Full Report
In our post about Project Glasswing, we made the argument that the architecture around a vulnerability matters more than the speed of the patch. Here we walk through what that architecture looks like, the threats it defends against, and how we run it ourselves as Cloudflare's customer zero.
Analysis Summary
# Best Practices: Resilient Vulnerability Architecture (Project Glasswing)
## Overview
These practices shift the focus from "reactive patching" to "proactive architectural defense." By implementing a Zero Trust architecture, organizations can neutralize the impact of vulnerabilities (such as RCEs or credential leaks) even before a patch is available or applied.
## Key Recommendations
### Immediate Actions
1. **Identity-Based Access Control:** Replace traditional VPNs with an Identity Provider (IdP) linked to a Zero Trust reverse proxy. This ensures that even if an application is vulnerable, it is not reachable by unauthenticated users.
2. **MFA Everywhere:** Enforce multi-factor authentication (MFA), preferably hardware-based (FIDO2), for every internal application access point.
3. **Hide the Attack Surface:** Disable all inbound "allow" rules on your firewall for web applications. Use an outbound-only connector (like a Zero Trust tunnel) to expose services to the internet via a secure gateway.
### Short-term Improvements (1-3 months)
1. **Device Posture Checks:** Integrate endpoint management (MDM) with your gateway. Only allow devices that are encrypted, running updated OS versions, and company-managed to access internal tools.
2. **Implementation of Private Routing:** Move internal applications to private IP ranges that do not route to the public internet, accessible only through a Zero Trust client.
3. **Application-Specific Policies:** Move away from "all or nothing" network access. Create granular policies where User A can only see Application A, not the entire subnet.
### Long-term Strategy (3+ months)
1. **Infrastructure as Code (IaC) for Security:** Standardize all application deployments through Terraform or similar tools to ensure security headers, WAF rules, and access policies are consistent.
2. **Browser Isolation:** For highly sensitive or high-risk applications, use Remote Browser Isolation (RBI) to execute code in a disposable container rather than on the user's local machine.
3. **SaaS Connectivity Architecture:** Apply the same Zero Trust principles to third-party SaaS apps via CASB (Cloud Access Security Broker) to prevent data exfiltration.
## Implementation Guidance
### For Small Organizations
- **Focus on Identity:** Leverage a single IdP (like Google Workspace or Microsoft Entra ID) and connect it to a Zero Trust platform to secure your top 5 most used internal tools.
- **Eliminate Port Forwarding:** Use tunnels to bypass the need for complex firewall management.
### For Medium Organizations
- **Segment by Department:** Group applications by functional roles (e.g., Finance, Engineering) and apply group-based access policies.
- **Automate Onboarding:** Sync your HR system with your IdP to ensure instant access revocation when an employee leaves.
### For Large Enterprises
- **Zero Trust for Legacy Systems:** Use secure connectors to "wrap" older, un-patchable legacy hardware or on-prem servers in a modern identity layer.
- **Global Traffic Management:** Deploy security at the edge to ensure that low latency is maintained while inspecting encrypted traffic at scale.
## Configuration Examples
*While specific code depends on the vendor, a standard "Glasswing" style policy follows this logic:*
* **Rule Type:** Allow
* **Action:** Service Auth
* **Criteria:**
    * **Identity:** User belongs to `@company.com` + Group `Engineering`.
    * **Authentication:** MFA Required (hard key).
    * **Posture:** Device is "Managed" AND "Gateway Client Active".
    * **Location:** Origin must be from a sanctioned country list.
* **Result:** Application is invisible to any request not meeting 100% of these criteria.
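The policy logic above, written out as an added, vendor-neutral evaluator (example code, not from the Cloudflare post or product): every criterion must pass, a missing posture or identity signal is treated as a failure rather than as "unknown", and a denied request receives the same 404 a non-existent host would, so the application stays invisible. The `RequestContext` fields, the sanctioned-country list and the `hardware_key` MFA label are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed values mirroring the Glasswing-style rule in the text (assumptions).
SANCTIONED_COUNTRIES = {"US", "CA", "GB", "DE"}
REQUIRED_DOMAIN = "company.com"
REQUIRED_GROUP = "Engineering"


@dataclass
class RequestContext:
    """Signals the gateway holds for one request. None means 'not asserted'."""
    email: Optional[str] = None
    groups: tuple = ()
    mfa_method: Optional[str] = None          # e.g. "hardware_key", "totp", "sms"
    device_managed: Optional[bool] = None     # posture signal from MDM
    gateway_client_active: Optional[bool] = None
    country: Optional[str] = None


def evaluate_policy(ctx: RequestContext) -> tuple[bool, list[str]]:
    """Return (allowed, failed_checks). All criteria are ANDed; any signal that
    is absent or not exactly the required value fails closed."""
    failures: list[str] = []
    # Identity: compare the domain after the last '@', not a suffix match,
    # so lookalikes such as user@company.com.evil.example do not pass.
    domain = ctx.email.rsplit("@", 1)[-1].lower() if ctx.email and "@" in ctx.email else None
    if domain != REQUIRED_DOMAIN:
        failures.append("identity:domain")
    if REQUIRED_GROUP not in ctx.groups:
        failures.append("identity:group")
    # Authentication: only a hardware-backed factor satisfies "hard key".
    if ctx.mfa_method != "hardware_key":
        failures.append("auth:mfa_hard_key")
    # Posture: 'is not True' rejects both False and a missing (None) signal.
    if ctx.device_managed is not True:
        failures.append("posture:managed")
    if ctx.gateway_client_active is not True:
        failures.append("posture:gateway_client")
    if ctx.country not in SANCTIONED_COUNTRIES:
        failures.append("location:country")
    return (not failures, failures)


def gateway_response(ctx: RequestContext) -> int:
    """HTTP status the gateway returns. Failure reasons go to the audit log
    only; the client sees 404 so the application's existence is not revealed."""
    allowed, failures = evaluate_policy(ctx)
    if not allowed:
        print(f"deny {ctx.email!r}: {failures}")  # audit log line, never sent to client
        return 404
    return 200
```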
## Compliance Alignment
- **NIST SP 800-207:** Directly aligns with Zero Trust Architecture (ZTA) tenets.
- **CISA Zero Trust Maturity Model:** Supports the "Identity," "Device," and "Network" pillars.
- **ISO/IEC 27001:** Addresses access control (A.9) and system acquisition/maintenance (A.14).
- **SOC2 Type II:** Provides evidence of continuous monitoring and restricted access controls.
## Common Pitfalls to Avoid
- **The "Crunchy Shell" Mistake:** Relying on a strong perimeter (firewall) but having no internal controls once a single vulnerability is exploited.
- **Trusting IP Whitelisting:** IP addresses are easily spoofed or shared (NAT); use Identity and Device Posture instead.
- **Patching Fatigue:** Focusing solely on the speed of the patch rather than building a network that makes the vulnerability unexploitable in the first place.
## Resources
- **Cloudflare Zero Trust Documentation:** hXXps[://]developers[.]cloudflare[.]com/cloudflare-one/
- **CISA Zero Trust Guide:** hXXps[://]www[.]cisa[.]gov/zero-trust-maturity-model
- **Project Glasswing Methodology:** [Link to original Cloudflare blog post]