WAF01 Barracuda Web Application Firewall Foundation - Slide Deck

WAF01001 - Introducing the Barracuda WAF
Barracuda Web Application Firewall

Web Application Firewall Overview

Deployment Environments
(Diagram: Barracuda Web Application Firewall)
© Barracuda Networks Inc., Revision: 7/25/2022
Overview
• Data Theft Protection: credit card numbers, Social Security numbers, custom patterns
• Advanced Bot Protection: Google reCaptcha, blocklists, credential stuffing protection
• Proactive Defense: application cloaking, Geo-IP control
• Comprehensive Application Security: OWASP Top-10 attacks, application DDoS
• API Security: JSON / XML / GraphQL
(Diagram: Internet – Barracuda Web Application Firewall – Server)
Architecture
(Diagram: Clients – Barracuda Web Application Firewall – Web Servers. Barracuda Energize Updates deliver policy definitions, security updates and attack definitions. Processing stages shown: protocol termination and validation, encryption/decryption, data normalization, authentication and authorization, caching, compression, traffic inspection and security checks, cloaking, load balancing, data theft protection, logging and monitoring)
Barracuda WAF Additional Services
• Advanced Bot Protection
• Barracuda Advanced Threat Protection
• Barracuda WAF Control Center
• Barracuda Vulnerability Remediation Service
• Barracuda Active DDoS Prevention
• Barracuda Vulnerability Manager
WAF01002 - On-premise Deployment
Deployment Modes
7
Reverse Proxy Mode
• Requests and responses are terminated at the WAF
• Configure what should be allowed/inspected
(Diagram: Tommy – WAF – Backend Servers)
One-Arm Proxy Deployment
(Diagram: Internet – Firewall 192.168.0.1 – Switch – WAF (WAN/LAN) 192.168.0.11 with VIP1: 192.168.0.110, VIP2: 192.168.0.120, VIP3: 192.168.0.130; backend servers 192.168.0.12 and 192.168.0.13 on the same switch)
Two-Arm Proxy Deployment
(Diagram: Internet – Firewall 192.168.0.1 – Switch – WAF WAN side with VIP1: 192.168.0.110, VIP2: 192.168.0.120, VIP3: 192.168.0.130; LAN side 10.0.0.11 with backend servers 10.0.0.12 and 10.0.0.13)
Bridge-Path Mode
• Acts as a Layer 2 transparent bridge
– Inspects only the traffic configured for inspection
– All other traffic is bridged
– Only available for hardware models with bypass card
– Not available for VMs
(Diagram: Tommy – HTTP – WAF – HTTP – Backend Servers; other traffic passes through the bridge)
Bridge-Path Deployment
(Diagram: Internet – Firewall 192.168.0.1 – Switch – WAF (WAN/LAN) – Switch – backend servers 192.168.0.11, 192.168.0.12, 192.168.0.13 with VIP1: 192.168.0.11, VIP2: 192.168.0.12, VIP3: 192.168.0.13)
WAF01002 - On-premise Deployment
Sizing and Licensing
Hardware Sizing
(Chart of throughput vs. capacity for models 1060, 960, 860, 660, 460 and 360; labels: All features, Restricted features)
VX Sizing
(Chart of throughput vs. capacity for models V960, V860, V760, V660, V460 and V360; labels: All features, Restricted features)
Virtual Deployment
Requires a 64-bit-capable host
Image type – supported hypervisors:
• OVF: VMware ESX and ESXi (vSphere Hypervisor) versions 4+; Sun/Oracle VirtualBox and VirtualBox OSE version 3+
• VMX: VMware Server 2.x; VMware Workstation 6+, Player 3+, and Fusion 3+
• XVA: Citrix XenServer 5.5+
• VHD: Microsoft Hyper-V
• QCOW2: Kernel-based Virtual Machine (KVM, Nutanix)
Virtual & On-Prem Licensing
• Physical Appliances
– Automatic activation
– Can be manually triggered if it fails
• Virtual Machines
– Open the VM console
– Enter the license token
– Configure the default domain
– Can be re-provisioned
WAF01003 - Basic Configuration Tasks
Introducing Basic Configuration Tasks
Web Interface Access
Configured via:
• Web interface: http://[WAF_IP]:8000 or https://[WAF_IP]:8443
• REST API
Default credentials:
• Username: admin
• Password: <Serial number>
(Diagram: WAF reachable at 192.168.200.100 / 192.168.200.200)
Web Interface Access
(Screenshot: web interface layout – Sections, Pages (relative to the sections), Instant Search, Help, Sign Out)
WAF01004 - Logging, Monitoring, Reporting
Monitoring
Status Monitoring
• Attack statistics
• Performance statistics
• Subscription status
Dashboard and notification thresholds:
• Global thresholds
• Service thresholds
• Module events
SNMP:
• Version v2c/v3
• Auth/Enc (v3)
• Trap receivers
Notifications
• Sent automatically for system and security events
• Default thresholds set to 85% in a 5-min. time frame
• Set globally or per service
(Diagram: WAF sends email to the admin)
WAF01004 - Logging, Monitoring, Reporting
Logging
Logging
• System Logs
• Network Firewall Logs
• Audit Logs
• Access Logs
• Web Firewall Logs
Logging – Filters
• Search for specific log entries
• Save for later
• RegEx
• Export as CSV
Logging – Log Servers
All WAF logs can be sent to a maximum of 5 log servers
• Syslog (TCP, UDP or SSL; facility Local0..7): Barracuda Reporting Server, ArcSight, Splunk, Symantec SIM, …
• AMQP(S) broker: RabbitMQ, ActiveMQ, NSQ, …
• Microsoft Azure Event Hub / OMS
WAF01004 - Logging, Monitoring, Reporting
Reporting
28
Reports
• Based on all logged information
• Security Reports – attack prevention
• Audit Reports – server and login/logout activity
• Traffic Reports
• Configuration Summary Reports
• PCI Reports – compliance with PCI
• Delivery: FTP/S server, email
WAF01004 - Logging, Monitoring, Reporting
GDPR Compliance
GDPR Compliance
(Diagram: logs and reports encrypted with a passphrase)
WAF01005 - WAF Services
Introducing Services
32
Services Overview
Service (VIP:Port) must match the web application
(Diagram: End Users – HTTP – Service VIP:Port on the WAF – HTTP – Real Server)
Service Types
• Cleartext traffic: HTTP, FTP, Redirect, Custom
• Encrypted traffic: HTTPS, FTPS, Instant SSL, Custom SSL
SSL Services
(Diagram: Tommy – HTTPS – VIP on the WAF – HTTPS – Web Application; Gemalto SafeNet Luna HSM (optional) attached to the WAF)
Venafi Integration
• Automated certificate management via Venafi platform
– New certificates
– Manual renewal
– Auto-renewal
• Role-based access control
(Diagram: Venafi TTP – WAF; Tommy – HTTPS – VIP – HTTPS – Web Application)
Instant SSL
• Creates one redirect and one HTTPS service
– Connection to user will be HTTPS
– Connection to web application will be HTTP
(Diagram: Tommy's 1st HTTP request hits the HTTP redirect service on the VIP and is redirected to HTTPS; the WAF talks HTTP to the web application and applies a response rewrite)
Perfect Forward Secrecy (PFS)
(Diagram: John and Tommy connect over HTTPS to the WAF in Session1 and Session2; the WAF connects over HTTPS to the backend servers)
HTTP Strict Transport Security (HSTS)
(Diagram: Tommy's 1st HTTP request is redirected to HTTPS; the HTTPS response carries Strict-Transport-Security: max-age=36000; the WAF forwards to the web application)
WebSocket Security
• Upgraded to WebSocket after HTTP handshake
– Persisting connection using bidirectional messages
• WebSocket security policy
– Inspect headers only OR text payload
– JSON inspection requires JSON profile
(Diagram: Tommy – HTTP handshake, then WebSocket – Service (HTTP/S) on the WAF – Real Server)
Let's Encrypt Integration
• Easy generation of certificates for HTTP services
• Free signed certificates (90 days)
(Diagram: WAF creates and renews CA certificates over HTTP)
WAF01005 - WAF Services
Introducing Content Rules
Content Routing
Route traffic based on request content
(Diagram: John and Tommy – Service with Content Rule on the WAF – Web Server (Mobile Web App) or Web Server (Desktop Web App))
Extended Match Rules
Rules that pinpoint specific information
(Diagram: Tommy on Firefox 16 – WAF with URL Allow/Deny Rule "USER-Agent co Firefox/16" – 301 redirect to Update_your_browser.html instead of the Application Server)
Rule Evaluation Order
Evaluation order: 1. Host, 2. URL, 3. Extended Match (by sequence number)
Host                 URL                  Sequence num.   Extended Match
www.cudau.org        /cgi-bin/index.cgi   -               -
www.cudau.org        /payments/*          1               User-Agent co MSIE 6.0
www.cudau.org        /payments/*          2               User-Agent co Mobile
www.bigfishinc.org   /payments/*          -               -
www.cudau.org        /*                   -               -
www.bigfishinc.org   /*                   -               -
Rule Evaluation Order
Request: https://www.cudau.org/cgi-bin/index.cgi
(Same rule table as on the previous slide)
Rule Evaluation Order
Request: https://www.bigfishinc.org/index.php
(Same rule table as on the previous slide)
Rule Evaluation Order
Request: https://www.cudau.org/payments/pay.php (from an iPhone)
(Same rule table as on the previous slide)
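The evaluation order from these slides (Host, then the best URL match, then extended-match rules by sequence number) worked through in code for the three requests shown. This is an added example, not Barracuda code: the "co" operator is implemented as a plain substring test, URL specificity is taken as the length of the literal prefix, and falling back to the next less specific URL group when no extended rule matches is this example's assumption.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class ContentRule:
    host: str
    url: str                      # URL pattern, may end in a '*' wildcard
    seq: int = 0                  # sequence number of the extended match rule
    ext: Optional[str] = None     # extended match expression, e.g. "User-Agent co Mobile"
    label: str = ""               # name used here to identify the chosen rule


# The rule table from the "Rule Evaluation Order" slides
RULES: List[ContentRule] = [
    ContentRule("www.cudau.org", "/cgi-bin/index.cgi", label="cgi"),
    ContentRule("www.cudau.org", "/payments/*", 1, "User-Agent co MSIE 6.0", "pay-ie6"),
    ContentRule("www.cudau.org", "/payments/*", 2, "User-Agent co Mobile", "pay-mobile"),
    ContentRule("www.bigfishinc.org", "/payments/*", label="bigfish-pay"),
    ContentRule("www.cudau.org", "/*", label="cudau-default"),
    ContentRule("www.bigfishinc.org", "/*", label="bigfish-default"),
]


def extended_match(expr: str, headers: Dict[str, str]) -> bool:
    """Evaluate '<Header> co <text>', the 'contains' operator used on the slides."""
    header, op, needle = expr.split(" ", 2)
    if op != "co":
        raise ValueError(f"unsupported operator {op!r}")
    return needle in headers.get(header.lower(), "")


def url_specificity(pattern: str) -> int:
    """Longer literal prefix = more specific: '/payments/*' beats '/*' (assumption)."""
    return len(pattern.rstrip("*"))


def select_rule(url: str, headers: Dict[str, str],
                rules: List[ContentRule] = RULES) -> Optional[ContentRule]:
    parsed = urlparse(url)
    headers = {k.lower(): v for k, v in headers.items()}
    # 1. Host match
    by_host = [r for r in rules if r.host == parsed.hostname]
    # 2. URL match, most specific pattern first
    by_url = [r for r in by_host if fnmatchcase(parsed.path, r.url)]
    for spec in sorted({url_specificity(r.url) for r in by_url}, reverse=True):
        group = [r for r in by_url if url_specificity(r.url) == spec]
        # 3. Extended match in sequence-number order; a rule without an
        #    extended match always applies. If nothing in this URL group
        #    matches, fall back to the next less specific group (assumption).
        for rule in sorted(group, key=lambda r: r.seq):
            if rule.ext is None or extended_match(rule.ext, headers):
                return rule
    return None
```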
WAF01006 - Networking
Introducing Networking
49
Network Groups
• Three independent routing entities that contain:
– Routes
– Network ACLs
– NAT rules
– Virtual interfaces
– VLANs
(Diagram: Management network group – Management Path – Management Port; System and Vsites network groups – Data Path – WAN Port (End Users) and LAN Port (Backend Servers))
Vsites
• A Vsite encompasses one network group and its associated services
– Available only on model 660 or higher
• A service group is a container for the services
(Diagram: Vsite 1 … Vsite n, each with Service Group 1 … Service Group n containing Service 1, Service 2 … Service n, all over the Box IP Layer on WAN/LAN)
WAF01007 - High Availability
Introducing High Availability
52
Active-Active HA
• Different Vsites are active on different units
• Available only on models 660 or higher
• The unit from which the join cluster is initiated will have its configuration overwritten
• The Management Network Group configuration is not synced
(Diagram: two Barracuda WAF units, each active, with synced config)
Active-Active Setup
Active-Passive HA
• All Vsites are active on one unit
• The unit from which the join cluster is initiated will have its configuration overwritten
• The Management Network Group configuration is not synced
(Diagram: two Barracuda WAF units, one active and one passive, with synced config)
Active-Passive Setup
High Availability Requirements
• Same model / Same firmware
• A unique WAN, LAN IP address, and default host name
– WAN IP address used for joining the units in cluster and configuration sync
• Network connectivity over the WAN interface
• WAN interfaces on the same logical network
• Same time and time zone (prevents sync issues)
Cluster Failover
• Link down
– One of the monitored links is down
• Inability to serve traffic
– Instability in any traffic processing
• Lost heartbeat
– Heartbeat sent every 3 seconds
– Heartbeat not received for more than nine (9) seconds
58
WAF01008 - Security Policies
Introducing Security Policies
59
Security Models
• Positive security model
– Everything is blocked. Unless…
– …explicitly allowed
• Negative security model
– Only specific patterns are blocked
– Everything else is allowed
Positive Security Model
• Very strict security model
• Complex to configure and maintain
• Legitimate requests might be blocked (false positives)
(Diagram: browser submits First Name: Tommy, Last Name: O’Connor; the WAF checks each field against its profile – Input Field, Type Alpha, Max Char 16)
Negative Security Model
• Compromise between security level and administration complexity
• Attacks not profiled will be successful (security breach)
(Diagram: browser submits First Name: Tommy, Last Name: O’Connor; the WAF matches the input against attack patterns, denied metacharacters and custom patterns)
WAF Modes – Passive
• Passive Mode – Logs the attacks but allows traffic to pass through
• Cookie security is still enforced
(Diagram: the attacker’s attack on Service_B (passive) is logged and passed on to the web server)
WAF Modes – Active
• Active Mode – Logs and blocks the attacks
(Diagram: the attacker’s attack on Service_A (active) is logged and blocked before the web server)
Security Policies
• Only for HTTP & HTTPS services
• Positive & negative elements
• Assigned to several services or content rules
(Diagram: Tommy – HTTP – security policy on the WAF – HTTP – Backend Servers)
Predefined Security Policies
• Default
• Outlook Web App
• Barracuda WAF
• Microsoft SharePoint
• SAML
Predefined policies can be adjusted, copied and customized
Security Policies – The 9 Sub-Policies
(Diagram: Tommy – WAF – Application Server)
Request Limits
• Enforce size limits on HTTP request header fields
• Requests with fields larger than the specified maximums are dropped
• Mitigate buffer overflow exploits, preventing DoS attacks
• Limits shown: Max Request Length, Max URL Length, Max Line Length
Example request annotated on the slide:
GET /cgi-bin/badstore.cgi HTTP/1.1
Host: www.badstore.com
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
URL Normalization
• Normalizes all traffic before applying any security policy string matches
• Always enabled if the WAF is in Active state
• Prevents disguised attacks
(Diagram: attacker sends search?%27+OR+1%3D1+--+ ; after normalization the WAF sees search?' OR 1=1 -- and blocks the request)
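Why normalization has to run before any string match, shown on the slide's own request. This is an added example, not Barracuda's normalizer: the steps it covers (bounded repeated percent-decoding, '+' as space only in the query, dot-segment collapsing) and the two denied patterns are this example's assumptions.

```python
import posixpath
from urllib.parse import unquote, unquote_plus, urlsplit

MAX_DECODE_PASSES = 3   # bound repeated decoding of nested %-encodings


def decode_fully(text: str, plus_is_space: bool) -> str:
    """Percent-decode until the text stops changing (bounded), so a doubly
    encoded value is seen the way the application will eventually see it."""
    decode = unquote_plus if plus_is_space else unquote
    for _ in range(MAX_DECODE_PASSES):
        decoded = decode(text)
        if decoded == text:
            break
        text = decoded
    return text


def normalize_url(raw: str) -> str:
    """Return path?query with percent-encoding removed and dot segments collapsed."""
    parts = urlsplit(raw)
    path = decode_fully(parts.path, plus_is_space=False) if parts.path else "/"
    path = posixpath.normpath(path)                          # /a/./b/../c -> /a/c
    query = decode_fully(parts.query, plus_is_space=True)    # '+' means space in a query
    return path + ("?" + query if query else "")


# Illustrative denied patterns for the negative model (not the product's signature set)
DENIED_PATTERNS = ("' or 1=1", "<script")


def matches_denied_pattern(text: str) -> bool:
    lowered = text.lower()
    return any(p in lowered for p in DENIED_PATTERNS)


def inspect(raw: str) -> dict:
    """Compare a naive match on the raw request with a match after normalization."""
    normalized = normalize_url(raw)
    return {
        "normalized": normalized,
        "raw_match": matches_denied_pattern(raw),          # misses the encoded form
        "normalized_match": matches_denied_pattern(normalized),
    }
```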
Cookie Security – Encryption
• Prevents both viewing and tampering with cookies
(Diagram: the WAF encrypts the cookie before it reaches Tommy)
Cookie Security – Signing
• Two cookies are forwarded in the response to the client browser
– If cookies are altered, signature verification fails
– Cookies are removed before forwarding the request
(Diagram: Application Server – cookie – WAF adds a second cookie – Tommy; on the request the WAF verifies the cookies and removes the added cookie before forwarding to the Application Server)
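The signing flow from this slide as code: a companion signature cookie is added on the response path, verified on the request path, and stripped before the request is forwarded. Added example, not Barracuda's implementation; the cookie naming (`_sig` suffix) and the HMAC-SHA256 construction over name and value are assumptions.

```python
import hashlib
import hmac
from typing import Dict, Optional

SIG_SUFFIX = "_sig"   # assumed name of the companion signature cookie


def _mac(key: bytes, name: str, value: str) -> str:
    # Bind the signature to the cookie name as well, so a signed value
    # cannot be moved from one cookie to another
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def sign_response_cookies(cookies: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Response path: emit each application cookie plus its signature cookie."""
    out: Dict[str, str] = {}
    for name, value in cookies.items():
        out[name] = value
        out[name + SIG_SUFFIX] = _mac(key, name, value)
    return out


def verify_request_cookies(cookies: Dict[str, str], key: bytes) -> Optional[Dict[str, str]]:
    """Request path: return the application cookies to forward, or None if any
    signature is missing or fails verification (the request should be denied)."""
    forward: Dict[str, str] = {}
    for name, value in cookies.items():
        if name.endswith(SIG_SUFFIX):
            continue
        sig = cookies.get(name + SIG_SUFFIX)
        if sig is None or not hmac.compare_digest(sig, _mac(key, name, value)):
            return None
        forward[name] = value   # the signature cookie is not forwarded
    return forward
```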
Global ACLs
• Strict control rules for all services that share the same security policy
• Configurable actions
– Process - Processes any request matching this ACL
– Allow - Allows the request by disabling all security
– Deny and Log - Denies the request matching this ACL and logs the event
– Deny with no Log - Same as Deny, but the event is not logged
– Temporary Redirect - Redirects the request with a 302 message
– Permanent Redirect - Redirects the request with a 301 message
URL Protection
• Restricts the allowed methods in headers and content types
• Restricts the number of request parameters and their lengths
• Limits file uploads
• Detects and blocks specified attack types
• Prevents attacks embedded in URL requests or their parameters
– Normally executed with the permissions of the executing component
Parameter Protection
• Specifies denied metacharacters
• Maximum parameter value length and instances
• Regulates file uploads
– Allowed extensions/MIME types
– File size (max 25 Mb if AV is enabled)
• Protects a service from attacks that employ:
– Malicious parameters of a URL query string
– Malicious parameters of the form POST
Action Policy
• Action taken when a policy is violated
• Configurable actions:
– Protect and Log - Blocks the request with the specified violation and logs the event
– Protect and no Log - Like Protect and Log, but the event is not logged
– Allow and Log - Allows the request and logs the violation
– None - Allows the request by ignoring the violation
• A follow-up action can be configured
Cloaking
• Prevents hackers from obtaining information that could be used to launch a successful subsequent attack
• HTTP headers and return codes are replaced before sending a response
(Diagram: attacker requests page4.html; the application server answers 404 – page4.html not found; the WAF returns 200 – default.html instead)
Data Theft Protection
• Intercepts the response from the server and compares it with:
– Internal patterns
– Libraries
(Diagram: a response containing 6011 0000 0000 0004 is either blocked or cloaked as XXXX XXXX XXXX 0004 before reaching the attacker)
WAF01017 – Bot Mitigation
Introducing Advanced Bot Protection
Agenda
• Bot Mitigation Policies
• Virus Protection
• Account Takeover Protection
• Bot Protection
• Bot Spam Protection
Bot Mitigation
Feature                                ABP License Required
Google reCAPTCHA                       No
Bot Widget and Reporting               No
Bot Block List and IP Reputation       No
Bot Spam Mitigation                    No
Barracuda Active Threat Intelligence   Yes
Account Takeover                       Yes
Barracuda ABP Cloud Integration        Yes
Client Profile                         Yes
Advanced Web Scraping Categories       Yes
ABP Cloud Integration
(Diagram: ABP Cloud Service with ingestion engine, analysis engine, machine learning and lookup databases per customer account; the WAF performs inbound and outbound inspection and receives augmented request analysis)
WAF01017 – Bot Mitigation
Bot Mitigation Policies
82
Bot Mitigation Policy
• Automatically created for each service
• Created for specific parts of a web app
• Modules that can be activated:
– Data Theft Protection
– Antivirus / Barracuda Advanced Threat Protection
– Brute Force Prevention
– Credential Stuffing / Spraying
– Web Scraping Policies
– Rate Control (also available at service level)
(Diagram: Tommy's request and the Application Server's response both pass through the bot mitigation policy)
Bot Mitigation Feature Overview
(Diagram: Bot Mitigation – client fingerprint, credential lookup – Advanced Bot Protection)
Client Fingerprint & Risk Evaluation
(Diagram: Tommy's 1st HTTP request reaches the bot mitigation service on the WAF, which returns JavaScript; the fingerprint is evaluated with the ABP Cloud before the request reaches the web application)
Client Fingerprint & Risk Score
(Diagram: request analysis combines the client system's JavaScript fingerprint and SSL fingerprint into a risk score, e.g. 20)
WAF01017 – Bot Mitigation
Virus Protection
88
Antivirus
• Virus scanning enabled on a per-URL basis
• ClamAV
• Barracuda creates the AV signatures pushed through Energize Updates
(Diagram: the attacker's request is blocked by the WAF before the web server; signatures arrive via Energize Updates (EU))
Advanced Threat Protection
(Diagram: a 6 MB application/PDF file upload to the web app passes the service's URL Policy – BATP, is checked by BATP (license required) and forwarded to the web servers; results go to the system & WAF logs and the admin)
WAF01016 Advanced Bot Protection
Account Takeover Protection
91
Credential Stuffing / Spraying
• Authentication methods:
– HTML form
– HTTP basic authentication
– JSON / AJAX request
(Diagram: the attacker's login attempts (Email / Password) to /cgi-bin/reg.cgi are blocked by the WAF; Tommy's reach the Application Server)
Privileged Account Protection
• Client Profiling enabled
• Send notification
– Email
– Slack
– Webhook
(Diagram: the ATO Cloud reports "risk score exceeded" to the WAF for Tommy's session to the Application Server)
Bruteforce Prevention
• Maximum number of requests to a URL within a configured interval
– All requests or only invalid requests
– From a single client or from all sources
(Diagram: attacker 1.1.1.1 sends four login attempts (tommy/123456, tommy/password, tommy/qwerty, tommy/abc123) within 60s; the WAF blocks the request before the web server)
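The limit on this slide as a sliding-window counter, including the two options it lists (count all requests or only invalid ones; key per client or across all sources). Added example, not Barracuda code; the split into a `check` before forwarding and a `record` once the outcome is known, and the limit of 3 per 60 s in the replay, are this example's assumptions.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List


class BruteForcePolicy:
    """Sliding-window counter: at most `max_requests` counted requests to `url`
    within `interval_s` seconds, keyed per client or across all sources."""

    def __init__(self, url: str, max_requests: int, interval_s: float,
                 count_only_invalid: bool = False, per_client: bool = True):
        self.url = url
        self.max_requests = max_requests
        self.interval_s = interval_s
        self.count_only_invalid = count_only_invalid
        self.per_client = per_client
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def _window(self, client_ip: str, now: float) -> Deque[float]:
        key = client_ip if self.per_client else "*"   # "*": all sources share one window
        window = self._hits[key]
        while window and now - window[0] > self.interval_s:
            window.popleft()                          # expire attempts older than the interval
        return window

    def check(self, client_ip: str, url: str, now: float) -> str:
        """Decide before forwarding: 'allow' or 'block'."""
        if url != self.url:
            return "allow"
        if len(self._window(client_ip, now)) >= self.max_requests:
            return "block"
        return "allow"

    def record(self, client_ip: str, url: str, now: float, request_valid: bool) -> None:
        """Count the attempt once the outcome is known; with count_only_invalid,
        successful requests are not counted."""
        if url != self.url or (self.count_only_invalid and request_valid):
            return
        self._window(client_ip, now).append(now)


def replay_slide_scenario() -> List[str]:
    """Four failed logins from 1.1.1.1 within 60 s against a limit of 3 (constructed)."""
    policy = BruteForcePolicy("/login", max_requests=3, interval_s=60)
    verdicts = []
    for t in (0, 10, 20, 30):
        verdict = policy.check("1.1.1.1", "/login", t)
        verdicts.append(verdict)
        if verdict == "allow":
            policy.record("1.1.1.1", "/login", t, request_valid=False)
    return verdicts
```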
WAF01017 – Bot Mitigation
Bot Protection
95
Web Scraping Policies
• Prevents a web application from being scraped
• Detects bots and discriminates misbehaving bots
• Bots can be trapped using honey traps
(Diagram: Bot – WAF – Application Server)
Client Tarpit
• Configurable as a follow-up action
• Delays request handling
(Diagram: the attacker's suspicious request triggers a violation; the WAF holds it in the client tarpit for 10s before the Application Server)
WAF01017 – Bot Mitigation
Spam Protection
98
Referrer Spam
• Targets access logs of site – Will link back to spammer
• Uses block list to filter "SPAM Referrer"
(Diagram: the attacker's request with Referrer URL https://badurl.org is blocked by the WAF before the Application Server)
Comment Spam
• Uses database of known SPAM URLs
• Blocks requests so comments do not get posted
(Diagram: the attacker submits the comment "This Page will help you" in the comment field; the WAF blocks it before the Application Server)
WAF01010 - Introduction to Advanced Security Features
Advanced Security Features - Overview
Allow/Deny Rules
(Diagram: access control for the public, private and payments areas of the web application)
Website Profiles Overview
• Specific rules to fine-tune the security settings of a service
– URL profiles
– Parameters profiles
(Diagram: URL profile for /cgi-bin/reg.cgi with a parameters profile – First Name and Last Name each Input Field, Type Alpha, Max Char 16; Tommy Reed's submission passes through the WAF to the Application Server)
Application DDoS Attack Protection
(Diagram: WAF in front of the backend servers)
API Security on the Barracuda WAF
1. SSL/TLS Security
2. API Message Security
3. Protocol Security
4. Access Control
5. Cloaking
(Diagram: WAF as API proxy with inbound and outbound inspection in front of the API server)
Client-Side Protection
(Diagram: the browser loads content from the web server behind the Barracuda WAF and from a third-party open-source repository)
WAF01012 - Introduction to Security Tuning Tools
Security Tuning Tools - Overview
Tuning Security Rules
(Diagram: the Web Firewall Logs "Fix" and Exception Profiling feed the service's security rules on the WAF)
Mitigating Website Vulnerabilities
(Diagram: Barracuda Vulnerability Manager, Barracuda Vulnerability Remediation Service and vulnerability scanners feed the service's security rules on the Barracuda WAF)
WAF01013 - Tuning the WAF Configuration
Tuning the WAF Configuration
Web Firewall Logs
• Traffic violations are logged in the Web Firewall log
• Can be used to mitigate false positives
• Suggests the recommended “Fix”
• Accepting a recommendation could have the following impact:
– Localized - Website profile modification (URL or parameter)
– Global - Security policy modification
Auto-Configuration Engine
• WAF analyzes traffic patterns
– Analyzing takes up to one week
• Creates recommendations
– On global and service level
– Apply or ignore
(Diagram: Browser – WAF – Web Server)
ACE Recommendations
• Services
• Request Limits Tuning
• IP Reputation
• Cookie security settings
• Well-known ADR
• URL Protection tuning
• SSL errors
Trusted Hosts
• Hosts whose traffic is assumed to be safe
– Defined by IP address / network
– Configured in groups
• Use cases
– Exempt specific traffic from security checks or authentication
– Train the Adaptive Profiling engine
– Train the Exception Profiling engine
Exception Profiling
• Fine-tunes security policies associated with a service
• Uses a heuristics-based strategy to refine security settings in response to logged traffic
(Diagram: Tommy's 8 Mb upload is blocked; Exception Profiling at Level LOW (Trigger Count: 3, New Value: +100%) raises the Max File Size Upload setting from 5 Mb to 10 Mb)
Exception Profiling Heuristics
• Changes can be suggested or applied automatically
• Trusted traffic
– Trusted (Hosts)
• Untrusted traffic
– Low
– Medium
– High
• Untrusted traffic levels are shared among services
WAF01014 - Application Delivery
Introducing Application Delivery
Load Balancing Scheduling Policies
• (Weighted) Round Robin
– Distributes each new connection to the servers sequentially according to their configured weight
• Least Requests
– Distributes more requests to Real Servers with fewer recent requests
(Diagram: requests 1, 2, 3 distributed by Round Robin vs. Least Requests)
Persistence
• Load balancing module chooses the best suitable Real Server
• Populates the persistence table
– Source information
– Selected Real Server
(Diagram: Tommy's requests 1, 2, 3 to the service are load balanced to WS1; the persistence table entry "Tommy | WS1" keeps later requests on WS1 rather than WS2)
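The two scheduling policies and the persistence table from these slides in one scheduler. Added example, not Barracuda code; using the client identity as the persistence key, counting in-flight assignments as "recent requests", and expanding a weight into that many round-robin slots are this example's assumptions.

```python
from typing import Dict, List, Optional


class RealServer:
    def __init__(self, name: str, weight: int = 1):
        self.name = name
        self.weight = weight            # assumed >= 1
        self.recent_requests = 0        # requests assigned so far (assumed "recent" metric)


class Scheduler:
    def __init__(self, servers: List[RealServer], policy: str = "round_robin"):
        self.servers = servers
        self.policy = policy
        # Weighted round robin: a server with weight w gets w slots per cycle
        self._rr_cycle = [s for s in servers for _ in range(s.weight)]
        self._rr_pos = 0
        self.persistence: Dict[str, str] = {}   # source -> selected Real Server name

    def _pick(self) -> RealServer:
        if self.policy == "round_robin":
            server = self._rr_cycle[self._rr_pos % len(self._rr_cycle)]
            self._rr_pos += 1
            return server
        if self.policy == "least_requests":
            return min(self.servers, key=lambda s: s.recent_requests)
        raise ValueError(f"unknown policy {self.policy!r}")

    def route(self, source: str) -> str:
        """Return the Real Server for a request from `source`, honouring persistence."""
        name: Optional[str] = self.persistence.get(source)
        server = next((s for s in self.servers if s.name == name), None) if name else None
        if server is None:
            server = self._pick()                       # load balancing decision
            self.persistence[source] = server.name      # populate the persistence table
        server.recent_requests += 1
        return server.name
```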
Connection Pooling
• A set of open TCP connections used by requests
– A new connection is created and added to the pool if all in use
• Reduces the user’s connection waiting time
• Reduces the load on the backend servers
(Diagram: Tommy – WAF connection pool – Web Server)
Caching
• Stores commonly used information in local memory (RAM)
– Reduced latency when retrieving web content
– An overall reduction in bandwidth and server load
• A content rule can be used
(Diagram: Tommy – Service with Content Rule on the WAF – Web Server)
Compression
• Compresses specific content types
– Reduction in bandwidth utilization
– Quicker object retrieval due to smaller size
• A content rule can be used
(Diagram: Tommy – Service with Content Rule on the WAF – Web Server)
Web Translations
• URL Translations
– Modifies the prefix, domain, and response body of an internal URL to an externally viewable URL
• HTTP Request Rewrite
– Can be used to relay the client IP address to the backend server
• HTTP Response Rewrite
• Response Body Rewrite
– Searches and replaces any text string in the response body
WAF01015 - Access Control & Security
Introducing Access Control
124
Content
• Access Control
• Web Token Validation
125
WAF01015 Access Control & Security
Access Control
Access Control Overview
• The WAF can authenticate users using external authentication services
– Authentication can be implemented only for HTTP or HTTPS service
• A validated user has access depending on authorization privileges
(Diagram: Tommy submits login_page.html with Username: tommy, Password: ******* to the service; the WAF authenticates against the Authentication Server and authorizes access to the Web Server)
Dual Authentication
• Authentication module supports dual authentication
– LDAP (Primary)
– RSA SecurID (Secondary)
– Radius with OTP (Secondary)
(Diagram: Tommy – WAF – primary authentication against LDAP, secondary authentication against RSA / RADIUS)
Multi-Domain Authentication
• Allows the configuration of multiple domains for a service
• Login format: domain\username
– Users without domain are authenticated against the default domain
• SLO supported for SAML
(Diagram: John logs in as jupiter\john and is authenticated against the Jupiter domain; Tommy as pluto\tommy against the Pluto domain)