Cloudflare

Rationale

Cloudflare  is our SaaS  provider for some infrastructure solutions like DNSSEC , DDoS Protection , Rate limiting , Auto-Renewable SSL certificates , Content delivery network , Web Application Firewall , Anti-bot capabilities , Zero Trust Network Access , among others.

The main reasons why we chose it over other alternatives are:

• Creating network and security solutions is very easy, as all its components are seamlessly connected.
• It can be fully managed  using Terraform .
• It provides highly detailed analytics regarding site traffic in terms of both performance and security.
• It has the Fastest privacy-focused DNS service  on the market.
• It supports DNSSEC .
• It has easy-to-implement, auto-renewable, auto-validated SSL certificates .
• It provides a Web Application Firewall  with preconfigured rules , DDoS mitigation , rate limiting , anti-bot capabilities , among others.
• It has a CDN  with special routing protocols , HTTP/3 support , Customizable cache TTL , and datacenters all over the world . Cache comes automatically configured and is customizable by just changing its default settings.
• It provides Workers , a serverless approach for developing applications. We use it for the specific purpose of configuring security headers for all our sites.
• It has Page rules  that allow for easy implementation of HTTP redirections , cache rules, and encryption rules , among others.
• It provides Zero Trust  features, which are essential for our Connector  and Egress  access mechanisms, as well as for allowing Fluid Attacks talent to navigate the Internet safely using Cloudflare WARP .

Alternatives

The following alternatives were considered but not chosen for the following reasons:

• Akamai : It is not as widely used, resulting in less community support. It is much more expensive and setting up its services seems more complicated when comparing it to Cloudflare .
• AWS Certificate Manager : Creating digital certificates required to also manage DNS  validation records.
• AWS CloudFront : Creating distributions was very slow. Connecting them to an S3 bucket and maintaining such a connection was necessary. A Lambda  was required in order to support accessing URLs without having to specify index.html at the end. Overall speaking, too much overhead was required to make things work.
• AWS Route53 : This service does not support DNSSEC . It is not as fast or as flexible as Cloudflare’s DNS .
• AWS Web Application Firewall : It needs to be connected to a load balancer serving an application; it does not work for static sites . It is not as flexible as Cloudflare’s Web Application Firewall .
• Tailscale:  It is only a ZTNA solution, whereas Cloudflare does many other things (DDoS mitigation, rate limiting, anti-bot, DNS, etc.). It did not support Egress IPs , which is essential for the Egress  access mechanism. Being able to do so is essential for Fluid Attacks’ platform to be able to display ZTNA navigation logs. It does not provide a client for safely navigating the Internet.
• NoPorts : It is only a ZTNA solution, whereas Cloudflare does many other things (DDoS mitigation, rate limiting, anti-bot, DNS, etc.). It had a much more complex installation process . It did not support Egress IPs , which is essential for the Egress  access mechanism. It did not support navigation logging, which is essential for Fluid Attacks’ platform to be able to display ZTNA navigation logs. In general, it looks like a very basic solution for establishing SSH, SFTP or RDP connections to personal devices via the Internet. It does not provide a client for safely navigating the Internet.
• ZeroTier : It is only a ZTNA solution, whereas Cloudflare does many other things (DDoS mitigation, rate limiting, anti-bot, DNS, etc.). It did not support Egress IPs , which is essential for the Egress  access mechanism. It did not support navigation logging, which is essential for Fluid Attacks’ platform to be able to display ZTNA navigation logs. In general, it looks like a very basic solution for establishing SSH, SFTP or RDP connections to personal devices via the Internet. It does not provide a client for safely navigating the Internet.
• Genians : It is only a ZTNA solution, whereas Cloudflare does many other things (DDoS mitigation, rate limiting, anti-bot, DNS, etc.). It did not support Egress IPs , which is essential for the Egress  access mechanism. It did not support navigation logging, which is essential for Fluid Attacks’ platform to be able to display ZTNA navigation logs. It focuses on on-premise architectures and relies on having servers or virtual machines completely focused on managing the ZTNA network, which increases complexity and introduces a single point of failure. Its documentation is way harder to understand compared to other alternatives. Its implementation is way more complex when compared to other alternatives. It does not provide a client for safely navigating the Internet.

Usage

We use Cloudflare  for:

• Overall network configurations 
• DNS Records 
• HTTP Redirections 
• Managing security headers 
• Managing digital certificates 
• Managing rate limiting 
• Managing CDN Cache 
• Hosting .com and .io supported TLDs  using Cloudflare Registrar 
• Allowing Fluid Attacks to connect to applications owned by its clients via Connector  or Egress  access mechanisms
• Allowing Fluid Attacks employees to navigate the Internet safely using Cloudflare WARP 

We do not use the following Cloudflare  services:

• Argo Tunnel  (pending review).
• Railgun : Only supported on apt and yum.
• Hosting domains with .co and .la are not supported TLDs . For these domains, we use GoDaddy .