WAF01 - Barracuda Web Application Firewall Training Video Transcript
© Barracuda Networks Inc., Revision: 7/25/2022

WAF01001 - Introducing the Barracuda WAF

Web Application Firewall Overview

Welcome to the module Introducing the Barracuda Web Application Firewall. My name is Christoph, and I'm a technical trainer at Barracuda Campus. In this video, you will be given a broad overview of how the Barracuda WAF works. You will learn about its architecture and the additional services available for the WAF.

Deployment Environments

The Barracuda Web Application Firewall is designed to protect your web applications regardless of the environment they are running in. In other words, the WAF may run on-premises, as a virtual machine, or in the cloud, depending on your web application. For a full list of environments the WAF can operate in, please refer to Barracuda Campus.

Overview
• Advanced Bot Protection: Google reCaptcha, Blocklists, Credential Stuffing Protection
• Data Theft Protection: Credit Card Numbers, Social Security Numbers, Custom Patterns
• Proactive Defense: Application Cloaking, Geo-IP Control
• Comprehensive Application Security: OWASP Top-10 Attacks, Application DDoS
• API Security: JSON / XML / GraphQL

But what kind of attacks does the Barracuda Web Application Firewall protect your web application against? Well, first you should know that it inspects both inbound and outbound traffic. All traffic that causes a security violation is blocked.

For inbound traffic, the WAF is designed to protect against any of the OWASP Top 10 attacks and also against DDoS attacks. The OWASP Top 10 is a list of the most dangerous, common, and impactful attacks against web applications. With Advanced Bot Protection, the WAF can protect against bot-based attacks like credential stuffing or spraying, web scraping, and many other attacks. It can even identify clients as bots, or at least as suspicious, and then challenge them with a CAPTCHA or reCAPTCHA. The WAF also has a blocklist of known bots that is updated by Barracuda on a regular basis. The WAF can also inspect your outbound traffic; thus, it is capable of identifying credit card numbers, social security numbers, and custom-created patterns, which enables it to prevent data loss. The WAF also enables proactive defense by using Application Cloaking, where, for example, headers that reveal the OS version of the web servers are removed. This prevents attackers from gathering information about your system. It also protects you against other attack types, for example, application DDoS attacks. The Barracuda WAF can also proactively secure your web applications by cloaking or by using Geo-IP control. According to OWASP, web services are becoming a common target for attackers, which is why the WAF has built-in JSON and GraphQL protection and an XML firewall to protect web services, too.

Architecture
• Barracuda Energize Updates: Policy Definitions, Security Updates, Attack Definitions
• WAF processing stages between clients and web servers: Protocol Termination and Validation, Decryption/Encryption, Data Normalization, Compression, Authentication and Authorization, Caching, Cloaking, Traffic Inspection and Security Checks, Load Balancing, Data Theft, Logging and Monitoring

To inspect both requests and responses, the Barracuda Web Application Firewall is deployed as a reverse proxy between your clients and your web servers. This ensures that all traffic is inspected, both incoming and outgoing. This way, every request and every response can be terminated at the WAF, which allows it to perform deep inspection based on 9 sub-policies. Each of these sub-policies ensures security for a different aspect of the web application and can be fine-tuned to fit your web applications. Sub-policies are inspected one after another; if a violation is found, the request is blocked and not inspected any further. Some of these policies require patterns for attack or anti-virus updates. To keep your policy definitions, security updates, and attack definitions up to date, a Barracuda Energize Updates subscription is required. The Barracuda Web Application Firewall has security modules to inspect your traffic, both incoming and outgoing. These modules can be fine-tuned to match your web applications. We also offer policies that help you integrate the Barracuda WAF with your applications. These are predefined policies for widely used applications, such as WordPress. And finally, the WAF performs powerful logging, which includes, but is not limited to, blocked or allowed traffic.
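The outbound side of this pipeline, as an added example that is not Barracuda's code: a constructed backend response is run through Data Theft Protection checks (credit card numbers confirmed with the Luhn checksum, social security numbers, and one custom pattern) that stop at the first violation, the same way the sub-policies above are evaluated, while a clean response has its server-identifying headers removed by Application Cloaking. The cloaked header list, the custom pattern ACME-nnnn-nnnn, and both sample responses are assumptions made for the example.

```python
import re

# Constructed backend responses, as the WAF (a reverse proxy) sees them on the
# way back to the client. Neither is a real capture.
SAMPLE_RESPONSE = {
    "status": 200,
    "headers": {
        "Content-Type": "text/html",
        "Server": "Apache/2.4.41 (Ubuntu)",  # leaks web server and OS version
        "X-Powered-By": "PHP/7.4.3",
    },
    "body": "Order confirmed. Card 4111 1111 1111 1111, SSN 123-45-6789, ref ACME-2024-0042",
}
CLEAN_RESPONSE = {
    "status": 200,
    "headers": {"Content-Type": "text/html", "Server": "nginx/1.18.0"},
    "body": "Welcome back. Your order is being prepared.",
}

# Headers stripped by Application Cloaking (assumed list for this example).
CLOAKED_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so that arbitrary 13-16 digit numbers are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_credit_cards(body: str) -> list:
    """Groups of 13-16 digits, optionally separated by spaces or dashes, that pass Luhn."""
    hits = []
    for m in re.finditer(r"\b\d(?:[ -]?\d){12,15}\b", body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(m.group())
    return hits


def find_ssns(body: str) -> list:
    """US social security number layout nnn-nn-nnnn."""
    return re.findall(r"\b\d{3}-\d{2}-\d{4}\b", body)


def find_custom_pattern(body: str) -> list:
    """A custom pattern an administrator might define for internal order references (assumed)."""
    return re.findall(r"\bACME-\d{4}-\d{4}\b", body)


# Outbound checks in evaluation order; the first violation blocks the response
# and the remaining checks are skipped, as with the WAF's sub-policies.
DATA_THEFT_CHECKS = [
    ("credit_card", find_credit_cards),
    ("ssn", find_ssns),
    ("custom_pattern", find_custom_pattern),
]


def cloak(headers: dict) -> dict:
    """Application Cloaking: drop headers that reveal server software or OS details."""
    return {k: v for k, v in headers.items() if k.lower() not in CLOAKED_HEADERS}


def inspect_response(resp: dict) -> dict:
    """Block on the first Data Theft violation; otherwise forward a cloaked copy."""
    for name, check in DATA_THEFT_CHECKS:
        matches = check(resp["body"])
        if matches:
            return {"action": "block", "violation": name, "matches": matches}
    return {"action": "allow", "response": {**resp, "headers": cloak(resp["headers"])}}


if __name__ == "__main__":
    for r in (SAMPLE_RESPONSE, CLEAN_RESPONSE):
        print(inspect_response(r))
```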
Barracuda WAF Additional Services
• Advanced Bot Protection
• Barracuda Advanced Threat Protection
• Barracuda WAF Control Center
• Barracuda Vulnerability Remediation Service
• Barracuda Active DDoS Prevention
• Barracuda Vulnerability Manager

To increase the security level of your WAF, it can be integrated with additional services, for example, the Barracuda Vulnerability Remediation Service, the Barracuda WAF Control Center, Barracuda Advanced Threat Protection, Barracuda Advanced Bot Protection, Barracuda Active DDoS Prevention, and the Barracuda Vulnerability Manager. These additional services will be discussed in later modules.

WAF01002 - On-premise Deployment

Deployment Modes

In this video, you will learn about the two operating modes of the Barracuda Web Application Firewall: reverse proxy and bridge path.

Reverse Proxy Mode
• Requests and responses are terminated at the WAF
• Configure what should be allowed/inspected

If the WAF is deployed in reverse proxy mode, it will be deployed between your users and your backend servers, meaning there will be two different sessions: one session between your user and the WAF, and the other session between the WAF and the backend servers. In this way, all incoming requests and also all responses sent from your backend servers will be terminated at the WAF. This means that if a request coming from a user creates a violation, it will be terminated at the WAF and will not even reach your backend servers. This is also the case for responses coming from your backend servers. If the response contains something you have configured that should not leave the company, the WAF will also block that response. You can configure what should be allowed or inspected, and you can also configure follow-up actions.

One-Arm Proxy Deployment
Diagram: Internet – firewall (192.168.0.1) – switch – WAF WAN port 192.168.0.11 with VIP1 192.168.0.110, VIP2 192.168.0.120, VIP3 192.168.0.130; backend servers 192.168.0.12 and 192.168.0.13 on the same switch; the LAN port is unused.

If the WAF is working as a reverse proxy, there are two different deployment types available: the one-arm deployment and the two-arm deployment. In the one-arm deployment, the WAN port is the only port used for handling traffic. The traffic flows from the Internet through your firewall and is redirected from the firewall to the WAN port of the WAF. On this port, the WAF can listen on several virtual IP addresses, or VIPs. These VIPs are used to address specific web applications protected by the WAF. The WAF will then inspect the traffic before forwarding it to your backend server. The response from the backend server will again flow into the WAN port of the WAF, be inspected, and will then go through the firewall into the Internet. This is the least invasive deployment type because it requires only small changes to your network configuration, since the WAF and your servers are in the same subnet. This makes it ideal for both proof-of-concept and testing.

Two-Arm Proxy Deployment
Diagram: Internet – firewall (192.168.0.1) – WAF WAN port with VIP1 192.168.0.110, VIP2 192.168.0.120, VIP3 192.168.0.130; WAF LAN port 10.0.0.11 – switch – backend servers 10.0.0.12 and 10.0.0.13.

From a security aspect, the two-arm proxy deployment is the best approach for connecting the Barracuda WAF into your environment and therefore the recommended deployment. However, it is also the method that requires the most time to integrate, because it requires you to redesign the network part of your backend servers. You need to do this because the WAF will be connected to two different network segments. The first network segment connects the WAN port of your WAF to your firewall and the Internet. As in the one-arm deployment, the WAN port is where the VIPs are located. The second network segment connects the LAN port to your backend servers. So in this case, traffic will flow as follows: it will come in through the Internet, hit your firewall, then go into the WAN port of your WAF, where the traffic will be inspected; then it will go out of the LAN port and on to your backend servers. The response will go from your backend servers into the LAN port of your WAF, will also be inspected, and then go through the WAN port and your firewall into the Internet.

Bridge-Path Mode
• Acts as a Layer 2 transparent bridge
  – Inspects only the traffic configured for inspection
  – All other traffic is bridged
  – Only available for hardware models with bypass card
  – Not available for VMs

With a bridge-path deployment, the WAF acts as a Layer 2 transparent bridge. In this mode, it only inspects the traffic that has been configured for inspection. All other traffic is simply bridged. That means that if you have HTTP configured for inspection, it will be examined, but FTP traffic will simply pass through the WAF. This is the easiest way to integrate the WAF into your environment. However, some features are not available, for example, application delivery. You also have no control over the traffic that is not configured. This mode is only available for hardware models that have a bypass card.
Bridge-Path Deployment
Diagram: Internet – firewall (192.168.0.1) – switch – WAF WAN port – WAF LAN port – switch – backend servers 192.168.0.11, 192.168.0.12, and 192.168.0.13; VIP1 192.168.0.11, VIP2 192.168.0.12, and VIP3 192.168.0.13 are the real server addresses.

Within bridge-path mode, both the WAN and the LAN port are in the same subnet as the real servers. It is the easiest way to integrate the WAF, because you don't need to reconfigure the IP addresses within your environment. You also do not need any redirection rules. This deployment looks very similar to the two-arm proxy mode, but the biggest difference is that the WAN and LAN ports are both on the same network, which is also the network of the servers. In this scenario, traffic will flow from the Internet into the firewall, then into the WAN port of the WAF, and will leave via the LAN port, going to your backend servers. The response will go into the LAN port of the WAF and will leave through the WAN port and your firewall into the Internet.

Sizing and Licensing

Welcome, my name is Christoph and I am a technical trainer at Barracuda Campus. In this video, you will learn about sizing and licensing of both physical and virtual Barracuda Web Application Firewalls.

Hardware Sizing
Chart (throughput vs. capacity): models 360 and 460 offer restricted features; models 660, 860, 960, and 1060 offer all features.

When it comes to choosing the right hardware model, there are four factors you should keep in mind: the throughput and the capacity that your web application requires, the number of backend servers you want to address, and the features that your web application requires. Generally, you can say the higher the model number, the higher the capacity of the WAF. This means the higher the model number, the more cores and RAM there will be, which of course also increases the throughput and the number of sessions it can handle simultaneously. The higher the model number, the more backend servers are supported by the WAF. The feature set is another critical point when choosing the right model, as the smallest models do not support the full feature set. Models 360 and 460, for example, do not support virus scans for file uploads. Starting from model 660, the full feature set is supported. The difference between these appliances is mainly the capacity they can handle. So the higher the appliance model, the more RAM and CPUs it will have. In addition, the larger models have more Ethernet interfaces, and some of them also support multiport or fiber ports.

VX Sizing
Chart (throughput vs. capacity): models V360 and V460 offer restricted features; models V660, V760, V860, and V960 offer all features.

The sizing of virtual WAFs is very similar to hardware appliances: generally, the higher the model number, the higher the capacity and throughput. So again, the V360 and V460 offer only a restricted feature set. The V660 offers the full feature set and is only limited by the number of cores it has. If you require additional throughput or additional capacity, you need to purchase a license for a larger model.
Virtual Deployment
Requires a 64-bit-capable host

Image Type: Supported Hypervisors
OVF
  • VMware ESX and ESXi (vSphere Hypervisor) versions 4+
  • Sun/Oracle VirtualBox and VirtualBox OSE version 3+
VMX
  • VMware Server 2.x
  • VMware Workstation 6+, Player 3+, and Fusion 3+
XVA
  • Citrix XenServer 5.5+
VHD
  • Microsoft Hyper-V
QCOW2
  • Kernel-based Virtual Machine (KVM, Nutanix)

If you want to deploy the Barracuda WAF in a virtual environment, we also support different image types that are available for the most common platforms. The only prerequisite is that the hosts are 64-bit capable. And of course the host should have enough capacity left for the VMs. OVF images are supported by VMware ESX and ESXi starting from version 4 and also by Sun/Oracle's VirtualBox starting from version 3. Barracuda also offers VMX images for VMware Server and VMware Workstation as well as VMware Player and Fusion. XVA is available for Citrix XenServer starting from version 5.5. And Microsoft Hyper-V is supported by VHD images. The WAF can also be deployed on kernel-based virtual machines such as KVM or Nutanix with the QCOW2 format.

Virtual & On-Prem Licensing
• Physical Appliances
  – Automatic activation
  – Can be manually triggered if it fails
• Virtual Machines
  – Open the VM console
  – Enter the license token
  – Configure the default domain
  – Can be re-provisioned

Licensing works according to the platform you have chosen. If you have a physical appliance, the license will be activated automatically and is tied to the serial number of the WAF. If it fails, you can trigger license activation again manually. If you have deployed a virtual WAF, you have to enter the license token via the VM console and also provide the default domain. For both license types, physical and virtual, you need to ensure that the appliance has access to the Internet, so that the machines can report back to Barracuda and validate the license. When using a virtual appliance and you find you require more CPUs or RAM, you can easily re-provision the appliance to a larger model by purchasing the license and then entering the new license token.

WAF01003 - Basic Configuration Tasks

Introducing Basic Configuration Tasks

Welcome, my name is Christoph and I am a technical trainer at Barracuda Campus. In this video, you will learn how you can access the WAF to configure it, and the first settings you should make before you use it to protect your web applications.

Web Interface Access
Configured via:
• Web interface
• REST API
http://[WAF_IP]:8000 or https://[WAF_IP]:8443
Default credentials:
• Username: admin
• Password: <Serial number>

To configure the Web Application Firewall, you can choose between two options. You can use the web interface in a browser, or you can use the REST API. To access the WAF, you also require its IP address. You can also choose between two protocols: you can connect to the WAF using HTTP on port 8000, or HTTPS on port 8443. The default credentials to access the WAF are "admin" as the username and the serial number as the password.

Web Interface Access
Sign Out – SECTIONS – PAGES (relative to the sections) – Instant Search – Help

The web interface is divided into different sections, and for each section, there are different pages. So, if you want to configure something in the Barracuda Web Application Firewall, you must go to the correct section and to the correct page within that section. There is also a very handy instant search help that can help you to configure the Barracuda Web Application Firewall. Just type in a term, and the system will automatically show you the path that you have to follow to configure the specific feature. In the top-right corner, to the left of the sign-out button, you will find the help button. When clicked, it provides direct links to Campus articles like the deployment best practices, release notes, and documentation on using the REST API with the WAF.

WAF01004 - Logging, Monitoring, Reporting

Monitoring

Welcome. My name is Christoph, and I am a technical trainer at Barracuda Campus. In this video, you will learn about the monitoring capabilities of the Barracuda WAF.

Status Monitoring
• Dashboard: Attack Statistics, Performance Statistics, Subscription Status
• Notifications: Global Thresholds, Service Thresholds, Modules, Events
• SNMP: Version v2c/v3, Auth/Enc (v3), Trap Receivers

To monitor the status of the Barracuda WAF, you have three options. The dashboard is the first thing you will see when you log into your Barracuda WAF. It gives you statistics about attacks and performance and also shows your subscription status. Notifications can be sent out for both global and service thresholds. They can also be sent out for specific events. And finally, you can integrate your WAF with SNMP, which allows you to receive the WAF's system information on your SNMP manager.
Notifications
• Sent automatically for system and security events
• Default thresholds set to 85% in a 5-min. time frame
• Set globally or per service

The WAF can send out notifications for system or security events automatically. By default, the thresholds are set to 85%, so if any threshold reaches 85% in a 5-minute interval, a notification will be sent. Thresholds can be set for global events, like reaching a CPU usage of 85%, or per service, for example if a certain number of attacks on a service have been blocked, which might indicate that the web application behind the service is under attack. Either way, a notification will then be sent via email or via Slack.

Logging

Welcome. My name is Christoph, and I am a technical trainer at Barracuda Campus. In this video, you will learn about the monitoring capabilities of the Barracuda WAF.

Logging
• System Logs
• Network Firewall Logs
• Audit Logs
• Access Logs
• Web Firewall Logs

Whenever an event occurs on the WAF, it automatically creates a log entry. This log entry gets written into a specific log, depending on the nature of the event. Overall, the WAF collects data in 5 different log types. System logs contain information on configuration changes. Access and Web Firewall logs are dedicated to requests and responses: Access logs contain information on the requests that were allowed to pass the WAF, whereas Web Firewall logs contain blocked requests and responses. Audit logs contain login information on the WAF, and Network Firewall logs track events on the network firewall of the WAF.

Logging – Filters
• Search for specific log entries
• Save for later
• RegEx
• Export as CSV

As these logs contain a massive amount of data, the WAF allows you to search and filter for specific log entries. These filters can be saved for later use. You can even use regular expressions within the filters. The results can be exported as a CSV file.

Logging – Log Servers
All WAF logs can be sent to a maximum of 5 log servers:
• Barracuda Reporting Server
• Syslog (TCP – UDP – SSL, Local0..7): ArcSight, Splunk, Symantec SIM, ...
• AMQP(S) Broker: RabbitMQ, ActiveMQ, NSQ, ...
• Microsoft Azure's Event Hub / OMS

The WAF can only store a limited amount of logs, so it makes a lot of sense to connect it with a log server for long-term storage. It can be connected to up to 5 log servers. Supported are the Barracuda Reporting Server; log servers that use TCP, UDP, or SSL, like ArcSight, Symantec SIM, or Splunk; and also brokers like RabbitMQ or ActiveMQ. If the WAF runs in Azure, it can also send logs to Microsoft Azure's Event Hub.

Reporting

In this video, you will learn about the reporting capabilities of the Barracuda Web Application Firewall.

Reports
Based on all logged information:
• Security Reports – attack prevention
• Audit Reports – server and login/logout activity
• Traffic Reports
• Configuration Summary Reports
• PCI reports: compliance with PCI
Delivered via email or to an FTP/S server

The Barracuda WAF allows you to generate different reports based on the logs that have been captured within the WAF. There are five types of reports that you can generate. Security reports cover all web attacks and also the prevention activity. Administrator reports cover details about log-in and log-out activities performed by the different user roles. Traffic reports cover all the traffic activities on the WAF. The configuration summary reports give you a detailed report of the configuration settings, so, for example, what changes have been made to the configuration. And, finally, PCI reports tell you if you are compliant with the PCI standards. These reports can either be created manually, or they can be scheduled to be delivered on a specific day or in a specific time interval. They can either be delivered via email or to an FTP server.

GDPR Compliance

Welcome. In this video I will explain how the Barracuda WAF can be compliant with the EU's General Data Protection Regulation.

GDPR Compliance
• Logs and reports are encrypted with a passphrase

Since the Barracuda Web Application Firewall stores data within its logs and reports, it must also be compliant with the General Data Protection Regulation, which went into effect in 2018. To fulfill the legal requirements, the WAF encrypts the logs and the problem reports, even the ones that you send to your logging service. To do that, it uses a passphrase that you yourself will have to create.

WAF01005 - WAF Services

Introducing Services

In this video, you'll be learning about the different types of services you can use with the Barracuda Web Application Firewall.
Services Overview
• Must match the web application
Diagram: End Users – VIP:Port – Service (HTTP) – WAF – Real Server (HTTP)

Let's start by defining what a service is. A service is a logical projection of your web application hosted on your backend servers, so it has to match the web application. In the WAF, we use the term "real server". Please don't get confused by this term. A real server can be anything from a virtual machine to a cloud instance or a physical server. The service uses virtual IP addresses and ports to grant access to and protect your web application. Incoming requests will be terminated at the WAF and inspected, and only if no security violations are found will the incoming requests be forwarded to the real server. After the real server has processed the request, its reply will also be terminated at the WAF and inspected before the WAF forwards it to the client.

Service Types
• Cleartext traffic: HTTP, FTP, Redirect, Custom
• Encrypted traffic: HTTPS, FTPS, Instant SSL, Custom SSL

Since the service is closely linked to the protocol that your web application uses, there are several types of services available. They can be divided into services that handle cleartext traffic and services that handle encrypted traffic. Most of these service types are used to access your application, like HTTPS, HTTP, and also Instant SSL. Others, like FTP, allow file transport. Redirect services allow you to redirect traffic, for example, from HTTP to an HTTPS service. Instant SSL will rewrite your traffic to HTTPS even if your backend servers cannot speak HTTPS. And finally, Custom services and Custom SSL services can be used to forward traffic without any further analysis. You should also note at this point that Instant SSL services are not available if the WAF is running in bridge mode.

SSL Services
Diagram: client – HTTPS – VIP – WAF – HTTPS – Web Application; Gemalto SafeNet Luna HSM (optional)

SSL services are used if your web application is using HTTPS for communication. In this scenario, we have two connections. One connection is going from the user or client to the VIP and port of the SSL service, and the other connection is going from the WAF to your backend servers. Both connections are using HTTPS in this scenario. You need to define the ciphers you want to use as well as the certificates that will be used for communication. Certificates can either be stored directly on the WAF, or you can use a Gemalto SafeNet Luna HSM in order to manage and keep your certificates safe.

Venafi Integration
• Automated certificate management via the Venafi platform
  – New certificates
  – Manual renewal
  – Auto-renewal
• Role-based access control

Managing your certificates, especially if you have a lot of HTTPS services, can be a hassle and very often leads to downtime if certificates are not renewed on time. This is why the Barracuda WAF is now integrated with the Venafi platform. Venafi TTP allows you to create new certificates and then push them to the WAF. It also allows you to renew your certificates, either automatically or manually. All of this happens via API. It is recommended to deploy Venafi with role-based access control, with certificate and service permissions on the Barracuda WAF.
Instant SSL
• Creates one redirect and one HTTPS service
  – Connection to the user will be HTTPS
  – Connection to the web application will be HTTP
Diagram: 1st HTTP request – Redirect to HTTPS – VIP – WAF – HTTP – Web Application; Response Rewrite

If your backend servers don't speak HTTPS, but you want to use a secure connection, you can use the Instant SSL service. When you create an Instant SSL service, you actually create two different types of services: one redirect service and one HTTPS service. When an Instant SSL service is used and a client sends an HTTP request, the redirect service will automatically redirect to the HTTPS service. Typically, that HTTPS service uses the same VIP as the HTTP redirect service. And from that time on, communication between the WAF and the client will be held in HTTPS. Now, since your web application servers don't speak HTTPS, the WAF will keep communicating with them in HTTP. However, the responses coming from your web application servers will be rewritten by the WAF on the fly from HTTP to HTTPS. This ensures that the communication between the client and the WAF is secure.

Perfect Forward Secrecy (PFS)
Diagram: two users, each with their own HTTPS session (Session1, Session2) to the WAF, which connects on to the backend servers

When you're using HTTPS services, you can use additional features to make your communication even more secure. One of these features is Perfect Forward Secrecy. When you use this feature, you can make sure that your communication will not be compromised even if the private key gets compromised. This is achieved by generating new key pairs for each TLS session. The private key will remain at the WAF, while the public key will be sent to the user. In order to use PFS, each connection must be established with a DHE handshake. Every user will have their own key. If a private key is compromised, further traffic cannot be compromised anymore, as for the next session a new private key will be used.

HTTP Strict Transport Security (HSTS)
Diagram: 1st HTTP request – Redirect to HTTPS – VIP – WAF – Web Application; response header Strict-Transport-Security: max-age=36000

To protect your web application against man-in-the-middle attacks, you can use the HTTP Strict Transport Security feature, or HSTS. Every HTTP request coming in on port 80 is automatically redirected to port 443. In other words, you will have an HTTPS connection. This is achieved by having a second service in place on port 80 that automatically redirects the traffic from port 80 to port 443. In addition, the HTTP Strict Transport Security header is injected into the response. After that, the browser will only accept certificates that were received at the first connection, and this lasts until the maximum age is reached.

WebSocket Security
• Upgraded to WebSocket after HTTP handshake
  – Persisting connection using bidirectional messages
• WebSocket security policy
  – Inspect headers only OR text payload
  – JSON inspection requires JSON profile
Diagram: client – HTTP handshake – Service (HTTP/S) – WAF – WebSocket – Real Server

WebSocket is a TCP-based network protocol that allows bidirectional communication between a WebSocket server and a web application. At the first HTTP/S request, a handshake is performed that upgrades the connection to WebSocket. The Barracuda Web Application Firewall is able to inspect the WebSocket traffic for security violations. For every service, the WAF automatically creates a WebSocket profile. This profile can be adjusted to your web application. The WAF can inspect the headers of the WebSocket communication or the text payload.
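Before going on with WebSocket inspection, the Instant SSL and HSTS slides above as an added example that is not Barracuda's code: a plain HTTP request is answered by the redirect service with a 301 to HTTPS, an HTTPS request is served from a constructed backend reply fetched over HTTP whose absolute http:// links to the protected host are rewritten to https:// (links to other hosts are left alone), and the Strict-Transport-Security header with the slide's max-age=36000 is injected; a small browser-side cache shows why later http:// URLs for that host are upgraded until the max-age expires. The host name www.example.test and the backend response are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed service settings (not from a real configuration).
PUBLIC_HOST = "www.example.test"  # host name of the protected application
HSTS_MAX_AGE = 36000              # seconds, the value shown on the HSTS slide

# Constructed answer from a backend that only speaks HTTP. Its absolute links
# still say http://, which is what the Instant SSL response rewrite has to fix.
BACKEND_RESPONSE = {
    "status": 200,
    "headers": {
        "Content-Type": "text/html",
        "Link": "<http://www.example.test/style.css>; rel=preload",
    },
    "body": '<a href="http://www.example.test/cart">Cart</a> '
            '<a href="http://partner.example.test/">Partner</a>',
}


def redirect_service(host: str, path: str) -> dict:
    """Redirect service on port 80: every plain HTTP request gets a 301 to
    HTTPS on the same host (with Instant SSL, typically the same VIP)."""
    return {"status": 301, "headers": {"Location": f"https://{host}{path}"}, "body": ""}


def rewrite_response(resp: dict, host: str) -> dict:
    """Instant SSL response rewrite: absolute http:// references to the
    protected host become https:// so the client stays on the HTTPS service.
    References to other hosts (e.g. a partner site) are not touched."""
    pattern = re.compile(r"http://" + re.escape(host) + r"(?![\w.-])")
    replacement = f"https://{host}"
    headers = {k: pattern.sub(replacement, v) for k, v in resp["headers"].items()}
    return {**resp, "headers": headers, "body": pattern.sub(replacement, resp["body"])}


def add_hsts(resp: dict, max_age: int = HSTS_MAX_AGE) -> dict:
    """HSTS: inject Strict-Transport-Security into the HTTPS response."""
    headers = dict(resp["headers"])
    headers["Strict-Transport-Security"] = f"max-age={max_age}"
    return {**resp, "headers": headers}


def handle_request(request: dict, backend_response: dict = None) -> dict:
    """Dispatch like the two services Instant SSL creates: the redirect
    service for http:// requests, the HTTPS service for https:// requests.
    backend_response is what the WAF fetched from the real server over HTTP."""
    if request["scheme"] == "http":
        return redirect_service(request["host"], request["path"])
    return add_hsts(rewrite_response(backend_response, request["host"]))


class HstsCache:
    """Browser side: once the header has been seen for a host, http:// URLs
    for that host are upgraded to https:// until max-age expires."""

    def __init__(self):
        self.expiry = {}  # host -> absolute expiry time in seconds

    def remember(self, host: str, header_value: str, now: int) -> None:
        m = re.search(r"max-age=(\d+)", header_value)
        if m:
            self.expiry[host] = now + int(m.group(1))

    def upgrade(self, url: str, now: int) -> str:
        parts = urlsplit(url)
        if parts.scheme == "http" and now < self.expiry.get(parts.hostname, 0):
            return "https://" + url[len("http://"):]
        return url


if __name__ == "__main__":
    print(handle_request({"scheme": "http", "host": PUBLIC_HOST, "path": "/cart"}))
    secured = handle_request({"scheme": "https", "host": PUBLIC_HOST, "path": "/"}, BACKEND_RESPONSE)
    print(secured["headers"]["Strict-Transport-Security"], secured["body"])
```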
The payload can be anything; JSON is also supported. However, if you want to inspect the JSON, you will require an additional JSON profile. Without the JSON profile, the WAF cannot perform security checks on the JSON payload. For further information on JSON profiles and security, please refer to the JSON Security module in the WAF02 course.

WAF01005 - WAF Services: Let's Encrypt Integration
• Easy generation of certificates for HTTP services
• Free signed certificates (90 days)
[Diagram: the WAF creates and renews CA-signed certificates for its HTTP services]
Training Video Transcript
To ease the creation of certificates, the WAF can be integrated with Let's Encrypt. Certificates created with Let's Encrypt are valid for 90 days but can be renewed directly from the WAF. With Let's Encrypt you can create and renew CA certificates for your HTTP services. The only prerequisites you have to meet are that your domains need to be accessible over port 80 and your HTTPS service has to be in active mode. Once these preconditions are met, you can go to the certificates page of the Barracuda WAF and click the Let's Encrypt button to create your certificates with Let's Encrypt.

WAF01005 - WAF Services: Introducing Content Rules
Training Video Transcript
In this video, I'll be introducing you to content rules.

WAF01005 - WAF Services: Content Routing
Route traffic based on request content
[Diagram: John and Tommy send requests to the same service; a content rule routes one to the web server hosting the mobile web app and the other to the web server hosting the desktop web app]
Training Video Transcript
With the Barracuda Web Application Firewall, you can host multiple web applications under the same service, meaning they're accessible by the same VIP. Content rules are used to analyze the request and then send the traffic to the corresponding backend server, based on the content of the request.
In the example you can see here, John is accessing the web application via a mobile device, while Tommy is using a desktop PC. The information they send with the request states whether they're using a mobile device or a desktop PC. So the traffic hits the service, and with the content rule we can analyze what kind of end device the user is using and then forward the user to the most appropriate backend server.

WAF01005 - WAF Services: Extended Match Rules
Rules that pinpoint specific information
[Diagram: an allow/deny rule with the extended match "USER-Agent co Firefox/16" on the URL; Tommy, using Firefox 16, receives a 301 to Update_your_browser.html instead of reaching the application server]
Training Video Transcript
You can use extended match rules to dig down into a request and pinpoint specific information, like the method being used, the HTTP version used, or any kind of information in the header. These extended match rules are not limited to content rules. They can also be used, for example, in authentication policies or in allow/deny rules. In this example, an extended match on the URL is used in combination with an allow/deny rule to tell the user to update the browser if a specific browser version is being used. So, to access the web application, Tommy uses Firefox 16 to send a request that is analyzed by the WAF, and the content rule says that any user agent that contains Firefox 16 will receive a 301 response with a redirect to an HTML page that tells the user to update the browser.

WAF01005 - WAF Services: Rule Evaluation Order
Evaluation order: 1. Host, 2. URL, 3. Extended Match (by sequence number)

Host | URL | Sequence num. | Extended Match
www.cudau.org | /cgi-bin/index.cgi | |
www.cudau.org | /payments/* | 1 | User-Agent co MSIE 6.0
www.cudau.org | /payments/* | 2 | User-Agent co Mobile
www.bigfishinc.org | /payments/* | |
www.cudau.org | /* | |
www.bigfishinc.org | /* | |

Training Video Transcript
Several rules can exist on the WAF. The best fitting rule will be applied.
It will first take a look at the host name, and if it can't find a clear match, it will then take a look at the URL, and only then, if there's still no clear match, will it go for the extended match rules, and these are evaluated in sequence.

WAF01005 - WAF Services: Rule Evaluation Order
Request: https://www.cudau.org/cgi-bin/index.cgi
(Same rule table as above)
Training Video Transcript
In this example, a request is sent to https://www.cudau.org/cgi-bin/index.cgi. So, first the WAF takes a look at the host name. In this case, four matching entries are found, so it proceeds to check the URL. As you can see, for the URL there's only one matching rule, and this means that this rule will be applied.

WAF01005 - WAF Services: Rule Evaluation Order
Request: https://www.bigfishinc.org/index.php
(Same rule table as above)
Training Video Transcript
In the next example, the request is going to www.bigfishinc.org/index.php. Again, the WAF first takes a look at the host name. In this case, two rules match. So again it takes a look at the URL, which says /index.php. This definitely does not match /payments/*. So it goes for the other rule that says /*, which is a wildcard.

WAF01005 - WAF Services: Rule Evaluation Order
Request: https://www.cudau.org/payments/pay.php (from an iPhone)
(Same rule table as above)
Training Video Transcript
In our final example, we're trying to access the payment section from an iPhone. So the request is going to www.cudau.org, which is the host name, and again this is inspected first. We see that there are currently four matches. So again, the WAF takes a look at the URL. But as you can see, there are still two matches. So in this case, the extended match comes into play. Remember, these are analyzed sequentially. So it first takes a look at sequence number one and checks if the user agent is Microsoft Internet Explorer. Since we're trying to access the web application from an iPhone, we won't be using Microsoft Internet Explorer. Since the iPhone is a mobile device, this information will also be present in the request. So we go to the second match rule, which asks if the user agent is running on a mobile device, and since we're using an iPhone, this rule will match.

WAF01006 - Networking: Introducing Networking
Training Video Transcript
Welcome, my name is Christoph, and I am a Technical Trainer at Barracuda Campus. In this video, you will learn about the different networking settings the Barracuda Web Application Firewall offers.

WAF01006 - Networking: Network Groups
• Three independent routing entities that contain:
  – Routes
  – Network ACLs
  – NAT rules
  – Virtual interfaces
  – VLANs
[Diagram: the Management network group is connected to the management port (management path); the System and Vsites network groups sit on the data path between the end users on the WAN port and the backend servers on the LAN port]
Training Video Transcript
The Barracuda Web Application Firewall has independent routing entities that are called network groups.
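Returning to the content-rule evaluation order from WAF01005 above: the following added example (not Barracuda's code) implements the host, then URL, then extended-match order against a constructed copy of the slide's rule table and walks the three requests from the slides. The tie-break on the most specific URL pattern and the handling of a request where no extended match hits are assumptions, since the slides do not spell them out.

```python
"""Content-rule selection in the order described on the slides: host, then URL,
then extended match rules in sequence-number order. Added example, not WAF code."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Rule:
    host: str
    url: str                            # literal path or wildcard such as "/payments/*"
    seq: int = 0                        # sequence number of the extended match
    ext_header: Optional[str] = None    # header inspected by the extended match
    ext_contains: Optional[str] = None  # "co" operator: header value must contain this


# Constructed copy of the rule table on the Rule Evaluation Order slides.
RULES = [
    Rule("www.cudau.org", "/cgi-bin/index.cgi"),
    Rule("www.cudau.org", "/payments/*", 1, "User-Agent", "MSIE 6.0"),
    Rule("www.cudau.org", "/payments/*", 2, "User-Agent", "Mobile"),
    Rule("www.bigfishinc.org", "/payments/*"),
    Rule("www.cudau.org", "/*"),
    Rule("www.bigfishinc.org", "/*"),
]


def url_specificity(pattern: str) -> tuple:
    """Assumed tie-break: an exact path beats any wildcard, and among wildcards
    the longer literal prefix is the better fit ("/payments/*" beats "/*")."""
    literal = pattern.split("*", 1)[0]
    return ("*" not in pattern, len(literal))


def select_rule(rules, request_url: str, headers: dict):
    """Return (the rule to apply or None, a list of evaluation steps)."""
    parts = urlsplit(request_url)
    host, path = parts.hostname, parts.path
    hdrs = {k.lower(): v for k, v in headers.items()}
    trace = []

    # Step 1: host name. Keep every rule configured for this host.
    by_host = [r for r in rules if r.host == host]
    trace.append(f"host {host}: {len(by_host)} matching rules")
    if not by_host:
        return None, trace

    # Step 2: URL. Keep only the best-fitting URL pattern(s).
    by_url = [r for r in by_host if fnmatchcase(path, r.url)]
    best = max((url_specificity(r.url) for r in by_url), default=None)
    candidates = [r for r in by_url if url_specificity(r.url) == best]
    trace.append(f"url {path}: {len(candidates)} best-fitting rules")
    if len(candidates) <= 1:
        return (candidates[0] if candidates else None), trace

    # Step 3: extended match, evaluated in sequence order; the first hit wins.
    for rule in sorted(candidates, key=lambda r: r.seq):
        if rule.ext_header is None:
            trace.append(f"seq {rule.seq}: no extended match, applied")
            return rule, trace
        value = hdrs.get(rule.ext_header.lower(), "")
        hit = rule.ext_contains in value
        trace.append(f"seq {rule.seq}: {rule.ext_header} co {rule.ext_contains!r} -> {hit}")
        if hit:
            return rule, trace
    # Not covered on the slides; treated here as "no rule applies".
    trace.append("no extended match hit")
    return None, trace


if __name__ == "__main__":
    iphone = {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) Mobile/15E148"}
    for url, hdrs in [("https://www.cudau.org/cgi-bin/index.cgi", {}),
                      ("https://www.bigfishinc.org/index.php", {}),
                      ("https://www.cudau.org/payments/pay.php", iphone)]:
        rule, steps = select_rule(RULES, url, hdrs)
        print(url, "->", rule)
        for step in steps:
            print("   ", step)
```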
A network group has its own routes, network ACLs, NAT rules, virtual interfaces, and VLAN settings. The first network group is called Management, and it's connected to the management port. This network group is responsible for processing management traffic from your admin workstation to the WAF. The next network groups are called System and Vsites. These two network groups are responsible for processing the traffic to and from the end users and your backend servers. If you have a model 360 or 460, you don't have a Vsites network group.

WAF01006 - Networking: Vsites
• A Vsite encompasses one network group and its associated services
  – Available only on model 660 or higher
• A service group is a container for the services
[Diagram: Vsite 1 to Vsite n each contain service groups (Service Group 1 to Service Group n) holding services (Service 1, Service 2, ... Service n), decoupled from the box IP layer and the WAN/LAN interfaces of the WAF]
Training Video Transcript
The Vsite network group is a special network group. In fact, you can have multiple Vsites configured in the Barracuda Web Application Firewall. Each Vsite can have one or more services assigned to it. The services are grouped together using service groups. This allows you to decouple your services from the IP layer of your box, which means you can have separate routing tables, separate NAT settings, and separate VLAN settings for your services. Although you can have multiple Vsites, you can only assign one specific service to one specific Vsite. One service cannot be shared across multiple Vsites.

WAF01007 - High Availability: Introducing High Availability
Training Video Transcript
Welcome, my name is Christoph, and I am a technical trainer at Barracuda Campus. In this video, you'll be learning how to use high availability with the Barracuda Web Application Firewall and the different available settings.
WAF01007 - High Availability: Active-Active HA
[Diagram: Active-Active HA config; both Barracuda WAF units are active]
• Different Vsites are active on different units
• Available only on models 660 or higher
• The unit from which the join cluster is initiated will have its configuration overwritten
• The Management Network Group configuration is not synced
Training Video Transcript
The Barracuda Web Application Firewall can be deployed in a high availability cluster on premises, as a virtual machine, and even in the cloud. You will use two systems of the same type; that means both of them have to be virtual appliances, hardware, or in the cloud. These two systems share the same configuration, so in case something happens to one of the systems, your services will be delivered from the system that is still alive. There are two ways to deploy the Barracuda WAF in high availability: the active-active deployment or the active-passive deployment. In the active-active deployment, different Vsites are active on different units. This means that you must be able to use Vsites, which is why it is only available for model 660 or higher, and you must have more than one Vsite configured in your system. It is important to note that the clustering procedure should always be initiated from the unit that is not configured. So let's assume you have two Web Application Firewalls: WAF A and WAF B. WAF B is not configured. You should start the clustering procedure from WAF B, because WAF A will overwrite the configuration of WAF B.

WAF01007 - High Availability: Active-Active Setup
Training Video Transcript
In the active-active setup, the WAFs share the same configuration but process different traffic. In this diagram, we have two WAFs deployed in the two-arm proxy deployment. WAF01 processes traffic for Vsite one, whereas WAF02 processes traffic for Vsite two.
The two systems also exchange heartbeats. By default, only the WAN interface is used. If you want, you can change this configuration and use additional interfaces. For example, in this diagram, we use the WAN and the LAN interfaces for sending the heartbeat. Every three seconds both systems send a heartbeat. If one of the systems sees that there is no heartbeat for more than nine seconds, it initiates a failover. That means that one WAF will then process all the traffic for all Vsites.

WAF01007 - High Availability: Active-Passive HA
[Diagram: Active-Passive HA config; one Barracuda WAF is active and the other is passive]
• All Vsites are active on one unit
• The unit from which the join cluster is initiated will have its configuration overwritten
• The Management Network Group configuration is not synced
Training Video Transcript
The other type of deployment is the active-passive deployment. In this case, all Vsites are active on one unit, and if something happens to this unit, the Vsites are transferred to the other unit. In case you don't have Vsites, services are used instead and transferred from one unit to the other. Also in this setup, the clustering procedure should always be initiated from the unit that is not configured, and the Management Network Group is not synced!

WAF01007 - High Availability: Active-Passive Setup
Training Video Transcript
With the active-passive setup, the two systems still share the same configuration, but only one system processes the traffic for all Vsites, or for all services when Vsites are not available. In this diagram, we have the same setup as before: two systems deployed in a two-arm proxy deployment, using two interfaces to receive and transmit heartbeats. In this case, if WAF02 does not receive heartbeats for more than nine seconds, it will process the traffic for all these Vsites.
A lost heartbeat is not the only reason that triggers a cluster failover. You can monitor links in the WAF, and if one of the monitored links is down, this will also cause a failover. Moreover, the inability to serve traffic or any instability in the processing of the traffic will also cause a cluster failover.

WAF01007 - High Availability: High Availability Requirements
• Same model / Same firmware
• A unique WAN, LAN IP address, and default host name
  – WAN IP address used for joining the units in cluster and configuration sync
• Network connectivity over the WAN interface
• WAN interfaces on the same logical network
• Same time and time zone (prevents sync issues)
Training Video Transcript
Certain requirements must be met in order to deploy the WAF in high availability. The two systems must be of the same model and running the same firmware. A unique IP must be set on both systems. Also, a unique host name must be configured on the two systems. The WAN interface is used to join the cluster and to do the configuration sync, so the two systems must be able to reach each other over the WAN interface, which means they have to be on the same logical network. Also, the two systems must have the same system time. This prevents syncing issues.

WAF01007 - High Availability: Cluster Failover
• Link down
  – One of the monitored links is down
• Inability to serve traffic
  – Instability in any traffic processing
• Lost heartbeat
  – Heartbeat sent every 3 seconds
  – Heartbeat not received for more than nine (9) seconds
Training Video Transcript
But in what scenarios will a failover happen? If one of the monitored links is down, the services or the Vsite on that WAF will fail over. Also, if one of the WAFs is unable to serve traffic, for example if the CPU or RAM is maxed out.
The WAF also sends heartbeats every 3 seconds; if a WAF doesn't receive a heartbeat for 9 seconds, it assumes that the other WAF is not working and there will be a failover.

WAF01008 - Security Policies: Introducing Security Policies
Training Video Transcript
Welcome, my name is Christoph, and I am a technical trainer at Barracuda Campus. In this video you'll be learning about what security policies are and how you can use them to configure the security settings of your Barracuda Web Application Firewall.

WAF01008 - Security Policies: Security Models
• Positive security model
  – Everything is blocked. Unless...
  – ...explicitly allowed
• Negative security model
  – Only specific patterns are blocked
  – Everything else is allowed
Training Video Transcript
Before we start to configure the security settings of the Barracuda Web Application Firewall, we first want to talk about some theory regarding security models. Security models can be applied to any security device, so they're not limited to just the Barracuda WAF. There are two different models that can be used when implementing security in any system: the positive security model and the negative security model. In the positive security model, everything is blocked unless you explicitly allow it. You can see this model in, for example, a network firewall. You can have a deny-all access rule that blocks all the traffic, and then above this deny-all access rule you have your access rules that allow the traffic that you want to have in your network. The negative security model, on the other hand, only blocks specific patterns, and everything else is allowed. An example of the second security model could be an IPS. You have a database with some patterns, and if the traffic that is going through this IPS matches one of these patterns, then it will be blocked.
Otherwise, it will be allowed. Let's have a closer look at these two security models.

WAF01008 - Security Policies: Positive Security Model
• Very strict security model
• Complex to configure and maintain
• Legitimate requests might be blocked (false positives)
[Diagram: Tommy O'Connor submits a form in the browser with First Name: Tommy, Last Name: O'Connor; on the WAF, both First Name and Last Name are defined as input fields of type Alpha with Max Char 16]
Training Video Transcript
The positive security model is a very strict security model. Since everything is blocked unless you allow it, you can specify the traffic that you want your web application to allow. Unfortunately, it is very complex to configure, and it is very complex to maintain. And legitimate requests might be blocked; this is called a false positive. So let's have a look at a scenario. We have a user that wants to use our web application. Now, there is a page in our application that allows a user to enter his first name and last name. In the WAF, these two fields are defined in a certain way: these are two input fields, and we configured them so that we only allow letters in these two input fields. Also, the maximum number of letters that should be allowed is 16 characters. Now, when Tommy tries to use this page, the WAF will block the request. Why? Well, let's have a look at how Tommy's using the page. His first name is Tommy, and his last name is O'Connor. His last name contains an apostrophe. This character will not be accepted, because we configured the WAF to only accept letters. Now bear in mind, the WAF is not blocking the request because this looks like a SQL injection. This is not the apostrophe of a SQL injection. This is just a character that is not allowed in our configuration. So legitimate requests might be blocked because of this, and these are called false positives.
WAF01008 - Security Policies: Negative Security Model
• Compromise between security level and administration complexity
• Attacks not profiled will be successful (security breach)
[Diagram: Tommy O'Connor submits the same form (First Name: Tommy, Last Name: O'Connor); the WAF matches the request against attack patterns, denied metacharacters, and custom patterns]
Training Video Transcript
Let's now take a look at the negative security model. The negative security model is a compromise between security and administration. You can use attack patterns that are configured in the WAF and that are known to be used in attacks. You can also use custom patterns. For example, if your web application is vulnerable to a specific string, then you can include this string in the custom patterns. You can also deny specific metacharacters. Now, the question is what happens if there is an attack that is not profiled in the attack patterns or in the custom patterns? In that case, the attack will be successful, so you will have a security breach. However, when you configure the Barracuda Web Application Firewall, you don't have to configure it with only a pure negative model or only a pure positive model. You have to imagine the configuration of the Barracuda WAF as a slider. On this slider, you have the positive model on one side and the negative model on the other. Now, depending on the part of the web application that you're protecting, you might want to pull this slider towards a more positive model, for example for a login page or a page that allows payments and so on, since these pages require more security. For other parts of your web application, for example static pages like an About page, you can pull this slider towards a more negative model. The Barracuda Web Application Firewall can be set to work in both passive mode and active mode.
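To make the two models and the slider concrete, here is an added example (not part of the course and not the WAF's implementation) that checks Tommy's form against the slide's positive profile (Type Alpha, Max Char 16) and against a constructed set of attack patterns, denied metacharacters and custom patterns; the page-to-model mapping for the slider is constructed as well.

```python
"""Positive vs. negative security model on the form from the slides, plus the
"slider" that picks a model per part of the application. Added example."""
import re

# Positive model: the two fields exactly as defined on the slide (Type Alpha, Max Char 16).
ALLOWED_FIELDS = {
    "first_name": {"type": "alpha", "max_chars": 16},
    "last_name": {"type": "alpha", "max_chars": 16},
}

# Negative model: constructed stand-ins for the attack patterns, denied metacharacters
# and custom patterns configured on the WAF.
ATTACK_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"'\s*or\s+\d+\s*=\s*\d+",   # SQL tautology, as shown on the URL Normalization slide
    r"<script\b",                # script tag injection
)]
DENIED_METACHARACTERS = set("<>;")   # the apostrophe is deliberately NOT denied here
# "A specific string your web application is vulnerable against": placeholder value.
CUSTOM_PATTERNS = [re.compile(re.escape("CONSTRUCTED_VULNERABLE_STRING"))]


def positive_check(form: dict) -> list:
    """Everything is blocked unless explicitly allowed: an unknown field, a wrong
    character type or an over-long value is a violation."""
    violations = []
    for name, value in form.items():
        profile = ALLOWED_FIELDS.get(name)
        if profile is None:
            violations.append((name, "parameter not allowed"))
            continue
        if len(value) > profile["max_chars"]:
            violations.append((name, f"longer than {profile['max_chars']} characters"))
        if profile["type"] == "alpha" and not value.isalpha():
            violations.append((name, "contains a non-letter character"))
    return violations


def negative_check(form: dict) -> list:
    """Only profiled patterns and denied metacharacters are blocked; anything
    that is not profiled passes, which is the breach case the slide warns about."""
    violations = []
    for name, value in form.items():
        for pattern in ATTACK_PATTERNS + CUSTOM_PATTERNS:
            if pattern.search(value):
                violations.append((name, f"matches pattern {pattern.pattern}"))
        denied = DENIED_METACHARACTERS.intersection(value)
        if denied:
            violations.append((name, f"denied metacharacter {''.join(sorted(denied))}"))
    return violations


# The slider, as a constructed mapping: login and payment pages get the positive
# model, everything else (for example the About page) the negative model.
PAGE_MODEL = {"/login": positive_check, "/payments": positive_check, "/about": negative_check}


def check_request(path: str, form: dict) -> list:
    """Run the model chosen for the requested page; unlisted pages use the negative model."""
    return PAGE_MODEL.get(path, negative_check)(form)


if __name__ == "__main__":
    tommy = {"first_name": "Tommy", "last_name": "O'Connor"}
    print("positive model:", positive_check(tommy))   # false positive on the apostrophe
    print("negative model:", negative_check(tommy))   # passes: no pattern matches
```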
WAF01008 - Security Policies: WAF Modes – Passive
• Passive Mode
  – Logs the attacks but allows traffic to pass through
• Cookie security is still enforced
[Diagram: an attacker's attack against Service_B (passive) is logged by the WAF but still reaches the web server]
Training Video Transcript
If the WAF is set to passive mode, traffic that generates a violation is allowed through the WAF, so it reaches your real servers. But it is still logged in the web firewall logs. This makes passive mode ideal for testing purposes. Also, cookie security is still enforced, even if the WAF is in passive mode.

WAF01008 - Security Policies: WAF Modes – Active
• Active Mode
  – Logs and blocks the attacks
[Diagram: an attacker's attack against Service_A (active) is blocked and logged by the WAF and never reaches the web server]
Training Video Transcript
When the Barracuda WAF is configured to work in active mode, any traffic that generates security violations is blocked and logged in the web firewall logs. This setting is available at the service level, but also for other modules of the WAF.

WAF01008 - Security Policies: Security Policies
• Only for HTTP & HTTPS services
• Positive & negative elements
• Assigned to several services or content rules
[Diagram: Tommy's HTTP requests pass through the security policy on the WAF before reaching the backend servers]
Training Video Transcript
The first security setting that we're going to configure after we add our services into the Barracuda Web Application Firewall is called security policies. A security policy inspects HTTP requests and responses and looks for security violations. Security policies are made mostly of negative elements from the negative security model, along with some positive elements. They can be used only with HTTP and HTTPS services or with content rules. However, security policies can be shared among different HTTP and HTTPS services and content rules.
When you do that, it is very important that the services sharing the security policy are very similar, since changes to the policy are applied to all services. In a worst-case scenario, adjusting the policy for one service might break another web application, or fixing a false positive on one service might create a hole in the security of another. So please be very careful if you decide to share security policies.

WAF01008 - Security Policies: Predefined Security Policies
• Adjust
• Copy
• Customize
[Diagram: the Barracuda WAF ships with predefined policies such as Default, Outlook Web App, Microsoft SharePoint, and SAML]
Training Video Transcript
Our philosophy is to ship a product that can give you a good amount of protection out of the box. That's why we have these policies, and we also want to help you integrate the Barracuda Web Application Firewall with your existing infrastructure. So let's assume that you want to protect Microsoft SharePoint. You deploy the WAF in front of your SharePoint server, you create your service, and then you use either the SharePoint or the SharePoint 2013 policy. The same applies, for example, to the Exchange server to protect its web interface. We also provide a default policy that can be used with any web application. It's a generic policy that will work with most web applications, but it might require some fine-tuning in order to work properly. That's because of its generic nature: it has to work with a lot of systems and with a lot of web applications. So it might work correctly with one web application, but it might break the functionality of another. In most cases, though, you can use the default policy out of the box. Or you can create your own policy. Creating a new policy basically allows you to customize your policy and then apply it to different services. All predefined policies in the WAF can be adjusted to your web applications. But you can also copy these and then customize them.
Also, the policies you create yourself can be copied and customized.

WAF01008 - Security Policies: Security Policies – The 9 Sub-Policies
[Diagram: the execution workflow of the nine sub-policies between Tommy and the application server]
Training Video Transcript
In this diagram, you can see the nine sub-policies and their execution workflow. Some sub-policies are applied only to the HTTP request, others only to the HTTP response, and other sub-policies are engaged in both HTTP requests and responses. If a security violation is found in any of these sub-policies, the request or response is blocked and not processed any further. As a first step, the request limits of the HTTP/S request are inspected. If anything within the request, for example the line length or the number of headers, exceeds the set values, the traffic is blocked. URL normalization makes the content of the URL easier to read for the WAF, thus making it easier to spot hidden attacks. Cookie security validates the cookie by cookie signing or encryption. Global ACLs are allow and deny rules. URL protection and parameter protection enable security checks for URLs and parameters. If a security violation is found in any sub-policy during the request, the action policy tells the WAF how to handle the violation. This can be simply dropping the request, redirecting to a page, or even blocking the IP of the client. For the response, the WAF cloaks any information that might give an attacker critical information about the web app, like the OS version of the web server, for example. Data Theft Protection scans the response for data you don't want to leak outside the company, like credit card details. And cookie security is enforced for both requests and responses. Also, for a violation within the response, the action policy tells the WAF how to handle it.
WAF01008 - Security Policies: Request Limits
• Enforce size limits on HTTP request header fields
• Requests with fields larger than the specified maximums are dropped
• Mitigate buffer overflow exploits, preventing DoS attacks
[Diagram: Max Request Length covers the whole request, Max URL Length the URL in the request line, and Max Line Length each header line of the following example request]
GET /cgi-bin/badstore.cgi HTTP/1.1
Host: www.badstore.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Training Video Transcript
The first sub-policy that we're going to cover, and the first policy that is applied by the WAF when the request is processed, is called request limits. It enforces size limits on request header fields. So if a request has fields larger than the specified maximums, it is dropped. As you can see from the diagram, we can specify limits for the line length, the URL length, and the overall request length. This helps you mitigate buffer overflow attacks, and it helps you prevent some denial of service attacks.

WAF01008 - Security Policies: URL Normalization
• Normalizes all traffic before applying any security policy string matches
• Always enabled if the WAF is in Active state
• Prevents disguised attacks
[Diagram: the attacker's request search?%27+OR+1%3D1+--+ is normalized by the WAF to search?' OR 1=1 -- and the request is blocked]
Training Video Transcript
The second sub-policy that processes the HTTP request is called URL normalization. As the name implies, it normalizes all the traffic before any security policy string matching is attempted. If the WAF's service is set to active mode, this sub-policy is always enabled. This prevents disguised or obfuscated attacks.
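The two request sub-policies just described, request limits followed by URL normalization, as an added example (not the WAF's code) run over the request from the Request Limits slide and the URL from the URL Normalization slide. The limit values, the single SQL injection pattern and the exact normalization steps are assumptions.

```python
"""Request limits, then URL normalization before any string matching, in the order
the sub-policies run on the slides. Added example, not Barracuda's implementation."""
import posixpath
import re
from urllib.parse import unquote_plus

# Constructed limits: the slide names the three knobs, the values are assumptions.
LIMITS = {"max_request_length": 4096, "max_url_length": 1024, "max_line_length": 512}

# The example request from the Request Limits slide, as it would arrive on the wire.
SLIDE_REQUEST = b"\r\n".join([
    b"GET /cgi-bin/badstore.cgi HTTP/1.1",
    b"Host: www.badstore.com",
    b"User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0",
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    b"Accept-Language: en-US,en;q=0.5",
    b"Accept-Encoding: gzip, deflate",
    b"Connection: keep-alive",
    b"Pragma: no-cache",
    b"Cache-Control: no-cache",
    b"", b"",
])


def check_request_limits(raw: bytes, limits: dict = LIMITS) -> list:
    """Return the limit violations; an empty list means the request may proceed."""
    violations = []
    if len(raw) > limits["max_request_length"]:
        violations.append(f"max_request_length exceeded ({len(raw)} bytes)")
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3:
        return violations + ["malformed request line"]
    if len(request_line[1]) > limits["max_url_length"]:
        violations.append(f"max_url_length exceeded ({len(request_line[1])} bytes)")
    for line in lines[1:]:
        if len(line) > limits["max_line_length"]:
            name = line.split(b":", 1)[0].decode("ascii", "replace")
            violations.append(f"max_line_length exceeded in header {name}")
    return violations


def normalize_url(url: str) -> str:
    """Percent-decode, turn '+' into spaces and collapse ./.. path segments, so the
    string-matching sub-policies see the URL the way the application would."""
    path, sep, query = url.partition("?")
    if path:
        path = posixpath.normpath(unquote_plus(path))
    return path + sep + unquote_plus(query)


# Constructed stand-in for the attack patterns, applied only AFTER normalization.
SQLI_TAUTOLOGY = re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.IGNORECASE)


def inspect_url(raw_url: str):
    """Run the pipeline on one URL: returns (normalized url, list of patterns that hit)."""
    normalized = normalize_url(raw_url)
    hits = [p.pattern for p in (SQLI_TAUTOLOGY,) if p.search(normalized)]
    return normalized, hits


if __name__ == "__main__":
    print("limits:", check_request_limits(SLIDE_REQUEST) or "ok")
    raw = "/search?%27+OR+1%3D1+--+"            # the disguised request from the slide
    print("raw matches pattern:", bool(SQLI_TAUTOLOGY.search(raw)))
    print("after normalization:", inspect_url(raw))
```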
When the URL is normalized, the old or original URL is saved in the logs, but it's not used anymore. The new normalized URL is used instead for the other sub-policies. Now, if an attacker attempts an attack within the URL, the WAF makes that URL easier to read for the other sub-policies. If an attack is found within the normalized URL, the request is dropped.

WAF01008 - Security Policies: Cookie Security – Encryption
Prevents both viewing and tampering with cookies
[Diagram: the cookie is encrypted by the WAF before it is sent to Tommy]
Training Video Transcript
The Barracuda Web Application Firewall can increase the security of the cookies used by your web application using the cookie security sub-policy. The cookie protection mode prevents cookies from being tampered with after they are sent to the client. There are two types of cookie security you can choose: encryption and signing. When using encryption, the WAF encrypts the cookies with an encryption key before they are sent to the browser. This means that the client will never be able to see the original value of that cookie. Moreover, if the client tries to tamper with the encrypted value of the cookie, the WAF will receive the cookie and drop it. There are some situations where the client-side scripts of a web application need to access the content of the cookie. In this case, you can't use cookie encryption, because it would break this logic.

WAF01008 - Security Policies: Cookie Security – Signing
• Two cookies are forwarded in the response to the client browser
  – If cookies are altered, signature verification fails
  – Cookies are removed before forwarding the request
[Diagram: the WAF sends Tommy the application cookie plus a signed cookie; on the way back, the WAF verifies the signature and removes the signed cookie before forwarding the request to the application server]
Training Video Transcript
That is why there is a second option, cookie signing.
When you use this option, the WAF generates a signature for the cookie, and two cookies are sent to the client: the original plain-text cookie and the signed cookie. When the client generates another HTTP request, it has to send both cookies. If the cookie has been tampered with, the signature verification fails and the WAF drops the cookies.

WAF01008 - Security Policies: Global ACLs
• Strict control rules for all services that share the same security policy
• Configurable actions
  – Process - Processes any request matching this ACL
  – Allow - Allows the request by disabling all security
  – Deny and Log - Denies the request matching this ACL and logs the event
  – Deny with no Log - Same as Deny, but the event is not logged
  – Temporary Redirect - Redirects the request with a 302 message
  – Permanent Redirect - Redirects the request with a 301 message
Training Video Transcript
After cookie security, the WAF enforces the global access lists that are configured in the Global ACL sub-policy. These are strict control rules that filter the traffic for all services that share the same security policy. So here you can configure generic access lists for content that should not be accessed by users, for example. Or let's assume your web application is written in PHP, and you have PHP installed on the systems. Now, there is a PHP page that, if you open it, gives you lots of information about those systems. You might want to remove that page manually, of course. But then it might happen that when you update the PHP package, that PHP page is installed again. So it makes a lot of sense to create a rule that denies access to that page. Two options are offered: to block the request with a log entry, which is the recommended option, or to block the request without a log entry. In other cases, you might want to tell the WAF to allow a specific request to go directly to the backend servers.
Allowing a request this way disables all security checks, though. You can also redirect the request: if the request doesn't have specific requirements, you can send it somewhere else with a temporary or permanent redirect. The main difference between these two is the HTTP status code that accompanies them.

URL Protection
• Restricts the allowed methods in headers and content types
• Restricts the number of request parameters and their lengths
• Limits file uploads
• Detects and blocks specified attack types
• Prevents attacks embedded in URL requests or their parameters
– Normally executed with the permissions of the executing component

The next sub-policy is URL protection. With URL protection, you can restrict the allowed HTTP methods in a request, for example GET, PUT, DELETE and so on. You can specify the allowed content types. You can also restrict the number of request parameters, or limit the number of file uploads, and so on. URL protection also allows you to detect and block specific attack types, and it prevents attacks embedded within URL requests and their parameters.

Parameter Protection
• Specifies denied metacharacters
• Maximum parameter value length and instances
• Regulates file uploads
– Allowed extensions/MIME types
– File size (max 25 MB if AV is enabled)
• Protects a service from attacks that employ:
– Malicious parameters of a URL query string
– Malicious parameters of the form POST

Our next sub-policy is called parameter protection. With parameter protection, you can specify strict limits for the properties of your parameters. For example, you can specify the maximum value length of a parameter, or how many times a parameter may appear in an HTTP request. You can also specify denied metacharacters.
You can allow specific file types or MIME types to be uploaded to your web application, and you can limit the file size of uploads. Parameter protection lets you protect your web applications against malicious parameters in query strings or in the parameters of an HTTP POST request.

Action Policy
• Action taken when a policy is violated
• Configurable actions:
– Protect and Log - Blocks the request with the specified violation and logs the event
– Protect and no Log - Like Protect and Log, but the event is not logged
– Allow and Log - Allows the request and logs the violation
– None - Allows the request by ignoring the violation
• A follow-up action can be configured

The last sub-policy we discuss before covering the two sub-policies that apply only to HTTP responses is called action policy. With an action policy, you define the action to be taken when a policy is violated. When the WAF processes an HTTP request and the request generates a violation, the request will most likely be blocked. You can change this behavior and configure several actions depending on your needs. For example, instead of blocking the request you could forward it to a preset default page; you can block the request and then send a TCP reset; you can redirect the request somewhere else; or you can block the request and then block the IP address for half an hour. Another option is to challenge the user with a CAPTCHA that must be solved in order to continue to your web application. You can also configure follow-up actions. These are actions performed after the action policy has been executed.
So, let's say you have blocked a request, but due to the nature of the violation you expect the attacker to be a bot; in addition to blocking the request, you can challenge the client with a CAPTCHA on its next request.

Cloaking
• Prevents hackers from obtaining information that could be used to launch a successful subsequent attack
• HTTP headers and return codes are replaced before sending a response
(Diagram: the attacker sends GET page4.html; the application server answers 404 – page4.html not found; the WAF returns 200 – default.html instead)

The first sub-policy used to filter HTTP responses is called cloaking. This sub-policy suppresses any HTTP headers or return codes that attackers could use to launch a successful subsequent attack. For example, an attacker tries to force-browse your web application, a procedure common during reconnaissance to gather information about the application. In our case, he tries to reach page4.html. This is a legitimate request without any security violation, so it passes the WAF and is processed by the application server. Since this page does not exist, the server returns a 404 code including an error message. If the web app is not set up properly, this error code might give the attacker critical information, so it should be suppressed. The WAF takes that response and rewrites it to something that does not contain critical information. In this particular case, it changes the Page Not Found message to a 200 OK and even redirects from page4.html to the default page of the web application.
Data Theft Protection
• Intercepts the response from the server and compares it with:
– Internal patterns
– Libraries
(Diagram: the application server's response contains 6011 0000 0000 0004; the WAF either blocks the response or cloaks the number as XXXX XXXX XXXX 0004 before it reaches the attacker)

The last sub-policy is called data theft protection. It filters the data in the response. When the web server generates a response and sends it to the client, the WAF intercepts the response and compares the data in it with internal patterns and libraries. These patterns include, for example, credit card details or US social security numbers. However, you can also create your own custom patterns. The response can either be blocked or cloaked. If you choose cloaking, the WAF finds the specific data in the response and overwrites parts of it. For a credit card number, for example, you can tell the WAF to mask the first 12 digits and show only the last four digits in clear text.

WAF01016 - Bot Mitigation Policies
WAF01017 – Bot Mitigation: Introducing Advanced Bot Protection

Welcome, my name is Christoph, and I'm a technical trainer at Barracuda Campus. Bots are becoming more and more of a problem for web applications and websites, which makes it all the more important that you protect yourself against them. The Barracuda Web Application Firewall offers many tools that let you protect a web application against different types of bot-based attacks.

Agenda
• Bot Mitigation Policies
• Virus Protection
• Account Takeover Protection
• Bot Protection
• Bot Spam Protection

In this course, I'll introduce you to all the features that help you protect your web applications against bots.
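Before moving on to bot mitigation, here is an added example (not Barracuda code) of the data theft protection cloaking described above: credit card numbers in a response body are detected, confirmed with the Luhn check, and then either blocked or masked down to the last four digits. The regular expression, the Luhn filter and the mask format are assumptions; the response body is constructed and the card number is a test number.

```python
"""Data theft protection for credit card numbers, as the transcript
describes it: scan the response body, confirm each candidate number with
the Luhn check, then either block the response or cloak the number by
masking the first 12 digits and leaving the last four in clear text.

Added example, not Barracuda code. The regular expression, the Luhn
filter and the mask format are assumptions; the sample response body is
constructed and 6011 0000 0000 0004 is a test card number."""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally grouped with spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; cuts down false positives on order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _is_card(text: str) -> bool:
    digits = re.sub(r"[ -]", "", text)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_card_numbers(body: str) -> List[str]:
    """Luhn-valid card numbers found in the body, as they appear."""
    return [m.group(0) for m in CARD_RE.finditer(body) if _is_card(m.group(0))]


def cloak_number(text: str, keep_last: int = 4) -> str:
    """Mask every digit except the last keep_last, preserving the
    separators so the page layout does not change."""
    total = sum(ch.isdigit() for ch in text)
    seen, out = 0, []
    for ch in text:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - keep_last else "X")
        else:
            out.append(ch)
    return "".join(out)


def filter_response(body: str, action: str = "cloak") -> Tuple[str, str]:
    """Return (verdict, body): 'pass' with the body untouched, 'blocked'
    with an empty body, or 'cloaked' with the numbers masked."""
    if not find_card_numbers(body):
        return "pass", body
    if action == "block":
        return "blocked", ""
    masked = CARD_RE.sub(
        lambda m: cloak_number(m.group(0)) if _is_card(m.group(0)) else m.group(0),
        body,
    )
    return "cloaked", masked


if __name__ == "__main__":
    sample = "<p>Card on file: 6011 0000 0000 0004 (exp 12/25)</p>"  # constructed
    print(filter_response(sample))           # ('cloaked', '...XXXX XXXX XXXX 0004...')
    print(filter_response(sample, "block"))  # ('blocked', '')
```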
I'll start with Bot Mitigation policies, where you can enable features like credential stuffing protection and brute force protection. Virus protection can also be enabled in the Bot Mitigation Policy. Under Bot Protection we will also talk about web scraping policies and tarpits. And under Spam Protection you will learn how to protect your application against spamming bots.

Bot Mitigation Feature | ABP License Required
Google reCAPTCHA | No
Bot Widget and Reporting | No
Bot Block List and IP Reputation | No
Bot Spam Mitigation | No
Barracuda Active Threat Intelligence | Yes
Account Takeover | Yes
Barracuda ABP Cloud Integration | Yes
Client Profile | Yes
Advanced Web Scraping Categories | Yes

Some of the bot mitigation features require an extra Advanced Bot Protection (ABP) license. However, most of these features are available with a standard WAF license, such as Google reCAPTCHA, for example. The same goes for the Bot Widget and reporting, for the bot block list and IP reputation, and also for bot spam mitigation. Other features require the additional Advanced Bot Protection license. Barracuda Active Threat Intelligence is only available with the ABP license. If you want to protect your web application against credential stuffing or spraying, or if you want to take advantage of the Barracuda ABP Cloud, which greatly increases the WAF's resiliency against bots by using artificial intelligence and machine learning, you require the additional Advanced Bot Protection license. Client profiles and the Advanced Analytics Dashboard also require the ABP license. Without the license you will only be able to use the basic web scraping categories; if you want to use the very granular web scraping categories to protect your application from specific scrapers, you need the ABP license.
ABP Cloud Integration
(Diagram: the ABP Cloud Service, with machine learning, customer account analysis engine, lookup databases and ingestion engine, feeds augmented request analysis for the WAF's inbound and outbound inspection)

When you purchase the additional ABP license, you can make use of the ABP Cloud. It enables augmented request analysis. Integrated with the Barracuda Cloud, it uses machine learning to distinguish regular requests from bot requests. The results are pushed into a database that every WAF with the ABP license has access to. The WAF can then easily find bot requests and handle them accordingly. Barracuda uses a multi-layered approach to protect your web application with its Advanced Bot Protection Cloud. As we heard for the previous features, it uses lookup databases that are distributed via the Advanced Bot Protection Cloud to your WAFs, where URLs or IP addresses, for example, are checked. It also uses machine learning to identify clients. The ABP Cloud uses this combination of lookup databases and machine learning to identify bots and then creates fingerprints of them that can be distributed to WAFs to block these bots. This greatly increases your protection against bot-based attacks.
WAF01017 – Bot Mitigation: Bot Mitigation Policies

Bot Mitigation Policy
• Automatically created for each service
• Created for specific parts of a web app
• Modules that can be activated:
– Data Theft Protection
– Antivirus / Barracuda Advanced Threat Protection
– Brute Force Prevention
– Credential Stuffing / Spraying
– Web Scraping Policies
– Rate Control (also available at service level)

A default bot mitigation policy is automatically created for each service you create. Additionally, you can create your own bot mitigation policies for specific parts of your web application. This makes a lot of sense for features like antivirus or brute force prevention, because you don't want to apply these features to your whole web application, but only to the parts where they are really needed. There are different modules you can activate in the bot mitigation policy: data theft protection, antivirus and Advanced Threat Protection, brute force prevention, credential stuffing and spraying protection, as well as web scraping policies and rate control.

(Diagram: Bot Mitigation Policy; request from Tommy, response from the application server)

If you take a look at the protection workflow of the Barracuda WAF, you will see that bot mitigation policies are enforced in addition to the nine sub-policies. This means that the nine sub-policies are still enforced, but bot mitigation is enforced at different stages of the workflow between the sub-policies, depending on the feature.
Bot Mitigation Feature Overview
(Diagram: Advanced Bot Protection comprises Bot Mitigation, Client Fingerprint and Credential Lookup)

Bot mitigation policies are part of a larger feature bundle called Advanced Bot Protection. In this bundle you will find different bot mitigation tools that prevent your web application from being scraped, for example, or keep bots from using referrer spamming on your web application. Another new feature in this bundle is client fingerprinting. Fingerprints are automatically created for each client that accesses your web application through the WAF. If a client is identified as a bot, its fingerprint can be uploaded to the Barracuda Advanced Bot Protection Cloud and distributed to other Barracuda Web Application Firewalls. You can now also integrate Google reCAPTCHA with the Barracuda Web Application Firewall instead of using the Barracuda CAPTCHA. The feature designed to keep bots from using stolen credentials to gain access to your web application is called credential lookup.

Client Fingerprint & Risk Evaluation
(Diagram: on Tommy's first HTTP request, the WAF's bot mitigation service inserts JavaScript; the resulting fingerprint is evaluated by the ABP Cloud before requests reach the web application)

Let's have a look at our first feature to protect against bots, which is client evaluation. Remember, this is one of the features that requires the ABP license. If this feature is enabled at service level, the WAF inserts a JavaScript into the first response it sends to a client. This JavaScript calculates a unique fingerprint, and the client has to include this fingerprint as part of a token value in every subsequent request.
Once the WAF receives the cookie from the client, this information is uploaded to the Barracuda Advanced Bot Protection Cloud, where the risk is evaluated and analyzed. But what does the WAF check in order to evaluate the risk of a client?

Client Fingerprint & Risk Score
(Diagram: request analysis, client system, client fingerprint (JavaScript) and SSL fingerprint combine into a risk score, here 20)

Well, it checks the client system, meaning the operating system the client uses. It also looks at the requests: for example, how fast the requests have been sent, how long it takes to get a response, and what the response looks like. In addition, the SSL fingerprint is analyzed. And finally, the JavaScript I mentioned earlier is analyzed as well.

WAF01017 – Bot Mitigation: Virus Protection

Antivirus
• Virus scanning enabled on a per-URL basis
• ClamAV
• Barracuda creates the AV signatures pushed through Energize Updates
(Diagram: an attacker's upload is blocked by the WAF, which receives its signatures through Energize Updates (EU), before it reaches the web server)

Now let's get back to our bot mitigation policies. One feature that can and should be enabled in every part of a web application where files can be uploaded is antivirus. Antivirus can be enabled on a per-URL basis, which means you should only enable it for the URLs that actually allow file uploads. The antivirus engine used by the Barracuda WAF is ClamAV. However, Barracuda creates its own antivirus signatures and pushes them through Energize Updates. The antivirus engine scans the uploaded file and blocks it if malicious content is found.
Advanced Threat Protection
(Diagram: a 6 MB application/PDF file upload passes through the service and a URL policy with BATP enabled; the file is either forwarded to the web servers or blocked, with entries in the system and WAF logs that the admin reviews; a BATP license is required)

A feature that is particularly strong against zero-day threats and new or modified viruses is Barracuda Advanced Threat Protection. Just as with antivirus, this feature should be pinpointed only to the parts of a web application where it is possible to upload a file. When enabled, the file passes through the service and is checked. Once it hits the policy that includes Barracuda Advanced Threat Protection, a fingerprint is created. That fingerprint of the file is first compared against known fingerprints in our database. If we find the same fingerprint, we can immediately block or process the upload, depending on whether the fingerprint is associated with a malicious file. However, if it is a new, unknown file, the WAF uploads the file to the Barracuda Advanced Threat Protection Cloud, where it is checked. If the check is positive for any viruses or threats, we block that file upload. If we don't find any threats, the file is forwarded to your web application. Remember, if you want to use Barracuda Advanced Threat Protection, you require an extra license. If a file has been uploaded to the Barracuda Cloud, a log entry can be found in the system logs; if a file is blocked, you find that in the web firewall logs.
WAF01016 Advanced Bot Protection: Account Takeover Protection

Credential Stuffing / Spraying
• Authentication methods:
– HTML form
– HTTP basic authentication
– JSON / AJAX request
(Diagram: an attacker submits email and password to /cgi-bin/reg.cgi; the WAF blocks the attack before it reaches the application server)

An attack with the aim of breaking into accounts is called credential stuffing. In this case, the attacker uses a list or database of stolen credentials. These usually include email addresses and passwords, and have been retrieved by social engineering or purchased from the dark web. Some of them might even have been leaked from other web applications. The bottom line is that the attacker takes that list of usernames and passwords and stuffs these credentials into the login fields of your web application until one of them finally matches. The attacker then has access to that user's account on your web application. Since in most cases the attacker uses a database of stolen credentials, we take advantage of exactly that and have created our own database of stolen or leaked username and password combinations. So if credential stuffing protection is enabled, we check for combinations of stolen emails and passwords. But you don't need to worry that we transmit email addresses and passwords of your users to our cloud to compare them with our database. What we do is create a hash of the combination of password and email or username, and only a part of that hash is sent to our database for comparison. So even if somebody manages to capture that hash, he won't be able to recover the username or email address and password combination.
However, if we do find that hash in our database of stolen credentials, we can block the credential stuffing attack. Protection against credential spraying works in a similar fashion, except that in this case we are not just looking at the combination of email and password, but much more at each of them individually. So if the attacker uses stolen passwords to force his way into the web application, the WAF will know. You can also choose the authentication method the application uses: HTML form, HTTP basic authentication or JSON / AJAX requests.

Privileged Account Protection
• Client Profiling enabled
• Send notification
– Email
– Slack
– Webhook
(Diagram: Tommy's request passes the WAF to the application server; when the risk score is exceeded, the WAF consults the ATO Cloud and raises an alert)

With credential stuffing or spraying, the damage has already been done, meaning the passwords have already leaked. Privileged Account Protection, on the other hand, aims to prevent accounts from being hacked. It leverages the risk score of client profiling, so client profiling needs to be enabled. If the risk score is below the configured threshold, the request is allowed. However, if the risk score exceeds the threshold, an alert is triggered. With that alert, an action can be performed: blocking the request or any other action configurable within the WAF. Additionally, a notification is sent via email, Slack or a webhook. This notification can include, if enabled, the passphrase used. Admins can then take action to protect the account under attack.
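The credential lookup described above, as an added example (not Barracuda code): the submitted email and password are hashed on the WAF and only a prefix of the hash is sent to the database, which answers with candidate suffixes so the comparison happens locally. The exact scheme (SHA-256 over "email:password", a 5-character prefix, suffix responses) is an assumption modelled on range queries, and the leaked pairs are constructed.

```python
"""Credential lookup as sketched in the transcript: the WAF hashes the
submitted email/password pair and sends only part of that hash to the
cloud database, so the pair itself never leaves the WAF and a captured
partial hash cannot be turned back into the credentials.

Added example, not Barracuda code. The exact scheme is an assumption:
SHA-256 over "email:password", a 5-hex-character prefix sent to the
service, and the service answering with the suffixes of every stored
hash that shares the prefix. The leaked pairs are constructed."""
import hashlib
from typing import Iterable, List, Tuple

PREFIX_LEN = 5   # assumed; a longer prefix returns fewer candidates but reveals more


def pair_hash(email: str, password: str) -> str:
    """Hash of the normalised email and the password, as one string."""
    return hashlib.sha256(f"{email.strip().lower()}:{password}".encode()).hexdigest()


class LeakedCredentialService:
    """Stand-in for the cloud database: stores hashes of leaked pairs only."""

    def __init__(self, leaked_pairs: Iterable[Tuple[str, str]]):
        self._hashes = {pair_hash(e, p) for e, p in leaked_pairs}

    def suffixes_for(self, prefix: str) -> List[str]:
        """Range query: every stored hash starting with prefix, minus the
        prefix. The service learns the prefix, never the full hash."""
        return sorted(h[len(prefix):] for h in self._hashes if h.startswith(prefix))


def is_leaked_pair(email: str, password: str, svc: LeakedCredentialService) -> bool:
    full = pair_hash(email, password)
    prefix, suffix = full[:PREFIX_LEN], full[PREFIX_LEN:]
    return suffix in svc.suffixes_for(prefix)   # comparison happens on the WAF side


def login_verdict(email: str, password: str, svc: LeakedCredentialService,
                  enforce: bool = True) -> str:
    """'block' (or 'log' when not enforcing) for a known leaked pair, else 'allow'."""
    if is_leaked_pair(email, password, svc):
        return "block" if enforce else "log"
    return "allow"


if __name__ == "__main__":
    # Constructed leaked pairs
    svc = LeakedCredentialService([("tommy@example.com", "123456")])
    print(login_verdict("tommy@example.com", "123456", svc))     # block
    print(login_verdict("tommy@example.com", "unrelated", svc))  # allow
```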
Bruteforce Prevention
• Maximum number of requests to a URL within a configured interval
– All requests or only invalid requests
– From a single client or from all sources
(Diagram: an attacker at 1.1.1.1 tries tommy/123456, tommy/password and tommy/abc123 within 60s; the fourth attempt, tommy/qwerty, is blocked by the WAF before it reaches the web server)

Very often, attackers try to force their way into user accounts. In these cases, they usually have acquired a username or login and then run a dictionary of stolen or well-known passwords against that login. With the Brute Force Prevention feature, you can specify a maximum number of requests to your service within a configured interval. This either counts all requests or only invalid requests, from a single client or single fingerprint or from all sources. Now let's say you have Brute Force Prevention enabled, you set the maximum number of requests within a specified time frame to 3, and you want to count the invalid requests. Also, the IP address is used as the criterion to identify the client. The attacker tries the username Tommy, and the first password is wrong. The WAF remembers the IP and starts the counter. He tries again; the password is wrong again. After three attempts, the WAF blocks any subsequent requests from that IP. This is just one example; it doesn't necessarily have to be launched against a login page.
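The walkthrough above, as an added example (not Barracuda code): a sliding-window counter of invalid requests per client IP that blocks the fourth attempt within 60 seconds, replayed over constructed log lines. The log format, the use of HTTP 401 as "invalid request" and keying on the source IP are assumptions.

```python
"""Brute force prevention as in the slide: at most 3 invalid requests to
the login URL from one client IP within 60 seconds; once the counter is
full, further requests from that IP are blocked until the window moves on.

Added example, not Barracuda code. The log line format, treating HTTP 401
as an "invalid request" and keying on the source IP are assumptions; the
log lines are constructed."""
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List


class BruteForcePrevention:
    def __init__(self, url: str = "/login", max_requests: int = 3,
                 interval_s: int = 60, invalid_only: bool = True):
        self.url = url
        self.max_requests = max_requests
        self.interval_s = interval_s
        self.invalid_only = invalid_only
        self._window: Dict[str, Deque[float]] = defaultdict(deque)

    def process(self, ts: float, ip: str, url: str, status: int) -> str:
        """Decision for one request. 'blocked' means it never reaches the
        server, so it does not add to the counter. When replaying a log,
        status is the outcome the server gave the request."""
        if url != self.url:
            return "pass"
        q = self._window[ip]
        while q and ts - q[0] > self.interval_s:
            q.popleft()                       # expire counts outside the interval
        if len(q) >= self.max_requests:
            return "blocked"
        if status == 401 or not self.invalid_only:
            q.append(ts)
        return "allowed"


def replay_log(lines: List[str], bfp: BruteForcePrevention) -> List[str]:
    """Feed 'timestamp ip method url status' lines through the policy."""
    verdicts = []
    for line in lines:
        ts_str, ip, _method, url, status = line.split()
        ts = datetime.fromisoformat(ts_str).timestamp()
        verdicts.append(bfp.process(ts, ip, url, int(status)))
    return verdicts


SAMPLE_LOG = [  # constructed; the passwords from the slide are noted as comments
    "2022-07-25T10:00:00 1.1.1.1 POST /login 401",      # tommy/123456
    "2022-07-25T10:00:05 1.1.1.1 POST /login 401",      # tommy/password
    "2022-07-25T10:00:10 1.1.1.1 POST /login 401",      # tommy/abc123
    "2022-07-25T10:00:12 1.1.1.1 POST /login 401",      # tommy/qwerty -> blocked
    "2022-07-25T10:00:13 2.2.2.2 POST /login 200",      # other client, unaffected
    "2022-07-25T10:00:14 1.1.1.1 GET /index.html 200",  # URL not protected
    "2022-07-25T10:01:05 1.1.1.1 POST /login 401",      # first count expired -> allowed
]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, replay_log(SAMPLE_LOG, BruteForcePrevention())):
        print(f"{verdict:8} {line}")
```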
WAF01017 – Bot Mitigation: Bot Protection

Web Scraping Policies
• Prevents a web application from being scraped
• Detects bots and discriminates misbehaving bots
• Bots can be trapped using honey traps
(Diagram: Bot, WAF, Application Server)

If you operate a web application, you also want to keep it from being scraped. That simply means bots going through your web application and mining data. This data can then be used to replicate your application and use that fake site to make users log in, in order to steal their credentials. Or it might simply be used for mining financial data from your web application. These are just two examples of web scraping; the consequences can be devastating, which makes it all the more important to protect your web application against it with the Barracuda Web Application Firewall. You can do that with web scraping policies. A web scraping policy prevents your web application from being scraped. It can detect all kinds of bots, recognize good bots such as search engines, and discriminate misbehaving bots, which are usually part of an attack. This can be done by trapping bots with honey traps, for example. You can also decide which bots should be allowed to scrape your web application; other bots can be blocklisted so they can't get access to it. You can also make bots pause when they go through the links in the robots.txt file. A well-behaving bot will respect that pause before it follows the next link. A bad bot, on the other hand, will go after every link and every piece of information it can find. This helps us distinguish good bots from bad bots and take action against the bad ones.
Client Tarpit
• Configurable as a follow-up action
• Delays request handling
(Diagram: a violation or a suspicious client triggers the client tarpit, and the attacker's requests are delayed by 10s before reaching the application server)

Another way to discriminate misbehaving bots is the client tarpit. It is configurable as a follow-up action for violations or for suspicious clients. When triggered, it delays the handling of the client's requests by the specified interval.

WAF01017 – Bot Mitigation: Spam Protection

WAF02032 - Bot Spam Mitigation

Referrer Spam
• Targets access logs of site
– Will link back to spammer
• Uses block list to filter "SPAM Referrer"
(Diagram: an attacker's request with referrer URL https://badurl.org is blocked by the WAF before it reaches the application server)

Referrer spam is an attack also known as log spam or referral bombing. Attackers make repeated requests to a website using fake referrer URLs pointing to the site the spammer wishes to advertise. Sites that publish logs, including referral statistics, will then link back to the spam site. This means the links are indexed by search engines as they crawl the access logs of the web application, which improves the spammer's search engine ranking. The Barracuda Web Application Firewall helps you protect your web application against referrer spam. The WAF checks the referrer URL against a list of known spam URLs and, if necessary, blocks the requests so they are not recorded as referrals on your web application.
Comment Spam
• Uses database of known SPAM URLs
• Blocks requests so comments do not get posted
(Diagram: an attacker submits the comment "This Page will help you" into a comment field; the WAF blocks the attack before it reaches the application server)

Comment spam, on the other hand, is an attack where attackers leave comments with links to malicious websites in your guest books, forums, and so on. If you have a lot of such comment spam on your web application, it could damage your reputation, so this is also something you want to avoid, along with the potential risk to your customers. If an attacker or bot posts a comment on your page with a link to a malicious website, the Barracuda Web Application Firewall compares that link with its list of known spam URLs. This list is updated on a regular basis, so if there is a spam URL, it's very likely to be found in our list. If we do find it in our database, we block the request, so the comment won't even be posted on your web application.

WAF01010 - Introduction to Advanced Security Features
Advanced Security Features - Overview

Welcome, my name is Christoph, and I am a technical trainer at Barracuda Campus. The Barracuda Web Application Firewall has many other features that allow you to increase the security of your web applications. Some of these features are very straightforward to configure, whereas others require a deep understanding of how your web applications work and how they are written. This introduction is intended to give you a very high-level overview of these features. If you want to know more about the advanced security features of the WAF, please follow the Advanced Security Features track in the advanced track of these courses.
Allow/Deny Rules
(Diagram: a web application divided into Public, Private and Payments zones, each with its own access control)

Let's assume you have a web application like the Bad Store, which has a menu on the left side that lets you navigate to the different parts of the application. Some parts of the menu should only be accessible if the user has logged in. Sometimes programmers forget to create a check for such a scenario. Normally, you would have to rewrite the code to change the logic of the web application behind the scenes. With Allow and Deny rules, you can check whether the client is logged in or not, and if the client is not logged in, take an action. Allow and Deny rules let you create different zones for your web application. So you can be sure that if somebody is in the private part of your web application, he or she must be logged in. Or if the user is making a payment, that user must meet all the requirements you demand for accessing the payments page or the checkout page of your web application.

Website Profiles Overview
• Specific rules to fine-tune the security settings of a service
– URL profiles
– Parameter profiles
(Diagram: Tommy Reed submits First Name "Tommy" and Last Name "Reed" to /cgi-bin/reg.cgi; the WAF checks the request against the URL profile for /cgi-bin/reg.cgi and its parameter profiles before forwarding it to the application server)
Parameter profiles for /cgi-bin/reg.cgi:
– First Name: Input Field, Type Alpha, Max Char 16
– Last Name: Input Field, Type Alpha, Max Char 16

Another advanced feature of the Barracuda Web Application Firewall is called website profiles. With website profiles, you can tighten the relationship between the Barracuda WAF and your web applications.
In fact, you can tighten it to the point where the WAF knows every single URL and every single parameter of your web application. You can define what kind of traffic should be allowed for each parameter, its limits, and the type of traffic. Configuring the WAF with website profiles gives you settings specific to your web app. Security policies already give you a high level of security; if you want to be very granular with your security settings, you have to use website profiles. Also, if you want to use a positive or semi-positive security model, you have to use website profiles. Let's say you want to secure the login section of the web application with website profiles. You can specify exactly what kind of input you expect in the login fields and block everything that doesn't match your values. With the strict profile check, you can even switch between positive and negative security models. The website profile also has a learning mode in which it learns the structure of the web application and automatically creates URL and parameter profiles by analyzing requests and responses. Configuring profiles takes some time: the larger your web application, the more configuration you have to do in the WAF. Some Web Application Firewall models have a learning engine that lets the WAF learn how your web application works and creates these profiles for you.

Application DDoS Attack Protection
(Diagram: the WAF in front of the backend servers)

The last feature we cover in this brief overview is application Distributed Denial of Service attack protection. The WAF is able to understand who is generating the traffic for your web applications.
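Returning to the website profiles just described, and to the parameter protection and URL protection sub-policies from the security policies module, here is an added example (not Barracuda code) of a URL profile for /cgi-bin/reg.cgi with the two Alpha, max 16 character parameters from the slide, checked together with maximum instances, denied metacharacters, allowed methods and a strict (positive model) profile check. The profile data structure, the form field names first_name/last_name, the denied metacharacter set and the violation wording are assumptions; the requests are constructed.

```python
"""URL and parameter profiles for /cgi-bin/reg.cgi as shown on the slide
(First Name and Last Name, type Alpha, max 16 characters), combined with
the limits parameter protection enforces (maximum instances of a
parameter, denied metacharacters) and the allowed-methods restriction from
URL protection. With strict checking enabled, a parameter not in the
profile is itself a violation (positive security model).

Added example, not Barracuda code. The profile data structure, the field
names, the denied metacharacter set and the violation wording are
assumptions; the requests are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set
from urllib.parse import parse_qs

DENIED_METACHARS = set("<>\"'`;|&$")  # assumed default set


@dataclass
class ParamProfile:
    name: str
    value_type: str = "alpha"   # 'alpha', 'alphanumeric' or 'any'
    max_len: int = 16
    max_instances: int = 1


@dataclass
class UrlProfile:
    url: str
    allowed_methods: Set[str] = field(default_factory=lambda: {"GET", "POST"})
    params: Dict[str, ParamProfile] = field(default_factory=dict)
    strict: bool = True         # strict profile check: unknown parameters violate


def check_value(p: ParamProfile, value: str) -> List[str]:
    """Violations of one parameter value against its profile."""
    v = []
    if len(value) > p.max_len:
        v.append(f"{p.name}: length {len(value)} exceeds {p.max_len}")
    if p.value_type == "alpha" and not value.isalpha():
        v.append(f"{p.name}: not alphabetic")
    elif p.value_type == "alphanumeric" and not value.isalnum():
        v.append(f"{p.name}: not alphanumeric")
    bad = sorted(set(value) & DENIED_METACHARS)
    if bad:
        v.append(f"{p.name}: denied metacharacters {''.join(bad)}")
    return v


def check_request(profile: UrlProfile, method: str, query: str) -> List[str]:
    """Return the list of violations; an empty list means the request is
    forwarded to the application server."""
    violations = []
    if method not in profile.allowed_methods:
        violations.append(f"method {method} not allowed")
    for name, values in parse_qs(query, keep_blank_values=True).items():
        p = profile.params.get(name)
        if p is None:
            if profile.strict:
                violations.append(f"{name}: not in profile")
            continue
        if len(values) > p.max_instances:
            violations.append(f"{name}: {len(values)} instances, max {p.max_instances}")
        for value in values:
            violations.extend(check_value(p, value))
    return violations


# Profile for the registration form on the slide (field names assumed)
REG_PROFILE = UrlProfile(
    url="/cgi-bin/reg.cgi",
    params={
        "first_name": ParamProfile("first_name"),
        "last_name": ParamProfile("last_name"),
    },
)


if __name__ == "__main__":
    print(check_request(REG_PROFILE, "POST", "first_name=Tommy&last_name=Reed"))     # []
    print(check_request(REG_PROFILE, "POST", "first_name=Tommy&last_name=Reed%3Cb%3E"))
```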
It is able to recognize if a browser or an automated system, a so-called bot, is sending the request and, if it is a bot, discriminate against it. The WAF can also see if there are any malicious requests in your traffic. It can see, for example, if somebody is tweaking the TCP window size while fetching content from your application. Moreover, you can configure filters in the WAF. The WAF is aware of the location of the origin of the request, so you can create GEO IP filters. You can block connections coming from anonymous proxies or Tor nodes. All these features are configured in the Websites section. There are several pages, like the IP Reputation page or the Distributed Denial of Service Prevention page, that will allow you to protect your web applications from these kinds of attacks.

WAF01010 - Introduction to Advanced Security Features: API Security on the Barracuda WAF
1. SSL/TLS Security
2. API Message Security
3. Protocol Security
4. Access Control
5. Cloaking
[Diagram: WAF as API proxy, with inbound inspection toward the API server and outbound inspection toward the client]

As the number of services on the internet grows, they're also becoming more and more targeted by attackers. Most of these services use an API to communicate with each other. However, these APIs can be the attack vector for hackers, which makes it very important to protect them with the Barracuda Web Application Firewall. Some of the things being checked for inbound traffic: As for every other request, the Barracuda WAF performs SSL/TLS security checks. But it can also perform security checks on the API message, for example, by checking for specific attack patterns or by enforcing limits on the content. It also checks the integrity of the protocol being used. And by using JWT, we can perform access control on the APIs. For outbound traffic, the WAF performs cloaking, so no information that might be used in an attack is delivered to clients.
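To make the inbound API checks above concrete, here is an added example (written for this page, not Barracuda code) of what an API proxy does before forwarding a request: it validates the JWT bearer token (signature pinned to HS256 and expiry), then enforces limits on the JSON message. The shared key, the size/depth/key-count limits and the sample requests are assumptions made up for the demonstration; a real deployment would take them from the issuer and the service configuration.

```python
"""Inbound API inspection: JWT access control followed by message limits.
Added example for this page, not Barracuda code. The shared HS256 key, the
limits and the sample requests are constructed assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

SHARED_SECRET = b"demo-secret-not-for-production"   # assumption: key shared with the token issuer
MAX_BODY_BYTES = 2048                                # assumption: API message size limit
MAX_JSON_DEPTH = 4                                   # assumption: nesting depth limit
MAX_JSON_KEYS = 32                                   # assumption: total object keys limit


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(claims: dict, key: bytes = SHARED_SECRET) -> str:
    """Issue an HS256 JWT; only here so the example can build its own input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes = SHARED_SECRET,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None.
    The algorithm is pinned to HS256, so a token claiming alg "none" is rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:          # covers malformed base64, bad JSON and bad UTF-8
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        return None
    return claims if claims["exp"] > now else None


def _depth_and_keys(node, depth: int = 1) -> Tuple[int, int]:
    """Walk a parsed JSON value and return (max nesting depth, total object keys)."""
    if isinstance(node, dict):
        children = [_depth_and_keys(v, depth + 1) for v in node.values()]
        return max([depth] + [d for d, _ in children]), len(node) + sum(k for _, k in children)
    if isinstance(node, list):
        children = [_depth_and_keys(v, depth + 1) for v in node]
        return max([depth] + [d for d, _ in children]), sum(k for _, k in children)
    return depth, 0


def check_message(body: bytes) -> Optional[str]:
    """Return the name of the limit a JSON body violates, or None if it is within limits."""
    if len(body) > MAX_BODY_BYTES:
        return "body_too_large"
    try:
        parsed = json.loads(body)
    except ValueError:
        return "malformed_json"
    depth, keys = _depth_and_keys(parsed)
    if depth > MAX_JSON_DEPTH:
        return "json_too_deep"
    if keys > MAX_JSON_KEYS:
        return "too_many_keys"
    return None


def inspect_api_request(headers: dict, body: bytes,
                        now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether an inbound API request may be forwarded: token first, then message."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing_bearer_token"
    if verify_token(auth[len("Bearer "):], now=now) is None:
        return False, "invalid_or_expired_token"
    violation = check_message(body)
    if violation is not None:
        return False, violation
    return True, "allowed"


if __name__ == "__main__":
    token = mint_token({"sub": "tommy", "exp": 2_000_000_000})      # constructed claims
    print(inspect_api_request({"Authorization": "Bearer " + token}, b'{"item": "book", "qty": 1}'))
    print(inspect_api_request({"Authorization": "Bearer " + token}, b'{"a":{"b":{"c":{"d":{"e":1}}}}}'))
```

The order matters: the token is checked before the body is parsed, so an unauthenticated client cannot make the proxy spend effort on a deliberately deep or large message, and the message limits are applied even to authenticated clients.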
WAF02040 - Client Side Protection: Client-Side Protection
[Diagram: browser loading resources through the Barracuda WAF from the web server and from a third-party open-source repository]

Client-side protection is very important, especially if your web application relies on external resources, since their security is out of your control. Imagine the third-party repository has a security breach, and attackers are now able to alter the resources on that repository. Until the owner of that repository discovers the hack, attackers can use the repository however they want to. They could, for example, inject a piece of code into the repository's resources that mines bitcoins for them. And since your web application is using these resources, that would mean that attackers would use your application to further spread the mining to your users' PCs. Or they could perform cross-site scripting attacks on your users and steal their data. The Barracuda WAF can mitigate these types of attacks by implementing two W3C standards to ensure the integrity of the third-party resources used. But you can do even more. With client-side profiles, you can tell the client's browser from which sources it is allowed to load the resources that are found in your application's code. This way you can ensure that no malicious scripts are being loaded from your website.

WAF01012 - Introduction to Security Tuning Tools: Security Tuning Tools - Overview

Welcome, my name is Christoph, and I'm a technical trainer at Barracuda Campus. The Barracuda Web Application Firewall has several tools that you can use to fine-tune its security rules. In this video, I will give you a quick overview of these tools.
WAF01012 - Introduction to Security Tuning Tools: Tuning Security Rules
[Diagram: Service, Exception Profiling, Web Firewall Logs, Fix Security Rules]

Once you have completed the configuration of the WAF, which is deployed in front of your web application, you might see that some requests are being blocked, even if they are legitimate requests. Analyzing the logs will reveal that these requests are being blocked because you specified an overly restrictive parameter in some of the security rules. In the Web Firewall Logs, there will be a suggestion on how to fix the problem, and you can tell the WAF to fix the problem automatically. There are other automated tools that will analyze the traffic, and they will also analyze the WAF configuration. If it turns out that there are too many discrepancies between what the traffic is requesting and what the configuration is actually enforcing, then the WAF can change its own configuration accordingly. Or it can give you some suggestions. If you want to know more about fine-tuning security rules, please follow the Tuning Security Rules track in the WAF advanced course.

WAF01012 - Introduction to Security Tuning Tools: Mitigating Website Vulnerabilities
[Diagram: Barracuda Vulnerability Manager, Barracuda Vulnerability Remediation Service and third-party vulnerability scanners scan the service through the Barracuda WAF; their reports feed the WAF's security rules]

Protecting your web application is not a one-time job. It is an ongoing process. You should always check the WAF configuration. You might be satisfied with its configuration, but that doesn't mean that it's the best configuration for your web application. The WAF can use some external tools that allow you to scan your web application through the WAF. These tools create reports from these scans. You can then upload the reports into the WAF.
It will then analyze the reports and give you some suggestions about the WAF's configuration based on the reports, for example, recommendations about what you can do to fix the security rules. These fixes can be applied automatically, or you can do the configuration manually. We have two products that will actually help you with this task. The first is the Barracuda Vulnerability Manager, which is essentially a vulnerability scanner provided by us. It is free to use. You just have to point it to your web application that is protected by a WAF, and then you will get a report. Then you can let the WAF digest the report and either configure itself or give you some suggestions. Or you can use the Barracuda Vulnerability Remediation Service, which will continuously scan your web apps through the WAF and automatically reconfigure the WAF whenever a vulnerability has been found. Of course, we also support third-party vulnerability scanners. They just have to be compatible with the format that we use when you upload the report into the WAF. If you want to know more about mitigating website vulnerabilities, please follow the WAF tuning advanced track.

WAF01013 - Tuning the WAF Configuration: Tuning the WAF Configuration

Welcome, my name is Christoph, and I am a technical trainer at Barracuda Campus. When you configure the WAF for the first time, or when there have been changes to your web application, there might be false positives, meaning the WAF blocks requests that are not security violations. In other cases, the demands of your web applications might have changed, so you need to adjust the WAF according to these demands. In this video, you'll be learning about the tools the Barracuda Web Application Firewall offers to fine-tune its configuration.
WAF01013 - Tuning the WAF Configuration: Web Firewall Logs
• Traffic violations are logged in the Web Firewall log
• Can be used to mitigate false positives
• Suggests the recommended "Fix"
• Accepting a recommendation could have the following impact:
  – Localized - Website profile modification (URL or parameter)
  – Global - Security policy modification

The first tool that we are going to look at is the Web Firewall Logs. The Web Firewall Logs contain all traffic violations that are logged. These logs are very important because they will help you understand what traffic is actually blocked by the WAF or what traffic was allowed but still generated a violation. These logs can also be used to mitigate false positives. This is when legitimate traffic gets blocked by the WAF, even though the traffic should have been allowed to your web application. Now, these logs have a very special functionality, which is called the "Fix" button. If you click on the "Fix" button, a pop-up window will appear, and it will clearly state why that specific traffic generated a violation. Following the explanation, you will also find a suggestion. The suggestion contains information on how you should change the WAF's configuration to allow that specific traffic. You can also accept the recommendation, in which case the WAF will change its configuration automatically. Now, the change to the configuration can have a local impact or a global impact. You will have a local impact whenever you change something that is service specific, for example, a website profile or a URL policy. You will have a global impact when you change something that is related to a security policy. Since security policies can be shared among multiple services, changing a security policy might affect different services, for example, multiple applications at the same time.
So fixing a false positive might loosen the security of another service. So before you apply the fix, you should always check if the effect is local or global.

WAF02029 - Advanced System Management: Auto-Configuration Engine
• WAF analyzes traffic patterns
  – Analyzing takes up to one week
• Creates recommendations
  – On global and service level
  – Apply or ignore
[Diagram: browser, WAF, web server]

If you own the ABP license, you can use the WAF's auto-configuration engine. But don't get the wrong idea! The WAF doesn't configure itself; it gives you recommendations on how to improve your configuration. To provide these recommendations, the WAF analyzes your traffic patterns. How long this process takes depends on several parameters, like the traffic load on your web application and its size. This process can take up to one week. When the WAF has finished analyzing, it presents the configuration recommendations to you. These changes can be on a global level or on a service level. The recommendations can then be applied with a single click, or ignored.
WAF02029 - Advanced System Management: ACE Recommendations
• Services
• Request Limits Tuning
• IP Reputation
• Cookie security settings
• Well-known ADR
• URL Protection tuning
• SSL errors

At the time of recording this video, the WAF gives recommendations on the following settings: Services, Request Limits Tuning, IP Reputation, Cookie Security Settings, Well-known ADR, URL Protection Tuning, and SSL Errors.

WAF01013 - Tuning the WAF Configuration: Trusted Hosts
• Hosts whose traffic is assumed to be safe
  – Defined by IP address / network
  – Configured in groups
• Use cases
  – Exempt specific traffic from security checks or authentication
  – Train the Adaptive Profiling engine
  – Train the Exception Profiling engine

Trusted hosts are entities within the WAF where you assume the traffic coming from them is safe. They are defined by an IP address and a network mask and can also be configured in groups. Usually, trusted hosts are used when you want to exempt specific traffic from the security checks the WAF performs. But they can also be used by other features of the WAF. You can use them to train the adaptive profiling engine and the exception profiling engine. Let's have a look at these features.

WAF01013 - Tuning the WAF Configuration: Exception Profiling
• Fine-tunes security policies associated with a service
• Uses a heuristics-based strategy to refine security settings in response to logged traffic
[Diagram: Tommy's 8 MB upload is blocked by a service whose Max File Size Upload is 5 MB; Exception Profiling at level LOW with trigger count 3 and new value +100% raises the limit from 5 MB to 10 MB]

Exception Profiling is designed to fine-tune security policies. It uses a heuristics-based strategy to refine your security settings.
In this diagram, we have a Barracuda Web Application Firewall that is configured with a maximum file size upload of five megabytes. This means that if a user wants to upload a file that is bigger than five megabytes, the request will be blocked by the WAF. Now, this WAF also uses exception profiling. In this case, exception profiling is configured with a low level, which specifies a count of three violations that will increase the allowed file size by 100%. On the other side, we have our user who is trying to upload a file that is bigger than five megabytes. Now, if more than one user tries to upload a file that is bigger than five megabytes, three users will actually be blocked, because the counter reaches three. Then the WAF will increase the maximum file size upload by 100%, which is 10 megabytes. This will help you to fix a false positive where your configuration was too restrictive.

WAF01013 - Tuning the WAF Configuration: Exception Profiling Heuristics
• Changes can be suggested or applied automatically
• Trusted traffic
  – Trusted (Hosts)
• Untrusted traffic
  – Low
  – Medium
  – High
• Untrusted traffic levels are shared among services

Exception Profiling can change the WAF configuration automatically after the count has been reached, or it can generate recommendations. Recommendations have to be reviewed by an administrator, and they have to be applied manually. Or, you can simply read the recommendation and then change the WAF configuration according to your own needs. When using Exception Profiling, you can choose between four different levels: Trusted, and three different levels for untrusted traffic: low, medium, and high. Each level has its own configuration settings. You can choose if the WAF should change the configuration automatically or generate recommendations. You can choose the trigger count for each setting and the new value.
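The heuristic described on the last two slides (a violation counter per level, a trigger count, a new value, and a choice between applying the change and only recommending it) can be modelled in a few lines. The following is an added simulation written for this page, not Barracuda's implementation: the level settings, the trusted-host set, the policy and the upload events are constructed to replay the 5 MB / three-violations / +100% scenario, and the mapping of untrusted clients to the "low" level is an assumption (the WAF's own classification of untrusted traffic into low, medium and high is not described here).

```python
"""Exception Profiling heuristic as an added, simplified simulation.
Added example for this page, not Barracuda code. Levels, trusted hosts,
the policy and the traffic events below are constructed assumptions."""
from dataclasses import dataclass, field

MB = 1024 * 1024


@dataclass
class ExceptionLevel:
    """Settings for one traffic level (trusted, low, medium, high)."""
    name: str
    trigger_count: int
    increase_pct: int       # the "new value", expressed as a percentage increase
    auto_apply: bool        # True: change the config; False: only record a recommendation


@dataclass
class SecurityPolicy:
    name: str
    max_upload_bytes: int
    recommendations: list = field(default_factory=list)
    counters: dict = field(default_factory=dict)   # (level, setting) -> violations seen


def classify_level(client_ip: str, trusted_hosts: set, levels: dict) -> ExceptionLevel:
    """Trusted hosts get the trusted level; everyone else is treated as 'low' here.
    Assumption: a real deployment assigns low/medium/high by its own criteria."""
    return levels["trusted"] if client_ip in trusted_hosts else levels["low"]


def handle_upload(policy: SecurityPolicy, client_ip: str, size: int,
                  trusted_hosts: set, levels: dict) -> str:
    """Process one upload; return 'allowed', 'blocked', 'blocked+applied' or 'blocked+recommended'."""
    if size <= policy.max_upload_bytes:
        return "allowed"
    # The request is blocked either way; the heuristic only decides what happens next.
    level = classify_level(client_ip, trusted_hosts, levels)
    key = (level.name, "max_upload_bytes")
    policy.counters[key] = policy.counters.get(key, 0) + 1
    if policy.counters[key] < level.trigger_count:
        return "blocked"
    policy.counters[key] = 0                      # trigger reached: reset the counter
    new_value = policy.max_upload_bytes * (100 + level.increase_pct) // 100
    if level.auto_apply:
        policy.max_upload_bytes = new_value
        return "blocked+applied"
    policy.recommendations.append(
        f"{policy.name}: raise max_upload_bytes to {new_value // MB} MB")
    return "blocked+recommended"


def run_scenario(auto_apply: bool = True):
    """Replay the slide: limit 5 MB, level LOW = trigger count 3, new value +100%."""
    levels = {
        "trusted": ExceptionLevel("trusted", trigger_count=1, increase_pct=100, auto_apply=True),
        "low": ExceptionLevel("low", trigger_count=3, increase_pct=100, auto_apply=auto_apply),
    }
    policy = SecurityPolicy("default-policy", max_upload_bytes=5 * MB)
    trusted = {"10.0.0.5"}                        # constructed trusted host
    # Constructed traffic: four untrusted users each try an 8 MB upload.
    events = [("198.51.100.1", 8 * MB), ("198.51.100.2", 8 * MB),
              ("198.51.100.3", 8 * MB), ("198.51.100.4", 8 * MB)]
    outcomes = [handle_upload(policy, ip, size, trusted, levels) for ip, size in events]
    return outcomes, policy


if __name__ == "__main__":
    outcomes, policy = run_scenario()
    print(outcomes, policy.max_upload_bytes // MB, "MB")
    outcomes, policy = run_scenario(auto_apply=False)
    print(outcomes, policy.recommendations)
```

With automatic changes enabled, the first three oversized uploads are blocked and the third one raises the limit to 10 MB, so the fourth user gets through; in recommendation mode all four are blocked and the administrator is left with one recommendation to review. Note that the counter belongs to the policy, not to a single client, which is exactly why a shared untrusted level can loosen a setting for every service that uses the policy.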
Untrusted traffic levels (low, medium and high) are shared among services. For example, if the low level on the WAF decides that, for a security policy, the maximum file upload size has to be increased by 100%, then both services sharing that policy would be affected.

WAF01014 - Application Delivery: Introducing Application Delivery

Welcome, my name is Christoph, and I am a technical trainer at Barracuda Campus. In addition to securing your web applications, the WAF offers a large feature set that will increase user experience by accelerating data retrieval from your web application while reducing load on the backend servers at the same time.

WAF01014 - Application Delivery: Load Balancing Scheduling Policies
• (Weighted) Round Robin
  – Distributes each new connection to the servers sequentially according to their configured weight
• Least Requests
  – Distributes more requests to Real Servers with fewer recent requests
[Diagram: three real servers, Round Robin vs. Least Requests]

The first application delivery feature in this module is the load balancing scheduling policies. As soon as you start adding more than one real server to your services, the WAF will automatically start to load balance the requests to the real servers. There are three scheduling policies available on the Barracuda Web Application Firewall: Round Robin, Weighted Round Robin, and Least Requests. When using round robin, the WAF will assign a sequence number to the real servers and start forwarding the requests in sequence. For example, the first request to the first server, the second request to the second server, the third request to the third server, the fourth request to the first server, and so on. Round robin is the default scheduling policy. If you want, you can change this scheduling policy by assigning weights to your real servers.
In this case, you must select the weighted round robin scheduling policy and then configure a weight for each real server. When adding a real server, the weight will always be one. By altering the weight of a server, you can change the ratio of how many requests a server should process compared to the other ones. The WAF will create a fraction of the weights assigned. So let's say our previous sequence numbers are now our weights. The first server has a weight of one, the second two, and the third three. This is a total of six. So the first server will receive 1/6 of the requests, the second 1/3, and the last one half of the requests. Now, when does it make sense to use weights on the servers? Well, if you have a server with less capacity and you add new servers that have more capacity, then you would want to send more requests to these new servers. The last scheduling policy is the least requests scheduling policy. The WAF will track how many active connections to the backend servers are open. So when a new request arrives, the WAF will forward it to the server that has the least amount of connections. Load balancing is a nice feature because it allows you to distribute load between multiple servers, and in case something happens to one of your servers, the other servers will take care of your traffic.

WAF01014 - Application Delivery: Persistence
• Load balancing module chooses the best suitable Real Server
• Populates the persistence table
  – Source information
  – Selected Real Server
[Diagram: Tommy's requests reach the WAF's service; the load balancing module picks WS1 and records "Tommy | WS1" in the persistence table, so later requests go to WS1 rather than WS2]

Sometimes load balancing can mess with your web applications. Now, remember that HTTP is a stateless protocol. So unless the web application has some kind of mechanism to track the state of your requests, when you start load balancing requests, you might have some weird behavior, like users that are logged out even if they just logged in.
Or if you have an e-commerce website, users add things to their shopping cart, and then all of a sudden the cart is empty. To avoid these problems, you can enable persistence. It allows you to track which backend servers requests are being forwarded to, and then forward all follow-up requests of a user to the same real server. In our case, we have a WAF that has a service with two real servers configured, WS1 and WS2. Now when Tommy makes the first request, it will be processed by the load balancing module, which will choose the best real server to process this request. The load balancing module will also populate a persistence table. One side of this table contains information about Tommy, and the other side contains information about the website. When the second request arrives at the WAF, the persistence module will look at the persistence table and then forward the request to the real server in the list. Now, for the servers, it's easy. The WAF adds the server's IP address to the table. But what about the user? What if his connection is NATed? In this case, his private IP won't be visible to the WAF. Well, then you use cookies. There are two different types of cookies that you can use. You can use cookies that are generated by your web application and tracked by the WAF; in this example, you would track your session cookies. Or, you can inject cookies as soon as there is a response from WS1. In that case, the WAF injects the cookie into the response, so Tommy's browser will then use the same cookie in the other requests. Of course, that cookie will be removed before forwarding the request to WS1.
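The two slides above, scheduling policies and persistence, describe one piece of logic from two angles, so here is a single added model that covers both: round robin, weighted round robin (the 1:2:3 split from the slide) and least requests, plus a persistence table keyed by a cookie the proxy injects into the first response and strips from every follow-up request before it reaches the real server. This is example code written for this page, not Barracuda's implementation; the server names, the cookie name `waf_persist`, the token format and the requests are constructed assumptions.

```python
"""Load balancing scheduling policies and cookie-based persistence, as an
added, simplified model. Added example for this page, not Barracuda code.
Server names, the cookie name, the token format and requests are constructed."""
import itertools
from dataclasses import dataclass

PERSIST_COOKIE = "waf_persist"   # assumption: name of the cookie the proxy injects


@dataclass
class RealServer:
    name: str
    weight: int = 1
    active: int = 0      # currently open connections, used by least requests


class Service:
    def __init__(self, servers, policy="round_robin"):
        self.servers = servers
        self.policy = policy
        self.persistence = {}          # cookie value -> real server name
        self._seq = itertools.cycle(servers)
        # Weighted round robin: each server appears 'weight' times in the cycle,
        # so weights 1:2:3 give 1/6, 1/3 and 1/2 of the requests.
        self._wseq = itertools.cycle([s for s in servers for _ in range(s.weight)])

    def schedule(self) -> RealServer:
        """Pick a real server according to the configured scheduling policy."""
        if self.policy == "round_robin":
            return next(self._seq)
        if self.policy == "weighted_round_robin":
            return next(self._wseq)
        if self.policy == "least_requests":
            return min(self.servers, key=lambda s: s.active)
        raise ValueError(f"unknown policy {self.policy}")

    def release(self, server_name: str) -> None:
        """Bookkeeping for least requests: a backend connection was closed."""
        next(s for s in self.servers if s.name == server_name).active -= 1

    def route(self, request: dict) -> tuple:
        """Honour the persistence cookie if present, otherwise load balance.
        Returns (server name, request as forwarded, Set-Cookie value or None)."""
        cookies = request.get("cookies", {})
        token = cookies.get(PERSIST_COOKIE)
        by_name = {s.name: s for s in self.servers}
        if token in self.persistence and self.persistence[token] in by_name:
            server = by_name[self.persistence[token]]
            set_cookie = None
        else:
            server = self.schedule()
            token = f"t{len(self.persistence) + 1}"        # constructed opaque value
            self.persistence[token] = server.name
            set_cookie = f"{PERSIST_COOKIE}={token}; HttpOnly; Secure"
        # The injected cookie is stripped so the backend never sees it.
        forwarded = dict(request, cookies={k: v for k, v in cookies.items()
                                           if k != PERSIST_COOKIE})
        server.active += 1
        return server.name, forwarded, set_cookie


def weighted_share(servers, rounds: int = 60) -> dict:
    """Count how many of 'rounds' requests each server receives under weighted round robin."""
    svc = Service(servers, "weighted_round_robin")
    counts = {s.name: 0 for s in servers}
    for _ in range(rounds):
        counts[svc.schedule().name] += 1
    return counts


def persistence_demo() -> tuple:
    """Tommy's first request is load balanced; the follow-up carrying the cookie sticks to WS1."""
    svc = Service([RealServer("WS1"), RealServer("WS2")], "round_robin")
    first, _, set_cookie = svc.route({"path": "/cart", "cookies": {"session": "abc"}})
    token = set_cookie.split(";")[0].split("=")[1]
    second, fwd, _ = svc.route({"path": "/checkout",
                                "cookies": {"session": "abc", PERSIST_COOKIE: token}})
    return first, second, fwd["cookies"]


if __name__ == "__main__":
    print(weighted_share([RealServer("A", 1), RealServer("B", 2), RealServer("C", 3)]))
    print(persistence_demo())
```

Without the cookie, the second request in `persistence_demo` would have gone to WS2 under round robin, which is the empty-cart symptom the slide describes. The `HttpOnly; Secure` attributes on the injected cookie are the practitioner's default: the value only needs to reach the proxy, never page scripts.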
WAF01014 - Application Delivery: Connection Pooling
• A set of open TCP connections used by requests
  – A new connection is created and added to the pool if all are in use
• Reduces the user's connection waiting time
• Reduces the load on the backend servers
[Diagram: Tommy, WAF with a connection pool, web server]

Application delivery features also allow you to accelerate how your applications are delivered to users and to reduce the load on the backend servers. One of these features is called connection pooling. Connection pooling is enabled by default. The WAF opens a pool of TCP connections to the backend servers. So when a request arrives at the WAF, the WAF doesn't have to open up a TCP connection to the servers because it is already there. So it doesn't have to do the TCP handshake with the backend server. The WAF just uses the existing connection. Now, from a user's point of view, there is a reduction in waiting time since the user doesn't have to wait for the connection to be established. Also, the load on the backend servers will be reduced because all the connections are already there. They are already in the transaction table, and they don't have to be opened or closed every time.

WAF01014 - Application Delivery: Caching
• Stores commonly used information in local memory (RAM)
  – Reduced latency when retrieving web content
  – An overall reduction in bandwidth and server load
• A content rule can be used
[Diagram: Tommy, WAF service with a content rule, web server]

To reduce latency for users, or to reduce bandwidth between the WAF and the server, caching can be enabled. This content will be stored in the WAF's RAM. 30% of the WAF's overall RAM is reserved for caching. You can also use content rules to point to the content of the web app you want to cache in the WAF. You should cache content that doesn't change too much, because otherwise the WAF would need to fetch that content from your backend servers.
WAF01014 - Application Delivery: Compression
• Compresses specific content types
  – Reduction in bandwidth utilization
  – Quicker object retrieval due to smaller size
• A content rule can be used
[Diagram: Tommy, WAF service with a content rule, web server]

Compression can be used to reduce bandwidth utilization over the Internet. Due to the smaller size of the objects, they can also be retrieved much more quickly. However, not all content is suited for compression. Use this feature mainly for text-based content. Other objects, like pictures or videos, benefit only a little from compression but put a high load on the WAF. As with caching, you can use content rules to point to the parts of the web app you want to compress.

WAF01014 - Application Delivery: Web Translations
• URL Translations
  – Modifies the prefix, domain, and response body of an internal URL to an externally viewable URL
• HTTP Request Rewrite
  – Can be used to relay the client IP address to the backend server
• HTTP Response Rewrite
• Response Body Rewrite
  – Searches and replaces any text string in the response body

Our last application delivery feature is called web translations. With web translations, you can modify any HTTP request or response before it is forwarded to the real server or to users. There are several things that you can configure for web translations. URL translations allow you to map an external domain to an internal domain. Then there are HTTP request rewrites, which rewrite parts of an HTTP request before it is forwarded to the backend servers. HTTP response rewrites rewrite the response before it is forwarded to the end users. And finally, response body rewrites search for a specific string inside the body of the response and replace the string.

WAF01015 - Access Control & Security: Introducing Access Control

Welcome, my name is Christoph, and I am a technical trainer at Barracuda Campus.
The Barracuda Web Application Firewall can be used to control access to specific parts of your web application. Different policies can be configured depending on the users or their groups. You can configure these policies with different authentication methods.

WAF01015 - Access Control: Content
• Access Control
• Web Token Validation

This video consists of two parts. The first part is access control, in which you will learn how to use authentication for users. The second part, Web Token Validation, is focused on controlling access via API.

WAF01015 - Access Control & Security: Access Control

WAF01015 - Access Control: Access Control Overview
• The WAF can authenticate users using external authentication services
  – Authentication can be implemented only for HTTP or HTTPS services
• A validated user has access depending on authorization privileges
[Diagram: Tommy submits username "tommy" and a password on login_page.html; the WAF checks authentication against the authentication server and authorization against the service's policy before the request reaches the web server]

To control access to your web application with the Barracuda WAF, you can use an internal user database or an external authentication server. You can have different authentication policies, depending on which part of the application is accessed. As for authorization, if a user has the authorization to access the web application, the connection will be established to the web application. Otherwise, the WAF will block access. In this diagram, we have Tommy who wants to access our web application. The access control module is enabled, so we have an authentication policy, which is connected to our service, and also an authorization policy. The log-in page that is presented to the user in this case is generated by the WAF itself.
So the WAF expects the user to enter a username and password. Once Tommy has entered his credentials, the WAF will check the credentials with, for example, an external authentication server. If the credentials match, the WAF will check the authorization policy. If the user is authorized, so if Tommy is authorized to access the web application, the request will be forwarded to the real servers.

WAF01015 - Access Control: Dual Authentication
• Authentication module supports dual authentication
  – LDAP (Primary)
  – RSA SecurID (Secondary)
  – RADIUS with OTP (Secondary)
[Diagram: Tommy authenticates to the WAF first against LDAP (primary), then against RSA / RADIUS (secondary)]

If you want to use dual authentication, then you must have a primary authentication server and a secondary authentication server. You can use, for example, an LDAP server as your primary authentication server and then RSA SecurID or RADIUS with a one-time password as your secondary authentication server. In this diagram, Tommy wants to access our web application. Tommy will have to provide some credentials, and the WAF will check his credentials against the authentication server. The WAF then requires an additional authentication method, for example, another password that is going to be checked against the RSA SecurID or RADIUS server.

WAF01015 - Access Control: Multi-Domain Authentication
• Allows the configuration of multiple domains for a service
• Login format: domain\username
  – Users without domain are authenticated against the default domain
• SLO supported for SAML
[Diagram: John logs in as jupiter\john and Tommy as pluto\tommy to the same service; the WAF authenticates each against the Jupiter or the Pluto domain]

The authentication module of the Barracuda Web Application Firewall supports authentication with multiple domains. This will allow you to configure multiple domains for a single service. In this example, we have two domains.
The Jupiter domain and the Pluto domain, and we have two users: John, who belongs to the Jupiter domain, and Tommy, who belongs to the Pluto domain. When they are logging into their web applications, they will have to specify their domain before the username, using a backslash to separate the domain and the username. You can define a default domain. The default domain will be used to authenticate users who did not specify a domain. For SAML, the Barracuda WAF supports Single Log Out, so when a user decides to log out, he will be logged out from all domains.

WAF01015 - Access Control: Thank You

Thanks for watching!