Thought some might find this interesting. Was just approved for public release.
Got the source url handy?
It was emailed to me. Hang on, I’ll see if I can find it.
oh ok I can search too in that case
yah was only finding the 2019 pre-release myself
Thanks for sharing
As a provider, IP Whitelisting is still the main way that firewall exceptions are made to us by our customers to access their protected applications. Is there a better solution to this use case than VPN? I’ve looked at Perimeter81, but I am not sold on the whole approach.
This is a rich space these days. Perimeter being just one of dozens.
The zero trust/beyondcorp model is more or less the gold standard today, with various vendors taking their own approach
Last week cloudflare launched “one”
Today HashiCorp announced boundary
What is your wire protocol for your apps?
For this use case, just https
I think that’s part of the problem. Everyone is going to be implementing their flavor of zero-trust and we’ll have to jump through hoops to set up our connectivity as opposed to having a single way of doing it with something universal like IP Whitelisting/VPN client
So with IP whitelisting, is the single way of doing it with Security Groups, NACLs, WAF, ingress, or in the application?
So HTTP is the ideal case and perhaps the most demonstrated case for how to expose apps in the zero trust model with IAP (identity aware proxies). It’s more or less synonymous with VPNs. A VPN will require a user to identify and log in. It then creates a point-to-point connection with the VPN server and sends layer 3 or 4 traffic over it. Then additional firewall rules and subnet routing policies need to be used to protect services from the VPN traffic.
In the IAP model, you have a point-to-point TCP connection (just like with the VPN). You’re speaking one wire protocol (HTTP), unlike with the VPN, where it can be anything. You identify with Single Sign-On (e.g. works well with Okta, Gsuite, etc). The proxy connects you to exactly one service, not the entire network, so there’s no need for additional firewalling and routing rules.