Application Attack and DDoS Protection
The Barracuda Web Application Firewall provides robust security against targeted and automated attacks. OWASP Top 10 attacks like SQL Injections and Cross-Site Scripting (XSS) are automatically identified and logged. Administrators have the ability to set granular controls on response, allowing them to block, throttle, redirect, or perform a number of other actions.
Advanced DDoS protection capabilities allow administrators to distinguish real users from botnets through the use of heuristic fingerprinting and IP reputation, thereby allowing them to block, throttle, or challenge suspicious traffic. It is the only product in the industry to offer integrated IP reputation intelligence that combines real-time situational insights and historical intelligence to secure against application DDoS using a variety of risk assessment techniques such as application-centric thresholds, protocol checks, session integrity, active and passive client challenges, historical client reputation blacklists, geo-location, and anomalous idle-time detection.
Adaptive profiling enables administrators to build positive security profiles of their applications by sampling web traffic from trusted hosts. Once enabled, the positive security profiles allow administrators to enforce granular whitelist rules on sensitive parts of the application. This greatly reduces the risk of attacks and helps prevent zero-day vulnerabilities by restricting input only to inputs that meet strict standards.
Vulnerability Remediation Service
The Barracuda Vulnerability Remediation Service vastly reduces the cost and complexity of configuring and maintaining the Barracuda Web Application Firewall. To deploy and configure, simply install the WAF with an IP address, point it at the applications you wish to secure, and initiate a scan. The resulting report can then be turned into active configuration on the WAF, completing the deployment and configuration process.
DevOps will continue to refine and improve your online presence. Barracuda Vulnerability Remediation Service makes it very easy to maintaining an “always secure” environment during this process. Automated security scanning speeds your development process, while granular controls allow either a hands-off approach to security, or step-wise implementation of each security policy before it is implemented in active configuration.
Often the first step of any targeted attack is to probe public-facing applications to find out details about the underlying servers, databases, and operating systems. Cloaking prevents attack reconnaissance of protected applications by suppressing server banners, error messages, HTTP headers, return codes, debug information, or backend IP addresses from leaking to a potential attacker. Without any details of the underlying infrastructure, it is much more difficult to target attacks, thereby reducing the risk of breach.
Protection for Mobile Applications, REST APIs and AJAX
Applications that rely on XML can now be secured with an XML Firewall capability that secures applications against schema and WSDL poisoning, highly-nested elements, recursive parsing, and other XML-based attacks. This secures communications between client and application or between applications from different systems closing an often overlooked attack vector.
Web Scraping Protection
Web Scraping involves copying large amounts of data from a website or application using automated tools. This is often done for commercial advantages that are to the detriment of the organization that owns the web application. Typically, the motivation of the attacker is to undercut competition, steal leads, hijack marketing campaigns, and appropriate data via the web application. Examples include theft of intellectual property from digital publishers, scraping products and pricing information from e-commerce sites, and stealing listings on real estate, auto dealers and travel sites.
The Barracuda Web Application Firewall protects against web scraping by detecting and blocking malicious bots from accessing the website. Advanced detection techniques include the ability to set honeytraps to identify malicious bots and headless browser detection. Site administrators can also set whitelists for allowing specific bots, such as search engine crawlers to access the website. The Barracuda Web Application Firewall validates all bot traffic against known signatures before allowing them access to the website.
Data Loss Prevention
Deployed as a reverse-proxy, the Barracuda Web Application Firewall inspects all inbound traffic for attacks and outbound traffic for sensitive data. Content such as credit card numbers, U.S. social security numbers, or any other custom patterns can be identified by the Barracuda Web Application Firewall and either blocked or masked without administrator intervention. Best of all, the information is logged and can be used by administrators to find potential leaks.
Iron-clad URL Tamper Prevention via URL Encryption
Attacks on a web-based application often start by analyzing and tampering with its URLs. Barracuda Web Application Firewalls, models 660 and above, come with a unique URL Encryption feature that allows administrators to encrypt URLs before they are sent to clients. The original URLs or the directory structure are never exposed externally to prying eyes. Users of the web applications interact and navigate the site using only encrypted URLs, which are decrypted by the WAF on the way back in. The decryption process immediately identifies URL query or parameter tampering, malicious content injection or blind forceful browsing attacks.
The Barracuda Web Application Firewall is designed to provide easy, cost-effective assistance to help administrators comply with major application-specific requirements like PCI-DSS, HIPAA, FISMA, and SOX. It is certified by a number of third-party testing labs including ICSA Labs as an effective Web Application Firewall solution. The Barracuda Web Application Firewall directly satisfies section 6.6 of PCI-DSS and assists compliance with built-in PCI compliance reports. Its robust identity and access management and data loss prevention (DLP) capabilities ensure privacy of sensitive data. A FIPS 140-2 HSM model ensures that applications it protects meet the highest cryptographic standards.
Integrations: Cavium Networks
Cloud Edition for Microsoft Azure
When migrating data, applications, and/or workloads to the cloud, administrators still need to safely manage both corporate and customer information. In most cases, organizations are still subject to the privacy and compliance directives of their industry, whether HIPAA, SOX, PCI, or others. By integrating the proven application security and data loss prevention capabilities of Barracuda Web Application Firewall (WAF) with Microsoft Azure’s native security features, administrators are in a superior position to deploy secure, reliable, and resilient cloud services in Azure while meeting any regulatory or compliance needs. To find out more about the Barracuda Web Application Firewall on Microsoft Azure, visit us in the Microsoft Azure Marketplace, download the WAF on Azure whitepaper or visit the Barracuda Campus.
Cloud Edition for Amazon Web Services
The Barracuda Web Application Firewall provides proven application security and Data Loss Prevention for applications deployed on Amazon Web Services. AWS Security Competency certified Barracuda Web Application Firewall integrates with AWS Elastic Load Balancer, Cloud Formation Templates and more to support bootstrapped configuration and autoscaling. To find out more about the Barracuda Web Application Firewall on Amazon Web Services, visit our AWS Marketplace page, AWS White Paper or visit the Barracuda Campus.
Vulnerability Scanner Integration
Security organizations often use vulnerability scanners to look for exploitable weaknesses in their applications. Barracuda has the ability to integrate with popular scanners like IBM AppScan and Cenzic Hailstorm to automatically configure an application’s security template to protect against identified issues. All of this is automatically configured using the output of the scanners without any administrator intervention.
Integrations: Barracuda Vulnerability Manager, Cenzic Hailstorm, HPE Security WebInspect , HPE Security Fortify On Demand , IBM AppScan.
In addition, the Barracuda Web Application Firewall integrates with over 20 vulnerability scanners via Denim Threadfix integration
Advanced Threat Protection
The Barracuda Web Application Firewall seamlessly integrates with Barracuda Advanced Threat Protection (BATP) to provide security against advanced threats. Simply add BATP to the Barracuda WAF to block advanced zero-hour threats. By analyzing files in a CPU-emulation based sandbox, it can detect and block malware embedded deep inside files uploaded to your web site or web application. At a time when advanced threats like ransomware are causing havoc, BATP ensures defense in depth against malicious threats.