Barracuda Networks CloudGen Firewall SAC Editions Overview:
Properly managing enterprise networks is critical to key business operations as more businesses adopt Internet of Things. As these networks grow larger and more complex, it’s important to implement robust security and performance of endpoint devices. Barracuda Cloud Generation Firewalls are an essential tool for optimizing the performance, security and availability of today's dispersed enterprise WANs.
CloudGen Firewall F-Series for Internet of Things
Properly managing enterprise networks is critical to key business operations as more businesses adopt Internet of Things and machine-to-machine communications. As these networks grow larger and more complex, it’s important to implement robust security and performance of endpoint devices. The Barracuda CloudGen Firewall F-Series is an essential tool for optimizing the performance, security and availability of today's dispersed enterprise WANs.
The Barracuda NextGen F-Series offers large-scale remote access capabilities. It enables the ever-growing number of IoT devices and micro-networks to securely connect to the central or distributed corporate datacenter.
Components for a F-Series deployment are:
- Secure Connector (SC) appliances (hardware only)
- Secure Access Concentrator (SAC) (virtual, Azure)
- NextGen Control Center (hardware, virtual, Azure)
In such a scenario, a large number of small Secure Connector (SC) appliances connect via TINA VPN to their regional Secure Access Concentrator (SAC). The SAC forwards the management traffic to the NextGen Control Center. Corporate policies such as Application Control, URL Filtering, and Virus Scanning are handled either directly on the SAC or forwarded to the border firewall. The configuration and lifecycle management for all SCs and their SACs are handled by one central NextGen Control Center. The Control Center can manage multiple Secure Access Concentrators, allowing you to scale up the network at will.
Easily Scales to the Tens of Thousands of Remote Locations
The encrypted connection between the SC1 appliance and the Secure Access Connector is established with the Barracuda Networks proprietary enhanced IPsec protocol TINA, which is more resilient and provides greater performance than most competitive VPN solutions no loss to security. Every Secure Access Connector can thus maintain an encrypted connection to thousands of remote SC1 appliances while literally dozens of Secure Access Connectors can be managed remotely by the Barracuda NextGen Control Center.
To deploy Barracuda NextGen F-Series appliances to an even wider variety of use cases and remote locations, the SC1 appliance comes with your choice of uplinks and automated failover in case one uplink fails. Besides the typical wired uplinks using DHCP or static IP, the integrated wireless Access Point functionality can be reversed to access the WAN via existing wireless networks. For even greater deployment flexibility, the SC1 is available with an optional 3G modem.
CloudGen Firewall Security Levels
While the device itself is not designed to perform advanced functions like Application Detection, IPS, Anti-Virus or URL Filtering on the box itself, such actions can easily be performed centrally at the larger office or datacenter where the devices connect to the Secure Access Connector. Full next-generation protection is available as moderately priced options for unlimited users per Secure Access Connector gateway deployed. Advanced Threat Detection (ATD) via sandboxing and detonation in the cloud is also available.
Central Management
Managing configurations of security appliances can be a complicated and time-consuming task. To ease administrators’ lives, the F-Series uses a new template-based configuration. Templates can be created at the various organizational levels supported by the NextGen Control Center. Once a template is changed, all SC1 appliances linked to this template are automatically updated within seconds.
Deploying to many locations often results in a complex routing setup. Each remote network needs to be properly defined and routed from the datacenter. The F-Series can also take care of these tasks by assigning defined subnets automatically to SC1 appliances and keeping track of required routing paths.
And - of course - you can manage F-Series and F-Series deployment in the same NextGen Control Center.
Quickly Deployed by Untrained Staff
To make the installation and setup process as efficient as possible, the SC1 appliances can be shipped directly to the intended remote location without the need for specialized IT personnel to be present on-site. The central IT department can quickly create a configuration file via the Barracuda NextGen Control Center, send it to the site (e.g., via email), and have the configuration file copied by drag-and-drop onto the SC1 appliance. After rebooting the SC1, the configuration file is processed and the setup process concluded – your SC1 is ready to go!
The Barracuda Advantage
- Quick rollout
- Comprehensive reporting
- Highly scalable
- Fully compatible with Microsoft Azure
Product Spotlight
- Powerful next-generation network firewall
- Advanced Threat Detection
- Built-in web security and IDS/IPS
- Full application visibility and granular controls
- Centralized management of all functionalities
- Template-based and role-based configuration
- Available for VMware, XenServer, KVM, Hyper-V, and Microsoft Azure
|
Securing the Internet of Things
Barracuda Cloud Generation Firewalls are designed and built from the ground up to provide comprehensive, nextgeneration security while being simple to deploy and maintain, and highly scalable. Need to connect microoffices, point of sales and machine-to-machine business? With Barracuda Cloud Generation Firewalls you're all set! |
|
Easy to Setup and Maintain: Secure Connector
The Barracuda Secure Connector is a hardware appliance purpose-built to be an on-premises connectivity device that ensures high-performance and tamper-proof VPN connections to protect the data flow and, thus, guarantee data continuity. |
|
Machine Access Security Broker
The Secure Access Controller acts as the connectivity and security enforcement hub for the data stream. The Secure Access Controller provides full next-generation firewall functionality and can be run on VMware, Hyper-V, XenServer, or KVM environments as well as directly in Microsoft Azure, Amazon Web Services, and Google Cloud Platform. |
|
Grows with your needs
Integration within the Barracuda Firewall Control Center architecture ensures that your deployment can grow with your needs without technical or financial trapdoors. The template-based configuration ensures easy rollout of additional devices and maintain compliance. |
Benefits:
Simplifying Machine-to-Machine Connectivity
The F-Series is designed for companies that need to securely and cost-effectively connect large numbers of remote devices like Automated Teller Machines (ATMs), point-of-sale kiosks, wind power stations, networked industrial machines or even very small offices. Managing and protecting network traffic among these remote machines is often a logistical nightmare involving managing many different firewalls, VPN software and routing steps.
The S Series consists of a small Secure Connector appliance (SC1) that connects each remote device with multiple uplinks and even an automated failover in case one uplink fails. The SC1 provides zone-based firewalling, Wi-Fi and full VPN connectivity for the connected device. The network traffic is then backhauled to a Secure Access Concentrator running at a central office or in the cloud for inspection and other resource-intensive security tasks such as URL filtering, intrusion prevention (IPS), anti-virus protection and application detection.
Flexible Deployment Options
In order to be able to deploy Barracuda CloudGen Firewall F-Series even to a wide variety of use cases and remote locations the SC1 appliance comes with a choice of uplinks and even automated failover in case one uplink fails. Besides the typical wired uplinks using DHCP or Static IP, the integrated wireless Access Point functionality can be reversed to access the WAN via existing wireless networks. For even more deployment flexibility the SC1 is even available with an optional 3G modem. |
Easy and Affordable Scalability to Thousands of Devices
Instead of having all F-Series appliances establish a VPN connection to the primary Firewall/VPN gateway and potentially bog down corporate traffic Barracuda designed the Secure Access Concentrator (SAC). The Secure Access Connector is "stackable" and optimized to handle VPN tunnel termination, routing and offload Application enforcement, intrusion protection (IPS) and Content Security tasks for thousands of remote locations.
Once connected to a SAC, all S Series components can be centrally managed via the NextGen Control Center. Administrators can easily manage traffic routing and security policies for tens of thousands of devices from a single control panel. In addition, features like template based management and automated network setup simplify the connection of remote devices so that even very large scale deployments can be managed by a few administrators. |
Full Next Generation Security Levels
The encrypted connection between the SC1 appliance and the Secure Access Connector (SAC) is established with the Barracuda Networks proprietary enhanced IPsec protocol called TINA, which is more resilient and performant than most competitive VPN solutions without giving up on any security aspects. Every SAC can maintain an encrypted connection to thousands of remote SC1 appliances, while literally dozens of Secure Access Connectors can be remote controlled by the Barracuda NextGen Control Center.
Full next generation protection is available at customer-friendly priced options for unlimited users per Secure Access Connector gateway deployed. Advanced Threat Detection via sandboxing and detonation in the cloud is available. |
Features:
Next Generation Security
Secure Connector 1 (SC1)
The SC1 is a secure connectivity device providing zone-based firewalling, Wi-Fi, and full VPN connectivity for connecting large number of remote devices or micro offices and centrally backhauling all network traffic.
While the device does not perform advanced functions like application detection, IPS, antivirus, or URL filtering on the box itself this can still be done centrally at the Secure Access Concentrators, larger offices, headquarters, or datacenter where the devices connect to.
TINA VPN
Due to the limitations that come with standard IPsec connections, Barracuda Networks has created several powerful extensions to standard IPsec tunnel management. This core of the Barracuda F-Series VPN engine is called TINA (Transport Independent Network Architecture). The TINA protocol allows the use of TCP, UDP, and ESP for high speed VPN connections, which improves the VPN connectivity substantially by adding:
- Endpoint-to-Endpoint (not network-to-network) connectivity
- NAT friendliness
- Multiple physical transport paths for a logical tunnel
- HTTPS and SOCKS4/5 proxy compatibility
- Dynamic Address Support
- Tunnel heartbeat monitoring
Advanced Threat Detection
While traditional solutions usually detect network threats after they have breached the network by sending log notifications to the administrator, the Barracuda Advanced Threat Detection (ATD) implements full system emulation, providing deep visibility into malware behavior. Files are checked against a cryptographic hash database that is constantly updated. In case the file is unknown, it is emulated in a virtual sandbox where malicious behavior can be discovered.
The Barracuda ATD offers Administrators granular, file-type-based control including automatic quarantine and blacklisting features to maintain the highest level of protection for an organizations network.
The Barracuda Advanced Threat Detection is an optional subscription.
Intrusion Detection and Protection
The Intrusion Detection and Prevention System (IDS/IPS) of the F-Series strongly enhances network security by providing complete and comprehensive real-time network protection against a broad range of network threats, vulnerabilities, exploits, and exposures in operating systems, applications, and databases preventing network attacks such as:
- SQL injections and arbitrary code executions
- Access control attempts and privilege escalations
- Cross-Site Scripting and buffer overflows
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Directory traversal and probing and scanning attempts
- Backdoor attacks, Trojans, rootkits, viruses, worms, and spyware
Barracuda CloudGen Firewall F-Series Secure Access Concentrators provides advanced attack and threat protection features such as:
- Stream segmentation and packet anomaly protection
- TCP split handshake protection
- IP and RPC defragmentation
- FTP evasion protection
- URL and HTML decoding
As a result, the Barracuda CloudGen Firewall F-Series is able to identify and block advanced evasion attempts and obfuscation techniques that are used by attackers to circumvent and trick traditional intrusion prevention systems.
As part of the Barracuda Energize Updates subscription, automatic signature updates are delivered on a regular schedule or on an emergency basis to ensure that the Barracuda CloudGen Firewall F-Series is constantly up-to-date. If the firewall unit is centrally managed, the updates are conveniently distributed by the Barracuda F-Series Control Center.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) Protection
In todays world of omnipresent botnets, one of the main tasks of perimeter protection is to ensure ongoing availability of the network for legitimate requests and to detect and repel malicious denial of service attacks. With TCP SYN Flood Protection, the Barracuda CloudGen Firewall F-Series effectively functions as a generic TCP proxy, forwarding only legitimate TCP traffic to the inside of the network.
Additionally, the Secure Access Concentrator allows the definition of a rate limit that is applied to the maximum number of sessions per source address to be handled by the firewall. Packets arriving at a rate faster than allowed will simply be dropped. In a massive DDoS attack, the attackers may simply aim for saturating the link by transmitting vast numbers of UDP packets.
The integrated environmental monitoring feature of the Barracuda CloudGen Firewall F-Series diagnoses such conditions by link and target address monitoring. Once the response of a remote target address to regular ICMP probing fails, the system can be configured to activate different routes and uplinks (for example backup line, ISDN, xDSL). Using this feature, traffic will be unimpeded across unaffected lines and crucial site-to-site and site-to-Internet connectivity remains operational.
Web Filtering
Configuring and maintaining configurations of security appliances can be a complicated and time-consuming task. To ease administrators lifes, the F-Series uses a new template based editor, called SCA Editor. Templates can be created at the various organizational levels supported by the respective NextGen Control Center version (Global, range or cluster level). Once a template is changed all SC1 appliances linked to this template are automatically updated within seconds.
Network Performance
Application Control 2.0
The Barracuda CloudGen Firewall F-Series provides powerful and extremely reliable detection and classification of thousands of applications and sub-applications by combining Deep Packet Inspection (DPI) and behavioral traffic analysis no matter if the protocols are using advanced obfuscation, port hopping techniques, or encryption. It allows the creation of dynamic policies and facilitates establishing and enforcing access and use policies for users and groups by application, application category, location, and time of day. Administrators can now:
- Block unwanted applications for certain users or groups
- Control and throttle acceptable traffic
- Preserve bandwidth and speed-up business-critical applications to ensure business continuity
- Enable or disable specific application sub-functions (e.g., Facebook Chat, YouTube Postings, or MSN file transfers)
- Intercept SSL-encrypted application traffic
The Barracuda CloudGen Firewall F-Series features advanced application-based routing path selection and Quality of Service (QoS) capabilities. These provide additional business value in addition to security by significantly improving network quality and availability, as well as reducing direct line cost due to bandwidth saved.
For rich reporting and drill-down capabilities, the F-Series comes with real-time and historical application visibility that shows application traffic on the corporate network, thus providing a basis for deciding which connections should be given bandwidth prioritization, crucial to QoS optimization for business-critical applications. Furthermore, it allows adjusting and refining the corporate application use policies.
Traffic Shaping and Quality of Service
Limited network resources make bandwidth prioritization a necessity. The Barracuda CloudGen Firewall F-Series provides strong Quality of Service (QoS) that lets the administrator apply quality aspects and service guarantees to selected traffic flows within the WAN. QoS is often used to prioritize the network traffic of applications that are critical and must not be affected by the network traffic of other applications.
Failover and Link Balancing
To ensure the best and most cost-efficient connectivity, the Barracuda CloudGen Firewall F-Series Secure Access Connector provides a wide range of built-in uplink options such as unlimited leased lines, up to four xDSL uplinks, etc. By eliminating the need to purchase additional devices for link balancing, security-conscious customers will have access to a WAN connection that never goes down, even if one or two of the existing WAN uplinks are severed.
Traffic intelligence mechanisms make sure the next defined uplink is activated on the fly and all traffic is rerouted to make full use of the remaining lines. In the event that backup lines provide less bandwidth, intelligent traffic shaping automatically prioritizes business-critical applications, networks, or distinct endpoints.
Scalability
Secure Access Concentrator (SAC)
The SAC is a virtual deployed gateway designed especially for terminating the encrypted traffic the SC1 appliances provide as well as providing the more advanced security functions like application control, antivirus, IPS and URL filtering.
To ensure scalability to the thousands, multiple SACs can be integrated and managed by a NextGen Control Center. Separating the workload of management and traffic handling is another factor that enables us to handle tens of thousands of remote devices.
Microsoft Azure
As organizations have adopted virtualization for their server infrastructures, there has been a corresponding trend to extend the benefits of virtualization to the security layer.
Barracudas award-winning security solutions are available as virtual appliances to help organizations in Microsoft Azure for establishing site-to-site and/or client-to-site connections to Azure and creating a DMZ in Azure to implement an additional high-security layer. For Barracuda CloudGen Firewall F-Series, the NextGen Control Center as well as the Secure Access Concentrator can be deployed as virtual images in the Azure cloud.
Ease of Management
Rapid Deployment
To make the installation and setup process as efficient as possible the SC1 appliances can be shipped directly to the intended remote location without the need for specialized IT personnel to be present on-site. The central IT department can quickly create a configuration file via the Barracuda NextGen Control Center through the included configuration wizard.
Once the configuration file is on site (e.g. via email) an employee or technician connects the SC1 to a workstation or laptop and copies the configuration-file by drag and drop onto the SC1 mass-storage (attached via USB-OTG port). After rebooting the SC1, the configuration file is processed and the setup process concluded the SC1 is ready.
Automatic Network Setup
Deploying to many locations often results in a complex routing setup. Each remote network behind an SC1 needs to be defined and routed to properly from the datacenter. The Automatic Network Setup automates the process of creating a new SC1 configuration file. You can define a single large network that is automatically partitioned into smaller subnets which then in turn are automatically assigned to the SC1 appliances. The Secure Access Connectors are updated with all needed routing paths.
Barracuda NextGen Control Center
Managing the security issues in a widely distributed network can be painful and extremely time-consuming. Managing a system may take only 15 minutes per day, but having 20 security devices in place results in five hours per day just to manage the existing system. With the Barracuda NextGen Control Center, managing multiple Barracuda CloudGen Firewall F-Series takes the same amount of time as managing one.
- Create pre-configured templates for easy-rollout.
- Have all information about the security deployment available in real time.
- Create reports of either one or all Barracuda CloudGen Firewall F-Series.
Personalized Application Control
On top of the thousands of applications that are delivered out of the box and constantly updated, the Barracuda CloudGen Firewall F-Series provides a way to easily create user-defined application definitions for best-in-class application control customized and tailored to an organizations specific needs.
User Identity Awareness
Different network users may need different bandwidth-use rules. Most often, access to certain network resources is limited to certain users or user groups. Preferential allocation of more bandwidth to certain users or user groups and a limitation of available bandwidth for others is a common requirement. It requires the network device to know what user an IP actually belongs to.
NextGen Report Creator
The Barracuda NextGen Report Creator is a free tool that allows administrators to collect and consolidate traffic and application usage statistics from multiple Barracuda CloudGen Firewall F-Series Secure Access Concentrator units and to create easy-to-read reports in PDF format. Report tasks can be scheduled at various times during the day or week and distributed automatically via email.
Besides predefined out-of-the-box reports such as Top Applications, Top Blocked URL Categories and Websites, Top Users by Bandwidth, as well as activity reports for specific users, the reporting engine provides customizable granular reports on user activity, activities during last day/week/month, etc.
Revision Control System, Audit and Reporting
The integrated revision control system increases auditing ease for the infrastructure and cuts overhead. Additionally, the revision control system for all changes provides compliance with governmental and company policy requirements. Comprehensive reporting makes bandwidth usage and all other security-related information visible, reportable and easy to read.
Specifications:
SAC Editions1 |
SAC400 |
SAC610 |
SAC820 |
Number of Protected IPs |
unlimited |
unlimited |
unlimited |
Allowed Cores |
2 |
4 |
8 |
Max. number of VPN Connections |
500 |
1,200 |
2,500 |
Firewall & VPN Throughput |
1 Gbit/s |
2 Gbit/s |
4 Gbit/s |
Firewall |
|
|
|
Application Control2 |
|
|
|
IPS2 |
|
|
|
Dynamic Routing |
|
|
|
VPN3 |
|
|
|
SSL Interception |
|
|
|
Web Filter |
|
|
|
Malware Protection4 |
Optional |
Optional |
Optional |
Advanced Threat Detection4,5 |
Optional |
Optional |
Optional |
1 The Barracuda CloudGen Firewall F-Series SAC virtual image covers all editions.
2 Requires a valid Energize Updates subscription.
3 Barracuda CloudGen Firewall F-Series SAC editions include as many VPN licenses as the number of protected IPs. VPN clients with an active connection to the Barracuda CloudGen Firewall F-Series SAC are counted towards the protected IP limits.
4 Including FTP, mail and Web protocols.
5 Requires a valid Malware Protection subscription.
Technical Specs
Firewall
- Stateful packet inspection and forwarding
- Full user-identity awareness
- Intrusion Detection and
Prevention System (IDS/IPS)
- Application control and granular application enforcement
- Interception and decryption of SSL/ TLS encrypted applications
- Antivirus and web filtering in single pass mode
- SafeSearch enforcement
- YouTube for Schools support
- Denial of Service protection (DoS/DDoS)
- Spoofing and flooding protection
- ARP spoofing and trashing protection
- DNS reputation filtering
- TCP stream reassembly
- NAT (SNAT, DNAT), PAT
- Dynamic rules / timer triggers
- Single object-oriented rule-set for routing, bridging, and routed bridging
- Virtual rule test environment
Hypervisor and Public Support (for SAC and NextGen Control Center)
- VMware
- Hyper-V
- XenServer
- KVM
- Microsoft Azure
Intrusion Detection & Prevention
- Protection against exploits, threats and vulnerabilities
- Packet anomaly and fragmentation protection
- Advanced anti-evasion and obfuscation techniques
- Automatic signature updates
Advanced Threat Detection
- Dynamic, on-demand analysis of malware programs (sandboxing)
- Dynamic analysis of documents with embedded exploits (PDF, Office, etc.)
- Detailed forensics for both malware binaries and web threats (exploits)
- Support for multiple operating systems (Windows, Android, etc.)
- Flexible malware analysis in the cloud
VPN
- Secure site-to-site
- Supports AES-128/256, 3DES, DES, Blowfish, CAST, null ciphers
High Availability
- Active-passive
- Transparent failover without session loss
- Network notification of failover
- Encrypted HA communication
Central Management Options
- Barracuda NextGen Control Center
– Unlimited SACs and SC1s
– Support for multi-tenancy
– Multi-administrator support & RCS
Protocol Support
- IPv4
- BGP/OSPF/RIP
- VoIP (H.323, SIP, SCCP [skinny])
- RPC protocols (ONC-RPC, DCE-RPC)
- 802.1q VLAN
Support Options
Barracuda Energize Updates
- Standard technical support
- Firmware updates
- IPS signature updates
- Application control definition updates
- Online web filter
Security Options
- Advanced Threat Detection
- Malware Protection
CloudGen Firewall Technology:
Secure Your Networks Perimeter
Barracuda CloudGen Firewall S provides several layers to protect an organization’s IoT network
Intrusion Detection and Prevention
The built-in Intrusion Detection and Prevention System (IDS/IPS) strongly enhances network security by providing complete and comprehensive real-time network protection for your operating systems, applications, and databases against a broad range of threats and attacks.
By providing advanced attack and threat protection features such as stream segmentation and packet anomaly protection, TCP split handshake protection, IP and RPC defragmentation, FTP evasion protection, as well as URL and HTML decoding, the Secure Access Concentrator (SAC) can identify and block advanced evasion attempts and obfuscation techniques used by attackers to circumvent and trick traditional intrusion prevention systems.
As part of Barracuda’s Energize Updates subscription, automatic signature updates are delivered on a regular schedule or on an emergency basis to ensure that the SAC is constantly up-to-date. If the firewall unit is centrally managed, the pattern updates are conveniently distributed by the Barracuda NextGen Control Center.
Malware Protection
The optional Malware Protection shields your internal network from malicious content by scanning web / email content and file transfers via two fully integrated antivirus engines. Malware Protection is based on regular signature updates as well as advanced heuristics to detect malware or other potentially unwanted programs even before signatures are available.
The Malware Protection covers viruses, worms, trojans, malicious java applets, and programs using known exploits on, for example, PDFs, pictures and office documents, macro viruses, even when using stealth or morphing techniques for obfuscation.
Advanced Threat Detection
Barracuda’s Advanced Threat Detection (ATD) uses next-generation sandbox technology powered by full-system emulation to catch not only persistent threats and zero-day exploits, but also advanced malware designed to evade detection. Files are forwarded to a cloud-based sandbox environment, where they are executed and analyzed to identify suspicious and malicious behavior.
Barracuda ensures flexible and simple deployment with your existing network infrastructure—no additional hardware is required since resourceintensive sandboxing is offloaded to the cloud. The cloud database is continuously updated by all SACs with enabled ATD. Processing of already known files is thereby speeded up.
The administrator has full policy control over how PDF documents, Microsoft Office files, EXEs/MSIs/DLLs, Android APKs, compressed files, and archives are emulated and delivered to the client. Based on identified malware activity, infected users can be automatically quarantined, thus preventing the malware from spreading within the network.
Customizable, on-demand analysis reports for any emulated file provide full insight and details on malicious activities, file behavior, system-registry entries, and evasion and obfuscation techniques. This also enables network activities, such as establishing encrypted connections to Botnet Command and Control Centers for increased security posture, to evade scaled botnet attacks.
Web Filtering
The web filtering options for the SAC enable highly granular, real-time visibility into online activity, broken down by individual users and applications. Administrators can thus easily create and enforce effective Internet content and access policies. Web filtering protects user productivity, blocks malware downloads and other web-based threats, and enables compliance by blocking access to unwanted websites and servers, thereby providing an important additional layer of security alongside application control.
Controlling Application Usage
Mobile devices, online applications, social networks, and streaming media have caused an enormous increase in nonbusiness network data traffic, pushing bandwidth capacities to their limits and causing degradation in performance of business-critical applications.
The Barracuda CloudGen Firewall F-Series gives administrators granular control over applications, allowing them to define rules for forwarding data traffic using the best respective transmission channels based on type of application, user, content, time of day, and geographical location.
Block unwanted applications, control acceptable traffic, and ensure business continuity
Application Control
The Barracuda CloudGen Firewall family provides powerful and extremely reliable detection and classification of thousands of applications and sub-applications by combining Deep Packet Inspection (DPI) and behavioral traffic analysis – no matter if the protocols are using advanced obfuscation, port hopping techniques, or encryption. It allows the creation of dynamic application policies and facilitates the establishment and enforcement of acceptable access and use policies for users and groups by application, application category, location, and time of day. Barracuda CloudGen Firewalls combine application control with seamless integration of authentication schemes like Active Directory, RADIUS, or LDAP/S. As a result, administrators are always on top of what users are doing to on the organization’s network. Barracuda CloudGen Firewalls feature advanced application-based routing path selection and Quality of Service (QoS) capabilities. These provide additional business value and security by significantly improving network quality and availability, and by reducing direct line cost due to saved bandwidth.
For rich reporting and drill-down capabilities, Barracuda CloudGen Firewalls come with real-time and historical application visibility that shows application traffic on the corporate network, thus providing a basis for deciding which connections should be given bandwidth prioritization, which is crucial to QoS optimization for business-critical applications. Furthermore, it lets admins adjust and refine corporate application use policies.
Personalized Application Control
On top of thousands of applications that are delivered out of the box and constantly updated, Barracuda CloudGen Firewalls provide a way to easily create user-defined application definitions for best-in-class application control customized and tailored to an organization’s specific needs.
Application-Based Provider Selection
The combination of next-generation security and adaptive WAN routing lets Barracuda CloudGen Firewalls dynamically assign available bandwidth for several links not only based on protocol, user, location, and content, but also based on applications, application categories, and web filter categories. This keeps expensive, highly available lines free for business and mission-critical applications, while significantly reducing response times and freeing up additional bandwidth.
Deep Application Context
The deep application context analysis allows for a more thorough inspection of the application data stream by continually evaluating the actual intention of applications and the respective users. By this means, administrators can gain detailed insight into what a specific application was used for, or if a user was trying to circumvent the corporate application usage policy.
User Identity Awareness & Control
Barracuda CloudGen Firewalls support the authentication of users and enforcement of user-aware firewall rules, web filter settings, and application control by seamlessly integrating with Microsoft Active Directory.
- Microsoft and Citrix terminal service environments
- Microsoft Active Directory
- NTLM
- RADIUS
- RSA SecurID
- LDAP/LDAPS
- TACACS+
- and more..
Application Risk and Usage Report
The Application Usage and Risk Report is a predefined report in the Barracuda Report Creator tool providing automated reports and risk analysis based on the network traffic that is traversing the network. It provides an overview on how effective the currently deployed technologies are in detecting and enforcing the corporate application usage policies and recommends what should be taken into account when redefining these policies. The report creation can be started manually (on-demand) or scheduled (including automated email distribution). And - of course - this report is fully customizable to comply with possible branding requirements.
Central Management across the IoT
To centralize management across an IoT network and organization networks, the Barracuda NextGen Control Center lets administrators manage and configure security, content, traffic management, and network access policies from a single interface. Template-based configuration and globally available security objects enable efficient configuration across thousands of locations.
The Barracuda NextGen Control Center helps significantly reduce the cost associated with security management while providing extra functionality both centrally and locally at the managed gateway. Software patches and version upgrades are centrally controlled from within the management console, and deployment can be applied to all managed devices.
Highly customizable administrative roles can be defined to delegate administrative capabilities for specific departments or locations.
Scalable Deployment
Managing the security issues in a widely distributed enterprise network can be painful and extremely time consuming. Managing a system may take only 15 minutes per day. But having 20 systems in place results in five hours per day – just to manage the existing system.
With the Barracuda NextGen Control Center, managing multiple SACs takes the same amount of time as managing one.
- Create pre-configured templates for easy rollout.
- Have all information of the enterprise security deployment available in real time.
- Create reports for either one or all F-Series compounds.
Lifecycle Management
Scalable Barracuda CloudGen Firewall F-Series offer companies sustainable investment protection. Energize Updates automatically provide the latest firmware and threat definitions to keep the appliance up-to-date. With a maintained Instant Replacement subscription, organizations receive a new appliance with the latest specs every four years.
Barracuda CloudGen Firewall FAQ:
What is a Next Generation Firewall?
Next generation firewalls are the successors of traditional firewall and unified threat management (UTM) devices. Traditional firewalls generally perform packet forwarding and blocking functions and often incorporate packet inspection techniques. UTM devices usually add content security functions but typically fail to tightly integrate those functions tightly with network management, network access and WAN connectivity capabilities of enterprise-class firewalls.
To protect networks in the presence of social media and other Web 2.0 applications, a next generation firewall infrastructure intelligently combines network security, content security, Layer 7 application profiling and network access control to detect application-specific attacks, enforce application-aware inbound and outbound access policies, and perform application-aware traffic routing and prioritization across the wide area network (WAN).
Based on over a decade of R&D and real-world deployments in over 1,000 of the most demanding enterprise customer environments, the Barracuda CloudGen Firewall is the most advanced next generation firewall on the market today.
What is a Network Security Gateway?
Network security gateways are the successors of traditional firewalls, unified threat management (UTM) devices, and the latest cycle of "next-generation" firewalls. Traditional firewalls forward packets and block functions often employing packet inspection. UTM devices usually add content security functions. Next-generation firewalls add detection and control of social media and Web 2.0 applications, but typically fail to integrate these functions tightly with link management, WAN management, and SSL VPN remote connectivity.
In comparison, the Barracuda CloudGen Firewall, the first true network security gateway, starts by integrating an advanced network firewall with Layer 7 application recognition and user awareness, content security, malware protection, plus IPS in a suite of security technologies. It tightly integrates these features with intelligent network link aggregation and traffic management, VPN WAN management, and optimization for seamless remote office integration and SSL VPN for remote client security. As a network security gateway, the Barracuda CloudGen Firewall weaves a seamless fabric of security, performance optimization, high-availability, and centralized management into network infrastructures while simplifying network architecture.
Why do I need a Next Generation Firewall?
As you organization relies on more cloud-based applications like Office 365, Salesforce, and Dropbox, internet connectivity becomes even more important. Our Barracuda CloudGen Firewalls combine powerful application awareness and network routing capabilities to provide the highest levels of internet availability for users and critical applications.
What are the major capabilities of the Barracuda CloudGen Firewall?
The Barracuda CloudGen Firewall is a next generation firewall and VPN that provides:
- Integrated content security and network access control
- Optimization of intelligent traffic flow across the WAN
- Industry-leading centralized management capabilities
What are the differences among the F-Series, S Series and X-Series firewalls?
The Barracuda CloudGen Firewall F-Series is designed for network engineers who manage distributed enterprise environments. It provides all the security functionality one expects from an enterprise next-generation firewall, including application detection and prioritization, IPS, malware protection, URL filter and even DDoS protection. Furthermore, its powerful traffic optimization features, extremely resilient site-to-site connectivity capabilities, and extensive logging and auditing tools make the F-series an ideal fit for organizations that need to efficiently manage and scale massive firewall deployments.
The Barracuda CloudGen Firewall F-Series provides remote connectivity in an affordable and easy to deploy solution. It is designed from the ground up to support Internet of Things initiatives where thousands of remote devices need to be connected to a headquarters or data center. The SC appliances are managed via a NextGen Control Center, and security features like IPS, application detection etc. are provided at the Secure Access Concentrator where the VPN for each SC appliance terminates.
The Barracuda CloudGen Firewall X-Series is ideal for small to medium-sized organizations looking for a simple, yet powerful next-generation firewall that provides IPS, application detection, URL filter, malware protection and some basic email security. Designed for the resource-constrained IT professional, the X-Series’ intuitive web interface has a low learning curve while providing and easy-to-use management interface.
How do I know if I should get the X-Series or F-Series?
If you only have a few locations to manage (e.g., between one and three) and are looking for a firewall that is application aware and easy to use with a Web UI, then the X-Series firewall is ideal for you.
If you have a lot of remote locations to manage, secure and connect (e.g., more than three) and need a solution to seamlessly manage, protect and optimize your network, the F-Series firewall is right for you.
If you have to securely connect large numbers of devices to backhaul traffic to your HQ or data center, want to centrally administer the deployment and stay scalable, then the F-Series is the perfect choice for you.
Can I centrally manage multiple firewalls from one place?
Yes, all the Barracuda CloudGen Firewall Series—X, F, and S—can be centrally managed from a single pane of glass. The F and F-Series utilize the Barracuda NextGen Control Center to manage massive firewall deployments. The NextGen Control Center is available in physical, virtual and cloud form factors depending on your infrastructure requirements. The X-Series firewall can be centrally managed from Barracuda Cloud Control, which is the same web-based portal that IT administrators use to control their other Barracuda products.
What is the difference in terms of deployment between the F, S and X-Series firewalls?
The Barracuda CloudGen Firewall F-Series can easily be deployed as "standalone" and provides great value this way, but its full potential and cost savings is unleashed when it’s centrally managed using a NextGen Control Center.
The F-Series firewall cannot be deployed as standalone, but needs one or multiple Secure Access Concentrators for VPN tunnel termination and a NextGen Control Center for central management. The Web UI on the SC appliances is only intended for initial setup.
The Barracuda CloudGen Firewall X-Series is designed to be used as standalone, and can optionally (at no extra charge) be connected to the Barracuda Cloud Control portal for convenient remote management.
What level of support can I expect to receive from Barracuda?
Regardless of whether you’re using the X-Series or F-Series firewalls, you can expect the same level of award-winning support from Barracuda’s expertly trained technicians. Barracuda offers 24x7 support with no phone trees, ensuring that you will always speak to an in-region technician who is ready to help.
Does the Barracuda CloudGen Firewall help my organization troubleshoot network problems?
All Barracuda NG Control Center and Barracuda CloudGen Firewall appliances come with extensive network connectivity troubleshooting and visualization tools. Even for large networks it typically only takes a few mouse clicks to analyze and remediate a problem in the central audit log or access cache screen.
What is included in the Energize Updates subscription for the Barracuda CloudGen Firewall?
Energize Updates from Barracuda Central deliver updates on the extensive library of definitions for intrusion prevention and Layer 7 application profiling. In addition, Energize Updates subscriptions also provide access to Basic Support, Firmware Maintenance and optional participation in the Barracuda Early Release Firmware program
What if I have more questions about the Barracuda CloudGen Firewall?
For additional assistance or for a product demonstration of the Barracuda CloudGen Firewall, please contact us.