Automating Application Security on Microsoft Azure

Barracuda Web Application Firewall, Barracuda Vulnerability Remediation Service, and Puppet

Download PDF

Introduction

Organizations like yours are adopting Infrastructure-as-Code in order to be more agile in responding to shifting business requirements. At the same time, the threats posed by advanced malware have been growing exponentially. This poses a challenge: How to accelerate proven security best practices so that they enhance—rather than impede—the agility of the applicationdevelopment lifecycle while continuing to support optimal security.

The Barracuda Web Application Firewall includes powerful built-in security-automation features, and leverages configuration automation solutions such as those developed by Puppet. As a result, it can serve as an important element of your strategy to accelerate the overall applicationdevelopment process by bringing security up to agile speed, especially when implemented in public-cloud environments such as Microsoft Azure.

Puppet has been a pioneer in the development of configuration-automation solutions, and has a proven track record for automating the configuration and management of enterprise workloads. Puppet Forge is a hub for publicly available Puppet modules.

Automating the Provisioning of Barracuda Web Application Firewall Virtual Machines on Microsoft Azure

The Puppet module for Microsoft Azure makes it easier for you to eliminate potential bottlenecks by using code to automate the process of provisioning Web Application Firewall instances in Azure. Using the “azure_resource_template” resource type—included in Puppet’s module—you can customize solution templates to create and configure virtual machines, along with such needed resources as the resource group, storage account, network security group, and network interface card.

REST API for the Barracuda Web Application Firewall

The REST API framework, which enables remote administration, can also be used to automate the configuration of the Barracuda Web Application Firewall. Almost all Web Application Firewall configuration tasks can be achieved with API calls. Here’s an sample API call to create a service:

curl http://<systemip>:<mgmt-port>/restapi/v1/virtual_services -u ‘token:’ -X POST -H ContentType:application/json -d ‘{“name”: “demo_service”, “ip_address”: “<ipaddr>”, “port”: “80”, “type”:”http”, “address_version”:”ipv4”, “vsite”:”demo_vsite”, “group”:”demo_vsite_group”}’

In that example, the call to the virtual_service API is sent as a POST request, with a JSON body containing the required parameters and their values to create a service. Please note that this example is for REST APIv1. In the WAF Firmware version 9.1, there is support for an enhanced RESTAPI framework. The new version number is v3.

Application Security Automation Workflow Model

The Blue-Green testing framework is a proven deployment design pattern to achieve foolproof configuration management with minimal or no downtime.

A schematic diagram to show the Blue Green deployment methodology is shown below:

Notes:
Configuration can be synced between green and blue environments periodically. Iterations to swap the environments are performed as per change requirements.

Typically, you will use the staging environment to automate all these stages of the deployment process:

Introduction of the security policy upon the application:
Barracuda Web Application Firewall supports security policies that are fine-tuned for different types of application. Creating a service ensures that the security policy is bound to the service. REST API calls can be made to the Web Application Firewall for automating this process.

Seamless access to the application through the security layer:
Minimal or no work is involved if the service is configured correctly

Penetration testing through the security layer:
The Web Application Firewall lets you use Barracuda Vulnerability Remediation Service to scan the application through and to ensure that policy fixes are available. This can be automated through REST API calls to the Vulnerability Remediation Service.

Fine-tuning the security layer:
Policy fixes on the Barracuda Web Application Firewall are authorized by the administrator, and can be initiated from the Vulnerability Remediation Service console.

Go to production:
Barracuda Vulnerability Remediation Service can be scheduled to run updated scans on a periodic basis to maintain optimum security.

Puppet has set up a sample environment that automates all these aspects of deployment. You can download it at https://github.com/barracudanetworks/waf-automation/tree/master/wafpuppet/azureinfra.

Deployment Automation Workflow

Provisioning the Barracuda Web Application Firewall

This is the Puppet manifest for creating the Barracuda Web Application Firewall using the ARM template:

Barracuda Web Application Firewall Configuration

Once the Barracuda Web Application Firewall is provisioned on Azure, the “azurecudawafconfig” module is used to configure the Web Application Firewall. REST API calls are used in a ruby script to connect to the Web Application Firewall and configure the service and the rule groups.

The sample script available in the module performs the following operations:

  1. Accepts the EULA
  2. Authenticates with the Web Application Firewall admin username and password and gets a REST API access token
  3. Connects to the REST API and creates two service groups
  4. Creates a certificate for use with the HTTPS service
  5. In each of the service groups, creates two services, one each for HTTP and HTTPS
  6. Connects the Barracuda Web Application Firewall to Barracuda Cloud Control

Barracuda Vulnerability Remediation Service

Barracuda Vulnerability Remediation Service is a complementary service to the Barracuda Web Application Firewall. It lets you automatically scan, remediate, and maintain your application security posture.

The solution supports REST API calls for all the critical aspects of the product, such as listing the services on the Web Application Firewall, configuring and running a scan operation, etc. The sample script available in the module creates a scan for a service mentioned by the administrator.

The script can also be extended to automatically create a scan every time a service is added on the Web Application Firewall.

What Next?

Once the Puppet agent run is complete, your application infrastructure includes a functional Web Application Firewall with a scanning service that’s fully configured to keep your applications secure. Barracuda Cloud Control provides a simple, powerful, centralized interface for comprehensive administration and management.

Code Revision and Versioning

Since there is no manual intervention in the process except for the Puppet agent settings, the Puppet environment code can be uploaded to Continuous Integration (CI) services such as GitHub or Bitbucket.

Summary

Agility in developing, deploying, and updating applications is critical in today’s fast-moving business environment. That same agility must extend to the deployment and configuration of application security solutions. Automating these security processes delivers that agility, and makes it easier to pivot rapidly when business needs shift.

Barracuda Web Application Firewall delivers optimal application security and exceptional ease of use, and its advanced automation frameworks help you boost productivity and stay ahead of the competition by accelerating your development cycles.

For more information, please visit: https://github.com/barracudanetworks/waf-automation