Barracuda Web Application Firewall 964
Security and DDoS Protection Against Automated & Targeted Attacks
Click here to jump to more pricing!
Barracuda Networks Web Application Firewall Overview:
The Barracuda Web Application Firewall blocks an ever-expanding list of sophisticated web-based intrusions and attacks that target the applications hosted on your web servers—and the sensitive or confidential data to which they have access.
Barracuda Web Application Firewall gives your DevOps and application security teams comprehensive security that is easy to deploy and manage. Physical, virtual, and in the cloud—Barracuda Web Application Firewall eliminates application vulnerabilities and protects your web applications against application DDoS, SQL Injection, Cross-Site Scripting, and other advanced attacks.
The Barracuda Advantage
- State-of-the-art security utilizing full reverse-proxy architecture
- Malware protection for collaborative web applications
- Employs IP Reputation intelligence to defeat DDoS attacks
- No user-based or module-based licensing
- Designed to make it easier for organizations to comply with regulations such as PCI DSS and HIPAA
- Cloud-based scan with Barracuda Vulnerability Manager
- Automatic vulnerability remediation
Product Spotlight
- Comprehensive inbound attack protection including the OWASP Top 10
- Built-in caching, compression, and TCP pooling ensure security without performance impacts
- Identity-based user access control for web applications
- Built-in data loss prevention
- ICSA certified
Constant Protection from Evolving ThreatsThe Barracuda Web Application Firewall provides superior protection against data loss, DDoS, and all known application-layer attack modalities. Automatic updates provide defense against new threats as they appear. As new types of threats emerge, it will acquire new capabilities to block them. |
|
Identity and Access ManagementThe Barracuda Web Application Firewall has strong authentication and access control capabilities that ensure security and privacy by restricting access to sensitive applications or data to authorized users. |
|
Affordable and Easy to UsePre-built security templates and intuitive web interface provide immediate security without the need for time-consuming tuning or application learning. Integration with security vulnerability scanners and SIEM tools automates the assessment, monitoring, and mitigation process. |
Secure Applications On-Premises or in the Public Cloud
The Barracuda Web Application Firewall provides comprehensive, reverse-proxy-based protection for applications deployed in physical, virtual, or public cloud environments data centers. In addition to applications hosted on-premises, Barracuda Web Application Firewall can natively scale and migrate with applications deployed in public cloud platforms like Amazon Web Services (AWS) and Microsoft Azure.
Available with flexible pricing options including bring-your-own-license and pay-as-you-go via AWS Marketplace and Azure Marketplace, the Barracuda Web Application Firewall is built to can help you seamlessly transition from on-premises to cloud infrastructures while maintaining the same familiar experience.
Protect servers, applications, and data from web-based attacks:
Protect Applications and Data from Advanced Threats
The Barracuda Web Application Firewall blocks an ever-expanding list of sophisticated web-based intrusions and attacks that target the applications hosted on your web servers—and the sensitive or confidential data to which they have access.
Benefits:
|
|
|
|
|
|
|
Features:
Application Attack and DDoS Protection
The Barracuda Web Application Firewall provides robust security against targeted and automated attacks. OWASP Top 10 attacks like SQL Injections and Cross-Site Scripting (XSS) are automatically identified and logged. Administrators have the ability to set granular controls on response, allowing them to block, throttle, redirect, or perform a number of other actions.
Advanced DDoS protection capabilities allow administrators to distinguish real users from botnets through the use of heuristic fingerprinting and IP reputation, thereby allowing them to block, throttle, or challenge suspicious traffic. It is the only product in the industry to offer integrated IP reputation intelligence that combines real-time situational insights and historical intelligence to secure against application DDoS using a variety of risk assessment techniques such as application-centric thresholds, protocol checks, session integrity, active and passive client challenges, historical client reputation blacklists, geo-location, and anomalous idle-time detection.
Adaptive Profiling
Adaptive profiling enables administrators to build positive security profiles of their applications by sampling web traffic from trusted hosts. Once enabled, the positive security profiles allow administrators to enforce granular whitelist rules on sensitive parts of the application. This greatly reduces the risk of attacks and helps prevent zero-day vulnerabilities by restricting input only to inputs that meet strict standards.
Server Cloaking
Often the first step of any targeted attack is to probe public-facing applications to find out details about the underlying servers, databases, and operating systems. Cloaking prevents attack reconnaissance of protected applications by suppressing server banners, error messages, HTTP headers, return codes, debug information, or backend IP addresses from leaking to a potential attacker. Without any details of the underlying infrastructure, it is much more difficult to target attacks, thereby reducing the risk of breach.
Protection for Mobile Applications, REST APIs and AJAX
Mobile application and REST APIs today rely on JSON (JavaScript Object Notation) to transfer data. However, this opens a whole new attack surface which is often overlooked and hard to secure by traditional scan-testing or pen-testing approaches. The Barracuda Web Application Firewall secures the entire attack surface of mobile applications and REST APIs, filters malicious inputs in requests with JSON payloads, helps ensure API SLAs to partners, and provides anti-pharming protection from rogue consumers. Interactive web applications using JSON with AJAX are similarly protected.
XML Firewall
Applications that rely on XML can now be secured with an XML Firewall capability that secures applications against schema and WSDL poisoning, highly-nested elements, recursive parsing, and other XML-based attacks. This secures communications between client and application or between applications from different systems closing an often overlooked attack vector.
Web Scraping Protection
Web Scraping involves copying large amounts of data from a website or application using automated tools. This is often done for commercial advantages that are to the detriment of the organisation that owns the web application. Typically, the motivation of the attacker is to undercut competition, steal leads, hijack marketing campaigns, and appropriate data via the web application. Examples include theft of intellectual property from digital publishers, scraping products and pricing information from e-commerce sites, and stealing listings on real estate, auto dealers and travel sites.
The Barracuda Web Application Firewall protects against web scraping by detecting and blocking malicious bots from accessing the website. Advanced detection techniques include the ability to set honeytraps to identify malicious bots and headless browser detection. Site administrators can also set whitelists for allowing specific bots, such as search engine crawlers to access the website. The Barracuda Web Application Firewall validates all bot traffic against known signatures before allowing them access to the website.
Data Loss Prevention
Deployed as a reverse-proxy, the Barracuda Web Application Firewall inspects all inbound traffic for attacks and outbound traffic for sensitive data. Content such as credit card numbers, U.S. social security numbers, or any other custom patterns can be identified by the Barracuda Web Application Firewall and either blocked or masked without administrator intervention. Best of all, the information is logged and can be used by administrators to find potential leaks.
Iron-clad URL Tamper Prevention via URL Encryption
Attacks on a web-based application often start by analyzing and tampering with its URLs. Barracuda Web Application Firewalls, models 660 and above, come with a unique URL Encryption feature that allows administrators to encrypt URLs before they are sent to clients. The original URLs or the directory structure are never exposed externally to prying eyes. Users of the web applications interact and navigate the site using only encrypted URLs, which are decrypted by the WAF on the way back in. The decryption process immediately identifies URL query or parameter tampering, malicious content injection or blind forceful browsing attacks.
Compliance
The Barracuda Web Application Firewall is designed to provide easy, cost-effective assistance to help administrators comply with major application-specific requirements like PCI-DSS, HIPAA, FISMA, and SOX. It is certified by a number of third-party testing labs including ICSA Labs as an effective Web Application Firewall solution. The Barracuda Web Application Firewall directly satisfies section 6.6 of PCI-DSS and assists compliance with built-in PCI compliance reports. Its robust identity and access management and data loss prevention (DLP) capabilities ensure privacy of sensitive data. A FIPS 140-2 HSM model ensures that applications it protects meet the highest cryptographic standards.
Integrations: Cavium Networks
Vulnerability Scanner Integration
Security organizations often use vulnerability scanners to look for exploitable weaknesses in their applications. Barracuda has the ability to integrate with popular scanners like IBM AppScan and Cenzic Hailstorm to automatically configure an application's security template to protect against identified issues. All of this is automatically configured using the output of the scanners without any administrator intervention.
Integrations: Barracuda Vulnerability Manager, Cenzic Hailstorm, HPE Security WebInspect , HPE Security Fortify On Demand , IBM AppScan.
In addition, the Barracuda Web Application Firewall integrates with over 20 vulnerability scanners via Denim Threadfix integration
Advanced Threat Detection
The Barracuda Web Application Firewall seamlessly integrates with Barracuda Advanced Threat Detection (BATP) to provide security against advanced threats. Simply add BATP to the Barracuda WAF to block advanced zero-hour threats. By analyzing files in a CPU-emulation based sandbox, it can detect and block malware embedded deep inside files uploaded to your web site or web application. At a time when advanced threats like ransomware are causing havoc, BATP ensures defense in depth against malicious threats.
Web-Based Identity and Access Management
The Barracuda Web Application Firewall fully integrates Active Directory or any other RADIUS or LDAP-compatible authentication services. Combined with the strong access control capabilities, administrators can provide granular control over which users or groups are able to access specific resources. For securing Kerberos-enabled environments, it can also perform authentication to the protected web application on behalf of the user, including single-sign-on to multiple Kerberos services.
Streamline Identity Federation with Identity Providers, including Azure AD
The Barracuda Web Application Firewall supports the SAML v2 protocol for authentication and web based single sign-on (SSO), which means that it can act as a SAML Service Provider (SP) to SAML-compliant Identity Providers (IdP), saving you from the complexities of implementing SAML on your web servers. This facilitates SSO between the cloud and on-premise web applications as well as interoperability with Azure AD which supports SAML 2.0.
Two-Factor Authentication
The Barracuda Web Application Firewall integrates with a number of two-factor authentication technologies including client certificates, SMS PASSCODES, and hardware tokens such as RSA SecurID to provide strong user authentication.
Integrations: SMS PASSCODES, RSA SecurID
Client IP Reputation & User Access Control
Using client source addresses, organizations can control access to web resources. The Barracuda Web Application Firewall can control access based on GeoIP to limit access only to specified regions. It is also integrated with the Barracuda Reputational Database and can identify suspicious IP addresses, bots, TOR networks and other anonymous proxies that are often used by attackers to hide their identity and location. Once an IP address is identified as a risk, administrators have the ability to block, limit, throttle, or issue a CAPTCHA challenge before allowing access.
Integrations: MaxMind
Pre-Built Security Templates
Pre-built security templates and an intuitive web interface provide immediate security without the need for time-consuming tuning or learning how to use a new application. Included out of the box are common application templates including Exchange, SharePoint, Oracle Financials, PHP, and more.
Automate and Scale with a RESTful API
With the advent of cloud-based computing, data centers have become increasingly programmable and DevOps is now a key area of focus in network, compute and security tiers. Barracuda Web Application Firewall comes with a REST API that enables you to configure and monitor the appliance programmatically. The functionality of the device is exposed in Representational State Transfer compliant interfaces which can be exercised via any programming language of your choice. REST API allows you to automate, reduce time-to-market and costs by leveraging economies of scale in a programmable environment.
Custom Templates for Increased Productivity
Managing application security policies across multiple units can quickly become an error-prone hassle. The Barracuda Web Application Firewall features security templates that provide the ability to define baseline security settings to use as a model for security policies. By using templates, you can quickly create security policies designed to safeguard a specific application, web-portal, platform, framework or parts thereof. Templates increase productivity, reduce manual errors and deployment time, and ensure policy compliance.
Intuitive, Drill-down Reporting
Powerful graphical reporting provides immediate insight into compliance, threat activity, web traffic and regulatory compliance. More than 50 different pre-defined reports are available, which can be easily customized further, using numerous filters for attack types, traffic, time range, and more.
Generated reports are interactive, with drill-down capability. Reports span PCI compliance, security, audit, web traffic and geo-location analytics. They can be generated on-demand, or scheduled for periodic delivery to multiple recipients over email or FTP.
Comprehensive Logging & Reporting
All client requests, administrator modifications, and firewall actions are logged. This provides a comprehensive audit log for compliance and security policy tuning. Data from the logs are used by the Web Application Firewall to build graphical reports on attacks, web traffic, compliance or a number of other analytical reports. Logs can also be exported to 3rd party analytics suite via Syslog or FTP.
Proactive Risk Monitoring via Customizable Alerts
Scheduling alert notifications for risk monitoring and analysis is an important requirement for proactive security administrators. However, this can quickly become overwhelming with multiple security appliances in the data center. Without any correlation or consolidation, advanced persistent threat (APT) activity can go unnoticed.
To overcome this, the Barracuda Web Application Firewall provides alert consolidation and correlation. Custom notifications can be defined using multiple elements like severity, attack type, application, threshold and frequency (for example, configuring thresholds for SQL Injection frequency on application X and also monitoring forceful browsing for the same application). This ensures that important threat activity does not get drowned in the noise, lowers risk profile and operational costs, and increases productivity. Alert notifications can also be customized for hardware components and individual system modules like Authentication, Admin Activity, SSL, etc.
Automatic Security Updates
The attack definitions and signatures on the Barracuda Web Application Firewall are enhanced by an extensive network of more than 150,000 sensors deployed worldwide, which provide Barracuda Labs with data. The information originating from these sensors provide valuable data that is used by Barracuda Labs to create the current security definitions. These definitions are automatically updated and loaded as virtual patches to the Barracuda Web Application Firewall appliances in the field. These updates ensure the highest security posture for critical applications at all times and greatly reduces the time between vulnerability disclosure and repair vulnerabilities. Automatic updates allow administrators to immediately implement real-time security against new threats; they also provide time to the application development teams to exhaustively analyze the issues in the underlying application and fix vulnerabilities when necessary.
High Availability Clustering
Barracuda Web Application Firewalls can be clustered in active / passive or active / active pairs with failover to ensure instant recovery. Security configurations and deployments are automatically synchronized between the clusters, providing instant recovery from any outages.
Application Load Balancing and Monitoring
Barracuda Web Application Firewall supports load balancing of all types of applications. Load balancing ensures that subsequent requests from the same IP address will be routed to the same back-end server as the initial request. This guarantee of persistence requires an awareness of server health so subsequent requests are not routed to a server which is no longer responding. The Barracuda Web Application Firewall can monitor server health by tracking server responses to actual requests and marking the server as out-of-service when errors exceed a user configured threshold. In addition, the Barracuda Web Application Firewall can perform out-of-band health checks, requests created and sent to a server at configured time intervals to verify its health.
Cloud Edition for Microsoft Azure
When migrating data, applications, and/or workloads to the cloud, administrators still need to safely manage both corporate and customer information. In most cases, organizations are still subject to the privacy and compliance directives of their industry, whether HIPAA, SOX, PCI, or others. By integrating the proven application security and data loss prevention capabilities of Barracuda Web Application Firewall (WAF) with Microsoft Azure’s native security features, administrators are in a superior position to deploy secure, reliable, and resilient cloud services in Azure while meeting any regulatory or compliance needs.
Cloud Edition for Amazon Web Services
The Barracuda Web Application Firewall provides proven application security and Data Loss Prevention for applications deployed on Amazon Web Services. AWS Security Competency certified Barracuda Web Application Firewall integrates with AWS Elastic Load Balancer, Cloud Formation Templates and more to support bootstrapped configuration and autoscaling.
PCI DSS Compliance:
Barracuda Web Application Firewalls protect networks against unauthorized access, data leakage, site defacement and other malicious attacks by hackers that compromise both the privacy and integrity of vital data. By installing a Barracuda Web Application Firewall, businesses that store, process and/or transmit credit card numbers can protect their Web applications and achieve PCI DSS compliance in one easy step.
Payment Card Industry Data Security Standard (PCI DSS) Requirements
In response to the increase in identity theft and security breaches, major credit card companies collaborated to create the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. It applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers and service providers, as well as all other entities that store, process or transmit cardholder account data.
The 12 PCI DSS requirements are organized into six main categories that prevent credit card fraud through increased controls around data and its exposure to compromise. To be fully compliant, an organization must satisfy all 12 requirements.
- Maintain a Secure Network: Requirements 1 and 2
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data: Requirements 3 and 4
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program: Requirements 5 and 6
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Implement Strong Access Controls: Requirements 7, 8, and 9
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Regularly Monitor and Test Networks: Requirements 10 and 11
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain an Information Security Policy: Requirement 12
- Maintain a policy that addresses information security
Merchants and organizations should be most concerned with PCI DSS Section 6, which addresses the development and maintenance of secure systems and applications. PCI-DSS compliance requires organizations either submit to code audits or install a Web Application Firewall to secure their public facing Web applications.
A code audit places considerable strain on a company with a large quantity of code that needs to be reviewed. This results in a considerable amount of time and cost for each application. Furthermore, code audit provides a point in time protection; quarterly reviews must be maintained to account for any change in the application code. This burdens organizations by constraining their engineering teams to fixing vulnerabilities rather than continuing to innovate and drive companies forward in the marketplace.
Barracuda Networks Enables PCI DSS Compliance
The simpler alternative to satisfy PCI DSS compliance is to invest and implement a comprehensive Web application firewall. Barracuda Web Application Firewalls are designed to be easy and cost-effective solutions for PCI DSS compliance. It protects Web applications from attacks and ensures a layer of security regardless of the underlying code. Unlike traditional network firewalls or intrusion detection systems that simply pass HTTP/S traffic, Barracuda Web Application Firewalls proxy all traffic and insulate Web servers from direct access by attackers. This helps organizations ensure PCI DSS compliance across major requirements categories:
The Barracuda Web Application Firewall enables PCI DSS compliance across major requirements:
Requirement | Barracuda Web Application Firewall |
---|---|
1 - Install a Firewall | Acts as a Web application firewall |
3 - Protect data | Proxies Web traffic and insulates Web servers from direct access by attackers |
4 - Encryption | Provides easy SSL encryption even if the application or server does not enable SSL |
6 - Protect Against Vulnerabilities | Blocks known and zero-day attacks as well as the industry-accepted top 10 Web application vulnerabilities for custom development, legacy and third-party applications |
7 - Restrict Access | Provides role-based administration to security policies |
10 - Track and Monitor Access | Logs and reports application access and security violations |
Barracuda Web Application Firewalls also protect organizations from Top Web Application Threats listed by the PCI Council or other security organizations. These include:
Vulnerability | Description | Barracuda Web Application Firewall Solution |
---|---|---|
6.5.1 Injection Flaws | Injection flaws are prevalent in Web applications and are often found in SQL queries, LDAP queries, OS commands, and program arguments. | Inspects each client request to the Web application servers for malicious code and blocks any malicious request. |
6.5.2 Buffer Overflow | Overloads memory capacity to execute a malicious program to steal passwords, alter system configuration, install backdoors or launch other attacks. | Rejects malformed requests to Web servers and limits total Web form request length. |
6.5.3 Insecure Cryptographic Storage | Exploits applications that fail to store sensitive information such as credit card numbers as encrypted fields. | Filters and intercepts outbound traffic to prevent the transmission of sensitive information. |
6.5.4 Insecure Communications | Failure by applications to encrypt network traffic containing sensitive communications. | Provides Instant SSL functionality that transforms an HTTP Web site into an encrypted HTTPS site without having to change any code. |
6.5.5 Improper Error Handling | Exploits error messages to gather information about the OS and server versions, patch levels, etc. to launch targeted attacks on the server with known platform vulnerabilities. | Cloaks details of the Web application infrastructure and blocks a server's error messages from being sent out to the client. Filters and intercepts outbound traffic to prevent the transmission of sensitive information. |
6.5.6 All "High" Vulnerabilities Identified |
All "high" vulnerabilities discovered in the vulnerability identification process. | Protects against all of the top threats. Reverse proxy deployment is architecturally superior and more secure than sniffer or bridge solutions. |
6.5.7 Cross Site Scripting (XSS) | Injects malicious code from a trusted source to execute scripts in the victim's browser that can hijack user sessions, deface Web sites, or redirect the user to malicious sites. | Validates user input by terminating session and inspecting incoming requests before forwarding it to the backend servers, blocking it prior to executing within a browser. |
6.5.8 Improper Access Control | No credential checks. Failure to restrict URL access, directory traversal. | Provides a granular URL and form-level rules engine that restricts access to unauthorized resources. Sets up and enforces authentication & authorization policies via integrated LDAP, RADIUS, CA SiteMinder and RSA SecurID. |
6.5.9 Cross Site Request Forgery (CSRF) | Hijacks a browser from a logged in victim to send forged requests without the victim's knowledge. | Injects randomized tokens into online forms to authenticate data streams, eliminating unauthorized or malicious requests. |
With over a decade of experience in securing Web applications, the Barracuda Web Application Firewall is the proven solution used by organizations of all sizes to secure their valuable assets against Web threats.
Model Comparison:
The Barracuda Web Application Firewall blocks an ever-expanding list of sophisticated web-based intrusions and attacks that target the applications hosted on web servers. Below are the hardware specifications for the Web Application Firewall.
Model Comparison | 360 | 460 | 660 | 860 | 960 |
---|---|---|---|---|---|
Capacity | |||||
Backend Servers Supported | 1-5 | 5-10 | 10-25 | 25-150 | 150-300 |
Throughput | 25 Mbps | 50 Mbps | 200 Mbps | 1 Gbps | 5 Gbps |
HTTP Transactions Per Second | 8,000 | 15,000 | 30,000 | 90,000 | 180,000 |
HTTP Connections Per Second | 2,000 | 3,000 | 10,000 | 16,000 | 30,000 |
HTTPS Transactions Per Second | 2,500 | 4,000 | 12,000 | 20,000 | 50,000 |
Concurrent Connections | 90,000 | 150,000 | 500,000 | 950,000 | 1.8M |
Networking | |||||
Advanced Routing | - | - | |||
Multi-port Hardware | - | - | - | ||
Link Bonding | - | - | - | ||
Hardware | |||||
Form Factor | 1U Mini | 1U Mini | 1U Fullsize | 2U Fullsize | 2U Fullsize |
Dimensions (in) | 16.8 x 1.7 x 14 | 16.8 x 1.7 x 14 | 16.8 x 1.7 x 22.6 | 17.4 x 3.5 x 25.5 | 17.4 x 3.5 x 25.5 |
Weight (lb) | 12 | 12 | 26 | 46 | 52 |
Data Path Ports | 2 x 10/100 | 2 x GbE | 2 x GbE | 8 x GbE1 | 8 x GbE1; 2 x 10GbE1 |
Management Port | 1 x 10/100 | 1 x 10/100 | 1 x 10/100/1000 | 1 x 10/100/1000 | 1 x 10/100/1000 |
ECC Memory | |||||
Power Supply | 1 | 1 | 1 | 2 | 2 |
AC Input Current (Amps) | 1.2 | 1.4 | 1.8 | 4.1 | 5.4 |
Voltage | 100-240V 50-60 Hz | 100-240V 50-60 Hz | 100-240V 50-60 Hz | 100-240V 50-60 Hz | 100-240V 50-60 Hz |
Heat Output (BTU/Hr) | 490 | 575 | 740 | 1680 | 2200 |
Operating Temperature | 5°C-35°C (41°F-95°F) | ||||
Operational Relative Humidity | 8% ~ 90% (non-condensing) | ||||
Features | |||||
Response Control | |||||
Advanced Threat Detection2 | |||||
Outbound Data Theft Protection | |||||
File Upload Control | |||||
SSL Offloading | |||||
Authentication and Authorization | |||||
Vulnerability Scanner Integration | |||||
Protection Against DDos Attacks | |||||
Web Scraping Protection | |||||
Network Firewall | |||||
High Availability | Active/Passive | Active/Passive | Active/Active | Active/Active | Active/Active |
JSON Security | |||||
Caching and Compression | |||||
LDAP/RADIUS Integration | |||||
Load Balancing | |||||
Content Routing | |||||
Adaptive Profiling | |||||
Antivirus for File Uploads | |||||
URL Encryption | |||||
XML Firewall |
1 Fiber NIC and Ethernet hard bypass options available.
2 Requires active Advanced Threat Detection subscription
Technical Specs
Web Application Security
- OWASP top 10 protection
- Protection against common attacks
– SQL injection
– Cross-site scripting
– Cookie or forms tampering - Form field meta-data validation
- Adaptive security
- Website cloaking
- URL encryption
- Response control
- JSON payload inspection
- Web scraping protection
- Outbound data theft protection
– Credit card numbers
– Custom pattern matching (regex) - Granular policies to HTML elements
- Protocol limit checks
- File upload contro
- Geo IP location
– Anonymous Proxy - Tor Blocking
Networking
- VLAN, NAT
- Network ACLs
- Advanced routing
Supported Web Protocols
- HTTP/S 0.9/1.0/1.1/2.0
- WebSocket
- FTP/S
- XML
- IPv4/IPv6
Authentication & Authorization
- LDAP/RADIUS/local user database
- SAML 2.0
- Client certificates
- Single Sign-On
- Azure AD
- RSA SecurID
- SMS Passcode
- Kerberos v5
- Multi-Domain support
DDoS Protection
- Inegration with Barracuda NextGen Firewall to block malicious IPs
- Barracuda IP Reputation Database
- Heuristic Fingerprinting
- CAPTCHA challenges
- Slow Client protection
- ToR exit nodes
- Barracuda blacklist
SIEM Integrations
- HPE ArcSight
- RSA enVision
- Splunk
- Symantec
- Microsoft Azure Event Hub
- Custom
Application Delivery & Acceleration
- High availability
- SSL offloading
- Load balancing
- Content routing
XML Firewall
- XML DOS protection
- Schema/WSDL enforcement
- WS-I conformance checks
Logging, Monitoring & Reporting
- Barracuda IP Reputation Database
- Heuristic Fingerprinting
- CAPTCHA challenges
- Slow Client protection
Support Options
Instant Replacement Service
- Replacement unit shipped next business day
- 24x7 technical support
- Hardware refresh every four years
Hardware Options
- FIPS 140-2 HSM Model Available
- Optional Ethernet Bypass
Management Features
- Customizable role-based administration
- Vulnerability scanner integration
- Trusted host exception
- Rest API
- Custom Templates
- Interactive and scheduled Reports
Views:
Front Panel
The following figure illustrates the Barracuda Web Application Firewall power and disk activity indicator lights for models 860:
Rear Panel Ports and Connectors - Ethernet Interface
The following figure illustrates the Barracuda Web Application Firewall rear panel ports and connectors for models 860:
- WAN Port
- LAN Port
- Management Port
- Unused Network Port
- VGA Display (console)
- Unused Printer Port
- Serial Port
- Unused USB Port
- Unused USB Port
- Not Connected
- Keyboard
- Mouse
- Redundant Power Supply
- Redundant Power Supply
Rear Panel Ports and Connectors - Fiber Interface
The following figure illustrates the Barracuda Web Application Firewall rear panel ports and connectors for models 860:
- Fiber WAN Port
- Fiber LAN Port
- Unused Network Port
- Management Port
- VGA Display (console)
- Unused Printer Port
- Serial Port
- Unused USB Port
- Unused USB Port
- Not Connected
- Keyboard
- Mouse
- Redundant Power Supply
- Redundant Power Supply
Deployment and Administration:
The Barracuda Web Application Firewall integrates security, scalability and application acceleration into a next generation Application Delivery Controller (ADC) platform for highly secure and scalable web applications. Its application-layer firewall protects web applications against existing and emerging Layer 7 threats such as Cross Site Scripting (XSS), SQL injections (SQLi) and Cross Site Request Forgery (CSRF). The integrated access control engine enables administrators to create granular access control policies for Authentication Authorization & Accounting (AAA) without having to change the application. The onboard L4/L7 Load Balancing capabilities enable organizations to quickly add backend servers to scale deployments as they grow. Its application acceleration capabilities like SSL Offloading, caching, compression, and connection pooling to ensure faster application delivery of the web application content.
Available in five models, the Barracuda Web Application Firewall can be used to securely deploy applications of any size.
Value Proposition | |
---|---|
Web Application Security
|
Application Delivery
|
Authentication, Authorization, Accounting (AAA)
|
Mature Product
|
Deployments
Standard Deployment Configuration: The Barracuda Web Application Firewall is designed to easily fit into any existing data center environment and to rapidly secure and accelerate new and existing Web applications. Barracuda Networks offers the most flexible array of Barracuda Web Application Firewall deployment options, including both Bridge-path and Route-path.
Bridge-path: Bridge-path, the recommended mode of implementation for most customers with existing Web application traffic, enables simple and fast deployment without requiring any IP address changes on either the front- or back-end Web servers or network devices. The bridge is transparent, so no user traffic is disrupted.
Route-path: Route-path provides the highest degree of protection for a Web application infrastructure by acting as a full reverse proxy for all Web application traffic. As a reverse proxy, Route-path allows only predefined traffic that adheres to security policies. Additionally, the reverse proxy controls the only route to the back-end network, so traffic cannot flow to any server unless specifically forwarded by the proxy. This is the most flexible deployment mode because it facilitates the content-based traffic management functions of the Barracuda Web Application Firewall.
One-Armed Proxy Deployment: Deploying the Barracuda Web Application Firewall in the One-Armed Proxy configuration requires the unit to be set up off a switch only from the WAN port. This configuration creates an additional route for traffic to reach the servers without disturbing the natural flow through the network. Only the traffic that needs to be monitored or secured is routed via the Barracuda Web Application Firewall. One-Armed Proxy as a deployment option is utilized during the initial phases when the administrators want to validate the solution without having to change network settings. Another scenario to use the One-Armed Proxy deployment is to utilize the load balancing feature of the appliance for HTTP/HTTPS traffic, while letting SMTP and other traffic go directly to the server.
Fault Tolerant Barracuda Web Application Firewall Environment: Some organizations may need only a single Barracuda Web Application Firewall. When inline in Bridge-path mode, the Barracuda Web Application Firewall’s Ethernet Hard Bypass ensures reliable application delivery. For Web applications with stringent security requirements, the Barracuda Web Application Firewall may be installed in a redundant pair configuration, providing real-time application state replication so that security and user sessions will not be compromised during a failover event.
Next Generation Application Delivery Platform
Flexible Deployment: The Barracuda Web Application Firewall offers multiple deployment options for maximum flexibility while ensuring complete security. Built ground up for full reverse proxy deployments, the Barracuda Web Application Firewall insures maximum security and application acceleration in the industry accepted best practice for secure application deployment. In addition to reverse proxy, the appliance can be deployed in one-armed proxy or bridge modes. An inbuilt FIPS 140-2 Level 2 HSM model provides regulatory compliance in the strictest environments.
IPv6/IPv4 Capable: The Barracuda Web Applications Firewall is IPv6 ready, offering easy integration into IPv6 or mixed IPv4/IPv6 environments. This gives organizations the flexibility to use the Barracuda Web Application Firewall as an IPv6 gateway while keeping it internal servers on IPv4 until it is ready for full end-to-end IPv6 networks.
Comprehensive security: The Barracuda Web Application Firewall provides unparalleled application security to help organizations secure critical web assets. The security capabilities of the Barracuda Web Application Firewall are further augmented by an extensive network of more than 150,000 sensors that are deployed worldwide and feed into Barracuda Labs. The sensors provide valuable data to the security research team to build new security definitions and automatically update Barracuda Web Application Firewalls in the field.
Centralized control with Barracuda Control Center: The Barracuda Control Center is the centralized management platform for all Barracuda Networks products. The Barracuda Control Center acts as the centralized policy decision point, while the Barracuda Web Application Firewall acts as the policy enforcement point. The Barracuda Control Center also enables administrators to have an aggregated view of the distributed network via a centralized console. This console can provide aggregated reporting based on data from all of the enforcement endpoints.
Application-Layer Security
Input validation: Lack of proper input validation is one of the prime culprits in Layer 7 security vulnerabilities. The Barracuda Web Application Firewall decrypts all encrypted traffic and normalizes inputs to ensure that all data is inspected and validated against known attack patterns before sending to the backend servers. Protocol Validation allows administrators to enforce protocol versions or verbs for HTTP, HTTPS, FTP or FTPS.
Cloaking: The Barracuda Web Application Firewall cloaking capability strips out all server related information such as server headers and server banners. Denying information about the server infrastructure restricts the attacker's ability to tune their attacks based on the type of web servers, Operating System, or databases being used.
Session Tampering Protection: Most applications use cookies or hidden, read-only parameters for application session state and other sensitive information. The Barracuda Web Application Firewall can encrypt or sign these tokens to prevent third party impersonation attacks.
Session Riding and Clickjacking Protection: Third party sites can employ malicious JavaScript that exploits the servers trust with the user's browser. The Barracuda Web Application Firewall blocks such attacks by generating unique tokens or injection anti-UI redressing measures to prevent malicious JavaScript from attacks like Session Riding or Clickjacking.
Anti-virus and malware protection: Web applications that allow files to be uploaded can also utilize the built-in anti-virus and anti-malware scanner to ensure that infected files are not uploaded to the web application.
Layer 7 DDoS Protection: Distributed Denial of Service attacks (DDoS) attacks have moved to the application layer as they provide higher impact compared to network layer DDoS. Due to its complete visibility into application layer constructs, the Barracuda Web Application Firewall can intelligently fingerprint and throttle these attacks and ensure that the protected web applications continue to service genuine users.
Brute Force protection: The Barracuda Web Application Firewall tracks user access to restricted resources and blocks clients if the server does not accept the supplied credentials. Additional rate controlling mechanisms in the Barracuda Web Application Firewall provide additional layer of security against brute force attempts.
XML / Web Services protection: Service Oriented Architectures (SOA) with web services is used to build large, distributed and scalable applications. These applications, along with many Web 2.0 based applications, use XML for transferring data between servers and between clients and servers. The XML Firewall built into the Barracuda Web Application Firewall enforces structure on web services and XML data interchange using WSDL and XML Schema provides protection against XML attacks.
Data Loss Protection: In addition to inbound content inspection, the Barracuda Web Application Firewall also offers outbound content inspection for Data Loss Prevention. The Barracuda Web Application Firewall prevents data leakage by either masking or blocking responses containing sensitive information such as credit card numbers or any other custom data patterns.
Access Control
Authentication: The Barracuda Web Application Firewall integrates with any user database using LDAP or RADIUS to authenticate a user's credentials before granting access to the secured resources. This allows administrators to add an authentication layer or to offload an existing application authentication policy to the Barracuda Web Application Firewall.
Authorization: Authenticated users can be granted different access privileges by applying access control rules. These privileges can be based on a user's accounts or on the group to which the user belongs.
Two-factor authentication: Password-based security can be augmented by using client certificates or security tokens. The Barracuda Web Application Firewall integrates with RSA SecurID and client certificates to provide this extended layer of security.
Single Sign On (SSO): For a group of applications that need client authentication before granting access, single sign on is used to provide clients with one seamless authentication system, whereby the client logs in once and their identity is propagated to all applications in the group. The Barracuda Web Application Firewall integrates with CA SiteMinder to enable administrators to build a single sign on portal for all of their web applications.
Scaling the Application Infrastructure
The Barracuda Web Application Firewall provides significant capabilities that enable organizations to scale their application deployment infrastructure.
Load balancing: The built-in load balancing module distributes incoming traffic across the available servers using one of many available algorithms, such as Weighted Round Robin or Least Connections. Availability of multiple servers is monitored with the help of an integrated application monitoring module. Traffic can be distributed at Layer 4 or at Layer 7.
Layer 7 content routing: The Barracuda Web Application Firewall provides enormous flexibility while deploying large applications in which each application module can be deployed on multiple servers. Requested content such as the URL of the module, HTTP Headers and parameters, is used to route content to the correct set of servers.
SSL offloading: Web servers hosting HTTPS websites require a significant amount of processing power in handling SSL encryption / decryption. The Barracuda Web Application Firewall provides SSL offloading capabilities, thereby freeing up the processing power of the servers and making them more efficient.
Instant SSL: Using the Instant SSL capability of the Barracuda Web Application Firewall, deployment teams can convert their HTTP based applications to HTTPS without having to touch the application code.
Rate control: The Barracuda Web Application Firewall can control the number of application sessions being created and/or how many times a client can access a given resource. These measures, in conjunction with other rate control techniques such as client queuing, protect web applications from application-level denial of service (DoS) attacks.
Accelerating application delivery
Caching: The Barracuda Web Application Firewall speeds up application response time by caching static content and using it to respond to repeated requests for the same content. Caching rules can be tuned based on URL space, file size or file type.
Compression: The integrated compression engine in the Barracuda Web Application Firewall compresses data as it is sent out to the client. This capability is extremely useful in low bandwidth situations and makes application delivery faster.
Protocol tuning: The Barracuda Web Application firewall employs multiple techniques such as connection-pooling and TCP multiplexing to optimize protocol performance. Connection pooling techniques enable Barracuda Web Application Firewall to cut down the overhead associated with creating and terminating connections, thereby cutting the time it takes to respond to client requests.
Barracuda Web Application Firewall Core Technologies:
Hardened OSBased on the Linux open source kernel, which has stood up to the scrutiny of security researchers over time, the Barracuda Web Application Firewall operating system is hardened for maximum security and stability. In addition to internal testing, Barracuda Networks credits the "white hat" research community who continually work with security vendors to uncover and resolve potential vulnerabilities in both the Linux operating system and its associated utilities. While the vast majority of Barracuda Web Application Firewall technology is proprietary, Barracuda Networks does leverage secure and functional open source alternatives whenever possible. |
|
SecurityBarracuda Labs maintains a large network of proxy honey pots to gather information about botnets and emerging web threats worldwide. In addition, customers of other Barracuda Networks products can "opt-in" to report threat data to create a large and distributed data collection network. The data collected from this global network of sensors is applied to tune security policies and also to track and secure against evolving attacks. |
|
Granular ControlStarting with baseline security, the Barracuda Web Application Firewall allows administrators to tune the configuration settings at different levels of granularity. The administrators can configure rules that affect the entire application, a section of the application or even a specific URL. These granular rules can be created utilizing the extremely flexible content matching algorithms with an extensive list of security controls. |
|
Logging and ReportingThe Barracuda Web Application Firewall's extensive logging and reporting capability empowers administrators and web application teams to tune and secure their web applications. The built in reporting engine provides summarized reports on various aspects of the deployments such as traffic statistics, attack reports and compliance related reports. The logs can be exported out to external logging systems and are completely documented to ease the integration with available SIEM products. |
|
Adaptive ProfilingThe built-in profiling engine continuously evaluates traffic passing through the Barracuda Web Application Firewall. The profiler can create a complete application profile consisting of all URLs, forms and parameters to ensure a comprehensive positive security model. In addition, the Barracuda Web Application Firewall also profiles traffic violations triggered by the configured rule set and uses the heuristics-driven exception profiling engine to create recommendations for tuning the existing rule set. This heuristics-driven model creates a very tight feedback mechanism for tuning security policies. |
|
Role-Based AdministrationBarracuda Web Application Firewall management tasks can be delegated with rolebased administration. The system ships with multiple built-in roles such as administrator, auditor, network manager and application manager. These roles can be customized or others can be added to meet the requirements of the organization. |
FAQ:
What does the Barracuda Web Application Firewall do?
The Barracuda Web Application Firewall protects your Web site from attackers leveraging protocol or application vulnerabilities to instigate unauthorized access, data theft, denial of service (DoS), or defacement of your Web site.
The Barracuda Web Application Firewall provides complete protection of Web applications and is designed to enforce policies for both internal and external data security standards, such as the Payment Card Industry Data Security Standard (PCI DSS). At the same time, the Barracuda Web Application Firewall features a number of traffic management capabilities designed to improve the performance, scalability and manageability of today’s most demanding data center infrastructures.
Why do I need a Web Application firewall?
Businesses of all sizes that operate their own Web applications should deploy a powerful Web site firewall to protect their Web sites from application vulnerabilities.
Traditionally, security has been considered a network issue, where system administrators lock down host computers through a network firewall. While a typical network firewall can help restrict traffic to HTTP and HTTPS, this traffic can contain command exploits leveraging vulnerabilities in the Web application itself. Without the Barracuda Web Site Firewall acting as an application firewall, a hacker’s attack can result in unauthorized access, data leakage, site defacement and/or other attacks that compromise both the privacy and integrity of vital data.
What are the major capabilities and benefits of the Barracuda Web Application Firewall?
The major capabilities and benefits of the Barracuda Web Application Firewall include:
Comprehensive Web Site Protection: The Barracuda Web Application Firewall proxies all Web traffic, providing complete protection in front of your Web sites. Web site protection capabilities include: HTTP protocol compliance, protection against common/high-visibility attacks, protection against attacks based on session state, online form field validation, outbound data theft protection, Web site cloaking, anti-Web crawling and application denial of service (DoS) protection, as well as fine-grain controls.
Application Access Control: The Barracuda Web Application Firewall provides PKI support to provide certificate verification and prevents cookie tampering to ensure hidden or read-only form fields are not changed by the user.
Application Delivery and Acceleration: In addition to the security and access control benefits of Barracuda Web Application Firewall, there are also additional operational capabilities. Capabilities include SSL offloading, SSL acceleration, load balancing and high availability.
Logging, Monitoring and Reporting: The Barracuda Web Application Firewall features advanced capabilities to provide immediate feedback to operations teams that deploy, manage and secure mission critical applications. Besides a system log, Web firewall log, traditional Web log and audit log, the Barracuda Web Application Firewall also provides specific reports relevant to PCI compliance.
How does the Barracuda Web Application Firewall detect and mitigate threats?
The Barracuda Web Application Firewall provide award-winning protection from all common attacks on Web applications, including SQL injections, cross-site scripting attacks, session tampering and buffer overflows. As a full proxy, the Barracuda Web Application Firewall provides comprehensive inbound and outbound protection. By inspecting request traffic, the Barracuda Web Application Firewall can block inbound attacks and cloak Web sites from hackers, while response traffic inspection prevents sensitive data leakage, such as credit card or Social Security numbers.
In addition, the Barracuda Web Application Firewall secures applications from unauthorized user access a full PKI integration for use with client certificates.
Can the Barracuda Web Application Firewall help my company comply with the Payment Card Industry Data Security Standard (PCI DSS)?
Yes, the Barracuda Web Application Firewall assists organizations that store, process and/or transmit credit card numbers to comply with the Payment Card Industry - Data Security Standard (PCI DSS) requirements.
As major credit card companies are increasing pressure on merchants to comply with the PCI DSS, many e-commerce businesses are seeking solutions to meet requirement 6.6 of PCI DSS calling for either detailed custom application code reviews or installation of a Web Application Firewall by June 30, 2008. Failure to comply with these security standards may result in fines, restrictions or permanent expulsion from card acceptance programs. Through multiple advanced features, the Barracuda Web Application Firewall can help organizations easily become PCI DSS compliant. Click here for additional information.
What logging, monitoring and reporting features are available with the Barracuda Web Application Firewall?
Logging monitoring and reporting capabilities of Barracuda Web Application Firewall include:
Comprehensive logging. The Barracuda Web Application Firewall maintains a rich set of logs on the appliance, including system activity, Web Firewall activity, Web services activity, network firewall activity and traditional Web logs.
PCI reports. The Barracuda Web Application Firewall provides a quick snapshot of application attacks defined in the PCI DSS Section 6.5, including unvalidated input, broken access control, cross-site scripting and so on.
Syslog support. The Barracuda Web Site Firewall forwards logs to a syslog server for centralized and persistent storage or analysis by a third party tool.
Will the Barracuda Web Application Firewall fit into my existing network environment?
Yes, the Barracuda Web Application Firewall is designed to easily fit into any existing data center environment and to rapidly secure and accelerate new and existing Web applications. Barracuda Networks offers the most flexible array of Barracuda Web Application Firewall deployment options, including both Bridge-path and Route-path.
How do I know which Barracuda Web Application Firewall model is best suited to my needs?
A regional Barracuda Networks sales representative can evaluate your network environment and Web usage needs to help determine which model(s) is the best fit for your company.
How does the Barracuda Web Application Firewall protect against Denial of Service attacks?
Multiple security capabilities such as Rate Control, Brute Force Protection, Slow Client Attack Prevention and Client IP reputation are integrated into the Barracuda Web Application Firewall to provide protection against Denial of Service attacks.
What if I have more questions or want to see an online demo of the Web Application Firewall?
For answers to additional questions, please contact us.
Documentation:
Download the Barracuda Web Application Firewall Data Sheet (.PDF)
Download the Barracuda Web Application Firewall Hardware Data Sheet (.PDF)
Download the Barracuda Web Application Firewall Technology Data Sheet (.PDF)
Pricing Notes:
- Please Note: Energize Updates and Instant Replacement Subscriptions need to be maintained for every Barracuda Product. All subscriptions are continuous and must start from the date of activation. Renewals purchases are continuous and start from the date of expiration of your current subscriptions. No exceptions.
- Benefitis of Energize Updates:
- Basic Support, which includes email support 24x7 and phone support between the hours of 9 a.m. and 5 p.m. Monday through Friday in the US (Pacific Time), Japan, China, Austria and the United Kingdom time zones.
- Firmware Maintenance which includes new firmware updates with feature enhancements and bug fixes.
- Security Updates to patch or repair any security vulnerabilities.
- Optional participation in the Barracuda Early Release Firmware program.
- Benefits of Instant Replacement:
- Enhanced Support which provides phone and email support 24x7.
- Data migration service for Barracuda Spam & Virus Firewalls. Barracuda Networks will assist movement of data and configuration from the old product to the new product if the old data is accessible.
- Data recovery service for Barracuda Backup Servers. In the event of a disaster and upon request, Barracuda Networks will preload the most recent data and configuration stored by Barracuda Networks to the new product (note this may take additional time).
- Hard Disk replacement on Barracuda Networks models that have swappable raid drives. Barracuda Networks will ship via standard shipping a hard disk replacement. Customer must return the failed hard disk to Barracuda Networks.