On 16 October 2020, Cloudflare officially announced Magic Firewall™, a network-level firewall delivered through the Cloudflare network to protect your company. Magic Firewall protects remote users, branch offices, data centres and cloud resources. Best of all, it is fully integrated with Cloudflare One™, giving you a single view of everything on your network.
Cloudflare Magic Transit™ protects IP subnets using the same DDoS mitigation technology Cloudflare developed to defend its own global network. This keeps the network both protected from attack and available, and replaces physical DDoS appliances with Cloudflare's network.
But that still leaves some hardware on site for another function: firewalls. Networks don't only need protection against DDoS attacks; administrators need a way to control all traffic that enters and leaves the network. With Magic Firewall, Cloudflare wants to help retire network firewall appliances and move that function onto its global network.
Firewall boxes are miserable
Network firewalls have always been clunky. They're not just expensive; they're constrained by the hardware they run on. If you need more CPU or memory, you buy more boxes. If you run out of capacity, the whole network suffers, directly affecting employees trying to do their jobs. To compensate, network and security teams have to buy more capacity than they actually need, which costs more than it should.
Network teams find themselves assembling solutions from multiple vendors, mixing and matching features, and struggling to keep policies consistent across the whole network. The result is headaches and added cost.
The alternative isn't more hardware.
Many companies then turn to still more vendors and buy additional hardware to manage their patchwork of firewall appliances. Teams must then juggle refresh cycles, upgrades and end-of-life management across even more channels. These are band-aid measures that don't address the underlying problem: how do you build a single view of the whole network that gives visibility into what's happening (good and bad) and lets you enforce policy immediately, worldwide?
Introducing Magic Firewall
Instead of more band-aids, Cloudflare is introducing Magic Firewall as a single, comprehensive network filtering solution. Unlike legacy appliances, Magic Firewall runs on the Cloudflare network, which scales up or down with customer demand at any moment.
Running on the Cloudflare network has another benefit. Most customers backhaul network traffic to a single chokepoint for firewalling, which adds latency. Cloudflare runs data centres in 200 locations across the globe, each of which can deliver the same service, so branch offices and data centres can reach a Magic Firewall engine within 100 milliseconds.
Integrated with Cloudflare One
Cloudflare One consists of products that let you apply a single filtering engine with consistent security controls to your whole network, not just part of it. The same kinds of rules your company needs to apply to traffic leaving your networks can be applied to traffic leaving your devices.
Magic Firewall works with the Cloudflare products you already use. For example, traffic leaving endpoints outside the network reaches Cloudflare through the Cloudflare WARP client, where Gateway applies the same network-level filtering rules your team has configured. Branch offices and data centres are subject to the same rules via Magic Transit. This gives you a single view of the whole network instead of hunting for information across multiple platforms and vendors.
How does it work?
Magic Firewall replaces the legacy on-premises firewall with an as-a-service offering, moving the perimeter to the edge. With Magic Transit, Cloudflare already lets you apply firewall rules at its edge, but adding or changing rules previously meant coordinating with your account team or Cloudflare Support. The first release, generally available in the coming months, will let every Magic Transit customer configure self-service static OSI Layer 3 and Layer 4 mitigations at Cloudflare scale.
The first release of Magic Firewall focuses on static mitigation, letting you define a standard set of rules that applies across the whole network, whether the machines or software sit in the cloud, on an employee's laptop, or in a branch office. You can write rules that allow or block traffic based on:
- Protocol
- Source and destination IP address and port
- Packet length
- Bit field match
Rules are written in Wireshark syntax, a domain-specific language widely used in the networking community and the same syntax Cloudflare uses in its other products. With it you can quickly build powerful rules to allow or deny any traffic entering or leaving your network. If you suspect an attacker is inside or outside your perimeter, log into the dashboard and block the flow. Rules are pushed out worldwide in seconds, shutting down threats at the edge.
Deploying firewall rules is simple and fast. With Magic Firewall, rules can be configured through a simple UI, even for complex logic, or you can type and refine the filter rule by hand in Wireshark syntax. Don't want to touch a UI at all? The API applies rules just as quickly.
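To make the rule model above concrete, here is a small rule evaluator written for this article in Python; it is an added example, not Cloudflare's code and not Magic Firewall's real engine. It parses a subset of Wireshark display-filter syntax (field comparisons, `in {…}` sets, bare protocol names, and `and`/`or`) and applies an ordered ruleset to constructed packets, exercising all four criteria listed: protocol, source/destination address and port, packet length, and a bit-field match on the TCP flags byte. The supported field names, the first-match evaluation order, the default-allow fallback, the `Packet` record, the ruleset and the sample addresses (all documentation ranges) are assumptions of the example; the page does not document Magic Firewall's actual field set or evaluation semantics, and the tokenizer handles IPv4 literals only. One practical point it shows: a misspelled field name or stray character is rejected at parse time rather than producing a rule that silently never matches.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed packet record: the Layer 3/4 header fields a static rule can see; tcp_flags is the raw flags byte.
Packet = namedtuple("Packet", "src dst proto sport dport length tcp_flags", defaults=(0, 0, 0, 0))
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}
FIELDS = {"tcp", "udp", "icmp", "ip.src", "ip.dst", "ip.len", "tcp.srcport", "tcp.dstport",
          "udp.srcport", "udp.dstport", "tcp.flags"} | {"tcp.flags." + f for f in FLAG_BITS}
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
       "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}
TOKEN = re.compile(r"\s*(\{|\}|,|==|!=|>=|<=|>|<|[A-Za-z_][\w.]*|[0-9A-Fa-fx:.]+(?:/\d+)?)")  # IPv4 literals only

def field_value(name, p):
    """Resolve a field on a packet; None means the field is absent (e.g. tcp.dstport on a UDP packet)."""
    simple = {"tcp": p.proto == "tcp", "udp": p.proto == "udp", "icmp": p.proto == "icmp",
              "ip.src": ipaddress.ip_address(p.src), "ip.dst": ipaddress.ip_address(p.dst), "ip.len": p.length}
    if name in simple:
        return simple[name]
    proto, _, sub = name.partition(".")             # tcp.dstport, udp.srcport, tcp.flags, tcp.flags.syn
    if proto != p.proto:
        return None
    if sub == "flags":
        return p.tcp_flags
    if sub.startswith("flags."):
        return 1 if p.tcp_flags & FLAG_BITS[sub[6:]] else 0   # a single flag bit as 0/1 (bit field match)
    return p.sport if sub == "srcport" else p.dport

def literal(tok):
    # Addresses and CIDR prefixes become networks (so == means "contained in"); anything else is an int.
    return ipaddress.ip_network(tok, strict=False) if ("." in tok or ":" in tok) else int(tok, 0)
def compare(op, actual, lit):
    if actual is None:                              # an absent field never matches, whatever the operator
        return False
    if isinstance(lit, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        if op not in ("==", "!="):
            raise ValueError("only == and != are defined for addresses")
        return (actual in lit) if op == "==" else (actual not in lit)
    return OPS[op](actual, lit)

class Parser:
    """Parses `field <op> literal`, `field in {a b c}` and bare fields joined by and/or (and binds tighter)."""
    def __init__(self, text):
        text = text.strip()
        matches = list(TOKEN.finditer(text))
        if sum(m.end() - m.start() for m in matches) != len(text):
            raise ValueError(f"unrecognised characters in {text!r}")
        self.toks, self.i = [m.group(1) for m in matches] + [None], 0   # None marks end of input
    def take(self, expected=None):
        tok = self.toks[self.i]
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        self.i += 1
        return tok
    def parse(self):
        terms = [self.conjunction()]
        while self.toks[self.i] == "or":
            self.take()
            terms.append(self.conjunction())
        if self.toks[self.i] is not None:
            raise ValueError(f"trailing input: {self.toks[self.i:-1]}")
        return lambda p: any(t(p) for t in terms)
    def conjunction(self):
        terms = [self.comparison()]
        while self.toks[self.i] == "and":
            self.take()
            terms.append(self.comparison())
        return lambda p: all(t(p) for t in terms)
    def comparison(self):
        name = self.take()
        if name not in FIELDS:                      # typos must fail loudly, not silently never match
            raise ValueError(f"unknown field {name!r}")
        op = self.toks[self.i]
        if op == "in":                              # set membership; {80 443} and {80, 443} both accepted
            self.take()
            self.take("{")
            lits = [literal(t) for t in iter(self.take, "}") if t != ","]
            return lambda p: any(compare("==", field_value(name, p), l) for l in lits)
        if op in OPS:
            self.take()
            lit = literal(self.take())
            return lambda p: compare(op, field_value(name, p), lit)
        return lambda p: bool(field_value(name, p))  # bare field name, e.g. "udp", is a presence test

def evaluate(rules, pkt, default="allow"):
    # First-match semantics (an assumption of this example, not documented on the page): rule order is policy.
    for action, expr, pred in rules:
        if pred(pkt):
            return action, expr
    return default, None

# Constructed ruleset for a protected prefix 192.0.2.0/24; all addresses are documentation ranges.
RULES = [(action, expr, Parser(expr).parse()) for action, expr in [
    ("block", "ip.src in {203.0.113.0/24, 198.51.100.0/28}"),                 # known-bad sources
    ("allow", "tcp.dstport in {80 443} and ip.len <= 1500"),                  # web traffic to the prefix
    ("block", "tcp.flags.syn == 1 and tcp.flags.ack == 0 and ip.len > 100"),  # padded SYN floods
    ("block", "udp and ip.len > 1200"),                                       # amplification-sized UDP
    ("block", "icmp or tcp.dstport == 22"),                                   # no ping or SSH from outside
]]
```

Calling `evaluate(RULES, Packet("198.51.100.77", "192.0.2.10", "tcp", 50000, 8080, 400, 0x02))` returns the block action with the SYN-flood rule's expression, while the same source sending a 60-byte SYN to port 443 is allowed by the earlier web rule; because evaluation stops at the first match, swapping the order of the allow and block rules changes the outcome, which is why rule ordering has to be treated as part of the policy rather than an implementation detail.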
So what’s next?
Looking at packets isn't enough. Even with firewall rules in place, teams need visibility into what's going on in their network: what's inside these data streams? Are hostile actors, inside or outside the network, doing something sinister? Deploying Cloudflare between any two parties that communicate with any of your properties (whether employee devices or Internet-exposed services) lets it inspect any protocol, wherever the traffic comes from and whatever is inside the flow. Applying traffic-aware policy is just around the corner, and Cloudflare says it is working on new functionality, coming in the near future, to dynamically detect intrusion events based on what's happening inside data streams.
Article source: Cloudflare