Connectivity and Remote Access
BYOD (Bring Your Own Device)
The influx of private computing devices, from smartphones to laptops and tablets, into the workplace may help increase productivity, flexibility, and convenience. However, BYOD adds new security challenges and risks, such as enabling and controlling access, as well as preventing data loss.
The Barracuda NextGen Firewall F-Series provides strong capabilities to give users the full advantage of their devices while reducing possible risks to the business. Unwanted applications can be blocked, LAN segmentation can protect sensitive data, and network access control can check the health state of each device connecting to the corporate network.
Secure Remote Access
The Barracuda NextGen Firewall F-Series incorporates advanced site-to-site and client-to-site VPN capabilities, using both SSL and IPsec protocols to ensure remote users can easily and securely access network resources without complex client configuration and management. Every F-Series firewall unit supports an unlimited number of VPN clients at no extra cost.
The Barracuda VPN client also provides the ability to enforce Windows Security Center settings on client machines running Windows. This allows administrators to centrally enforce the usage of Windows Security settings on PCs. The enforced policies can include enabling the Microsoft Network Firewall, Windows Updates, Windows Virus Protection, Windows Spyware Protection, and Internet Security Settings.
Barracuda VPN Clients are available for Microsoft Windows, Mac OS, and various Linux systems.
Network Access Control
The optional Advanced Remote Access subscription for the Barracuda NextGen Firewall F-Series adds a customizable and easy-to-use portal-based SSL VPN as well as sophisticated Network Access Control (NAC) functionality.
The Barracuda Network Access Client, when used with the F-Series firewall, provides centrally managed Network Access Control (NAC) and an advanced personal firewall. This allows enforcement of minimum Windows client security prerequisites before being allowed access to the network or access to a quarantine network. Security posture can be specified according to available Windows patch level, availability of antivirus and/or anti-spyware, and user ID. Access restrictions are enforced locally on the client by the centrally managed personal Windows firewall as well as at the gateway. Using existing Barracuda NextGen Firewall F-Series appliances, Barracuda Networks offers a ready-to-use Network Access Control framework without expensive investments into the basic network infrastructure. All Barracuda Network Access Clients as well as all Barracuda NextGen Firewall F-Series units acting as policy servers can be administered, monitored, and reviewed from a single Barracuda F-Series Control Center.
Gain easy access to your organization’s applications via SSL VPN connections. Barracuda‘s Mobile Portal enables you to set up shortcuts on the home screen of devices such as smartphones or tablets. When accessing the portal via the web browser on a mobile device, users can browse apps, network folders and files as if they were connected to the office network.
The Mobile Portal supports most commonly used devices, e.g., Apple iOS, Android, and Blackberry devices.
Barracuda’s Mobile Portal is an optional feature included with the optional Advanced Remote Access subscription.
CudaLaunch is an application for Windows, macOS, iOS, and Android devices that provides mobile workers secure remote access through the Barracuda NextGen Firewall F-Series to their organization’s private cloud applications and other sensitive information. CudaLaunch provides several benefits over traditional browser-based SSL VPN remote access. As an app, it provides a familiar app store setup and install experience for end users.
Unlike browser-based remote access, CudaLaunch provides a more responsive look and feel that is unified across mobile platforms and avoids the idiosyncrasies of mobile browsers. Once an end user starts the app, a swipeable launchpad provides quick and easy access to internal applications, favorites, and TINA VPN connections (which securely connect the device to your corporate network). This richer VPN connection supports mobile apps that connect back to the corporate network (like remote desktop apps).
Designed to be completely self-configuring, CudaLaunch includes easy central management for large deployments and integrates with the powerful security features of the F-Series firewall. For IT administrators, the F-Series firewall provides one place to manage security policies for all types of remote access (CudaLaunch, SSL VPN, Barracuda Network Access Client, and standard IPsec). The end user experience is consistent across platforms and remote access types, making for ease of use and significantly lower support costs. The self-configuration and management of VPN connections eliminates the need to manually configure IPsec connections on Windows, macOS, iOS, and Android, making setup fast and easy.
More information on CudaLaunch is available here.
The app is available for free at:
Mac App Store (macOS)
Barracuda Cloud Control (Windows Universal Installer (32-bit / 64-bit))
(Also available as a standalone app that requires no installation; therefore, there are no local admin rights. This version is available on the Barracuda Cloud Control only for windows version.)
App Stores (iOS)
Google Play (Android)
Please note that CudaLaunch requires Barracuda NextGen Firewall F-Series firmware 6.1.1 and an active Advanced Remote Access subscription.
Due to the limitations that come with standard IPsec connections, Barracuda Networks has created several powerful extensions to standard IPsec tunnel management. This core of the Barracuda F-Series VPN engine is called TINA (Transport Independent Network Architecture). The TINA protocol allows the use of TCP, UDP, and ESP for high speed VPN connections, which improves the VPN connectivity substantially by adding:
- Endpoint-to-Endpoint (not network-to-network) connectivity
- NAT friendliness
- Multiple physical transport paths for a logical tunnel
- Multiple tunnels between two locations
- HTTPS and SOCKS4/5 proxy compatibility
- Dynamic Address Support
- Tunnel heartbeat monitoring
Create highly reliable and secure site-to-site connections between on-premises F-Series firewalls (both hardware and virtual appliances). Site-to-site connectivity also includes public cloud offerings like Amazon Web Services and Microsoft Azure. But it is not just about maintaining static site-to-site VPN tunnels. Having a hub-and-spoke VPN setup allows you to create tunnels automatically and on-demand between connected nodes in order to avoid the hub turning into a bottleneck. You thereby ensure low latency connections for VoIP applications, for example. As soon as the connection is no longer required, the VPN tunnel is automatically closed again. Administrators naturally have full real-time visibility into the dynamic mesh VPN setup.
SD-WAN, short for Software Defined Wide Area Network, refers to a new category of devices that create secure pathways across both multiple WAN connections and multiple carriers without the involvement of typical high-management overhead. SD-WAN devices perform load sharing by using multiple WAN connections simultaneously, distribute encrypted VPN tunnels across multiple WAN connections, and increase available bandwidth via built-in compression, caching, and WAN optimization technology. The result is significant cost savings due to simplified management and the reduced need for high-quality lines.
The Barracuda NextGen Firewall F-Series is the only firewall with full, built-in next-generation security and SD-WAN capabilities. Organizations can thereby cut costs by reducing their need for expensive leased lines, consolidating multiple security solutions into a single device, and switching to a unified management framework.
IoT & Machine-2-Machine connectivity
In the age of the Internet of Things, more and more companies need to securely and economically connect large numbers of remote devices like automated teller machines (ATMs), point-of-sale kiosks, wind power stations, networked industrial machines, or even very small offices. Managing and protecting network traffic among these remote machines is often a logistical nightmare involving many different firewalls, VPN software, and routing steps.
Barracuda NextGen Firewalls are available as ultra-small appliances, the Secure Connector appliance (FSC1), which reliably connect each remote device with multiple uplinks and even an automated failover in case one uplink fails.
The FSC1 provides zone-based firewalling, Wi-Fi, and full VPN connectivity for the connected device. The network traffic is then backhauled to a NextGen Firewall Secure Access Concentrator(FSAC), running at a central office or in the cloud, for inspection and other resource-intensive security tasks such as URL filtering, intrusion prevention (IPS), antivirus protection and application detection.
More on what Barracuda provides to protect your Internet of Things is available here.
Intelligent Network Perimeters
The Barracuda NextGen Firewall F-Series combines Deep Packet Inspection (DPI) and behavioral traffic analysis to reliably detect and classify thousands of applications and sub-applications, regardless of advanced obfuscation, port hopping techniques, or encryption. It allows the creation of dynamic policies and facilitates establishing and enforcing access and use policies for users and groups by application, application category, location, and time of day. Administrators can now:
- Block unwanted applications for certain users or groups
- Control and throttle acceptable traffic
- Preserve bandwidth and speed-up business-critical applications to ensure business continuity
- Enable or disable specific application sub-functions (e.g., Facebook Chat, YouTube Postings, or MSN file transfers)
- Intercept SSL-encrypted application traffic
The Barracuda NextGen Firewall F-Series features advanced application-based routing path selection and Quality of Service (QoS) capabilities. These provide additional business value in addition to security by significantly improving network quality and availability, as well as reducing direct line cost due to bandwidth saved.
For rich reporting and drill-down capabilities, the F-Series comes with real-time and historical application visibility that shows application traffic on the corporate network, thus providing a basis for deciding which connections should be given bandwidth prioritization, crucial to QoS optimization for business-critical applications. Furthermore, it allows adjusting and refining the corporate application use policies.
For an up-to-date list of applications and sub-applications that are pre-loaded into Application Control, please check the Online Application Explorer.
Deep Application Context
The deep application context analysis allows for deeper inspection of the application data stream by continually evaluating the actual intention of applications and the respective users. Administrators can thereby gain detailed insight into what a specific application was used for or if a user was trying to circumvent the corporate application usage policy.
Personalized Application Control
In addition to the thousands of applications pre-loaded in Application Control, the Barracuda NextGen Firewall F-Series makes it easy for you to create your own application definitions tailored to your specific needs.
To view a complete list of applications and sub-applications that are included under Application Control, please check the Online Application Explorer.
User Identity Awareness
Different network users may need different bandwidth-use rules. Most often, access to certain network resources is limited to certain users or user groups. Preferential allocation of more bandwidth to certain users or user groups and a limitation of available bandwidth for others is a common requirement. It requires the network device to know what user an IP actually belongs to.
Barracuda NextGen Firewall F-Series are fully user-identity aware by linking a user to one or several IP addresses. Any role assignments that result from identity communicated to the firewall by our health agents can be used within the firewall to facilitate role-based access control (RBAC). F-Series firewalls support authentication of users and enforcement of user-aware firewall rules, web security gateway settings, and Application Control 2.0 using Active Directory, NTLM, MS CHAP, RADIUS, RSA SecurID, LDAP/LDAPS, TACACS+, as well as authentication with x.509 certificates.
Intrusion Detection and Prevention
The Intrusion Detection and Prevention System (IDS/IPS) of the F-Series strongly enhances network security by providing complete and comprehensive real-time network protection against a broad range of network threats, vulnerabilities, exploits, and exposures in operating systems, applications, and databases preventing network attacks such as:
- SQL injections and arbitrary code executions
- Access control attempts and privilege escalations
- Cross-Site Scripting and buffer overflows
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Directory traversal and probing and scanning attempts
- Backdoor attacks, Trojans, rootkits, viruses, worms, and spyware
Barracuda NextGen Firewall F-Series provides advanced attack and threat protection features such as:
- stream segmentation and packet anomaly protection
- TCP split handshake protection
- IP and RPC defragmentation
- FTP evasion protection
- URL and HTML decoding
As a result, the Barracuda NextGen Firewall F-Series is able to identify and block advanced evasion attempts and obfuscation techniques that are used by attackers to circumvent and trick traditional intrusion prevention systems.
As part of the Barracuda Energize Updates subscription, automatic signature updates are delivered on a regular schedule or on an emergency basis to ensure that the Barracuda NextGen Firewall F-Series is constantly up-to-date. If the firewall unit is centrally managed, the updates are conveniently distributed by the Barracuda F-Series Control Center.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) Protection
In today’s world of omnipresent botnets, one of the main tasks of perimeter protection is to ensure ongoing availability of the network for legitimate requests and to detect and repel malicious denial of service attacks. With TCP SYN Flood Protection, the Barracuda NextGen Firewall F-Series effectively functions as a generic TCP proxy, forwarding only legitimate TCP traffic to the inside of the network.
Additionally, the F-Series allows the definition of a rate limit that is applied to the maximum number of sessions per source address to be handled by the firewall. Packets arriving at a rate faster than allowed will simply be dropped. In a massive DDoS attack, the attackers may simply aim for saturating the link by transmitting vast numbers of UDP packets. The integrated environmental monitoring feature of the Barracuda NextGen Firewall F-Series diagnoses such conditions by link and target address monitoring. Once the response of a remote target address to regular ICMP probing fails, the system can be configured to activate different routes and uplinks (for example backup line, ISDN, xDSL). Using this feature, traffic will be unimpeded across unaffected lines and crucial site-to-site and site-to-Internet connectivity remains operational.
The Web Security Gateway option of the F-Series firewall enables highly granular, real-time visibility into online activity broken down by individual users and applications, letting administrators create and enforce effective Internet content and access policies. It protects user productivity, blocks malware downloads and other web-based threats, and enables compliance by blocking access to unwanted websites and servers, providing an important additional layer of security alongside application control.
Traffic Shaping and Quality of Service
Limited network resources make bandwidth prioritization a necessity. The Barracuda NextGen Firewall F-Series provides strong Quality of Service (QoS) that lets the administrator apply quality aspects and service guarantees to selected traffic flows within the WAN. QoS is often used to prioritize the network traffic of applications that are critical and must not be affected by the network traffic of other applications.
The F-Series provides a large set of QoS techniques, such as traffic shaping, traffic prioritization, and bandwidth partitioning, which assigns a bandwidth limit to certain types of traffic. To select traffic for different priority classes, the available real-time traffic analysis can be used to identify whether network traffic was sent by business-critical applications or by potentially unwanted applications.
Failover and Link Balancing
To ensure unbeatable, cost-efficient connectivity, the Barracuda NextGen Firewall F-Series provides a wide range of built-in uplink options including unlimited leased lines, up to twelve DHCP uplinks, and up to four xDSL uplinks. By eliminating the need to purchase additional devices for link balancing, security-conscious customers have access to a WAN connection that never goes down, even if one or two of the existing WAN uplinks are severed. In addition, traffic intelligence mechanisms ensure that the next-defined uplink is activated on the fly and that all traffic is rerouted to make full use of the remaining lines. In the event that backup lines provide less bandwidth, intelligent traffic shaping automatically prioritizes business-critical applications, networks, or distinct endpoints.
A unique combination of next-generation security and adaptive WAN routing technology allows the Barracuda NextGen Firewall F-Series to dynamically assign available bandwidth, uplink, and routing information based not only on protocol, user, location, and content, but also on applications, application categories, and even web content categories. This keeps expensive, highly available lines free for business- and mission-critical applications, while significantly reducing response times and freeing up additional bandwidth.
To view a complete list of applications and sub-applications that are covered by Application-Based Routing, please check the Online Application Explorer.
The Barracuda NextGen Firewall F-Series can significantly enhance the WAN performance of distributed network environments by improving the availability, performance, and response time of business-critical applications by lowering throughput and transmission delays, affecting time-sensitive decisions and enterprise profitability. The next-generation networking concept of the F-Series provides a set of powerful features to efficiently reduce and offset the negative effects of high latencies and response times.
By implementing enterprise-grade WAN acceleration features such as data deduplication, traffic compression, and protocol optimization, the F-Series firewalls can significantly improve site-to-site WAN traffic and increase productivity by accelerating the delivery of business applications - at no extra charge. WAN traffic can be effectively compressed up to 95 percent, significantly reducing the bandwidth needed at remote locations while increasing network responsiveness.
Managing the security issues in a widely distributed enterprise network can be painful and extremely time-consuming. Managing a system may take only 15 minutes per day. But having 20 firewall systems in place results in five hours per day – just to manage the existing system. With the Barracuda NextGen Control Center, managing mulitple Barracuda NextGen Firewall F-Seriess takes the same amount of time as managing one.
- Create pre-configured templates for easy-rollout.
- Have all information about the enterprise security deployment available in real time.
- Create reports of either one or all Barracuda NextGen Firewall F-Seriess.
File Content Enforcement
The Barracuda NextGen Firewall F-Series includes true file-type detection and enforcement capabilities based not only on extension and MIME type, but also on sophisticated true file-type detection algorithms. Bypassing executable files by renaming or compressing is detected and blocked. In addition to blocking / allowing connections, the NextGen Firewall F-Series also lets admins change download priorities. If, for example, an ISO image started downloading with normal web traffic priority, the admin can increase or decrease the assigned bandwidth, even though the user started downloading via a regular web-browsing session.
Secure Against Advanced Threats
Botnet and Spyware Protection
Botnet and Spyware Protection guards against botnet infections by blocking access to malicious sites and servers, and detects potentially infected clients based on DNS Sinkholing technology. DNS Sinkholing blocks clients from accessing malicious domains by monitoring outbound DNS requests passing through the firewall. DNS requests to malicious domains are redirected to an internal sinkhole, thereby preventing data exfiltration and identifying the victim. Once an infected client is detected, it can be isolated automatically. An alert can also be created or reported by the Barracuda Report Creator.
Advanced Threat Protection
While traditional solutions usually detect network threats after they have breached the network by sending log notifications to the administrator, the Barracuda Advanced Threat Protection (ATP) implements full system emulation, providing deep visibility into malware behavior. Files are checked against a cryptographic hash database that is constantly updated. In case the file is unknown, it is emulated in a virtual sandbox where malicious behavior can be discovered.
The Barracuda ATP offers Administrators granular, file-type-based control including automatic quarantine and blacklisting features to maintain the highest level of protection for an organization’s network.
The Barracuda Advanced Threat Protection is an optional subscription.
The Malware Protection built into the Barracuda NextGen Firewall F-Series shields the internal network from malicious content by scanning web content (HTTP and HTTPs), email (SMTP, POP3), and file transfers (FTP) via two fully integrated antivirus engines. Malware protection is based on regular signature updates as well as advanced heuristics to detect malware or other potentially unwanted programs even before signatures are available. Barracuda F-Series Malware Protection covers viruses, worms, Trojans, malicious java applets, and programs using known exploits on PDF, picture and office documents, macro viruses, and many more, even when using stealth or morphing techniques for obfuscation.
Single Pane of Glass
Centralizing all management across many different next-generation firewalls and remote-access users, the Barracuda NextGen Control Center enables administrators to manage and configure security, content, traffic management, and network access policies from a single interface. The Barracuda NextGen Control Center helps significantly in reducing the cost associated with security management while providing extra functionality, both centrally and locally, at the managed gateway.
Barracuda NextGen Control Center allows you to create re-usable objects for any configuration entry imaginable: IP address, networks, ranges, DNS names, content security policies, network security policies etc.
These objects can be created once and reused in subsequent configurations nodes. For example, if there is an object Internal_Network_Branchname as a network object, it can be referenced in the network settings, firewall rules, and VPN settings. If the object needs to be changed, it only needs to be changed once, preferably on the Control Center. Then, the changes will be automatically applied at every location where the object is referenced. This provides a faster, easier, and more convenient method of changing configuration services across multiple units.
When configuring multiple NextGen Firewalls across the WAN, there will always be components that the firewall have in common, such as domain names, DNS servers, NTP servers, application security configurations, URL filter configurations, and so on. The Barracuda NextGen Control Center collects all of these in a repository (global configuration node) linked to multiple Barracuda NextGen Firewalls. Using repositories on the NextGen Control Center, an administrator can update thousands of firewalls with just a single change in the repository.
Repositories still provide the flexibility to override specific settings on specific firewalls. For example, if one location uses a different DNS server than the others, you can create an explicit overwrite for just this setting on this single firewall.
Centralized Software Updates
The Barracuda NextGen Control Center provides centralized software updates for all centrally managed NextGen Firewall units. Updates can be scheduled for a specific time and even just for specific subsets of remote NextGen Firewall units. In case a software updates is not successful, it is automatically rolled back and reported.
Just like on the NextGen Firewall F-Series, the Barracuda NextGen Control Center allows simultaneous login of multiple administrators in “writing mode”. This is useful in MSSP and multi-admin environments where there is a greater likelihood of administrators managing systems in teams. Once a change needs to be made, only the dedicated configuration node needs to be locked for changing by the admin actually performing the change. All other settings outside of this locked configuration node are still viewable and modifiable by other admins logged on to the system.
Role-Based Admin Capabilities
The Barracuda NextGen Control Center provides extensive role-based administration benefits. Administrators can be assigned specific roles such as:
- MSSP Admin
- Customer Admin
- Log Viewer
- Content Filter Admin
In addition, custom roles for special needs with special privileges can also be created. For example, you can define services to delegate specific tasks to a dedicated team or end user. If one team or end user wants to be able to change firewall rules, a specific customer administrator role can be created that is allowed only to change this particular portion of the configuration. The admin may then review all other configurations, but will not be allowed to change anything else.
Barracuda NextGen Firewall Control Center units C610/VC610 and higher provide special handling for multi-tenant management, allowing for an MSSP to be able to easily manage multiple customers on the same Barracuda NextGen Control Center. For example, administrators of Customer 1 will not be able to see anything from Customer 2 and vice versa. There is no limit to how many customers can be administered with one Barracuda NextGen Control Center.
The default screen for every Barracuda NextGen Control Center displays a status overview of all centrally managed Barracuda NextGen Firewall units. The status is visualized via a traffic light concept (red, yellow, green) and is provided for individual units, clusters, and whole tenant installations (called “Ranges”). The “worst” status always wins, effectively allowing the administrator to have a centralized view of the overall status and to be able to dig deeper with only a few mouse clicks.
The NextGen Control Center allows the creation of a global firewall ruleset that is installed on all machines it is applied to. In addition, local and special rule sets can be be installed on specific boxes only.
The MSSP has a Network Operation Center (NOC) to monitor all services provided to a customer. In this environment, there are global firewall rules that allow every kind of monitoring connection and local firewall rules specific to a customer. The MSSP can determine whether global or local rules take precedent depending on the customer. This provides an added level of granularity for configuration because there are special rules defined for each customer to allow traffic to pass through the firewall.
With this feature, the MSSP can be sure that there is a reliable monitoring and log flow. This is required for providing as well as demonstrating proof of service level agreements to customers.
The security landscape just never stop changing. That is why Barracuda Networks constantly introduces and releases new exciting features and improved security functionalities for all its NextGen Firewalls through its Energize Updates subscription. But when you have dozens or even thousands of devices managed in a company’s WAN network, some devices, networks, or even branches will inevitably run older firmware versions level than certain devices that require the most up-to-date technology. Fortunately, the Barracuda NextGen Control Center is backwards compatible to older firmware versions deployed for at least three years, effectively easing the process of needing to upgrade across the organization.
Revision Control System (RCS)
On both the Barracuda NextGen Control Center and all Barracuda NextGen Firewall F-Series units, all administrator actions can be logged and changes can be selectively rolled back if required. In case a rollback is required, the administrator has the option to rollback all changes or only specific ones (such as firewall rules) while leaving the network settings untouched.
Drag & Drop VPN GTI Editor
The Barracuda NextGen Control Center VPN Graphical Tunnel Interface (GTI) provides a graphical interface to create and manage VPN tunnels. When configuring VPN tunnels manually, there are many identical configuration steps and settings. But since the GTI Editor eliminates many of these redundant steps, you can configure VPN tunnels more quickly and with less errors.
With a pool license, the license of the Barracuda NextGen Firewall is tied to the NextGen Control Center, not to the serial number and hardware combination. So in case of hardware failure, a new appliance can be deployed without being relicensed. This is great for managed security services providers because they can optimize license usage.
For more details, please refer to the whitepaper Barracuda Pool Licensing with Barracuda NextGen Firewall F.