Barracuda WAF

Post on 08-Nov-2014


Protect your online assets today, Hackers Don’t Wait! Barracuda Web Application Firewall

Jumpstart Training

Mohd Fadhly Mohd Hassim, mfadhly@barracuda.com

Barracuda Networks Technical Conference 2012


Barracuda Web Application Firewall Features and Benefits


Architecture


Barracuda Web Application Firewall vs IPS/IDS

Attack                                                IPS/IDS   BWAF
1.  Injection attack protection (XSS, SQL)            Limited   Yes
2.  Normalize encoded traffic                         No        Yes
3.  Inspect HTTPS traffic                             Limited   Yes
4.  Session tampering/hijacking/riding protection     No        Yes
5.  Forceful browsing prevention                      No        Yes
6.  Data theft protection, cloaking                   No        Yes
7.  Brute-force protection                            No        Yes
8.  Web services protection                           No        Yes
9.  Application layer DoS protection                  No        Yes
10. Rate control protection                           No        Yes


Barracuda WAF Features Overview

• Comprehensive Website Protection – proxies all website traffic to provide complete protection for websites
• Identity and Access Management – application authentication and authorization
• Application Delivery and Acceleration – additional non-security capabilities and features such as High-Availability clustering, load balancing, and content compression and caching
• Logging, Monitoring and Reporting


Securing against injection attacks

• Every web application has a form
• Forms have input fields
• Hackers can inject bad data into these fields
• Types of possible attacks
  – Cross Site Scripting attacks
  – SQL injection attacks
  – OS Command injection
  – Malware injection

Example form values shown on the slide:

admin

' OR username IS NOT NULL OR username = '
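To show what the slide's payload does to a login query, here is an added example (not code from the slides or from Barracuda): a constructed in-memory SQLite user table queried once by string concatenation and once with bound parameters.

```python
import sqlite3

# Constructed in-memory user table standing in for the application's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret-pw"), ("alice", "wonderland")])
    return conn

def login_vulnerable(conn, username, password):
    # Input is concatenated straight into the statement, so the quote in the
    # slide's payload closes the literal and the rest becomes SQL logic:
    # ... AND password = '' OR username IS NOT NULL OR username = ''
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(sql)]

def login_safe(conn, username, password):
    # Bound parameters: the same payload is compared as a plain string value.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

# Payload from the slide, submitted in the password field.
PAYLOAD = "' OR username IS NOT NULL OR username = '"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin", PAYLOAD))   # every user row comes back
    print(login_safe(db, "admin", PAYLOAD))         # no match
```

The WAF's injection signatures stop the payload at the edge; bound parameters stop it in the application, and a defender wants both layers.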


Inbound and Outbound Inspection

[Diagram: clients <-> Barracuda Web Application Firewall <-> servers. Inbound inspection for Layer 7 attacks; outbound inspection to protect against data theft via blocking or data masking.]

Barracuda Web Application Firewall
• Based on reverse proxy technology
• Has bi-directional content inspection and security
• As a reverse proxy, it can load balance and accelerate application delivery


Securing web transactions

• HTTP is a stateless protocol
• Transaction boundaries are maintained using
  – Cookies
  – Read-only parameters
  – Session-bound enumerations
• Types of attacks against these
  – Tampering attacks
  – Hijacking attacks
  – Replay attacks
  – Cross site request forgery


Securing against rate based attacks

• Hackers can perform legitimate operations repeatedly to create problems
• Operations can result in
  – Creation of a session
  – Download of big files
  – Big database transactions
  – Slow download/upload
• Types of attacks against these
  – Guessing of passwords
  – Excessive session creation rates
  – Resource choking


Securing outbound data

• Responses may contain
  – Sensitive information
    • Credit card numbers
    • Social Security Numbers
  – Errors
    • Server errors
• Useful to the hacker
  – Steal information
  – Fine-tune the attack


Securing Against Distributed Denial of Service


OSI Model              DoS Attack
7  Application         Slowloris – Incomplete HTTP Requests
6  Presentation
5  Session
4  Transport           SYN Flood – Incomplete TCP Handshakes
3  Network
2  Data Link
1  Physical            Cut a cable

Where it fits in


DDoS Prevention Setting in Barracuda WAF


How we prevent Slow client attacks


DDoS Security
• Geo Filter
• Geo Filter enables you to associate a geo pool with a Service to block incoming traffic originating from the geographical regions specified in the geo pool.


HTTP Parameter Pollution

• How does your web application respond if it receives multiple parameters all with the same name?

HPP prevention in WAF

The maximum number of instances of a parameter can be configured, for wildcard parameter names as well.
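To make the HPP question concrete, here is an added example (not Barracuda code): it shows how a backend's duplicate-resolution policy changes the value it acts on, and a "max instances per parameter" check with wildcard names, which is an assumed model of the WAF setting described above.

```python
import fnmatch
from urllib.parse import parse_qs

def param_values(query):
    # Every instance of every parameter, in the order the client sent them.
    return parse_qs(query, keep_blank_values=True)

def effective_value(query, name, policy):
    # How a backend might resolve duplicates: "first", "last" or "all".
    # Different servers and frameworks pick different policies, which is
    # exactly what parameter pollution exploits.
    values = param_values(query).get(name, [])
    if not values:
        return None
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "all":
        return values
    raise ValueError("unknown policy %r" % policy)

def hpp_violations(query, limits, default_limit=1):
    # limits maps a parameter name or wildcard pattern (fnmatch syntax) to the
    # maximum number of instances allowed; the first matching pattern wins and
    # anything unmatched is allowed default_limit instances.
    violations = []
    for name, values in param_values(query).items():
        limit = default_limit
        for pattern, max_instances in limits.items():
            if fnmatch.fnmatchcase(name, pattern):
                limit = max_instances
                break
        if len(values) > limit:
            violations.append((name, len(values), limit))
    return violations

# Constructed query string with a polluted "id" and a legitimate array field.
QUERY = "id=5&id=6&item[]=a&item[]=b&item[]=c"

if __name__ == "__main__":
    print(effective_value(QUERY, "id", "first"), effective_value(QUERY, "id", "last"))
    print(hpp_violations(QUERY, {"item*": 3}))   # only "id" exceeds its limit
```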

Cross site request forgery – example

1. A valid user, Alice, logs in to bank.example.com with her credentials. A trust relationship is established between Alice and bank.example.com at this point.

2. The attacker sends Alice a link (social engineering). The HTML code of the web page behind that link has an image tag pointing to bank.example.com that references an action, for example: <img src="http://bank.example.com/transfer?account=alice&amount=1000000&to=attacker">

3. Alice visits the attacker-controlled web page; Alice's web browser parses the HTML content and thereby initiates an unintentional request to bank.example.com for the action referenced in the HTML code.

4. bank.example.com completes the action since it trusts Alice as a valid user for that action.

WAF prevents CSRF

• The WAF prevents CSRF as part of Website Profiles, under URL Profiles

What's new in Firmware v7.7:

• CSRF prevention is enhanced and supported as a global setting under Security Policies -> URL Protection

Threat Control Manager

• Barracuda's approach to mitigating website vulnerabilities using vulnerability scanners
• Currently, the Barracuda Web Application Firewall supports only
  – IBM AppScan (version 7.9) and
  – Cenzic Hailstorm (version 6.6)
  – The assessment report exported should be in .xml format

How?

• Users click on a link or go to the webpage that has the HTML form

• The WAF detects the form in the response body and appends a hidden parameter with a hashed token value to the response page.

• The subsequent HTTP request submitting that user's input from the form is checked for the inclusion of the previously generated hidden parameter and token hash. If there is no match, the request is blocked as a CSRF violation.

• The same check is applied to URLs in case "Forms and URLs" is selected for CSRF prevention.
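The form-token mechanism described above, as an added example (not Barracuda's implementation; the real token format is not described on the slides). It assumes the appliance holds a secret and binds the token to the client's session id; the outbound step injects a hidden field into each form, and the inbound step rejects any submission whose token does not match, which is what stops the forged image request in the bank example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs

# Assumption of this example: a per-appliance secret and a session id
# supplied by the WAF's session tracking.
WAF_SECRET = b"constructed-example-secret"
TOKEN_PARAM = "waf_csrf_token"

def make_token(session_id):
    # Hashed token value for this session (HMAC-SHA256 over the session id).
    return hmac.new(WAF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def inject_tokens(html, session_id):
    # Outbound step: append a hidden parameter to every form in the response body.
    hidden = '<input type="hidden" name="%s" value="%s">' % (
        TOKEN_PARAM, make_token(session_id))
    return re.sub(r"</form>", hidden + "</form>", html, flags=re.IGNORECASE)

def check_request(form_body, session_id):
    # Inbound step: the submitted form must carry the token issued for this
    # session; otherwise the request is blocked as a CSRF violation.
    sent = parse_qs(form_body).get(TOKEN_PARAM, [""])[0]
    return hmac.compare_digest(sent, make_token(session_id))

# Constructed response body containing one transfer form.
PAGE = '<form action="/transfer" method="post"><input name="amount"></form>'

if __name__ == "__main__":
    print(inject_tokens(PAGE, "sess-alice"))
    token = make_token("sess-alice")
    print(check_request("amount=10&%s=%s" % (TOKEN_PARAM, token), "sess-alice"))  # True
    print(check_request("amount=10", "sess-alice"))                                # False
```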


Identity and Access Management

• LDAP and RADIUS integration
  – Including Active Directory
• Simple Single Sign-On (SSO)
• Two-Factor Authentication
  – Certificate-based authentication
  – RSA token IDs
  – SMS Passcode integration
• Access Control
  – Granular policies governing what areas or which resources users can access


User Authentication

• User DB
  – Internal: stored User Database
  – Or external: LDAP, RADIUS
• Client Certificates
  – Digital certificate authentication can also be used

[Diagram: sign-on flow between a business partner on the Internet, the WAF (with cache) and an external authentication system (LDAP, RADIUS ...): 1. Initial access; 2. "Please supply User-ID / Password"; 3. User supplies credentials; 4. DB verification; 5. Access to the start page after successful sign-on.]


Multi Domain SSO

• User needs to log in only once across multiple domains
• Master domain and slave domains are defined
  – Ex. slave: abc.com and master: xyz.com
• If the request comes directly to the slave domain (www.abc.com) before the master, it is redirected to the master.
• The master domain issues the authentication cookie

[Diagram: a request for http://www.abc.com/protected.html should have gone straight to the slave domain www.abc.com, but the BWAF redirects the request to the master domain www.xyz.com.]


Application Delivery and Acceleration

• High Availability Cluster
• Load balancing
• SSL offloading
• Content Caching
• Compression
• Connection pooling

[Diagram: Barracuda Web Application Firewalls at the perimeter in front of the servers, combining SSL accelerators, security, Web & XML, caching, load balancing and access control.]

Evolution of DMZ Architecture

[Diagram: Barracuda Web Application Firewalls at the perimeter in front of the servers, with IPv6/IPv4 translation (IPv6 to IPv6, IPv6 to IPv4, IPv4 to IPv6), vulnerability scanner integration and role based administration.]

Backed by Barracuda Central

[Diagram: Barracuda Web Application Firewalls at the perimeter, receiving updates from Barracuda Central.]

• Attack updates
• Anti Virus updates
• Definition updates
• Geo Location updates
• IP Reputation updates

VLAN Trunking

• The 7.7 firmware release adds a feature supporting VLAN Trunking
• One Vsite per VLAN, with the Vsite hosting the Services that belong to that VLAN
• WAN IP & WAN Default Gateway should be on the default VLAN

Active-Active HA

Automatic Failover-Failback

Manual Mode

VSite concept example 1 – Standalone setup

Vsite "test" is created and one service is part of the vsite. A vsite-level route is configured to route all traffic through 192.168.30.2, which is different from the WAN GW, 192.168.20.2. Possible: to create ACLs specific to the vsite.

VSite concept example 2 – HA setup

WAF Load Balancing

SSL Offloading

• The Barracuda WAF does SSL encryption and decryption
  – Offloads the job of encryption from servers to the Barracuda
  – Requires only 1 certificate instead of 1 certificate for each server
  – Back-end SSL between the WAF and the Servers is also available

[Diagram: HTTPS between clients and the WAF, HTTP between the WAF and the servers.]

Caching and Compression

• Caching
  – Docs, PDFs, images and other file types can be cached locally instead of being repeatedly pulled from the application server
• Compression
  – Text can be compressed using gzip, deflate
  – Compression should be done by the WAF and not the application server

Connection pooling

• Setting up TCP sessions can be resource intensive

• WAF automatically pools multiple front-end connections into a single back-end connection

• This reduces connection overhead and improves server performance

Configuration, Logging, Monitoring & Reporting

• Web-based UI
• Role-Based Access Control
• Comprehensive logging
• Syslog support
• Extensive reports


Barracuda WAF Web Interface

• Easy
• Intuitive
• Consistent
• Multiple Languages
• Configure and Forget

Role-Based Access Control

• Each admin user has unique login credentials, privileges and permissions

• Admins can be defined and authenticated with LDAP

• Compliant with PCI DSS Section 7.1

Log Types

• Access Logs
• Web Firewall Logs
• Audit Logs


Deployment Options


WAF in the Network

• Modes of Operation
  – Bridge Mode
    • With Ethernet Fail Open
  – Proxy Mode
    • Inline or One-Arm

[Diagram: Internet -> N/w Firewall -> Web Application Firewall -> Switch -> Application 1 (223.216.5.9), Application 2 (223.216.5.10), Application 3; clients reach the applications through a switch/router.]

The WAF should be between the Network firewall and the switch to the backend application servers.

Bridge and Proxy Mode

• Bridge Mode
  • Operates as a Layer 2 Bridge
  • Traffic meeting the specified definition is inspected and then passed to the app server
    – The rest of the traffic is bridged
• Proxy Mode
  • Operates as a Layer 3 router
    – Client sessions terminate at the WAF
    – The WAF initiates the session to the app server
  • Traffic meeting the specified definitions is inspected
    – The rest of the traffic is blocked

Bridge Mode Deployment

• Bridge mode of deployment uses the same IP for the VIP as the IP addresses of the Web servers

[Diagram: Internet -> N/w Firewall -> Barracuda Web Application Firewall -> Switch -> Application 1 (223.216.5.9), Application 2 (223.216.5.10); clients via switch/router. Configure the IP addresses of the Web Servers on the Web Application Firewall: Application 1: 223.216.5.9, Application 2: 223.216.5.10.]

The WAN and LAN must be on two different logical switches.

Bridge Mode

• Advantages
  – No addressing changes needed on firewall, app servers
  – No NAT required
  – Ethernet Fail Open available
• Disadvantages
  – No TCP Connection Pooling available
  – No Load Balancing available
  – Not as secure as Proxy mode

Hardware Bypass Feature

[Diagram: three states of the Barracuda Web Application Firewall sitting between the Wide Area Network (WAN) and the Local Area Network (LAN), with the System Health Monitor watching the firewall component: Normal Operation; Fail Safe on Component Failure; Fail Safe on Power Failure.]

Inline Proxy Mode

[Diagram: Internet -> N/w Firewall -> Web Application Firewall (VIP 1 223.216.5.9, VIP 2 223.216.5.10) -> Switch -> Application 1 (10.0.0.1), Application 2 (10.0.0.2); clients via switch/router.]

Server IPs change to private addresses

Also called "Full Reverse Proxy Mode"

One-Armed Configuration

[Diagram: the WAF (with cache) hangs off the switch/router in the DMZ. Client traffic from the Internet continues to reach the server at 10.10.10.101:80 through its advertised IP, which needs no changes; test traffic goes to the VIP 10.10.10.202:80 on the WAF. Testers can use the internally published VIP.]

Once the evaluation of the Barracuda WAF is complete, it can be moved inline into production, either coexisting with the Load Balancer or replacing it.

Review: Deployment Modes

Criteria compared across Reverse Proxy, Bridge and One-Armed modes:

• Maximize network bandwidth (use both ports)
• Create secure path to Web servers
• Load Balancing and Layer 7 features (e.g. Instant SSL)
• Minimize change to existing network infrastructure
• Integrate with existing enterprise load balancers
• Establish multiple paths to Servers for testing
• Cannot change existing Server IP addresses


Sizing and Product Selection

• https://www.barracudanetworks.com/products/webapplicationfirewall/models

Model Comparison By Capacity

Proper WAF Sizing

Barracuda Web Application Firewall Product Line (SMB to Enterprise)

• Barracuda Web App Firewall 360
• Barracuda Web App Firewall 460
• Barracuda Web App Firewall 660
• Barracuda Web App Firewall 860
• Barracuda Web App Firewall 960
• Vx

Summary: What does the Barracuda WAF do?

• Attack protection
  • SQL injection, Cross Site Scripting, Command injection, CSRF ...
  • DoS, Brute Force, Session Hijacking, XML attacks, Anti Virus protection
• Data Theft Protection – Credit Cards, SSN, Custom patterns
• Website Cloaking
• Access Control – Form and Basic Authentication and Single Sign On with integrations into LDAP, RADIUS, CA SiteMinder, RSA SecurID
• Application Delivery – Load Balancing, Caching, Compression, SSL Offloading, Rate Control

Thank You