Barracuda Networks Confidential

Web Application Protection Against Hackers and Vulnerabilities

Barracuda Web Application Controllers


Page 2: Agenda

• Introductions
• Barracuda Networks Company Overview
• Barracuda Web Application Controller
  – Deployment Options
  – Detection / Protection Methods
  – Profiling – Positive vs. Negative Security Model
  – Authentication
  – Traffic Management
  – Logging and Reporting
  – Performance
• Roadmap
• Q&A

Page 3: Company Information

• Mission
  – Deliver comprehensive mid-market appliance-based solutions
• Leader in Email and Web Security
  – Company started in late 2003
• Headquarters in Campbell, California
  – Sales and support presence in Australia, Brazil, Belgium, Canada, China, France, Germany, India, Japan, Spain, Taiwan, UK and USA
  – 400+ employees worldwide
• Privately Funded
  – Cash flow positive for more than 4 years
  – First outside investment $40 million: Sequoia Capital & Francisco Partners (January 2006)
• Market Leader
  – 70,000 customers worldwide

Page 4: Barracuda Networks Management Team

• Dean Drako, President & CEO – Velosel, Boldfish, Design Acceleration, 3DO, Apple
• Michael Perone, Executive VP & CMO – Address.com, Spinway, GE, JPL
• Zach Levow, CTO – Affinity Path, Spinway, Sun, Cadence
• David Faugno, CFO – Cisco Systems, AT&T
• Blair Hankins, VP Engineering – Nokia, Intellisync, Lotus
• Stephen Pao, VP Product Management – Cisco Systems, Nuance, Oracle
• Sales Management
  – Ezra Hookano, VP Sales North America – SonicWALL, U4EA
  – José Luis Sanchez, VP Sales Latin America – Netscreen
  – Paul Thackeray, VP & Managing Director EMEA – SonicWALL
  – Peter He, Managing Director China – Pandaguard, PricewaterhouseCoopers
  – Niall King, VP Sales APAC – Neoteris, Cacheflow

Page 5: Barracuda Networks Company Strategy

• Powerful, easy-to-use hardware solutions
• Simple sales process
• Aggressive price point
  – No per user licensing fees
• Yearly subscription
  – Energize Updates
• Enterprise and SMB market
• Great customer service and technical support
• Streamlined manufacturing and delivery

Page 6: Barracuda Networks Product Strategy

• Integrated hardware and software solutions
• Comprehensive products
  – Complete problem solutions in a single product
  – No “options” to add extra charges
• Ease of use
  – Flexible deployment options
  – Easy to use interfaces
• Single vendor for service and support
• No per user license fees
• Ongoing security services

Page 7: Products For All Parts of the Network

• DMZ
  – Barracuda Spam Firewall
  – Barracuda IM Firewall
• Data Center
  – Barracuda Load Balancer
  – Barracuda Web Site Firewall
• Inside the Network
  – Barracuda Web Filter
  – Barracuda Message Archiver

Page 8: Barracuda Networks Worldwide

• Products in multiple languages

• Offices in more than 10 countries

• Distributors in more than 80 countries

Page 9: USA Customers

Page 10: Vertical Customers

• Education
• Financial
• Government
• Technology / Internet
• Corporate

Page 11: Worldwide Customers (70,000+)

• APAC
• Latin America
• EMEA

Page 12: Award-Winning Products

“(The Barracuda Web Filter is) an attractive proposition for the enterprise market, designed for simple administration and high throughput.”
-SC Magazine, February 2007

“Despite being heavy on the features, (Barracuda) WebFilter 310 remains easy to use and fully customizable.”
-CRN, June 2007

Page 13: Barracuda Networks & NetContinuum

• NetContinuum acquired in July 2007
  – Leading provider of Web Application Firewall and Application Gateway appliances
  – Ranked No. 1 in Forrester Research WAVE Report 2006
  – Strategic acquisition puts Barracuda Networks in strong position to expand Web Application Firewall market
• Barracuda Networks support and product investment
  – Building upon existing NetContinuum products
  – Additional plans to address needs of smaller customers
  – Increasing investment in Web Application Firewall product category

Page 14: Web Application Controllers Major Features

• Comprehensive Web site protection
  – Attacks
  – Unauthorized access
  – Data theft
  – Web site defacement
• Web XML services protection
• Application access control
• Application delivery and acceleration
• Logging, monitoring and reporting

Page 15: Web Application Controllers Detailed Features

• Application access control
  – SSO portal
  – LDAP and RADIUS integration
  – PKI support
  – Web access management
    • CA Siteminder
    • RSA Access Manager
• Application delivery and acceleration
  – Caching
  – Compression
  – Connection pooling
  – Load balancing
  – SSL acceleration
  – High availability
• Plus much, much more...
• Web site protection
  – HTTP protocol compliance
  – SQL injection blocking
  – OS command injection protection
  – XSS protection
  – Form/cookie tampering defense
  – Online form field validation
  – Denial of Service Protection
  – Outbound packet scanning
  – Web site cloaking
  – Anti-crawling
  – Advanced learning modes
• XML services security
  – XML attack prevention
  – Validation of XML schema, SOAP envelopes and XML content
  – WS-I profile validation
  – Web services cloaking
  – XML DoS attack protection

Page 16: Integrates easily into existing systems

• Authentication
  – LDAP
  – RADIUS
  – X509 / CRL – for two factor authentication with client certificates
• Logging
  – Syslog
  – FTP - standardized transport for log storage
  – W3C Extended logging – standardized log format to integrate with generic access log parsers

Page 17: Barracuda Web Site Firewall Product Line

[Figure: product line chart; scale labels 25 Mbps and 1 Gbps]

• NC2000 AG
• NC1100 AG
• Barracuda Application Gateway NC500 AG
• Barracuda Web Site Firewall 660
• Barracuda Web Site Firewall 460
• Barracuda Web Site Firewall 360

Page 18: Barracuda Web Application Controllers Satisfy Major PCI DSS requirements

• Credit card companies increase pressure on merchants
  – Must be PCI compliant by June 30, 2008
• Acts as both network firewall and Web Application Firewall
• Proxies Web traffic and insulates Web servers from direct attacks
• Provides SSL encryption
• Blocks top 10 most common application vulnerabilities
• Provides role-based administration
• LDAP integration and unique ID support
• Provides application access logging and interacts with AAA systems

Page 19: Web Application Controllers Architecture

• Single point of protection for inbound and outbound Web traffic

Page 20

Session Control
• TCP Session Termination
• SSL Termination
• HTTP Protocol Normalization & Compliance
• FTP Compliance
• HTTP Header Re-Write
• URL Translation
• URL Rate Control

Security Assurance
• Application Cloaking
• AAA
• White List
• Forms Protection
• Cookie Protection
• Data Theft Protection
• Dynamic Learning
• SQL & OS CMD Injection
• XSS Attack Protection
• Custom Black List: REGEX

Availability Assurance
• Caching
• GZIP Compression
• TCP Connection Pooling
• SSL Cryptographic Offload, Backend Encryption
• Layer 7 Content Switching
• Load Balancing
• Server & App Health Checking with Failover

[Figure labels: Users; Web Applications; Terminate, Secure, Accelerate; Centralized Control]

Page 21: Deployment Options

• Full reverse proxy
• One-armed proxy
• Normal bridged
• Fail open bridged

Page 22: Proxy vs. Non-proxy: Fundamental Difference in Security Capabilities

• Non-proxy WAFs expose server operating systems and TCP stacks directly to the Internet
• You need a proxy-based WAF for:
  • Web Address Translation – Non-proxies cannot rewrite URLs
  • Cloaking – Non-proxies do not cloak
  • SSL – Non-proxy SSL is VERY slow
  • Cookie security – Non-proxies do not protect against ID theft
  • L7 Rate Control – Non-proxies do not protect against DoS
  • Authentication and Authorization – Non-proxies cannot do AAA
  • Data Theft Protection – Non-proxies cannot mask outbound data
  • Response time acceleration – Non-proxies cannot accelerate

Page 23: Flexible HTTP / HTTPS deployments

• Front end SSL (Offload SSL)
• Front and back end SSL
• Enforced SSL: automatic redirect of HTTP to HTTPS

Page 24: Client SSL certificates support

The WAC can support client certificates for authentication to an application/VIP. In addition, the WAC can support client certificates for backend communication.

[Figure captions: Client certificates for backend communication; Client certificates for authentication to an application/VIP]

Page 25: Security: Web Site Cloaking

Attacker's first task: reconnaissance of the network for weaknesses
• What Web, database, application servers are being used?
• What versions, patches or known vulnerabilities are there?

Cloaking makes enterprise Web resources invisible to hackers and worms
• Hides all error codes, HTTP headers, IP addresses

Page 26: Security: Inbound

Attacks
• Injection – SQL, OS commands
• Scripting – XSS, CSRF
• Cookie/session poisoning
• Parameter/form tampering

• Protocol sanitization
• Validation
• Request limit checks

Zero-day attacks via Web site profiles

[Figure labels: Web Applications; Port 80/443 traffic goes through]

Page 27: Cookie and Session Protection

Cookie Protection

Session ID Tracking

Page 28: Security: Outbound

• Deep inspection of outgoing content blocks
  – Credit cards
  – Social security numbers
  – Custom patterns

[Figure label: Web Applications]

Page 29: Brute Force Prevention & Rate Control

Brute force prevention

Slow down attackers via Rate Control

Page 30: Top 10 threats …

Threat: Protection Mechanism

1. Un-validated Input: Learns accepted application logic to validate incoming and outgoing session content for legitimate application behavior
2. Broken Access Control: Sets up and enforces authorization and access control policies to authenticate user access
3. Broken Authentication and Session Management: Automatically encrypts session cookies and assigns unique session-IDs to ensure secure user sessions
4. Cross-Site Scripting (XSS) Attacks: Validates user input by terminating session and inspecting incoming requests
5. Buffer Overflows: Rejects any file from an invalid Web page and limits total Web request length across applications
6. Injection Flaws: Inspects each request to the Web application for malicious code and blocks the request prior to reaching
7. Improper Error Handling: Cloaks details of Web application infrastructure
8. Insecure Storage: Filters and intercepts outbound traffic and also blocks or masks attempts to access sensitive information.
9. Application Denial of Service (DoS): Monitors and controls the amount of queries to the same URL from a single user and queues the requests while allowing legitimate Web site access
10. Insecure Configuration Management: Acts as the DMZ to proxy inbound and outbound Web traffic to neutralize any configuration vulnerabilities

Page 31: Web Address Translation

• URL Translations
• Request Rewrites
• Response Rewrites
• Response Body Rewrites

Page 32: Real-world WAF deployment experience …

• Multiple geographically distributed deployments
• Multiple customers with over 5 years of experience – using reverse proxy protection
• Multiple customers with over 15 Web Application controllers
• Customers protecting THOUSANDS of Web applications
• Wide variety of applications – enterprise, government, telecom, energy, e-commerce providers

Page 34: Proven WAF Success Model

[Figure labels:]
• Default Security Policy with Exceptions
• Application Templates (OWA, SharePoint, etc.)
• Hand Coded Protection
• Negative Security Model: broad based protection
• Positive Security Model: targeted applications

Page 35: Best Practice – Mix Security Models

• Positive versus Negative security models
  – Positive: Define the “good” behavior and assume all other traffic is attack traffic
  – Negative: Insulate against “bad” behavior
• Don’t over-apply positive security model
  – Difficult to understand and maintain profiles
  – Applications change frequently
  – Only provides cost/benefit for certain applications
• Target specific applications for positive security model
• Most companies aim for broad protection through negative security model

Page 36: Is this Madness? NO!

• Most “real world” security is “negative security model”
  – Spam filters profile spam and viruses and let other email traffic flow
  – Web filters categorize bad sites and let unknown sites pass
• The same should apply to Web application security
• Why?
  – Most bad traffic is usually easy to identify
  – False positives are costly and defeat the purpose of security
  – Good traffic changes frequently with new business partners, new business trends, and new applications

Page 37: Most Bad Traffic is Easy to Identify

Do not need a detailed application profile to:
• Cloak the Web site to hide known areas of vulnerability
• Digitally sign or encrypt cookies to prevent cookie and session tampering
• Identify or block common attack types
  – SQL injections, OS command injections
  – Cross-Site Scripting attacks
  – Remote file inclusions
  – Directory traversals
• Filter outbound content for credit card, SSN, etc.
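
Two of the profile-free protections listed above, cookie signing and outbound card-number filtering, sketched in Python as an added example (not Barracuda's implementation). The key, function names and sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed demo key (assumption); a real proxy would load it from protected storage.
PROXY_KEY = b"constructed-demo-key-not-for-production"


def _tag(name: str, value: str, key: bytes) -> str:
    # Bind the tag to the cookie name so a signed value cannot be replayed
    # under a different cookie.
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def sign_cookie(name: str, value: str, key: bytes = PROXY_KEY) -> str:
    """Outbound: append an HMAC-SHA256 tag to the cookie value set by the app."""
    return f"{value}.{_tag(name, value, key)}"


def verify_cookie(name: str, signed: str, key: bytes = PROXY_KEY):
    """Inbound: return the original value, or None if it was altered."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None  # no tag present at all
    expected = _tag(name, value, key)
    # Constant-time comparison on bytes avoids timing leaks and type errors.
    if hmac.compare_digest(tag.encode(), expected.encode()):
        return value
    return None


# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_cards(body: str) -> str:
    """Mask Luhn-valid card numbers in a response body, keeping the last four digits."""
    def repl(match):
        digits = re.sub(r"\D", "", match.group())
        if not luhn_ok(digits):
            return match.group()  # not a card number: leave untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_RE.sub(repl, body)


if __name__ == "__main__":
    signed = sign_cookie("role", "user")
    print(verify_cookie("role", signed))                # user
    print(verify_cookie("role", "admin" + signed[4:]))  # None
    # Constructed sample body: one well-known test card number, one order id.
    print(mask_cards("card 4111 1111 1111 1111 ref 1234 5678 9012 3456"))
```

The Luhn check is what keeps the outbound filter from masking arbitrary 16-digit identifiers, which matters given the deck's point that false positives are costly.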

Page 38: Defining Policy Exceptions

• Start with conservative policies to provide protection
• Can optionally start with passive monitoring
• Interactive log view differentiates attacks from potential policy problems
• In many cases, can mitigate issues with a single click
• Then, enable active protection

Priority should be on providing broad-based protection to avoid the majority of attack types upfront and early

Page 39: Fine grained control …

The Barracuda Web Application Controller can be deployed in either active or passive modes for each application/VIP (virtual IP).

In addition, the following can individually be set to passive mode for further granularity.

• Header ACLs
• URL Policies
• URL Profiles
• Parameter Profiles

[Figure label: Application/VIP]

Page 40: Easy to use Feedback loop

Policy Tuning wizard to make it simple to relax rules and accept false positives.

Page 41: Full flexibility for power users …

The Barracuda Web Application Controller allows a user to create custom signatures via a regular expression wizard.

Page 42: SharePoint 2007 Deployment with Barracuda Web Application Controller

• Deployment
• Website Cloaking
• Request Lengths
• URL Normalization
• URL Protection
• Enhanced Application Profiles
• Session protection
• Data/Identity Theft
• Deployment Scenarios
• SSL
• Load balancing and Application monitoring
• Authentication and Access Control
• Compression and caching
• Content Routing
• Other Ongoing Efforts
  • Virus Protection for uploaded files
  • Enhanced URL protection in the path itself

Page 43: Learning Mode

Ease of configuring the learning mode

Page 44: Learning Mode: Flexible Deployment …

Can deploy in Active OR Passive mode while learning

Page 45: Avoid Common Pitfalls

• Take care not to over-apply positive security model
• Be wary of relying heavily on automated “learning”
  – Learning technology has some “sizzle” with new customers
  – Useful in certain cases (particularly response-based learning on very simple applications)
  – Experienced WAF users prefer implementing broad-based protections early and hand coding targeted application areas
• Problems
  – Hard to generate complete test traffic cases
  – Can “learn” bad behavior if used against real-world traffic
  – Automated profiles are hard to maintain

Analogy: think about automated HTML generators
  – Does not learn “structure” from a human point of view
  – Hard to go “half way” – usually not worth waiting for

Page 46: Authentication, Authorization & Single Sign On

• Provides front-end authentication for Web applications
• Integrates with popular authentication servers
• Supports two-factor authentication schemes

[Figure labels: Web Applications; Authentication Server]

Page 47: Authentication Service Support

Authentication Support
• Basic
• Digest Authentication
• Client Certificate Authentication

Integration with the following authentication services
• Internal
• LDAP
• RADIUS
• CA SiteMinder
• RSA Access Manager

Page 48: Traffic Management

• Load Balancing
  – Server Health monitoring
  – Layer 7 persistence
  – Fall back servers
• Content Switching
• Caching
• Compression

[Figure: Content Switching. Labels: Cache; Image Server; HR Server; Partner Portal; www.estore.com/images/banner.jpg; www.estore.com/hr/leaveform.html; www.estore.com/partner/order.jsp]

Page 49: Application Delivery and Acceleration

• TCP Pooling - Multiple requests use same connection
• Improved Performance
• SSL Offloading/Acceleration, Backend Encryption
• Application Health Monitoring ensures optimal Load Balancing
• High Availability minimizes downtime of critical business Apps

[Figure label: Internet]

Page 50: Extensive Logging Capabilities

- Audit logs, Web firewall logs, Web logs, System logs, and Network Firewall logs.

Page 51: Comprehensive reporting and scheduling

Page 52: Performance

Performance metric (transaction rates and throughput), with values for NC-1100 and NC-2000, both proven through testing:

L2-L4
– Maximum Concurrent TCP Connections: NC-1100 400,000 conns; NC-2000 1,400,000 conns
– Maximum Throughput: NC-1100 1 Gbps; NC-2000 1 Gbps
– Maximum TCP Connections/sec: NC-1100 6,000 cps; NC-2000 23,000 cps
– TCP Multiplexing Ratio: NC-1100 7:1; NC-2000 10:1

L7 HTTP
– HTTP 1.1 Transactions/Requests/sec: NC-1100 12,000 tps; NC-2000 44,000 tps
– HTTP 1.1 Trans/sec - Security Features - Turned ON: NC-1100 6,000 tps; NC-2000 30,000 tps
– HTTP 1.1 Trans/sec - Security + Acceleration Features - Turned ON: NC-1100 5,000 tps; NC-2000 28,000 tps
– Latency during HTTP 1.1 testing: NC-1100 <1 ms; NC-2000 <1 ms

conns=total simultaneous connections
cps=new L4 connections per second
tps=new L7 transactions per second
Mbps=Megabits per second
Gbps=Gigabits per second
kbps=kilobits per second
ms=milliseconds
s=seconds

*Transaction Rate tests measured using 1024 byte objects, except for TCP and SSL Bulk Throughput test using 1Mb object.

*Latency testing performed against 5 popular websites (Yahoo.com, Amazon.com, BBC.com, UCLA.edu, Whitehouse.gov), totaling 1,262,608 bytes of data, sustaining 2048 transactions/second unless otherwise stated.

Page 53: Performance

L7 HTTPS
– HTTPS 1.1 Transactions/Requests/sec: NC-1100 9,000 tps; NC-2000 16,000 tps
– HTTPS 1.1 Trans/sec - Security Features - Turned ON: NC-1100 6,000 tps; NC-2000 15,000 tps
– HTTPS 1.1 Trans/sec - Security + Acceleration Features - Turned ON: NC-1100 4,000 tps; NC-2000 10,000 tps
– Latency during HTTPS 1.1 testing: NC-1100 <5 ms; NC-2000 <10 ms

SSL
– Maximum Concurrent SSL Connections: NC-1100 100,000 conns; NC-2000 100,000 conns
– Maximum SSL Throughput - Bulk Transfer of 1Mb File: NC-1100 1 Gbps; NC-2000 1 Gbps
– Maximum SSL Transaction Rate with No Session Re-Use: NC-1100 4,000 tps; NC-2000 8,000 tps

Page 54: Road Ahead: Barracuda Control Center

[Figure labels: London, DC; Mumbai, DC; New York, DC; California, DC]

Page 55: Barracuda Control Center

Page 56: Barracuda Control Center: Features

• Status
  – See all the devices
  – Check on:
    • Hardware
    • Connectivity
    • Subscription
    • Traffic
    • Firmware
• Reporting
  – Aggregated reporting
    • Restrict data based on user groups
• Configurations
  – Standardize configuration of multiple appliances
  – Create exceptions for individual appliance
• Multiple administrators
  – Provide access to a subset of appliances
  – Set permissions

Page 57: Other Roadmap Items

• Security
  – Virus Checking for file uploads
  – Automated attack definitions
• Authentication
  – Built-in single sign-on across Web applications
  – SAML
• Performance
  – Caching improvements
• Virus checking for file upload
• Performance
  – Improved caching / content optimization
• Scalability
  – Global server load balancing for N-way clustering
  – Larger hardware platform – model 1060 based on model 1000 hardware