All rights reserved. Use of this product and this manual is subject to license. Information in this document is subject to change without notice.
Trademarks
Barracuda Web Site Firewall is a trademark of Barracuda Networks. All other brand and product names mentioned in this document are
registered trademarks or trademarks of their respective holders.
ii Barracuda Web Site Firewall Administrator’s Guide
Chapter 1
Introduction
This chapter provides an overview of the Barracuda Web Site Firewall and includes the following
topics:
• Overview on page 8
• Current Prevention Techniques on page 11
• Web Security Requirements on page 13
• Barracuda Web Site Firewall Purpose on page 15
• Features of Barracuda Web Site Firewall on page 17
Introduction 7
Overview
Methods of attack
Web-based applications offer organizations a rapid, cost-effective vehicle for deploying applications
to customers, partners, and employees. They also present an easy target for malicious hackers, putting
critical data and processes at significant risk from external attack. Current security methods were not
designed to address Web-based attacks. Every organization relying on Web applications must
consider how to protect itself against the constantly changing array of potential application-layer attacks.
There is a wide variety of known application and network layer attack methods. These methods fall
into a number of categories. The following table describes some of the common attack techniques.
The Protection column summarizes how a Barracuda Web Site Firewall can address these attack
methods.
Table 1.1: Protection against different methods of attack

Application Layer Attack Techniques

Cross-Site Scripting
  Description: Cross-site scripting takes advantage of a vulnerable Web site to attack clients who visit that Web site. The most frequent goal is to steal the credentials of users who visit the site.
  Protection: Protects against cross-site scripting vulnerabilities by inspecting application traffic and blocking all methods of inserting malicious scripts into URLs, headers, and forms.

SQL Injection
  Description: SQL injection allows commands to be executed directly against the database, allowing disclosure and modification of data in the database.
  Protection: Protects against all SQL injection vulnerabilities by inspecting application traffic and blocking all methods of inserting dangerous database commands into URLs, headers, and forms.

Command Injection
  Description: Operating system and platform commands can often be used to give attackers access to data and escalate privileges on back-end servers.
  Protection: Protects against all command injection vulnerabilities by inspecting application traffic and blocking all methods of inserting dangerous operating system and platform commands into URLs, headers, and forms.

Cookie/Session Poisoning
  Description: Cookies are often used to transmit sensitive credentials, and they can be modified to escalate access or assume another user's identity.
  Protection: Digitally encrypts, signs, and time-stamps cookies, protecting their content from tampering.

Parameter/Form Tampering
  Description: Parameters used in URLs, HTTP headers, and forms are often used to control and validate access to sensitive information.
  Protection: Protects against parameter tampering by using parameter profiles for all application parameters and allowing only user requests that match the legitimate profile.

Buffer Overflow
  Description: Attackers attempt to flood vulnerable back-end servers with excess requests. If successful, attackers can often execute commands directly on the compromised server.
  Protection: Automatically enforces legitimate buffer limits at the perimeter, ensuring that even vulnerable servers cannot be compromised.

Directory Traversal/Forceful Browsing
  Description: Allowing access outside of the defined application provides unintended information disclosure and/or modification.
  Protection: Prevents access to unpublished Web pages by using application profiles, blocking requests with path traversal metacharacters, and enforcing access to only those pages that the application was designed to expose.

Cryptographic Interception
  Description: Hackers seldom attempt to break strong encryption like SSL. Instead, they attack sensitive hand-off points where data is temporarily unprotected. The use of multiple devices for managing cryptography and encryption makes cryptographic interception far more likely.
  Protection: Has extensive SSL security capabilities and can ensure that no unencrypted traffic traverses the network in any circumstance. Combining all critical DMZ functionality into a single device also reduces the risk of exposure.

Cookie Snooping
  Description: Cookies are commonly used to transmit user credentials and are often encoded only with simple encoding methods like Base64. This can lead to disclosure of login credentials.
  Protection: Digitally encrypts, signs, and time-stamps cookies, protecting their content from tampering.

Log Tampering
  Description: Erasing and tampering with transaction logs allows an attacker to cover their tracks or alter Web transaction records.
  Protection: Centralizes the collection of all back-end server logs, then digitally signs and encrypts them to prevent tampering. As with all its features, secure logs can be generated on a per-application basis.

Error Message Interception
  Description: Information in error messages is often rich with site-specific information, allowing an attacker to learn private application architectures.
  Protection: The Website cloaking feature prevents unintended information disclosure from error messages.

Attack Obfuscation
  Description: Hackers frequently disguise attacks by encoding their requests with methods like URL encoding or Unicode.
  Protection: Fully decodes URL, Unicode, and polymorphic encoding before inspection.

Application Platform Exploits
  Description: Well-known exploits can often be addressed through a patch, but patching is not always timely.
  Protection: Allows for blocking of well-known attacks, effectively buying time for proper patch management.

Security Management Exploits
  Description: Sophisticated attackers may target security management systems in an attempt to modify or turn off security enforcement. (These could be either network or application layer.)
  Protection: Has all management functions securely firewalled from production traffic and is operated through dedicated, secure management channels.

Network Layer Attack Techniques

TCP Fragmentation
  Description: Fragmenting an attack into multiple TCP packets allows attacks to slip by devices that are inspecting only packets, and not inspecting the entire session.
  Protection: Performs both stateful and deep inspection throughout the entire session, incorporating packet and stream reassembly to search out attacks.

Denial of Service
  Description: There are a wide variety of methods used to flood critical applications and servers in an attempt to take them out of production.
  Protection: Includes full network-layer DoS protection through integrated techniques like SYN cookies and client-rate limiting.

Other Considerations
Many techniques to manage Web application security can have an adverse impact on performance and
availability. Adverse consequences can include the following:
• Significant performance degradation from intensive data analysis and processing
• Web site inaccessibility for legitimate users from misapplied rules
• Long and complex configuration procedures subject to a variety of observable and transparent
errors
• Processing bottlenecks from inefficient load balancing
• Availability risks from complex or unreliable failover (redundancy) procedures
10 Barracuda Web Site Firewall Administrator’s Guide
Current Prevention Techniques
Companies try to protect their Web applications with solutions designed to protect networks that were
optimized for client-server application delivery. Network firewalls, intrusion detection systems,
software development methodology, and patch management are woven together to create a complex
security system that is ineffective in stopping Web attacks.
Network Firewalls
The first generation network firewalls were designed to control access to network resources.
Administrators could create network Access Control Lists (ACLs) to allow or deny traffic based on
source and destination IP addresses and ports. Traditional network firewalls do not prevent Web
attacks, whether inside or outside the corporate firewall. They are incapable of inspecting, blocking,
modifying, deleting, or rewriting application HTTP content of requests and responses. To provide
access to mission-critical Web applications, port 80 is typically configured as either open or closed,
meaning anyone trying to access Web applications from the Internet may connect directly to Web and
application servers with virtually no security inspection and enforcement.
Stateful inspection firewalls represented a significant improvement in firewall technology. Today
they are widely deployed. These firewalls add stateful inspection to network layer ACLs. They track
the session state and verify that inbound packets match a previously allowed session. Stateful
inspection firewalls added the capability to prevent network-layer attacks with TCP anomaly and
attack signature methodologies. Many also perform IP defragmentation/assembly, detecting
problems and attacks distributed among multiple packets. However, stateful inspection firewalls
cannot detect many application-layer attacks. An attack hidden in a valid packet is still passed on to
the target application. Likewise, an attack encrypted or payload encoded in the data cannot be
detected at the firewall.
Intrusion Detection Systems
Network Intrusion Detection Systems (IDS) use signature-recognition to log and alert administrators
of potential threats. They are passive and do not block attacks or alert you of unknown attacks. The
bulk of the attack database is comprised of network layer attacks. Inherently, the pure signature
detection methods create a "false positive" problem that drains resources. In addition, they can be
bypassed with encryption, TCP fragmentation, and other evasion techniques.
Building Security into the Application
Security features can be written directly into an application, and many companies have used this
approach. However, securing applications directly is difficult and time consuming. According to a
U.S. Department of Defense study, on average there are up to 15 security defects in every 1000 lines
of code. Shortcuts, debug features, poor code, and insufficient documentation all increase security
risk. Developers are hard pressed to deliver feature functionality on time and in budget. Security can
become a second-level priority, which substantially increases security risk.
Patch Management
Security patch management is about applying software patches for known application vulnerabilities.
However, keeping up with the deluge of patches has become close to impossible. IT organizations
face two major choices: try to find and patch all known problems to close application security holes,
or patch only the most pressing ones and live with the risk of potential attack. In addition, security
patches cannot be deployed to prevent unknown vulnerabilities or threats. Patches also do not
eliminate vulnerabilities caused by administration or configuration errors.
Patching is problematic at best. For custom applications, the software developers must keep current
on advisories affecting libraries and code as well as best practices for application security, such as
validating input in forms and cookies. Couple this with the challenge of integrating multiple
platforms, Web servers, application servers, databases and legacy systems, and the scope of the
security problem becomes evident.
For commercial application software, IT organizations must rely on vendors to supply fixes, typically
as interim patches for known security problems. But aggressive patching as a strategy is costly, risky,
and sometimes ineffective. Companies can take up to six months to release a patch for a known
security problem. Patches that make it through the pipeline faster may not experience the thorough
testing that customers expect. Managing software patches alone is a huge task for complex data
centers, which must track and maintain critical patches from multiple vendors.
Web Security Requirements
Securing Web applications at the perimeter simplifies and centralizes security management,
significantly reducing the cost and effort. Perimeter security provides the following benefits:
• Limits changes to back-end servers and applications
• Reduces the need for continuous patch management
• Supports rapid, secure deployment of new applications
Establishing perimeter Web security requires that data packets be deeply inspected and that Web (as
well as network) firewalls be implemented.
Deep Inspection
A firewall capable of deep inspection is one that can look far enough into the packet to block attacks
at Layers 4-7 (as well as lower levels) of the OSI network model. A deep packet inspection firewall
performs all the tasks of a stateful inspection firewall (such as enforcing network-layer ACLs,
maintaining TCP session state, applying TCP attack prevention, and defragmenting and reassembling
packets) and the following four essential tasks:
• Decryption of application-layer information. Attacks can be disguised in URL-encoding,
Unicode, or SSL-encrypted data. Deep inspection firewalls can decrypt application-specific
protocols. SSL-encrypted data is the most notable. If the firewall cannot decrypt SSL on the fly,
then it leaves a wide opening to applications that are probably the most sensitive.
• Traffic normalization to a consistent, canonical format. A deep inspection firewall must be able
to normalize all traffic to a common, canonical encoding before performing a security string
match. In the HTTP world, this means decoding Unicode, UTF, or Hex to base text. Otherwise,
the firewall compares policies in different formats, and the security strings will not match.
Hackers can take advantage of firewalls that do not normalize traffic by disguising attacks with
different encoding formats.
• Application protocol conformance. Deep inspection firewalls have protocol conformance
detectors built on the TCP/IP protocol for specifications such as HTTP, SMTP, POP3, DNS,
IMAP, and FTP. Only RFC-compliant traffic should be allowed; at the minimum traffic is
manipulated to conform to a protocol.
• Bi-directional payload inspection. The firewall must be able to inspect, manipulate, and apply
policy on the payload of traffic flow to and from the Web servers, in both directions and
simultaneously on all portions of the packet, including HTTP headers, URLs, forms, and
message body.
Web Application Firewalls
Web application firewalls have both similar and unique components relative to traditional network
firewalls.
The major features of traditional firewalls (network ACLs and NAT) have counterparts in Web
application security: Web ACLs (WACLs) and Web Address Translation (WAT). In many ways you
can think of the URL as the IP address of the Web universe. You apply WACLs and WAT to URLs
much as you apply ACLs and NAT to an IP address. Just as a traditional firewall denies or allows
traffic based on connection tables or network ACLs, the Web application firewall denies or allows
traffic by comparing the results of its deep inspection with Web application ACLs.
The other two critical components of a Web application firewall are unique to the demands of Web
application security, that is, profiling application traffic for expected behavior and passive
monitoring. A Web data center is highly dynamic, with new applications, recoded software modules,
and patches constantly changing the landscape. Security professionals need tools and methods for
applying effective policies in such a dynamic environment. Dynamic application profiling and
passive monitoring extend an application firewall to assist in effective policy analysis and
implementation.
Barracuda Web Site Firewall Purpose
The Barracuda Web Site Firewall is designed to provide all the features necessary to implement a
high-speed Web application security perimeter. Figure 1.2 explains the detailed architecture of
Barracuda Web Site Firewall. The Barracuda Web Site Firewall combines all critical Web security
functionality into a single, high performance gateway, including a full-featured Web application
firewall specifically designed to protect the Web data center. The Barracuda Web Site Firewall
performs deep inspection of all Web traffic, enabling it to provide a wide range of intrusion
prevention capabilities at both the network and application layers.
The Barracuda Web Site Firewall can reside in-line behind an existing network firewall as shown in
Figure 1.1 or in other locations to protect the Web data center.
Figure 1.1: Standard Barracuda Web Site Firewall Deployment
The Barracuda Web Site Firewall's deep inspection capabilities enable it to examine application-layer
traffic and apply policies defined in ACLs to individual applications or entire groups of applications.
In addition, the Barracuda Web Site Firewall can analyze data in both directions, profile application
behavior to define an allowed normal behavior set, and passively monitor policies before putting them
into action. The Barracuda Web Site Firewall provides an extensive range of application security and
optimization features.
The Barracuda Web Site Firewall physically separates Web traffic from management operations by
providing separate ports for data (two on the front) and management (one on the back), ensuring that
administrators never have access to the Web traffic itself. When the Barracuda Web Site Firewall is
in operation, data traffic is never passed to the management system. An attacker cannot access the
management system, because it is effectively blocked from the data control and forwarding ports.
The Barracuda Web Site Firewall stores highly confidential information, such as keys and certificates,
on an internal disk drive that is fully encrypted.
Figure 1.2: Barracuda Web Site Firewall Architecture
Features of Barracuda Web Site Firewall
Barracuda Web Site Firewall supports features designed specifically to address the problems
discussed above. These features include the following:
Web Firewall
The Barracuda Web Site Firewall proactively protects Web applications by performing deep
inspection of all Web traffic, enabling it to provide a wide range of intrusion prevention capabilities.
The Barracuda Web Site Firewall supports application firewalls that can inspect and enforce security
policy at all layers.
At the application layer, the Barracuda Web Site Firewall proactively blocks attacks before they reach
the Web server, preventing malicious requests and embedded software code from ever reaching the
target application. The Barracuda Web Site Firewall defragments, normalizes, and decodes all
incoming requests; examines them for validity and correct formation; and only allows properly
formatted and RFC-compliant requests to pass through. Known patterns of malicious activity are
blocked and invalid input embedded in headers, forms, and URLs is stopped. The Barracuda Web Site
Firewall enforces Web address translation, request limits, URL normalization, and cookie security.
The Barracuda Web Site Firewall stops entire classes of attacks, both known and unknown, including
Day Zero attacks. It thwarts common Web hacking techniques such as cross site scripting, buffer
overflows, forceful browsing, and SQL injection.
Each Web firewall can be defined at a granular level. For example, consider a typical CGI script that
accepts a wide range of parameters in form fields such as transaction ID, account number, date, and
password. The password parameter might legitimately include special characters like an exclamation
mark (!) that in other situations could signal a metacharacter used to launch a malicious script. While
general ACLs could deny these metacharacters, a specific ACL for just the password parameter would
allow necessary special characters.
Load Balancing
The Barracuda Web Site Firewall has the capability to act as a stand-alone load balancer or in
conjunction with other load balancers. It can be situated in front of a set of servers and distribute
incoming traffic across the servers based on an algorithm.
The Barracuda Web Site Firewall includes the following load-balancing features:
• Sends traffic requests to a collection of servers according to a user-configured algorithm.
• Automatically identifies the status of a server for appropriate routing of traffic.
• Adds and removes servers without interrupting network traffic.
• Provides persistence support that allows a user to maintain connection integrity between a client
and a Web application.
• Provides redirect support that defines the HTTP redirect response when all servers in a server
group are deemed to be out of service.
Website Cloaking
Most successful Web attacks begin by probing a network for weaknesses. Readily available tools on
the Internet make it easy for potential intruders to scan a Web site for information about applications,
servers, and URLs. The Barracuda Web Site Firewall provides Website cloaking capabilities that
make enterprise Web resources invisible to hackers and worms scanning for vulnerabilities. The
Barracuda Web Site Firewall hides URL return codes, HTTP headers, and back-end IP addresses.
Because the Barracuda Web Site Firewall fully terminates all inbound and outbound TCP/IP sessions,
there is no direct access to Web servers, application servers, operating systems, or patches running on
the protected Web sites. With a Barracuda Web Site Firewall deployed in front of Web applications,
critical information that could be used to exploit vulnerabilities is completely inaccessible, making it
less likely that hackers or worms will be able to launch a successful attack.
Policy Recommendation Wizard
The Policy Wizard simplifies the manual work of resolving false positives (URLs and parameters
that should be allowed but are not). For each blocked request or response in the firewall logs, the
Policy Wizard recommends one or more actions that will stop the entry from being generated in the
future. If the recommended action is accepted for a log entry identified as a false positive, the Policy
Wizard applies the fix automatically, without the user having to locate and change the configuration
by hand. This greatly simplifies the administration and monitoring of the Barracuda Web Site
Firewall.
Security Policies
The Barracuda Web Site Firewall provides default security policies that define strict checks for a
Web site and its Web applications. Apart from these default policies, you can create customized
policies. Each policy is a collection of nine sub-policies, which protect against:
• HTTP protocol compliance
• SQL injection blocking
• OS command injection protection
• XSS protection
• Form/cookie tampering defense
• Denial of Service Protection
• Web site cloaking
Request Limits
Enforcing size limits on the HTTP request header fields prevents requests carrying malicious code
from passing. Requests with fields larger than the defined lengths are dropped. Properly configured
limits help mitigate buffer overflow exploits that lead to Denial of Service (DoS) attacks.
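As an added illustration of the request limits just described, the following Python function parses a raw HTTP request head and drops any request whose request line, header name, header value, or header count exceeds a configured limit, while also rejecting fields that are not well formed. This is example code, not the product's implementation; the limit names and values in LIMITS are constructed assumptions.

```python
import re

# Constructed limits standing in for the request-limit settings the guide
# describes; the names and values are assumptions, not the product's settings.
LIMITS = {
    "max_request_line": 512,     # bytes in "GET /path HTTP/1.1"
    "max_header_name": 64,
    "max_header_value": 1024,
    "max_header_count": 32,
    "max_head_total": 8192,      # request line plus all header fields
}

_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 token
_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")


def check_request_head(raw, limits=LIMITS):
    """Return (ok, reason). ok is True only when the request head is well formed
    and every field is within its size limit; reason names the first violation."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete request head"
    if len(head) > limits["max_head_total"]:
        return False, "request head exceeds total size limit"
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    if len(request_line) > limits["max_request_line"]:
        return False, "request line too long"
    if not _REQUEST_LINE.match(request_line):
        return False, "malformed request line"
    if len(header_lines) > limits["max_header_count"]:
        return False, "too many header fields"
    for line in header_lines:
        # A bare CR or LF inside a field means the client split lines differently
        # from how the back-end will; such requests are rejected outright.
        if b"\r" in line or b"\n" in line:
            return False, "bare CR or LF inside a header field"
        if line[:1] in (b" ", b"\t"):
            return False, "obsolete line folding is not accepted"
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name):
            return False, "malformed header field"
        label = name.decode("ascii", errors="replace")
        if len(name) > limits["max_header_name"]:
            return False, "header name too long: " + label
        if len(value.strip()) > limits["max_header_value"]:
            return False, "header value too long: " + label
    return True, "ok"
```

Checking the total head size before splitting keeps the parser itself from being the resource that is exhausted; the per-field checks then give the log a precise reason for each drop.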
Cookie Security
Cookie Security reduces cross-site scripting attacks by using HttpOnly cookies. It guarantees the
confidentiality of the cookie and prevents tampering with the cookie value. A shorter timeout interval
can be configured for cookies to help minimize the chances of cookie theft.
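The cookie signing and time-stamping described in the Cookie/Session Poisoning and Cookie Snooping rows of Table 1.1 and in the Cookie Security section above can be demonstrated with the following Python code. This is an added example, not the product's implementation: it wraps the back-end's cookie value in an HMAC-SHA256 tag and an issue time and rejects tampered or expired cookies. The secret and the 900-second lifetime are constructed assumptions, and the encryption step the guide also mentions is left out, so the value remains readable to the client.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing secret for the example; a real deployment keeps the key in
# the appliance's encrypted store, never in source.
SECRET = b"example-cookie-signing-key"
COOKIE_TTL = 900   # seconds; a short lifetime limits the value of a stolen cookie


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def protect_cookie(value, secret=SECRET, now=None):
    """Wrap a back-end cookie value with an issue time and an HMAC-SHA256 tag.
    Output format: <base64 payload>.<base64 tag>, payload = {"v": value, "t": issued}."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps({"v": value, "t": issued}, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_cookie(token, secret=SECRET, ttl=COOKIE_TTL, now=None):
    """Return the original value, or None when the tag is wrong, the token is
    malformed, or the cookie is older than ttl seconds."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    data = json.loads(payload)
    current = time.time() if now is None else now
    if current - data["t"] > ttl:
        return None
    return data["v"]
```

The timestamp is inside the signed payload, so an attacker cannot extend a cookie's life by editing it; the tag is checked before the payload is parsed, so malformed JSON never reaches the decoder.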
URL/ Parameter Protection
URL Protection settings protect the service against Web attacks in the absence of a URL profile.
Parameter Protection protects the service against attacks based on parameter values in the absence
of a parameter profile.
Data Theft Protection
Data Theft Protection identifies confidential personal or business information, such as social security
numbers, credit card information, and other privileged personal or corporate data, in responses sent by
the server and protects it against exposure.
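The two outbound filters described above, Website cloaking (hiding server headers and error details) and Data Theft Protection (masking sensitive values in server responses), are illustrated together by the following Python code. This is an added example, not the product's implementation; the list of cloaked headers, the generic error body, and the SSN and card-number patterns are constructed assumptions. Card numbers are masked only when they pass a Luhn check, so long but harmless numbers such as order IDs are left alone.

```python
import re

# Response headers that leak server or platform details (constructed list).
CLOAKED_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "via"}
# Generic body substituted for any error response so stack traces, paths and
# version banners never reach the client.
GENERIC_ERROR_BODY = "<html><body>The request could not be processed.</body></html>"

_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
_CARD = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")   # 13-16 digits, optional separators


def _luhn_ok(digits):
    """Luhn checksum, used to avoid masking arbitrary long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_sensitive(body):
    """Mask SSN-shaped values and Luhn-valid card numbers in a response body."""
    body = _SSN.sub("XXX-XX-XXXX", body)

    def _mask_card(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if _luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return match.group(0)

    return _CARD.sub(_mask_card, body)


def cloak_response(status, headers, body):
    """Strip identifying headers, replace error bodies, and mask sensitive data.
    Returns (status, headers, body) as the client would receive them."""
    kept = {k: v for k, v in headers.items() if k.lower() not in CLOAKED_HEADERS}
    if status >= 400:
        body = GENERIC_ERROR_BODY
    return status, kept, mask_sensitive(body)
```

Header names are compared case-insensitively because HTTP header names are, and the error-body substitution runs before masking so that the generic page is what gets scanned, not the original trace.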
URL Normalization
Barracuda Web Site Firewall normalizes all traffic into a standard or "canonical" form before
applying any security policy string matches. In the HTTP world, this means decoding Unicode, UTF,
or Hex to base text. Otherwise, hackers can disguise attacks within different encoding formats that the
firewall might not detect using a string match.
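The normalization step described here and in the Deep Inspection section of the Web Security Requirements (decoding URL encoding, Unicode and hex to base text before any string match) is illustrated by the following Python code. This is an added example, not the product's normalizer: it decodes IIS-style %uXXXX sequences, repeats percent-decoding until the text is stable to defeat double encoding, collapses "/./" and "//" in paths, and then shows that the same signature matches the decoded text but not the raw, encoded input. The three signatures are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed signatures; a real policy database is far larger.
SIGNATURES = [
    re.compile(r"<script\b", re.I),
    re.compile(r"\bunion\b.+\bselect\b", re.I | re.S),
    re.compile(r"\.\./"),
]
_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def canonicalize(raw, max_rounds=3):
    """Reduce a URL or parameter value to canonical text before matching:
    %uXXXX (IIS-style) to the character, '+' to space, %XX decoding repeated
    until stable (defeats double encoding), then '/./' and '//' collapsed."""
    text = raw
    for _ in range(max_rounds):
        decoded = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), text)
        decoded = unquote(decoded.replace("+", " "))
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\.(?=/)", "", text)   # drop "/." segments
    text = re.sub(r"/{2,}", "/", text)     # collapse repeated slashes
    return text


def match_signatures(raw, normalize=True):
    """Return the patterns triggered by the input, with or without normalization."""
    text = canonicalize(raw) if normalize else raw
    return [p.pattern for p in SIGNATURES if p.search(text)]
```

The bounded number of decoding rounds matters: an unbounded loop would let a client burn CPU with deeply nested encodings, while a single round would miss the double-encoded traversal in the second test case.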
Global ACLs
Global ACLs define strict access controls for a Web site and its services.
Action Policy
Action Policy specifies the action to be taken for a particular type of Web attack.
Passive Monitoring
Configuring a Web firewall can have unintended consequences. Applying inappropriate rules can
adversely impact current application behavior. Because of this, many administrators are hesitant to
enforce the highest levels of security. Passive monitoring is an essential feature for application
security, as it lets administrators test policies non-intrusively before putting them into action.
The Barracuda Web Site Firewall provides a passive mode where a rule’s effects can be observed
before the rule is actively applied. The administrator can then analyze the behavior to determine if the
policy is appropriate or has unintended consequences.
For example, for a new Barracuda Web Site Firewall implementation, an administrator can configure
ACLs with passive monitoring and then deploy the device in line. The Barracuda Web Site Firewall
then generates log events for traffic that would have been blocked. The device also supports passive
monitoring for specific ACLs, so administrators can test the effects of security policy changes without
affecting production traffic.
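The per-parameter profile described under Web Firewall (a password field that legitimately needs "!" while a general ACL denies that metacharacter elsewhere) and the passive monitoring described above can be demonstrated together by the following Python class. This is an added example, not the product's policy engine; the parameter names, character classes, and the general-ACL metacharacter list are constructed assumptions. In "active" mode a violation blocks the request; in "passive" mode the same violation is logged as "would block" and the request passes.

```python
import re

# Constructed parameter profile for the CGI script the text describes: each
# parameter gets the character class and length it legitimately needs.
PROFILE = {
    "txn_id":   r"[0-9]{1,12}",
    "account":  r"[0-9]{8,12}",
    "date":     r"\d{4}-\d{2}-\d{2}",
    "password": r"[A-Za-z0-9!@#$%^&*()_+=.-]{8,64}",   # '!' is legitimate here
}
# General ACL applied to any parameter that has no profile of its own.
GENERAL_DENY = re.compile(r"[<>'\";|`!]")


class ParameterFirewall:
    def __init__(self, profile, mode="active"):
        self.profile = {name: re.compile(p) for name, p in profile.items()}
        self.mode = mode        # "active" blocks; "passive" logs what would be blocked
        self.events = []        # log of violations, one entry per offending parameter

    def _violations(self, params):
        found = []
        for name, value in params.items():
            rule = self.profile.get(name)
            if rule is not None:
                # Profiled parameter: the whole value must match its profile.
                if not rule.fullmatch(value):
                    found.append((name, "value does not match parameter profile"))
            elif GENERAL_DENY.search(value):
                # Unprofiled parameter: fall back to the general metacharacter ACL.
                found.append((name, "metacharacter denied by general ACL"))
        return found

    def inspect(self, params):
        """Return True when the request may pass to the server. In passive mode
        violations are logged with action "would block" and the request still passes."""
        violations = self._violations(params)
        action = "blocked" if self.mode == "active" else "would block"
        for name, reason in violations:
            self.events.append({"param": name, "reason": reason, "action": action})
        return not violations or self.mode == "passive"
```

Running the same policy in passive mode first and reading the "would block" entries out of events is exactly the workflow the text describes: the administrator sees which legitimate requests the rule would have stopped before the rule is enforced.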
Custom Security per Application
The Barracuda Web Site Firewall allows administrators to manage multiple security zones from a
single gateway. Different applications can require varying sets of security policies. For example, a
business-to-business extranet application might require a Web firewall, encryption, authentication,
and detailed transaction logging, while an HR portal might only require encryption and moderate
logging. The Barracuda Web Site Firewall provides a single, consolidated way to manage security
customized to each application.
SSL Encryption
The Secure Sockets Layer (SSL) protocol provides an authenticated (public and private key pair),
secure (encrypted), and reliable (integrity check) connection. Many businesses rely on SSL
encryption to protect transactions from being compromised. Supporting SSL encryption can,
however, be an expensive and time consuming process.
The Barracuda Web Site Firewall lets enterprises easily encrypt entire Web sites using SSL. No
changes to back-end applications or servers are required. The Barracuda Web Site Firewall fully
terminates incoming HTTPS sessions and automatically transforms unencrypted URLs (HTTP) into
encrypted ones (HTTPS).
The Barracuda Web Site Firewall supports both SSL strengths: 40-bit and 128-bit encryption.
(Strength refers to the length of the session key that each encrypted transaction generates; longer keys
are considered more difficult to break.) The Barracuda Web Site Firewall also supports both the SSL
and the Transport Layer Security (TLS) protocols.
The Barracuda Web Site Firewall off-loads all SSL processing from the servers, freeing processing
resources and providing an instant performance boost for servers. Without SSL processing creating a
bottleneck, existing servers can better handle growing Web traffic. Customers experience faster
response times and the security of knowing that their transactions are safe from online eavesdropping.
Certificate Management
Barracuda Web Site Firewall allows users to upload PKI Objects to manage the encryption and
decryption process. This includes signed and intermediary certificates purchased from Certificate
Authorities.
Users can also generate and use self-signed certificates using Barracuda Web Site Firewall.
Performance
The top of the line Barracuda Web Site Firewall can handle up to 1 million simultaneous TCP sessions
and 4,000 full SSL sessions per second. None of this processor-intensive work is off-loaded to other
system servers, thus significantly reducing the performance cost of enhanced Web security.
The data ports come in either 10/100-Mb or 1-Gb speeds. You can deploy the Barracuda Web Site
Firewall in-line, in which one data port is for external (front-end) traffic with the Web while the other
is for internal (back-end) traffic with the Web servers, or one-armed, in which a single data port is
used for both internal and external traffic.
The Barracuda Web Site Firewall contains load balancing features and is designed to complement
existing traffic management devices. The Barracuda Web Site Firewall integrates critical reliability
services for security enforcement by clustering or load balancing multiple Web servers into a single
redundant system. It identifies failed applications and transparently places those servers in or out of
service.
High Availability
Two Barracuda Web Site Firewalls can be configured as a fault-tolerant cluster pair. In this
configuration each Barracuda Web Site Firewall manages its set of active services, but each also
functions as a redundant standby gateway for the services running on its partner. Should one of the
Barracuda Web Site Firewalls have a problem or go into single-user mode, the active services on that
gateway automatically move to the partner gateway. The active Barracuda Web Site Firewall
maintains the state information during a failover, so the sessions can continue even when a failover
occurs.
In most areas of the Barracuda Web Site Firewall, administrators can make dynamic configuration
changes without taking the system off-line. This allows you to add, modify, or delete services without
adversely affecting existing services.
Energize Updates
Once you install the Barracuda Web Site Firewall, your Energize Update and Instant Replacement
subscriptions are most likely active. However, it is important for you to verify the subscription status
so that your Barracuda Web Site Firewall can continue to receive the latest attack and security
definition files released by Barracuda Central. The Energize Update service is responsible for
downloading these updates to your Barracuda Web Site Firewall.
Logging and Reporting
The Barracuda Web Site Firewall uses the logging feature to record the occurrence of significant
events. These log messages are extensive and have filtering capabilities that ease searching. They can
be used to analyze traffic for suspicious activity and to fine-tune the Web firewall policies.
The Barracuda Web Site Firewall reporting feature helps system administrators in their day-to-day
security management and statistical analysis of the log messages. The reporting feature augments the
management capabilities available with the Barracuda Web Site Firewall. Using this module, reports
can be generated based on all the logged information.
Usability
The Barracuda Web Site Firewall includes a graphical user interface (GUI) for administering and
configuring the Barracuda Web Site Firewall. The GUI interface is designed to provide a consistent
look and feel across multiple tasks and to leverage standard interfaces that many users already know.
Ease of use is a very important feature in Web Site Firewalls, since the underlying technology and
related configuration can be complex. The Barracuda Web Site Firewall GUI has been specifically
designed to facilitate easy deployment and administration of the product for intermediate as well as
advanced users. For new users, the default security policies provide adequate protection out of
the box. Advanced users can use the advanced GUI screens to customize their security policies.
Chapter 2
Web Site Firewall Concepts
This chapter provides an overview of the Barracuda Web Site Firewall and includes the following
topics:
• Basic Terminology on page 24
• Service on page 26
• Trusted Host on page 27
• Web Site Security on page 28
• Load balancing on page 30
• High Availability on page 31
Basic Terminology
The following is a list of some of the terms used by the Barracuda Web Site Firewall. Understanding
these particular terms will aid in administering your Barracuda Web Site Firewall.
Table 2.1: Basic terminology

ACL: A network Access Control List (ACL) defines an IP firewall rule. The rules specify matching criteria for a packet and a corresponding action. If the packet matches the criteria, the configured action is applied.

Certificate: An encrypted digital statement that establishes the credentials of a user. It contains a public key and a variety of other identification information. A certificate is a secure object created based on a distinguished name (DN) and the key. A certificate can be created and stored locally on the Barracuda Web Site Firewall. It can also be obtained from a third-party company, then installed, loaded and stored locally.

Cookie Poisoning: HTTP is a stateless protocol, which means that it does not remember the connection status and contents of a session. Cookies are small files on the hard drive or in memory that maintain the state of a Web application. Cookies usually contain a session identifier (session ID), and they can contain user credentials such as the user ID and password. Cookie poisoning is an attempt to modify the data in the cookie, usually to assume another user's online identity.

Cross-site Scripting: Cross-site scripting (XSS) is a type of vulnerability typically found in Web applications that allows malicious Web users to inject code into the Web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same-origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.

Forceful Browsing: Forceful browsing is an attempt to access files and directories in a Web application without using the Web application to provide the links to the files and directories. An attacker who attempts a forceful browsing attack would see a directory such as http://someapp.com/guests/welcome.html and attempt to go to http://someapp.com/members/welcome.html. In this way, the attacker gains access to the members area of the Web site without supplying proper credentials.

Load Balancing: Load balancing distributes traffic to servers according to a specific algorithm. Load balancing is managed by the Barracuda Web Site Firewall on a per-application basis.

Private Key: A secret key in the asymmetric key pair, in the sole possession of a single owner. A private key is the secret portion of an encryption/decryption key pair. It should be known only to the person exchanging a secure transaction. A private key can be created and stored locally on a Barracuda Web Site Firewall.

SQL Injection: SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or is not strongly typed, and is thereby unexpectedly executed.

Server: This container represents the server properties. It contains all the parameters that are configurable for the server. This resource is created under a server group.

Service: A user-designed entry point for controlled access to the Web site. A service sets the front-end interface (VIP) and a variety of possible controls (such as SSL encryption, authentication, load balancing, and caching policies) for the Web site.

Signed Certificate: A signed certificate is a certificate obtained from a third-party CA organization.

SSL: Secure Sockets Layer. This is an encryption technology that provides secure Web traffic.

Syslog: This specifies the mechanism for storing log messages or events from various network elements.

TCP Session Hijacking: To hijack a TCP session, the attacker must be able to assume the identity of one end of the TCP session. (The Web [HTTP] uses TCP as its transport mechanism.) Usually the attacker spoofs the IP address of one end of the session, and can then send and receive as this new party in the conversation.

Trusted Certificate: A trusted certificate is a certificate sent from a CA. Including the CA's certificate as a trusted certificate implies that any entity that has a certificate signed by the CA will be authenticated for the SSL services that a Barracuda Web Site Firewall provides.

Virtual IP (VIP): The user-defined IP address (registered if it is used for Internet access) on which the Barracuda Web Site Firewall accepts traffic for a configured application. In a redundant configuration it is a virtual address that applies regardless of which Barracuda Web Site Firewall is managing the application at any given time.

Web Logs: These logs contain messages about actions that occurred on a customer's Web site protected by a Barracuda Web Site Firewall. While "Web logs" is a common industry term, in this context the term "Web application logs" is used to distinguish these logs from Web firewall logs.

Web Worms: Web worms are a special type of malicious code ("malware") that targets Web applications. A worm is an automated form of a virus that requires no user interaction to propagate. A Web worm uses port 80 (HTTP) or 443 (HTTPS) to target Web applications.
Service
A Service processes Web (HTTP and HTTPS) traffic between front-end clients and back-end Web servers. The service defines a transport layer access point. A front-end virtual IP (VIP) and port number identify the service. (The back-end interface is specified under the ADVANCED > Advanced IP Config page; see the Advanced IP Config help for more information.) The front-end and back-end parameters identify the external and internal interfaces for the service.
By default all services use 'default' as the Web Firewall Policy. Depending on your needs you can use one of the available Web Firewall policies or create a new policy specific to that service under the SECURITY POLICIES > Policy Manager page. These policies define the processing of HTTP requests destined to the IP address and port configured on the service.
Web Site Profiles
The structure of the Web Site is called the profile of the Web Site. Web Site Profiles are used to describe a Web Site. Profiles can be used to specify fine-grained security settings for individual URLs or form parameters.
URL Profiles are defined for each Web Site and provide security settings applicable at the defined URL. Form parameters can be secured by creating parameter profiles under the corresponding URL Profile.
The profile is distinct from the action, which is what happens when a request that does not conform to the profile is received. The combination of a profile and a set of action preferences determines how a non-conforming request is disposed of.
For example, a profile may describe a particular form URL with five parameters and specify each parameter's name. A request with four or six parameters is then treated as a violation of the profile. The action to be taken on different types of violations is not part of the profile; the action can be to deny the request, only log it, or just ignore it.
A Web Site profile is auto-generated when a new service is added to the Barracuda Web Site Firewall. If the parameter "Use Profile" is set to "Yes", then URL profiles and parameter profiles must be created for validating the requests coming for that service.
Server Monitors
The Server Monitor is the mechanism used by the Barracuda Web Site Firewall to detect the
availability of a downstream real server. It can be configured on a per server basis to use one of several
different methods to establish the availability of a real server.
Trusted Host
The Barracuda Web Site Firewall allows you to designate a Trusted Host, that is, to specify an IP
address for which authentication is not necessary. In this case, it is assumed that any request from that
address is from an allowed user, and all user requests from that IP address are exempted from
authentication.
Web Site Security
Protocol Checks
At a basic level, the Barracuda Web Site Firewall verifies that all inbound requests comply with the
HTTP specification. For example, only requests with version HTTP/1.0 or HTTP/1.1 are allowed;
requests with version HTTP/0.9 or lower are blocked automatically.
Request Limits
Message headers included in an HTTP request describe the contents of each message. However, the
request could include malicious code that a hacker added (injected) into a message header.
Enforcing size limits on the HTTP request header fields prevents such requests from passing:
requests that have fields larger than the defined lengths are dropped. Proper configuration of
limits helps mitigate buffer overflow exploits that lead to Denial of Service (DoS) attacks.
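As an added example (not the appliance's code), the two checks described above can be combined into one request-side validator: it accepts only HTTP/1.0 and HTTP/1.1 request lines and drops requests whose header fields exceed configured limits. The limit values and the sample requests are constructed for the demonstration and are not product defaults or captured traffic.

```python
"""Request-side checks modelled on the Protocol Checks and Request Limits
sections: accept only HTTP/1.0 and HTTP/1.1 request lines, and drop
requests whose header fields exceed configured size limits.
Example code, not the appliance's implementation; limits are assumptions."""
from dataclasses import dataclass
from typing import Tuple

ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}


@dataclass(frozen=True)
class RequestLimits:
    max_header_count: int = 20          # assumed values, not product defaults
    max_header_name_len: int = 64
    max_header_value_len: int = 1024
    max_total_header_bytes: int = 4096


def check_request(raw: bytes, limits: RequestLimits = RequestLimits()) -> Tuple[bool, str]:
    """Return (allowed, reason); only the request head (line + headers) is inspected."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    if len(head) > limits.max_total_header_bytes:
        return False, "header block too large"
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    # HTTP/0.9 request lines ("GET /path") carry no version field, so they fail here too.
    if len(parts) != 3 or parts[2].decode("ascii", "replace") not in ALLOWED_VERSIONS:
        return False, "unsupported or missing HTTP version"
    headers = lines[1:]
    if len(headers) > limits.max_header_count:
        return False, "too many header fields"
    for line in headers:
        name, colon, value = line.partition(b":")
        if not colon or not name or b" " in name:
            return False, "malformed header field"
        if len(name) > limits.max_header_name_len:
            return False, "header name too long"
        if len(value.strip()) > limits.max_header_value_len:
            return False, "header value too long"
    return True, "ok"


# Constructed sample requests (not captured traffic).
GOOD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n"
OLD = b"GET /index.html\r\n\r\n"                       # HTTP/0.9 style request line
BIG = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Pad: " + b"A" * 2000 + b"\r\n\r\n"

if __name__ == "__main__":
    for request in (GOOD, OLD, BIG):
        print(check_request(request))
```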
Cloaking
Most successful Web attacks begin by probing a network for weaknesses. Readily available tools on
the Internet make it easy for potential intruders to scan a Web site for information about applications,
servers, and URLs. The Barracuda Web Site Firewall provides Web Site cloaking capabilities that
make enterprise Web resources invisible to hackers and worms scanning for vulnerabilities. The
Barracuda Web Site Firewall hides URL return codes, HTTP headers, and back-end IP addresses.
Because the Barracuda Web Site Firewall fully terminates all inbound and outbound TCP/IP sessions,
there is no direct access to Web servers, application servers, operating systems, or patches running on
the protected Web sites. With the Barracuda Web Site Firewall deployed in front of Web
applications, critical information that could be used to exploit vulnerabilities is completely
inaccessible, making it less likely that hackers or worms will be able to launch a successful attack.
Cookie Security
A cookie is a simple text file provided by a Web server. Cookies provide a mechanism to store Web
application state information on a client's navigation platforms, such as browsers and other user
agents. Cookies are used to store user preferences, shopping cart items, and sometimes very sensitive
information such as registration and login information. If the structure of the cookie can be revealed,
the user's information is vulnerable to attack.
A server can send a cookie, which is a packet of whatever information the server chooses to send (such
as information to authenticate or identify a user), to maintain state between otherwise stateless HTTP
transactions. Because cookies are simple text files, they can easily be altered and then used to launch
a Web attack. Cookies can also be stolen and sensitive information, such as client information, can be
obtained from the message.
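One generic way to detect the cookie alteration described above, added here as example code rather than the appliance's own cookie protection: the server appends a keyed HMAC tag to each cookie value it sets and rejects any returned value whose tag no longer verifies. The secret and the session values are constructed for the demonstration; the tag protects integrity only, so the cookie contents remain readable by the client.

```python
"""Tamper detection for cookie values, illustrating the Cookie Security
discussion: the server appends a keyed HMAC tag to every cookie value it
sets and rejects any returned value whose tag no longer verifies.
Example code, not the appliance's cookie protection; the tag gives
integrity only, so the cookie contents stay readable by the client."""
import hashlib
import hmac
import secrets

# Constructed for the demo; a deployment would keep this per server and rotate it.
SERVER_SECRET = secrets.token_bytes(32)


def sign_cookie(value: str, secret: bytes = SERVER_SECRET) -> str:
    """Return value plus a hex HMAC-SHA256 tag, separated by a dot."""
    tag = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(signed: str, secret: bytes = SERVER_SECRET):
    """Return the original value if the tag verifies, otherwise None.

    rpartition tolerates dots inside the value because the tag itself is hex."""
    value, dot, tag = signed.rpartition(".")
    if not dot:
        return None
    expected = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes, so odd input cannot make the check raise.
    if hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8")):
        return value
    return None


# Constructed scenario: the cookie for user 42 is edited client-side to claim user 1.
ORIGINAL = sign_cookie("uid=42;role=user")
POISONED = ORIGINAL.replace("uid=42", "uid=1")

if __name__ == "__main__":
    print("original ->", verify_cookie(ORIGINAL))   # the stored value
    print("poisoned ->", verify_cookie(POISONED))   # None: tampering detected
```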