for the specific purpose of configuring security headers for all our sites.
  10. It has Page rules that make it easy to implement HTTP redirections, Cache Rules, encryption rules, among others.
  11. It provides Zero Trust features, which are essential for our Connector and Egress access mechanisms, as well as for allowing Fluid Attacks talent to navigate the Internet safely using Cloudflare WARP.

Alternatives

The following alternatives were considered but not chosen, for the reasons listed:

  1. Akamai: It is not as widely used, resulting in less community support. It is much more expensive, and setting up its services seems more complicated compared to Cloudflare.
  2. AWS Certificate Manager: Creating digital certificates also required managing DNS validation records.
  3. AWS CloudFront: Creating distributions was very slow. Connecting them to an S3 bucket and maintaining that connection was necessary. A Lambda was required in order to support accessing URLs without having to specify index.html at the end. Overall, too much overhead was required to make things work.
  4. AWS Route53: This service does not support DNSSEC. It is not as fast or as flexible as Cloudflare's DNS.
  5. AWS Web Application Firewall: It needs to be connected to a load balancer serving an application, so it does not work for static sites. It is not as flexible as Cloudflare's Web Application Firewall.
  6. Tailscale: It is only a ZTNA solution, whereas Cloudflare does many other things (DDoS mitigation, rate limiting, anti-bot, DNS, etc.). It did not support Egress IPs, which is essential for the Egress access mechanism. Being able to do so is essential for Fluid Attacks' platform to be able to display ZTNA navigation logs. It does not provide a client for safely navigating the Internet.
  7. NoPorts: It is only a ZTNA solution, whereas Cloudflare does many other things (DDoS mitigation, rate limiting, anti-bot, DNS, etc.). It had a much more complex installation process. It did not support Egress IPs, which is essential for the Egress access mechanism. It did not support navigation logging, which is essential for Fluid Attacks' platform to be able to display ZTNA navigation logs. In general, it looks like a very basic solution for establishing SSH, SFTP or RDP connections to personal devices via the Internet. It does not provide a client for safely navigating the Internet.
  8. ZeroTier: It is only a ZTNA solution, whereas Cloudflare does many other things (DDoS mitigation, rate limiting, anti-bot, DNS, etc.). It did not support Egress IPs, which is essential for the Egress access mechanism. It did not support navigation logging, which is essential for Fluid Attacks' platform to be able to display ZTNA navigation logs. In general, it looks like a very basic solution for establishing SSH, SFTP or RDP connections to personal devices via the Internet. It does not provide a client for safely navigating the Internet.
  9. Genians: It is only a ZTNA solution, whereas Cloudflare does many other things (DDoS mitigation, rate limiting, anti-bot, DNS, etc.). It did not support Egress IPs, which is essential for the Egress access mechanism. It did not support navigation logging, which is essential for Fluid Attacks' platform to be able to display ZTNA navigation logs. It focuses on on-premise architectures and relies on having servers or virtual machines completely focused on managing the ZTNA network, which increases complexity and introduces a single point of failure. Its documentation is much harder to understand compared to other alternatives. Its implementation is much more complex when compared to other alternatives. It does not provide a client for safely navigating the Internet.

Usage

We use Cloudflare for:

  1. Overall network configurations
  2. DNS Records
  3. HTTP Redirections
  4. Managing security headers
  5. Managing digital certificates
  6. Managing rate limiting
  7. Managing CDN Cache
  8. Hosting domains with the supported .com and .io TLDs using Cloudflare Registrar
  9. Allowing Fluid Attacks to connect to applications owned by its clients via Connector or Egress access mechanisms.
  10. Allowing Fluid Attacks employees to navigate the Internet safely using Cloudflare WARP.

We do not use the following Cloudflare services:

  1. Argo Tunnel: Pending to review.
  2. Railgun: Only supported on apt and yum.
  3. Hosting domains with the .co and .la TLDs, which are not supported. For these domains we use GoDaddy.