Barracuda WAF

A Web application firewall (WAF) is a firewall that monitors, filters or blocks data packets as they travel to and from a Web application. A WAF can be either network-based, host-based or cloud-based and is often deployed through a proxy and placed in front of one or more Web applications.

Barracuda Web Application Firewall enables administrators to configure security rules with varying degrees of granularity. A security policy, consisting of a set of security settings, is shared by multiple applications.

A newly configured service originally uses the ‘default security policy’, so all URLs and Parameters are compared to the ‘default security policy’ settings. The Barracuda Web Application Firewall applies rules to traffic and generates a log of rule violations viewable in the BASIC > Web Firewall Logs page.  

You can use the Web Firewall Logs to evaluate rule violations and, when warranted, create exceptions to the rule violated. Exceptions can apply globally if they modify the security policy, which affects all services using that policy, or you can apply an exception locally so that it only applies to a specific website or URL. To create a fine-grained exception, you use the WEBSITES > Allow/Deny or WEBSITES > Website Profiles pages.

The default security policy associated with a Service might sometimes end up blocking genuine requests, which are called false positives. To reduce false positives you can enable Exception Profiling for desired websites on the WEBSITES tab. Exception profiling uses heuristics displayed on the WEBSITES > Exception Heuristics page to identify false positives. You can set the exception profiler to automatically refine security policy rules for the respective site section by setting Request Violation Handling to Auto on the Exception Heuristics page; alternatively, set Request Violation Handling to Manual if you want the profiler to generate policy recommendations under Pending Recommendation on WEBSITES > Exception Profiling. In this case, the administrator must review the violations, and manually apply desired fixes.

Barracuda strongly recommends that you select automatic remediation in Passive Mode. Passive Mode allows you to manually audit the policy changes and verify that no false positives are logged. After verifying, you can deploy the fix in Active Mode.

Barracuda WAF supports load balancing of all types of applications. Load balancing ensures that subsequent requests from the same IP address will be routed to the same back-end server as the initial request. This requires an awareness of server health, so that subsequent requests are not routed to a server which is no longer responding. The Barracuda WAF can monitor server health by tracking server responses to actual requests and marking the server as out-of-service when errors exceed a user-configured threshold. In addition, the Barracuda WAF can perform out-of-band health checks: requests created and sent to a server at configured time intervals to verify its health.

The overall flow, from the request being initiated at the client, through processing by the firewall and then by the web server, and finally back to the client, is shown below.

[Diagram: request flow from the client through the WAF to the web server and back]

The diagram shows the order in which a request is processed:
1. Request initiated at the client browser, then passed to the WAF, which processes it through the following sections:
2. Request Limits
3. URL Normalization
4. Cookie Security
5. Global ACLs
6. Session Tracking
7. Allow/Deny Rules
8. URL Protection
9. Parameter Protection
10. Action Policy
11. URL Policies

The above are the rules or sections processed before the request reaches the web server. Once the web server has received the request and produced the response, the response passes back through the WAF, which performs the following validations:

1. Cloaking
2. Data Theft Protection

When Data Theft Protection is enabled, the Barracuda Web Application Firewall intercepts the response from the server and compares it to the patterns listed on the ADVANCED > View Internal Patterns page and on the ADVANCED > Libraries page (for any custom identity theft patterns).

If the response matches any of the defined patterns, it is blocked or cloaked depending on the Action (Block or Cloak) that is set. If Action is set to Block, the response sent by the server is blocked. If set to Cloak, the matching data is cloaked, that is, partly overwritten with "X"s.
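As an added illustration of the Block/Cloak decision described above (this is not Barracuda's code; the two patterns and the sample response are constructed stand-ins for the internal pattern library), a response filter that cloaks all but the last four digits and applies a Luhn check to card-number hits so that ordinary 16-digit numbers do not become the false positives discussed earlier:

```python
import re

# Constructed stand-ins for the identity-theft patterns on the ADVANCED > View
# Internal Patterns page; Barracuda's real pattern library is not reproduced here.
PATTERNS = {
    "credit-card": re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b"),
    "us-ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def luhn_ok(text: str) -> bool:
    """Luhn checksum on the digits of text; rejects 16-digit runs that are not cards."""
    total = 0
    for i, ch in enumerate(reversed([c for c in text if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def cloak(text: str, keep_last: int = 4) -> str:
    """Overwrite all but the trailing keep_last digits with 'X'; separators stay."""
    remaining = sum(ch.isdigit() for ch in text)
    out = []
    for ch in text:
        if ch.isdigit():
            out.append(ch if remaining <= keep_last else "X")
            remaining -= 1
        else:
            out.append(ch)
    return "".join(out)

def inspect_response(body: str, action: str) -> tuple[int, str, list[str]]:
    """Data Theft Protection on a server response; action is "Block" or "Cloak".
    Returns (status, body sent to the client, names of patterns that matched)."""
    hits: list[str] = []
    cloaked = body
    for name, rx in PATTERNS.items():
        def rewrite(m: re.Match) -> str:
            text = m.group(0)
            if name == "credit-card" and not luhn_ok(text):
                return text                     # fails Luhn: treat as false positive
            if name not in hits:
                hits.append(name)
            return cloak(text)
        cloaked = rx.sub(rewrite, cloaked)
    if not hits:
        return 200, body, hits                  # clean response passes unchanged
    if action == "Block":
        return 403, "Response blocked by data theft protection", hits
    return 200, cloaked, hits                   # action == "Cloak"
```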