Barracuda CloudGen Firewall

While traditional solutions usually detect network threats after they have breached the network by sending log notifications to the administrator, Barracuda Advanced Threat Protection (ATP) implements full system emulation, providing deep visibility into malware behavior. Files are checked against a cryptographic hash database that is constantly updated. In case the file is unknown, it is emulated in a virtual sandbox where malicious behavior can be discovered.

Barracuda ATP offers Administrators granular, file-type-based control including automatic quarantine and block-listing features to maintain the highest level of protection for an organization’s network.

Barracuda Advanced Threat Protection is an optional subscription.

Botnet and Spyware Protection guards against botnet infections by blocking access to malicious sites and servers, and detects potentially infected clients based on DNS Sinkholing technology. DNS Sinkholing blocks clients from accessing malicious domains by monitoring outbound DNS requests passing through the firewall. DNS requests to malicious domains are redirected to an internal sinkhole, thereby preventing data exfiltration and identifying the victim. Once an infected client is detected, it can be isolated automatically. An alert can also be created or reported by Barracuda Firewall Report Creator.

The Intrusion Detection and Prevention System (IDS/IPS) of Barracuda CloudGen Firewall strongly enhances network protection by providing complete and comprehensive real-time network protection against a broad range of network threats, vulnerabilities, exploits, and exposures in operating systems, applications, and databases preventing network attacks such as:

• SQL injections and arbitrary code executions
• Access control attempts and privilege escalations
• Cross-Site Scripting and buffer overflow
• Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
• Directory traversal and probing and scanning attempts
• Backdoor attacks, Trojans, rootkits, viruses, worms, and spyware

Barracuda CloudGen Firewall provides advanced attack and threat protection features such as:

• Stream segmentation and packet anomaly protection
• TCP split handshake protection
• IP and RPC defragmentation
• FTP evasion protection
• URL and HTML decoding

As a result, Barracuda CloudGen Firewall is able to identify and block advanced evasion attempts and obfuscation techniques that are used by attackers to circumvent and trick traditional intrusion prevention systems.

As part of Barracuda Energize Updates subscription, automatic signature updates are delivered on a regular schedule or on an emergency basis to ensure that Barracuda CloudGen Firewall is constantly up-to-date. If the firewall unit is centrally managed, the updates are conveniently distributed by Barracuda Firewall Control Center.

In today’s world of omnipresent botnets, one of the main tasks of perimeter protection is to ensure ongoing availability of the network for legitimate requests and to detect and repel malicious denial of service attacks. With TCP SYN Flood Protection, Barracuda CloudGen Firewall effectively functions as a generic TCP proxy, forwarding only legitimate TCP traffic to the inside of the network.

Additionally, Barracuda CloudGen Firewall allows the definition of a rate limit that is applied to the maximum number of sessions per source address to be handled by the firewall. Packets arriving at a rate faster than allowed will simply be dropped. In a massive DDoS attack, the attackers may simply aim for saturating the link by transmitting vast numbers of UDP packets. The integrated environmental monitoring feature of Barracuda CloudGen Firewall diagnoses such conditions by link and target address monitoring. Once the response of a remote target address to regular ICMP probing fails, the system can be configured to activate different routes and uplinks (for example backup line, ISDN, xDSL). Using this feature, traffic will be unimpeded across unaffected lines and crucial site-to-site and site-to-Internet connectivity remains operational.

The Malware Protection built into Barracuda CloudGen Firewall shields the internal network from malicious content by scanning web content (HTTP and HTTPs), email (SMTP, POP3), and file transfers (FTP) via two fully integrated antivirus engines. Barracuda Malware protection is based on regular signature updates as well as advanced heuristics to detect malware or other potentially unwanted programs even before signatures are available. Barracuda Malware Protection covers viruses, worms, Trojans, malicious java applets, and programs using known exploits on PDF, picture and office documents, macro viruses, and many more, even when using stealth or morphing techniques for obfuscation.

All Barracuda CloudGen Firewall models can apply IPS, Virus Protection, Application Control, URL Filter and even Advanced Threat Protection to SSL encrypted web traffic using the standard ' trusted man-in-the-middle' approach. SSL Interception can be fine-tuned to exempt local networks, users/groups, URL Filter categories or custom defined domains from SSL Inspection.

Build layers of security around your data, devices, and users. Multiple security layers are necessary in order to provide the protection your organization needs. Barracuda XDR adds additional layers of protection for major attack surfaces such as email, endpoints, servers, firewalls, and cloud devices.

At the heart of every Barracuda CloudGen Firewall is a high performance stateful deep packet inspection engine examining the header as well as the data part of every passing packet. Malformed packets are disregarded, protecting the infrastructure behind the Barracuda device against network level attacks. Protocol compliant packages are then checked to match any of the defined firewall rules.

Once a data packet is opened up for inspection by the Firewall, all other security inspection mechanisms like IPS/IDS, anti-virus are also applied to the packet or stream of consecutive packets. Security inspection is done in single pas mode without the need to hand over to a separate proxy.

Multi-factor authentication (MFA) has become the standard for preventing unauthorized access to company critical information. Barracuda CloudGen Firewall supports and enforces multi factor authentication methods for protected resources, SSL-VPN as well as VPN connections. This makes the need for purchasing an additional multi-factor authentication or identity access management (IAM) solution obsolete.

Time-based one-time passwords (TOTP) are commonly used for two-factor authentication and is today the de-facto standard for multi factor authentication methods as used by cloud application providers. Every Barracuda CloudGen Firewall includes an advanced multi-factor authentication function using the TOTP algorithm to protect company critical resources as well as SSL-VPN and VPN connections from unauthorized use.

If Dynamic Bandwidth & Latency Detection indicates the measured bandwidth of an uplink is not sufficient to sustain the minimally required business critical traffic (e.g., VoIP), Barracuda CloudGen Firewall automatically shifts sessions for non-business critical traffic to secondary links to free up bandwidth for critical traffic.

Barracuda CloudGen Firewall uses dynamic bandwidth and latency detection to automatically balance existing sessions inside logical VPN tunnels across all available uplinks. This real-time balancing optimizes network efficiency and bandwidth usage at any given moment.

A unique combination of next-generation security and adaptive WAN routing technology allows Barracuda CloudGen Firewall to dynamically assign available bandwidth, uplink, and routing information based not only on protocol, user, location, and content, but also on applications, application categories, and even web content categories. This keeps expensive, highly available lines free for business- and mission-critical applications, while significantly reducing response times and freeing up additional bandwidth.

Barracuda CloudGen Firewall combines a comprehensive set of advanced security features with capabilities that support the Software-Defined Wide-Area Network (SD-WAN). SD-WAN capabilities allow CloudGen Firewalls to create secure pathways across both multiple WAN connections and multiple carriers, without the involvement of typical high-management overhead. Advanced load sharing lets you use multiple WAN connections simultaneously and distribute encrypted VPN tunnels across multiple WAN connections. Built-in compression, caching, and WAN optimization technologies significantly increase your available bandwidth. These capabilities reduce your need for expensive leased lines, consolidate multiple security functions into a single device, and create a unified management framework — all of which results in significant cost savings for your organization.

In order to achieve the best possible user experience across the Wide Area Network, all Barracuda CloudGen Firewall models pro-actively measure the available bandwidths and latency between VPN endpoints. The results are directly available to the firewall policy engine to select the best suitable uplink per application or disqualify an uplink if the bandwidth or latency fall outside of acceptable limits.

Barracuda CloudGen Firewall copies packets and sends them simultaneously through the selected primary and secondary VPN transports. Both packet streams are reassembled at the other end of the logical VPN tunnel. This significantly reduces packet loss for applications like VoIP or video streaming. It also provides instant failover — with no packets dropped — in case one VPN transport of a logical VPN tunnel goes down.

In order to achieve the best possible user experience across your WAN, all Barracuda CloudGen Firewall models are able to detect available bandwidths and latency between VPN endpoints in real time. The firewall policy engine is able to dynamically select the most suitable uplink for each application, or to disqualify an uplink if bandwidth or latency is outside defined limits. In addition, if the measured bandwidth of an uplink is not sufficient to sustain business-critical traffic (e.g., VoIP), the CloudGen Firewall automatically shifts sessions for non-critical traffic to secondary links, to free up high-quality bandwidth for critical traffic.

Due to the limitations that come with standard IPsec connections, Barracuda Networks has created several powerful extensions to standard IPsec tunnel management. This core of Barracuda Firewall VPN Engine is called TINA (Transport Independent Network Architecture). The TINA protocol allows the use of TCP, UDP, and ESP for high speed VPN connections, which improves the VPN connectivity substantially by adding:

• Endpoint-to-Endpoint (not network-to-network) connectivity
• NAT friendliness
• Multiple physical transport paths for a logical tunnel
• Multiple tunnels between two locations
• HTTPS and SOCKS4/5 proxy compatibility
• Dynamic Address Support
• Tunnel heartbeat monitoring

Create highly reliable and secure site-to-site connections between on-premises firewalls (both hardware and virtual appliances). Site-to-site connectivity also includes public cloud offerings like Amazon Web Services and Microsoft Azure. But it is not just about maintaining static site-to-site VPN tunnels. Having a hub-and-spoke VPN setup allows you to create tunnels automatically and on-demand between connected nodes in order to avoid the hub turning into a bottleneck. You thereby ensure low latency connections for VoIP applications, for example. As soon as the connection is no longer required, the VPN tunnel is automatically closed again. Administrators naturally have full real-time visibility into the dynamic mesh VPN setup.

To ensure unbeatable, cost-efficient connectivity, Barracuda CloudGen Firewall provides a wide range of built-in uplink options including unlimited leased lines, up to twelve DHCP uplinks, and up to four xDSL uplinks. By eliminating the need to purchase additional devices for link balancing, security-conscious customers have access to a WAN connection that never goes down, even if one or two of the existing WAN uplinks are severed. In addition, traffic intelligence mechanisms ensure that the next-defined uplink is activated on the fly and that all traffic is rerouted to make full use of the remaining lines. In the event that backup lines provide less bandwidth, intelligent traffic shaping automatically prioritizes business-critical applications, networks, or distinct endpoints.

Limited network resources make bandwidth prioritization a necessity. Barracuda CloudGen Firewall provides strong Quality of Service (QoS) that lets the administrator apply quality aspects and service guarantees to selected traffic flows within the WAN. QoS is often used to prioritize the network traffic of applications that are critical and must not be affected by the network traffic of other applications.

Barracuda CloudGen Firewall provides a large set of QoS techniques, such as traffic shaping, traffic prioritization, and bandwidth partitioning, which assigns a bandwidth limit to certain types of traffic. To select traffic for different priority classes, the available real-time traffic analysis can be used to identify whether network traffic was sent by business-critical applications or by potentially unwanted applications.