Cloudflare plans for better security

Saturday, September 26, 2020

With the huge increase in people around the world working remotely, security holes have emerged that Cloudflare will be rectifying with a new project called Cloudflare Access.

It would have been impossible for Cloudflare to predict the current global pandemic and the impact it would have on workforces moving to remote operations. Even so, they began working on a project called Cloudflare Access towards the start of 2019. This was designed to improve security around remote access to networks.

Cloudflare Access is an authentication tool that helps to protect the remote desktop protocol (RDP). It does this by using Argo Tunnel to form a fully encrypted connection between a user’s RDP server and Cloudflare’s edge. Essentially, this creates a private network and removes the resources on the RDP server from public internet access. Once this tunnel has been set up, a user is only able to reach the RDP server through Cloudflare Access. Administrators are also able to define rules and identity verification requirements governing who can access the locked-down resources.

Why is it important to protect RDP?

Cloudflare states that RDP is one of the protocols employees most frequently use to remotely access office environments. It is installed on Windows as standard, but macOS and Linux also support it. Many businesses around the world rely on RDP to work from home.

Since the start of the global pandemic, working from home has increased exponentially. Because of the unforeseen circumstances in which this arose, numerous businesses did not configure RDP properly as they tried to get their workforce online as quickly as possible. Unfortunately, this has given rise to new opportunities for malicious parties to target and attack remote working endpoints.

Why have attackers been able to exploit the situation?

There are two main contributors to this situation. The first is how much exposure to the internet an RDP server has. If a server hasn’t been properly set up, it can be visible and attackable from the public internet. Unpatched weaknesses and poorly enforced firewall rules can be the main reasons this exposure is exploited.
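The first contributor, checked from the defender's side: an added example (not from the original article or from Cloudflare) that flags firewall allow rules admitting RDP's default port 3389 from non-internal sources. The rule schema, rule names and sample data are constructed for illustration, and rule ordering is not modelled.

```python
import ipaddress

RDP_PORT = 3389  # default RDP listener port

# Ranges treated as internal: RFC 1918, loopback, IPv6 unique-local.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "fc00::/7", "::1/128")]

def covers_port(spec, port=RDP_PORT):
    """True if a spec such as 'any', '3389', '80,443' or '3000-4000' includes port."""
    if spec.strip().lower() == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def is_internal(source):
    """True only if the whole source network sits inside an internal range."""
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL)

def exposed_rdp_rules(rules):
    """Names of allow rules that admit RDP from a non-internal source."""
    return [r["name"] for r in rules
            if r["action"] == "allow"
            and covers_port(r["ports"])
            and not is_internal(r["source"])]

# Constructed sample rule set (hypothetical schema, not a real firewall export).
SAMPLE_RULES = [
    {"name": "allow-rdp-any", "action": "allow", "source": "0.0.0.0/0", "ports": "3389"},
    {"name": "allow-rdp-vpn", "action": "allow", "source": "10.8.0.0/24", "ports": "3389"},
    {"name": "allow-mgmt-range", "action": "allow", "source": "203.0.113.0/24", "ports": "3000-4000"},
    {"name": "allow-web", "action": "allow", "source": "0.0.0.0/0", "ports": "80,443"},
    {"name": "deny-rdp-lab", "action": "deny", "source": "0.0.0.0/0", "ports": "3389"},
    {"name": "allow-all-v6", "action": "allow", "source": "::/0", "ports": "any"},
]

if __name__ == "__main__":
    for name in exposed_rdp_rules(SAMPLE_RULES):
        print("RDP reachable from outside:", name)
```

Wide port ranges and "any" rules are the ones most easily missed in a manual review, which is why the check matches on port coverage rather than on the literal string 3389.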

Secondly, in corporate environments, specialised corporate SSO tools need to be used to protect an RDP server. Without proper management, users create and save passwords in multiple locations that aren’t always protected by the organisation. This can result in wrong, recycled, and out-of-date passwords protecting important resources.

What does Cloudflare plan to do about it?

By using Cloudflare Access, authentication protocols are strengthened. This is done by reinforcing identity checks to define who can access an RDP server. No matter what system your organisation makes use of, users will have to authenticate with their specific credentials before any RDP session can begin. Supported providers include Okta and Azure AD, amongst others. By making use of Cloudflare Access, passwords can be strengthened and rotated in the same manner as with other critical tools.

How does Cloudflare Access work?

For the user, an instance will be created targeting the RDP session’s final destination, which is the internal host that the user aims to connect with. From there, the user will create a connection to a local Cloudflare client via RDP. A browser window will then launch and take the user through authentication.

When the user has proven their identity, the Cloudflare client will utilise Cloudflare Access to gain entry to Cloudflare’s edge. Once the edge is satisfied of the user’s identity, it will provide access to the user’s desired location.

On the origin side of Cloudflare Access, an administrator will create an instance to operate in bastion mode. This bastion will form a long-lived HTTP/2 session with the two nearest data centers. Once this is created, Cloudflare waits until clients request connections to a final destination.

How is this progressing into the future?

Looking forward, Cloudflare plans to roll this system out across multiple protocols, not just RDP. This means FTP, SSH, and TCP could all have the same treatment in the future.

2020 has been a tumultuous year, to say the least. It is no surprise that the changing work patterns that large proportions of populations around the world have undergone have created vulnerabilities in digital ecosystems. Cloudflare addressing these problems head-on is a positive step towards creating a safer digital ecosystem for us all.