Barracuda Networks Web Application Controller Overview

Barracuda Web Application Controllers:

Barracuda Web Application Controllers protect your Web site from attackers leveraging protocol or application vulnerabilities to instigate unauthorized access, data theft, denial of service or defacement of your Web site. Unlike traditional network firewalls or intrusion detection systems that simply pass HTTP, HTTPS or FTP traffic for Web applications, Barracuda Web Application Controllers proxy this traffic and insulate your Web servers from direct access by hackers.

The Barracuda Web Application Firewall protects Web applications and Web services from malicious attacks. The Barracuda Application Gateway also increases the performance and scalability of these applications. Barracuda Web Application Controllers offer every capability needed to deliver, secure, accelerate and manage enterprise Web applications from a single appliance through an intuitive, real-time user interface.

  • Single point of protection for inbound and outbound traffic for all Web applications
  • Protects Web sites and Web applications against application layer attacks
  • Delivers best practices security right out of the box
  • Monitors traffic and provides reports about attackers and attack attempts

Barracuda Web Application Controllers Architecture

Comprehensive Web Site Protection:

Barracuda Web Application Controllers, including both the Barracuda Web Application Firewall and Barracuda Application Gateway, provide award-winning protection from all common attacks on Web applications, including SQL injections, cross-site scripting attacks, session tampering and buffer overflows.

Almost all applications are vulnerable to such attacks because application developers do not consistently employ strict secure coding practices. Barracuda Web Application Controllers are designed to combat all attack types that have been categorized as significant threats, including:

  • Cross Site Scripting (XSS)
  • SQL injection flaws
  • OS command injections
  • Site reconnaissance
  • Session hijacking
  • Application denial of service
  • Malicious probes/crawlers
  • Cookie/session tampering
  • Path traversal
  • Header tampering
  • Information leakage

A Single Solution to a Multifaceted Problem:

Online Web-based applications are increasingly at risk from professional hackers who target such applications in order to commit data theft or fraud. Being compromised can damage an enterprise’s reputation, result in loss of customers and impact the organization’s bottom line.

In addition, companies that transact online are faced with a host of growing industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS), which mandates that all enterprise and Web applications handling credit card and account information must undergo an extensive and costly audit of custom application code. The alternative way to satisfy PCI DSS compliance is simply to install a Web application firewall.

The combination of these factors, along with banking industry PCI DSS compliance concerns, creates demand for a more technologically effective and cost-effective risk protection solution for online Web applications.

Backed by the worldwide leader in email and Web security appliances, Barracuda Web Application Controllers will continue to dominate the market by breaking technology barriers.

Web Application Controller Features:

Traditionally, security has been considered a network issue, where system administrators lock down host computers through a network firewall. While a typical network firewall can help restrict traffic to HTTP, HTTPS and FTP, this traffic can contain command exploits leveraging vulnerabilities in the Web application itself that can result in unauthorized access, data leakage, site defacement and other attacks by hackers that compromise both the privacy and integrity of vital data. Businesses of all sizes that operate their own Web applications should ensure that their Web sites are protected against application vulnerabilities.

Barracuda Web Application Controllers, including both the Barracuda Web Application Firewall and Barracuda Application Gateway, provide complete protection of Web applications and are designed to enforce policies for both internal and external data security standards, such as the Payment Card Industry Data Security Standard (PCI DSS). At the same time, the Barracuda Application Gateway features a number of additional traffic management capabilities designed to improve the performance, scalability and manageability of today’s most demanding data center infrastructures.

Comprehensive Web Site Protection:

Barracuda Web Application Controllers proxy all of your Web site traffic, providing complete protection in front of your Web sites. Capabilities include:

  • HTTP protocol compliance. At a basic level, Barracuda Web Application Controllers verify that all inbound requests comply with the HTTP specification. For example, inbound requests with more than one Content-Length header are typically the basis of HTTP request smuggling attacks; such requests are illegal according to the HTTP specification and are blocked automatically.
  • Protection against common, high-visibility attacks. Hackers can take advantage of vulnerabilities in your online Web forms to attack your applications. Barracuda Web Application Controllers protect your Web applications against SQL injections, OS command injections and cross-site scripting attacks.
  • Protection against attacks based on session state. Barracuda Web Application Controllers protect your Web applications against any attacks based on session state, such as forms tampering or cookie tampering.
  • Online form field validation. Through a positive security model, Barracuda Web Application Controllers can ensure that requests conform with a developer’s intention. For example, if a developer specifies that a field should contain 40 characters of text input, any attempt by an attacker to inject a Trojan or a virus will be rejected outright because it does not conform to that input pattern.
  • Outbound data theft protection. In addition to inspecting the request traffic, Barracuda Web Application Controllers also inspect all outbound packets for any data pattern expressible as a UNIX-style regular expression. Built-in policies protect all major credit cards and US Social Security number patterns and new data patterns can be added at any time. Inspection for outbound leakage of these patterns can be applied to security policy on-the-fly.
  • Web site cloaking. To prevent hackers from doing reconnaissance on your Web infrastructure, Barracuda Web Application Controllers automatically strip identifying banners of Web server software and version numbers out of all transactions.
  • Anti-crawling. While some Web crawlers, such as search engines, are often desirable, you may wish to prevent all other users from downloading your entire site. Barracuda Web Application Controllers can easily identify and allow legitimate crawlers while blocking more malicious ones.
  • Rate controls and application denial of service (DoS) protection. You can specify a performance cap for your application, above which traffic is queued. Rate controls ensure that applications are not pushed beyond their performance limits, preventing application-layer DoS.
  • Advanced learning modes and fine-grained control. Barracuda Web Application Controllers feature automatic “profiling” of Web sites based on traffic passing through the system as well as automatic fine-grain rules creation based on both HTTP requests and responses down to the level of individual HTML elements.
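
The HTTP protocol compliance check described in the first item above can be illustrated with a short Python sketch. This is an added example, not Barracuda code: the function name, the sample requests and the host `shop.example` are constructed for illustration, and the check goes slightly beyond the duplicate Content-Length case by also flagging non-numeric lengths, malformed header names and a Content-Length sent together with Transfer-Encoding.

```python
import re

# Header names must be HTTP "tokens"; anything else (such as a space
# before the colon) is treated as a protocol violation.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def framing_violations(raw_request: bytes) -> list[str]:
    """Return the reasons a proxy should refuse this request's header block."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    problems, lengths, has_te = [], [], False
    for line in head.split(b"\r\n")[1:]:           # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or not TOKEN.fullmatch(name):
            problems.append(f"malformed header name {name!r}")
            continue
        name = name.lower()                        # header names are case-insensitive
        if name == b"content-length":
            lengths.append(value.strip(b" \t"))
        elif name == b"transfer-encoding":
            has_te = True
    if len(lengths) > 1:
        problems.append("more than one Content-Length header")
    if any(not v.isdigit() for v in lengths):
        problems.append("Content-Length is not a plain decimal number")
    if lengths and has_te:
        problems.append("both Content-Length and Transfer-Encoding present")
    return problems

# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
         b"Content-Length: 9\r\n\r\nuser=anna")
DUPLICATE = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
             b"Content-Length: 9\r\nContent-Length: 0\r\n\r\nuser=anna")
MIXED = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
         b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("duplicate", DUPLICATE), ("mixed", MIXED)):
        print(label, framing_violations(req) or "forward to backend")
```

A proxy that rejects on any returned reason never forwards a request whose body length the front end and the backend could interpret differently.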

Protection of XML Web Services:

Barracuda Web Application Controllers provide the capability to secure both traditional HTML Web applications and new XML Web services applications. Available as an option to the Barracuda Web Application Controller, the Web Services Security Edition enables a strong new layer of defense to deploy SOAP applications across the perimeter – all without requiring administrators to learn all the details of XML or Web services.

  • Protection against targeted XML attacks. Analogous to the protections offered for traditional HTML Web Applications, Barracuda Web Application Controllers also protect Web services applications from targeted XML attacks, including SQL injection, command injection, buffer overflow and parameter tampering.
  • Validation of XML schema, SOAP envelopes and XML content. To ensure full compliance to Web services protocols and specifications governing their use, Barracuda Web Application Controllers validate XML schemas, SOAP envelopes, headers and message content. Barracuda Web Application Controllers conduct full XML content inspection looking for policy violations such as oversized messages, unexpected field values and inappropriate external references.
  • WS-I profile validation. Barracuda Web Application Controllers ensure that all Web services transactions conform to extensive WS-I basic profile requirements for security and interoperability.
  • Web services cloaking. By masking the true URI of mission critical Web services, Barracuda Web Application Controllers make them more difficult for hackers to target.
  • Protection against XML denial of service (DoS) attacks. Barracuda Web Application Controllers protect against XML DoS attacks, such as coercive parsing, external entity attacks, jumbo payloads and recursive elements attacks.
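
The content inspection and XML DoS limits listed above (oversized messages, external references, recursive elements) can be sketched as a streaming pre-parse check. This is an added Python example, not Barracuda code: the function names, the limit values and the sample messages are assumptions made for illustration.

```python
from xml.parsers import expat

class PolicyViolation(Exception):
    """Raised when a message breaks one of the inspection limits."""

def inspect_xml(payload: bytes, max_bytes=65536, max_depth=20, max_elements=5000) -> int:
    """Stream-parse the message; return the element count or raise PolicyViolation."""
    if len(payload) > max_bytes:                   # jumbo payload
        raise PolicyViolation("oversized message")
    depth = elements = 0
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Refusing any DOCTYPE rules out entity declarations and external references.
        raise PolicyViolation("DOCTYPE declaration not allowed")

    def on_start(name, attrs):
        nonlocal depth, elements
        depth += 1
        elements += 1
        if depth > max_depth:                      # recursive / deeply nested elements
            raise PolicyViolation("element nesting too deep")
        if elements > max_elements:
            raise PolicyViolation("too many elements")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(payload, True)                # handler exceptions stop the parse
    except expat.ExpatError as exc:
        raise PolicyViolation(f"not well-formed XML: {exc}") from exc
    return elements

def verdict(payload: bytes, **limits) -> str:
    """Map the inspection result to an accept/reject decision string."""
    try:
        return f"accept ({inspect_xml(payload, **limits)} elements)"
    except PolicyViolation as exc:
        return f"reject: {exc}"

# Constructed sample messages (not captured traffic).
ORDER = b"<Envelope><Body><order id='7'><item>book</item></order></Body></Envelope>"
NESTED = b"<a>" * 30 + b"</a>" * 30
WITH_DTD = b'<!DOCTYPE order [<!ENTITY note "n/a">]><order>&note;</order>'
```

Because the limits are enforced inside the parser callbacks, a message is rejected as soon as it crosses a limit rather than after it has been fully loaded into a document tree.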

Application Access Control:

The Barracuda Web Application Controller implements a single point for policy enforcement and control, including authentication to ensure that users are known, access control policy for resources, session monitoring, protection against data leakage and integration with existing authentication, authorization and access control (AAA) systems. Capabilities include:

  • Simple single sign-on (SSO) portal. By combining built-in authentication and authorization capabilities with Web address translation and cookie session management features, administrators utilize the Barracuda Web Application Controller to present a simple front-end portal to back-end applications without requiring changes to source code, IP addressing or the server infrastructure. Authentications are logged and user credentials are forwarded in the HTML header making integration with backend applications simple and scalable.
  • LDAP and RADIUS integration. For authentication and authorization, Barracuda Web Application Controllers integrate with common authentication services, including Active Directory and other LDAP-compatible directories as well as RADIUS servers.
  • PKI support. Barracuda Web Application Controllers provide full PKI infrastructure and can act as a Certificate Authority, including participating in a certificate trust chain.
  • Web access management.
    • Policy Enforcement Point (PEP) for CA SiteMinder. For organizations utilizing CA SiteMinder for Web access management, Barracuda Web Application Controllers offer full-scale integration that encompasses authentication, authorization and single sign-on capabilities in single domain and multi-domain environments, along with performance enhancements. The Barracuda Web Application Controllers serve as the single high-performance Policy Enforcement Point (PEP), allowing CA SiteMinder to focus on its role as the Policy Decision Point (PDP).
    • RSA Access Manager. Barracuda Web Application Controllers can be integrated with RSA Access Manager for Web access management. The integrated system provides a high performance setup for application layer security along with authentication, authorization and single sign-on capabilities in single domain and multi-domain environments.

Application Delivery and Acceleration:

In addition to the security and access control benefits of Barracuda Web Application Controllers, there are also additional operational capabilities available with the Barracuda Application Gateway. Capabilities include:

  • Caching. The Barracuda Application Gateway can reduce load on backend Web servers and increase performance by caching Web content and avoiding repeated requests to backend Web servers.
  • Compression. To reduce network traffic requirements, the Barracuda Application Gateway can automatically apply GZIP compression to renderable HTML content to be decompressed by the browser.
  • Connection pooling. To reduce backend server overhead for maintaining new TCP connections, the Barracuda Application Gateway can automatically pool multiple frontend connections into a single backend connection. Connection pooling keeps the backend servers focused on processing application logic rather than protocol termination.
  • SSL acceleration. Barracuda Web Application Controllers include hardware-based SSL Acceleration, offloading backend servers from the computational burdens of encrypting and decrypting secure Web traffic.
  • Load balancing. The Barracuda Application Gateway includes integrated load balancing capabilities to distribute traffic among multiple backend servers. It supports both Layer 4 and Layer 7 cookie persistence and includes support for Layer 7 content switching based on URL pattern, parameter or HTTP header fields.
  • High Availability. When inline in Bridge-path, the Ethernet Hard Bypass ensures reliable application delivery even with a single Barracuda Web Application Controller. For Web applications with stringent security requirements, Barracuda Web Application Controllers may be installed in a redundant pair configuration, providing real-time application state replication so that security and user sessions will not be compromised during a failover event.

Logging, Monitoring and Reporting:

Barracuda Web Application Controllers feature advanced capabilities to provide immediate feedback to operations teams that deploy, manage and secure mission critical applications. Capabilities include:

  • Comprehensive logging. Barracuda Web Application Controllers maintain a rich set of logs on the appliance, including system activity, Web Firewall activity, Web services activity, network firewall activity, and traditional Web logs.
  • Tamper-proof log storage. Any log can be time-stamped, digitally signed and encrypted to ensure tamper-proof storage.
  • Syslog support. Barracuda Web Application Controllers forward logs to a syslog server for centralized and persistent storage or analysis by a third party tool.
  • Integration with eIQ Network Security Analyzer. Barracuda Web Application Controllers integrate with eIQ Network Security Analyzer (available separately) for comprehensive event correlation, event alerting and reporting.

 

Barracuda Networks - The trusted source for spam, spyware, virus, and content blocking. BarraGuard.com is a division of Virtual Graffiti Inc, an authorized Barracuda Networks reseller.
Copyright © 2008 Barracuda Networks. All Rights Reserved.