
WAF02038 - Allow-Deny-Redirect Rules

Barracuda Web Application Firewall


WAF0201 - Barracuda Web Application Firewall – Advanced Features

WAF02038 - Allow-Deny-Redirect Rules


Introducing Allow-Deny-Redirect Rules

Allow/Deny/Redirect Rules
• Define strict access control rules for the services
• Rules are service-specific and cannot be shared among services
• Two types of rules:
– Allow/Deny rules for URLs
– Allow/Deny rules for headers
[Figure: the services Public, Private and Payments each pass Access Control on the WAF in front of the Web Application]

© Barracuda Networks Inc., Revision: 7/18/2022 1



Allow/Deny/Redirect Rules
[Figure: the Request from the client Tommy passes the Allow/Deny/Redirect Rules on the WAF before reaching the Application Server; the Response returns the same way]

Allow/Deny/Redirect Rules for Headers


• Enforce strict limitations on incoming headers
• Sanitize HTTP headers containing:
– Sensitive information identifying the client
– Some application-specific state information
• Prevent configured attack types
• Stop potentially malicious metacharacters and keywords

WAF02019 - Website Profiles


Introducing Website Profiles


Website Profiles
[Figure: the Request from the client Tommy is checked against the Website Profiles on the WAF before reaching the Application Server; the Response returns the same way]

Website Profiles Overview


• Specific rules to fine-tune the security settings of a service
– URL profiles
– Parameter profiles

[Figure: URL Profile for /cgi-bin/reg.cgi with the Parameter Profiles First Name and Last Name (Input Field, Type Alpha, Max Char 16); Tommy Reed submits the form "First Name: Tommy, Last Name: Reed" through the WAF to the Application Server]

Website Profiles Modes


• Active - Validates requests; blocks and logs violations
– Uses the URL profile and corresponding parameter profile(s) settings
• Passive - Validates requests and logs violations
• Learning - Learns the web application structure


Website Profiles - Strict Profile Check


• Enforces the positive or negative security model
• Strict Profile Check enabled:
– Validates requests and denies those that do not match the URL profiles and parameter profiles
• Strict Profile Check disabled:
– Validates requests; those that do not match the URL profiles and parameter profiles are validated against the global security policy

Adaptive Profiling
• Automatically learns the structure of a web application
– Based on requests and/or responses
• Creates the website profile based on the learned structure

[Figure: Adaptive Profiling learns the URL Profile /cgi-bin/reg.cgi and its Parameter Profiles First Name and Last Name (Input Field, Type Alpha, …) from Tommy Reed's registration requests passing through the WAF to the Application Server]

Profile Optimizers
• Reduce the number of URL or Parameter profiles to manage
• URL Optimizers: merge multiple URL profiles into one
• Parameter Optimizers: merge multiple Parameter profiles into one
[Figure: while learning and optimizing, the WAF merges /abc/page1.html, /abc/page2.html, /abc/page3.html and /abc/page4.html into /abc/page*.html, and param1, param2, param3 and param4 into param*]


WAF02020 - Application DDoS Protection


Introducing Application DDoS Protection


IP Reputation Filter
• Filters traffic to a service from specific geographic regions / categories:
– Geo pool
– Barracuda Reputation
– TOR nodes
– Anonymous proxy
– Satellite provider
[Figure: requests from the filtered categories are blocked at the WAF before reaching the Backend Servers]

Slow Client Attack Prevention


• Prevents:
– Slow HTTP headers vulnerability (Slowloris)
– Slow HTTP POST vulnerability (R-U-Dead-Yet, or RUDY)
– Slow read DoS attack
• Enforces request / response timeouts
• Enforces minimum data transfer rates for requests / responses


DDoS Policies
• Passively evaluate clients to determine whether they are suspicious
• A client tagged as suspicious is forced to answer a CAPTCHA
[Figure: the WAF presents a JavaScript challenge and a CAPTCHA in front of the Web Server; a BOT that cannot answer it has its requests blocked]

reCaptcha Integration
• Domains
• Site Key
• Site Secret
[Figure: reCaptcha is configured per Service; the WAF presents the challenge to Tommy in front of the Web Application]

WAF02029 - Advanced System Management


Introducing Advanced System Management


Content
• Role Based Administration
• Cloud Control
• Configuration Backup & Templates
• Default Patterns
• Encryption Key Settings
• Response Pages


WAF02029 – Advanced System Management


Role-Based Administration


Role-Based Administration
• Restricts access to system resources based on roles assigned to users
– Eight roles are preconfigured (they cannot be deleted)
[Figure: a User Role, authenticated against the Internal DB or LDAP / RADIUS / SAML V2, is granted Read or Write operations on the objects Services, Security Policies, Auth. Services and Web Interface]


WAF02029 – Advanced System Management


Cloud Control


Cloud Control
• Monitor and configure multiple Barracuda Networks products from one cloud interface
• The same tabbed pages are available for managing all aspects of your Barracuda Networks product
[Figure: the Barracuda Admin's Browser connects to Cloud Control, which manages the WAF]

WAF02029 – Advanced System Management


Configuration Backup & Templates


Configuration Backup
• Can be used for backup purposes
• Can be uploaded to another Barracuda Web Application Firewall
[Figure: the WAF Configuration is backed up every day at 5:00 a.m. to one of the Destinations: Cloud, FTP / FTPS, SMB, Local System, AWS S3]

Templates
• A collection of configuration components arranged serially in a file
• Can be used as a model across policy revisions or across units
[Figure: the URL Policies of Service1 form a Composite Template; Service1 and Service2 with their URL Policies form a Full Template; the templates are moved from WAF_Dev to WAF_Prod]

WAF02029 – Advanced System Management


Default Patterns


Default Pattern Mode
• ADVANCED > System Configuration
• ADVANCED > View Internal Patterns

WAF02029 – Advanced System Management


Encryption Key Settings


Encryption Key Settings
[Figure: the WAF's encryption key is defined by a Key Value and a Key Expiration Time]


WAF02029 – Advanced System Management


Response Pages


Response Pages
• A response page consists of a Status Code, Response Headers and a Response Body
• Page types: Error, Captcha, Access Control, Other
[Figure: the WAF returns the Response Message to the Browser]

WAF02041 – API Security


Introducing API Security


Agenda
• API Services
• API Discovery
• JSON Security
• GraphQL
• XML Firewall
• JWT Validation
• API Attack Actions


WAF02041 – API Security


API Services


API Services
Software systems designed to support interoperable machine-to-machine interaction over a network (W3C)
• JSON
• GraphQL
• XML
[Figure: Application A (Linux + JAVA, DB: Oracle) sends an HTTP Request to the Web Service of Application B (Windows + ASP, DB: MSSQL) and receives an HTTP Response]


REST Services
REST => Representational State Transfer
[Figure: the Service Requester sends an HTTP [any method] Request carrying XML, JSON, GraphQL, … to the Service Provider, which returns an HTTP Response in the same formats]

API Services
[Figure: Tommy's Front-end Application talks to the Back-end Application over an HTTP/S REST API; an Attacker sends a Payload over the same path]

API Services
• Separate service for front end and back end
• The Front-end application communicates with Service 2
[Figure: Tommy reaches Service 1 (Front-end Application) through the WAF; the Front-end Application reaches Service 2 (Back-end Application) through the WAF]


API Security on the Barracuda WAF
1. SSL/TLS Security
2. API Message Security
3. Protocol Security
4. Access Control
5. Cloaking
[Figure: the WAF acts as API Proxy in front of the API Server, with Inbound Inspection and Outbound Inspection]

JSON Security
[Figure: Tommy's Request and the Application Server's Response pass through the WAF's JSON Security checks]

WAF02041 – API Security


API Discovery


API Discovery Wizard
• Upload API spec
– Swagger
– Open API
– Google API
• JSON Policy
• JSON Key Profiles
• Authentication and Authorization
[Figure: the Administrator uploads the API Spec to the WAF]

Endpoint Discovery
• Requires ABP license
• Automatically identifies API endpoints
– Review endpoints
– Fine-tune parameters
• JSON Policies
• JSON Key Profiles
• URL Profiles
• Header ACLs
• DDoS Prevention
[Figure: the WAF discovers the endpoints from the traffic between the Web Applications]

WAF02041 – API Security


JSON Security


JSON REST API
[Figure: an Application sends an HTTP [any method] Request with a JSON body to the other Application and receives an HTTP Response carrying JSON]

JSON Security
• Ensures that attacks are not tunneled inside HTTP requests with JSON content
• Easy Open API integration
– Upload API specs
Requests blocked: SQL injection in JSON data
{"firstname": "tommy", "lastname": "' OR 1=1 -- "}
[Figure: an Attacker sends an application/json request carrying the injection above; the WAF blocks it before the Web Server]

JSON Profile
• Enforces input validations and additional security checks
• Manual creation or generated from uploaded API specs
[Figure: an HTTP Request with application/json content reaches the Service on the WAF, where the JSON Profile and the JSON Policy are applied]


JSON Policy
Limits the JSON Policy enforces on a JSON file, as annotated on the sample below: Max Keys (total number of keys), Max Key Length, Max Value Length (string values such as "streetAddress"), Max Number Value (e.g., "age": 35), Max Tree Depth, Max Array Elements (e.g., the "phoneNumbers" array), Max Siblings (e.g., the members of "address")
{
  "firstname": "tommy",
  "lastname": "reed",
  "age": 35,
  "contacts": {
    "phoneNumbers": [
      {
        "type": "office",
        "number": "456 555-7897"
      },
      {
        "type": "mobile",
        "number": "123 456-7890"
      }
    ],
    "address": {
      "streetAddress": "Lost street 23",
      "city": "Campbell",
      "state": "CA",
      "postalCode": "10041-4100"
    }
  }
}
JSON File

JSON Key Profile
Key Profiles
First Name
• key=firstname
• Type=string
• MaxLength=1024
• Class=Alpha
Age
• key=age
• Type=number
• MaxLength=2
• Class=Integer
JSON File (the registration document from the JSON Policy slide):
{
  "firstname": "tommy",
  "lastname": "reed",
  "age": 35,
  "contacts": {
    "phoneNumbers": [
      {
        "type": "office",
        "number": "456 555-7897"
      },
      {
        "type": "mobile",
        "number": "123 456-7890"
      }
    ],
    "address": {
      "streetAddress": "Lost street 23",
      "city": "Campbell",
      "state": "CA",
      "postalCode": "10041-4100"
    }
  }
}
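As an added illustration (not Barracuda's code) of the JSON Policy limits and the JSON Key Profiles on the two slides above, the following validator walks a request body and reports every limit or profile violation; the limit values, the lastname profile and the sample bodies are constructed for the example.

```python
# Added example, not Barracuda's code: a JSON Policy / JSON Key Profile validator
# of the kind the slides describe. All limits and profile values are constructed.
import json

POLICY = {  # JSON Policy limits (constructed values)
    "max_keys": 20, "max_tree_depth": 4, "max_array_elements": 5,
    "max_siblings": 8, "max_key_length": 32, "max_value_length": 64,
    "max_number_value": 1_000_000,
}

KEY_PROFILES = {  # JSON Key Profiles; MaxLength counts characters of the value
    "firstname": {"type": str, "class": "alpha", "max_length": 1024},
    "lastname": {"type": str, "class": "alpha", "max_length": 1024},
    "age": {"type": (int, float), "class": "integer", "max_length": 2},
}

def _profile_violations(key, value):
    # Positive-security check of one key against its Key Profile, if it has one.
    if key not in KEY_PROFILES:
        return []
    prof, out = KEY_PROFILES[key], []
    if isinstance(value, bool) or not isinstance(value, prof["type"]):
        out.append(f"{key}: wrong Type")
    if len(str(value)) > prof["max_length"]:
        out.append(f"{key}: exceeds MaxLength={prof['max_length']}")
    if prof["class"] == "alpha" and not (isinstance(value, str) and value.isalpha()):
        out.append(f"{key}: not Class=Alpha")
    if prof["class"] == "integer" and not isinstance(value, int):
        out.append(f"{key}: not Class=Integer")
    return out

def _walk(node, depth, counter, out):
    # Depth-first walk enforcing the JSON Policy limits on every node.
    if depth > POLICY["max_tree_depth"]:
        out.append(f"tree depth {depth} exceeds Max Tree Depth")
        return
    if isinstance(node, dict):
        if len(node) > POLICY["max_siblings"]:
            out.append("object exceeds Max Siblings")
        for key, value in node.items():
            counter[0] += 1
            if len(key) > POLICY["max_key_length"]:
                out.append(f"key '{key}' exceeds Max Key Length")
            out.extend(_profile_violations(key, value))
            _walk(value, depth + 1, counter, out)
    elif isinstance(node, list):
        if len(node) > POLICY["max_array_elements"]:
            out.append("array exceeds Max Array Elements")
        for item in node:
            _walk(item, depth + 1, counter, out)
    elif isinstance(node, str) and len(node) > POLICY["max_value_length"]:
        out.append("string exceeds Max Value Length")
    elif isinstance(node, (int, float)) and not isinstance(node, bool):
        if abs(node) > POLICY["max_number_value"]:
            out.append("number exceeds Max Number Value")

def validate_json_body(body: str) -> list:
    """Return every violation for a request body; an empty list means allowed."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return [f"malformed JSON: {exc}"]
    out, counter = [], [0]
    _walk(doc, 1, counter, out)
    if counter[0] > POLICY["max_keys"]:
        out.append(f"{counter[0]} keys exceed Max Keys")
    return out

# Constructed bodies: the slide's registration document, then the slide's SQL injection in lastname plus an oversized age.
GOOD = '{"firstname": "tommy", "lastname": "reed", "age": 35}'
BAD = '{"firstname": "tommy", "lastname": "\' OR 1=1 -- ", "age": 350}'
```

The Class=Alpha profile on lastname is what turns the slide's injection string into a violation: a positive model rejects it without any attack signature.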

WAF02041 – API Security


GraphQL


GraphQL
[Figure: the client Application sends an HTTP GET Request or an HTTP POST Request with a JSON body; the server Application returns an HTTP Response carrying JSON]

GraphQL vs REST API
[Figure: REST API side: several GET REQUESTs, each answered with its own REST JSON; GraphQL side: a single GraphQL Query]

Common Attacks
• Injection
– SQL and NoSQL injection
– OS command injection
– SSRF / request smuggling
• DoS
• Exposure of sensitive data


GraphQL Security
• Attack Signature checks
• DoS Protection
• Size Limits
• Rate Limits
[Figure: an Attacker's GraphQL request containing SQL injection in JSON data is blocked by the WAF before the Web Server]

WAF02041 – API Security


XML Firewall


XML Web Services Vulnerabilities
• Schema Poisoning
• XML Parameter Tampering
• Inadvertent XDoS
• External Entity Attack
• Processing Instructions
• …
[Figure: an Attacker sends crafted <XML> over HTTP to the Service Provider]


SOAP Web Services
SOAP => Simple Object Access Protocol
[Figure: the Service Requester sends an HTTP POST Request carrying XML to the Service Provider, which returns XML in the HTTP Response]

XML Firewall
Requests blocked: External URI Reference Found
[Figure: an Attacker sends <XML> over HTTP containing <user>http://hackerland.com</user>; the XML Firewall on the WAF blocks it before the Service Provider]

XML Firewall Configuration
[Figure: the XML Firewall on the WAF in front of the Service; validations applied: XML Schemas / Schema Validations, SOAP Message validations, WSDL, WS-I; example endpoints http://bigfishinc.org/v1/service (SOAP) and http://bigfishinc.org/api/users/reg]


XML Validations
Limits enforced on the XML document: Max Tree Elements, Max Tree Depth, Max Element Name Length, Max Attribute Name Length
<breakfast_menu>
  <food category="breakfast">
    <name>Belgian Waffles</name>
    <price>$5.95</price>
    <description>Two of our famous Belgian Waffles</description>
    <calories>650</calories>
  </food>
  <food category="breakfast">
    <name>Strawberry Belgian Waffles</name>
    <price>$7.95</price>
    <description>Light Belgian waffles</description>
    <calories>900</calories>
  </food>
</breakfast_menu>
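An added example, not Barracuda's code, that enforces the four limits above plus the external URI reference check from the XML Firewall slide while streaming the document with Python's standard parser; the limit values and the sample documents are constructed.

```python
# Added example, not Barracuda's code: the limits from the XML Validations slide
# plus the XML Firewall's external-URI check, enforced with the standard library
# parser while streaming. Limit values and the sample documents are constructed.
import io
import xml.etree.ElementTree as ET

LIMITS = {  # XML Validations (constructed values)
    "max_tree_elements": 50,
    "max_tree_depth": 4,
    "max_element_name_length": 32,
    "max_attribute_name_length": 32,
}

def validate_xml(doc: str) -> list:
    """Return the violations found in the document; an empty list means allowed."""
    out, elements, depth = [], 0, 0
    try:
        for event, elem in ET.iterparse(io.BytesIO(doc.encode()), events=("start", "end")):
            if event == "end":
                depth -= 1
                # Element content is complete at "end": look for an external URI
                # reference, the case the XML Firewall slide shows being blocked.
                if (elem.text or "").strip().startswith(("http://", "https://", "ftp://")):
                    out.append(f"<{elem.tag}>: external URI reference found")
                continue
            depth += 1
            elements += 1
            if elements > LIMITS["max_tree_elements"]:
                out.append("document exceeds Max Tree Elements")
                break  # no point parsing further
            if depth > LIMITS["max_tree_depth"]:
                out.append(f"<{elem.tag}> exceeds Max Tree Depth")
            if len(elem.tag) > LIMITS["max_element_name_length"]:
                out.append(f"<{elem.tag}> exceeds Max Element Name Length")
            for name in elem.attrib:  # attributes are already known at "start"
                if len(name) > LIMITS["max_attribute_name_length"]:
                    out.append(f"@{name} exceeds Max Attribute Name Length")
    except ET.ParseError as exc:
        out.append(f"malformed XML: {exc}")
    return out

# Constructed inputs: the slide's breakfast menu, the XML Firewall slide's
# request, and a document nested deeper than Max Tree Depth.
MENU = """<breakfast_menu>
  <food category="breakfast">
    <name>Belgian Waffles</name><price>$5.95</price><calories>650</calories>
  </food>
</breakfast_menu>"""
EXTERNAL_URI = "<users><user>http://hackerland.com</user></users>"
TOO_DEEP = "<a><b><c><d><e/></d></c></b></a>"
```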

WAF02041 – API Security


JWT Validation


Web Token Validation
• Used for API authorization
– Token present in header
– WAF verifies JWT claims
• External or internal endpoints
[Figure: the JSON Web Token Profile on the WAF validates tokens for the API (Host: www.cudau.og, URL: /cgi-bin/badsore.cgi) against an External Endpoint or an Internal Endpoint]
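An added example, not Barracuda's code, of the checks a JSON Web Token Profile has to perform on the token in the Authorization header, written with the standard library only; the HS256 key, issuer and audience values are constructed, and sign_hs256 exists only to build test tokens.

```python
# Added example, not Barracuda's code: what a JSON Web Token Profile has to do
# with the token carried in the Authorization header, using only the standard
# library. The HS256 key, issuer and audience values used below are constructed.
import base64
import hashlib
import hmac
import json
import time

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a token; used here only to build the test input."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_jwt(auth_header: str, key: bytes, issuer: str, audience: str, now=None) -> str:
    """Return 'ok', or the reason the request is denied (signature first, then claims)."""
    now = time.time() if now is None else now
    if not auth_header.startswith("Bearer "):
        return "no bearer token in Authorization header"
    parts = auth_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return "undecodable token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "undecodable token"
    # Pin the algorithm: the token's own "alg" must never select the check.
    if header.get("alg") != "HS256":
        return "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "bad signature"
    if claims.get("iss") != issuer:
        return "wrong issuer"
    if claims.get("aud") != audience:
        return "wrong audience"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return "token expired or missing exp"
    return "ok"
```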


WAF02041 – API Security


API Attack Actions


API Attack Actions


• Attached to security policy
– Shared access security policies
• Response page should match application
– E.g., JSON response page
• Define follow-up action
– Use tarpit instead of CAPTCHA


WAF02039 - Web Application and CloudGen Firewall Integration

Barracuda CloudGen Firewall Integration


CloudGen Firewall Integration
[Figure: an Attacker at 198.51.100.254 sends HTTP Requests through the Firewall to the WAF in front of the Web Servers; the WAF blocks the attack (Action Policy – Block IP for 2 min) and reports the Offender IP 198.51.100.254 to the Firewall over its API, after which the Firewall drops that IP's Traffic]

Prerequisites
• CloudGen Firewall
– Firmware 7.0+
– Admin user for accessing the REST API
– REST API engine configured and running
– App Redirect rule to allow the WAF to access the REST engine
– Access rule with source CustomExternalObject4 set to block/drop
• Web Application Firewall
– Firmware 9.0+
– Able to reach the CloudGen Firewall
– Configured to use the CloudGen Firewall as upstream firewall
– Action Policies set to block IP as follow-up action

WAF02025 - Vulnerability Reports Integration


Introducing Vulnerability Reports Integration


Vulnerability Scanners Integration
• Vulnerability Scanners detect and report vulnerabilities
• Vulnerabilities can then be mitigated by importing the report
[Figure: the Scanner scans the Web App and its Report is imported into the WAF]

Currently Supported Scanners
• Barracuda Vulnerability Manager
• Cenzic Hailstorm v6.6
• HPE Security WebInspect
• HPE Security Fortify On Demand
• IBM AppScan v7.9
• IBM AppScan v9.0
• ThreadFix
• Immuniweb
• Rapid 7

New Open Format
Allows scanners to integrate with the BWAF
[Figure: Vulnerability Scanners deliver their reports to the WAF in the open format]


Vulnerability Reports
[Figure: the Scanner's Vulnerability XML Report is imported as an Assessment for a Service and produces Security Recommendations]

Recommendations
• Each recommendation is in one of three states: Pending, Applied, Rejected

WAF02026 - Barracuda Vulnerability Manager


Introducing Barracuda Vulnerability Manager


Barracuda Vulnerability Manager
Free scanner
[Figure: the Admin launches a Scan of the Web App from the Barracuda Vulnerability Manager over the Internet; the Report is imported into the WAF]

The Scanner
Barracuda Vulnerability Manager scanner settings: General Settings, Crawler, Authentication, Exclusions

Reports
• Online reports are interactive
• Actions on issues can be tracked
[Figure: the Admin views the Report in the Barracuda Vulnerability Manager]


WAF02027 - Barracuda Vulnerability Remediation Service


Introducing Barracuda Vulnerability Remediation Service


Barracuda Vulnerability Remediation Service
Enables automatic scanning, remediation, and maintenance of web application policies.
[Figure: the Barracuda Vulnerability Remediation Service scans the Web App over the Internet and pushes WAF Configuration & Profiles to the WAF (Physical/Virtual/Cloud)]

WAF Configuration
[Figure: the Barracuda Vulnerability Remediation Service delivers the Configuration to the WAF through Barracuda Cloud Control; the WAF protects the Web App]


Mitigation – Security Policy
• Change the policy assigned to the Service, or
• Create a new policy
[Figure: the Barracuda Vulnerability Remediation Service updates the Security Policy of the Service on the WAF]

Vulnerability Mitigation – Manual mode
[Figure: after the scan finishes and the report is generated, the Admin chooses "Mitigate SQL in email field" in the Online Vulnerability Report; the Barracuda Vulnerability Remediation Service then changes the WAF configuration protecting the Web App]

Vulnerability Mitigation – Passive Mode
[Figure: Users' Traffic is enforced by the Service (active) with its Security Settings (active) and logged; when the scan finishes, the Barracuda Vulnerability Remediation Service changes the WAF configuration by adding New Security Settings (passive) in front of the Web App]


Vulnerability Mitigation – Active Mode
[Figure: Users' Traffic is enforced by the Service (active) with its Security Settings (active) and logged; when the scan finishes, the Barracuda Vulnerability Remediation Service changes the WAF configuration by adding New Security Settings (active) in front of the Web App]

Notifications
[Figure: the Barracuda Vulnerability Remediation Service notifies the Admin by Email]

The Scanner
Barracuda Vulnerability Remediation Service scanner settings: General Settings, Crawler, Scan Elements, Authentication, Exclusions


Interference Prevention
[Figure: the Barracuda Vulnerability Remediation Service scans the Web App over the Internet through the Network Firewall, IDS/IPS and WAF]
Whitelist the scanner's Source IP Addresses:
• 64.235.153.133
• 64.235.153.134
• 64.235.153.135
• 64.235.153.136
• 64.235.150.121

Scan with WAF Bypass
• Scans the web app without the security checks of the WAF
• VRS is set up as a trusted host
[Figure: the Barracuda Vulnerability Remediation Service scans over the Internet; it is listed under Trusted hosts of the Service (active) on the WAF, so the Security Settings (active) are not applied to the scan before it reaches the Web App]

Scan without WAF Bypass
• Scans the web app through the WAF
– Checks the security settings of the WAF
[Figure: the scan from the Barracuda Vulnerability Remediation Service over the Internet is enforced by the Service (active) and Security Settings (active) of the WAF before reaching the Web App]


WAF02027 - Barracuda Vulnerability Remediation Service


VM and VRS Domain Verification


Domain Verification
Prevents unlawful scans on a web application (website) without express permission from its owner or operator
Verification Methods:
• Email (preferred)
• TXT Record
• META Tag
• File
• Manual Verification
• Barracuda WAF (Barracuda Vulnerability Remediation Service)

Email Verification Method
[Figure: the Admin requests a Scan of www.bigfishinc.org; Barracuda sends an Email to admin@bigfishinc.org containing https://[verificationlink], which the Admin opens]


File Verification Method
[Figure: the Admin requests a Scan of www.bigfishinc.org; Barracuda asks the Admin to create xyz.txt with abc as content, then fetches GET http://www.bigfishinc.org/xyz.txt from the Web Server]

META Tag Verification Method
[Figure: the Admin requests a Scan of www.bigfishinc.org; Barracuda asks the Admin to add a META Tag to index.html, then fetches GET http://www.bigfishinc.org/index.html and checks for it]
<html>
<head>
<meta name="bvm-site-verification" content="abcdefg">

TXT Record Verification Method
[Figure: the Admin requests a Scan of www.bigfishinc.org; Barracuda asks the Admin to add a TXT Record in DNS, then queries it]
dig bigfishinc.org txt
bigfishinc.org |TXT| bmv-site-verification=abcdefg


Requesting a Manual Domain Verification


Email BVM_Support@barracuda.com or
VRS_Support@barracuda.com and include:
– Your Barracuda Cloud Control email address
– The domain(s) you want to scan
– An explanation of the ownership of the domain


Barracuda WAF Verification Method
Vulnerability Remediation Service only
[Figure: the Admin requests a Scan of www.bigfishinc.org; the Barracuda Vulnerability Remediation Service requests GET www.bigfishinc.org/[randomstring] over the Internet, then checks the WAF's Access Logs for [randomstring]]

WAF02040 - Client Side Protection


Introducing Client Side Protection


Content
• Why client-side protection?
• Content Security policy
• Sub-resource integrity


WAF2040 – Client-Side Protection


Why Client-Side Protection?


Why Client-Side Protection?


• Prevents XSS
• Prevents man-in-the-middle attacks
• Prevents supply-chain attacks
– Ensures third-party resources are not compromised
– Images
– JavaScript
– Stylesheets


Why Client-Side Protection?
[Figure: the Browser loads the page from the Web server through the Barracuda WAF, and additional resources directly from a Third-party open-source repository]

WAF2040 – Client-Side Protection


Content Security Policy


Content Security Policy
• Inline script injection
• Referencing attacks
• Injection into dynamic script code generation
• Prevents attackers from injecting code into HTML/JS that would give them:
– Read access to content
– The ability to create further HTTP requests and responses
– Forging of and interaction with UI elements
– Execution of scripts in browsers


Content Security Policy
• Defines allowed content and its sources
• Adds the Content Security Policy header
– Controls what the browser is allowed to load
• Defines allowed sources
• Two modes
– Report only
– Block

CSP Example
Content = default-src 'self' campus.barracuda.com;
Directive: default-src; Source: 'self'; Allowed Hosts: campus.barracuda.com

CSP Directive
• default-src – Default for all directives, e.g., JavaScript, CSS, AJAX, frames or HTML 5 media
• script-src – Defines sources for JavaScript
• style-src – Defines sources for Stylesheets
• object-src – Defines sources for plugins, e.g., <object>, <embed> or <applet>
• report-uri – URI to send reports to


CSP Sources
• 'none' – Blocks content from all sources
• * (all) – Allows content from all sources
• 'self' – Allows content from the same source as the origin, e.g., the web server
• data: – Allows loading of data sources, e.g., pictures, videos, files
• 'unsafe-inline' – Allows usage of inline code like style attributes, event handlers and inline script elements
• 'unsafe-eval' – Allows unsafe dynamic code evaluation

WAF2040 – Client-Side Protection


Sub-Resource Integrity


Sub-Resource Integrity
• Creates an integrity token for third-party resources from open-source repositories
– E.g., JavaScript modules, CSS, …
– Header inserted into the response
– Token of the form sha256-PgrwROwuZhlsVg
• Browser verifies the token
– An unverified resource does not load
[Figure: the Browser loads the page from the Web server through the Barracuda WAF and resources from third-party open-source repositories, checking each against its integrity token]
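An added example, not Barracuda's code, that builds the CSP Example header from this module in valid syntax and computes and verifies a Sub-Resource Integrity token the way a browser does; the report-uri path and the script body are constructed (in report-only mode the same value is sent in the Content-Security-Policy-Report-Only header).

```python
# Added example, not Barracuda's code: the Content Security Policy header and the
# Sub-Resource Integrity token from this module, built and checked the way a
# browser does. The report-uri path and the script body are constructed.
import base64
import hashlib

def build_csp(directives: dict) -> str:
    """Serialise a policy: each directive is 'name source ...', directives joined by ';'."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())

def parse_csp(header: str) -> dict:
    """Split a policy back into {directive: [sources]}; sources are space-separated."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def sri_token(resource: bytes, algo: str = "sha256") -> str:
    """Integrity token for a resource: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, resource).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def sri_verify(resource: bytes, integrity: str) -> bool:
    """Browser-side check: the fetched bytes must match one of the listed tokens
    (sha256/sha384/sha512); otherwise the resource does not load."""
    for token in integrity.split():
        algo, _, _digest = token.partition("-")
        if algo in ("sha256", "sha384", "sha512") and sri_token(resource, algo) == token:
            return True
    return False

# The CSP Example slide in valid syntax: the host is a second source of
# default-src, not a directive of its own (so no ';' between the two).
SLIDE_CSP = build_csp({
    "default-src": ["'self'", "campus.barracuda.com"],
    "report-uri": ["/csp-report"],  # constructed reporting endpoint
})
SCRIPT = b"console.log('third-party module');"  # constructed resource body
```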


Thank You
