SOCFortress Integrations — CloudFlare

3 min readJul 8, 2023

Intro

Cloudflare provides a range of internet security and performance services.

It operates as a content delivery network (CDN) and distributed DNS (Domain Name System) service provider.

Cloudflare’s primary aim is to optimize and protect websites, applications, and online services from various online threats and to improve their performance.

CloudFlare Services

Cloudflare’s services are widely used by websites, online services, and organizations of all sizes to enhance security, improve performance, and ensure reliable availability. By leveraging its global network infrastructure and advanced technologies, Cloudflare aims to make the internet safer, faster, and more reliable for users and website owners.

1. Content Delivery Network (CDN): Cloudflare operates a global network of servers strategically placed across different locations worldwide. These servers store cached versions of websites’ static content, such as images, CSS, and JavaScript files. When a user requests a website, Cloudflare delivers the content from the server closest to the user, enhancing page load times and reducing bandwidth usage.

2. DDoS Protection: Cloudflare offers robust Distributed Denial of Service (DDoS) protection, safeguarding websites and online services from malicious attacks that attempt to overwhelm servers with an excessive amount of traffic. By leveraging their extensive network infrastructure and traffic filtering capabilities, Cloudflare can mitigate and absorb large-scale DDoS attacks, ensuring that websites remain online and accessible.

3. DNS Management: Cloudflare provides DNS services, enabling users to manage and control their domain names and associated DNS records. Cloudflare’s DNS service helps optimize the speed and security of DNS resolution, translating domain names into IP addresses and directing traffic efficiently.

4. SSL/TLS Encryption: Cloudflare offers SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption for websites, ensuring that data transmitted between users and websites remains secure and protected from eavesdropping or tampering. Cloudflare provides SSL certificates and handles the encryption process, making it easier for website owners to implement secure connections.

5. Web Application Firewall (WAF): Cloudflare’s WAF protects websites and applications from various types of web-based attacks, such as cross-site scripting (XSS), SQL injection, and malicious bot traffic. It applies predefined security rules and continuously analyzes incoming traffic to identify and block potential threats.

6. Load Balancing and Traffic Routing: Cloudflare offers load balancing capabilities to distribute incoming network traffic across multiple servers or data centers, helping optimize performance and minimize downtime. Additionally, it provides intelligent traffic routing features, allowing organizations to direct traffic based on specific rules, such as geolocation or performance metrics.

Ingesting CloudFlare Logs and Security Events.

Python script, “cf-logs-downloader” available on Github

Requirements:

CloudFlare Zone ID(s)
CloudFlare API Token
Fluent-Bit (Or any other log shipper).

The executable included in the repo can be installed as a systemd service that’ll take care of making API calls and pulling out logs and security events.

CloudFlare Logs and Security Events — Visualizations.

HTTP Connections by method and TLS version

CloudFlare WAF Actions

HTTP Connections by method and TLS version

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/