Review: Barracuda Web Application Firewall 460 Delivers Broad Protection

Government agencies have always been in the crosshairs of cyberattackers. In fact, according to most cybersecurity surveys, government is ranked, with healthcare and finance, among the five most attacked sectors every year.

The Web Application Firewall (WAF) from Barracuda Networks does an excellent job of covering the most important parts of that cybersecurity waterfront.

Placed at the front of the data path, the WAF functions like a reverse proxy, intercepting all traffic and allowing only packets that comply with policy.

Its features include HTTP/S and FTP protocol validation; form field metadata validation; website cloaking; response control; outbound data theft protection; file upload control; logging, monitoring and reporting; high availability (active and passive); SSL offloading; authentication and authorization; vulnerability scanner integration; client IP reputation validation; caching and compression; and Lightweight Directory Access Protocol/Research and Development for Image Understanding Systems (LDAP/RADIUS) services. It can even handle load balancing and content routing.

SIGN UP: Get more news from the FedTech newsletter in your inbox every two weeks!

Security Rules Are Controlled via a Single Interface 

The WAF 460 is designed to protect five to 10 back-end servers, though other models scale up to enterprise levels suitable for larger organizations. With any of the WAFs, new defensive capabilities are activated by spinning up services, a straightforward process that puts inbound and outbound traffic rules into one interface.

Whenever a new service is activated, the WAF automatically applies a default security policy based on best practices. For example, when adding protection for a public-facing app through the WAF, the default policy limits the number of characters that users can type into each field. Administrators may modify default policies as needed, but this limit ensures that simplicity is the rule when generating new protections.

The free Barracuda Vulnerability Manager is available for the WAF’s suite of tools by simply connecting. The WAF can scan new applications looking for vulnerabilities and then create rules to block them from the firewall, without changing any code.

Consolidating defensive services into a single interface makes sense for larger government agencies struggling to fight more cyberbattles with fewer resources. The Barracuda WAF could become a secret weapon that tips the scales in the government’s favor.

How the WAF Fares Against DDoS Attacks 

Distributed denial of service (DDoS) attacks can be extremely problematic, even for federal agencies that have invested heavily in cybersecurity. The attacks try to overload a website with so much junk data that real users can’t get through and use services.

DDoS attacks are popular because they’re highly visible. When the botnet known as Mirai used millions of Internet of Things devices to temporarily shut down several of the world’s top websites, it made news globally. DDoS attacks also require less sophistication than managing cutting-edge malware or an advanced persistent threat. There are quite a few plug-and-play tools available to launch basic DDoS attacks using known compromised clients and servers.

Having DDoS protection makes sense, especially for high-profile organizations such as government agencies. Agencies face two main types of DDoS attacks: web-based and application-based. The most common are web-based attacks, where web traffic is sent to overload a server with junk data. To counter these attacks, the WAF must connect to the Barracuda traffic-scrubbing service. This requires an extra license, but it enables the WAF to forward suspected DDoS traffic through the service and then block the overloading requests.

An application-layer attack is a more advanced form of DDoS that takes even more research. It is intended to send long strings of junk data into valid forms on a website, perhaps overloading the application or even the server that is hosting it.

We tested the WAF’s ability to fight application-layer DDoS attacks by sending more than 5,000 strings of junk data into the name field on a web form every second. Meanwhile, we attempted to use the form like a valid user. Our valid user was never inconvenienced by the ongoing attack, and services never dropped.

The log files confirmed that the WAF easily caught the illegal traffic and blocked it because either the junk strings were too long or the user was attempting to fill out the form too quickly. It broke the WAF’s programmed rules and was dropped. From a user’s point of view, nothing was wrong. Because there was no disruption, administrators could take their time responding to the attack, confident that the WAF could handle it — which it did for more than an hour, when the testing ended.

Most firewalls don’t have the level and variety of cybersecurity modules present in the Barracuda Web Application Firewall 460. Of those that include extra features, DDoS is rarely one of them. Its inclusion rounds out the protection offered by Barracuda, enabling it to provide many cybersecurity defenses.