What is Cloudflare VPN?
Leveraging its content delivery network and DDoS protection infrastructure, Cloudflare has expanded its services to include Secure Access Service Edge (SASE). Companies can adopt a subset of Cloudflare’s SASE offering to create a Zero Trust alternative to their legacy VPN systems.
Launched in 2010, Cloudflare has built a distributed infrastructure that puts 95% of the internet population within 10ms of a Cloudflare server. When users worldwide access Cloudflare-hosted websites or services, they get low-latency connections and a better experience.
Cloudflare has used this infrastructure to expand into a range of network services, including its SASE offering, Cloudflare One. A secure, cloud-based wide-area network service, Cloudflare One consists of five components:
- Cloudflare Access (VPN alternative and CASB)
- Cloudflare Gateway (secure web gateway)
- Cloudflare Magic Firewall (firewall as a service)
- Cloudflare Magic WAN (WAN as a service)
- Cloudflare Global Network (SD-WAN)
Companies looking for a more focused replacement for their legacy VPN systems can get Cloudflare Teams, a bundle of Cloudflare Access and Cloudflare Gateway.
Cloudflare Access uses Zero Trust principles to connect a company’s users and resources. Security rules are enforced when users connect to the Cloudflare network. Once the user is authenticated and authorized, they connect to a resource.
Cloudflare Gateway is an advanced web filter that keeps unauthorized or malicious activity from penetrating protected networks. The Gateway’s activity logging lets companies audit user activity even when using SaaS applications.
Cloudflare use cases
- Provide secure access for on-premises and remote users
- Provide secure access for third-party users
- Secure access to cloud-based resources
- Migrate to a distributed Zero Trust architecture
Cloudflare pros
- Advanced threat protection reduces attack surfaces
- Improved user experience on Cloudflare’s low-latency network
- End-to-end encryption between user devices and resources
- Security policies set by identity and device
- Detailed user and device activity logging
- Free pricing tier supports up to 50 users and three network locations
Cloudflare cons
- Although encrypted, all company data passes through Cloudflare’s infrastructure
- Work-related or not, all user traffic passes through Cloudflare by default
- Split tunneling requires additional configuration
- Compatibility issues may require legacy VPN for specific applications
- Legacy VPNs and firewalls may interfere with Cloudflare’s WARP client
What is Twingate?
Whether resources run on-premises, in a private cloud, or are provided by a SaaS vendor, Twingate’s software-defined perimeter hides them from the network. Hackers cannot see the resources even if they penetrate a protected network, which reduces the attack surface and limits lateral movement.
Administrative consoles simplify the management of role-based policies based on principles of least privilege. As a result, permissions are provided on a just-in-time, need-to-know basis. Twingate makes it easier to manage privileged credentials and reduces the risks created by compromised credentials.
Twingate delivers benefits beyond secure access control. Company networks become more performant and productivity improves. Direct, encrypted connections between users and cloud resources shift traffic off the company network without compromising security. In addition, these low-latency connections improve the user experience and employee productivity.
Twingate use cases
- Single system for controlling access for all users
- Single system for protecting on-premises and cloud resources
- Fast, low-impact pathway to Zero Trust architecture
- Eliminate overlapping security and access control systems
Twingate pros
- Reduced attack surface makes breaches more difficult
- Smaller blast radius when attacks succeed
- No changes to networks, resources, or user devices needed
- Coexists with existing security stack
- Easier administration through unified consoles
- Deploy Twingate in less than 15 minutes
Twingate cons
- Free pricing tier limited to five users and one network
- Most advanced features require an enterprise pricing tier
The old way of protecting networks relies too much on trust. VPN gateways are designed to grant full access to the protected network. But since they publish their presence, VPN gateways are easily discovered. Exploiting a gateway’s vulnerabilities — or simply compromising a user’s credentials — lets hackers access everything on the network.
Zero Trust is a modern security paradigm that addresses the challenges legacy VPN architectures create. However, Cloudflare and Twingate implement Zero Trust in very different ways.
Cloudflare replaces a company’s protected network with its own protected network. A resource is connected to the nearest Cloudflare data center. On the user’s device, the WARP client app contacts its closest Cloudflare data center. Once authenticated and authorized, Cloudflare creates an encrypted tunnel from the user’s device to the protected resource through the various data centers.
Twingate creates a more complete separation between the control plane and the data plane. Access control policies are distributed from a Twingate server. Policy enforcement, however, is executed by the client app and the resource. The encrypted tunnel between client and resource follows the most direct route across the internet or a private network.
As networking becomes more distributed, the centralized topology of VPN systems undermines network performance. Concentrating all traffic through VPN gateways forces users to compete for throughput. At the same time, backhauling traffic destined for the cloud through the company network adds latency and creates poor user experiences.
Cloudflare eliminates VPN’s performance impacts by leveraging its CDN’s global point-of-presence (PoP) network. Users and resources connect to the nearest Cloudflare PoP. All traffic flows through Cloudflare’s network and bypasses the public internet. By default, however, that traffic includes the user’s web browsing and other non-essential activity.
Twingate, on the other hand, uses an architecture that turns every device into a local PoP. Little data passes between the client app and Twingate’s control system: just enough to coordinate authentication and distribute access control rules. All company data flows directly between users and resources along the most performant routes. In addition, Twingate enables split tunneling by default, so web browsing and other non-essential traffic passes over the public internet.
VPN technology has become more challenging to use and manage. In a typical workday, remote users access many resources hosted in different locations. Each on-premises subnet requires a unique VPN gateway. Cloud resources require their own VPN gateways. Users must adapt to this fractured system just to get their jobs done.
As complex as this is for users, it pales compared to the administrator’s experience. They must maintain policies across multiple systems. In addition, the constant flow of vulnerabilities, exploits, and patches requires continuous vigilance.
Both Twingate and Cloudflare make remote access much easier for users and administrators alike. By replacing a company’s network with its own, Cloudflare takes on network management responsibilities. Users simply activate their WARP client to get access to needed resources.
Twingate’s approach simplifies the user experience even further. The Twingate Client operates seamlessly in the background, automatically routing protected and personal traffic as needed. For administrators, simple consoles reduce the management of user permissions and access rules to a few mouse clicks.
When a company suddenly needs to turn its office employees into an at-home workforce, its legacy VPN solution will require significant upgrades.
Unfortunately, VPN architectures are brittle and resistant to change. Expanding capacity requires expensive investments in hardware and licenses. And since VPN technologies are tightly coupled to a company’s network architecture, any change must be carefully planned to minimize disruption.
Both Twingate and Cloudflare provide more responsive solutions for today’s dynamic business environment. Administrators simply add or remove users to respond to changing business needs.
Both Twingate and Cloudflare support subscribers of their respective free pricing tiers with community forums. Paid subscribers to both services get email support, but Cloudflare also offers phone and chat support options. In both cases, Enterprise-level clients get priority support.
Twingate’s approach to Zero Trust extends beyond access control with advanced security features. The Twingate Client can evaluate device posture before establishing connections to protected resources. Security rules can deny access until the operating system is updated or other remediation restores the device to compliance.
When companies implement Twingate’s access control solution, they get detailed activity logs indexed by user and device. Activity baselines let network administrators quickly identify unusual behavior. The resulting faster response times limit the blast radius of a successful breach.
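As an added illustration of the baselining idea described above (this is not Twingate’s code, and the log format, user names, device names and resource names are all constructed), the following Python builds a per-user baseline from a training window of access records and flags later events that depart from it: an unseen device, a first-time resource, or a day in which a user reaches more distinct resources than ever before.

```python
from collections import defaultdict
# Constructed sample records in the shape of a per-user, per-device access log:
# (timestamp, user, device, resource). This is NOT Twingate's real log format.
BASELINE_LOG = [
    ("2024-05-01T09:02:00", "alice", "alice-mbp", "git.internal"),
    ("2024-05-01T09:10:00", "alice", "alice-mbp", "jira.internal"),
    ("2024-05-02T09:05:00", "alice", "alice-mbp", "git.internal"),
    ("2024-05-02T14:30:00", "alice", "alice-mbp", "jira.internal"),
    ("2024-05-01T10:00:00", "bob", "bob-win", "db-prod:5432"),
    ("2024-05-02T10:15:00", "bob", "bob-win", "db-prod:5432"),
]
NEW_LOG = [
    ("2024-05-03T09:00:00", "alice", "alice-mbp", "git.internal"),      # routine
    ("2024-05-03T02:17:00", "alice", "unknown-linux", "db-prod:5432"),  # new device + resource
    ("2024-05-03T02:18:00", "alice", "unknown-linux", "ssh-bastion:22"),
    ("2024-05-03T02:19:00", "alice", "unknown-linux", "fileshare.internal"),
    ("2024-05-03T10:00:00", "bob", "bob-win", "db-prod:5432"),          # routine
]

def build_baseline(records):
    """Per user: devices and resources seen, plus the largest number of distinct
    resources reached on any single day (a simple measure of normal breadth)."""
    devices, resources, per_day = defaultdict(set), defaultdict(set), defaultdict(set)
    for ts, user, device, resource in records:
        devices[user].add(device)
        resources[user].add(resource)
        per_day[(user, ts[:10])].add(resource)  # ts[:10] is the ISO date part
    breadth = defaultdict(int)
    for (user, _), day_resources in per_day.items():
        breadth[user] = max(breadth[user], len(day_resources))
    return {"devices": devices, "resources": resources, "breadth": breadth}

def find_anomalies(baseline, records):
    """Return (timestamp, user, reason) for each event that departs from the user's
    baseline: unseen device, first-time resource, or unprecedented daily breadth."""
    findings, seen_today = [], defaultdict(set)
    for ts, user, device, resource in records:
        if device not in baseline["devices"][user]:
            findings.append((ts, user, f"new device {device}"))
        if resource not in baseline["resources"][user]:
            findings.append((ts, user, f"first access to {resource}"))
        day_resources = seen_today[(user, ts[:10])]
        day_resources.add(resource)
        if len(day_resources) == baseline["breadth"][user] + 1:  # fire once on crossing
            findings.append((ts, user, f"resource breadth {len(day_resources)} exceeds baseline"))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE_LOG), NEW_LOG):
        print(*finding)
```

Only alice’s off-hours burst from an unknown device is reported; bob’s routine database access and alice’s usual morning git access produce no findings.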
Too many users have access to SSH and other network services. This makes it easier for cybercriminals to penetrate deeper into a network. By extending multi-factor authentication through Twingate, companies limit which users can access these tools and make lateral movement more challenging.
With VPN a growing point of vulnerability, organizations of all sizes are turning to solutions based on Zero Trust. Twingate’s modern approach to secure access control fits today’s more distributed networks and workforces.
Direct connections between users and protected resources deliver the security, usability, and performance improvements companies need. And since a Twingate implementation requires no changes to existing networks, companies can deploy Zero Trust in minutes.
Take Twingate for a spin with our free Starter tier for individual or small team use. Or contact us to learn how Twingate’s Zero Trust solution makes access control simpler and more secure.