Was looking into this today and this video came up, so thought I’d share
Summary:
This video is about securing Cloudflare tunnels with VLANs and an internal firewall.
The speaker, Jim, argues that while Cloudflare tunnels are a great technology, they can introduce security risks because all the traffic that comes into your network is visible to Cloudflare. To mitigate these risks, Jim suggests segmenting your internal network and adding extra layers of security.
Here are the key steps to secure Cloudflare tunnels with VLANs and an internal firewall according to Jim:
- Create a macvlan network for the Cloudflare tunnel. This will isolate the traffic coming from the tunnel from the rest of your network.
- Add an internal firewall rule to allow traffic only from the macvlan network to the specific port where your service is running. This will restrict the Cloudflare tunnel’s access to only the resources it needs.
- Configure your firewall to perform IDS/IPS on the traffic coming from the Cloudflare tunnel. This will help to identify and block malicious traffic.
By following these steps, you can add extra layers of security to your network and reduce the risk of a breach even if your Cloudflare tunnel is compromised.
Jim also mentions that a next-generation firewall can be used for additional security benefits. This type of firewall can perform deeper inspections of traffic and provide better protection against sophisticated attacks.
Overall, the video provides a good overview of the security risks associated with Cloudflare tunnels and how to mitigate those risks using VLANs and an internal firewall.
This is really just best practice for any arbitrary sort of external access; even if you’re using some sort of VPN (WireGuard, Tailscale, it doesn’t matter) to get back into your network, as long as there’s an external way into your network, you want to drop that into its own isolated area, so in the event a malicious attacker gets through, they’re sandboxed to the area you allow them into.
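The two artifacts the summary's steps describe, written out as an added example (this is not the video's or either poster's configuration): a docker-compose file that puts cloudflared on its own macvlan network, and an nftables forward policy for the router between that VLAN and the LAN that lets the tunnel host open connections only to the one service port. Interface name, VLAN ID, subnets, the cloudflared address, the service address and the port are all assumptions for illustration; the script only prints the two files so you can review them before applying anything.

```shell
#!/bin/sh
# Added example, not code from the video or the thread. Every interface,
# VLAN and address below is an assumption; change them to match your network.

TUNNEL_VLAN_IF="eth0.30"        # assumed: tagged VLAN 30 sub-interface on the Docker host
TUNNEL_SUBNET="10.30.0.0/24"    # assumed: the isolated VLAN the tunnel container lives on
TUNNEL_GATEWAY="10.30.0.1"      # assumed: the firewall's address on that VLAN
CLOUDFLARED_IP="10.30.0.50"     # assumed: static address for the cloudflared container
SERVICE_IP="10.10.0.20"         # assumed: the internal host that serves the published app
SERVICE_PORT="8443"             # assumed: the only port the tunnel may reach
LAN_RANGES="10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16"   # private ranges the tunnel must not roam

# Print a docker-compose file that attaches cloudflared to a macvlan network.
# The container gets its own address on the tunnel VLAN, so its traffic has to
# cross the firewall to reach the service instead of riding the Docker bridge.
gen_compose() {
  cat <<EOF
services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    command: tunnel run
    environment:
      # the tunnel token comes from the Cloudflare Zero Trust dashboard; keep it in an env file
      - TUNNEL_TOKEN=\${TUNNEL_TOKEN}
    restart: unless-stopped
    networks:
      tunnel_vlan:
        ipv4_address: ${CLOUDFLARED_IP}

networks:
  tunnel_vlan:
    driver: macvlan
    driver_opts:
      parent: ${TUNNEL_VLAN_IF}
    ipam:
      config:
        - subnet: ${TUNNEL_SUBNET}
          gateway: ${TUNNEL_GATEWAY}
EOF
}

# Print an nftables forward policy for the router between the tunnel VLAN and
# the LAN. The cloudflared address may open new connections only to
# SERVICE_IP:SERVICE_PORT; anything else from that VLAN toward private ranges
# is logged and dropped. Outbound traffic to Cloudflare's edge is unaffected
# because those destinations are not in LAN_RANGES.
gen_nft() {
  cat <<EOF
table inet tunnel_guard {
  chain forward {
    type filter hook forward priority 0; policy accept;

    # replies for connections the service already accepted
    ct state established,related accept

    # the one allowed path: cloudflared -> service port
    ip saddr ${CLOUDFLARED_IP} ip daddr ${SERVICE_IP} tcp dport ${SERVICE_PORT} ct state new accept

    # everything else from the tunnel VLAN toward internal ranges is denied and logged
    ip saddr ${TUNNEL_SUBNET} ip daddr { ${LAN_RANGES} } log prefix "tunnel-guard drop: " drop
  }
}
EOF
}

# Self-check: the policy should contain exactly two accept rules
# (established/related, and the single service path).
count_accepts() { gen_nft | grep -c ' accept$'; }

# Review the output, then apply it yourself, e.g.
#   ./tunnel-guard.sh compose > docker-compose.yml
#   ./tunnel-guard.sh nft | sudo nft -f -      (on the router, not the Docker host)
case "${1:-}" in
  compose) gen_compose ;;
  nft)     gen_nft ;;
  *)       echo "usage: $0 compose|nft" >&2 ;;
esac
```

Two caveats a practitioner will hit: a macvlan container is not reachable from its own Docker host by default, so the allow/drop rules have to live on the firewall that routes between the VLANs, not on the host running cloudflared; and the drop rule's log prefix is what gives an IDS/IPS or a log pipeline something to alert on when the tunnel container starts probing addresses it was never meant to reach.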