Barracuda API Security

Stop API attacks and improve customer experience.

Basic API Security

As a reverse proxy, Barracuda Web Application Firewall and WAF-as-a-Service intercept and secure all URLs against attacks. This means that attacks that use the actual URL surface are defeated and includes examination of the entire URL for malicious inputs.

Incoming requests are checked for valid content—in terms of both protocol correctness and allowed sizes—to protect the backend application’s parser against targeted attacks.

API traffic is inspected for attack patterns using our Smart Signature technology. All user inputs are validated against these Smart Signatures to detect attacks such as XML external entities, SQL injections, and more.

Using the API specification, Barracuda automatically creates and enforces gradual positive security down to the key level. This enforcement adds a layer of protection over the signature enforcement layer.

Outgoing traffic can be inspected for specific patterns like SSN’s, national identity numbers, credit card numbers, etc. to strip them out and prevent data leakage.

Secure API delivery

The secure reverse proxy architecture provides a hardened HTTPS front end. This front end enforces specific HTTPS protocols and ciphers, enabling better compliance with standards such as NIST and PCI-DSS, while protecting your backend stack against protocol attacks.

Whether it is delivering different responses based on the application versions, headers or platforms, or performing A/B testing, canary rollouts, etc., the content routing module on Barracuda Web Application Firewall enables quick setup and easy API delivery.

REST API’s are by nature chatty, increasing the overhead on the backend server. Barracuda uses connection pooling to reduce the load on the backend server by load-balancing incoming requests on a continually open pool of connections. Response caching and compression speeds up responses to API requests, improving performance for the end user and helping you meet SLA’s.

A single misbehaving client can at times overload an API. With IP-based rate limits and tarpits, you can choose to block or slow down clients that are sending in a large number of requests, protecting your backend server from overload.

Bot Protection

Barracuda Web Application Firewall and WAF-as-a-Service can detect and block advanced bots that perform automated attacks against your APIs. The cloud-based machine learning layer detects even the most advanced almost-human bots that attempt to bypass standard detection and prevention methods.

Brute Force attacks are typically used during reconnaissance attempts, and include attacks like directory traversal, credential cracking, and others. Barracuda Web Application Firewall solutions can identify brute force attempts from individual clients and block them.

Many RESTful web service APIs are farmed by third-party aggregators. For example, price-matching websites can inundate the REST APIs of e-commerce services excessively. Brute force and anti-DDoS policies on Barracuda Web Application Firewall and WAF-as-a-Service help enforce disciplined access to the API.

Barracuda Web Application Firewall solutions provide complete protection against all types of both volumetric and application DDoS attacks.

Access Control

REST applications often tie HTTP methods to operational policies and role-based access control. Often, all the verbs are not valid for every resource. Barracuda Web Application Firewall solutions can help enforce which methods are allowed on what resources use granular positive profiling capabilities.

Barracuda Web Application Firewall solutions can pre-authenticate API services or completely offload authentication on to itself in the DMZ. Apart from basic authentication, OpenID Connect, SAML, LDAP, RADIUS, it also supports client certificates, CRL, and OCSP. Additionally, API keys can be allow-listed and validated in any part of the request, including headers.

Ease of use and visibility

Barracuda Web Application Firewall and WAF-as-a-Service can import XML and JSON API specifications for automated configuration of security for your APIs. An easy-to-use wizard-based interface pulls in the specification and allows you to configure various parts of the security, including brute force protection, DDoS protection, authentication, and more from a single interface, reducing administrator overload.

Barracuda Web Application Firewall solutions provide extensive logging and reporting for all HTTP requests with ready integration with the top SIEM vendors. This provides a centralized auditing and regulatory compliance framework for enterprise API services that deal with PII, confidential or sensitive data.

In addition, the cloud-based Advanced Analytics Dashboard is driven by data from your websites connected to Barracuda Advanced Bot Protection. The dashboard provides a deep look into your bot traffic statistics. You can drill right down to the level of each detected bot and see details about its visits to your application, the amount of traffic it has generated, source IP address, and more. The data provides you with a deep historical look at bot traffic, and its effects on your application.