43% of breaches involve web applications.
Web applications are a major vector for criminals seeking to penetrate your network — and securing them has until now been notoriously difficult and complex. Barracuda Web Application Firewall changes the game, with comprehensive protection against all kinds of app-based threats, highly flexible deployment options, and remarkable ease of use.
*2020 Verizon DBIR
Application security made simple.
Deploy and configure quickly and easily — no steep learning curve or complicated certifications to obtain.
Agile friendly, DevOps ready.
Unmetered DDoS protection included.
Develop and deploy new or updated apps fast, thanks to its full REST API.
Cloud native for modern workloads.
Seamlessly integrates with cloud-native services to provide security, control, and peace of mind.
Safeguard your applications and data with confidence.
Application security is increasingly complex. Barracuda makes it simple. Barracuda Web Application Firewall is a part of Barracuda Cloud Application Protection, an integrated platform that brings a comprehensive set of interoperable solutions and capabilities together to ensure complete application security.
Ensure protection from web attacks and DDoS.
Barracuda Web Application Firewall protects applications, APIs, and mobile app backends against a variety of attacks including the OWASP Top 10, zero-day threats, data leakage, and application-layer denial of service (DoS) attacks. By combining signature-based policies and positive security with robust anomaly-detection capabilities, Barracuda Web Application Firewall can defeat today’s most sophisticated attacks targeting your web applications.
Barracuda Active DDoS Prevention — an add-on service for the Barracuda Web Application Firewall — filters out volumetric DDoS attacks before they ever reach your network and harm your apps. It also protects against sophisticated application DDoS attacks without the administrative and resource overhead of traditional solutions, to eliminate service outages while keeping costs manageable for organizations of all sizes.
Stop bad bots dead in their tracks.
Sophisticated malicious bots mimic human users to evade standard bot detection. However, blocking legitimate bots can harm your business. So modern bot defense has to both distinguish between legitimate and malicious bots, and between human users and advanced bots. Barracuda Web Application Firewall offers Advanced Bot Protection that uses machine learning to continually improve its ability to spot and block bad bots and human-mimicking bots — while allowing legitimate human and bot traffic to proceed with minimal impact.
Enable granular access control and secure app delivery.
To ensure that only authorized personnel can access your application backends and data, Barracuda Web Application Firewall solutions integrate with AD, LDAP, and RADIUS, giving you granular control over which users and groups can access what data. They also secure all the services that rely on ADFS. SAML support provides a seamless single sign-on (SSO) experience across your on-premises and cloud-hosted applications. Two-factor authentication further enhances security through integrations with RSA SecurID, SMS PASSCODE, Duo, and others.
Barracuda Web Application Firewall features a hardened SSL/TLS stack that provides a secure HTTPS front end to your applications. With pre-built templates, you can immediately set up secure TLS ciphers and protocols for standards compliance with ease.
The built-in application delivery module enables HTTP load balancing, content routing, caching, and compression. The content routing module can be used to direct traffic to various applications based on the characteristics of incoming traffic — for instance, a different server for a PC versus mobile client. Connection pooling, caching, and compression capabilities speed traffic delivery and improve user experience by reducing server load and reducing latency.
Automate and orchestrate security.
Barracuda Web Application Firewall integrates with many popular third-party DevOps tools to ensure CI/CD processes are fully automated. Full-featured REST API seamlessly integrates with Puppet, Chef, Ansible, Terraform, Azure ARM, AWS CloudFormation, and more. In addition, the content routing module further enables CI/CD rollout options such as blue-green deployments, canary rollouts and A/B testing. The Barracuda Web Application Firewall’s REST API is built on OpenAPI specifications, making it easy to create automation scripts, and the official GitHub page has code samples for popular platforms and use cases.
Barracuda Web Application Firewall solutions leverage Barracuda Vulnerability Manager and Remediation Service to let you remediate app vulnerabilities with a single click and deploy new and updated apps with full confidence. Barracuda Web Application Firewall also supports many third-party vulnerability scanning tools such as IBM AppScan, Rapid7, Immuniweb, HPE Security WebInspect, and more to give you complete freedom and control over vulnerability mitigation.
Gain deep visibility into attacks and traffic patterns.
Barracuda Web Application Firewall features a detailed dashboard that presents vast amounts of data in the form of actionable insights that help you make informed decisions. System health and utilization, traffic patterns, subscription status, system performance, attack statistics and origin locations, and much more are layered into a streamlined dashboard that makes it all easy to interpret and use. Barracuda Web Application Firewall also supports many external SIEMs and log management tools such as Azure Sentinel, Loggly, Sumo Logic, HPE ArcSight, IBM QRadar, Splunk, and many more.
Web Application and API Protection
- Protection against OWASP & zero-day attacks
Protect against all OWASP top 10 attacks, zero-day attacks, data leakage, and DDoS attacks. The layered traffic processing engine and Smart Signatures use fewer attack-detection signatures to detect and block web attacks, including zero-day attacks. Each Smart Signature can detect attacks found in 40 attack-specific signatures, reducing detection time and improving overall detection. Application Learning adds automated Positive Security, with the ability to enforce this security from the URL down to the parameter level.
- Advanced Bot Protection
Barracuda Advanced Bot Protection uses cloud-based machine learning to stop bad bots, easily blocking automated spam, web and price scraping, inventory hoarding, account takeover attacks, and much more.
- API Protection
Barracuda Web Application Firewall protects XML and JSON REST APIs against all application attacks, including OWASP Top 10 API threats. API Discovery capabilities make it easy to configure protection and limit the chances for misconfiguration.
- Server Cloaking
Often the first step of a targeted attack is to probe public-facing applications to learn about the underlying servers, databases, and operating systems. Cloaking prevents attack reconnaissance by suppressing server banners, error messages, HTTP headers, return codes, debug information, or backend IP addresses from leaking to a potential attacker.
- URL Encryption
Encrypt URLs before they are sent to clients, and ensure the original URLs or the directory structure are never exposed externally to prying eyes.* End users of the web applications interact and navigate the site using only encrypted URLs, which are decrypted by the WAF. The decryption process immediately identifies URL query or parameter tampering, malicious content injection, or blind forceful browsing attacks.
* WAF models 660 and above
- Geo-IP and IP Reputation Checking
Using client source addresses, organizations can control access to web resources. Barracuda Web Application Firewall can control access based on GeoIP to limit access only to specified regions. It is also integrated with the Barracuda Reputational Database and can identify suspicious IP addresses, bots, TOR networks and other anonymous proxies that are often used by attackers to hide their identity and location. Once an IP address is identified as a risk, administrators have the ability to block, limit, throttle, or issue a CAPTCHA challenge before allowing access.
Integrations: MaxMind
- Malware Protection and Anti-Virus
Seamless integration with Barracuda Advanced Threat Protection provides security against advanced threats. Simply add Barracuda Advanced Threat Protection to Barracuda Web Application Firewall to block advanced zero-hour threats. By analyzing files in a CPU-emulation-based sandbox, it can detect and block malware embedded deep inside files uploaded to websites or web applications.
- Multi-Protocol Support
In addition to HTTP and HTTPS traffic processing, Barracuda Web Application Firewall can also inspect FTP and FTPS traffic and can be configured to allow or deny specific FTP commands. It also provides inspection capabilities for application protocols like XML and JSON and can be configured to proxy HTTP/2 as well as HTML5 WebSocket traffic.
- Application DDoS Protection
Protect against advanced application-layer DDoS attacks (Slowloris, RUDY and Slow Read), which are different from volumetric DDoS attacks, using heuristic fingerprinting and IP reputation to distinguish real users from botnets. Secure against application DDoS using a variety of risk assessment techniques such as application-centric thresholds, protocol checks, session integrity, active and passive client challenges, historical client reputation block lists, geo-location, and anomalous idle-time detection.
- Volumetric DDoS Protection
Volumetric DDoS attacks are on the rise because the computational resources that are available to attackers make it very easy to launch full-scale attacks that can bring an entire network down. Many times, the entry points for these attacks are the websites of organizations, which bear the brunt of the load. Barracuda Web Application Firewall offers a subscription-based DDoS protection cloud service that scrubs traffic before it reaches the intended websites. This allows the cloud service to identify patterns of DDoS attacks in the connections and block them.
- JSON Security
Mobile application and REST APIs today rely on JSON (JavaScript Object Notation) to transfer data. However, this opens a whole new attack surface which is often overlooked and hard to secure by traditional scan-testing or pen-testing approaches. Barracuda Web Application Firewall secures the entire attack surface of mobile applications and REST APIs, filters malicious inputs in requests with JSON payloads, helps ensure API SLAs to partners, and provides anti-pharming protection from rogue consumers. Interactive web applications using JSON with AJAX are similarly protected.
- XML Firewall
Applications that rely on XML can now be secured with an XML Firewall capability that secures applications against schema and WSDL poisoning, highly-nested elements, recursive parsing, and other XML-based attacks. This secures communications between client and application or between applications from different systems closing an often-overlooked attack vector.
- Active Threat Intelligence
Real-time attacks need real-time responses. Barracuda Active Threat Intelligence collects threat data from a large, worldwide network of sensors and customer traffic. This data is processed using Machine Learning in near real-time and pushed out to connected units immediately, allowing for rapid detection of new threats and attackers.
- Client-Side Protection
Attackers exploit third-party scripts to perform client-side digital skimming attacks, such as Magecart, to steal PII and financial data directly from the browser. These attacks are difficult to detect because these scripts are loaded directly by the browser and attackers are using sophisticated techniques to avoid detection with scanners and similar defensive methods. Barracuda Web Application Firewall offers Client-Side Protection, a feature that automates the CSP and SRI configuration, reducing admin overheads and configuration errors. In addition to these capabilities, the Barracuda Active Threat Intelligence layer provides visualization and reporting for these configurations, providing admins with deeper visibility into the usage of these scripts.
Application Delivery
- Application Load Balancing and Monitoring
Barracuda Web Application Firewall supports load balancing of all types of applications. Load balancing ensures that subsequent requests from the same IP address will be routed to the same back-end server as the initial request. This requires an awareness of server health so subsequent requests are not routed to a server which is no longer responding. Barracuda WAF can monitor server health by tracking server responses to actual requests and marking the server as out-of-service when errors exceed a user configured threshold. In addition, Barracuda WAF can perform out-of-band health checks, requests created and sent to a server at configured time intervals to verify its health.
- Content Routing
Barracuda WAF provides enormous flexibility while deploying large applications in which each application module can be deployed on multiple servers. Requested content such as the URL of the module, HTTP Headers and parameters, is used to route content to the correct set of servers. This is also useful in scenarios where users should be redirected to different parts of the applications based on various criteria such as the mobile site, or a country specific site.
- Caching, Compression and Traffic Optimization
Caching: Barracuda Web Application Firewall speeds up application response time by caching static content and using it to respond to repeated requests for the same content. Caching rules can be tuned based on URL space, file size or file type.
Compression: The integrated compression engine in Barracuda WAF compresses data as it is sent out to the client. This capability is extremely useful in low bandwidth situations and makes application delivery faster.
Traffic Optimization: Barracuda WAF employs multiple techniques such as connection-pooling and TCP multiplexing to optimize protocol performance. Connection pooling techniques enable Barracuda WAF to cut down the overhead associated with creating and terminating connections, thereby cutting the time it takes to respond to client requests.
Data Protection and Compliance
- Outbound Data Loss Prevention
Inspects all outbound traffic for sensitive data leakage. Content such as credit card numbers, U.S. social security numbers, or any other custom patterns is identified and can be either blocked or masked without administrator intervention. Furthermore, the information is logged and can be used by administrators to find potential leaks.
- Compliance Certification
Simple, cost-effective assistance to help administrators comply with major application-specific requirements like PCI-DSS, HIPAA, FISMA, and SOX. Certified by numerous third-party labs including ICSA Labs, Barracuda Web Application Firewall directly satisfies section 6.6 of PCI-DSS and assists compliance with built-in PCI compliance reports. Its robust identity, access management and data loss prevention (DLP) capabilities ensure privacy of sensitive data.
Identity and Access Control
- SAML support and Single Sign-On
Barracuda Web Application Firewall supports the SAML v2 protocol for authentication and web-based single sign-on (SSO), which means that it can act as a SAML Service Provider (SP) to SAML-compliant Identity Providers (IdP), saving you from the complexities of implementing SAML on your web servers. This facilitates SSO between the cloud and on-premises web applications as well as interoperability with Azure AD, which supports SAML 2.0. Barracuda WAF also supports Federated Identity for authentication and single sign-on, and supports integration with Active Directory Federation Services (ADFS).
- Client Certificate-Based authentication
Barracuda Web Application Firewall can be configured to require the client to provide a certificate for authentication, denying communication with clients who fail to do so.
It also provides server-side encryption, and can provide a certificate to the servers for client authentication (Barracuda WAF acting as the client to the back-end servers). Online Certificate Status Protocol (OCSP) and Certificate Revocation Lists (CRLs) are also supported to determine the current status of client digital certificates.
- Active Directory Federation Services Integration
Securely publish not only ADFS but all the other web applications like SharePoint that rely on ADFS. Just like the Microsoft Web Application Proxy, Barracuda Web Application Firewall is deployed in the perimeter network – the DMZ. It does not require joining the domain and only requires port 443 access to the ADFS farm. It intercepts HTTP/S requests to published applications and provides protection against malicious HTTP/S requests from the Internet.
- LDAP, Kerberos, and RADIUS Integration
Barracuda Web Application Firewall fully integrates Active Directory or any other RADIUS or LDAP-compatible authentication services. Combined with the strong access control capabilities, administrators can provide granular control over which users or groups are able to access specific resources. For securing Kerberos-enabled environments, it can also perform authentication to the protected web application on behalf of the user, including single-sign-on to multiple Kerberos services.
- Two-Factor Authentication
Barracuda Web Application Firewall integrates with a number of two-factor authentication technologies including client certificates, SMS PASSCODE, and hardware tokens such as RSA SecurID to provide strong user authentication.
Integrations: SMS PASSCODE, RSA SecurID
Reporting
- Barracuda Active Threat Intelligence Dashboard
The Barracuda Active Threat Intelligence dashboard provides detailed visualizations of your traffic patterns and allows you to drill down to the level of each individual bot. It also contains detailed reports and visualizations for the Client-Side Protection features, allowing admins to easily identify which scripts are used where, as well as the current configurations and statuses of these scripts.
- Intuitive, Drill-Down Reporting
Powerful graphical reporting provides immediate insight into threat activity, web traffic and regulatory compliance. More than 50 different pre-defined reports are available, which can be easily customized further, using numerous filters for attack types, traffic, time range, and more.
Generated reports are interactive, with drill-down capability. Reports span PCI compliance, security, audit, web traffic and geo-location analytics. They can be generated on-demand, or scheduled for periodic delivery to multiple recipients over email or FTP.
- Comprehensive Logging
All client requests, administrator modifications, and firewall actions are logged. This provides a comprehensive audit log for compliance and security policy tuning. Data from the logs is used by the Web Application Firewall to build graphical reports on attacks, web traffic, compliance, and a number of other analytical reports. Logs can also be exported to third-party analytics suites via Syslog or FTP.
- SIEM Integrations
Barracuda Web Application Firewall integrates with many popular SIEM solutions out of the box. Logs are sent in the specific format as required by these SIEM solutions, ensuring maximum ease of integration.
In addition, Barracuda WAF has a highly customizable log export engine. Any SIEM solution that uses syslog can be integrated with this, and admins can define specific log formats to ensure complete integration.
Integrations: HPE ArcSight, Splunk, RSA EnVision, Symantec SIM and QRadar
Administration
- High Availability Clustering
Barracuda Web Application Firewall can be clustered in active / passive or active / active pairs with failover to ensure instant recovery. Security configurations and deployments are automatically synchronized between the clusters, providing instant recovery from any outages.
- Granular Role-Based Access Control
With role-based administration, Barracuda WAF Control Center makes it easy to centrally manage multi-tenant deployments of Barracuda Web Application Firewall.
- Automate and Scale with REST API
Barracuda Web Application Firewall comes with a complete REST API that enables you to configure and monitor the appliance programmatically. The functionality of the device is exposed in Representational State Transfer compliant interfaces which can be exercised via any programming language of your choice. REST API allows you to automate, reduce time-to-market and costs by leveraging economies of scale in a programmable environment.
- Enable Integrated DevSecOps
Configuration management software like Puppet, Chef and Ansible are used by organizations worldwide to automate deployments and configuration workflows. Barracuda Web Application Firewall supports custom modules enabling DevOps practitioners to automate their Barracuda WAF configuration.
- Pre-Built Security Templates
Managing application security policies across multiple units can quickly become an error-prone hassle. Barracuda Web Application Firewall features security templates that provide the ability to define baseline security settings to use as a model for security policies. By using templates, you can quickly create security policies designed to safeguard a specific application, web-portal, platform, framework or parts thereof. Templates increase productivity, reduce manual errors and deployment time, and ensure policy compliance.
Central Management
- Single Pane of Glass
The Barracuda WAF Control Center is the centralized management system that allows administrators to manage multiple geo-dispersed Barracuda Web Application Firewalls with varying configurations from a single console. A single pane of glass can manage hybrid hardware, virtual, and cloud deployments, and enables efficient, secure management for system administrators.
- Centralized Certificate Management
The built-in Certificate report provides a single-pane view of all the certificates installed on the various connected Barracuda Web Application Firewall units, and provides expiration reporting based on expiration date ranges.
- Centralized Notification and Alerting
Centralized Notification view gives you consolidated, granular info on the status of all configured services. Alerts from multiple connected WAFs are batched and sent out together to minimize information overload.
Ease-of-Use
- Application Learning (Adaptive Profiling)
Build positive security profiles for applications by sampling web traffic from trusted hosts. Once enabled, the positive security profiles allow administrators to enforce granular whitelist rules on sensitive parts of the application. This greatly reduces the risk of attacks and helps prevent zero-day vulnerabilities.
- Virtual Patching and Vulnerability Scanner Integration
Integrate with Barracuda Vulnerability Manager, Cenzic Hailstorm, HPE Security WebInspect, HPE Security Fortify On Demand, or IBM AppScan to automatically configure an application’s security template and protect against identified issues. All of this is automatic using the output data from the scanners (without any administrator intervention).
Barracuda Web Application Firewall also integrates with over 20 vulnerability scanners via Denim Threadfix integration.
- Auto Configuration Engine
Setting up and maintaining the configuration of a WAF for complex applications can be time consuming. When applications change frequently, admins must tune WAF configurations with these changes, leading to massive admin overheads. The Auto Configuration Engine for Barracuda Web Application Firewall and WAF-as-a-Service runs Machine Learning models on the live traffic of your applications and uses this data to provide configuration recommendations to improve your WAF’s security rules.