Web Application Protection Against Hackers and Security Vulnerabilities

Barracuda Web Application Firewall
Introduction

• Application-layer security for Web traffic

• Fully application aware

• Application Delivery and Acceleration

• Web User Access Control

• Full-featured, scalable WAF

• Familiar Barracuda Networks interface / ease of use

• Economical – no per user fees

74 percent of all Web application vulnerabilities disclosed in 2008 had no available patch to fix them by the end of 2008.

Data Center Assets Increasingly Vulnerable

• Identity theft
• Data theft
• Worms
• Denial of Service
• SQL Injection
• Parameter tampering

Business Implications
• Lost revenue
• Brand erosion
• Regulatory compliance: SOX, GLBA, HIPAA

Source: IBM X-Force

Challenges with Legacy Security Solutions

Threat coverage, IPS / Network Firewalls versus Application Firewall:

• Data Theft
• Application DoS
• Google Hacks
• Forceful Browsing
• Identity Theft
• Buffer overflow
• Parameter Tampering
• Stealth Commanding
• Injection Attacks
• Cross Site scripting
• Hidden field manipulation
• Cookie poisoning

IPS / Network Firewalls: none for nine of these twelve threats, well known signatures only for the other three

Application Firewall: covers the full list (the slides that follow detail how)

Application Threat

• Network Firewalls
  – Blindly allow HTTP/S Web traffic

• IPS/IDS
  – Signature matching only, not application aware
  – Cannot protect from zero-day attacks
  – No protection for encrypted traffic
  – Non deterministic protection
  – Cannot “normalize” traffic to detect obfuscated attacks

What is Missing?

More insight and control into application structure: URLs, cookies, headers, FORMs, Session, SOAP actions, XML elements …
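The "cannot normalize traffic" point above is the one most easily shown in code. The following is an added illustration, not code from this deck or from Barracuda: a handful of constructed fixed-pattern signatures are matched first against a request field exactly as sent, then against the same field after canonicalization (repeated percent-decoding, HTML-entity decoding, case folding, SQL-comment and whitespace collapsing). The signature list, the sample values and the function names are all assumptions made for the example.

```python
import html
import re
import urllib.parse

# Constructed signatures of the kind a signature-only IPS carries (an assumption
# for this example, not a real rule set).
SIGNATURES = [
    re.compile(r"'\s*or\s*1\s*=\s*1"),  # SQL injection tautology
    re.compile(r"<script\b"),            # reflected XSS marker
    re.compile(r"\.\./"),                # directory traversal
]


def normalize(value: str, max_rounds: int = 3) -> str:
    """Canonicalize one request field before signature matching.

    Repeated percent-decoding undoes double encoding (%2527 -> %27 -> '),
    HTML-entity decoding undoes &#x3C; style escapes, lower-casing undoes
    case games (oR), and stripping /*...*/ comments plus collapsing
    whitespace undoes the '/**/OR/**/1=1' family of tricks.
    """
    for _ in range(max_rounds):
        decoded = html.unescape(urllib.parse.unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    value = value.lower()
    value = re.sub(r"/\*.*?\*/", " ", value)  # inline SQL comments
    value = re.sub(r"\s+", " ", value)        # runs of whitespace
    return value.replace("\\", "/")           # Windows-style separators


def matches_raw(value: str) -> bool:
    """What a signature-only device sees: the bytes exactly as sent."""
    return any(sig.search(value) for sig in SIGNATURES)


def matches_normalized(value: str) -> bool:
    """What an application-aware device sees: the canonical form."""
    return any(sig.search(normalize(value)) for sig in SIGNATURES)


# Constructed sample request fields: four obfuscated attacks and one benign value.
SAMPLES = [
    "%2527%2520OR%25201%253D1",        # double-encoded ' OR 1=1
    "'/**/oR/**/1=1",                  # comment-spliced, mixed case
    "&#x3C;script&#x3E;alert(1)",      # entity-encoded <script>
    "%2e%2e%2f%2e%2e%2fetc%2fpasswd",  # encoded ../../etc/passwd
    "user=alice&page=2",               # benign
]


def compare(samples=SAMPLES):
    """Return (value, raw_hit, normalized_hit) for each sample."""
    return [(s, matches_raw(s), matches_normalized(s)) for s in samples]


if __name__ == "__main__":
    for value, raw, norm in compare():
        print(f"{value!r:40} raw={raw!s:5} normalized={norm}")
```

All four attack samples pass the raw match and fail only after normalization, while the benign value passes both; the decode loop is bounded so a field that keeps changing under decoding cannot stall the inspector.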

The solution: Layer 7 security

(Diagram: port 80/443 traffic goes through the network firewall, which blocks only network attacks; the Barracuda Web Application Firewall sits between it and the Web Applications.)

The solution: Barracuda Web Application Firewall

Understands web traffic

Layer 4 and Layer 7 load balancing for Web servers

Accelerates application delivery

Protects against common web attacks

Mitigates broken access control

Comprehensive Application Layer Protection

(Diagram: Users → Barracuda Web Application Firewall → Web Applications/Services)

INSPECTS FOR:
• Malicious Commands
• Illegal Keywords
• Hidden Field Tampering
• Parameter Tampering
• Altered HTTP Methods
• Max Length Exceptions
• Illegitimate URLs
• WS-I Profile Validation
• XML Schema Validation
• Virus/Malware Injection
• Distributed DoS

ENFORCES:
• Intended application logic
• Web site cloaking
• Legitimate crawling
• Valid parameter values
• Non-disclosure of sensitive data
• Appropriate session state
• SSL and Session security
• Valid URLs
• Rate Control

• Full inspection of application data input
• Complete knowledge of expected values
• Real-time policy creation and enforcement
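The inspect/enforce lists above describe a positive security model: the device knows which URLs, HTTP methods, parameter names, value formats and lengths the application expects, rejects anything outside that profile, and applies rate control on top. The following added example (not Barracuda's code or configuration format) implements that model over a constructed profile for a hypothetical two-page application; the URLs, parameter rules, limits and client addresses are assumptions made for illustration.

```python
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ParamRule:
    pattern: str          # regex the whole value must match
    max_len: int          # hard length ceiling, checked before the regex
    required: bool = False


@dataclass(frozen=True)
class UrlRule:
    methods: frozenset    # the only HTTP methods this URL legitimately accepts
    params: dict          # every parameter the application expects, by name


# Constructed profile for a hypothetical two-page application (an assumption,
# not a real Barracuda configuration).
PROFILE = {
    "/login": UrlRule(frozenset({"POST"}), {
        "username": ParamRule(r"[A-Za-z0-9_.]{1,32}", 32, required=True),
        "password": ParamRule(r"[^\x00-\x1f]{8,128}", 128, required=True),
    }),
    "/account/view": UrlRule(frozenset({"GET"}), {
        "id": ParamRule(r"[0-9]+", 10, required=True),
    }),
}


class RateLimiter:
    """Sliding-window counter per client: at most `limit` requests per `window_s` seconds."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)

    def allow(self, client: str, now: float) -> bool:
        hits = self._hits[client]
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()               # drop timestamps outside the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def check_request(method, path, params, client, now=None, limiter=None):
    """Return the policy violations for one request; an empty list means the
    request fits the profile and may be forwarded to the server."""
    now = time.monotonic() if now is None else now
    violations = []

    rule = PROFILE.get(path)
    if rule is None:
        # Positive model: a URL absent from the profile is illegitimate
        # (this is how forceful browsing is stopped).
        return [f"illegitimate URL: {path}"]

    if method not in rule.methods:
        violations.append(f"altered HTTP method: {method} on {path}")

    for name, value in params.items():
        prule = rule.params.get(name)
        if prule is None:
            # Extra fields are how hidden-field and parameter tampering show up.
            violations.append(f"unexpected parameter: {name}")
            continue
        if len(value) > prule.max_len:
            violations.append(f"max length exceeded: {name} ({len(value)} > {prule.max_len})")
            continue
        if re.fullmatch(prule.pattern, value) is None:
            violations.append(f"invalid value for parameter: {name}")

    for name, prule in rule.params.items():
        if prule.required and name not in params:
            violations.append(f"missing required parameter: {name}")

    if limiter is not None and not limiter.allow(client, now):
        violations.append(f"rate limit exceeded for client {client}")

    return violations


if __name__ == "__main__":
    lim = RateLimiter(limit=3, window_s=10.0)
    for t in (0.0, 1.0, 2.0, 3.0):
        print(t, check_request("GET", "/account/view", {"id": "42 OR 1=1"}, "10.0.0.1", now=t, limiter=lim))
```

Because the profile is a whitelist, a payload never seen before (the `42 OR 1=1` value, an injected `role` field, a `DELETE` on a read-only URL) is refused without any signature for it, which is the practical difference between this model and the signature-only devices of the previous slide.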

Barracuda Web Application Firewall Benefits

• Secure Web Applications
• Scale Up and Speed Up
• Gain Visibility via Logs and Reports
• Achieve Compliance


SECURE WEB APPLICATIONS

• Cloak server information

• Protect against Layer 7 attacks

• Data theft protection

• Integrated XML protection


SCALE AND SPEED UP APPLICATION DELIVERY

• Load balancing

• Caching

• Compression

• Integrated access control
  – LDAP / RADIUS
  – Client certificates


GAIN VISIBILITY VIA LOGS AND REPORTS

• Web firewall logs

• Audit logs

• Access logs

• Traffic / attack reports


ACHIEVE COMPLIANCE

• Role based access

• LDAP authentication

• PCI reports

• Audit reports

Typical Deployment

• Inline between the network firewall and the servers, in Proxy or Bridge mode. Both of these deployments can be put in a High Availability setup with two units in a pair.

• Out of line as a one-armed proxy

Summary

• Comprehensive Web application protection

• Application delivery and acceleration

• Authentication and Authorization

• Logging, monitoring and reporting

• Achieve compliance: PCI, HIPAA, GLBA