Barracuda Web Application Firewall version 8.1 is now in General Availability (GA) for new customers and Energize Updates subscribers. With this release, we have added several new features and capabilities. Here’s a summary of the update:
- Enhanced Web Scraping Protection: To tackle increasingly sophisticated web scrapers, this release adds support for enhanced web scraping that provides multiple protection mechanisms against scrapers. This includes embedding web-based honeypots to trap scrapers, headless browser detection, mouse and keyboard detection, and detection of clients based on common automation tools like PhantomJS. At the same time, search engine crawlers are allow-listed and validated using reverse DNS lookups on their IP addresses. This also helps identify fake googlebots, etc.
- Granular Binding of Security Policies: Security Policies can now bind at a URL or domain level. Earlier these policies had to be associated at a service or VIP level. This allows having separate policies for applications that are on the same server and IP. For example, http://barracuda.com/partner and http://barracuda.com/collaborate could be on the same VIP but can now have different policies associated with them, e.g. WordPress and SharePoint policy respectively.
- URL Profile Optimization: Many applications generate different URLs for similar content, like for different products in an eCommerce portal. From a security perspective, the profile remains the same with similar URL parameters, FORMs, access methods, etc. Under Adaptive Profiling, this can generate a large number of URL and parameter profiles. URL optimizers can now be used to coalesce such URLs into a single profile for easier management and better system performance.
- Support for JSON Key Profiles: This is an enhancement to the JSON security module, where the administrator can define granular policies for JSON Keys, akin to URL and parameter profiles.
Data Path Enhancements:
- Support for HTTP/2 and WebSockets: This release includes support for HTTP/2 and WebSockets. The Barracuda Web Application Firewall can now fully support and secure HTTP/2 connections between clients and servers. In addition, the Barracuda Web Application Firewall also supports HTTP/2 Offloading. This means that the WAF can provide an HTTP/2 connection front-end to clients while the backend connection to the server is via HTTP/1.1.
- The Barracuda Web Application Firewall can now also support WebSocket traffic. With WebSocket support, the Barracuda Web Application Firewall behaves as a pass-through proxy and does not intercept or analyze the traffic.
- SAN Certificate CSR: This release adds the ability to create a Certificate Signing Request (CSR)/self-signed for SAN certificates. SAN certificates are commonly used for Microsoft applications and are even recommended in some instances. SAN Certificates allows organizations to specify alternative domains for a service. For example, a SAN certificate for www.example.com could have the alternative domains www.examples.net and www.ex.com listed as alternative names for the same service. This partially solves the multi-domain limitation with wildcard certificates though SAN Certificates are more expensive than single domain certificates and are often limited to 3-5 domains.
- Integration with Denim ThreadFix: The Denim ThreadFix tool provides the capability to translate the reports from multiple scanners into a format that can be imported by the Barracuda Web Application Firewall. This integration now allows the Barracuda Web Application Firewall to integrate with over 20 different vulnerability scanners for simplified virtual patching of vulnerabilities.
- Support for AMQP formatting in Exported Logs: AMQP (1.0 version) protocol support added to export logs to external aggregators that are compliant to AMQP message queuing, including Microsoft Azure's Event Hub. AMQP is a binary, application layer protocol, designed to efficiently support a wide variety of messaging applications and communication patterns and is being increasingly supported in SIEM solutions and message-oriented middleware.
Infrastructure as a Service (IaaS)
- Support for Auto-Scaling in AWS : The Barracuda Web Application Firewall cluster in AWS can now auto-scale without admin intervention. Earlier dynamic scaling support required an admin to spin up additional instances manually that then synchronized amongst each other. The auto-scale feature allows the cluster to scale out automatically within limits that can be specified. With this feature, the Barracuda Web Application Firewall can now be launched automatically using CloudFormation templates and integrates with various AWS services, including IAM, Cloudwatch, S3, and SNS. The Barracuda Web Application Firewall is now also certified as part of the AWS Security Competency Program.
- Load Balancing across Server Name Resolution: When a server uses hostname as the identifier, rather than IP address, and if it resolves to multiple IPs, the system performs load balancing across these IP addresses. This is especially important in IaaS environments. In AWS, this means that the Barracuda Web Application Firewall can now work with a downstream Elastic Load Balancer to distribute traffic across multiple applications.
Detailed release notes are available here.
The Barracuda Web Application Firewall (WAF) protects web applications from data breaches and defacement. With the Barracuda Web Application Firewall, administrators do not need to wait for clean code or even know how an application works to secure their applications. Organizations can ensure robust security with a WAF hardware or virtual appliance, deployed either on-premises or in the cloud.
Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall and Barracuda Load Balancer ADC. His current areas of focus are Cloud and automation. His prior roles ranged from leading networking product testing teams and technical marketing for HCL-Cisco. Tushar closely tracks the rapidly increasing impact of digital security and is passionate about simplifying digital security for everyone.